At this presentation we will talk about how a DBA (Dynamic Binary Analysis) may help a reverse engineer to reverse obfuscated code. We will first introduce some basic obfuscation techniques and then expose how it's possible to break some stuffs (using our open-source DBA framework - Triton) like detect opaque predicates, reconstruct CFG, find the original algorithm, isolate sensible data and many more... Then, we will conclude with a demo and few words about our future work.
How Triton can help to reverse virtual machine based software protectionsJonathan Salwan
The first part of the talk is going to be an introduction to the Triton framework to expose its components and to explain how they work together. Then, the second part will include demonstrations on how it's possible to reverse virtual machine based protections using taint analysis, symbolic execution, SMT simplifications and LLVM-IR optimizations.
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson
A lecture/talk describing how to build and use polyglot payloads for finding vulnerabilities in web applications that traditional payloads can't.
Here's the last slide: http://www.slideshare.net/MathiasKarlsson2/final-slide-36636479
This talk is going to give an overview of Android operating system and it´s apps ecosystem from the security point of view of a penetration tester.
So lets dive into topics like Pentest Environment Setup, Tools of the Trade, App Analysis and some security hints for Android developers.
How Triton can help to reverse virtual machine based software protectionsJonathan Salwan
The first part of the talk is going to be an introduction to the Triton framework to expose its components and to explain how they work together. Then, the second part will include demonstrations on how it's possible to reverse virtual machine based protections using taint analysis, symbolic execution, SMT simplifications and LLVM-IR optimizations.
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson
A lecture/talk describing how to build and use polyglot payloads for finding vulnerabilities in web applications that traditional payloads can't.
Here's the last slide: http://www.slideshare.net/MathiasKarlsson2/final-slide-36636479
This talk is going to give an overview of Android operating system and it´s apps ecosystem from the security point of view of a penetration tester.
So lets dive into topics like Pentest Environment Setup, Tools of the Trade, App Analysis and some security hints for Android developers.
https://2018.zeronights.ru/en/reports/reverse-proxies-inconsistency/
Modern websites are growing more complex with different reverse proxies and balancers covering them. They are used for various purposes: request routing, caching, putting additional headers, restricting access. In other words, reverse proxies must both parse incoming requests and modify them in a particular way. However, path parsing may turn out to be quite a challenge due to mismatches in the parsing of different web servers. Moreover, request converting may imply a wide range of different consequences from a cybersecurity point of view. I have analyzed different reverse proxies with different configurations, the ways they parse requests, apply rules, and perform caching. In this talk, I will both speak about general processes and the intricacies of proxy operation and demonstrate the examples of bypassing restrictions, expanding access to a web application, and new attacks through the web cache deception and cache poisoning.
A quick tutorial on what debuggers are and how to use them. We present a debugging example using GDB. At the end of this tutorial, you will be able to work your way through a crash and analyze the cause of the error responsible for the crash.
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...bugcrowd
WATCH JASON'S TALK LIVE, 8/14 @ 11AM PDT - Register Here: http://bgcd.co/DEFCON23-haddix
Jason Haddix explores successful tactics and tools used by himself and the best bug hunters. Practical methodologies, tools and tips that make you better at hacking websites and mobile apps to claim those bounties.
Follow Jason on Twitter: http://twitter.com/jhaddix
Follow Bugcrowd on Twitter: http://twitter.com/bugcrowd
Check out the latest bug bounties on Bugcrowd: https://bugcrowd.com/programs
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...Frans Rosén
Regardless on how sophisticated your framework is, how many layers of firewalls and mitigation techniques that are put in place, there's a common weakness that often gets overlooked: the insecure direct object reference. The flaw exist everywhere: WordPress with username enumeration issues. Twitter where remote attackers could delete credit cards for the ad service and to OculusVR with a horizontal privilege escalation vulnerability which got disclosed recently.
Vulnerabilities in modern web applicationsNiyas Nazar
Microsoft powerpoint presentation for BTech academic seminar.This seminar discuses about penetration testing, penetration testing tools, web application vulnerabilities, impact of vulnerabilities and security recommendations.
https://2018.zeronights.ru/en/reports/reverse-proxies-inconsistency/
Modern websites are growing more complex with different reverse proxies and balancers covering them. They are used for various purposes: request routing, caching, putting additional headers, restricting access. In other words, reverse proxies must both parse incoming requests and modify them in a particular way. However, path parsing may turn out to be quite a challenge due to mismatches in the parsing of different web servers. Moreover, request converting may imply a wide range of different consequences from a cybersecurity point of view. I have analyzed different reverse proxies with different configurations, the ways they parse requests, apply rules, and perform caching. In this talk, I will both speak about general processes and the intricacies of proxy operation and demonstrate the examples of bypassing restrictions, expanding access to a web application, and new attacks through the web cache deception and cache poisoning.
A quick tutorial on what debuggers are and how to use them. We present a debugging example using GDB. At the end of this tutorial, you will be able to work your way through a crash and analyze the cause of the error responsible for the crash.
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...bugcrowd
WATCH JASON'S TALK LIVE, 8/14 @ 11AM PDT - Register Here: http://bgcd.co/DEFCON23-haddix
Jason Haddix explores successful tactics and tools used by himself and the best bug hunters. Practical methodologies, tools and tips that make you better at hacking websites and mobile apps to claim those bounties.
Follow Jason on Twitter: http://twitter.com/jhaddix
Follow Bugcrowd on Twitter: http://twitter.com/bugcrowd
Check out the latest bug bounties on Bugcrowd: https://bugcrowd.com/programs
How to steal and modify data using Business Logic flaws - Insecure Direct Obj...Frans Rosén
Regardless on how sophisticated your framework is, how many layers of firewalls and mitigation techniques that are put in place, there's a common weakness that often gets overlooked: the insecure direct object reference. The flaw exist everywhere: WordPress with username enumeration issues. Twitter where remote attackers could delete credit cards for the ad service and to OculusVR with a horizontal privilege escalation vulnerability which got disclosed recently.
Vulnerabilities in modern web applicationsNiyas Nazar
Microsoft powerpoint presentation for BTech academic seminar.This seminar discuses about penetration testing, penetration testing tools, web application vulnerabilities, impact of vulnerabilities and security recommendations.
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in FirmwareLastline, Inc.
Over the last few years, as the world has moved closer to realizing the idea of the Internet of Things, an increasing number of the analog things with which we used to interact every day have been replaced with connected devices. The increasingly-complex systems that drive these devices have one thing in common – they must all communicate to carry out their intended functionality. Such communication is handled by firmware embedded in the device. And firmware, like any piece of software, is susceptible to a wide range of errors and vulnerabilities.
Title: Sista: Improving Cog’s JIT performance
Speaker: Clément Béra
Thu, August 21, 9:45am – 10:30am
Video Part1
https://www.youtube.com/watch?v=X4E_FoLysJg
Video Part2
https://www.youtube.com/watch?v=gZOk3qojoVE
Description
Abstract: Although recent improvements of the Cog VM performance made it one of the fastest available Smalltalk virtual machine, the overhead compared to optimized C code remains important. Efficient industrial object oriented virtual machine, such as Javascript V8's engine for Google Chrome and Oracle Java Hotspot can reach on many benchs the performance of optimized C code thanks to adaptive optimizations performed their JIT compilers. The VM becomes then cleverer, and after executing numerous times the same portion of codes, it stops the code execution, looks at what it is doing and recompiles critical portion of codes in code faster to run based on the current environment and previous executions.
Bio: Clément Béra and Eliot Miranda has been working together on Cog's JIT performance for the last year. Clément Béra is a young engineer and has been working in the Pharo team for the past two years. Eliot Miranda is a Smalltalk VM expert who, among others, has implemented Cog's JIT and the Spur Memory Manager for Cog.
2011 CodeEngn Conference 05
DBI 란 Dynamic Binary Instrumentation 의 약자이다. 이는 실행 중인 어떤 Process 또는 Program 에 특수한 목적으로 사용될 임의의 코드를 삽입하는 방법이다. 이를 이용하여 동적으로 생성된 Code 처리, 특정 코드의 발견, 실행중인 Process 분석 등을 할 수 있다. 주로 컴퓨터 구조 연구, 프로그램, 스레드 분 석에 이용되며, Taint Analysis 에 대한 개념, 각종 Tool 과 사용 방법, 간단한 예제, 최신 취약점 분석 등 을 통하여 DBI 를 알아보도록 한다.
http://codeengn.com/conference/05
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...CODE BLUE
Malware utilize many cryptographic algorithms.
To fight against malware, analysts have to reveal details on malware activities.
Accordingly, it is important to identify cryptographic algorithms used in malware.
In this track, I propose a faster and extensible method to automatically detect known cryptographic algorithms in malware using dynamic binary instrumentation and fuzzy hashing.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofsAlex Pruden
This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second).
Paper: https://eprint.iacr.org/2023/1886
Welcome to the first live UiPath Community Day Dubai! Join us for this unique occasion to meet our local and global UiPath Community and leaders. You will get a full view of the MEA region's automation landscape and the AI Powered automation technology capabilities of UiPath. Also, hosted by our local partners Marc Ellis, you will enjoy a half-day packed with industry insights and automation peers networking.
📕 Curious on our agenda? Wait no more!
10:00 Welcome note - UiPath Community in Dubai
Lovely Sinha, UiPath Community Chapter Leader, UiPath MVPx3, Hyper-automation Consultant, First Abu Dhabi Bank
10:20 A UiPath cross-region MEA overview
Ashraf El Zarka, VP and Managing Director MEA, UiPath
10:35: Customer Success Journey
Deepthi Deepak, Head of Intelligent Automation CoE, First Abu Dhabi Bank
11:15 The UiPath approach to GenAI with our three principles: improve accuracy, supercharge productivity, and automate more
Boris Krumrey, Global VP, Automation Innovation, UiPath
12:15 To discover how Marc Ellis leverages tech-driven solutions in recruitment and managed services.
Brendan Lingam, Director of Sales and Business Development, Marc Ellis
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™UiPathCommunity
In questo evento online gratuito, organizzato dalla Community Italiana di UiPath, potrai esplorare le nuove funzionalità di Autopilot, il tool che integra l'Intelligenza Artificiale nei processi di sviluppo e utilizzo delle Automazioni.
📕 Vedremo insieme alcuni esempi dell'utilizzo di Autopilot in diversi tool della Suite UiPath:
Autopilot per Studio Web
Autopilot per Studio
Autopilot per Apps
Clipboard AI
GenAI applicata alla Document Understanding
👨🏫👨💻 Speakers:
Stefano Negro, UiPath MVPx3, RPA Tech Lead @ BSP Consultant
Flavio Martinelli, UiPath MVP 2023, Technical Account Manager @UiPath
Andrei Tasca, RPA Solutions Team Lead @NTT Data
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Enhancing Performance with Globus and the Science DMZGlobus
ESnet has led the way in helping national facilities—and many other institutions in the research community—configure Science DMZs and troubleshoot network issues to maximize data transfer performance. In this talk we will present a summary of approaches and tips for getting the most out of your network infrastructure using Globus Connect Server.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
The Metaverse and AI: how can decision-makers harness the Metaverse for their...Jen Stirrup
The Metaverse is popularized in science fiction, and now it is becoming closer to being a part of our daily lives through the use of social media and shopping companies. How can businesses survive in a world where Artificial Intelligence is becoming the present as well as the future of technology, and how does the Metaverse fit into business strategy when futurist ideas are developing into reality at accelerated rates? How do we do this when our data isn't up to scratch? How can we move towards success with our data so we are set up for the Metaverse when it arrives?
How can you help your company evolve, adapt, and succeed using Artificial Intelligence and the Metaverse to stay ahead of the competition? What are the potential issues, complications, and benefits that these technologies could bring to us and our organizations? In this session, Jen Stirrup will explain how to start thinking about these technologies as an organisation.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Epistemic Interaction - tuning interfaces to provide information for AI support
Dynamic Binary Analysis and Obfuscated Codes
1. Dynamic Binary Analysis and Obfuscated Codes
How to don’t kill yourself when you reverse obfuscated codes.
Jonathan Salwan and Romain Thomas
St’Hack in Bordeaux, April 8, 2016
Quarkslab
2. About us
Romain Thomas
• Security Research Engineer at Quarkslab
• Working on obfuscation and software protection
Jonathan Salwan
• Security Research Engineer at Quarkslab
• Ph.D student on Software Verification supervised by:
• S´ebastien Bardin from CEA
• Marie-Laure Potet from VERIMAG
2
3. Roadmap of this talk
1. Obfuscation introduction
2. Dynamic Binary Analysis introduction
3. The Triton framework
4. Conclusion
5. Future works
3
5. What is an obfuscation?
Wikipedia: ”Obfuscation is the obscuring of intended meaning in
communication, making the message confusing, willfully ambiguous, or
harder to understand.” 1
1
https://en.wikipedia.org/wiki/Obfuscation
5
7. What kind of obfuscations may we find in modern softwares?
• Opaque predicates
• Control-flow flattening
• Virtualization
• MBA and bitwise operations
• Use of uncommon instructions.
7
8. Example: Opaque predicates
• Objective: Create unreachable basic blocks
• The constraint ¬π1 is always UNSAT
• The basic block ϕ3 is never executed
ϕ1
ϕ2 ϕ3
ϕ4
π1
¬π1
Figure 1: Control Flow Graph
8
9. Example: CFG flattened
• Objective: Remove structured control flows
• The basic block ϕ2 is now used as dispatcher
• The dispatcher manages the control flow
• Static analysis: hard to predict which basic block will be called next
ϕ1 ϕ2
ϕ3
ϕ4
ϕ5 ϕ6
Figure 2: Original CFG
ϕ1
ϕ2
ϕ3 ϕ4 ϕ5 ϕ6
Figure 3: Flattened CFG
9
10. Example: Virtualization
• Objective: Emulate the original code via a custom ISA (Instruction Set
Architecture)
• Example:
xor R1, R2 push R1
push R2
mov eax, [esp]
mov ebx, [esp - 0x4]
xor eax, ebx
push eax
10
12. Example: MBA and bitwise operations
• Objective: Transform the normal form of an expression to a more complex one
• The transformation output may also be transformed again and so one
a + b = (a ∨ b) + (a ∧ b)
a ∗ b = (a ∧ b) ∗ (a ∨ b) + (a ∧ ¬b) ∗ (¬a ∧ b)
a ⊕ b = (a ∧ ¬b) ∨ (¬a ∧ b)
a ⊕ b = ((a ∧ ¬a) ∧ (¬b ∨ ¬a)) ∧ ((a ∨ b) ∨ (¬b ∨ b))
0 = (a ∨ b) − (a + b) + (a ∧ b)
12
13. Example: Use of uncommon instructions
• Objective:
• Break your tools
• Break your mind!
• May transform classic operations
using AVX and SSE
Figure 5: Uncommon instructions
13
15. What is a DBA?
• Dynamic Binary Analysis
• Any way to analyze a binary dynamically
• Most popular analysis
• Dynamic information extraction
• Dynamic taint analysis [4]
• Dynamic symbolic execution [3, 2, 6, 1]
15
16. Why use a DBA?
• To get runtime values at each program point
• To get the control flow for a given input
• To follow the spread of a specific data
16
17. What is a dynamic taint analysis?
• Taint analysis is used to follow a specific information through a data flow
• Cell memory
• Register
• The taint is spread at runtime
• At each program point you are able to know what cells and registers interact with
your initial value
17
18. What is a dynamic symbolic execution?
• A DSE is used to represent the control and the data flow of an execution into
arithmetical expressions
• These expressions may contain symbolic variables instead of concrete values
• Using a SMT solver 23 on these expressions, we are able to determine an input for
a desired state
2
https://en.wikipedia.org/wiki/Satisfiability modulo theories#SMT solvers
3
http://smtlib.cs.uiowa.edu
18
19. SBA vs DBA
• Static Binary Analysis
• Full CFG
• No concrete value
• Often based on abstract analysis
• Scalable
• False positive
• Too complicated for analyze obfuscated code
• Dynamic Binary Analysis
• Partial CFG (only one path at time)
• Concrete values
• Often based on concrete analysis
• Not scalable
• Less false positive
• Lots of static protections may be broken
19
20. Online vs offline analysis
• Online analysis
• Extract runtime information
• Inject runtime values
• Interact and modify the control flow
• Good for fuzzing
• Offline analysis
• Store the context of each program point into a database
• Apply post analysis
• Display the context information using both static and dynamic paradigms
• Good for reverse
20
21. Offline analysis good for reverse
Bin
DB
Dynamic
Extraction
Analysis
API
IDA
Static
Extraction
Figure 6: Example of an offline analysis infrastructure
21
22. Offline analysis and symbolic emulation
• Explore more than one path using symbolic emulation from a concrete path
• From one path emulate them all
ϕ1 ϕ2
ϕ3
ϕ4
ϕ5 ϕ6
Figure 7: Concrete execution
22
23. Offline analysis and symbolic emulation
• Keep both concrete and symbolic values of each symbolic variable
• Use the concrete value for the emulation part and the symbolic value for
expressions and models
• Get the model of the new branch and restore the concrete value of the symbolic
variable
ϕ1 ϕ2
ϕ3
ϕ4
ϕ5 ϕ6
¬π
π
Get model
Figure 8: Symbolic emulation from a concrete path
23
24. Offline analysis and symbolic emulation
• Concrete and emulated paths are merged with disjunctions to get a coverage
expression
ϕ1 ϕ2
ϕ3
ϕ4
ϕ5 ϕ6
¬π
π
Get model
pre ∧ (ϕ3 ∨ ϕ4) ∧ post
Figure 9: Disjunction of paths
24
26. Triton in a nutshell
• Dynamic Binary Analysis Framework
• x86 and x86 64 binaries analysis
• Dynamic Taint Analysis
• Dynamic Symbolic Execution
• Partial Symbolic Emulation
• Python or SMT semantics representation
• Simplification passes
• Python and C++ API
• Tracer independent
• A Pintool 4
is shipped with the project
• Free and opensource 5
4
https://software.intel.com/en-us/articles/pintool/
5
http://triton.quarkslab.com
26
28. The Triton’s design
• libpintool.so
• Used as tracer to give the execution context to the Triton library
• Python bindings on some Pin’s features
• libtriton.so
• Takes as input opcodes and a potential context
• Contains all engines and analysis
• Python and C++ API
28
29. In what scenarios should I use Triton?
• If I want to use basic Pin’s features with Python bindings
• If I’m working on a trace and want to perform a taint or symbolic analysis
• If I want to simplify expressions using my own rules or those of z3 6
6
https://github.com/Z3Prover/z3
29
30. The classic count inst example
count = 0
def mycb(inst):
global count
count += 1
def fini():
print count
if __name__ == ’__main__’:
setArchitecture(ARCH.X86_64)
startAnalysisFromEntry()
addCallback(mycb, CALLBACK.BEFORE)
addCallback(fini, CALLBACK.FINI)
runProgram()
30
31. Can I use the libTriton into IDA?
Figure 11: Triton and RPyC 7
7
https://rpyc.readthedocs.org 31
32. Can I emulate code via the libTriton into IDA?
Figure 12: Symbolic Emulation into IDA
32
34. Simplify expressions
• Simplification passes may be applied at different levels:
• Runtime node assignment (registers, memory cells, volatile)
• Specific isolated expressions
• Triton allows you to:
• Apply your own transformation rules based on smart patterns
• Use z3 8
to apply transformations
8
(simplify <expr>)
34
36. Simplify expressions with your own rules
Rule example: A ⊕ A → A = 0
def xor(node):
if node.getKind() == AST_NODE.BVXOR:
if node.getChilds()[0] == node.getChilds()[1]:
return bv(0, node.getBitvectorSize())
return node
if __name__ == ’__main__’:
# [...]
recordSimplificationCallback(xor)
# [...]
36
37. Smart patterns matching
• Commutativity and patterns matching
• A smart equality (==) operator
>>> a | >>> a | >>> a
((0x1 * 0x2) & 0xFF) | (((0x1 * 0x2) & 0xFF) ^ 0x3) | (0x1 / 0x2)
>>> b | >>> b | >>> b
((0x2 * 0x1) & 0xFF) | (0x3 ^ ((0x2 * 0x1) & 0xFF)) | (0x2 / 0x1)
>>> a == b | >>> a == b | >>> a == b
True | True | False
37
45. Analyse opaque predicates
Convert x and y as symbolic variable;
for basic block in graph do
for instruction in basic block do
triton.emulate(instruction);
if instruction.type is conditionnal jump and zf expression is symbolized then
Check if zf has solutions ;
end
end
end
45
53. Reconstruct a CFG from trace differential
Problem: Given two sequences what is the minimal edition distance?
T1 : A T C T G A T
T2 : A A T C T G A T
53
54. Reconstruct a CFG from trace differential
Levenshtein algorithm (dynamic programming)
T1 : A - T C T G A T
T2 : A A T C T G A T
54
55. Reconstruct a CFG from trace differential
We can see a trace as a DNA sequence on a bigger alphabet. Many algorithms have
been developed to analyze/compare a DNA sequence and they can be used on traces.
• Levenshtein algorithm: optimal alignment, if, else detection
• Suffix Tree: Longest repeated factor, loops detection
55
56. Reconstruct a CFG from trace differential
int f(int x) {
int result = 0;
result = x;
result = result >> 3;
if (result % 4 == 2) {
result += 5;
result = result + x;
}
result = result * 7;
return result;
}
Figure 17: Function f
56
59. Recover the algorithm of a VM
Problem: Given a very secret algorithm obfuscated with a VM. How can we recover
the algorithm without fully reversing the VM?
59
60. Recover the algorithm of a VM
$ ./vm 1234
3920664950602727424
$ ./vm 326423564
16724117216240346858
60
61. Recover the algorithm of a VM
• The VM is too big to be analyzed statically in few minutes
• One trace gives you all information that you need
61
62. Recover the algorithm of a VM
• Use taint analysis to isolate VM’s handlers and their goal
Figure 18: VM handler and a taint analysis
62
68. Conclusion
• Lots of static protections may be broken from an unique trace
• Taint and symbolic analysis are really useful when reversing obfuscated code
• The best protection is MBA and bitwise operation
• Hard to detect patterns automatically
• Hard to simplify
68
70. Future Works
• libTriton
• Improve the emulation part
• Paths and expressions merging
• Restructured DFG/CFG via a Python representation (WIP #282 #287)
• Trace differential on DNA-based algorithms
• Pattern matching via formal proof
• Internal GC to scale the memory consumption
70
72. Contact us
• Romain Thomas
• rthomas at quarkslab com
• @rh0main
• Jonathan Salwan
• jsalwan at quarkslab com
• @JonathanSalwan
• Triton team
• triton at quarkslab com
• @qb triton
• irc: #qb triton@freenode.org
72
73. References I
S. Bardin and P. Herrmann.
Structural testing of executables.
In First International Conference on Software Testing, Verification, and Validation,
ICST 2008, Lillehammer, Norway, April 9-11, 2008, pages 22–31, 2008.
P. Godefroid, J. de Halleux, A. V. Nori, S. K. Rajamani, W. Schulte, N. Tillmann,
and M. Y. Levin.
Automating software testing using program analysis.
IEEE Software, 25(5):30–37, 2008.
73
74. References II
P. Godefroid, N. Klarlund, and K. Sen.
DART: directed automated random testing.
In Proceedings of the ACM SIGPLAN 2005 Conference on Programming Language
Design and Implementation, Chicago, IL, USA, June 12-15, 2005, pages 213–223,
2005.
J. Newsome and D. X. Song.
Dynamic taint analysis for automatic detection, analysis, and
signaturegeneration of exploits on commodity software.
In Proceedings of the Network and Distributed System Security Symposium,
NDSS 2005, San Diego, California, USA, 2005.
74
75. References III
F. Saudel and J. Salwan.
Triton: A dynamic symbolic execution framework.
In Symposium sur la s´ecurit´e des technologies de l’information et des
communications, SSTIC, France, Rennes, June 3-5 2015, pages 31–54. SSTIC,
2015.
K. Sen, D. Marinov, and G. Agha.
CUTE: a concolic unit testing engine for C.
In Proceedings of the 10th European Software Engineering Conference held jointly
with 13th ACM SIGSOFT International Symposium on Foundations of Software
Engineering, 2005, Lisbon, Portugal, September 5-9, 2005, pages 263–272, 2005.
75