CS 495/595 Lecture 1: Introduction To Software Reverse Engineering
Lecture 1: Introduction to
Software Reverse Engineering
Cong Wang
Center of Cybersecurity Education and Research
Department of Computer Science
http://www.lions.odu.edu/~c1wang/cs495.html
Syllabus
Cyber Center Desktop Logins:
User ID:Your Midas ID
Password: cre-midasid-cre
Or you can bring your own laptop to class – this helps you save your work
Syllabus
Textbook:
Practical Malware Analysis – Michael Sikorski et al.
Let us go through
Grading
In-Class Homework: 30%
Homework: 40%
Final Project: 30%
Clone: German StG44 – Soviet AK-47
Reversed: US McDonnell Douglas AV-8 Harrier – Soviet Yak-38
Body design: Ford Fusion – Aston Martin
Assemble an iPhone in 15 mins – Shenzhen, China
Legal
• Practice of analyzing a software system, either in whole or in part, to extract design and implementation information.
• Risk of business disputes/lawsuits
• Is reversing legal? Seek legal counsel.
– Copyright laws (decompilation is legal, intermediate copying is illegal)
– Copyright laws: in order to decompile a program, that program must be duplicated at least once, either in memory, on disk, or both
– Digital Millennium Copyright Act (applies to Digital Rights Management products)
• Felten vs. RIAA
• US vs. Sklyarov
Felten vs. RIAA
In 2000, SDMI (Secure Digital Music Initiative) announced the Hack SDMI challenge – protect audio recordings
The SDMI challenge offered a $10,000 reward in return for giving up ownership of the findings
Princeton Prof. Felten's team found weaknesses and wrote a paper
[Wu et al.] Analysis of Attacks on SDMI Audio Watermarks, ICASSP, 2001.
[Craver et al.] Reading Between the Lines: Lessons from the SDMI Challenge, USENIX SP, 2001.
Felten's team chose to forego this reward and retain ownership of the information to allow them to publish their findings.
They received legal threats from SDMI and the RIAA (the Recording Industry Association of America) claiming liability under the DMCA
They first withdrew their original submission, but the paper was published later
Felten vs. RIAA
Classic case
The DMCA could actually reduce the level of security by preventing security researchers from publishing their findings.
US vs. Sklyarov
In 2001, Dmitry Sklyarov, a Russian programmer, was arrested by the FBI for what was claimed to be a violation of the DMCA.
Sklyarov had reverse engineered the Adobe eBook file format while working for ElcomSoft, a software company from Moscow.
The information gathered using reverse engineering was used in the creation of a program called Advanced eBook Processor that could decrypt such eBook files so that they become readable by any PDF reader.
Adobe filed a complaint stating that the creation and distribution of the Advanced eBook Processor is a violation of the DMCA, and both Sklyarov and ElcomSoft were sued by the government.
Why?
Related to computer security
Used by hackers to defeat copy protection (crack games/software)
Reverse an encryption product to assess its security level
Malware analysis (our focus)
Motivation Example 1
Malware: a set of instructions that run on your computer and make your system do something that an attacker wants it to do
Malware Classification
Viruses and worms
• Self-replicating code that infects other systems manually or automatically
Botnets
• Software that puts your computer under the remote control of an adversary to send spam or attack other systems (DDoS)
Backdoors
• Code that bypasses normal security authentication to provide continued, unauthorized access to an adversary
Trojans
• Code that appears legitimate, but performs an unauthorized action
Malware Classification
Rootkits
• Tools to hide the presence of an adversary, stay concealed, avoid detection
Information theft
• Collects credentials (e.g. keystroke loggers)
• Steal files (credit card data exfiltration)
• Gather information on you, your habits, web sites you visit (e.g. spyware)
• Monitor activity (webcams)
Ransomware
• Code that renders your computer or data inaccessible until payment is received (WannaCry) – paid in cryptocurrency
• CryptoMiner
• JavaScript-based in-browser malware [INFOCOM '19]
[INFOCOM '19] Rui Ning, Cong Wang, Chunsheng Xin, Jiang Li, Liuwan Zhu and Hongyi Wu, CapJack: Capture In-Browser Crypto-jacking by Deep Capsule Network through Behavioral Analysis, IEEE International Conference on Computer Communications, Paris, France, 2019. (Acceptance Rate: 19.7%)
Malware Classification
Resource or identity theft
• Store illicit files (copyrighted material)
• Stepping stone to launder activity (frame you for a crime)
Scareware
• Tricks users into buying products they do not need (window pop-up: "your system is infected")
Adware
• Code that tricks users into clicking illegitimate advertisements
Drive-by downloads
• Code automatically downloaded via the web
Malware Classification
Course Objective
Learn tools and techniques to analyze what malicious software does
How to detect malware
Understand the countermeasures malware authors use to evade detection
Ethics
Do not run malware files locally on the classroom PCs or on your own computers – only in the VM
Explore only on your own systems or on virtual machines you have permission to use
Do not break, or break into, other people's machines
VirusTotal
• Upload a file, website URL, or hash for analysis
• Pros: free
• Cons: zero-day exploits, and more?
VirusTotal
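As an added illustration (not part of the lecture slides or of VirusTotal's own code), the Python below shows what a lookup by hash, the kind of query VirusTotal accepts, actually compares, and why such a lookup says nothing about a sample that has never been submitted: the two sample byte strings and the "known-bad" set are constructed for this example, and the VirusTotal v3 file-report URL is only built, never contacted.

```python
import hashlib

# Constructed sample "files": plain bytes, no real malware involved.
SAMPLE_A = b"MZ\x90\x00" + b"constructed sample file content " * 4
# Same content plus a single trailing byte, standing in for a repacked
# or trivially modified variant of SAMPLE_A.
SAMPLE_B = SAMPLE_A + b"\x00"


def file_hashes(data: bytes) -> dict:
    """Compute the three digests a VirusTotal hash lookup accepts: MD5, SHA-1, SHA-256."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def vt_lookup_url(sha256: str) -> str:
    """URL of the VirusTotal API v3 file-report endpoint for a hash.
    Built here for illustration only; a real request also needs an API key
    in the 'x-apikey' header, and this example never sends one."""
    return f"https://www.virustotal.com/api/v3/files/{sha256}"


def hash_lookup(data: bytes, known_bad: set) -> bool:
    """Exact-match check: True only if this file's SHA-256 was seen and flagged before.
    Any change to the bytes yields a different digest, so a never-submitted
    sample (the zero-day case on the slide) is always reported as 'not found'."""
    return hashlib.sha256(data).hexdigest() in known_bad


# Constructed "known-bad" set: pretend SAMPLE_A was submitted earlier and flagged.
KNOWN_BAD = {file_hashes(SAMPLE_A)["sha256"]}


def lookup_report(data: bytes, known_bad: set) -> dict:
    """Summarize what a hash-based lookup can and cannot tell about one file."""
    digests = file_hashes(data)
    return {
        "sha256": digests["sha256"],
        "lookup_url": vt_lookup_url(digests["sha256"]),
        "previously_seen": hash_lookup(data, known_bad),
    }


if __name__ == "__main__":
    for name, sample in (("SAMPLE_A", SAMPLE_A), ("SAMPLE_B", SAMPLE_B)):
        report = lookup_report(sample, KNOWN_BAD)
        print(f"{name}: sha256={report['sha256'][:16]}... "
              f"previously_seen={report['previously_seen']}")
        print(f"  lookup: {report['lookup_url']}")
```

The point the slide's "Cons" line makes falls out of the second run: SAMPLE_B differs from the flagged SAMPLE_A by one byte, yet no hash lookup will match it, so a "not found" answer from a hash service means only that this exact file has not been seen, not that it is clean.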
Sandbox
Oracle VirtualBox
Cuckoo framework