Cyber Research Laboratory

Overview

Domain Expertise

• The Cyber Lab has extensive expertise in systems security assessment, vulnerability discovery, software protection, and malicious software analysis. The Cyber Lab designs software sensors by carefully studying the behavior of a complex system to discover the essential elements of its behavior. The team then implements what they learn about the system as software introspection tools that can provide this data on demand. The team constructs analysis tools by determining the key relationships between sensors and higher-level behavior and presents this in intuitive ways by studying how analysts actually perform the work.

  The Cyber Lab is currently developing a set of intelligent tools called "DigR" intended to provide analysts with a higher-level view of software to make quicker decisions and better understand what software is doing. This can help them determine if software is trustworthy, safe to run on the network, and detect tampering.

  The Cyber Lab is working on extending the capability of DigR through a number of plug-ins to sense, analyze, and visualize low-level cyber information. The tool is capable of importing data files from several popular reverse engineering tools; its pluggable architecture and comprehensive Application Programming Interface allows computer network analysts to develop their own plug-ins with ease.

• The Cyber Lab expertise encompasses analyzing malicious software, performing systems security assessments, and analyzing software protection and anti-tamper mechanisms. Their specific skill sets include:

  • Reverse engineering and red teaming
  • Vulnerability discovery
  • Software engineering and tool development
  • Applying artificial intelligence to novel computer security problems

Equipment/Toolsets

The Riverside Research Cyber Lab is capable of supporting both unclassified and classified operations. Specialized tools developed by the lab currently include:

• DigR – Binary analysis and editing tools for humans

  Riverside Research’s Cyber Lab is currently developing a set of smart tools called "DigR" which is intended to increase an analyst’s effectiveness in understanding malware and discovering vulnerabilities. DigR uses intelligent instrumentation to stealthily monitor an operating system (OS) or application on a remote system. Cyber analysts can collect information about the behavior and effects of running an OS or application, egress that data, and automatically decompose it into something that is easily understood. DigR is capable of importing files from several popular reverse-engineering tools, and its pluggable architecture and comprehensive application programming interface (API) allow cyber analysts to develop their own plug-ins with ease.

  The Cyber Research Lab is developing tools and heuristics to raise the abstraction level of binary analysis. For instance, our team is working on a domain specific language to allow analysts to capture their knowledge and problem-solving process in a set of higher-level heuristics. This will allow less experienced analysts to quickly learn what elements are important, how to experiment with a binary, and how to make decisions about whether a program should be trusted. This should reduce the training time for a cyber analyst and increase the organization’s overall computer and network security capability.

• Cerberus – Universal stealthy debugger

  The ability to do dynamic analysis is a powerful tool in the arsenal of a reverse engineer. Sometimes a piece of code such as malware can employ anti-debugging or packing measures to make dynamic analysis difficult. We have instrumented Microsoft Detours into a stealthy debugger to emulate a breakpoint rather than using standard debugger breakpoints like “INT 3” or DR0-DR7 hardware registers. Understanding the code and data flow at a functional level can now be achieved by using a plugin to the IDA Interactive Disassembler, and the data mining feature that has been extended to Detours. “Cerberus” is the tool that incorporates the emulated breakpoints and data mining capabilities.

• Hades – A Windows kernel-level debugger

  The Cyber Lab is focused on integrating new sources of information and ways of visualizing them into the reverse engineering process. Slogging line by line through assembly code has its place, but where possible we are trying to raise the level of abstraction. We are currently developing a reverse engineering tool suite with this guiding principle in mind. In pursuit of this goal, we have developed Hades, a Windows kernel driver designed to subvert anti-debugging protections by employing intelligent instrumentation via instruction rerouting in both user and kernel space. This technique allows a reverse engineer to easily debug and profile binaries without fear of invoking protection penalties. Once debugging traces or other information is collected, we have several visualization modules that present the data to the user in an intuitive format, as well as an extensible system of heuristics that directs the user’s focus to the most suspicious elements.

• Helikaon – A Linux debugger

  The Linux OS is not immune to malware and viruses. The reverse engineer is faced with fighting though anti-debugging protections when trying to understand these binaries. This can be a tedious and time-consuming process. Commercial-off-the-shelf debuggers, such as the GNU Debugger and the IDA Interactive Disassembler, are detected in Linux utilizing a variety of anti-debugging techniques. Riverside Research has developed a stealthy Linux-driver-based debugger named "Helikaon" to aid analysts in debugging running programs without being detected. Helikaon injects a jump at runtime from kernel land into a user mode running process rather than using standard debugger breakpoints like "INT 3" or DR0-DR7 hardware registers.

• Deobfuscator – A deobfuscator plugin

  The Deobfuscator is a plugin for the IDA Interactive Disassembler that neutralizes anti-disassembly code and transforms obfuscated code to simplified code in the actual binary. This plugin is used in conjunction with a binary injector to remove obfuscated code and replace it with a simplified, transformed equivalent. We developed this tool in assessing strengths of protections and malware analysis for DOD entities and commercial companies.

• Data Code Miner – External library hooker

  In order to understand the behavior of a program it is important to know how it communicates with the system. Because of this, Riverside Research developed Data Code Miner (DCM), a Windows program that stealthily hooks and monitors system calls as a program executes. The DCM traces can be analyzed and inspected using Riverside Research’s DigR tool suite.

• Quiet-RIATT – Import address table re-constructor

  An important part of understanding a program is knowing what library calls the program imports and where they are. This information is stored in the import address table (IAT). Malware and other protected code mangle the IAT of the protected program so it becomes difficult to reverse engineer. Instead of repairing the IAT by hand, Quiet-RIATT allows analysts to hook DLL calls using a modification of Microsoft’s Detours library. The hooked function generates a log file of all DLL calls made in the program. Quiet-RIATT then generates database annotations for IDA databases, generates a data structure to store the information, and allows the import of this information into other reverse engineering tools.