lecture: The Future of RE: Dynamic Binary Visualization
"Well, you have to... The image translators work for the construct program. But there's way too much information to decode the Matrix..."
Let's run with that. From malware to firmware, memory dumps to steganography, we face an arduous task: making sense of mountains of data, millions of pages of hex. Traditional starting points are file headers and signatures, but anti-RE has become the norm, and conventional approaches prove increasingly useless. We can't hack what we can't understand, we can't fix what we can't see, and we can't analyze what we can't find. We need a new way to sift through data, an efficient means of finding a needle in a haystack.
Introducing 'visual' RE with ..cantor.dust.., a breakthrough interactive visualization tool for rapid binary analysis. By translating binary information to visual abstractions, the reverser can comb through megabytes of arbitrary data in seconds, analyzing based on image patterns rather than byte sequences. Even previously unseen instruction sets and data formats can be easily located and understood through their visual fingerprint.
Whether searching for exploitable code, stealthy malware, cryptographic keys, or network anomalies, these radical new visual translation techniques will dramatically accelerate the analysis process for security investigators of all backgrounds.
We initially demonstrated our new binary visualization tool (dubbed ..cantor.dust..) at Black Hat last year. Based on the overwhelming positive feedback, we felt that we need to continue to expose the concept of 'visual RE' to the community, as well as generate discussion on how to further extend current analysis capabilities. To achieve this, we presented a detailed case study using visual RE at DerbyCon; again, the feedback was tremendous. Since then, we've been progressing in leaps and bounds, and we'd like to give a final presentation on the concept at an RE-exclusive conference, REcon. We'll introduce new visual analysis capabilities, and, time permitting, examine their application towards new firmware level attacks.
The foundation of the tool is _visual_ analysis, and we encourage reviewers to see a high level overview of the translation techniques at sites.google.com/site/xxcantorxdustxx . The site provides a rough illustration of our approach, which we intend to discuss in depth at the conference.
The presentation can be broadly divided into two parts. First, we will introduce the concept of visual binary analysis; we will explain the merits of the approach, and describe the binary-to-image translation techniques we've investigated. Second, we will present a live demonstration of using visual abstractions in a number of common use cases.
In the first half of the presentation, we will introduce the concept and merits of visual binary analysis. We will begin by illustrating traditional tools' over-reliance on data structure, and explore how this can be easily manipulated to thwart even the most powerful reverse engineering software. In order to free ourselves from these weaknesses, we propose the radical step of initially treating all binary data as if it had no structure. Instead, by translating arbitrary data to a visual representation, we can investigate structure a priori. In essence, we intend to bridge the chasm between hex editors and high level analysis tools; in treating all data equally, we can gain the flexibility of a hex editor, and by translating data in a generic way, we are still able to investigate data type, structure, and relationships as we would in a high level tool. To investigate this possibility, we'll examine prior binary visualization work by a number of notable security experts (namely, Kaminsky, Conti, and Cortesi). We'll discuss the limitations of prior approaches, and illustrate how we've extended them to enable practical analysis. We'll then outline our new visualization translation techniques as well, including how we can translate binary data to three dimensional abstractions, and generate interactive function graphs from an arbitrary set of data. Next, we will explore using these techniques to examine the visual signatures of a variety of data classes. We will demonstrate how to immediately recognize text, audio, image, code, and other types of data based on visual patterns, rather than byte sequences or file structure. Subtleties, such as the visual differences between x86 vs x64, Spanish vs Italian text, or black and white vs colored images will be illustrated - this will show how one can visually gain an in depth knowledge of an object, without having any knowledge of the underlying data.
After this introduction to the concept of visual binary analysis, we will examine multiple use cases. We will quickly illustrate using the software to instantly solve past cyber CTF problems (from DEFCON and PlaidCTF), before moving on to real world examples. Real world examples will include the rapid dissection and analysis of a common executable, firmware, and malware. In each case we will demonstrate how a visual examination of the object can save the analyst weeks of work. We will illustrate finding hidden components of an executable, unpackers in malware, and vulnerable regions of firmware (among others), all without ever relying on file structure, data types, or even any particular machine code. The visual translation techniques introduced, by operating independently of underlying data formats, prove to be immensely useful for a wide audience; hackers, pentesters, incident responders, reversers, and all varieties of security researchers will gain valuable insight to entirely new analysis techniques. In the months since their introduction, our visual translation approach to binary analysis has already saved our own researchers thousands of hours of work, and we hope to share this capability with the community.
We'll demonstrate using our software (..cantor.dust..) for the analysis, but this is circumstantial - our primary goal is to present and explore the radical approach of visual analysis, and our software is currently the only way to illustrate this. The software is still in the initial stages of development; as we continue to explore the proper path towards release, we'd like to offer attendees exclusive access to a closed beta.
Start time: 11:00