EECS 354 Network Security
Reverse Engineering
Reverse Engineering
Introduction
Preventing Reverse Engineering
Reversing High Level Languages
Reversing an ELF Executable
Anything is possible
There is no computer system in existence that cannot be reverse engineered
Most important limiting factors:
Complexity
Time
Reversing by Language
Ruby, JavaScript, HTML, etc.
Not compiled
Python, Java, C#, VB.NET, etc.
Byte compiled
Easier to decompile/inspect
Many symbols still exist in bytecode
C, C++
Compiled into machine code
Much harder to decompile
Still possible to reverse engineer with debugger and disassembler
Scalability of techniques
Basic reversing techniques work for small code bases
It’s possible to determine what assembly code does for a 100 line C program without too much difficulty
Not used heavily by hackers
When trying to hack an application, crashes and error messages are better hints
Windows
Is it possible to reverse engineer Windows?
How many lines of code does it have?
How long would it take?
Wine’s reverse engineering
The Wine project attempts to implement the Windows API
Project began in 1993, still unstable and incomplete
Has over 1.4 million lines of code (written by 700 contributors)
Does not cover all of Windows (core OS, windowing, etc)
On the other hand, Samba (reverse engineering Windows file sharing) has been pretty successful
Why Reverse Engineering?
Defense
Security companies often reverse malware binaries
Protocol reversing for botnet analysis
Working with proprietary APIs or protocols
Hacking
Finding vulnerabilities is easier with the code
Preventing reverse engineering
Obfuscation
Translate code into something unreadable or unnatural
Must trick a human reader without tricking the machine interpreter/loader
Beyond its most basic form, reverse engineering is largely a matter of defeating software obfuscation
Obfuscation Techniques
Renaming functions/variables
Adding bogus code with no side-effects
Removing whitespace
Making strings/numbers hex values
Using “dynamic” code
JavaScript: eval
Java: GetName, GetAttribute
Python: getattr, setattr
Most of these are reversible
The exception: original function/variable names can’t be recovered
Obfuscation Techniques
Packing
Storing an executable as a string (or otherwise) within an executable
Can make use of compression and encryption to hide contents
Decompression or decryption code must be packed in the executable as well
Complex packers exist for most languages
JavaScript Obfuscation
<script>eval(unescape('%3C%64%69%76%20%73%74'))</script>
<script>a = 't'; b = 'er'; c = 'a'; d = eval; e = '\"XSS\"'; d(c+'l'+b+a+'('+e+')'); </script>
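Added example, not from the slides: an analysis helper that recovers what the two snippets above hand to eval() by shadowing `eval` with a recorder, so the decoded payload is observed but never executed. `percentDecode`, `stripScriptTags` and `captureEval` are names chosen here; the sample strings are the slide's own.

```javascript
// Added example: recover the strings obfuscated JavaScript passes to eval()
// without executing them. `new Function` still runs the wrapper code in this
// process, so this is an analysis aid, not an isolation boundary: for a real
// sample, run it inside a disposable VM or container.
const SAMPLES = [   // the two snippets from the slide
  "<script>eval(unescape('%3C%64%69%76%20%73%74'))</script>",
  "<script>a = 't'; b = 'er'; c = 'a'; d = eval; e = '\"XSS\"'; d(c+'l'+b+a+'('+e+')'); </script>",
];

// Minimal stand-in for the legacy unescape(): handles %XX and %uXXXX escapes.
function percentDecode(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (_, u, b) => String.fromCharCode(parseInt(u ?? b, 16)));
}

function stripScriptTags(html) {
  return html.replace(/<\/?script\b[^>]*>/gi, '');
}

// Runs `source` with `eval` and `unescape` bound to our own functions. The
// Function-constructor body is sloppy-mode code, so `eval` is a legal parameter
// name, and the sample's `d = eval` picks up the recorder instead of real eval.
function captureEval(source) {
  const captured = [];
  const recorder = (code) => { captured.push(String(code)); };   // record, don't run
  const wrapper = new Function('eval', 'unescape', stripScriptTags(source));
  wrapper(recorder, percentDecode);
  return captured;
}

function analyzeSamples() {
  return SAMPLES.map(captureEval);   // [['<div st'], ['alert("XSS")']]
}
```

Each recovered string is itself a candidate for another pass through captureEval, since packed scripts commonly nest several eval stages.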
What is byte code?
Byte code is compiled code that cannot be executed directly by the processor
Distinct from machine code
Architecture independent
Executed by a software interpreter: a VM, a JIT compiler, etc.
Byte code is often dynamic
Symbols can be referenced at runtime
This means the program structure still exists and can be rebuilt
Decompilers
Decompilers reverse the steps taken by a compiler
Opcode translation
Abstract Syntax Tree construction
Python: Uncompyle2, decompyle, unpyc
Java: Jad, JD
Executables
Machine code is changed significantly from the original source code
Variables have been allocated to registers or somewhere in memory
Optimization steps have changed the program structure
No way to decompile this back to the original source
Machine instructions translate directly to assembly code
Disassembly analysis can be effective
Reversing Executables
We will be focusing on x86 32-bit LSB ELF executables
Contains ELF header, program header, section table, and data
May also contain a symbol table
Reversing Executables
ELF Header contains program entry point, basic identifying information
Program header describes memory segments (e.g. where in memory will segments be loaded? what parts of memory are r/w/x?)
Used at program load time
Section table describes section layout (e.g. where’s the .rodata? .text? .bss?)
Used at link time
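Added example, not from the slides: a parser for the ELF header and program headers just described, written for x86 32-bit LSB ELF with Node's Buffer. It reads the entry point, segment ranges and r/w/x flags, and emits warnings for the header tricks the deck later lists under ELF Obfuscation (a missing section table, corrupted header fields, writable-and-executable segments). `parseElf32` and `buildSampleElf` are names chosen here; the sample image is constructed inline.

```javascript
// Added example: parse an ELF32 header and program headers and flag values that
// point at a stripped or deliberately corrupted header. Offsets follow the ELF32
// layout: Elf32_Ehdr is 52 bytes, each Elf32_Phdr is 32 bytes.
const PT_LOAD = 1, PF_X = 1, PF_W = 2, PF_R = 4;

function parseElf32(buf) {
  if (buf.length < 52 || buf.readUInt32BE(0) !== 0x7f454c46) throw new Error('not an ELF file');
  if (buf[4] !== 1 || buf[5] !== 1) throw new Error('only ELFCLASS32 / ELFDATA2LSB handled here');
  const hdr = {
    type: buf.readUInt16LE(16), machine: buf.readUInt16LE(18),          // ET_EXEC=2, EM_386=3
    entry: buf.readUInt32LE(24),                                        // program entry point
    phoff: buf.readUInt32LE(28), shoff: buf.readUInt32LE(32),           // table offsets (0 = absent)
    phentsize: buf.readUInt16LE(42), phnum: buf.readUInt16LE(44),       // program header table
    shentsize: buf.readUInt16LE(46), shnum: buf.readUInt16LE(48),       // section header table
  };
  const warnings = [];
  if (hdr.shoff === 0 || hdr.shnum === 0) warnings.push('no section table: stripped or corrupted header');
  if (hdr.phentsize !== 32) warnings.push(`unexpected e_phentsize ${hdr.phentsize}`);
  if (hdr.phoff + hdr.phnum * hdr.phentsize > buf.length) warnings.push('program headers run past end of file');
  const segments = [];
  for (let i = 0; i < hdr.phnum; i++) {
    const off = hdr.phoff + i * hdr.phentsize;
    if (off + 32 > buf.length) break;                     // truncated table: keep what was readable
    const type = buf.readUInt32LE(off), flags = buf.readUInt32LE(off + 24);
    const perm = (flags & PF_R ? 'r' : '-') + (flags & PF_W ? 'w' : '-') + (flags & PF_X ? 'x' : '-');
    if (type === PT_LOAD && (flags & PF_W) && (flags & PF_X))
      warnings.push(`segment ${i} is writable and executable (runtime unpacking?)`);
    segments.push({ type, vaddr: buf.readUInt32LE(off + 8), filesz: buf.readUInt32LE(off + 16),
                    memsz: buf.readUInt32LE(off + 20), perm });
  }
  return { ...hdr, segments, warnings };
}

// Constructed sample image: the header plus one PT_LOAD r-x segment, with the
// section-table fields left at zero as a stripped or packed binary might present.
function buildSampleElf() {
  const b = Buffer.alloc(52 + 32);
  b.write('\x7fELF', 0, 'latin1');
  b[4] = 1; b[5] = 1; b[6] = 1;                                // ELFCLASS32, ELFDATA2LSB, EV_CURRENT
  b.writeUInt16LE(2, 16); b.writeUInt16LE(3, 18);              // e_type ET_EXEC, e_machine EM_386
  b.writeUInt32LE(1, 20); b.writeUInt32LE(0x08048080, 24);     // e_version, e_entry
  b.writeUInt32LE(52, 28);                                     // e_phoff: table right after the header
  b.writeUInt16LE(52, 40); b.writeUInt16LE(32, 42); b.writeUInt16LE(1, 44); // e_ehsize, e_phentsize, e_phnum
  b.writeUInt32LE(PT_LOAD, 52); b.writeUInt32LE(0, 56);        // p_type, p_offset
  b.writeUInt32LE(0x08048000, 60); b.writeUInt32LE(0x08048000, 64); // p_vaddr, p_paddr
  b.writeUInt32LE(84, 68); b.writeUInt32LE(84, 72);            // p_filesz, p_memsz (whole file)
  b.writeUInt32LE(PF_R | PF_X, 76); b.writeUInt32LE(0x1000, 80); // p_flags, p_align
  return b;
}
```

Against a real binary, compare the result with `readelf -h` and `readelf -l`: the loader trusts only the program headers, so a zeroed or nonsensical section table stops objdump from showing .text while the file still runs.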
x86 Assembly
mov
add, sub, shl, shr, sar, mul, div
and, or, xor
jmp, je, jne, jl, jg, jle, jge
cmp, test
call, push, pop, ret, nop
0x8(%esp), -0xc(%ebp)
Reversing Basics
Basic tools:
file
strings
strace (and ltrace)
nm
objdump or readelf
tcpdump
gdb
You can reverse anything with a good debugger, but…
Reversing Frameworks
For more advanced reversing, it may help to have more than just a debugger
IDA
Radare
ELF Obfuscation
There are some additional techniques for obfuscating executable formats:
Storing data in unusual sections: .ctors, .dtors, .init, etc
“Corrupting” the ELF header
Stripping the symbol table
Checking ptrace to prevent debuggers
Packing
Code is unpacked dynamically during execution
Malware Examples
Demo...
Source: http://crackmes.de/users/synamics/xrockmr/