FoRREST
A Framework of Robust Reverse Engineering Software Tools
Cole Loewer, Logan Rickert, David Sutherin, and Dr. Adam Bryant

Introduction

Background
Reverse engineering is the process of examining a binary executable file in order to gain an understanding of the function that it performs. This can be done for many reasons, including:
• Malware Analysis
• Legacy Code Modification
• Vulnerability Discovery
• Security Assurance

Problem
Reverse engineering is an incredibly complex task, requiring many different tools and a significant amount of background knowledge.

Goals
• Provide access to as much information from a binary file as possible in a cohesive interface.
• Implement high-level reverse engineering tools.
• Make the framework extensible so that it can be used alongside other techniques and tools.
• Decrease the learning curve for novice reverse engineers by providing an intuitive interface and functions.

Implementation

Data Representations
Information retrieved from a file can exist in many states, which we have classified into different levels, shown in Fig. 1.
Fig. 1: The data representation hierarchy defining the structure of FoRREST

Level 0: Raw
The Raw plugin allows users to access the most basic information about a file, performing little to no analysis: filename, extension, file size, and checksums, as well as the original bytes.

Level 1: Extract
The Extract plugin supplies access to information such as the file’s MIME type, version number, intended architecture, the compiler used, and the sections that the original bytes are divided into.

Level 2: Interpret
The Interpret plugin translates the original bytes into more meaningful representations, i.e. opcodes and strings. It also provides a list of imported and exported libraries.

Level 3: Transform
The Transform plugin leverages Radare2 to provide the disassembly, mnemonics, functions, data references and jump targets within the file.

Level 4: Infer
The Infer plugin is the heavy-hitter, allowing analysts to perform high-level analyses by working as a wrapper for Radare2, angr, and boomerang. It gives users access to the control flow graph (example in Fig. 4), intermediate representation, and decompilation of a file, and performs deobfuscation.
Fig. 4: An example control flow graph output from FoRREST

Basic Structure
FoRREST is a Linux-based framework of reverse engineering tools, implemented as a set of Python classes, each corresponding to a specific level of the data representation hierarchy (Fig. 1).

Database
Information extracted from an executable is stored in a database, which is especially useful for examining malware: a preliminary analysis can be performed in a sandbox environment and then continued on any machine by accessing the database.

Usage
Fig. 2: Command Line Interface
Fig. 3: Import into Python Interpreter

Features

Access to Information
FoRREST gives users access to most of the information that an analyst would require when performing static analysis.

High-Level Tools
FoRREST implements several high-level tools such as Radare2, boomerang, and angr, which can be used for in-depth analysis.

Extensibility
FoRREST can be easily imported into the Python interpreter, allowing users to integrate it with other tools they use.

Intuitive Interface
FoRREST’s features are invoked by function names which clearly represent the information that they acquire.

Evaluation

Results
To simplify the process of reverse engineering software, we have created an extensible framework that provides access to much low-level, and some high-level, information about binary executables. FoRREST was developed to make its use as intuitive as possible once the basics of reverse engineering are understood.

Conclusion

Going Forward
We have implemented some high-level reverse engineering techniques, but will need to integrate more in order to make FoRREST as useful as possible for reverse engineers. Once high-level functions have been completed, we will design and perform a controlled user test to judge the project’s success. Finally, we will submit a complete report to the International Conference on Cyber Warfare and Security, with the hope of seeing our results published in a technical journal in 2017.
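The Level 0 to Level 2 plugins described under Implementation, as an added example written for this page in Python; it is not FoRREST's own code. A Raw, Extract and Interpret class chain computes size and checksums, recognises an ELF64 file and its target architecture, walks the section header table, and pulls printable strings per loadable section, so that each level builds on the one below it the way the hierarchy in Fig. 1 describes. The class names, the `build_sample_elf` helper and the tiny ELF image it constructs are assumptions made for this example; the parser handles only little-endian ELF64 and refuses truncated or inconsistent input instead of reading past the end of the file.

```python
import hashlib
import struct

ELF_MAGIC = b"\x7fELF"
EHDR_FMT, SHDR_FMT = "<16sHHIQQQIHHHHHH", "<IIQQQQIIQQ"   # Elf64_Ehdr / Elf64_Shdr, little-endian
E_MACHINE = {3: "x86", 40: "ARM", 62: "x86-64", 183: "AArch64"}
SHT_NOBITS, SHF_ALLOC = 8, 0x2


class Raw:
    """Level 0: the bytes themselves plus facts that need no parsing (hypothetical class)."""

    def __init__(self, data, filename):
        self.data, self.filename = bytes(data), filename

    def size(self):
        return len(self.data)

    def checksums(self):
        return {"md5": hashlib.md5(self.data).hexdigest(),
                "sha256": hashlib.sha256(self.data).hexdigest()}


class Extract(Raw):
    """Level 1: file format, target architecture and section layout (hypothetical class)."""

    def file_format(self):
        if self.data.startswith(ELF_MAGIC):
            return "ELF"
        if self.data.startswith(b"MZ"):
            return "PE"
        return "unknown"

    def _ehdr(self):
        if self.file_format() != "ELF" or len(self.data) < struct.calcsize(EHDR_FMT):
            raise ValueError("not an ELF file")
        if self.data[4] != 2 or self.data[5] != 1:      # EI_CLASS == ELFCLASS64, EI_DATA == LSB
            raise ValueError("only little-endian ELF64 is handled here")
        keys = ("ident", "type", "machine", "version", "entry", "phoff", "shoff", "flags",
                "ehsize", "phentsize", "phnum", "shentsize", "shnum", "shstrndx")
        return dict(zip(keys, struct.unpack_from(EHDR_FMT, self.data, 0)))

    def architecture(self):
        m = self._ehdr()["machine"]
        return E_MACHINE.get(m, "unknown(%d)" % m)

    def sections(self):
        h = self._ehdr()
        shdrs = []
        for i in range(h["shnum"]):
            off = h["shoff"] + i * h["shentsize"]
            if off + struct.calcsize(SHDR_FMT) > len(self.data):
                raise ValueError("section header table runs past end of file")
            shdrs.append(struct.unpack_from(SHDR_FMT, self.data, off))
        if h["shstrndx"] >= len(shdrs):
            raise ValueError("e_shstrndx points outside the section header table")
        st_off, st_size = shdrs[h["shstrndx"]][4], shdrs[h["shstrndx"]][5]
        strtab = self.data[st_off:st_off + st_size]
        out = []
        for sh_name, sh_type, sh_flags, _addr, sh_off, sh_size, *_ in shdrs:
            end = strtab.find(b"\x00", sh_name)
            name = strtab[sh_name:end if end >= 0 else None].decode("ascii", "replace")
            # NOBITS sections (.bss) occupy no file bytes, so bounds-check only the others
            if sh_type != SHT_NOBITS and sh_off + sh_size > len(self.data):
                raise ValueError("section %r runs past end of file" % name)
            out.append({"name": name, "type": sh_type, "flags": sh_flags,
                        "offset": sh_off, "size": sh_size})
        return out


class Interpret(Extract):
    """Level 2: printable ASCII strings, reported per loadable section (hypothetical class)."""

    def strings(self, min_len=4):
        found = []
        for sec in self.sections():
            if sec["type"] == SHT_NOBITS or not sec["flags"] & SHF_ALLOC:
                continue
            chunk = self.data[sec["offset"]:sec["offset"] + sec["size"]]
            run = bytearray()
            for b in chunk + b"\x00":               # trailing NUL flushes the last run
                if 0x20 <= b < 0x7F:
                    run.append(b)
                    continue
                if len(run) >= min_len:
                    found.append((sec["name"], run.decode("ascii")))
                run = bytearray()
        return found


def build_sample_elf():
    """Constructed minimal ELF64 x86-64 image with .rodata and .shstrtab; not a compiled binary."""
    rodata = b"hello, analyst\x00/tmp/sample.cfg\x00ab\x00"   # constructed sample strings
    shstrtab = b"\x00.rodata\x00.shstrtab\x00"                 # names at offsets 1 and 9
    rodata_off = struct.calcsize(EHDR_FMT)
    shstrtab_off = rodata_off + len(rodata)
    shoff = shstrtab_off + len(shstrtab)
    shoff += (-shoff) % 8                                      # align the section header table
    ehdr = struct.pack(EHDR_FMT, b"\x7fELF\x02\x01\x01" + b"\x00" * 9,
                       2, 62, 1, 0x401000, 0, shoff, 0, 64, 56, 0, 64, 3, 2)

    def shdr(name, typ, flags, off, size):
        return struct.pack(SHDR_FMT, name, typ, flags, 0, off, size, 0, 0, 1, 0)

    body = ehdr + rodata + shstrtab
    body += b"\x00" * (shoff - len(body))
    return (body + shdr(0, 0, 0, 0, 0) + shdr(1, 1, SHF_ALLOC, rodata_off, len(rodata))
            + shdr(9, 3, 0, shstrtab_off, len(shstrtab)))


if __name__ == "__main__":
    sample = Interpret(build_sample_elf(), "sample.elf")
    print(sample.size(), sample.file_format(), sample.architecture(), sample.checksums()["sha256"])
    for s in sample.sections():
        print("%-10s off=%#06x size=%d" % (s["name"] or "<null>", s["offset"], s["size"]))
    print(sample.strings())
```

Each class only adds what its level promises and inherits the rest, which is the point of the hierarchy: a caller that only needs checksums never touches the ELF parser, and a caller that wants strings gets the section walk and its bounds checks for free. Replacing `build_sample_elf()` with the bytes of a real file is all that is needed to run it on actual input.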
Adam Bryant. Personal communication, June 2016.
Adam Bryant, Robert Mills, Michael Grimaila, and Gilbert Peterson. Top-level goals in reverse engineering executable software. In Proceedings of the 8th International Conference on Information Warfare and Security: ICIW 2013, page 16. Academic Conferences Limited, 2013.
emmerik, gerard_, quantumg, and thenihilist. boomerang, 2016.
Willy Jimenez, Amel Mammar, and Ana Cavalli. Software vulnerabilities, prevention and detection methods: A review. Security in Model-Driven Architecture, page 6, 2009.
pancake. Radare2, 2016.
Rensselaer Polytechnic Institute. CSCI 4968: Modern binary exploitation, 2015.
Yan Shoshitaishvili et al. SOK: (State of) The Art of War: Offensive Techniques in Binary Analysis. 2016.
Wolfgang Wögerer. A survey of static program analysis techniques. Technical report, Citeseer, 2005.