Page 1
Applications of the Reverse Engineering Language REIL
Hackers to Hackers Conference 2009, São Paulo
Sebastian Porst
zynamics GmbH
Page 2
Talk Overview
• Necessity of new RE methods
• Solutions we developed
• Applications of our solutions
Page 3
About zynamics
• Small German company
• Unhappy with the state of Reverse Engineering
• Needed: New RE tools and methods
–BinDiff, BinNavi, VxClass
Page 4
About me
• Lead Developer of BinNavi
• Many years of RE experience
• Try to come up with new RE methods
• Talk about it at conferences
Page 5
What we are doing
• Build Reverse Engineering tools
• Try to automate binary file analysis
• Help people find vulnerabilities
Page 6
Why we are doing this
[Chart comparing the "Good old days" with "Now" along three axes: Software Complexity, Architectural Diversity, Microsoft Security Budget]
Page 7
How we are doing this
• Develop new RE methods
–Platform-Independent
–Easy to use
• Integrate them into our tools
Page 8
REIL
• Reverse Engineering Intermediate Language
• Platform-Independent
• Designed for Reverse Engineering
Page 9
Design Principles
• Very small instruction set
• Very regular operand structure
• Very simple operand types
• No side-effects
Page 10
Example
Page 11
REIL Usage
Convert native code to REIL → Run REIL algorithm → Port results back to original code
Page 12
Advantages
• Easy to pick up and comprehend
• Reduces analysis complexity
• Write once; use everywhere
Page 13
MonoREIL
• Monotone framework for REIL
• Simplifies analysis algorithm development
• Read the book
Page 14
Advantages
• All algorithms have the same regular structure
• Simplifies algorithms
–Trade-off: Runtime
Page 15
Core Concepts
• Instruction Graph
• Lattice
• Monotone Transformations
Page 16
Instruction Graph
1400: add t0, 15, t1
1401: bisz t1, , t2
1402: jcc t2, , 1405
1403: str 8, , t3
1404: jcc t2, , 1406
1405: str 16, , t3
1406: add t3, t3, t4
1407: jcc 1, , 1420
Page 17
Lattice
[Lattice diagram with bottom element B (⊥) and top element T (⊤)]
Page 18
Transformations
1400: add t0, 15, t1
1401: bisz t1, , t2
1402: jcc t2, , 1405
1403: str 8, , t3
1404: jcc t2, , 1406
1405: str 16, , t3
1406: add t3, t3, t4
1407: jcc 1, , 1420
Page 19
Applications
• Register Tracking: Helps Reverse Engineers follow data flow through code (Never officially presented)
• Index Underflow Detection: Automatically find negative array accesses (CanSecWest 2009, Vancouver)
• Automated Deobfuscation: Make obfuscated code more readable (SOURCE Barcelona 2009, Barcelona)
• ROP Gadget Generator: Automatically generates return-oriented shellcode (Work in progress; scheduled for Q1/2010)
Page 20
Register Tracking
• Follows interesting register values
• Keeps track of dependent values
• Transitive closure of the effects of a register on the program state
Page 21
Lattice
[Hasse diagram of the powerset lattice of tracked registers: Ø at the bottom; the singletons eax, ebx, ecx, OF; pairs such as {eax, ebx}, {eax, ecx}, {ebx, ecx}, {ecx, OF}; ...; "All" at the top]
Page 22
General Idea
• Start with the tracked register
• Follow the control flow
• Instruction uses register → Add modified registers to the tracked set
• Instruction clears register → Remove cleared register from the set
Page 23
Example
Tracked set      Instruction
{t0}             add t0, 4, t1
{t0, t1}         bisz t2, , CF
{t0, t1}         bisz t0, , ZF
{t0, t1, ZF}     add t2, 4, t1
{t0, ZF}
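The register-tracking rules from the "General Idea" slide, run as a MonoREIL-style forward analysis over a REIL instruction graph (lattice = sets of register names, join = set union, worklist fixpoint as in the "Core Concepts" slides). This is an added example written for this transcript, not zynamics' MonoREIL or BinNavi code; the tuple layout of an instruction, the helper names and the addresses 0..3 of the example listing are assumptions.

```python
from collections import deque
# REIL instruction as (address, mnemonic, op1, op2, op3); "" is an empty operand.
# Listing from the slides' register-tracking example; addresses 0..3 are constructed.
EXAMPLE = [
    (0, "add",  "t0", "4", "t1"),
    (1, "bisz", "t2", "",  "CF"),
    (2, "bisz", "t0", "",  "ZF"),
    (3, "add",  "t2", "4", "t1"),
]

def is_register(operand):
    return operand != "" and not operand.isdigit()  # REIL literals are plain integers

def written_register(instr):
    # jcc changes control flow and stm writes memory; neither defines a register.
    mnem, op3 = instr[1], instr[4]
    return op3 if mnem not in ("jcc", "stm") and is_register(op3) else None

def transfer(instr, tracked):
    """Slide rules: a use of a tracked register tracks the result; an untracked overwrite clears it."""
    _, _, op1, op2, _ = instr
    dest = written_register(instr)  # None when nothing is written (no-op below)
    if dest is not None and any(is_register(op) and op in tracked for op in (op1, op2)):
        return tracked | {dest}
    return tracked - {dest}

def successors(instrs, index):
    """Indices of the control-flow successors of instrs[index]."""
    _, mnem, cond, _, target = instrs[index]
    by_addr = {ins[0]: n for n, ins in enumerate(instrs)}
    succ = []
    if mnem == "jcc" and int(target) in by_addr:  # targets outside the graph are dropped
        succ.append(by_addr[int(target)])
    if not (mnem == "jcc" and cond == "1") and index + 1 < len(instrs):
        succ.append(index + 1)  # fall-through, unless the jump is unconditional
    return succ

def track(instrs, initial):
    """Worklist fixpoint (join = set union); returns {address: tracked set after that instruction}."""
    state_in, state_out, work = {0: set(initial)}, {}, deque([0])
    while work:
        n = work.popleft()
        out = transfer(instrs[n], state_in[n])
        if out == state_out.get(n):
            continue  # unchanged, so the successors need no revisit
        state_out[n] = out
        for s in successors(instrs, n):
            state_in[s] = state_in.get(s, set()) | out
            work.append(s)
    return {instrs[n][0]: out for n, out in state_out.items()}
```

Running `track(EXAMPLE, {"t0"})` reproduces the tracked sets on the slide, ending in {t0, ZF}; the same function handles branching graphs such as the one on the "Instruction Graph" slide, where the sets arriving over the two paths into 1406 are joined by union.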
Page 24
Result
Page 25
Use
• Fully integrated into BinNavi
• Makes it very simple to follow values
• Helps the reverse engineer to concentrate on what is important
Page 26
Range Tracking
• Tracks potential ranges for register values
• Useful to detect buffer underflows like MS08-067
• Intervals are used to cut down on complexity
Page 27
Lattice
• Complicated to show in a picture
• Keep track of register values and pointer dereferences as a list of ranges
• Example: eax → [0 .. 4], stored value → [0 .. 10]
–Add a value between 0 and 10 to [eax], [eax + 1], [eax + 2], [eax + 3], or [eax + 4]
Page 28
General Idea
• Track register values relative to their first use
• Follow the control flow
• Calculate maximum range of effects each instruction has on a register
• If the range gets negative for memory accesses, mark the location
Page 29
Use
• Helps bug hunters to find potential vulnerabilities
• Automated and effective
• Not yet fully proven to work
Page 30
Deobfuscation
• Convert obfuscated code into something more readable
• Multi-step process with many lattices
–Constant propagation
–Dead code elimination
–...
Page 31
General Idea
• Take a piece of code
• Apply the deobfuscation algorithms
• Repeat until no further deobfuscation is possible
• Result: Deobfuscated Code
Page 32
Result
[Side-by-side listing: obfuscated code (Before) and deobfuscated code (After)]
Page 33
Problems
• Turns out that deobfuscation is tricky for many reasons
• Further requirements:
–Function that determines the readability of code
–Backend that produces executable code from REIL
Page 34
ROP Gadget Generator
• Return-oriented shellcode generator
• REIL-based but not MonoREIL-based
• Originally for Windows Mobile but platform-independent
• To be presented in 2010
Page 35
General Idea
• Automated analysis of instruction sequences
• Automated extraction of useful instruction sequences
• Combines gadgets into shellcode
• Helps the development of return-oriented shellcode
Page 36
Result
Page 37
Future Development
• BinAudit
–Collection of algorithms for vulnerability research
• Type Reconstruction
–Figuring out what higher level data types are stored in registers
Page 38
Related Work
• ERESI Project
• BitBlaze
• Silvio Cesare
Page 39
http://www.flickr.com/photos/marcobellucci/3534516458/