What to read: Part 2

CPV

As promised, we continue telling you where to get new knowledge in information security: here is the second part of our selection of useful resources.

Satisfiability modulo theories (SMT)

If you decide to dive into this topic, perhaps the best material for a first acquaintance with SMT is the presentation Theorem prover, symbolic execution and practical reverse-engineering. It lets you quickly pick up the principle of applying SMT and symbolic execution in reverse engineering and gain hands-on skills with Z3 through Python. The presentation also walks through a number of specific reverse engineering tasks: reversing hash functions, deobfuscation, searching for ROP gadgets, and so on.

For a deeper immersion in the topic, we recommend the book SAT/SMT by Example. Its more than 500 pages cover a wide variety of tasks that can be solved with an SMT solver. The author is not limited to reverse engineering problems and also provides solutions to some mathematical problems and puzzles. Pay particular attention to chapter 18 on working with KLEE.

For general development you can also look at academic work: SMT Solvers for Software Security by Sean Heelan and Rolf Rolles. This is one of the first scientific papers to propose using SMT in the field of software security, and it is what got the whole area moving.

Having a basic understanding and skills of working with SMT, you can proceed to the study of other materials and familiarity with utilities and frameworks:

  1. Frameworks
  2. Utilities:
    • KLEE,
    • Ponce – an interesting plugin for IDA Pro
  3. Articles:

… and all that you yourself find, of course.

For IDA Pro

If you already have excellent knowledge of the IDAPython API for IDA Pro and want to take it to the next level, it is time to look at the Hex-Rays API (ida_hexrays) and the Microcode API. The first lets you play with the capabilities of the decompiler, and the second is what lies at the heart of the decompiler.
How to approach this? The documentation for these parts of IDA is in a sorry state, so it is better to start by studying other people's code. Below are a few small (up to 600 LOC) scripts that will help you get into the topic.

1) HRDevHelper – displays the ctree (the decompiler's syntax tree) that you have to walk when working with the decompiler.
2) xray – helps highlight interesting sections of code that may be useful for analyzing malware and finding vulnerabilities.
3) MrsPicky – an assistant for auditing calls to memcpy() and memmove(); it also relies on the decompiler for its work.
4) dsync – a simple script that synchronizes the disassembler and decompiler windows in IDA.
5) genmc – the main assistant when writing plugins that work with IDA microcode. It displays what the code you are looking at looks like in IDA microcode.

ML and (In)security

1) A book from the developers of an ML-based antivirus, Cylance: “Introduction To Artificial Intelligence For Security Professionals”. Then immediately google “Bypassing Cylance” and you will get plenty of posts on how to get around this ML “miracle” in dozens of ways.
2) An interesting post, “DETECTING MALWARE PRE-EXECUTION WITH STATIC ANALYSIS AND MACHINE LEARNING”, from the creators of another ML antivirus, SentinelOne (everyone in this area calls themselves NGAV, Next-Generation Antivirus). There are bypasses for it too; you can google them and watch them on YouTube.
3) The book Malware Data Science by the guys from Sophos, with a chapter on ML (by the way, it is available for free).
4) The book Machine Learning and Security.
5) We sincerely recommend our own series of articles on Habr: 1, 2, 3.
6) We also highly recommend Thomas Dullien's talk “Machine learning, offense, and the future of automation” at ZeroNights 2017, in which the author argues the unpopular point of view that ML is more likely to be useful for attack than for defense.
7) The link collection Awesome Machine Learning for Cyber Security, where you will also find the books mentioned above in PDF.
8) It is useful to know about the direction called adversarial machine learning, which deals with attacks on ML models; you can get acquainted with it at the link.
9) Microsoft knows that such algorithms can be attacked and is thinking about protecting them: Protecting the protector: Hardening machine learning defenses against adversarial attacks.

Our experience with ML in information security shows the following:

  • What matters is not so much the ML, the neural networks, the algorithms and so on, but the dataset on which all of it will be built.
  • Learning from what is already known to be bad still lags behind the attacker: the defender is always playing catch-up in this race.

Jailbreak iOS

If you are interested in this topic, we recommend looking at the talks:

From these sources you will learn how it all began and what needs to be done today to get a full jailbreak on a device, as well as what protection mechanisms exist; you will also hear the authors' opinion on how long this will remain relevant. The talks are from 2018-2019, so they cover some of the latest versions of iOS. You will learn what mechanisms the platform's security engineers use and how attackers bypass them.

AFL++

Probably everyone interested is familiar with the AFL fuzzer. Unfortunately, its author abandoned it at version 2.52b, and the community spontaneously began producing its own patches, improvements, forks and so on. But AFL++ appeared just recently: in it, our colleague van Hauser from The Hacker's Choice team collected what the community had done and assembled it into a single project. Today it is the best choice for fuzzing with AFL.

We have already published material on auxiliary utilities for AFL and its modifications; refer to it for details.

P.S.

For those who want more fundamental knowledge, we have a large selection of reverse engineering material; it is still as good as it was 3 years ago.

Thanks to @d1g1 for the selection!

We hope that you have found something new and useful for yourself. Feel free to share your findings in the comments.

P.P.S.

If you missed the first part of the collection, it is here.
