Recon2012 - PREVIEW

Recon 2012

Jason Geffner
Tillmann Werner
Day Day 2 - 2012-06-15
Room Grand Salon
Start time 10:30
Duration 00:30
ID 225

Be Social. Use Rewoltke.

Reversing complex software in a short time is challenging due to the lack of professional tools that support collaborative analysis. The Rewoltke project aims to fill this gap. Instead of live distribution of changes to all clients, an approach that has proven to fail in the past, it borrows the architecture that is used successfully to organize source code repositories: a system that manages a history of changesets recorded as commits with commit messages. The central component is a server that keeps track of commits in a database.
Each commit covers one or more functions of an analyzed binary and contains information such as annotations, comments, prototypes, struct and enum definitions and the like. Clients search the database for commits on a function by constructing a query from the analyzed binary's hash and the function offset.
Different competing commits for a function are possible; in such cases it is up to the user to decide which commit is better.

This basic concept is sufficient for a collaborative workflow on a per-function basis for a shared binary. But the real power of Rewoltke lies in its fuzzy search algorithms. Different compilers may generate slightly different binary code, e.g., different registers may be used in otherwise identical instructions. Rewoltke can still match two such functions using a fuzzy hash that considers only the mnemonics, together with those immediates and displacements that do not generate cross references. Users can select which of the returned commits for a fuzzy hash they want to import.
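The register-insensitive matching described above, as an added illustration that is not Rewoltke's own code: it normalizes a constructed x86 listing by keeping mnemonics, replacing registers with a placeholder, dropping branch targets and absolute memory addresses (the operands a disassembler turns into cross references), and hashes the result. The concrete normalization rules and the use of SHA-256 are assumptions made for this example.

```python
import hashlib
import re

# Constructed sample: one function built twice; the second build picked ecx
# instead of eax and sits at other addresses, so the raw text differs.
BUILD_A = [
    "push ebp",
    "mov ebp, esp",
    "mov eax, [ebp+8]",
    "cmp eax, 0x10",
    "jbe 0x401030",         # branch target is a code xref: not hashed
    "add eax, 0x4",
    "mov [0x403000], eax",  # absolute address is a data xref: not hashed
    "pop ebp",
    "ret",
]
BUILD_B = [
    "push ebp",
    "mov ebp, esp",
    "mov ecx, [ebp+8]",
    "cmp ecx, 0x10",
    "jbe 0x402140",
    "add ecx, 0x4",
    "mov [0x405010], ecx",
    "pop ebp",
    "ret",
]
# A genuinely different function: same mnemonics, one immediate changed.
OTHER = BUILD_A[:5] + ["add eax, 0x8"] + BUILD_A[6:]
REGISTERS = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}
XREF_MNEMONICS = re.compile(r"^(j[a-z]+|call|loop[a-z]*)$")  # operand = target
ABSOLUTE_MEMORY = re.compile(r"\[0x[0-9a-f]+\]")              # direct memory ref
def normalize(instr):
    """Keep the mnemonic, replace registers by a placeholder and drop operands
    that become cross references; immediates and stack displacements stay."""
    mnemonic, _, operands = instr.strip().lower().partition(" ")
    if not operands or XREF_MNEMONICS.match(mnemonic):
        return mnemonic
    operands = ABSOLUTE_MEMORY.sub("[xref]", operands)
    operands = re.sub(r"\b[a-z]+\b",
                      lambda m: "reg" if m.group(0) in REGISTERS else m.group(0),
                      operands)
    return f"{mnemonic} {operands}"

def fuzzy_hash(instrs):
    """Hash of the normalized stream (assumed scheme, not Rewoltke's own)."""
    return hashlib.sha256("\n".join(map(normalize, instrs)).encode()).hexdigest()
def exact_hash(instrs):
    """Plain hash of the disassembly text, for comparison."""
    return hashlib.sha256("\n".join(instrs).encode()).hexdigest()
```

The two builds collide under the fuzzy hash but not under the exact one, while the function with a changed immediate stays distinct.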

Another feature is a similarity hashing scheme that takes the basic block boundaries of a function into account. Each function is mapped to a similarity-preserving hash of fixed size. A database query for such a function similarity hash returns a set of functions sorted by their similarity value, and the analyst can choose among them. This is extremely helpful when analyzing variants based on the same code or successive generations of a malware family, for example.

The Rewoltke client will be freely available as an IDA Pro plugin. We further operate a central Rewoltke cloud for everybody to share their commits. Our goal is to help build a public database of known, well-annotated functions to speed up the analysis of standard components, somewhat similar to BinCrowd (which is offline nowadays) but with support for multiple co-existing commits for the same function. We also support list-based commit visibility to give users control over who else can see and import their contributions.