Ghidra - Journey from Classified NSA Tool to Open Source

Captions
Good afternoon and welcome to Ghidra: Journey from Classified NSA Tool to Open Source. We're in Islander EI and we have Chris Delikat and Brian Knighton presenting today. A couple of notes: stop by the business hall located in Mandalay Bay Oceanside, Shoreline ballrooms on level 2. The Black Hat Arsenal is running in the business hall on level two as well. Lunch will be served in Bayside A and B between 1:00 and 2:30. With that I'd ask you to silence your cell phones and welcome Chris and Brian.

Thanks everyone, thanks for coming. It's a big honor to be here speaking for NSA, the Ghidra team and myself; it's a big honor. When we first started the process of moving from classified to open source I sort of made a joke like, hey, we should go to Black Hat, sort of thinking it would never happen, but, you know, here we are. It's pretty awesome, so thank you. So, for some introductions: I'm Brian Knighton, I'm a researcher at NSA. I've been a Ghidra developer since about 2001. Currently, these days, what I do is what I like to call applied research, where I'm doing IoT VR for various things. We're turning over to Chris now and then we'll come back and talk about some other parts of Ghidra.

So hi, my name is Chris. I'm a tech lead in research, which means I guide a lot of really cool cyber projects. I'm not on the Ghidra team, but I've been working with Brian for many years; we've collaborated on a lot of different things, and he basically brought me here to talk about all the stuff he doesn't want to talk about. So, as such, the agenda: we're gonna start off talking a little bit about the origins of Ghidra and putting it in context with NSA and research, and saying kind of how that makes sense and why we did what we did, and a little bit about the background of the tool and some more information about features and why we sort of felt like we needed to have a tool like this built in-house. And then we're gonna go and discuss the framework, why we call it a framework, what it really means, and there's going to be a lot of cool screenshots there. And then we're going to touch on some more open source aspects of it and all the little things that we had to do to kind of bring the tool open source and what it means to do that. And then at the end we'll talk about some new features and metrics, kind of hopefully keep people in their seats till then; it'll be really exciting if you can make it that long.

So I thought it'd be fun to do a little bit of jargon that we have. Not all of this is specific to NSA, but like any other professional organization we've got some words and phrases that we kind of use internally, and we're gonna probably be saying certain things, so I figured it'd be good to kind of get some stuff out there. So, software reverse engineering, SRE: if you're not familiar with the tool that we're talking about here, Ghidra is a software reverse engineering tool. I'm gonna talk a little bit more about that in a bit, but just so you see SRE, you can see where we say that. VR, vulnerability research, is something you do with a software reverse engineering tool. Cyber, it's one of everybody's favorite words these days, right, cyber, cybersecurity. When we say cyber I guess we kind of mean computers, computer networks, that sort of thing. It's almost become synonymous with the next thing, which we call CNO, computer network operations; that's kind of a government abbreviation that we like to use to describe cyber things, cyber cyber. And so then there's the IC; you know we're going to say that quite a bit, the intelligence community, that's where we're from. There's about 16 entities within the intelligence community, and we'll say things like the releasing of Ghidra was good for the IC, or this whole process supports the IC. Unclass is a word that we use as a sort of abbreviation to say unclassified; it means something that's not protected under classification any longer, and that's kind of, you know, part of the journey of Ghidra that has gotten us to that point. And NSA mission, these are other things you're gonna hear us say. Mission is kind of like the goal, the point of what we do, why we do what we do, and when you hear me say something like I do cyber SRE for the CNO mission in the IC, now you can understand what I'm talking about.

So here's NSA headquarters. I'm going to talk a little bit about the NSA in case everyone's not completely familiar. The National Security Agency is part of the Department of Defense and we have a bunch of missions that support cyber type things. We are in charge of supporting and securing national security systems, those that contain classified data and are used in the conduct of intelligence and military operations. We also support our leaders with information, to provide decision-makers the information they need to make policies and decisions. We also work with industry to secure critical infrastructure; that's different than national security infrastructure in that it's the public infrastructure, critical systems that help society keep going, think about power, water, that kind of stuff. And finally we support the Armed Forces, and we work with them with cyber indicators and other things of intel value to kind of help them do what they do and protect them. And so with all these cyber responsibilities you can kind of imagine that we've probably got to have some tools that we've developed to help us with all our cyber, right, and so that's where Ghidra comes into play.

But where did Ghidra come from? This building up here, this is the headquarters of NSA Research, so this is where Brian and I work; we go in there every single day except the weekends. And so think for a second, what do you think of when you think of research, what is research? A lot of people think research just means something like you're googling around, maybe reading some articles, looking at Stack Overflow, collecting some code, but I'm gonna ask you to think of what at an organizational level research means, right. And so in some organizations research is a means to sort of analyze a specific activity or technology for a specific defined amount of time and then produce some kind of a paper at the end of it. In other organizations you want to take some technology and try to push it to its limits and develop some proof of concept. At NSA it's not exactly either of those that we do; we do what we like to call mission-oriented research. And so back to those missions I mentioned earlier: our goal is to impact the mission in a positive manner in whatever the timeframe necessary to do that, so it gives us flexible time to do whatever we need to do that we think is going to impact the mission. And some of those things, you can see how Ghidra kind of fits into that, because as we've announced this has been an ongoing project within research for many years now. Other projects in a similar vein would be SELinux, where we worked on that and the mission was sort of to help critical infrastructure and secure that.

And so maybe you're asking yourself, now that I've said this is by research, why does NSA have a real embedded research organization, why don't they just farm out the things that they want? Well, there's a quote I like to use to kind of illuminate what it means to have an NSA research organization. There's an American inventor, Henry Ford, who's credited with the invention of the automobile; he supposedly said something along the lines of, if I had asked the people what they wanted they would have said faster horses. And so what that means in this context is a lot of times the organization or the individual that needs the innovation doesn't necessarily know exactly what they need; they can only see so far ahead of themselves and see essentially, I'm doing this now, give me more of what I've already got to kind of help me complete what I'm doing, and don't have the ability to kind of step back and figure out what the real problem is. So at NSA Research we're embedded within NSA and that gives us the ability to sit side by side with our operational entities, learn their problems, and then take a big step back and not have to be beholden to the operational day to day, and we can come up with innovative solutions that they maybe never even thought of, right. In the case of faster horses we can come up with a car or something else that gets them what they need. Another cool aspect about NSA Research, and this is a shameless plug for working in research: we have our own director within NSA, which means we're not necessarily beholden to requirements from any other org. We have the mission to positively impact operations, obviously, but we can do it in our own way, and it gives us a lot of freedom to think of solutions that we're passionate about, and we can do things that we're interested in rather than having requirements given to us to say do these things. We can come up with ideas; sometimes they fail. One of the best things about being in research at NSA is we have the freedom to fail, and failing is just really figuring out one way not to do something; sometimes you figure out a lot of ways not to do something, but failing is okay and we like that aspect of it.

And so, I'm going to talk to something that's not exactly on this slide, but you can look at those facts up there while I say it: you may be asking yourself, why is Ghidra still in research, right? And like I was saying before, the mission-oriented research we do isn't meant to sort of have a beginning, middle and an end; there's not a time span and there's no paper that we're gonna write at the end of reverse engineering and say we researched it and here's the result. What Ghidra is is a tool that's been built to be a framework or foundation to support future research, and having that entire system in-house gives us the ability to turn the knobs and twiddle the screens and do whatever it is we can do to support exactly how we want to make that work, and an external tool wouldn't be able to function in the same manner. And so now Ghidra is a platform or a framework that can sustain next-generation vulnerability research, different kinds of binary analysis, program analysis, and all kinds of things that we haven't even thought of yet, but we're keeping it in-house for those reasons.

And so, as I mentioned earlier, software reverse engineering: why would you even do that, what's the point of it? Well, not everybody sort of does software reverse engineering, so I want to explain a little bit about that so you can follow along. Ultimately it's to find out what's in your binary. Software reverse engineering is you have a binary, you're taking it, you're gonna look at it and try to figure out what it does. Why would you want to do that? Well, there's a couple of big cybersecurity reasons I can think of. Number one, you've got a binary on your network, or just on your computer that you're using, and you want to look at it for the vulnerabilities that may be in there so you can defend yourself from them. You don't know what's in there, you don't have the source, you just have a binary; maybe you bought it, maybe it's part of the operating system, who knows, it's there. Another reason why you might want to use a software reverse engineering tool like this is you have a binary on your network but you didn't put it there; you don't know where it's from, maybe it's malware, maybe it's not, but you want to figure out what it's doing there, where it came from, and what maybe it's done to your network already.

And so in 2000 there weren't a lot of tools that did that type of thing, and there were really no tools that had all these features that we were looking for here. So I'm not going to talk through all of these, but some of the key things that we were looking for back then that were not addressed by anything on the market: we were doing collaborative reverse engineering in a way that was not really addressed by existing tools back then, teaming, keeping multiple people working on a single binary and sort of reversing different parts of it. Then we wanted to have a lot of extensibility and integration for different tools to sort of improve the overall workflow by putting a bunch of things together that make a reverse engineer's life a little bit easier. And then obviously undo/redo is a feature that's sort of critical when you're looking for a way to sort of analyze a binary; you don't even know where it came from, so you don't really know, you're probably going to go down a lot of false starts and then dial it back and have to do other things. And then headless automation, right, you want to do that too; you can run a lot more things if we can run stuff on the side or in the background.

And so this chart, don't look too closely at the numbers, I'm not sure what exactly that means, but ultimately what we're trying to show here is that software over the years has been growing in size, and not only has it been growing in size, it's been proliferating and working its way into everything that we have, right. And so the vulnerabilities and malware potential I was talking about earlier, that's growing too; it's just everywhere. Every piece of software we're using is getting bigger, there's more possibility for vulnerabilities, more possibility for malware, and the networks are connected so there's more possibility for stuff to get everywhere. So this is what we sort of anticipated, and that's part of the reason that we want to get this out so everybody can start using it and help us and help the community get better at reverse engineering, because this is not a skill set that is going to diminish and it's not something that we're not going to need in a few years; if anything we're going to need a lot more people with that skill set in a few years. And so I think at this point I'm gonna hand back to Brian.

Thanks, all. You ready? I am ready. Are you ready? All right, so enter the dragon, to sort of solve all the problems that were outlined by Chris, so thanks Chris for going over that. So Ghidra is sort of our solution that we came up with to solve all those cyber issues of scaling, teaming. There's been a lot of questions about what Ghidra stands for, where the name came from, so I'm gonna give you a big opening reveal here. Since we use lots of jargon... I'm just kidding, that's a joke. This is what Ghidra actually stands for, it's what you think: the three-headed monster, right, because we were trying to bring together three things into one body, one body of knowledge, one body of work. Three key features that we had in terms of our research requirements when we started on this was to have scaling, teaming and extensibility all in one environment, one framework or one tool. And we also wanted to bring together, because before Ghidra you would have your hex editor open as one application, you would have your disassembler in one application, and you would have say a debugger or some kind of other emulation system as a separate device, and they weren't all working together, so we wanted to bring all those together, hence the three-headed monster. That's where the name comes from.

So let's do a quick run-through of some of the major features and see how Ghidra kind of flows. So the first thing that makes Ghidra unique and different is that it's project-based, so instead of just bringing in one binary you actually create a project first, and then in that project you can bring in all the binaries that you want to look at. So in this case I brought in, say, /bin/cp into my project because that's the binary that I want to look at. We also call this sometimes just our front end; we'll say open the front end, that's this window right here, but it's technically the project window. We call it the front end because if you look at the code it's called the front end plugin, if you check out some of the code base. So once you have your binary brought into your project you can then open it up in this first window, which is the listing view. This is where you do all your annotation and mark up the binary; you create your instructions, you create your data, you lay down your comments. This shows the function as a linear flow of addresses, so as you're going down it's flowing down through the address space. So if you have a function that's not contiguous, that's broken up, we have another view that will render this as a graph. So we have a function graph which is giving you the same information as the listing view but it breaks it up by control flow. So here's the one function we were looking at on the previous slide, but it's shown as control flow blocks, so it's split up by transitions, jumps, branches, things like that, and the way it's organized is actually by dominance: a node that's below and to the right of another node means it's dominated by that other node, and so you can't reach that node unless you flow through the node that's up and to the left of it. In the bottom right-hand corner is an overview, because you can zoom out if you have a really complex function and you can see just a small piece of a larger function, and the bottom right-hand corner will show an overview of that.

Then, the same view that we just looked at before, but we also have a decompiler that will take that assembly code and decompile it into a C-like representation. The cool thing about Ghidra is the decompiler will work on any architecture that we support, and by support I mean if we have a SLEIGH processor definition for that architecture. SLEIGH is what we use; it's a text-based grammar where you can outline the architecture, you define the registers, the instructions, the P-code, and the P-code is what we call the microcode for an instruction, and that's how we can actually decompile it from the assembly code back to a C-like representation. It goes through a few steps in the middle, but generally speaking that's how that works. Another cool window we have is the file system browser. This was introduced later on, after Ghidra was created, and it was designed to be able to tear apart and open firmware inside of Ghidra, so instead of just bringing in one file you could have a tar file that has a bunch of binaries in it and you can open that up inside of Ghidra and sort of alleviate the need to have an external tool to unpack something, and there's a bunch of formats that we support. The other big feature we have is the script manager. This is really awesome; you can basically configure Ghidra through the script manager to do anything you want. You can automate things, create new analyzers, lay down code comments, find functions. You can write scripts in Java and Python. Fun fact is, when we first added this we actually didn't have support for Python, and someone was like, Java, I hate Java, why'd you do Java, right, which is kind of a theme we've heard a little bit about Java. And so one of our users actually added the support for Python. So if you wanted to say add another language, say Ruby, you could drop in an extension to the script framework and support other scripting languages as well, as long as it has some Java connection. And then bringing it back to the three-headed, you know, three things working together: here's the same three views we saw a moment ago, the listing on the left, the decompiler in the center, and the function graph on the right, and they're all working together. So if I make a selection or make a change in any of those windows it will propagate over to the other windows. So if I wanted to see this if statement here and see which blocks it's associated to, where it is in the listing, in the bytes, are they contiguous, are they not, as well as in the decompiler, it'll show me the transition points.

Okay, you have a bunch of other features other than just that. We have an assembler that allows you to, inline in the listing view, write new assembly code. We have bookmarks, which are just what they are; you can lay down little breadcrumbs at a place. We have a byte viewer, which is what we call our hex editor; it's kind of like a hex editor but you can do a little bit more than just change the bytes, you can do them in different bases, ASCII, and all kinds of things. We have a data type manager that allows you to create unions, structures, and apply those down on your binary. We have an entropy window; this will show you how similar or different your bytes are across a program. It's really good for figuring out if a program is compressed, for example. We have lots of ways to do navigation and searching, so you can move around your binary in a multitude of ways to make finding things much quicker. Version tracking is a really cool feature, so if you've done some SRE on version 1 of a binary and version 2 has come out and you want to move as much annotation forward as you can, because you assume that not everything's changed between 1.0 and 2.0, version tracking is used for that. Version control, that's our multi-user, so if you're looking at a large binary you can collaborate on it: I'm gonna do the first ten functions, then you do the second ten functions, so it works out really well.

So now let's talk about some of our code base and how we implemented some of the features I just talked about. So our code base is split up into sort of three high-level categories: Framework, which is the base GUI and storage components; we have our Features area, which are all of the SRE-focused plugins and scripts that are specific for doing SRE; and then we have all of our Processors, which are all of the SLEIGH grammar specs I told you about for defining architectures that you want to disassemble. So let's talk about the framework a little bit, because this will kind of help understand why we call it a framework and it's not just a tool. So the framework has five main components, so let's kind of go through those. The first one is DB, so that's our database. We call it a database but it's probably not a true database, because although we have tables, rows and columns it's not really SQL-like, you can't run SQL statements on it and things like that, but we created it at a time when there really wasn't any good Java database, because it was a long time ago that we made this. But it was created so we could support natively, at a very low level, the undo/redo and the version control; all that is layered on top of the DB component, okay.

Now the Model portion of the framework, that's from model-view-controller from software design, so that's the model: it's the data that's inside of the project. So a project contains one or more domain folders, and each of those folders can have one or more domain files, and a domain file is bound to what we call a domain object, and we have three implementations of domain object that come with Ghidra. One is Program, which is all the stores for storing a program, all the program's different information; we'll see that in a minute. We also have data type archives, so you can make bundles of data type archives and share those across users in your multi-user environment. And version tracking sessions, so if you start a version tracking session you can save that and come back and do it later. So part of the reason why we call it a framework is you could create other domain objects to store inside of here, so it's a framework that could be reused for something other than SRE. The software modeling component is the program I just mentioned before, so it's all of the classes that we've created that are used to model the information that's inside of a program. So a program contains memory, which contains bytes; it contains a symbol table, which contains symbols, as well as the listing, instructions. It's very large, but I think it's modeled pretty good, I think.

Plugins. So what I'm speaking about here is the base class for the plugins that are used, so if you wanted to create your own plugin to drop into our framework, this is where the base class and all the base classes live that you would extend from. So the base class is called Plugin, and plugins can produce and consume events. So, like the screen I showed you before where I had the three windows side by side, how those windows talk together is one plugin will throw an event and the other windows will consume that event and respond, so like address changes, location changes, things like that. Plugins are also dependent on each other by decoupling them through a thing we call services. So a plugin will produce a service and other plugins will consume that service; that way plugins are not dependent on each other. So if you wanted to take out, say, our go-to service that's inside of Ghidra, which controls the navigation, you could write a new one and provide the go-to service and drop that in, and the rest of the environment would still respond appropriately and work correctly. Plugins are also responsible for managing the GUIs, all the buttons, all the actions, so that's kind of the separation between a script, what I mentioned before, and a plugin: if you want to do anything that's GUI-based you should do it as a plugin, not as a script; otherwise you can do anything else in the script. It's kind of our separation on that.

Docking windows is our suite of custom GUI components that we've created. So if you're familiar with Java you know there are J components, JTable, JTree; we've extended a whole bunch of those. We have GTrees and GTables, which are our components to make the environment look similar across Ghidra, so all of our tables look the same, all of our trees look the same, because we use the GTree. And the reason we want to use that is it gives you things like improved table modeling and tree modeling, which goes back to what Chris was mentioning earlier about needing this to scale. So if you have a binary that has 5 million symbols in it and you're trying to open it in traditional Java GUI components, it would never happen, because the table model would not support that. So we have a bunch of threaded models for all of those things. It also does sorting, filtering, gives us the nice uniform look and feel, and yes, it was created to overcome a lot of Java Swing sort of wonkiness. So here's an example of that, going back to the script manager: you can see on the right-hand side is the GTable and the left-hand side is the GTree, and all of those, like the sorting, the filtering, all that stuff, if you use one of our G components you'll kind of get that for free, which saves you a lot of time in doing all the GUI components, all the development of those.

So a big question we've got a lot is, why did we pick Java, what were you thinking, kind of thing. Well, when we started, Java was very popular, right, it was early 2000. I came on the project like I said in 2001, and before we did it in Java, and I wasn't involved in that, C++ was tried, but it didn't really give us the platform-independent GUI from the start, which is what we needed. And of course Java gives us a lot of cool features, like being able to load classes dynamically, that's how the scripts work; it also gives us extension points, you can drop in new plugins, if you write your own plugins it'll just load them automatically. Java gives us minimal memory management; there's, you know, still some memory leak possibilities. But now if we started it today, would we still use Java? I think the answer is yes, but we'd probably do some things differently. We would certainly make everything be able to be written in, say, Python, so plugins could be written in Python, analyzers, loaders. But one of the cool things is what Java gave us from the beginning was, if you have a distribution of Ghidra and you have say Eclipse, you can debug that distribution. So if someone was using Ghidra and, say, called me up, hey Brian, it's not working right on my binary, I could just go to their desk without having to take some big development environment; I can just fire up Eclipse at their desk and debug the source code that we include with Ghidra, just debug it right in place and then maybe even patch it right there at their desk so they can keep working, and then we will come back and integrate that into our code base later on.

So the open source process, let's talk about that. Well, before we talk about that, let's talk about every version of Ghidra that we've had, okay. So we started it, say, early or late 2000; I came on, say, mid-2001, that's when I joined the team. And when we first started it, yes, it was classified. It was classified because the fact of NSA doing SRE was considered classified, therefore a tool that does SRE would inherently be classified. We had our first version, version 1.0, in 2003. It was mostly proof of concept; it was kind of just getting the framework laid out, the ability to have plugins and analyzers and loaders. It wasn't very good, but in 2004 we came out with version 2 and this was getting a lot better. This is when we added the database and docking windows. So before the database we were actually just writing out the Java classes to disk, and we had undo from the beginning but the undo didn't work very well, so by using the database we were able to do it much easier; the plugins that are layered on top of the database didn't need to know how to undo or redo, which is what happened in 1.0. So then we also introduced the docking windows, which was really just the ability to pull the windows out from the main code browser window and move them around, as well as some of the Java components. In 2006 we came out with version 3, which included SLEIGH and the decompiler. So in versions 1 and 2 we didn't have any decompiler yet, you could only disassemble, so in version 3 we introduced the decompiler and also version control, which is the multi-user, which was layered on top of the database. So because we added the database we were able to then support and implement something that we wanted to do from the beginning, which was the multi-user collaboration. 2007, version 4 came; two big things were added, that was the scripting framework, both the Java and the Python, though someone added the Python very quickly after we kind of had some betas of it. Version tracking was also introduced, which is the ability of going from version one to version two of a binary. In 2010 we had 5.0; then one of the biggest things that was added, that was the file system browser that was introduced to deal with the firmware bundles, which were becoming very prevalent. Before that it was always just one binary, one binary, I'm gonna look at this one binary, but now we have bundles of firmware that you want to look at and be able to tear apart and bring that into Ghidra, so you'd have to have a bunch of different tools to look at it. The big thing though, in 2014 I should say, 6.0 came out and this was our unclassified version. The reason it changed from classified to unclassified is, like I mentioned before, the fact of NSA doing SRE had become unclassified, therefore we were able to declassify Ghidra. But we still weren't ready to release it yet; over the next five years we worked through the process from unclassified to open source. Now I don't think that five years is a long time, but it wasn't like our full-time job; we were still supporting Ghidra. We had version 7 and version 8 come out with lots of features, lots of bugs, I mean bug fixes, improvements, and then we were transitioning to the open source to get there, which, as you may have heard, 2019, this past March, we were able to finally release the first public version of Ghidra, and the source code was put on GitHub one month later. Okay, somebody give it back; he's gonna talk some more about open source.

Okay, so don't get scared, the policy stuff, we're not going to go too deep into this, but I thought it would be useful at least to sort of point to a couple of government policies that we utilized to kind of help push Ghidra over the finish line, so to speak. And so Executive Order 13691 is one of those; you can see cybersecurity sharing, right, the second bullet. We were able to kind of point to the second bullet and say, look, using the same tool across different groups is really going to improve the ability to share, right. So it just makes sense: we're looking at the same binaries, we're all gonna look at it the same way, there's not going to be any communication breakdowns; it just seemed like it made sense that we could point to this policy. And then there's voluntary partnering with the federal government; obviously if you're using the tool that we wrote that's going to enable you to work more easily with us. The other policy I want to underline here was this open source policy. Now, very large organizations can be inefficient at times; the government is no different. Keeping track of all the custom software projects that are started up and torn down and released within the federal government at large is an enormous effort, and so what this tries to address is some of that inefficiency and make useful custom projects available to the government at large. And so what we did here is sort of point to this and say, look, not everybody works in a classified environment across the government; we make this thing open source, put it out there, and it's going to be available to more parts within the government as well as external to the government, and it's just better overall for all the different groups. We don't have to worry about other agencies trying to build a reverse engineering framework for whatever reason; we've already got one.

Now, as Brian said, it took five years. Now what exactly was going on in those five years? Well, there's a lot to think about if you're thinking about a large-scale software project like Ghidra, a million lines of code or so, and every line's got to be looked at by two people. So this is a process we had to go through; it's slow. But not just that, think about any sort of internal software project that you've got in-house for a decade or more, never seen the light of day for whatever reason; you've got a build on that old box in the corner, dependencies, everything is kind of set, and now all of a sudden you want to make it open source so that anybody can download and build it at home and set it up. That's a lot of effort. So we had to deal with a lot of build scripts, documentation, the process; internal infrastructure had to be stood up to test everything. This was an enormous effort, and an enormous number of people were involved: the Ghidra team, public affairs got involved, got someone with us today, and OGC, that's the Office of General Counsel, that's lawyers, we had to get involved with them as well. It's a huge team effort and we're really excited that we were able to get it out and be able to do this type of presentation. And so, sort of harkening to the anniversary of the moon landing: every 50 years or so the government gets to do something awesome, right, that's kind of what we're pointing out. We're not trying to equate releasing an open-source project with landing on the moon or anything like that, if that ultimately this
was a moon shot for us though and when it went down we had it we have this big build up a lot of time as you saw to get to that point we had people in on the ground so to speak in RSA at the conference at the booth waiting for the influx of people to come over and ask questions we had a big team back home admission control sort of online answering online questions watching the download count tick up and it was just it was an enormous amount of excitement everybody was we loved it it was great but why did we do it well we believe the cybersecurity is a big issue and we want to do as much as you can to kind of help out and so getting this tool out there is one of those things but we also really want to embrace the open source community we love open source the people that work at NSA our open source type people we like to be able to give back when we can as much as we can it enables us it enables you it's a it's a good thing we're excited about seeing this tool in schools trainings are popping up online YouTube videos it's being attached to curriculums we think this is all fantastic I mean it doesn't hurt for recruitment purposes but ultimately we want to work with Roma tours we're friends of omote were fans of open source and we wanted to show our commitment to the community with this release and our continuing support and engagement you know I think the fact Iran new features so we've got some new stuff coming out I 9.1 9.12 be coming out soon I'm not gonna say exactly when but but very soon eminently and in 9.1 we're gonna have some additional processor modules which are the slave specifications we're gonna have like say super age for some of the HTS processors we're gonna have support for data type bid fields this is this is in for a structure you can specify bit fields inside of a structure or Union we've wanted that for a long time I've also have support for sis calls and a slay editor if you want to know more about that check out the Recon talk that was a few 
months ago there were some folks from the get your team who gave a talk on once it's call & slay editor some of the future things we have coming out no no projected release date is support for the latest Android in art formats we're gonna have an alpha of our debugger they were gonna hoping to put out so people can use it and see what they think and we're hoping for some more external engagements maybe some more bug fixes you know kind of working on those together as an open source community so let's talk about the o tart support so we've kind of just said a bunch of like you know sort of high-level stuff we kind of wanted to show you know some some VR knowledge on our part for this brief so currently Geezer supports the the dalvik based versions of Android the Dex executable - Oh Dex which is the optimized all Vega executable format the current of support for those in the engage era right now we're gonna be adding support for the the bootloader format this will be in in the form of a new G filesystem for the filesystem browser we're gonna have support for the natively compiled Oh Dex files so so Oh Dex has been overloaded starting with lollipop actually came out a little before lollipop but mostly was very fairly highly prevalent in volley in the inversion of Android lollipop 5 oh where the the the java application is said being compiled to an optimized or to the dalvik VM and then optimized as a still at avec vm executable it's now compiled natively as an elf arm application to run on the device so we're gonna have some analyzers for that as well as the ode in the art formats and some of the other ones like V decks and C decks was to verify and compact Dex files so let's take a look at what this is kind of look like so we're gonna have the ability to open the bootloader binary inside of the G filesystem and pull out the pieces like the a boot the secondary bootloader and things like that so then you can in from this window drag them out and drop them in your 
listing to do some analysis on them whilst we have support for the new o Dex format like I mentioned which is now the natively compiled application so what we're looking at right here is two of the magic symbols that are inside of that binary this is oak data this is enough in the dot ro data section we're gonna have some analyzers that will lay down the data structure for that format and then we're gonna use this information to pull out say all of the symbol names that are inside of the what was the leftover Java VM stuff which is all the function names and classes so we can go to the other magic symbol which is owed exec which is in the dot text section and we can analyze the code and lay down all of the data structures that are there as well as all of the symbol names that were pulled out of the out there on the oak data area so look for that pretty soon but I won't say how long cuz not sure when you know when will when will have it for for release so some metrics we've got we've we've gotten a lot more downloads than we would have thought of we have just over 500,000 downloads when we when we had the the release go live at at RSA we kind of had an internal like you know sort of sort of bet but like how many downloads you think it'll be it was my my number was way low I was very you know just just super humbled by the number of downloads that we've gotten of course we have a bunch we have we've had a lot of pull requests on github a lot of bug fixes things like that which have been awesome so thank you for that so some of the public impact turn it over to Chris I thought we both had something to say here but ultimately I think we've been super impressed with the amount of people who've gotten involved it's really been beyond our expectations the number of people that actually learned the slay yeah language and were able to incorporate new processor MA for us was I don't know we just we didn't expect that we're really really excited about having more people help 
help us out with with the code finding bugs and the code reporting problems and making it better I mean part of what we're trying to leverage by entering or getting the tool in the open-source community is the creativity and the the innovation that you guys can help us with by giving us maybe things we hadn't thought about like I was talking about earlier we may not have thought of a lot of things you guys have probably thought about to do and so we really want to get as much help from the public as we can with this tool I think that's that's one of the biggest sub is taking away things maybes god it's a group effort we all need to work together you know to help help improve cybersecurity so this is kind of our contribution we hope we can you know work together more going forward so thanks for everyone who's worked I'll have rated so far if you want to contact us the Geezer team is not owned anything but github so if you want to contact the guiter team you can go out to our github page we're not on Twitter or anything or anything like that that may change at some point but for right now we're home for strictly on github any um any any new announces that go out like when when nine one is released that'll be on our NSA gov Twitter page you know they don't know there'll be an announcement there if you have any questions about you know Ghidorah and policy and things you can contact our public affairs office pa oh we have someone some someone here now Liam sitting up front we have questions and getting Hedra you can get it from our official page which is gage or - s re org that's our official page for downloading the releases I think there's even a link there to the source code which is on github so this is our github page and so you can download you can do you can pull the source code there you can also submit pull requests or ask questions um no no other site is official right now that those are our only two official sites okay so thanks a lot we do have a few minutes 
for questions if you'd like to ask a question please use the microphones in the middle of the room how do we come in you must have been talking fast and I guess we were I don't fail yeah it's all right I didn't skip anything yeah please use the microphones in the middle of the room if you like to ask a question hey all I have a question here in the center I can't yeah okay um can you are you explained that you're a big fan of open source software but I had imagined during that five-year release process you ran into some approvers or reviewers who didn't really understand open source software and maybe didn't necessarily want it to be released open source can you talk about some of those challenges and how you overcame them I don't think I caught I don't think I really hear the question what was the could you up I mean I don't think there are really objections per se but I mean there was there was there was there was more technical challenges for us to figure out because we we were excited to be able to start working open source because we hadn't worked that way before so it's more figuring out like how to how to best do it from from from our standpoint cuz we hadn't worked that way before so figuring out you know should we be on github should we be you know Apache 200 is their license you know all those kinds of things we're sort of more the challenges that we had to do I have a question here here okay okay I'll see ya there so my question is what we source or documentation do you recommend to become proficient in the school what was the question again sorry Kate here I stand good question so inside of the Geezer distribution it's also on the D dress re site we have lots of documentation we have three classes we have a beginner and intermediate class which is for for using Hedra you know have like how you would manage the projects and importing and disassembling so that's in the intermediate and beginning classes we also have an advanced development class which is 
which shows you how to write plug-ins analyzer scripts all sorts of things that to to customize the framework there's also some documentation on writing slate languages inside of the and that's underneath of our distribution under Ghidorah Docs Kizer class there's a whole bunch of classes there and of course if you're if you're a developer you know just look at our code there's lots of examples in the script manager all of the scripts there like most of the scripts that are included there are very useful but they're also there deliberately as examples for how to do things like how would you get irate over functions in the listing how would you lay down functions in the listing things like that's a lot of the scripts there are a great resource to go to find find out how to do things thank you sure thank you I have one question now with all the positive feedback of open sourcing Yuja do you plan to open source and attitude sure like we there's nothing just like there specifically plan but we're but NSA in general is hoping to engage more with open source absolutely going forward yes about this being declassified now does that mean like all the changes that are submitted in pull requests and so on you can just work on or do you still have a lengthy process where it's being approved that you can do something there and I just wonder how quick this will run could you translate again I could hear so yeah so like we've if you go if we take a look at the you know at the pool were at the metric slide so like we've we've gotten as of the 22nd job you said we had 140 pool requests we still had about 30 open where we're bringing them in as fast as we can and like we're still trying to also kind of figure out how we're gonna work in this new environment so some like some of them if they're small on there and they're and they're easy to understand what the what the changes they may go in quicker some of them may take longer or you know still trying to try to figure that out thank 
you so much for joining our session thank you everybody [Applause]
Info
Channel: Black Hat
Views: 51,697
Id: kx2xp7IQNSc
Length: 47min 36sec (2856 seconds)
Published: Wed Jan 15 2020