Mathieu Desnoyers - Tracing for Hardware, Driver and Binary Reverse Engineering in Linux

In this presentation, we will introduce the new Linux Trace Toolkit Next Generation (LTTng) kernel tracer and its analysis counterpart, Linux Trace Toolkit Viewer (LTTV), a fully extensible text and graphical trace viewer. We will focus on how these tools can be used in the security field, particularly for reverse engineering.

It can be very useful to reverse engineer a software "black box". It can be a driver, a library or a multithreaded application : the tracer can log every interaction between the operating system and the "black box". It can help eluding sandboxes and debugger detectors due to its small performance impact compared to library wrappers and debuggers. It can collect every system call made by every program which can be later used for fuzzing.

It is not, however, limited to process examination : one could use the kernel instrumentation to reverse engineer a driver controlling a piece of hardware. This tracer should be seen as a system wide monitor for your system : It gives you the opportunity to monitor the hardware, the OS, the libraries and the programs and analyse the information with integrated plugins.

This presentation will explain how you can use LTTng and LTTV for reverse engineering and how you can extend it further.

Bio

Mathieu Desnoyers is interested in computer security since the year 2000, His interest in computer security comes from his desire to control his technical environment. His interest in Linux started in 1998 when he saw the level of control he had on such an OS as an individual, and it has never stopped growing since then. He believes in developing Free Software, and is mostly interested in kernel hacking and computer security.

He is the maintainer of the Linux Trace Toolkit (LTT) project since 2005 and the main developer of Linux Trace Toolkit Viewer (LTTV). He presented the LTTV project to IBM in 2004 and additionnaly works on LTTng in collaboration with Autodesk Entertainment, IBM, WindRiver, C2 Microsystems and Richard Purdie, an ARM Kernel developer. He is currently completing a M.Sc.A. in Computer Engineering at Ecole Polytechnique de Montréal.
http://ltt.polymtl.ca