SlideShare a Scribd company logo

Applications of the Reverse Engineering Language REIL

zynamics GmbH
zynamics GmbH
Technology
1 of 39
Download to read offline
Applications of the Reverse Engineering Language REIL Hackers to Hackers Conference 2009, São Paulo Sebastian Porst zynamics GmbH (sebastian.porst@zynamics.com)
Talk Overview • Necessity of new RE methods • Solutions we developed • Applications of our solutions
About zynamics • Small German company • Unhappy with the state of Reverse Engineering • Needed: New RE tools and methods –BinDiff, BinNavi, VxClass
About me • Lead Developer of BinNavi • Many years of RE experience • Try to come up with new RE methods • Talk about it at conferences
What we are doing • Build Reverse Engineering tools • Try to automize binary file analysis • Help people find vulnerabilities
Why we are doing this Software Complexity Architectural Diversity Microsoft Security Budget Good old days Now
How we are doing this • Develop new RE methods –Platform-Independent –Easy to use • Integrate them into our tools
REIL • Reverse Engineering Intermediate Language • Platform-Independent • Designed for Reverse Engineering
Design Principles • Very small instruction set • Very regular operand structure • Very simple operand types • No side-effects
Example
REIL Usage Convert native code to REIL Run REIL algorithm Port results back to original code
Advantages • Easy to pick up and comprehend • Reduces analysis complexity • Write once; use everywhere
MonoREIL • Monotone framework for REIL • Simplifies analysis algorithm development • Read the book
Advantages • All algorithms have the same regular structure • Simplifies algorithms –Trade-off: Runtime
Core Concepts • Instruction Graph • Lattice • Monotone Transformations
Instruction Graph 1400: add t0, 15, t1 1401: bisz t1, , t2 1402: jcc t2, , 1405 1403: str 8, , t3 1405: str 16, , t3 1404: jcc t2, , 1406 1406: add t3, t3, t4 1407: jcc 1, , 1420
Lattice T B
Transformations 1400: add t0, 15, t1 1401: bisz t1, , t2 1402: jcc t2, , 1405 1403: str 8, , t3 1405: str 16, , t3 1404: jcc t2, , 1406 1406: add t3, t3, t4 1407: jcc 1, , 1420
Applications Register Tracking: Helps Reverse Engineers follow data flow through code (Never officially presented) Index Underflow Detection: Automatically find negative array accesses (CanSecWest 2009, Vancouver) Automated Deobfuscation: Make obfuscated code more readable (SOURCE Barcelona 2009, Barcelona) ROP Gadget Generator: Automatically generates return-oriented shellcode (Work in progress; scheduled for Q1/2010)
Register Tracking • Follows interesting register values • Keeps track of dependent values • Transitive closure of the effects of a register on the program state
Lattice All eax eax ebx ecx ebx ecx ecx OF eax ebx ecx OF Ø
General Idea • Start with the tracked register • Follow the control flow • Instruction uses register → Add modified registers to the tracked set • Instruction clears register → Remove cleared register from the set
Example {t0} add t0, 4, t1 {t0, t1} bisz t2, , CF {t0, t1} bisz t0, , ZF {t0, t1, ZF} add t2, 4, t1 {t0, ZF}
Result
Use • Fully integrated into BinNavi • Makes it very simple to follow values • Helps the reverse engineer to concentrate on what is important
Range Tracking • Tracks potential ranges for register values • Useful to detect buffer underflows like MS08-67 • Intervals are used to cut down on complexity
Lattice • Complicated to show in a picture • Keep track of register values and pointer dereferences as a list of ranges • eax [0 .. 4] [0 .. 10] – Add a value between 0 and 10 to [eax], [eax + 1], [eax + 2], [eax + 3], or [eax + 4]
General Idea • Track register values relative to their first use • Follow the control flow • Calculate maximum range of effects each instruction has on a register • If the range gets negative for memory accesses, mark the location
Use • Helps bug hunters to find potential vulnerabilities • Automated and effective • Not yet fully proven to work
Deobfuscation • Convert obfuscated code into something more readable • Multi-process step with many lattices –Constant propagation –Dead code elimination –...
General Idea • Take a piece of code • Apply the deobfuscation algorithms • Repeat until no further deobfuscation is possible • Result: Deobfuscated Code
Result Before After
Problems • Turns out that deobfuscation is tricky for many reasons • Further requirements: –Function that determines the readability of code –Backend that produces executable code from REIL
ROP Gadget Generator • Return-oriented shellcode generator • REIL-based but not MonoREIL-based • Originally for Windows Mobile but platform-independent • To be presented in 2010
General Idea • Automated analysis of instruction sequences • Automated extraction of useful instruction sequences • Combines gadgets to shellcode • Helps the development of return- oriented shellcode
Result
Future Development • BinAudit –Collection of algorithms for vulnerability research • Type Reconstruction –Figuring out what higher level data types are stored in registers
Related Work • ERESI Project • BitBlaze • Silvio Cesare
http://www.flickr.com/photos/marcobellucci/3534516458/

Recommended

BUD17-TR02: Upstreaming 101
BUD17-TR02: Upstreaming 101 BUD17-TR02: Upstreaming 101
BUD17-TR02: Upstreaming 101 Linaro
 
2016 NCTU P4 Workshop
2016 NCTU P4 Workshop2016 NCTU P4 Workshop
2016 NCTU P4 WorkshopYi Tseng
 
R intro
R introR intro
R introVishakh Nair
 
CNIT 126 6: Recognizing C Code Constructs in Assembly
CNIT 126 6: Recognizing C Code Constructs in Assembly CNIT 126 6: Recognizing C Code Constructs in Assembly
CNIT 126 6: Recognizing C Code Constructs in Assembly Sam Bowne
 
8051 programming in c
8051 programming in c8051 programming in c
8051 programming in cDr. Ritula Thakur
 
ALU_4bit
ALU_4bitALU_4bit
ALU_4bitla_hormiga
 
Lab5 s2
Lab5 s2Lab5 s2
Lab5 s2rajbabureliance
 
Pipeline stalling in vhdl
Pipeline stalling in vhdlPipeline stalling in vhdl
Pipeline stalling in vhdlSai Malleswar
 

Recommended

BUD17-TR02: Upstreaming 101
BUD17-TR02: Upstreaming 101 BUD17-TR02: Upstreaming 101
BUD17-TR02: Upstreaming 101 Linaro
 
2016 NCTU P4 Workshop
2016 NCTU P4 Workshop2016 NCTU P4 Workshop
2016 NCTU P4 WorkshopYi Tseng
 
R intro
R introR intro
R introVishakh Nair
 
CNIT 126 6: Recognizing C Code Constructs in Assembly
CNIT 126 6: Recognizing C Code Constructs in Assembly CNIT 126 6: Recognizing C Code Constructs in Assembly
CNIT 126 6: Recognizing C Code Constructs in Assembly Sam Bowne
 
8051 programming in c
8051 programming in c8051 programming in c
8051 programming in cDr. Ritula Thakur
 
ALU_4bit
ALU_4bitALU_4bit
ALU_4bitla_hormiga
 
Lab5 s2
Lab5 s2Lab5 s2
Lab5 s2rajbabureliance
 
Pipeline stalling in vhdl
Pipeline stalling in vhdlPipeline stalling in vhdl
Pipeline stalling in vhdlSai Malleswar
 
Transformer Mods for Document Length Inputs
Transformer Mods for Document Length InputsTransformer Mods for Document Length Inputs
Transformer Mods for Document Length InputsSujit Pal
 
Presentacion exposicion Sistemas Digitales I
Presentacion exposicion Sistemas Digitales IPresentacion exposicion Sistemas Digitales I
Presentacion exposicion Sistemas Digitales IAngela Ximena Pedraza Martinez
 
Fun with TCP Packets
Fun with TCP PacketsFun with TCP Packets
Fun with TCP PacketsSecurity B-Sides
 
[論文紹介]A syntactic neural model for general purpose code generation
[論文紹介]A syntactic neural model for general purpose code generation [論文紹介]A syntactic neural model for general purpose code generation
[論文紹介]A syntactic neural model for general purpose code generation OgataTomoya
 
CNIT 127 Ch 3: Shellcode
CNIT 127 Ch 3: ShellcodeCNIT 127 Ch 3: Shellcode
CNIT 127 Ch 3: ShellcodeSam Bowne
 
Semaphores and Monitors
Semaphores and Monitors Semaphores and Monitors
Semaphores and Monitorssathish sak
 
Practical Malware Analysis: Ch 6: Recognizing C Code Constructs in Assembly
Practical Malware Analysis: Ch 6: Recognizing C Code Constructs in AssemblyPractical Malware Analysis: Ch 6: Recognizing C Code Constructs in Assembly
Practical Malware Analysis: Ch 6: Recognizing C Code Constructs in AssemblySam Bowne
 
20170925 onos and p4
20170925 onos and p420170925 onos and p4
20170925 onos and p4Yi Tseng
 
ITFT_Semaphores and bounded buffer
ITFT_Semaphores and bounded bufferITFT_Semaphores and bounded buffer
ITFT_Semaphores and bounded bufferSneh Prabha
 
Beautiful Parrot
Beautiful ParrotBeautiful Parrot
Beautiful ParrotNuno Carvalho
 
Instruction Set of 8051 Microcontroller
Instruction Set of 8051 MicrocontrollerInstruction Set of 8051 Microcontroller
Instruction Set of 8051 MicrocontrollerMultisoft Virtual Academy
 
LAS16-501: Introduction to LLVM - Projects, Components, Integration, Internals
LAS16-501: Introduction to LLVM - Projects, Components, Integration, InternalsLAS16-501: Introduction to LLVM - Projects, Components, Integration, Internals
LAS16-501: Introduction to LLVM - Projects, Components, Integration, InternalsLinaro
 
JS introduction
JS introductionJS introduction
JS introductionYi Tseng
 
Semophores and it's types
Semophores and it's typesSemophores and it's types
Semophores and it's typesNishant Joshi
 
Linux-wpan: IEEE 802.15.4 and 6LoWPAN in the Linux Kernel - BUD17-120
Linux-wpan: IEEE 802.15.4 and 6LoWPAN in the Linux Kernel - BUD17-120Linux-wpan: IEEE 802.15.4 and 6LoWPAN in the Linux Kernel - BUD17-120
Linux-wpan: IEEE 802.15.4 and 6LoWPAN in the Linux Kernel - BUD17-120Linaro
 
BUD17-302: LLVM Internals #2
BUD17-302: LLVM Internals #2 BUD17-302: LLVM Internals #2
BUD17-302: LLVM Internals #2 Linaro
 
Uc 2(vii)
Uc 2(vii)Uc 2(vii)
Uc 2(vii)Ankita Jaiswal
 
Detecting Reconnaissance Through Packet Forensics by Shashank Nigam
Detecting Reconnaissance Through Packet Forensics by Shashank NigamDetecting Reconnaissance Through Packet Forensics by Shashank Nigam
Detecting Reconnaissance Through Packet Forensics by Shashank NigamOWASP Delhi
 
8051 instruction set
8051 instruction set8051 instruction set
8051 instruction setAndri Prastiyo
 
8051 micro controllers Instruction set
8051 micro controllers Instruction set 8051 micro controllers Instruction set
8051 micro controllers Instruction set Nitin Ahire
 
BUD17-405: Building a reference IoT product with Zephyr
BUD17-405: Building a reference IoT product with Zephyr BUD17-405: Building a reference IoT product with Zephyr
BUD17-405: Building a reference IoT product with Zephyr Linaro
 
Serving Deep Learning Models At Scale With RedisAI: Luca Antiga
Serving Deep Learning Models At Scale With RedisAI: Luca AntigaServing Deep Learning Models At Scale With RedisAI: Luca Antiga
Serving Deep Learning Models At Scale With RedisAI: Luca AntigaRedis Labs
 

More Related Content

What's hot

Transformer Mods for Document Length Inputs
Transformer Mods for Document Length InputsTransformer Mods for Document Length Inputs
Transformer Mods for Document Length InputsSujit Pal
 
[論文紹介]A syntactic neural model for general purpose code generation
[論文紹介]A syntactic neural model for general purpose code generation [論文紹介]A syntactic neural model for general purpose code generation
[論文紹介]A syntactic neural model for general purpose code generation OgataTomoya
 
CNIT 127 Ch 3: Shellcode
CNIT 127 Ch 3: ShellcodeCNIT 127 Ch 3: Shellcode
CNIT 127 Ch 3: ShellcodeSam Bowne
 
Semaphores and Monitors
Semaphores and Monitors Semaphores and Monitors
Semaphores and Monitorssathish sak
 
Practical Malware Analysis: Ch 6: Recognizing C Code Constructs in Assembly
Practical Malware Analysis: Ch 6: Recognizing C Code Constructs in AssemblyPractical Malware Analysis: Ch 6: Recognizing C Code Constructs in Assembly
Practical Malware Analysis: Ch 6: Recognizing C Code Constructs in AssemblySam Bowne
 
20170925 onos and p4
20170925 onos and p420170925 onos and p4
20170925 onos and p4Yi Tseng
 
ITFT_Semaphores and bounded buffer
ITFT_Semaphores and bounded bufferITFT_Semaphores and bounded buffer
ITFT_Semaphores and bounded bufferSneh Prabha
 
LAS16-501: Introduction to LLVM - Projects, Components, Integration, Internals
LAS16-501: Introduction to LLVM - Projects, Components, Integration, InternalsLAS16-501: Introduction to LLVM - Projects, Components, Integration, Internals
LAS16-501: Introduction to LLVM - Projects, Components, Integration, InternalsLinaro
 
JS introduction
JS introductionJS introduction
JS introductionYi Tseng
 
Semophores and it's types
Semophores and it's typesSemophores and it's types
Semophores and it's typesNishant Joshi
 
Linux-wpan: IEEE 802.15.4 and 6LoWPAN in the Linux Kernel - BUD17-120
Linux-wpan: IEEE 802.15.4 and 6LoWPAN in the Linux Kernel - BUD17-120Linux-wpan: IEEE 802.15.4 and 6LoWPAN in the Linux Kernel - BUD17-120
Linux-wpan: IEEE 802.15.4 and 6LoWPAN in the Linux Kernel - BUD17-120Linaro
 
BUD17-302: LLVM Internals #2
BUD17-302: LLVM Internals #2 BUD17-302: LLVM Internals #2
BUD17-302: LLVM Internals #2 Linaro
 
Detecting Reconnaissance Through Packet Forensics by Shashank Nigam
Detecting Reconnaissance Through Packet Forensics by Shashank NigamDetecting Reconnaissance Through Packet Forensics by Shashank Nigam
Detecting Reconnaissance Through Packet Forensics by Shashank NigamOWASP Delhi
 
8051 micro controllers Instruction set
8051 micro controllers Instruction set 8051 micro controllers Instruction set
8051 micro controllers Instruction set Nitin Ahire
 

What's hot (20)

Transformer Mods for Document Length Inputs
Transformer Mods for Document Length InputsTransformer Mods for Document Length Inputs
Transformer Mods for Document Length Inputs
 
Presentacion exposicion Sistemas Digitales I
Presentacion exposicion Sistemas Digitales IPresentacion exposicion Sistemas Digitales I
Presentacion exposicion Sistemas Digitales I
 
Fun with TCP Packets
Fun with TCP PacketsFun with TCP Packets
Fun with TCP Packets
 
[論文紹介]A syntactic neural model for general purpose code generation
[論文紹介]A syntactic neural model for general purpose code generation [論文紹介]A syntactic neural model for general purpose code generation
[論文紹介]A syntactic neural model for general purpose code generation
 
CNIT 127 Ch 3: Shellcode
CNIT 127 Ch 3: ShellcodeCNIT 127 Ch 3: Shellcode
CNIT 127 Ch 3: Shellcode
 
Semaphores and Monitors
Semaphores and Monitors Semaphores and Monitors
Semaphores and Monitors
 
Practical Malware Analysis: Ch 6: Recognizing C Code Constructs in Assembly
Practical Malware Analysis: Ch 6: Recognizing C Code Constructs in AssemblyPractical Malware Analysis: Ch 6: Recognizing C Code Constructs in Assembly
Practical Malware Analysis: Ch 6: Recognizing C Code Constructs in Assembly
 
20170925 onos and p4
20170925 onos and p420170925 onos and p4
20170925 onos and p4
 
ITFT_Semaphores and bounded buffer
ITFT_Semaphores and bounded bufferITFT_Semaphores and bounded buffer
ITFT_Semaphores and bounded buffer
 
Beautiful Parrot
Beautiful ParrotBeautiful Parrot
Beautiful Parrot
 
Instruction Set of 8051 Microcontroller
Instruction Set of 8051 MicrocontrollerInstruction Set of 8051 Microcontroller
Instruction Set of 8051 Microcontroller
 
LAS16-501: Introduction to LLVM - Projects, Components, Integration, Internals
LAS16-501: Introduction to LLVM - Projects, Components, Integration, InternalsLAS16-501: Introduction to LLVM - Projects, Components, Integration, Internals
LAS16-501: Introduction to LLVM - Projects, Components, Integration, Internals
 
JS introduction
JS introductionJS introduction
JS introduction
 
Semophores and it's types
Semophores and it's typesSemophores and it's types
Semophores and it's types
 
Linux-wpan: IEEE 802.15.4 and 6LoWPAN in the Linux Kernel - BUD17-120
Linux-wpan: IEEE 802.15.4 and 6LoWPAN in the Linux Kernel - BUD17-120Linux-wpan: IEEE 802.15.4 and 6LoWPAN in the Linux Kernel - BUD17-120
Linux-wpan: IEEE 802.15.4 and 6LoWPAN in the Linux Kernel - BUD17-120
 
BUD17-302: LLVM Internals #2
BUD17-302: LLVM Internals #2 BUD17-302: LLVM Internals #2
BUD17-302: LLVM Internals #2
 
Uc 2(vii)
Uc 2(vii)Uc 2(vii)
Uc 2(vii)
 
Detecting Reconnaissance Through Packet Forensics by Shashank Nigam
Detecting Reconnaissance Through Packet Forensics by Shashank NigamDetecting Reconnaissance Through Packet Forensics by Shashank Nigam
Detecting Reconnaissance Through Packet Forensics by Shashank Nigam
 
8051 instruction set
8051 instruction set8051 instruction set
8051 instruction set
 
8051 micro controllers Instruction set
8051 micro controllers Instruction set 8051 micro controllers Instruction set
8051 micro controllers Instruction set
 

Similar to Applications of the Reverse Engineering Language REIL

BUD17-405: Building a reference IoT product with Zephyr
BUD17-405: Building a reference IoT product with Zephyr BUD17-405: Building a reference IoT product with Zephyr
BUD17-405: Building a reference IoT product with Zephyr Linaro
 
Serving Deep Learning Models At Scale With RedisAI: Luca Antiga
Serving Deep Learning Models At Scale With RedisAI: Luca AntigaServing Deep Learning Models At Scale With RedisAI: Luca Antiga
Serving Deep Learning Models At Scale With RedisAI: Luca AntigaRedis Labs
 
Introduction to TensorFlow Lite
Introduction to TensorFlow Lite Introduction to TensorFlow Lite
Introduction to TensorFlow Lite Koan-Sin Tan
 
Automated static deobfuscation in the context of Reverse Engineering
Automated static deobfuscation in the context of Reverse EngineeringAutomated static deobfuscation in the context of Reverse Engineering
Automated static deobfuscation in the context of Reverse Engineeringzynamics GmbH
 
OpenSAF Symposium_Python Bindings_9.21.11
OpenSAF Symposium_Python Bindings_9.21.11OpenSAF Symposium_Python Bindings_9.21.11
OpenSAF Symposium_Python Bindings_9.21.11OpenSAF Foundation
 
Understanding Android Benchmarks
Understanding Android BenchmarksUnderstanding Android Benchmarks
Understanding Android BenchmarksKoan-Sin Tan
 
running stable diffusion on android
running stable diffusion on androidrunning stable diffusion on android
running stable diffusion on androidKoan-Sin Tan
 
ITCamp 2017 - Raffaele Rialdi - Adopting .NET Core in Mainstream Projects
ITCamp 2017 - Raffaele Rialdi - Adopting .NET Core in Mainstream ProjectsITCamp 2017 - Raffaele Rialdi - Adopting .NET Core in Mainstream Projects
ITCamp 2017 - Raffaele Rialdi - Adopting .NET Core in Mainstream ProjectsITCamp
 
Linux Performance Analysis: New Tools and Old Secrets
Linux Performance Analysis: New Tools and Old SecretsLinux Performance Analysis: New Tools and Old Secrets
Linux Performance Analysis: New Tools and Old SecretsBrendan Gregg
 
Inria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoT
Inria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoTInria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoT
Inria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoTStéphanie Roger
 
Hot to build continuously processing for 24/7 real-time data streaming platform?
Hot to build continuously processing for 24/7 real-time data streaming platform?Hot to build continuously processing for 24/7 real-time data streaming platform?
Hot to build continuously processing for 24/7 real-time data streaming platform?GetInData
 
Highly concurrent yet natural programming
Highly concurrent yet natural programmingHighly concurrent yet natural programming
Highly concurrent yet natural programmingInfinit
 
Verilog Lecture1
Verilog Lecture1Verilog Lecture1
Verilog Lecture1Béo Tú
 
c programming L-1.pdf43333333544444444444444444444
c programming L-1.pdf43333333544444444444444444444c programming L-1.pdf43333333544444444444444444444
c programming L-1.pdf43333333544444444444444444444PurvaShyama
 
Platform-independent static binary code analysis using a meta-assembly language
Platform-independent static binary code analysis using a meta-assembly languagePlatform-independent static binary code analysis using a meta-assembly language
Platform-independent static binary code analysis using a meta-assembly languagezynamics GmbH
 
Facilitating continuous delivery in a FinTech world with Salt, Jenkins, Nexus...
Facilitating continuous delivery in a FinTech world with Salt, Jenkins, Nexus...Facilitating continuous delivery in a FinTech world with Salt, Jenkins, Nexus...
Facilitating continuous delivery in a FinTech world with Salt, Jenkins, Nexus...Michel Buczynski
 
Facilitating continuous delivery in a FinTech world with Salt, Jenkins, Nexus...
Facilitating continuous delivery in a FinTech world with Salt, Jenkins, Nexus...Facilitating continuous delivery in a FinTech world with Salt, Jenkins, Nexus...
Facilitating continuous delivery in a FinTech world with Salt, Jenkins, Nexus...Chocolatey Software
 
C# 8 in Libraries and Applications - BASTA! Frankfurt 2020
C# 8 in Libraries and Applications - BASTA! Frankfurt 2020C# 8 in Libraries and Applications - BASTA! Frankfurt 2020
C# 8 in Libraries and Applications - BASTA! Frankfurt 2020Christian Nagel
 

Similar to Applications of the Reverse Engineering Language REIL (20)

BUD17-405: Building a reference IoT product with Zephyr
BUD17-405: Building a reference IoT product with Zephyr BUD17-405: Building a reference IoT product with Zephyr
BUD17-405: Building a reference IoT product with Zephyr
 
Serving Deep Learning Models At Scale With RedisAI: Luca Antiga
Serving Deep Learning Models At Scale With RedisAI: Luca AntigaServing Deep Learning Models At Scale With RedisAI: Luca Antiga
Serving Deep Learning Models At Scale With RedisAI: Luca Antiga
 
Introduction to TensorFlow Lite
Introduction to TensorFlow Lite Introduction to TensorFlow Lite
Introduction to TensorFlow Lite
 
Automated static deobfuscation in the context of Reverse Engineering
Automated static deobfuscation in the context of Reverse EngineeringAutomated static deobfuscation in the context of Reverse Engineering
Automated static deobfuscation in the context of Reverse Engineering
 
OpenSAF Symposium_Python Bindings_9.21.11
OpenSAF Symposium_Python Bindings_9.21.11OpenSAF Symposium_Python Bindings_9.21.11
OpenSAF Symposium_Python Bindings_9.21.11
 
Understanding Android Benchmarks
Understanding Android BenchmarksUnderstanding Android Benchmarks
Understanding Android Benchmarks
 
running stable diffusion on android
running stable diffusion on androidrunning stable diffusion on android
running stable diffusion on android
 
Introduction to multicore .ppt
Introduction to multicore .pptIntroduction to multicore .ppt
Introduction to multicore .ppt
 
ITCamp 2017 - Raffaele Rialdi - Adopting .NET Core in Mainstream Projects
ITCamp 2017 - Raffaele Rialdi - Adopting .NET Core in Mainstream ProjectsITCamp 2017 - Raffaele Rialdi - Adopting .NET Core in Mainstream Projects
ITCamp 2017 - Raffaele Rialdi - Adopting .NET Core in Mainstream Projects
 
Lect 1.pptx
Lect 1.pptxLect 1.pptx
Lect 1.pptx
 
Linux Performance Analysis: New Tools and Old Secrets
Linux Performance Analysis: New Tools and Old SecretsLinux Performance Analysis: New Tools and Old Secrets
Linux Performance Analysis: New Tools and Old Secrets
 
Inria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoT
Inria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoTInria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoT
Inria Tech Talk : RIOT, l'OS libre pour vos objets connectés #IoT
 
Hot to build continuously processing for 24/7 real-time data streaming platform?
Hot to build continuously processing for 24/7 real-time data streaming platform?Hot to build continuously processing for 24/7 real-time data streaming platform?
Hot to build continuously processing for 24/7 real-time data streaming platform?
 
Highly concurrent yet natural programming
Highly concurrent yet natural programmingHighly concurrent yet natural programming
Highly concurrent yet natural programming
 
Verilog Lecture1
Verilog Lecture1Verilog Lecture1
Verilog Lecture1
 
c programming L-1.pdf43333333544444444444444444444
c programming L-1.pdf43333333544444444444444444444c programming L-1.pdf43333333544444444444444444444
c programming L-1.pdf43333333544444444444444444444
 
Platform-independent static binary code analysis using a meta-assembly language
Platform-independent static binary code analysis using a meta-assembly languagePlatform-independent static binary code analysis using a meta-assembly language
Platform-independent static binary code analysis using a meta-assembly language
 
Facilitating continuous delivery in a FinTech world with Salt, Jenkins, Nexus...
Facilitating continuous delivery in a FinTech world with Salt, Jenkins, Nexus...Facilitating continuous delivery in a FinTech world with Salt, Jenkins, Nexus...
Facilitating continuous delivery in a FinTech world with Salt, Jenkins, Nexus...
 
Facilitating continuous delivery in a FinTech world with Salt, Jenkins, Nexus...
Facilitating continuous delivery in a FinTech world with Salt, Jenkins, Nexus...Facilitating continuous delivery in a FinTech world with Salt, Jenkins, Nexus...
Facilitating continuous delivery in a FinTech world with Salt, Jenkins, Nexus...
 
C# 8 in Libraries and Applications - BASTA! Frankfurt 2020
C# 8 in Libraries and Applications - BASTA! Frankfurt 2020C# 8 in Libraries and Applications - BASTA! Frankfurt 2020
C# 8 in Libraries and Applications - BASTA! Frankfurt 2020
 

More from zynamics GmbH

Everybody be cool, this is a roppery!
Everybody be cool, this is a roppery!Everybody be cool, this is a roppery!
Everybody be cool, this is a roppery!zynamics GmbH
 
Automated Mobile Malware Classification
Automated Mobile Malware ClassificationAutomated Mobile Malware Classification
Automated Mobile Malware Classificationzynamics GmbH
 
VxClass for Incident Response
VxClass for Incident ResponseVxClass for Incident Response
VxClass for Incident Responsezynamics GmbH
 
Malware classification
Malware classificationMalware classification
Malware classificationzynamics GmbH
 

More from zynamics GmbH (7)

Everybody be cool, this is a roppery!
Everybody be cool, this is a roppery!Everybody be cool, this is a roppery!
Everybody be cool, this is a roppery!
 
Automated Mobile Malware Classification
Automated Mobile Malware ClassificationAutomated Mobile Malware Classification
Automated Mobile Malware Classification
 
VxClass for Incident Response
VxClass for Incident ResponseVxClass for Incident Response
VxClass for Incident Response
 
Malware classification
Malware classificationMalware classification
Malware classification
 
Hitb
HitbHitb
Hitb
 
Eusecwest
EusecwestEusecwest
Eusecwest
 
Bh dc09
Bh dc09Bh dc09
Bh dc09
 

Recently uploaded

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 

Recently uploaded (20)

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 

Applications of the Reverse Engineering Language REIL

  • 1. Applications of the Reverse Engineering Language REIL Hackers to Hackers Conference 2009, São Paulo Sebastian Porst zynamics GmbH (sebastian.porst@zynamics.com)
  • 2. Talk Overview • Necessity of new RE methods • Solutions we developed • Applications of our solutions
  • 3. About zynamics • Small German company • Unhappy with the state of Reverse Engineering • Needed: New RE tools and methods –BinDiff, BinNavi, VxClass
  • 4. About me • Lead Developer of BinNavi • Many years of RE experience • Try to come up with new RE methods • Talk about it at conferences
  • 5. What we are doing • Build Reverse Engineering tools • Try to automize binary file analysis • Help people find vulnerabilities
  • 6. Why we are doing this Software Complexity Architectural Diversity Microsoft Security Budget Good old days Now
  • 7. How we are doing this • Develop new RE methods –Platform-Independent –Easy to use • Integrate them into our tools
  • 8. REIL • Reverse Engineering Intermediate Language • Platform-Independent • Designed for Reverse Engineering
  • 9. Design Principles • Very small instruction set • Very regular operand structure • Very simple operand types • No side-effects
  • 11. REIL Usage Convert native code to REIL Run REIL algorithm Port results back to original code
  • 12. Advantages • Easy to pick up and comprehend • Reduces analysis complexity • Write once; use everywhere
  • 13. MonoREIL • Monotone framework for REIL • Simplifies analysis algorithm development • Read the book
  • 14. Advantages • All algorithms have the same regular structure • Simplifies algorithms –Trade-off: Runtime
  • 15. Core Concepts • Instruction Graph • Lattice • Monotone Transformations
  • 16. Instruction Graph 1400: add t0, 15, t1 1401: bisz t1, , t2 1402: jcc t2, , 1405 1403: str 8, , t3 1405: str 16, , t3 1404: jcc t2, , 1406 1406: add t3, t3, t4 1407: jcc 1, , 1420
  • 18. Transformations 1400: add t0, 15, t1 1401: bisz t1, , t2 1402: jcc t2, , 1405 1403: str 8, , t3 1405: str 16, , t3 1404: jcc t2, , 1406 1406: add t3, t3, t4 1407: jcc 1, , 1420
  • 19. Applications Register Tracking: Helps Reverse Engineers follow data flow through code (Never officially presented) Index Underflow Detection: Automatically find negative array accesses (CanSecWest 2009, Vancouver) Automated Deobfuscation: Make obfuscated code more readable (SOURCE Barcelona 2009, Barcelona) ROP Gadget Generator: Automatically generates return-oriented shellcode (Work in progress; scheduled for Q1/2010)
  • 20. Register Tracking • Follows interesting register values • Keeps track of dependent values • Transitive closure of the effects of a register on the program state
  • 21. Lattice All eax eax ebx ecx ebx ecx ecx OF eax ebx ecx OF Ø
  • 22. General Idea • Start with the tracked register • Follow the control flow • Instruction uses register → Add modified registers to the tracked set • Instruction clears register → Remove cleared register from the set
  • 23. Example {t0} add t0, 4, t1 {t0, t1} bisz t2, , CF {t0, t1} bisz t0, , ZF {t0, t1, ZF} add t2, 4, t1 {t0, ZF}
  • 25. Use • Fully integrated into BinNavi • Makes it very simple to follow values • Helps the reverse engineer to concentrate on what is important
  • 26. Range Tracking • Tracks potential ranges for register values • Useful to detect buffer underflows like MS08-67 • Intervals are used to cut down on complexity
  • 27. Lattice • Complicated to show in a picture • Keep track of register values and pointer dereferences as a list of ranges • eax [0 .. 4] [0 .. 10] – Add a value between 0 and 10 to [eax], [eax + 1], [eax + 2], [eax + 3], or [eax + 4]
  • 28. General Idea • Track register values relative to their first use • Follow the control flow • Calculate maximum range of effects each instruction has on a register • If the range gets negative for memory accesses, mark the location
  • 29. Use • Helps bug hunters to find potential vulnerabilities • Automated and effective • Not yet fully proven to work
  • 30. Deobfuscation • Convert obfuscated code into something more readable • Multi-process step with many lattices –Constant propagation –Dead code elimination –...
  • 31. General Idea • Take a piece of code • Apply the deobfuscation algorithms • Repeat until no further deobfuscation is possible • Result: Deobfuscated Code
  • 32. Result Before After
  • 33. Problems • Turns out that deobfuscation is tricky for many reasons • Further requirements: –Function that determines the readability of code –Backend that produces executable code from REIL
  • 34. ROP Gadget Generator • Return-oriented shellcode generator • REIL-based but not MonoREIL-based • Originally for Windows Mobile but platform-independent • To be presented in 2010
  • 35. General Idea • Automated analysis of instruction sequences • Automated extraction of useful instruction sequences • Combines gadgets to shellcode • Helps the development of return- oriented shellcode
  • 37. Future Development • BinAudit –Collection of algorithms for vulnerability research • Type Reconstruction –Figuring out what higher level data types are stored in registers
  • 38. Related Work • ERESI Project • BitBlaze • Silvio Cesare