Visual Reverse Engineering

Willy Vasquez

Background

Willy Vasquez Rising Senior at MIT

› Studying Computer Science and Engineering

› Research with Shafi Goldwasser› Intern at Symantec Mobility Management

Group

Source

Work of Christopher Domas of the Battelle Memorial Institute

Brief overview of his talk at REcon › The Future of RE: Dynamic Binary

Visualization

Reverse Engineering

The goal is to answer “what is this and what does it do?”

From Art to Science

Lots of time to identify patterns Finding the patterns is an art.

Visual RE

Taking a computationally difficult task and translating it to a problem our brains naturally do

Traversing thousands of lines of hex and making sense of it in 20 seconds

Why improve?

Steganography Obfuscation Embedded Devices Unknown formats

Why improve?

Our current best RE tools are completely dependent on known structure

Gates’ Law› Software is getting slower more rapidly

than hardware becomes faster› Amount of Information we need to analyze

is growing exponentially

Background Ideas

Greg Conti› US Military Academy› Blackhat

Aldo Cortesi› Nullcube› corte.si

Conti’s Idea

Even in unstructured data there are relationships, especially among local hex bytes

Digraphs

Conti’s Idea

Ascii AudioImage

Cortesi’s Work

Mapping data to Hilbert curves

Building on Concepts

Goal: Understanding data independent of format

..cantor.dust..

Named after Georg Cantor Works off of emphasizing the idea of

relationships between binary information

3D Digraphs

Entropy Explorer

..cantor.dust.. classification

Bayesion Method to classify certain types of formats

..cantor.dust.. parsing

Current binary parsing› Recursive descent: IDA style that follows

patterns and calls in code› Linear sweep: objdump and goes through

in linear fashion Rely on a structures grammar ..cantor.dust.. Uses probabilistic

parsing, which does not rely on grammar

..cantor.dust.. parsing

..cantor.dust.. summary

A new way to look at binary information

Can find demo from blackhat presentation: https://media.blackhat.com/bh-us-12/Arsenal/Domas/_cantor.dust_.7z.zip

No updates since last summer

Sources

The full talk and slides located on the recon.cx website: › http://recon.cx/2013/schedule/events/20.ht

ml