3rd Reversing and Offensive-oriented Trends Symposium 2019 (ROOTS)

Academic workshop co-located with DeepSec November 28/29, Vienna

List of Accepted Papers

RevEngE is a dish served cold: Debug-Oriented Malware Decompilation and Reassembly

Marcus Botacin (Federal University of Paraná), Lucas Galante (University of Campinas), Paulo de Geus (University of Campinas), André Grégio (Federal University of Paraná)

Malware analysis is key for cybersecurity overall improvement. Analysis tools have been evolving from complete static analyzers to decompilers. Malware decompilation allows for code inspection at higher abstraction levels, easing incident response. However, the decompilation procedure has many challenges, such as opaque constructions, irreversible mappings, semantic gap bridging, among others.
In this paper, we propose a new approach that leverages the human analyst's expertise to overcome decompilation challenges. We name this approach “DoD—debug-oriented decompilation”, in which the analyst is able to reverse engineer the malware sample on his own and to instruct the decompiler to translate selected code portions (e.g., decision branches, fingerprinting functions, payloads, etc.) into high-level code. With DoD, the analyst might group all decompiled pieces into new code to be analyzed by another tool, or to develop a novel malware sample from previous pieces of code and thus exercise a Proof-of-Concept (PoC). To validate our approach, we propose RevEngE, the Reverse Engineering Engine for malware decompilation and reassembly, a set of GDB extensions that intercept and introspect into executed functions to build an Intermediate Representation (IR) in real-time, enabling any-time decompilation. We evaluate RevEngE with x86 ELF binaries collected from VirusShare, and show that a new malware sample created from the decompilation of independent functions of five known malware samples is considered “clean” by all VirusTotal’s AVs.
[ ACM ISBN 978-1-4503-7775-1/19/11 ] [ DOI 10.1145/3375894.3375895 ]
[ ACM Digital Library (PDF) ] [ Author's copy (PDF) ] [ Github ] [ Slides ]

Automatic Modulation Parameter Detection In Practice

Johannes Pohl (University of Applied Sciences Stralsund), Andreas Noack (University of Applied Sciences Stralsund)

Internet of Things (IoT) devices have to be small and energy efficient so that resources for security mechanisms tend to be limited. Due to the lack of open source or license-free standards, device manufacturers often use proprietary protocols. Software Defined Radios (SDR) provide a generic way to investigate wireless protocols because they operate on nearly arbitrary frequencies, but they output sine waves that have to be demodulated. This demodulation process slows down security investigations because it forces researchers to start on the physical layer while the real reverse-engineering is performed on the logical layer.
We contribute an auto-detection system that estimates all demodulation parameters of a wireless signal and, additionally, explicitly returns all these parameters so that they can be fine-tuned afterwards. This allows security researchers to skip the physical layer and work with the bits and bytes instead of sine waves. The contributed system is evaluated with both simulated signals and ten real-world signals captured from various IoT devices with SDRs. Furthermore, we show how parameters can be estimated during recording time and evaluate this technique by attacking an AES-secured wireless door lock. Our solution is available as part of the open source software Universal Radio Hacker and follows the ergonomic philosophy of the main application.
[ ACM ISBN 978-1-4503-7775-1/19/11 ] [ DOI 10.1145/3375894.3375896 ]
[ ACM Digital Library (PDF) ] [ Author's copy (PDF) ] [ Github ]

Harzer Roller: Linker-Based Instrumentation for Enhanced Embedded Security Testing

Katharina Bogad (Fraunhofer AISEC), Manuel Huber (Fraunhofer AISEC)

Due to the rise of the Internet of Things, there are many new chips and platforms available for hobbyists and industry alike to build smart devices. The SDKs for these new platforms usually include closed-source binaries containing wireless protocol implementations, cryptographic implementations, or other library functions, which are shared among all user code across the platform. Leveraging such a library vulnerability has a high impact on a given platform. However, as these platforms are often shipped ready-to-use, classic debug infrastructure like JTAG is oftentimes not available.
In this paper, we present a method, called Harzer Roller, to enhance embedded firmware security testing on resource-constrained devices. With the Harzer Roller, we hook instrumentation code into function call and return. The hooking not only applies to the user application code but to the SDK used to build firmware as well. While we keep the design of the Harzer Roller generally architecture independent, we provide an implementation for the ESP8266 Wi-Fi IoT chip based on the Xtensa architecture.
We show that the Harzer Roller can be leveraged to trace execution flow through libraries without available source code and to detect stack-based buffer overflows. Additionally, we showcase how the overflow detection can be used to dump debugging information for later analysis. This enables better usage of a variety of software security testing methods like fuzzing of wireless protocol implementations or proof-of-concept attack development.
[ ACM ISBN 978-1-4503-7775-1/19/11 ] [ DOI 10.1145/3375894.3375897 ]
[ ACM Digital Library (PDF) ] [ arXiv (PDF) ]

Shallow Security: on the Creation of Adversarial Variants to Evade Machine Learning-Based Malware Detectors

Fabricio Ceschin (Federal University of Paraná), Marcus Botacin (Federal University of Paraná), Heitor Gomes (University of Waikato), Luiz Oliveira (Federal University of Paraná), André Grégio (Federal University of Paraná)

The use of Machine Learning (ML) techniques for malware detection has been a trend in the last two decades. More recently, researchers started to investigate adversarial approaches to bypass these ML-based malware detectors. Adversarial attacks became so popular that a large Internet company has launched a public challenge to encourage researchers to bypass their (three) ML-based static malware detectors. Our research group teamed up to participate in this challenge in August/2019, accomplishing the bypass of all 150 tests proposed by the company. To do so, we implemented an automatic exploitation method which moves the original malware binary sections to resources and includes new chunks of data to it to create adversarial samples that bypassed not only their ML detectors, but also real AV engines (with a lower detection rate than the original samples). In this paper, we detail our methodological approach to overcome the challenge and report our findings. With these results, we expect to contribute to the community and provide better understanding of ML-based detectors' weaknesses. We also pinpoint future research directions toward the development of more robust malware detectors against adversarial machine learning.
[ ACM ISBN 978-1-4503-7775-1/19/11 ] [ DOI 10.1145/3375894.3375898 ]
[ ACM Digital Library (PDF) ] [ Author's copy (PDF) ] [ Github ] [ Corvus Platform ]