visual reverse engineering

Post on 15-Feb-2016


DESCRIPTION

Visual Reverse Engineering. Willy Vasquez. Background. Willy Vasquez Rising Senior at MIT Studying Computer Science and Engineering Research with Shafi Goldwasser Intern at Symantec Mobility Management Group. Source. Work of Christopher Domas of the Battelle Memorial Institute - PowerPoint PPT Presentation

TRANSCRIPT

Visual Reverse Engineering

Willy Vasquez

Background
› Willy Vasquez, rising senior at MIT
› Studying Computer Science and Engineering
› Research with Shafi Goldwasser
› Intern at Symantec Mobility Management Group

Source
› Work of Christopher Domas of the Battelle Memorial Institute
› Brief overview of his talk at REcon: “The Future of RE: Dynamic Binary Visualization”

Reverse Engineering
› The goal is to answer “what is this and what does it do?”

From Art to Science
› Lots of time is spent identifying patterns
› Finding the patterns is an art

Visual RE
› Taking a computationally difficult task and translating it into a problem our brains do naturally
› Traversing thousands of lines of hex and making sense of it in 20 seconds

Why improve?
› Steganography
› Obfuscation
› Embedded devices
› Unknown formats

Why improve?
› Our current best RE tools are completely dependent on known structure

Gates’ Law
› Software is getting slower more rapidly than hardware becomes faster
› The amount of information we need to analyze is growing exponentially

Background Ideas
› Greg Conti: US Military Academy, Black Hat
› Aldo Cortesi: Nullcube, corte.si

Conti’s Idea
› Even in unstructured data there are relationships, especially among local hex bytes

Digraphs

Conti’s Idea
[Figure labels: ASCII, Audio, Image]

Cortesi’s Work
› Mapping data to Hilbert curves

Building on Concepts
› Goal: understanding data independent of format

..cantor.dust..
› Named after Georg Cantor
› Works by emphasizing the idea of relationships between binary information

3D Digraphs

Entropy Explorer
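The three views above (Conti's byte-pair digraphs, Cortesi's Hilbert-curve layout and cantor.dust's entropy explorer) reduced to the computations behind them, as an added Python example that is not part of the talk or of cantor.dust. The sample buffer, the 512-byte window and the random seed are constructed here; a real tool would feed the same counts and coordinates to a renderer.

```python
import math
import random
from collections import Counter

def digraph_counts(data: bytes) -> Counter:
    """Count adjacent byte pairs; Conti's digraph view plots pair (x, y)
    as a point at column x, row y, with brightness proportional to the count."""
    return Counter(zip(data, data[1:]))

def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for perfectly uniform bytes."""
    n = len(chunk)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())

def windowed_entropy(data: bytes, window: int) -> list:
    """The entropy-explorer idea: entropy of each fixed-size window along the file."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]

def hilbert_d2xy(order: int, d: int) -> tuple:
    """Map file offset d onto a Hilbert curve of side 2**order (Cortesi's layout),
    so offsets that are close in the file stay close in the 2-D picture."""
    x = y = 0
    s, t = 1, d
    while s < (1 << order):
        rx = 1 & (t // 2)
        ry = 1 & (t ^ rx)
        if ry == 0:                      # rotate the quadrant so the curve stays continuous
            if rx == 1:
                x, y = s - 1 - x, s - 1 - y
            x, y = y, x
        x, y = x + s * rx, y + s * ry
        t //= 4
        s *= 2
    return x, y

# Constructed sample: 512 bytes of plain ASCII text followed by 512 pseudo-random
# bytes standing in for a packed or encrypted section (seeded, so runs are repeatable).
TEXT_REGION = (b"the quick brown fox jumps over the lazy dog. " * 12)[:512]
_rng = random.Random(1)
RANDOM_REGION = bytes(_rng.getrandbits(8) for _ in range(512))
SAMPLE = TEXT_REGION + RANDOM_REGION

if __name__ == "__main__":
    for i, h in enumerate(windowed_entropy(SAMPLE, 512)):
        print(f"window {i} @ offset {i * 512:#06x}: {h:.2f} bits/byte")
    print("distinct digraphs: text", len(digraph_counts(TEXT_REGION)),
          "random", len(digraph_counts(RANDOM_REGION)))
    print("offset 3 on an order-1 Hilbert curve lands at", hilbert_d2xy(1, 3))
```

The text window lands well below 5 bits/byte and the random window above 7, and the text region uses only a few dozen distinct byte pairs, which is the sparse, structured digraph picture the talk contrasts with the dense cloud of packed data.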

..cantor.dust.. classification
› Bayesian method to classify certain types of formats

..cantor.dust.. parsing
› Current binary parsing:
› Recursive descent: IDA style, follows patterns and calls in the code
› Linear sweep: objdump style, goes through the binary in a linear fashion
› Both rely on a structured grammar
› ..cantor.dust.. uses probabilistic parsing, which does not rely on a grammar

..cantor.dust.. summary
› A new way to look at binary information
› The demo can be found from the Black Hat presentation: https://media.blackhat.com/bh-us-12/Arsenal/Domas/_cantor.dust_.7z.zip
› No updates since last summer

Sources
› The full talk and slides are located on the recon.cx website: http://recon.cx/2013/schedule/events/20.html
