Reverse engineering through full system simulations
What runs on these computers?
Simplifying assumptions: Linux on 32-bit x86.
[Diagram: applications running on a Linux kernel on an x86 platform, booted from a bootable disk image]
What runs on these computers? Without installing software or getting a shell:
- Identify running processes as they are created and destroyed
- What files are accessed?
- Communications between the processes and computers
- Interact with selected processes using a debugger
What if you could see all memory and registers?
- Access to memory/registers from some other system
- Ability to pause all the computers and peripherals via breakpoints
- Instrument memory such that access generates callbacks
If you could view RAM, what would you see?
[Diagram: the address space from 0x1 to 0xffffffff, holding applications and the Linux kernel on an x86 platform, loaded from the bootable disk image]
[Diagram: RAM from 0x1 to 0xffffffff; the upper region, labelled 0xc..., holds kernel code and data structures]
Linux kernel internals
- Task records: current_task, PID, COMM
Other interesting memory locations
- Entry points of system calls, e.g., “open”
- New programs loaded with “execve”
- Libraries linked via open and mmap
- Exits from kernel back to user space
- Page tables
- Application code: disassemble / decompile
Replace hardware with a software simulation
- Cannot externally view memory on real systems
- Replace hardware with a software simulation: simulate processors, memory, peripherals
- Take the disk image from the real system and boot it!
  - Simulated processor executes code from the BIOS
  - Starts executing the boot block from the disk image
  - Loads the OS… the software is now running on simulated hardware
- This is Simics, an expensive product from Intel
  - Supports “reverse execution”, e.g., “Run backwards and break on previous write to address”
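The three ideas on slides 4, 7 and 9 (instrumenting memory so that accesses generate callbacks, walking the kernel's task records to take a process inventory, and a "break on previous write to address" query) fit together in one small model. The following Python is an added example, not code from the presentation, from RESim or from Simics: a toy byte-addressable RAM with access watches and a write journal, plus a walk of a constructed circular task list. The record layout, the addresses, the process names and the `current_task` location are all constructed for illustration; the real Linux `task_struct` layout differs and varies by kernel version.

```python
import struct
from typing import Callable, List, Optional, Tuple

# Constructed record layout for this example only. It is NOT the real Linux
# task_struct layout, which varies by kernel version and configuration.
TASK_NEXT_OFF = 0      # u32: address of the next record in a circular list
TASK_PID_OFF = 4       # u32: process id
TASK_COMM_OFF = 8      # 16 bytes: NUL-padded command name (like COMM)
TASK_COMM_LEN = 16


class SimRAM:
    """Toy stand-in for a simulator's memory model. Every access is visible
    from outside the guest: watches fire callbacks on reads and writes, and
    every write is journaled so that "most recent write to this address" can
    be answered afterwards, in the spirit of reverse execution."""

    def __init__(self, size: int) -> None:
        self.mem = bytearray(size)
        self.watches: List[Tuple[int, int, Callable[[str, int, int], None]]] = []
        # One entry per write: (addr, length, bytes overwritten)
        self.journal: List[Tuple[int, int, bytes]] = []

    def add_watch(self, start: int, length: int,
                  cb: Callable[[str, int, int], None]) -> None:
        self.watches.append((start, start + length, cb))

    def _notify(self, kind: str, addr: int, length: int) -> None:
        for lo, hi, cb in self.watches:
            if addr < hi and addr + length > lo:      # access overlaps watch
                cb(kind, addr, length)

    def read(self, addr: int, length: int) -> bytes:
        self._notify("read", addr, length)
        return bytes(self.mem[addr:addr + length])

    def write(self, addr: int, data: bytes) -> None:
        self.journal.append((addr, len(data), bytes(self.mem[addr:addr + len(data)])))
        self._notify("write", addr, len(data))
        self.mem[addr:addr + len(data)] = data

    def read_u32(self, addr: int) -> int:
        return struct.unpack("<I", self.read(addr, 4))[0]

    def write_u32(self, addr: int, value: int) -> None:
        self.write(addr, struct.pack("<I", value))

    def previous_write(self, addr: int, before: Optional[int] = None) -> int:
        """Journal index of the most recent write touching addr, searching
        backwards from index `before` (default: the latest); -1 if none."""
        end = len(self.journal) if before is None else before
        for i in range(end - 1, -1, -1):
            a, n, _ = self.journal[i]
            if a <= addr < a + n:
                return i
        return -1


def write_task(ram: SimRAM, addr: int, next_addr: int, pid: int, comm: str) -> None:
    """Lay down one constructed task record at addr."""
    ram.write_u32(addr + TASK_NEXT_OFF, next_addr)
    ram.write_u32(addr + TASK_PID_OFF, pid)
    ram.write(addr + TASK_COMM_OFF, comm.encode().ljust(TASK_COMM_LEN, b"\0")[:TASK_COMM_LEN])


def process_inventory(ram: SimRAM, current_task_addr: int, limit: int = 4096) -> List[Tuple[int, str]]:
    """Follow the current_task pointer and walk the circular task list,
    returning (pid, comm) pairs. `limit` and the visited set guard against a
    corrupted or unterminated list in the guest."""
    addr = ram.read_u32(current_task_addr)
    result: List[Tuple[int, str]] = []
    seen = set()
    while addr not in seen and len(result) < limit:
        seen.add(addr)
        pid = ram.read_u32(addr + TASK_PID_OFF)
        raw = ram.read(addr + TASK_COMM_OFF, TASK_COMM_LEN)
        result.append((pid, raw.split(b"\0", 1)[0].decode("ascii", "replace")))
        addr = ram.read_u32(addr + TASK_NEXT_OFF)
    return result


def build_demo() -> Tuple[SimRAM, int, List[Tuple[str, int, int]]]:
    """Construct a sample RAM image with three tasks, a current_task global
    and a watch on the first task's pid field. Returns the RAM, the address
    of current_task, and the list that collects watch events."""
    ram = SimRAM(0x4000)
    events: List[Tuple[str, int, int]] = []
    t0, t1, t2 = 0x1000, 0x1100, 0x1200          # constructed record addresses
    write_task(ram, t0, t1, 1, "init")
    write_task(ram, t1, t2, 42, "sshd")
    write_task(ram, t2, t0, 1337, "radar-d")      # constructed process name
    current_task = 0x0500                          # constructed global location
    ram.write_u32(current_task, t1)                # "current" is sshd
    ram.add_watch(t0 + TASK_PID_OFF, 4, lambda k, a, n: events.append((k, a, n)))
    return ram, current_task, events


if __name__ == "__main__":
    ram, cur, events = build_demo()
    for pid, comm in process_inventory(ram, cur):
        print(f"pid={pid:<6} comm={comm}")
    ram.write_u32(0x1000 + TASK_PID_OFF, 2)       # simulated kernel write
    print("watch events:", events)
    last = ram.previous_write(0x1000 + TASK_PID_OFF)
    print("last write to pid field: journal index", last,
          "previous one:", ram.previous_write(0x1000 + TASK_PID_OFF, last))
```

The walk starts wherever `current_task` points, so the inventory order reflects the list position of the current process rather than PID order; a real tool would also validate each pointer against the kernel's address range before dereferencing it. The journal makes `previous_write` a pure lookup over recorded history, which is the observable a "run backwards and break on previous write" command exposes without re-executing anything.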
Processor & Device models
[Diagram: the disk image, Linux kernel and applications now run on a simulated x86 platform made of processor and device models]
The simulator lets you view RAM & registers
[Diagram: the same RAM layout from 0x1 to 0xffffffff (applications, Linux kernel, bootable disk image), now on a simulated x86 platform of processor and device models]
RESim builds on Simics to dynamically analyze systems
- Derived from a tool built for DARPA’s Cyber Grand Challenge (CGC)
  - High fidelity models of processors and peripherals
  - NPS developed it as a software vetting and analysis platform for CGC exploits
- System execution traces
  - Which programs execute as part of which processes?
  - What other processes and computers do they interact with?
  - Lists of IP addresses connected to and listened on
- Interactive disassembler / debugger integrated with the simulation
  - Attach to and drive programs as they exist in their native environment
  - “Reverse execution” functions, e.g., run backwards until memory write
  - IDA Pro disassembler/debugger with custom plugins
Reverse engineering parts of a system
- Engineering enclave for Maritime Systems (at ECE)
- What programs run? Network traffic consumed? Inter-process communication?
[Diagram: radar and other sensors feeding a Voyage Data Recorder running Linux, with a Fixed Recording Unit and a Floating Recording Unit]
Breakpoints & callbacks
[Diagram: RESim sits on a full system simulation (Simics models of processors and devices, simulated memory, processor state, disk image) and uses breakpoints and callbacks to produce a process inventory, a system call trace and interactive analysis]
Why dynamic analyses of the system?
- You obtained an exploit proof-of-concept (POC) against a target. What is the vulnerability?
  - The people / process that created the POC may not know
  - Exploiting a flaw does not imply an understanding of the flaw
- RESim was used to analyze all successful CGC exploits
  - Of 20 exploited services, half the exploits were not as intended
  - Authors of exploited services had a poor grasp of their own flaws
  - Competitors that proved vulnerabilities did not patch them (generics)
Current Status: current support for 32-bit Linux on x86 (64-bit)
- Add 64-bit Linux support (build on CGC experience)
- Introduce ARM, PowerPC, etc. and load with images from the testbed
- Integrate software vulnerability analysis features
  - Data tracking (forward and backward)
  - Fuzzing of selected programs
  - Direct injection of data when a network receive is detected
- Make the RESim platform available as a network service
  - NPS has large blade servers licensed for this Simics product
  - Remote access by analysts having local copies of IDA Pro
Questions?