DR. MIGUEL ÁNGEL OROS HERNÁNDEZ

1. Introduction to reverse engineering

1. What is reverse engineering?

2. Systems reverse engineering

3. Applications

4. Tools

5. Legality

What is reverse engineering?

You have an unexpected case:

You finished a course project in Java

Your program runs OK

But, by accident, you delete the .java source file

How do you hand in your project?

Reverse engineering: recover the source from the compiled .class file

What is reverse engineering? Enigma

Developed and patented (in 1918) by Arthur Scherbius

Many variations on the basic design; eventually adopted by Germany for both military and diplomatic use, with many variants in service

Broken by Polish cryptanalysts: Marian Rejewski reconstructed the rotor wiring in 1932 without access to a military machine, a reverse-engineering feat in its own right

Exploited throughout WWII by the Poles, the British and the Americans

Turing was one of the Enigma cryptanalysts

Intelligence from Enigma was vital in many battles: D-Day disinformation, the German submarine "wolfpacks", and many other examples

What is reverse engineering?

Definition of engineering: the process of designing, manufacturing, assembling and maintaining products and systems

Two types: forward engineering and reverse engineering

Forward engineering: today's design → tomorrow's design (the unknown is the product to be built)

Reverse engineering: today's design → yesterday's design (the unknown is the design that produced it)

What is reverse engineering?

Type of reverse engineering | Description | Output
Redocumentation | Produces documentation and design; leaves the system unchanged | documentation
Design rediscovery | Recovers the design; leaves the system unchanged | design
Restructuring | Transforms the system, but functionality remains intact | system
Reengineering | Changes the functionality or direction of the system | system

What is reverse engineering?

The process of extracting the knowledge or design blueprints from anything man-made

Also called: discovery process, reversing

Purpose: deduce design decisions from end products with little or no additional knowledge about the procedures involved in the original production

What is reverse engineering? Reasons

The original manufacturer no longer exists, but a customer needs the product

The original manufacturer of a product no longer produces the product

The original product design documentation has been lost or never existed

Creating data to refurbish or manufacture a part for which there are no CAD data, or for which the data have become obsolete or lost

Inspection and/or quality control

Some bad features of a product need to be eliminated

Strengthening the good features of a product based on long-term usage

Analyzing the good and bad features of competitors' products

Exploring new avenues to improve product performance and features

Creating 3-D data from a model or sculpture for animation in games and movies

What is reverse engineering? Reasons (continued)

Creating 3-D data from an individual, model or sculpture to create, scale, or reproduce artwork

Architectural and construction documentation and measurement

Fitting clothing or footwear to individuals and determining the anthropometry of a population

Generating data to create dental or surgical prosthetics, tissue-engineered body parts, or for surgical planning

Documentation and reproduction of crime scenes

Systems reverse engineering

Synonyms: software reverse engineering; program comprehension or understanding

A research area devoted to developing tools and methodologies to aid in the understanding and management of the increasing number of legacy systems

Systems reverse engineering

A critical set of techniques and tools for understanding what software is really all about

Formally, the process of analyzing a subject system to identify the system's components and their interrelationships and to create representations of the system in another form or at a higher level of abstraction (Chikofsky & Cross, IEEE Software, 1990)

Systems reverse engineering

Forward engineering: Requirements → Design → Source code → Behavior

Reverse engineering: Behavior → Source code → Design → Requirements

Systems reverse engineering: purposes

Finding malicious code

Discovering unexpected flaws and faults

Finding the use of others' code

Finding the use of shareware and open source code where it was not intended to be used

Learning from others' products of a different domain or purpose

Discovering features or opportunities that the original developers did not realize

Systems reverse engineering: purposes (continued)

Recovery of lost information

Assisting with maintenance

Migration to another hardware/software platform

Facilitating software reuse

Systems reverse engineering: benefits

Maintenance cost savings

Quality improvements

Competitive advantages

Software reuse facilitation

Systems reverse engineering

Laws of software evolution (Lehman, 1980)

Fundamental strategies for program comprehension (Brooks, 1983)

Taxonomy of reverse engineering (Chikofsky & Cross, 1990)

Working Conference on Reverse Engineering (WCRE, first held in 1993)

International Workshop on Program Comprehension (IWPC)

Systems reverse engineering

Software reverse engineering draws on: code breaking, puzzle solving, programming, logical analysis

Systems reverse engineering: the reversing process

System-level reversing
• Helps determine the general structure of the program
• Sometimes even locates areas of interest within it

Code-level reversing
• Provides detailed information on a selected chunk of code

Systems reverse engineering: the reversing process: system-level reversing

Involves running various tools on the program and using various operating system services to obtain information, inspect program executables, track program input and output, and so on
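System-level inspection of an executable starts with its header. As an added example (not code from the slides or from any tool they name), here is a minimal ELF64 header parser in C: it reads the fields a reverser looks at first (file type, target machine, entry point, and where the program and section header tables live) and, because a binary under analysis is untrusted input, bounds-checks every field it reads and reports whether the tables the header points to actually fit in the file. The 64-byte sample header is constructed for the example, not taken from a real binary; the struct and function names are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The fields a reverser looks at first when inspecting an executable. */
struct elf_info {
    int      little_endian;
    uint16_t type;       /* 2 = ET_EXEC, 3 = ET_DYN (shared object or PIE) */
    uint16_t machine;    /* 0x3e = x86-64, 0xb7 = AArch64 */
    uint64_t entry;
    uint64_t phoff, shoff;
    uint16_t phentsize, phnum, shentsize, shnum, shstrndx;
};

/* Explicit byte decoding: no struct casts, so a malformed or foreign-endian
   file cannot make the parser misread memory. */
static uint16_t rd16(const unsigned char *p, int le) {
    return le ? (uint16_t)(p[0] | p[1] << 8) : (uint16_t)(p[1] | p[0] << 8);
}
static uint32_t rd32(const unsigned char *p, int le) {
    return le ? (uint32_t)rd16(p, le) | (uint32_t)rd16(p + 2, le) << 16
              : (uint32_t)rd16(p + 2, le) | (uint32_t)rd16(p, le) << 16;
}
static uint64_t rd64(const unsigned char *p, int le) {
    return le ? (uint64_t)rd32(p, le) | (uint64_t)rd32(p + 4, le) << 32
              : (uint64_t)rd32(p + 4, le) | (uint64_t)rd32(p, le) << 32;
}

/* Parse an ELF64 header from buf. Returns 0 on success, -1 if the bytes are
   not a well-formed ELF64 header. len is checked before any field is read. */
int parse_elf64(const unsigned char *buf, size_t len, struct elf_info *out) {
    if (len < 64) return -1;                              /* ELF64 header is 64 bytes */
    if (memcmp(buf, "\x7f" "ELF", 4) != 0) return -1;   /* magic */
    if (buf[4] != 2) return -1;                           /* EI_CLASS: 2 = ELFCLASS64 */
    if (buf[5] != 1 && buf[5] != 2) return -1;            /* EI_DATA: 1 = LE, 2 = BE */
    int le = (buf[5] == 1);
    memset(out, 0, sizeof *out);
    out->little_endian = le;
    out->type      = rd16(buf + 16, le);
    out->machine   = rd16(buf + 18, le);
    out->entry     = rd64(buf + 24, le);
    out->phoff     = rd64(buf + 32, le);
    out->shoff     = rd64(buf + 40, le);
    if (rd16(buf + 52, le) != 64) return -1;              /* e_ehsize must be 64 */
    out->phentsize = rd16(buf + 54, le);
    out->phnum     = rd16(buf + 56, le);
    out->shentsize = rd16(buf + 58, le);
    out->shnum     = rd16(buf + 60, le);
    out->shstrndx  = rd16(buf + 62, le);
    return 0;
}

/* Do the program and section header tables fit in a file of file_len bytes?
   A hand-crafted binary can point them anywhere; a tool that trusts
   e_phoff/e_shoff blindly reads out of bounds. Returns 1 if they fit. */
int elf_tables_fit(const struct elf_info *h, uint64_t file_len) {
    uint64_t ph_end = h->phoff + (uint64_t)h->phentsize * h->phnum;
    uint64_t sh_end = h->shoff + (uint64_t)h->shentsize * h->shnum;
    if (ph_end < h->phoff || sh_end < h->shoff) return 0;  /* arithmetic overflow */
    return ph_end <= file_len && sh_end <= file_len;
}

/* Constructed sample (not from a real binary): little-endian x86-64 ET_DYN,
   entry 0x401000, 5 program headers at offset 64, 10 section headers at 0x3000. */
const unsigned char SAMPLE_ELF64[64] = {
    0x7f,'E','L','F', 2, 1, 1, 0, 0,0,0,0,0,0,0,0,  /* e_ident: ELF64, LE, SYSV */
    0x03,0x00,                                    /* e_type = ET_DYN */
    0x3e,0x00,                                    /* e_machine = EM_X86_64 */
    0x01,0x00,0x00,0x00,                          /* e_version */
    0x00,0x10,0x40,0x00,0x00,0x00,0x00,0x00,      /* e_entry = 0x401000 */
    0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x00,      /* e_phoff = 64 */
    0x00,0x30,0x00,0x00,0x00,0x00,0x00,0x00,      /* e_shoff = 0x3000 */
    0x00,0x00,0x00,0x00,                          /* e_flags */
    0x40,0x00, 0x38,0x00, 0x05,0x00,              /* e_ehsize, e_phentsize, e_phnum */
    0x40,0x00, 0x0a,0x00, 0x09,0x00,              /* e_shentsize, e_shnum, e_shstrndx */
};

int main(int argc, char **argv) {
    unsigned char hdr[64];
    size_t n = sizeof SAMPLE_ELF64;
    memcpy(hdr, SAMPLE_ELF64, n);
    if (argc > 1) {                       /* usage: ./elfinfo /path/to/binary */
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        n = fread(hdr, 1, sizeof hdr, f);
        fclose(f);
    }
    struct elf_info h;
    if (parse_elf64(hdr, n, &h) != 0) { fputs("not an ELF64 header\n", stderr); return 1; }
    printf("type=%u machine=0x%x entry=0x%llx phnum=%u shnum=%u shstrndx=%u\n",
           (unsigned)h.type, (unsigned)h.machine, (unsigned long long)h.entry,
           (unsigned)h.phnum, (unsigned)h.shnum, (unsigned)h.shstrndx);
    return 0;
}
```

Run it on a real file with ./elfinfo /bin/ls and compare with readelf -h: the entry point and table counts match. elf_tables_fit is the check worth adding before walking any table from a file you did not build yourself; the sample header alone (64 bytes) fails it, a file of at least 0x3000 + 10 * 64 bytes passes.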

Systems reverse engineering: the reversing process: code-level reversing

An art form: extracting design concepts and algorithms from a program binary is a complex process

Code-level reversing requires mastery of reversing techniques and a solid understanding of software development, the CPU and the operating system

Systems reverse engineering: key areas to find vulnerabilities in software

Functions that do improper (or no) bounds checking

Functions that pass through or consume user-supplied data in a format string

Functions meant to enforce bounds checking in a format string (e.g. %20s), where the width must actually match the buffer size

Routines that get user input using a loop

Low-level byte copy operations

Routines that use pointer arithmetic on user-supplied buffers

"Trusted" system calls that take dynamic input
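As an added example (not code from the slides), the first three patterns above in C, each as the vulnerable form a reverser would look for beside its hardened form: an unbounded sscanf of a KEY=value line, user data consumed as a format string, and width specifiers derived from the buffer sizes with truncation detected rather than silently accepted. KEY_MAX, VAL_MAX and the function names are chosen for the example.

```c
#include <stdio.h>
#include <string.h>

#define KEY_MAX 16
#define VAL_MAX 64

/* ---- 'Before': the vulnerable forms. Do not call them with untrusted input. ---- */

/* Improper bound checking: "%[^=]" and "%s" carry no width, so a key longer
 * than 15 bytes or a value longer than 63 bytes overruns the caller's buffers. */
int parse_kv_unsafe(const char *line, char key[KEY_MAX], char val[VAL_MAX]) {
    return sscanf(line, "%[^=]=%s", key, val) == 2 ? 0 : -1;
}

/* User-supplied data consumed as the format string: a value containing "%x"
 * leaks stack contents and "%n" writes an attacker-chosen count to memory. */
void log_unsafe(char *out, size_t n, const char *user) {
    snprintf(out, n, user);
}

/* ---- 'After': bounds derived from the buffer sizes, truncation detected. ---- */

/* Build "%15[^=]=%63s" from KEY_MAX/VAL_MAX so the width cannot drift from the
 * buffer size. Returns 0 on success, -1 if the line is malformed or a field
 * would not fit (sscanf with a width truncates silently, so we check first). */
int parse_kv_safe(const char *line, char key[KEY_MAX], char val[VAL_MAX]) {
    char fmt[32];
    snprintf(fmt, sizeof fmt, "%%%d[^=]=%%%ds", KEY_MAX - 1, VAL_MAX - 1);
    const char *eq = strchr(line, '=');
    if (!eq || eq == line || (size_t)(eq - line) > KEY_MAX - 1) return -1; /* key missing/too long */
    if (strcspn(eq + 1, " \t\r\n") > VAL_MAX - 1) return -1;               /* value too long */
    if (sscanf(line, fmt, key, val) != 2) return -1;
    return 0;
}

/* The user string is always an argument to a literal "%s", never the format.
 * snprintf's return value tells us whether the message was cut short. */
int log_safe(char *out, size_t n, const char *user) {
    int w = snprintf(out, n, "user supplied: %s", user);
    return (w >= 0 && (size_t)w < n) ? 0 : -1;    /* -1: output was truncated */
}

/* Demonstrations that return results instead of triggering undefined behaviour. */
int demo_parse(const char *line) {
    char key[KEY_MAX], val[VAL_MAX];
    return parse_kv_safe(line, key, val);
}

/* "k=" followed by 100 'A's: the unsafe parser would write 101 bytes into a
 * 64-byte buffer; the safe one refuses the line. */
int demo_long_value(void) {
    char line[128];
    memset(line, 'A', sizeof line);
    memcpy(line, "k=", 2);
    line[102] = '\0';
    return demo_parse(line);
}

/* An attacker's format payload stays inert data with the safe logger. */
int demo_format_attack(void) {
    char out[64];
    int r = log_safe(out, sizeof out, "%x %x %n");
    return r == 0 && strcmp(out, "user supplied: %x %x %n") == 0;
}

int main(void) {
    char key[KEY_MAX], val[VAL_MAX], out[64];
    if (parse_kv_safe("user=alice", key, val) == 0) printf("key=%s val=%s\n", key, val);
    printf("long value rejected: %d\n", demo_long_value() == -1);
    printf("format payload inert: %d\n", demo_format_attack());
    log_safe(out, sizeof out, "bob");
    puts(out);
    return 0;
}
```

When auditing a binary for these patterns, the tell for the first one is a scanf-family call whose format string (a literal in .rodata) has a conversion without a width; for the second, a printf-family call whose format argument is not a literal but a register loaded from user-controlled memory.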

Systems reverse engineering: approaches: white box analysis

Analyzing and understanding source code

Analysis: decompile the binary code into source code, then study that source code

Testing: finding programming and implementation errors in software

Drawback: false positives

Two types: use of the source code; decompilation of the binary code

Commercial products: IDA Pro, SourceScope

Systems reverse engineering: approaches: black box analysis

Refers to analyzing a running program by probing it with various inputs

Analysis: supply an input, observe the effect of the test

Requires a running program; does not make use of source code analysis

A program can even be tested remotely over a network

Black box testing is not as effective as white box testing, but it is much easier to accomplish and requires much less expertise

Products and tools: Cenzic's Hailstorm, SmartBits, IXIA, ISICS, PROTOS, Spike

Systems reverse engineering: approaches: gray box analysis

Combines white box techniques with black box input testing

Example: running a target program within a debugger and then supplying particular sets of inputs to the program

Tools: Rational's Purify, Valgrind
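As an added example covering the black box and gray box approaches above (not code from the slides or from any of the products they name), a small probe harness in C: it runs a target routine in a forked child on a series of inputs and records whether the child returned or was killed by a signal, which is the "supply an input, observe the effect" loop with the parent surviving each crash. The target, a 16-byte stack buffer filled by strcpy, is constructed for the example; knowing its buffer size is the white-box half of a gray-box test, and the harness confirms black-box style what happens past it. It assumes a POSIX system (fork, waitpid) and a GCC/Clang compiler for the noinline attribute.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Subject under test, constructed for this example: a low-level byte copy
 * with no bound check, one of the patterns listed earlier. noinline keeps
 * its own stack frame so the smashed return address is used when it returns
 * (with _FORTIFY_SOURCE the copy itself aborts, which is also a signal). */
__attribute__((noinline)) int target(const char *input) {
    char buf[16];
    strcpy(buf, input);
    return (int)strlen(buf);
}

/* Run target(input) in a child and report how it ended:
 *   0  = returned normally
 *  >0  = killed by that signal number (SIGSEGV, SIGABRT, ...)
 *  -1  = harness error (fork/waitpid failed)
 * The parent never executes the target, so one crash does not end the campaign. */
int probe(const char *input) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        target(input);
        _exit(0);                       /* _exit: do not flush the parent's stdio twice */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
}

/* Black-box campaign: inputs of growing length, step bytes at a time.
 * Returns the smallest length that crashed the target, 0 if none did,
 * -1 on allocation failure. */
int first_crashing_length(size_t max_len, size_t step) {
    char *buf = malloc(max_len + 1);
    if (!buf) return -1;
    int found = 0;
    for (size_t len = step; len <= max_len && !found; len += step) {
        memset(buf, 'A', len);
        buf[len] = '\0';
        if (probe(buf) > 0) found = (int)len;
    }
    free(buf);
    return found;
}

int main(void) {
    printf("15-byte input: signal %d\n", probe("AAAAAAAAAAAAAAA"));   /* fits: 0 */
    int len = first_crashing_length(1024, 64);
    if (len > 0) printf("first crashing input length: %d bytes\n", len);
    else         puts("no crash observed");
    return 0;
}
```

The signal number is the observation: SIGSEGV points at a corrupted return address or pointer, SIGABRT at a stack canary or fortified copy catching the overflow first. Attaching a debugger to the child at that point (the gray box step the slide describes) is what turns "input length 64 crashes" into "which bytes of the input land in the saved return address".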

Systems reverse engineering

Black box | White box
Audits the software's runtime environment | Audits the software's code
• External threats, denial of service, cascade failures, security policy and filters | • Programming errors
• Scales and runs across the enterprise network | • Requires a central code repository
• Valuable to security and systems administrators | • Valuable to developers and testers
• Identifies real problems that are known to be exploitable | • Identifies more bugs, but the actual risk of exploitation is hard to measure

Systems reverse engineering: methods

Tracing input

Exploiting version differences

Making use of code coverage

Accessing the kernel

Leaking data in shared buffers

Auditing for access-requirement screwups

Using your API resources

Applications

Manufacturing

Industrial design

Jewelry design

Reproduction

Rapid Product Development (RPD)

Applications: software reverse engineering

Security-related reversing:

Malicious software

Reversing cryptographic algorithms (restricted algorithms, key-based algorithms)

Digital rights management (DRM)

Auditing program binaries

Development-related reversing:

Achieving interoperability with proprietary software

Developing competing software

Evaluating software quality and robustness

Applications

Old system → reverse engineering (abstraction) → abstract system model → forward engineering (re-implementation) → new system (Hausi A. Muller, 1997)

Tools

Low-level software: system software

Categories of reversing tools: system-monitoring tools, disassemblers, debuggers, decompilers, fault injection tools

Types of low-level software:

Development tools: compilers, linkers, debuggers

Infrastructure software: the operating system

Low-level programming languages: assembly language

Tools

System-monitoring tools

Sniff, monitor, explore and otherwise expose the program being reversed

Monitor networking activity, file access, registry access, and so on

Disassemblers

Programs that take a program's executable binary as input and generate text files that contain the assembly language code for the entire program or parts of it

Tools: assembly languages

The language of reversing

A class of languages, not one language: each CPU architecture has its own

Assembly is the human-readable form of machine code (binary code or object code)

Tools

Debuggers

Programmers can't really envision everything their program can do

Programs that allow software developers to observe their program while it is running: breakpoints, tracing (single-stepping)

Decompilers

Take an executable binary file and attempt to produce readable high-level language code from it

Idea: try to reverse the compilation process, to obtain the original source file or something similar to it

Tools: compilers

Source code → (compilation) → Object file → (linking) → Executable

Source code: human-readable text file

Object file: binary code with readable symbols

Executable: binary code with no symbols (once the symbol table has been stripped)

Code readability decreases at each step

Tools: compilers (example source code)

/* Example source code as it looks before compilation. It targets the
   Python 2 C API: PyFile_FromString was removed in Python 3. */
#include <Python.h>

/* Runs a Python script from a file; returns 1 on success, 0 on failure. */
int ExecFile(char *FileName)
{
    PyObject *PyFileObject = PyFile_FromString(FileName, "r");
    if (!PyFileObject) {
        return 0;
    }
    if (PyRun_SimpleFile(PyFile_AsFile(PyFileObject), FileName) == 0) {
        Py_DECREF(PyFileObject);
        return 1;
    } else {
        Py_DECREF(PyFileObject);
        return 0;
    }
}

Tools: virtual machines and bytecodes

Tools: operating systems

Layers, top to bottom:

Application software: computer games, spreadsheets, word processors, databases, Internet browsers

System software: operating systems, utilities

Hardware: CPU, disks, mouse, printer, etc.

Legality

The legality of reverse engineering is governed by copyright laws

Copyright laws differ from country to country

Reverse engineering is legal only in a few specific cases

Black box testing does not constitute reverse engineering

Reverse engineering for compatibility fixes is legal

Reverse engineering spyware is illegal in most countries

When in doubt, do not reverse engineer!

Legality

Illegal to reverse engineer and sell a competing product

Illegal to crack copy protections

Illegal to distribute a crack/registration key for copyrighted software

Illegal to gain unauthorized access to any computer system

Copyright-protected software is off-limits in most cases

Spyware/adware with companies behind them are included

Legality

Interoperability

Competition

Copyright law

Trade secrets and patents

The Digital Millennium Copyright Act

License agreement considerations

Legality: interoperability

Task: getting two programs to communicate and interoperate is not easy

Software platforms: MS Windows, Sony PlayStation

Publishing software interfaces would also create new competition for the vendor's own applications

Legality: Sega versus Accolade

In 1990 Sega Enterprises, a well-known Japanese gaming company, released their Genesis gaming console. The Genesis's programming interfaces were not published. The idea was for Sega and their licensed affiliates to be the only developers of games for the console.

Accolade, a California-based game developer, was interested in developing new games for the Sega Genesis and in porting some of their existing games to the Genesis platform.

Accolade explored the option of becoming a Sega licensee, but quickly abandoned the idea because Sega required that all games be exclusively manufactured for the Genesis console.

Legality: Sega versus Accolade (continued)

Instead of becoming a Sega licensee, Accolade decided to use reverse engineering to obtain the details necessary to port their games to the Genesis platform. Accolade reverse engineered portions of the Genesis console and several of Sega's game cartridges.

Accolade engineers then used the information gathered in these reverse-engineering sessions to produce a document that described their findings. This internal document was essentially the missing documentation describing how to develop games for the Sega Genesis console.

Accolade successfully developed and sold several games for the Genesis platform, and in October 1991 was sued by Sega for copyright infringement.

Legality: Sega versus Accolade (continued)

The primary claim made by Sega was that copies made by Accolade during the reverse-engineering process (known as "intermediate copying") violated copyright laws.

The court (Ninth Circuit, 1992) eventually ruled in Accolade's favor because Accolade's games didn't actually contain any of Sega's code, and because of the public benefit resulting from Accolade's work (by way of introducing additional competition in the market).

This was an important landmark in the legal history of reverse engineering because in this ruling the court essentially authorized reverse engineering for the purpose of interoperability.

Legality: competition

When reverse engineering is used for interoperability it benefits society (it simplifies the development of new and improved technologies)

In the development of competing products, the situation is more complicated:

Stealing code segments and embedding them into your own product: a clear violation of copyright law

Applying a decompilation process and recompiling the output, to generate a binary with identical functionality but seemingly different code

Reverse engineering applied only to small parts and used for the gathering of information

Legality: copyright law

Aims to protect software and other intellectual property from any kind of unauthorized duplication, and so on

Are intermediate copies (in memory, on disk, or both) legal?

Legality: trade secrets and patents

Patents: 20 years

The details of the invention must be published

When the patent expires the invention becomes public domain

Trade secret: protects the developer from cases of "trade secret misappropriation", such as a rogue employee selling the secret to a competitor

A product's being a trade secret does not protect its owner in cases where a competitor reverse engineers the owner's product, assuming that product is available on the open market and is obtained legitimately

Legality: the DMCA

The Digital Millennium Copyright Act (DMCA), enacted in 1998

Basic purpose: to protect copyright protection technologies

Prohibited under the DMCA:

Circumvention of copyright protection systems

The development of circumvention technologies

Keygens are (illegally) available online for practically any program that requires a serial number

Legality: DMCA exceptions

Interoperability: decrypting a program when that is the only way to interoperate with it

Encryption research

Security testing: a person may reverse and circumvent copyright protection software for the purpose of evaluating or improving the security of a computer system

Educational institutions and public libraries: to evaluate the copyrighted work prior to purchasing it

Government investigation

Regulation

Protection of privacy

Legality: DMCA case: Felten vs RIAA

In September, 2000, the SDMI (Secure Digital Music Initiative) announced the Hack SDMI challenge.

The Hack SDMI challenge was a call for security researchers to test the level of security offered by SDMI, a digital rights management system designed to protect audio recordings (based on watermarks).

Princeton university professor Edward Felten and his research team found weaknesses in the system and wrote a paper describing their findings.

The original Hack SDMI challenge offered a $10,000 reward in return for giving up ownership of the information gathered.

Felten’s team chose to forego this reward and retain ownership of the information in order to allow them to publish their findings.

Legality: DMCA case: Felten vs RIAA (continued)

At this point, they received legal threats from SDMI and the RIAA (the Recording Industry Association of America) claiming liability under the DMCA.

The team decided to withdraw their paper from the original conference to which it was submitted, but were eventually able to publish it at the USENIX Security Symposium.

The sad thing about this whole story is that it is a classic case where the DMCA could actually reduce the level of security provided by the devices it was created to protect.

Instead of allowing security researchers to publish their findings and force the developers of the security device to improve their product, the DMCA can be used for stifling the very process of open security research that has been historically proven to create the most robust security systems.

Legality: license agreement considerations

Software vendors add anti-reverse-engineering clauses to shrink-wrap software license agreements

Bibliography

Michael L. Nelson. A Survey of Reverse Engineering and Program Comprehension. NASA, April 19, 1996.

Eldad Eilam. Reversing: Secrets of Reverse Engineering. Wiley Publishing, Inc., 2005.

End