CIS 4615 meeting -*- Outline -*-

* overview of reversing

Based on the book Reversing: Secrets of Reverse Engineering
by Eldad Eilam, Wiley (2005).

** definition

------------------------------------------
WHAT IS REVERSING?

def: *reverse engineering* is the process of

------------------------------------------
... analyzing a system to identify the system's components
    and their interrelationship and to create abstractions of the system
    -- based on an IEEE 1990 definition

Q: How does reverse engineering differ from scientific discovery?

The subject is a designed/engineered artifact

** goals

------------------------------------------
GOALS

Why do reverse engineering?

- increase understanding
- porting code to new platforms
- interoperability
- discovering flaws and faults
- see what other software is used
- malware detection and understanding
  Especially for unknown malware that:
  - makes basic dynamic analysis hard
  - fights back
------------------------------------------

Q: How could reversing help with porting code?

Understand how the software interacts with the OS or runtime.

Q: How could reversing help with interoperability?

Understanding protocols and data structures used in other languages.

Q: Why would malware want to make analysis difficult?

To remain stealthy, to remain effective

** techniques

------------------------------------------
TECHNIQUES

Static and dynamic analysis

Static analysis:
- given binary executable, recover assembly language listing,
  understand its functionality

Dynamic analysis:
- often an aid to static analysis, e.g.,

- using debugging techniques, e.g.,

------------------------------------------
... in unpacking
... breakpoints, single stepping

*** process

------------------------------------------
OVERALL PROCESS

Large-scale observations (systems level)
- determine

Code-level reversing
- understand

------------------------------------------
... general structure of code (modules)
    areas of interest

Q: How do we do large-scale observations?
Using basic static and dynamic analysis

... a block of code in detail

*** tools

------------------------------------------
TOOLS FOR REVERSING

system monitoring tools

disassemblers, which

debuggers, which

decompilers, which

------------------------------------------
... take a binary executable and translate it into assembly language

Q: Does a disassembler lose information?

No, it is just a more human-readable representation of the binary code

... allow detailed observation of code while it is running
    can set breakpoints, and single-step (trace) through code

... try to recover high-level language code from the binary

Q: When do decompilers work well?

With bytecode/interpreted languages, like Java and C#, or Ruby...

** applications

------------------------------------------
APPLICATIONS OF REVERSE ENGINEERING

- Developing competing products
- encryption research and evaluation
  - verification of implementation details
- understanding malicious software
  - finding secret
  - understanding
- defeating
  - OS defenses
  - copy protection, DRM
- auditing binaries
  - for security problems
  - for quality and robustness
- interoperability
  - for data and network protocols

------------------------------------------
... keys e.g., for unpacking and control domains
... protocols

** legal issues

------------------------------------------
IS REVERSING LEGAL?

It depends

Good/ethical uses:
- for interoperability
- to gather information (not code)
- encryption research
- security testing/evaluation
- for protection of privacy

Bad/unethical uses:
- copying of code (copyright violations)
- defeating copyright protection systems (DMCA)

Watch out for license agreements!

------------------------------------------
... on many circumstances, seek legal advice
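To make the tools-section point concrete (a disassembler loses no information: the listing maps back to exactly the bytes it came from), here is an added example that is not part of these notes or of Eilam's book: a toy x86-64 disassembler covering a hand-picked subset of opcodes, with the inverse assembler used to check the round trip. The opcode table, the sample bytes and the function names are all constructed for this illustration; real tools cover the full instruction set and also have to locate code inside an executable's sections.

```python
import struct
# Constructed opcode table: encoding prefix -> (text template, immediate size, struct fmt).
OPS = {
    b"\x55": ("push rbp", 0, ""),
    b"\x5d": ("pop rbp", 0, ""),
    b"\xc3": ("ret", 0, ""),
    b"\x31\xc0": ("xor eax, eax", 0, ""),
    b"\x48\x89\xe5": ("mov rbp, rsp", 0, ""),
    b"\xb8": ("mov eax, {imm:#x}", 4, "<I"),          # mov eax, imm32
    b"\x48\x83\xec": ("sub rsp, {imm:#x}", 1, "<B"),  # sub rsp, imm8
    b"\x48\x83\xc4": ("add rsp, {imm:#x}", 1, "<B"),  # add rsp, imm8
}
def disassemble(code: bytes):
    """Return [(offset, raw_bytes, text)]; raise on bytes outside the subset."""
    listing, pos = [], 0
    while pos < len(code):
        for length in (3, 2, 1):  # longest opcode pattern first
            opcode = code[pos:pos + length]
            if opcode in OPS:
                template, size, fmt = OPS[opcode]
                raw = code[pos:pos + length + size]
                imm = struct.unpack(fmt, raw[length:])[0] if size else None
                listing.append((pos, raw, template.format(imm=imm)))
                pos += len(raw)
                break
        else:
            raise ValueError(f"unknown opcode at offset {pos:#x}: {code[pos]:#04x}")
    return listing
def assemble(lines):
    """Inverse of disassemble(): mnemonic text back to the exact bytes."""
    out = bytearray()
    for line in lines:
        for opcode, (template, size, fmt) in OPS.items():
            head = template.split("{")[0]  # "ret", or "mov eax, " for immediates
            if line == head or (size and line.startswith(head)):
                out += opcode + (struct.pack(fmt, int(line[len(head):], 0)) if size else b"")
                break
        else:
            raise ValueError(f"cannot assemble {line!r}")
    return bytes(out)

def round_trip(code: bytes) -> bool:
    # Lossless if reassembling the listing reproduces the original bytes.
    return assemble([text for _, _, text in disassemble(code)]) == code
# Constructed sample: prologue, stack frame, two register ops, epilogue.
SAMPLE = bytes.fromhex("554889e54883ec1031c0b82a0000004883c4105dc3")
if __name__ == "__main__":
    for offset, raw, text in disassemble(SAMPLE):
        print(f"{offset:04x}  {raw.hex():<12} {text}")
    print("round trip ok:", round_trip(SAMPLE))
```

Running it prints the eight-instruction listing with offsets and raw bytes, then `round trip ok: True`; feeding it bytes outside the table raises a ValueError at the offending offset, which is the same failure mode a real disassembler hits on data mixed into a code section.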