1. Introduction to reverse engineering
1. What is reverse engineering?
2. Reverse engineering of systems
3. Applications
4. Tools
5. Legality
What is reverse engineering?
You have an unexpected case:
You finished one course project using Java.
Your program runs OK.
But, by accident, you delete the Java source file.
How do you hand in your project?
Reverse Engineering
What is reverse engineering? - Enigma
Developed and patented (in 1918) by Arthur Scherbius
Many variations on the basic design
Eventually adopted by Germany, for both military and diplomatic use; many variations used
Broken by Polish cryptanalysts, late 1930s
Exploited throughout WWII by Poles, British, Americans
Turing was one of the Enigma cryptanalysts
Intelligence from Enigma was vital in many battles: D-day disinformation, German submarine “wolfpacks”, many other examples
What is reverse engineering?
Definition of engineering: the process of designing, manufacturing, assembling, and maintaining products and systems
Types: forward engineering, reverse engineering
Diagram: forward engineering goes from today’s design to tomorrow’s design; reverse engineering starts from today’s design and recovers yesterday’s (unknown) design.
What is reverse engineering?
Types of reverse engineering, with the description and output of each:
Redocumentation: produce documentation and design; leave the system unchanged (output: documentation, design)
Design rediscovery: produce documentation and design; leave the system unchanged (output: documentation, design)
Restructuring: transforms the system, but functionality remains intact (output: system)
Reengineering: changes the functionality and direction of the system (output: system)
What is reverse engineering?
The process of extracting the knowledge or design blueprints from anything man-made
Synonyms: reverse engineering, discovery process, reversing
Purpose: deduce design decisions from end products with little or no additional knowledge about the procedures involved in the original production
What is reverse engineering? - reasons
The original manufacturer no longer exists, but a customer needs the product
The original manufacturer of a product no longer produces the product
The original product design documentation has been lost or never existed
Creating data to refurbish or manufacture a part for which there are no CAD data, or for which the data have become obsolete or lost
Inspection and/or Quality control
Some bad features of a product need to be eliminated
Strengthening the good features of a product based on long-term usage
Analyzing the good and bad features of competitors’ products
Exploring new avenues to improve product performance and features
Creating 3-D data from a model or sculpture for animation in games and movies
What is reverse engineering? - reasons
Creating 3-D data from an individual, model or sculpture to create, scale, or reproduce artwork
Architectural and construction documentation and measurement
Fitting clothing or footwear to individuals and determining the anthropometry of a population
Generating data to create dental or surgical prosthetics, tissue engineered body parts, or for surgical planning
Documentation and reproduction of crime scenes
Reverse engineering of systems
Synonyms: software reverse engineering; program comprehension or understanding
Research area devoted to developing tools and methodologies to aid in the understanding and management of the increasing number of legacy systems
Reverse engineering of systems
Critical set of techniques and tools for understanding what software is really all about
Formally, the process of analyzing a subject system to identify the system’s components and their interrelationships and to create representations of the system in another form or at a higher level of abstraction (IEEE 1990)
Reverse engineering of systems
Diagram: forward engineering moves from Requirements to Design to Source Code to Behavior; reverse engineering moves in the opposite direction, from Behavior back to Source Code, Design and Requirements.
Reverse engineering of systems - purposes
Finding malicious code
Discovering unexpected flaws and faults
Finding the use of others’ code
Finding the use of shareware and open source code where it was not intended to be used
Learning from others’ product of a different domain or purpose
Discovering features or opportunities that the original developers did not realize
Reverse engineering of systems - purposes
Recovery of lost information
Assisting with maintenance
Migration to another hw/sw platform
Facilitating software reuse
Reverse engineering of systems - benefits
Maintenance cost savings
Quality improvements
Competitive advantages
Software reuse facilitation
Reverse engineering of systems
Laws of software evolution (Lehman, 1980)
Fundamental strategies for program comprehension (Brooks, 1983)
Taxonomy of Reverse Engineering (Chikofsky & Cross, 1990)
Working Conference on Reverse Engineering (WCRE, 1990)
Int. Workshop on Program Comprehension (IWPC)
Reverse engineering of systems
Diagram: software reverse engineering draws on code breaking, puzzle solving, programming and logical analysis.
Reverse engineering of systems - the reversing process
System-level reversing: helps determine the general structure of the program and sometimes even locate areas of interest within it
Code-level reversing: provides detailed information on a selected chunk
Reverse engineering of systems - the reversing process: system-level reversing
Involves running various tools on the program and utilizing various operating system services to obtain information, inspect program executables, track program input and output, …
Reverse engineering of systems - the reversing process: code-level reversing
An art form
Extracting design concepts and algorithms from a program binary is a complex process
Code-level reversing requires mastery of reversing techniques and a solid understanding of software development, the CPU and the operating system
Reverse engineering of systems - key areas to find vulnerabilities in software
Functions that do improper (or no) bound checking
Functions that pass through or consume user-supplied data in a format string
Functions meant to enforce bounds checking in a format string (%20s)
Routines that get user input using a loop
Low-level byte copy operations
Routines that use pointer arithmetic on user-supplied buffers
“Trusted” system calls that take dynamic input
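Three of the areas above (missing bounds checks on byte copies, user data reaching a format string, and the `%20s` width idiom) are what an auditor meets most often in C code. As an added example, not from these slides, each pattern is shown in the form that closes the hole; the function names and the inputs in the comments are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not from the slides): three of the "key areas" above,
 * each in a form that closes the hole. Function names are constructed. */

/* 1. Low-level byte copy with a bounds check: refuse, rather than
 *    truncate or overflow, when src plus its NUL does not fit in dst.
 *    memchr never scans past dstsz bytes of src. Returns length or -1. */
static int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    const char *nul = memchr(src, '\0', dstsz);
    if (nul == NULL)            /* no terminator within dstsz bytes */
        return -1;
    size_t n = (size_t)(nul - src);
    memcpy(dst, src, n + 1);    /* n bytes plus the terminator */
    return (int)n;
}

/* 2. Width-limited %s: "%20s" stores up to 20 bytes AND a NUL, so it
 *    needs a 21-byte buffer. Deriving the width from the buffer size
 *    keeps the two from drifting apart. Returns token length or -1. */
static int read_token(const char *input, char *out, size_t outsz)
{
    char fmt[24];
    if (outsz < 2)
        return -1;
    snprintf(fmt, sizeof fmt, "%%%zus", outsz - 1); /* e.g. "%7s" for 8 */
    if (sscanf(input, fmt, out) != 1)
        return -1;
    return (int)strlen(out);
}

/* 3. User data must be an argument, never the format itself:
 *    printf(user) lets conversion directives inside user drive the
 *    call; printf("%s", user) prints it verbatim. has_conversion() is
 *    the audit check: does a string carry any directive at all? */
static int has_conversion(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }  /* "%%" is a literal '%' */
        return 1;
    }
    return 0;
}

static void log_line(const char *user)
{
    printf("%s\n", user);   /* user is data; the format is fixed */
}
```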
Reverse engineering of systems - approaches: white box analysis
Analyzing and understanding source code
Analysis: binary code -> source code; study this source code
Testing: finding programming and implementation errors in software
False positives
Two types: use of the source code; decompilation of the binary code
Commercial products: IDA-Pro, SourceScope
Reverse engineering of systems - approaches: black box analysis
Refers to analyzing a running program by probing it with various inputs
Analysis: supplying an input, observing the effect of the test
Requires a running program; does not make use of source code analysis
But a program can be tested remotely over a network
Black box testing is not as effective as white box testing
Black box testing is much easier to accomplish and requires much less expertise than white box testing
Commercial products: Cenzic’s Hailstorm, SmartBits, IXIA, ISICS, PROTOS, Spike
Reverse engineering of systems - approaches: gray box analysis
Combines white box techniques with black box input testing
Example: running a target program within a debugger and then supplying particular sets of inputs to the program
Commercial products: Rational’s Purify, Valgrind
Reverse engineering of systems
Black box versus white box, compared:
Black box: audits the software runtime environment
- External threats
- Denial of service
- Cascade failure
- Security policy and filters
- Scales and runs across the enterprise network
- Valuable to security/systems administrators
- Identifies real problems that are known to be exploitable
White box: audits the software code
- Programming errors
- Central code repository required
- Valuable to developers and testers
- Identifies more bugs, but the actual risk of exploit is hard to measure
Reverse engineering of systems - methods
Tracing input
Exploiting version differences
Making use of code coverage
Accessing the kernel
Leaking data in shared buffers
Auditing for access requirement screwups
Using your API resources
Applications
Manufacturing
Industrial design
Jewelry design
Reproduction
Rapid Product Development (RPD)
Applications - software reverse engineering
Security-related reversing:
- Malicious software
- Reversing cryptographic algorithms: restricted algorithms, key-based algorithms
- Digital rights management (DRM)
- Auditing program binaries
Development-related reversing:
- Achieving interoperability with proprietary software
- Developing competing software
- Evaluating software quality and robustness
Applications
Diagram: reverse engineering (abstraction) takes the old system to an abstract system; forward engineering (re-implementation) takes the abstract system to the new system (Hausi A. Müller, 1997).
Tools
Low-level software: system software
Categories: system-monitoring tools, disassemblers, debuggers, decompilers, fault injection tools
Types: development tools (compilers, linkers, debuggers); infrastructure software (operating system); low-level programming languages (assembly language)
Tools
System-monitoring tools
Sniff, monitor, explore and otherwise expose the program being reversed
Monitor networking activity, file access, registry access, …
Disassemblers
Programs that take a program’s executable binary as input and generate textual files that contain the assembly language code for the entire program or parts of it
Tools - assembly languages
The language of reversing
A class of languages, not one language
Machine code (binary code or object code)
Tools
Debuggers
Programmers can’t really envision everything their program can do
Programs that allow software developers to observe their program while it is running: breakpoints, trace (single-stepping)
Decompilers
Take an executable binary file and attempt to produce readable high-level language code from it
Idea: try and reverse the compilation process, to obtain the original source file or something similar to it
Tools - compilers
Diagram: source code (a human-readable text file) is turned by compilation into an object file (binary code with readable symbols), and by linking into an executable (binary code with no symbols); code readability decreases at each step.
Tools - compilers
Example of source code as it enters this pipeline (embedding the Python 2 C API; PyFile_FromString was removed in Python 3):

    #include <Python.h>

    /* Run the Python script at FileName; return 1 on success, 0 on failure. */
    int ExecFile(char *FileName)
    {
        PyObject *PyFileObject = PyFile_FromString(FileName, "r");
        if (!PyFileObject) {
            return 0;                       /* could not open the file */
        }
        if (PyRun_SimpleFile(PyFile_AsFile(PyFileObject), FileName) == 0) {
            Py_DECREF(PyFileObject);        /* release the file object */
            return 1;
        } else {
            Py_DECREF(PyFileObject);
            return 0;
        }
    }
Tools - operating systems
Diagram of the software layers:
Application software: computer games, spreadsheets, word processors, databases, Internet browsers
System software: operating systems, utilities
Hardware: CPU, disks, mouse, printer, etc.
Legality
The legality of reverse engineering is governed by copyright laws
Copyright laws differ from country to country
Reverse engineering is legal only in a few specific cases
Black box testing does not constitute reverse engineering
Reverse engineering for compatibility fixes is legal
Reverse engineering spyware is illegal in most countries
When in doubt, do not reverse engineer!
Legality
Illegal to reverse engineer and sell a competing product
Illegal to crack copy protections
Illegal to distribute a crack/registration for copyrighted software
Illegal to gain unauthorized access to any computer system
Copyright protected software is off-limits in most cases
Spyware/Adware with companies behind them are included
Legality
Interoperability
Competition
Copyright law
Trade secrets and patents
The Digital Millennium Copyright Act
License agreement considerations
Legality - Interoperability
Task: getting two programs to communicate and interoperate is not easy
Software platforms: MS Windows, Sony Playstation
Publishing software interfaces would also create new competition for the vendor’s own applications
Legality - Sega versus Accolade
In 1990 Sega Enterprises, a well-known Japanese gaming company, released their Genesis gaming console. The Genesis’s programming interfaces were not published. The idea was for Sega and their licensed affiliates to be the only developers of games for the console.
Accolade, a California-based game developer, was interested in developing new games for the Sega Genesis and in porting some of their existing games to the Genesis platform.
Accolade explored the option of becoming a Sega licensee, but quickly abandoned the idea because Sega required that all games be exclusively manufactured for the Genesis console.
Legality - Sega versus Accolade
Instead of becoming a Sega licensee Accolade decided to use reverse engineering to obtain the details necessary to port their games to the Genesis platform. Accolade reverse engineered portions of the Genesis console and several of Sega’s game cartridges.
Accolade engineers then used the information gathered in these reverse-engineering sessions to produce a document that described their findings. This internal document was essentially the missing documentation describing how to develop games for the Sega Genesis console.
Accolade successfully developed and sold several games for the Genesis platform, and in October of 1991 was sued by Sega for copyright infringement.
Legality - Sega versus Accolade
The primary claim made by Sega was that copies made by Accolade during the reverse-engineering process (known as “intermediate copying”) violated copyright laws.
The court eventually ruled in Accolade’s favor because Accolade’s games didn’t actually contain any of Sega’s code, and because of the public benefit resulting from Accolade’s work (by way of introducing additional competition in the market).
This was an important landmark in the legal history of reverse engineering because in this ruling the court essentially authorized reverse engineering for the purpose of interoperability.
Legality - Competition
When reverse engineering is used for interoperability, it benefits society (simplification of the development of new and improved technologies)
In the development of competing products, the situation is more complicated:
- Stealing code segments and embedding them into your own product is a clear violation of copyright laws
- Applying a decompilation process and recompiling the output to generate a binary with identical functionality but with seemingly different code
- Reverse engineering applied only to small parts and used for the gathering of information
Legality
Copyright law
Aim: to protect software and other intellectual property from any kind of unauthorized duplication, and so on
Are intermediate copies (in memory, on disk, or both) legal?
Legality
Trade secrets and patents
Patents: 20 years; the details of the invention must be published; when the patent expires the invention becomes public domain
Trade secret: protects the developer from cases of “trade secret misappropriation”, such as having a rogue employee sell the secret to a competitor
A product’s being a trade secret does not protect its owner in cases where a competitor reverse engineers the owner’s product, assuming that product is available on the open market and is obtained legitimately
Legality
The Digital Millennium Copyright Act (DMCA) [enacted in 1998]
Basic purpose: to protect copyright protection technologies
Prohibited under the DMCA:
- Circumvention of copyright protection systems
- The development of circumvention technologies
Keygens are (illegally) available online for practically any program that requires a serial number
Legality - DMCA: Exceptions
Interoperability: decrypting a program when that is the only way to interoperate with it
Encryption research
Security testing: a person may reverse and circumvent copyright protection software for the purpose of evaluating or improving the security of a computer system
Educational institutions and public libraries: to evaluate the copyrighted work prior to purchasing it
Government investigation
Regulation
Protection of privacy
Legality - DMCA Case: Felten vs RIAA
In September 2000, the SDMI (Secure Digital Music Initiative) announced the Hack SDMI challenge.
The Hack SDMI challenge was a call for security researchers to test the level of security offered by SDMI, a digital rights management system designed to protect audio recordings (based on watermarks).
Princeton University professor Edward Felten and his research team found weaknesses in the system and wrote a paper describing their findings.
The original Hack SDMI challenge offered a $10,000 reward in return for giving up ownership of the information gathered.
Felten’s team chose to forego this reward and retain ownership of the information in order to allow them to publish their findings.
Legality - DMCA Case: Felten vs RIAA
At this point, they received legal threats from SDMI and the RIAA (the Recording Industry Association of America) claiming liability under the DMCA.
The team decided to withdraw their paper from the original conference to which it was submitted, but were eventually able to publish it at the USENIX Security Symposium.
The sad thing about this whole story is that it is a classic case where the DMCA could actually reduce the level of security provided by the devices it was created to protect.
Instead of allowing security researchers to publish their findings and force the developers of the security device to improve their product, the DMCA can be used for stifling the very process of open security research that has been historically proven to create the most robust security systems.
Legality - License Agreement Considerations
Software vendors add anti-reverse-engineering clauses to shrink-wrap software license agreements