Repeatable reverse engineering with PANDA

Brendan Dolan-Gavitt; Josh Hodosh; Patrick Hulin; Tim Leek; Ryan Whelan

doi:10.1145/2843859.2843867

Repeatable reverse engineering with PANDA

Brendan Dolan-Gavitt, Josh Hodosh, Patrick Hulin, Tim Leek, Ryan Whelan

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

We present PANDA, an open-source tool that has been purpose-built to support whole system reverse engineering. It is built upon the QEMU whole system emulator, and so analyses have access to all code executing in the guest and all data. PANDA adds the ability to record and replay executions, enabling iterative, deep, whole system analyses. Further, the replay log files are compact and shareable, allowing for repeatable experiments. A nine billion mstruction boot of FreeBSD, eg, is represented by only a few hundred MB. PANDA leverages QEMU's support of thirteen different CPU architectures to make analyses of those diverse instruction sets possible within the LLVM IR. In this way, PANDA can have a single dynamic taint analysis, for example, that precisely supports many CPUs. PANDA analyses are written in a simple plugim architecture which includes a mechanism to share functionality between plugins, increasing analysis code re-use and simplifying complex analysis development. We demonstrate PANDA's effectiveness via a number of use cases, including enabling an old but legitimately purchased game to run despite a lost CD key, in-depth diagnosis of an Internet Explorer crash, and uncovering the censorship activities and mechanisms of an IM client.

Original language	English (US)
Title of host publication	Proceedings of the 5th Program Protection and Reverse Engineering Workshop, PPREW 2015 - Software Security and Protection Workshop 2015, SSP 2015
Publisher	Association for Computing Machinery
ISBN (Electronic)	9781450336420
DOIs	https://doi.org/10.1145/2843859.2843867
State	Published - Dec 8 2015
Event	5th Program Protection and Reverse Engineering Workshop, PPREW 2015 - Los Angeles, United States Duration: Dec 8 2015 → …

Publication series

Name	ACM International Conference Proceeding Series
Volume	08-December-2015

Other

Other	5th Program Protection and Reverse Engineering Workshop, PPREW 2015
Country	United States
City	Los Angeles
Period	12/8/15 → …

Keywords

Instrumentation
Introspection
Record/replay

ASJC Scopus subject areas

Software
Human-Computer Interaction
Computer Vision and Pattern Recognition
Computer Networks and Communications

Access to Document

10.1145/2843859.2843867

Fingerprint Dive into the research topics of 'Repeatable reverse engineering with PANDA'. Together they form a unique fingerprint.

Cite this

Dolan-Gavitt, B., Hodosh, J., Hulin, P., Leek, T., & Whelan, R. (2015). Repeatable reverse engineering with PANDA. In Proceedings of the 5th Program Protection and Reverse Engineering Workshop, PPREW 2015 - Software Security and Protection Workshop 2015, SSP 2015 [2843867] (ACM International Conference Proceeding Series; Vol. 08-December-2015). Association for Computing Machinery. https://doi.org/10.1145/2843859.2843867

Repeatable reverse engineering with PANDA. / Dolan-Gavitt, Brendan; Hodosh, Josh; Hulin, Patrick; Leek, Tim; Whelan, Ryan.

Proceedings of the 5th Program Protection and Reverse Engineering Workshop, PPREW 2015 - Software Security and Protection Workshop 2015, SSP 2015. Association for Computing Machinery, 2015. 2843867 (ACM International Conference Proceeding Series; Vol. 08-December-2015).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Dolan-Gavitt, B, Hodosh, J, Hulin, P, Leek, T & Whelan, R 2015, Repeatable reverse engineering with PANDA. in Proceedings of the 5th Program Protection and Reverse Engineering Workshop, PPREW 2015 - Software Security and Protection Workshop 2015, SSP 2015., 2843867, ACM International Conference Proceeding Series, vol. 08-December-2015, Association for Computing Machinery, 5th Program Protection and Reverse Engineering Workshop, PPREW 2015, Los Angeles, United States, 12/8/15. https://doi.org/10.1145/2843859.2843867

Dolan-Gavitt B, Hodosh J, Hulin P, Leek T, Whelan R. Repeatable reverse engineering with PANDA. In Proceedings of the 5th Program Protection and Reverse Engineering Workshop, PPREW 2015 - Software Security and Protection Workshop 2015, SSP 2015. Association for Computing Machinery. 2015. 2843867. (ACM International Conference Proceeding Series). https://doi.org/10.1145/2843859.2843867

@inproceedings{eb2719ffb16c4886b3b6f5f4f973ae74,

title = "Repeatable reverse engineering with PANDA",

abstract = "We present PANDA, an open-source tool that has been purpose-built to support whole system reverse engineering. It is built upon the QEMU whole system emulator, and so analyses have access to all code executing in the guest and all data. PANDA adds the ability to record and replay executions, enabling iterative, deep, whole system analyses. Further, the replay log files are compact and shareable, allowing for repeatable experiments. A nine billion mstruction boot of FreeBSD, eg, is represented by only a few hundred MB. PANDA leverages QEMU's support of thirteen different CPU architectures to make analyses of those diverse instruction sets possible within the LLVM IR. In this way, PANDA can have a single dynamic taint analysis, for example, that precisely supports many CPUs. PANDA analyses are written in a simple plugim architecture which includes a mechanism to share functionality between plugins, increasing analysis code re-use and simplifying complex analysis development. We demonstrate PANDA's effectiveness via a number of use cases, including enabling an old but legitimately purchased game to run despite a lost CD key, in-depth diagnosis of an Internet Explorer crash, and uncovering the censorship activities and mechanisms of an IM client.",

keywords = "Instrumentation, Introspection, Record/replay",

author = "Brendan Dolan-Gavitt and Josh Hodosh and Patrick Hulin and Tim Leek and Ryan Whelan",

year = "2015",

month = dec,

day = "8",

doi = "10.1145/2843859.2843867",

language = "English (US)",

series = "ACM International Conference Proceeding Series",

publisher = "Association for Computing Machinery",

booktitle = "Proceedings of the 5th Program Protection and Reverse Engineering Workshop, PPREW 2015 - Software Security and Protection Workshop 2015, SSP 2015",

note = "5th Program Protection and Reverse Engineering Workshop, PPREW 2015 ; Conference date: 08-12-2015",

}

TY - GEN

T1 - Repeatable reverse engineering with PANDA

AU - Dolan-Gavitt, Brendan

AU - Hodosh, Josh

AU - Hulin, Patrick

AU - Leek, Tim

AU - Whelan, Ryan

PY - 2015/12/8

Y1 - 2015/12/8

N2 - We present PANDA, an open-source tool that has been purpose-built to support whole system reverse engineering. It is built upon the QEMU whole system emulator, and so analyses have access to all code executing in the guest and all data. PANDA adds the ability to record and replay executions, enabling iterative, deep, whole system analyses. Further, the replay log files are compact and shareable, allowing for repeatable experiments. A nine billion mstruction boot of FreeBSD, eg, is represented by only a few hundred MB. PANDA leverages QEMU's support of thirteen different CPU architectures to make analyses of those diverse instruction sets possible within the LLVM IR. In this way, PANDA can have a single dynamic taint analysis, for example, that precisely supports many CPUs. PANDA analyses are written in a simple plugim architecture which includes a mechanism to share functionality between plugins, increasing analysis code re-use and simplifying complex analysis development. We demonstrate PANDA's effectiveness via a number of use cases, including enabling an old but legitimately purchased game to run despite a lost CD key, in-depth diagnosis of an Internet Explorer crash, and uncovering the censorship activities and mechanisms of an IM client.

AB - We present PANDA, an open-source tool that has been purpose-built to support whole system reverse engineering. It is built upon the QEMU whole system emulator, and so analyses have access to all code executing in the guest and all data. PANDA adds the ability to record and replay executions, enabling iterative, deep, whole system analyses. Further, the replay log files are compact and shareable, allowing for repeatable experiments. A nine billion mstruction boot of FreeBSD, eg, is represented by only a few hundred MB. PANDA leverages QEMU's support of thirteen different CPU architectures to make analyses of those diverse instruction sets possible within the LLVM IR. In this way, PANDA can have a single dynamic taint analysis, for example, that precisely supports many CPUs. PANDA analyses are written in a simple plugim architecture which includes a mechanism to share functionality between plugins, increasing analysis code re-use and simplifying complex analysis development. We demonstrate PANDA's effectiveness via a number of use cases, including enabling an old but legitimately purchased game to run despite a lost CD key, in-depth diagnosis of an Internet Explorer crash, and uncovering the censorship activities and mechanisms of an IM client.

KW - Instrumentation

KW - Introspection

KW - Record/replay

UR - http://www.scopus.com/inward/record.url?scp=85007595775&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85007595775&partnerID=8YFLogxK

U2 - 10.1145/2843859.2843867

DO - 10.1145/2843859.2843867

M3 - Conference contribution

AN - SCOPUS:85007595775

T3 - ACM International Conference Proceeding Series

BT - Proceedings of the 5th Program Protection and Reverse Engineering Workshop, PPREW 2015 - Software Security and Protection Workshop 2015, SSP 2015

PB - Association for Computing Machinery

T2 - 5th Program Protection and Reverse Engineering Workshop, PPREW 2015

Y2 - 8 December 2015

ER -