Reverse engineering through full system simulations

What runs on these computers?

Diagram: simplifying assumptions are Linux on 32-bit x86. An x86 platform boots a bootable disk image (DISK) holding the Linux kernel and the applications; which applications run is the unknown (?).

What Runs on These Computers?
Without installing software or getting a shell:
    Identify running processes as they are created and destroyed
    What files are accessed?
    Communications between the processes & computers
    Interact with selected processes using a debugger
What if you could see all memory & registers?
    Access to memory/registers from some other system
    Ability to pause all the computers & peripherals via breakpoints
    Instrument memory such that access generates callbacks

If you could view RAM, what would you see?
Diagram: RAM addresses 0x1, 0x2, 0x3 ... 0xffffffff, shown next to the applications, the bootable disk image (DISK), the Linux kernel and the x86 platform.

Diagram (RAM layout): addresses 0x1, 0x2, 0x3 ...; from 0xc0000000 up to 0xffffffff, kernel code & data structures.

Linux kernel internals: task records, reached from current_task, hold each process's PID and COMM (program name).

Other interesting memory locations
    Entry points of system calls, e.g., "open"
    New programs loaded with "execve"
    Libraries linked via open & mmap
    Exits from kernel back to user space
    Page tables
    Application code: disassemble / decompile
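Added illustration (not from the slides or from RESim's own code): a constructed kernel memory region with task records reachable from current_task, read through a memory accessor whose every access fires a callback, and a process-inventory walk over it. The record layout, the 0x1000 offset and the sample processes are assumptions made for this example.

```python
import struct

KERNEL_BASE = 0xC0000000   # 32-bit x86 Linux maps the kernel from 0xc0000000 (slide "RAM")
COMM_LEN = 16              # length of the task_struct comm field (TASK_COMM_LEN)

# Constructed task-record layout used by this example only. These are NOT real
# task_struct offsets; a real analysis derives them from the target kernel's symbols.
#   +0  next  4-byte kernel virtual address of the next record, 0 ends the list
#   +4  pid   4-byte process id
#   +8  comm  16-byte NUL-padded program name
REC = struct.Struct("<II16s")

def build_image(tasks, base=KERNEL_BASE + 0x1000):
    """Construct a fake kernel memory region: a current_task pointer followed by linked records."""
    first = base + 4                      # records start right after the 4-byte pointer
    body = b""
    for i, (pid, comm) in enumerate(tasks):
        nxt = first + (i + 1) * REC.size if i + 1 < len(tasks) else 0
        body += REC.pack(nxt, pid, comm.encode()[:COMM_LEN])
    return base, struct.pack("<I", first) + body

def make_reader(base, image, on_access=None):
    """Model simulator memory access: read(vaddr, n) over the image, firing on_access as a callback."""
    def read(vaddr, n):
        if on_access:
            on_access(vaddr, n)
        off = vaddr - base
        if off < 0 or off + n > len(image):
            raise ValueError("unmapped read at 0x%08x" % vaddr)
        return image[off:off + n]
    return read

def process_inventory(read, current_task_addr, max_tasks=1024):
    """Walk task records starting from current_task; return [(pid, comm)], stopping on cycles."""
    seen, out = set(), []
    (ptr,) = struct.unpack("<I", read(current_task_addr, 4))
    while ptr and ptr not in seen and len(out) < max_tasks:
        seen.add(ptr)
        nxt, pid, comm = REC.unpack(read(ptr, REC.size))
        out.append((pid, comm.split(b"\0", 1)[0].decode()))
        ptr = nxt
    return out

if __name__ == "__main__":
    # Constructed sample: three processes, one of them a made-up maritime daemon
    base, image = build_image([(1, "init"), (42, "sshd"), (1337, "radar_daemon")])
    touched = []
    read = make_reader(base, image, lambda a, n: touched.append((a, n)))
    for pid, comm in process_inventory(read, base):
        print("%5d %s" % (pid, comm))
    print("memory accesses that fired callbacks:", len(touched))
```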

Replace hardware with a software simulation
    Cannot externally view memory on real systems
    Replace hardware with a software simulation: simulate processors, memory, peripherals
    Take disk image from real system & boot it!
        Simulated processor executes code from BIOS
        Starts executing boot block from disk image
        Loads OS... software is now running on simulated HW
    This is Simics, an expensive product from Intel
    Supports "reverse execution", e.g., "Run backwards and break on previous write to address"

Diagram: the x86 platform is replaced by a simulated x86 platform built from processor & device models; the disk image, Linux kernel and (unknown) applications are unchanged.

The simulator lets you view RAM & registers
Diagram: the same RAM layout (0x1, 0x2, 0x3 ... 0xffffffff), applications, bootable disk image and Linux kernel, now running on the simulated x86 platform of processor & device models.

RESim builds on Simics to dynamically analyze systems
    Derived from tool built for DARPA's Cyber Grand Challenge (CGC)
        High fidelity models of processors and peripherals
        NPS developed it as a software vetting and analysis platform for CGC exploits
    System execution traces
        Which programs execute as part of which processes?
        What other processes and computers do they interact with?
        Lists of IP addresses connected to & listened to
    Interactive disassembler / debugger integrated with simulation
        Attach to and drive programs as they exist in their native environment
        "Reverse execution" functions, e.g., run backwards until memory write
        IDA Pro disassembler/debugger with custom plugins

Reverse engineering parts of a system
    Engineering enclave for Maritime Systems (at ECE)
    What programs run? Network traffic consumed? Inter-process communication?
    Diagram: sensors and radar feed a Voyage Data Recorder made up of a Fixed Recording Unit and a Floating Recording Unit running Linux.

RESim architecture (diagram): Simics models of processors and devices provide the full system simulation (simulated memory and processor state, booted from the disk image); RESim layers breakpoints & callbacks on top to produce the process inventory, the system call trace and interactive analysis.

Why dynamic analyses of the system?
    You obtained an exploit proof-of-concept (POC) against a target. What is the vulnerability?
        The people / process that created the POC may not know
        Exploiting a flaw does not imply an understanding of the flaw
    RESim was used to analyze all successful CGC exploits
        Of 20 exploited services, half the exploits were not as intended
        Authors of exploited services had poor grasp of their own flaws
        Competitors that proved vulnerabilities did not patch them (generics)

Current Status
    Current support for 32-bit Linux on x86 (64-bit)
    Add 64-bit Linux support (build on CGC experience)
    Introduce ARM, PowerPC, etc. and load with images from the testbed
    Integrate software vulnerability analysis features
        Data tracking (forward and backward)
        Fuzzing of selected programs
        Direct injection of data when network receive detected
    Make the RESim platform available as a network service
        NPS has large blade servers licensed for this Simics product
        Remote access by analysts having local copies of IDA Pro

Questions?