TY - GEN
T1 - Repeatable reverse engineering with PANDA
AU - Dolan-Gavitt, Brendan
AU - Hodosh, Josh
AU - Hulin, Patrick
AU - Leek, Tim
AU - Whelan, Ryan
N1 - Publisher Copyright:
© 2015 ACM.
PY - 2015/12/8
Y1 - 2015/12/8
N2 - We present PANDA, an open-source tool that has been purpose-built to support whole system reverse engineering. It is built upon the QEMU whole system emulator, and so analyses have access to all code executing in the guest and all data. PANDA adds the ability to record and replay executions, enabling iterative, deep, whole system analyses. Further, the replay log files are compact and shareable, allowing for repeatable experiments. A nine billion instruction boot of FreeBSD, e.g., is represented by only a few hundred MB. PANDA leverages QEMU's support of thirteen different CPU architectures to make analyses of those diverse instruction sets possible within the LLVM IR. In this way, PANDA can have a single dynamic taint analysis, for example, that precisely supports many CPUs. PANDA analyses are written in a simple plugin architecture which includes a mechanism to share functionality between plugins, increasing analysis code re-use and simplifying complex analysis development. We demonstrate PANDA's effectiveness via a number of use cases, including enabling an old but legitimately purchased game to run despite a lost CD key, in-depth diagnosis of an Internet Explorer crash, and uncovering the censorship activities and mechanisms of an IM client.
AB - We present PANDA, an open-source tool that has been purpose-built to support whole system reverse engineering. It is built upon the QEMU whole system emulator, and so analyses have access to all code executing in the guest and all data. PANDA adds the ability to record and replay executions, enabling iterative, deep, whole system analyses. Further, the replay log files are compact and shareable, allowing for repeatable experiments. A nine billion instruction boot of FreeBSD, e.g., is represented by only a few hundred MB. PANDA leverages QEMU's support of thirteen different CPU architectures to make analyses of those diverse instruction sets possible within the LLVM IR. In this way, PANDA can have a single dynamic taint analysis, for example, that precisely supports many CPUs. PANDA analyses are written in a simple plugin architecture which includes a mechanism to share functionality between plugins, increasing analysis code re-use and simplifying complex analysis development. We demonstrate PANDA's effectiveness via a number of use cases, including enabling an old but legitimately purchased game to run despite a lost CD key, in-depth diagnosis of an Internet Explorer crash, and uncovering the censorship activities and mechanisms of an IM client.
KW - Instrumentation
KW - Introspection
KW - Record/replay
UR - http://www.scopus.com/inward/record.url?scp=85007595775&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85007595775&partnerID=8YFLogxK
U2 - 10.1145/2843859.2843867
DO - 10.1145/2843859.2843867
M3 - Conference contribution
AN - SCOPUS:85007595775
T3 - ACM International Conference Proceeding Series
BT - Proceedings of the 5th Program Protection and Reverse Engineering Workshop, PPREW 2015 - Software Security and Protection Workshop 2015, SSP 2015
PB - Association for Computing Machinery
T2 - 5th Program Protection and Reverse Engineering Workshop, PPREW 2015
Y2 - 8 December 2015
ER -