
Reverse engineering = epeen?

secureseve

Jr. Member

Posts: 79

Joined: Thu Apr 08, 2010 10:40 pm

Location: DMZ

Post Sat Sep 04, 2010 7:28 pm

Reverse engineering = epeen?

Hey guys, what's up?

I have a fast question regarding RE and discovering new exploits. I have mostly wanted to be a master at security. But, as we all know, security is very broad. I have chosen web app for the past few years, followed by network security, when studying security. My programming is very strong, but my RE is very very poor. Do you think RE is extremely important as a security professional? I feel like it's the security equivalent of the size of our "package" in the gym locker room lol. The more badass vuln you discover, the bigger the johnson lol.

I recently just felt this way because I'm looking to join a CTF competition at Polytech NYU. I feel extremely comfortable with web app, linux and network security, but RE...very poor. Do you think it's best to just master one or two aspects of security? I don't want to wear myself too thin, or else I'll never be "wanted". I'll never be a master.
http://twitter.com/mikesantillana
eLearnSecurity Team Member.
sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Sat Sep 04, 2010 8:19 pm

Re: Reverse engineering = epeen?

I don't think I've ever met a "master" in my years in this industry. What I have met are specialists in their respective arena. So let's put this in perspective to see the absurdity with the notion of "mastering."

I will publicly admit this... I would mop up the network floor in a pentest against Bruce Schneier, Marcus Ranum (hola), Ron Gula (hola), 2/3rds of LANL, LLNL, LBNL + DoD red teamers... They in turn would make my head spin with cryptography, SIGINT/IMINT stuff and so on... Does that make me less than a master at what I do... Does it make THEM lesser at what they do?

I understand where you're coming from because I'm sort of in the same boat as going *back* to understand the RE process; however, I learn what I want to as I see fit. What interests me... at this point in life/career, networking, systems, compromise are sort of second nature to me. RE'ing is more fascinating because of the complexities involved with it. These complexities annoy me though ;) They annoy in the sense that I have to go back and focus on what's popular (Windows) to make it worthwhile.

HISTORICALLY
Anyone can go Google out history and determine I've been around the *nix block. Take your pick, I've used it when it comes to Unix/Linux/BSD based systems. While I also use Windows on a daily basis (Visio, Project management, etc.), I dislike the issues surrounding Windows based systems. These same issues are viewed as "gold" in the RE environment. So my background is pretty strong for most variants of *nix with the exception of z/OS.

FUTURE
I intend on learning as much as I can not for the sake of calling myself a master at anything. Heck I don't do so now to be honest. I would like to master it for the sake of learning as much as I can.

As far as penis envy (Gym Room) I've never felt that at all. I've always looked at individuals as being masters of their domain. So while Dino Dai Zovi (hola) might mop the floor with me when it comes to coding and reversing, the reality is, RIGHT NOW, he and I on a network, I'd likely pound on him from the exploitation side (getting into systems) of things because that's my forte. He's targeted, I'm versatile. This is not to say it's a 100% accurate statement, I'm giving an example here. Think about that for a moment... A programmer is almost always a networker and vice versa. Two different arenas. One is always going to be better at another; it's RARE to find all-around RE'ers + Pentesters rolled in one.

So short answer after the rambling... If you've programmed for some time, RE'ing will come easier depending on the language you program in. The key to it is to think outside of the box in most instances. There is nothing to particularly master to be honest... It's all about the reverse here, breaking, not programming. Breaking is actually easy. Exploiting it afterwards is the complicated part. If you do decide to get heavily into RE'ing, maybe I could race you in this lifespan ;) When it comes down to the nitty gritty, I'm such a Windows RE'er noob it's silly. At least in my own mind I am.

E.g, I submitted 54 VMWare bugs last week to VMWare and this was outside of mushroom cloud, all sort of funny remote and local exploits. 1) There were too many to shove into ZDI with explanations. 2) There were too many iterations of issues on the same injection points, etc., 3) Staff @ VMWare unlike other vendors were actually cool with me in their requests on mushroom cloud... I still feel rather lame. 4) It became so cumbersome for me running WinDBG and all other sorts of tools (Pai Mei, Klocwork) trying to make sense of it all that I gave up. RE'ing is A LOT OF WORK and is very time consuming.

Learn it to enjoy it, or do like I do, learn it because you like the mental punishment. Hooking processes, fault injecting/fuzzing, debugging, etc., is laborious, boring and often gives me headaches; however, nothing feels better than popping your own shells from something you've broken/made/destroyed. As for "bragging rights", something I learned a long time ago... The less noise you make, the better off you are. I don't care for bragging rights off of exploits. If you look through MOST ZDI advisories, many don't care either, hence credits going to "anonymous" ... Search as many as you'd like, the heaviest exploits are often submitted by anonymous users - Those are the guys you have to worry about, the ones you don't know about.
secureseve

Jr. Member

Posts: 79

Joined: Thu Apr 08, 2010 10:40 pm

Location: DMZ

Post Sat Sep 04, 2010 9:10 pm

Re: Reverse engineering = epeen?

sil, I really do admire the time you take to respond. I always find them very insightful and always helpful. I love web app, network and SE. Always been my forte, and I'm starting to enjoy RE too. You're right in that it takes a lot of work. I guess I will continue to get better in my domains as well as RE for a hobby. I guess, I do enjoy the fact that I am amazingly challenged by RE  ::)

It is also funny you mention Dino Dai Zovi. I am actually trying to enter the CTF competition he is judging @ nyc lol. http://www.poly.edu/csaw-CTF I was just concerned about the RE side. While we do get to have teammates, I hate the feeling of not being useful; In this case, with RE.

And for bragging, well maybe I'm not really down for bragging, more like being looked up to...in an inspirational kind of way, not a conceited way. I am an aspiring security professional (out of college in December and interning with eLearnSecurity currently) trying to make a name for myself. I listened to a seminar I found here, by Don, a while ago, and he says to just go for it. So I'm trying hard to get my name out, and while I look up to those tweets by HD.Moore, etc, finding new exploits, I find it hard to make a name for myself without discovering something new and "cool". But, I do have a few ideas up my sleeve for web security and hope to push it out sometime by the end of the year. Hopefully EH-Netters can appreciate it and I can get my security stardom that way  ;D

By all means, this is all just so I can keep a job in security. I find, the more you're known, the more likely you are to land consulting jobs, big firms, etc. But I can't deny, there is a tiny hint of gratitude I feel I would get being an inspiration for future security professionals. Kind of like how your posts always inspire me to be better lol. :D
http://twitter.com/mikesantillana
eLearnSecurity Team Member.
dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Sun Sep 05, 2010 9:22 am

Re: Reverse engineering = epeen?

I just started following you on twitter, don't disappoint me! ;)

Do you have a blog? Why not offer up some instruction? How about writing a tool?

I think you're focusing too much on exploit development in terms of making a name for yourself.
The day you stop learning is the day you start becoming obsolete.
sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Sun Sep 05, 2010 10:08 am

Re: Reverse engineering = epeen?

secureseven wrote:It is also funny you mention Dino Dai Zovi. I am actually trying to enter the CTF competition he is judging @ nyc lol. http://www.poly.edu/csaw-CTF I was just concerned about the RE side. While we do get to have teammates, I hate the feeling of not being useful; In this case, with RE.


I pester Dino from time to time on email and I can tell you this, he is a really cool guy as is HD Moore, Dave Aitel, Thomas Ptacek, Charlie Miller, Dean DeBeer (another Polytech judge I believe), Ivan @ Core Security. Geez, I wonder who I haven't pestered within the last decade.

One of the things I've found with regards to "the bughunters" is, it is a very tight-knit, closely followed bunch. Now I don't mean tight-knit in the sense that everyone is always hanging out with each other, what I mean by that is when you get involved, depending on who you are, it's easy to shoot off an intro to a heavyweight like HD Moore in a respectful manner: "Hi my name is such and such and I've been into RE for some time... I've been reading your work for some time and I'd like to ask you a question or two..." Most are kick ass cool and will actually give you pointers (again depending on who you are, who you know and your gift-of-gab).

As for making a name for yourself "finding something cool", this is what I have my computers do in their spare time (wow sounds almost as if they're humans doesn't it)... Right now I have 4 fuzz stations 2 Windows machines 1 Linux 1 NetBSD station. On my Windows machines (one is 2K3 one is Win7 Ultimate) I run Pai Mei, protos, Klocwork and beStorm for fuzzing for ONLY the top 20 software vendors' applications (Apple, Oracle, MS, SAP, IBM, CA, etc). I pass results to and from my nix machines often with NetBSD doing netflow analysis for network protocol based fuzzing.

While the set up is cool and took some time, the issue is, what the heck to do with all the information I get afterwards. You see, triggering all sorts of bugs isn't a problem, it's understanding the program's flow/control/options during the debugging and analysis stage. Hence learning full-blown Windows debugging for me (remember, I posted I understood *nix and I am very comfortable running gdb, etc.).

So few things:

1) Pick your poison Windows/Nix (each will be time consuming)
2) Immerse yourself in not only Assembly, but debugging
3) After you're comfortable with debugging, immerse yourself in reversing
4) Refresh yourself with SYSTEMS administration

WHAT THE HECK IS HE TALKING ABOUT
Why the hell would he say Windows?! Out of the immediate 20 people that come to mind, of those who aren't into security/engineering how many are using something other than Windows? Of the last say 5 companies you've dealt with, how many are all *nix shops?

Understanding how to reverse Windows' compiled applications is a royal PITA, not to mention understanding debugging them. Because of the way Windows uses its DLL's, OCX's, legacy code, etc. it's a lot more time consuming and "leet" to find bugs on applications. You have to familiarize yourself with a lot more programs to trigger faults, debug those faults, make a weaponized application to target the fault you found. The stakes are higher if you're trying to bypass DEP and ASLR because if you don't understand what they are and how they work, you HAVE TO go back and do a lot of reading.

I DON'T REALLY NEED TO KNOW ASSEMBLY DO I?
Yes, you need to understand Assembly to the point where you need to KNOW what the stack is, what the heap is, what the registers are, what they do, how they interact, where they write to, where they push and pop to and from. Otherwise it's all pointless. There is no point and click "fault injection to exploit" program available.

SYSTEMS ADMINISTRATION YOU MUST BE JOKING!
Systems administration IS A MUST. Let's put an exploit into perspective here from a different angle. Using malware as an example, how many malware exploits "pop a rootshell" on a machine? Answer, almost .000001 of them do (don't quote that number!). Most malware end up owning machines using staged exploits:

1) This piece of malware will add an account (usually small space to execute)
2) The new account will download another piece of malware
3) The third piece of malware will punch a hole through a firewall if need be
4) etc. etc

From a systems admin/pentest perspective, you may only have enough space in your shellcode to add an account versus completely making a callback or listener. Do you think the effects are less from a penetration testing perspective?

You to client: "Well I was only able to create an administrator account on 99% of your servers..."

You to client: "Well I was able to jump in and out of your systems with a rootshell"

Notice that the bottom line is almost the same there? Anyway, RE'ing is cool and fun to learn, but it is a serious royal pain and unless you're going to dedicate A LOT of time to it, it will frustrate you. I do it as a hobby not because I have to in my role, but for the sake of understanding it a little better. It IS fun having all sorts of fun with applications but I ended up waiting far too long to take it seriously.
secureseve

Jr. Member

Posts: 79

Joined: Thu Apr 08, 2010 10:40 pm

Location: DMZ

Post Sun Sep 05, 2010 10:39 am

Re: Reverse engineering = epeen?

dynamik wrote:I just started following you on twitter, don't disappoint me! ;)

Do you have a blog? Why not offer up some instruction? How about writing a tool?

I think you're focusing too much on exploit development in terms of making a name for yourself.


You're right. I should focus more on my strengths. But I do like RE as a hobby and will continue to do so. But lately I've been taking a lot of time reversing popular web frameworks/CMS and the way they attempt to sanitize input. Maybe I can write a doc on that heh.
http://twitter.com/mikesantillana
eLearnSecurity Team Member.
sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Sun Sep 05, 2010 11:32 am

Re: Reverse engineering = epeen?

secureseven wrote:You're right. I should focus more on my strengths. But I do like RE as a hobby and will continue to do so. But lately i've been taking a lot of time reversing popular web frameworks/CMS and the way they attempt to sanitize input. Maybe I can write a doc on that heh.


I should have added it before. One thing you may come to fight with is disclosure. If you follow any of the heavyweights (Dino, Sotirov, Charlie Miller, s7ephen, etc.) you'll see many differ on disclosure.

1) As a security researcher, you're devoting your time and resources to find someone else's problems. Now that you've found it, what do you do with it? Do you post it to ZDI to make some money from your hard work or do you work with the vendor so they'll fix their shoddy work?

2) As a security researcher, you're racing against every other researcher who may be studying this same issue. If you DO DECIDE to ZDI/iDefense your work, there is nothing to indicate that someone else hasn't found this bug before you.

Security research is often a thankless aspect of security. When dealing with CERTs, PSIRTs, SIRTs and other teams in companies, you will eventually get frustrated when you come to find that often "who's on first, what's on second" is rampant. Example... I found a bug on Windows Live Messenger that allows me to send an IM to someone on my list and POTENTIALLY trigger code execution. Note the word potentially. In my WinXP environment I can repeat it at will. On anything other than my environment, it's non-existent. Do you a) rinse and repeat the exploit until you've got a seamless exploit across the board b) submit it as is to the vendor/Vulnerability Broker. After submitting it to MS' security team, I had to go up the food chain and contact someone in the know from Shmoo to "bitchslap" his colleagues and take a look at what was going on. At that point in time, I gave up on their security staff.

Arrogance: I assumed the first line of defense would understand what it was I did and what I submitted. They're just a triage point. They had little idea of what I was submitting, what it did, etc., hell I don't even know if they knew how to run their own debugger. Don't let yourself get too arrogant. It's easy to miss - allowing our egos/arrogance/pride to get in the way. Always take things in stride if you're in it from the hobbyist standpoint.

Just remember though, that at the end of the day when you wake up to reality, you've spent YOUR OWN time (often a lot of time), effort and resources finding something unique (an exploitable bug). Many will simply give it away often for a "Credits to:" portion of a vulnerability report. This gets your name out there but nothing else. The reality of the world is, time is money, which is why I state, determine where you want to go with this.

Personally, depending on who the vendor is, I will work with them; otherwise I take the time to try iDefense and ZDI. After all, it's my time and my work. Also, some vendors' employees can be clueless and egotistical... If I have to explain to a vendor's security team the risk of me remotely or locally triggering code execution, then I'd rather not deal with them (this is my arrogance). After all, I'm not on their payroll and the reality is I'm the one doing them a favor, not vice-versa.

As you progress in your career, this is something that is either going to take a backseat (reversing) or a front seat in the sense that you're becoming an application tester. Personally, I can't think of any qualifying "board", "company", etc., to qualify someone as a reverser however, ISC2 took a shot with their CSSLP. On that note (CSSLP), here is the gist of that cert which I found funny:

This grandfather clause will give the dumbest of the dumb the opportunity to get this certification. This could be a good talk for Black Hat. “Hacking the CLSSP” Chris can write the paper, I will create the fake resume, Tom Brennan can expense the $650 and we will submit my 5 year old nephew Antonio for the certification.
http://www.veracode.com/blog/2008/09/is ... cow-csslp/

So take some time and think about devoting either too much or less time to this arena (RE'ing) as not only is it a pain, for some it might not be economically practical. This is just me though, I do it to understand it. I could care less about giving it a go for a profession since I got in that part of the game late in my career. Besides for me its more fulfilling compromising machines than it is searching out exploits. I'd rather leave it to the pros who've done so for years. Does it make me less of a "master" I wouldn't think so but opinions go... Everyone is entitled to their opinion no matter how wrong they are ;)
shaqazoolu

Newbie

Posts: 8

Joined: Tue Aug 03, 2010 2:09 pm

Location: Baton Rouge, La

Post Mon Sep 06, 2010 12:46 am

Re: Reverse engineering = epeen?

I was really interested in focusing on RE until I read this thread.  For some reason, I'm not disappointed because I feel like I learned so much from reading sil's posts.  I think I'll take some time to find and read the other 200 of them in the near future.
Learning mode engaged.
dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Mon Sep 06, 2010 1:33 am

Re: Reverse engineering = epeen?

shaqazoolu wrote:I was really interested in focusing on RE until I read this thread.  For some reason, I'm not disappointed because I feel like I learned so much from reading sil's posts.  I think I'll take some time to find and read the other 200 of them in the near future.


Aren't you more interested in reverse engineering malware though? I think there's a significant difference in that and trying to find vulnerabilities and write exploits.
The day you stop learning is the day you start becoming obsolete.
sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Mon Sep 06, 2010 10:25 am

Re: Reverse engineering = epeen?

@dynamik - IMHO, Reversing Malware and Reversing for sploiting can intermingle in the sense that the malware authors usually have to go through some form of exploitation to drop payloads. So, comparisons:

Reversing for sploits
Studying mechanisms to subvert an application or protocol to gain control over a device

Reversing for malware
Studying mechanisms to subvert a control or rules on a device to gain enough control over the device in order to gain some form of control to either do dirty deeds or gather enough traction to perform a chain of exploitation

Reversing for sploits
Intense knowledge of debugging and programming needed to understand problematic areas through injection, tainted variables, etc. unknown - you're fishing for issues

Reversing for malware
Decent knowledge of the use of sploits available needed to inject and taint variables in established applications and variables KNOWN - malware authors send targeted payload


Reversing for sploits
Full blown knowledge and understanding of disassembling code and looking for what triggered your exception in order to weaponize the trigger and fire a bullet

Reversing for malware
Full blown knowledge and understanding of disassembling of malware code in order to understand what a malware author did with his/her code that triggered events to occur (add an account, install software, bypass firewalls, A/V, etc.)

There are a lot of similarities with the exception of weaponization. Meaning, malware is in a sense, a re-weaponized exploit.
shaqazoolu

Newbie

Posts: 8

Joined: Tue Aug 03, 2010 2:09 pm

Location: Baton Rouge, La

Post Mon Sep 06, 2010 10:36 am

Re: Reverse engineering = epeen?

Yeah, I figured there was at least some overlap in the two.  It hasn't completely discouraged me because I still think I would be really good at it, but it has shown me how much work I have ahead of me. 
Learning mode engaged.
dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Mon Sep 06, 2010 11:07 am

Re: Reverse engineering = epeen?

sil wrote:Reversing for sploits
Intense knowledge of debugging and programming needed to understand problematic areas through injection, tainted variables, etc. unknown - you're fishing for issues

Reversing for malware
Decent knowledge of the use of sploits available needed to inject and taint variables in established applications and variables KNOWN - malware authors send targeted payload



That's the key difference I was referring to. I don't have the patience to fuzz applications or do anything like that. There's obviously a lot of overlap in the requisite skills, but I'd rather try to find out how something works than aimlessly search for something that might not even be there (OK, I know there will likely always be something if you look hard enough ;)).
The day you stop learning is the day you start becoming obsolete.
sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Mon Sep 06, 2010 12:17 pm

Re: Reverse engineering = epeen?

dynamik wrote:That's the key difference I was referring to. I don't have the patience to fuzz applications or do anything like that.


The fuzzing part is a piece of cake. It's the post-analysis of what you discover(ed) that's almost always painful. At most points in time, an error is an error is an error. Some are more catastrophic than others - these are the ones that will trigger code execution and other things. Most vendors will take a look at triggered errors though and sometimes even correct them - note the word sometimes. Bug fixing is an expensive business for any company, let alone a weaponized vulnerability.

Oh come on... Go dl PaiMei, go through the enormous headache of putting it all together and find a sploit ;) I guarantee you once you get into it, it becomes a little addictive.
shaqazoolu

Newbie

Posts: 8

Joined: Tue Aug 03, 2010 2:09 pm

Location: Baton Rouge, La

Post Mon Sep 06, 2010 12:40 pm

Re: Reverse engineering = epeen?

dynamik wrote:I'd rather try to find out how something works


This is my motivation.  I have always done this with everything else since I was a kid, why not malware too?

I have to admit though, finding a widespread vuln that was not previously known would be kind of a rush.  That would definitely get me hooked.
Learning mode engaged.
dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Mon Sep 06, 2010 12:43 pm

Re: Reverse engineering = epeen?

sil wrote:Oh come on... Go dl PaiMei, go through the enormous headache of putting it all together and find a sploit ;) I guarantee you once you get into it, it becomes a little addictive.


Why can't we set people to ignore on these forums? I'm busy enough as it is; I don't need people filling my head with this kind of nonsense :D

Seriously though, we'll see how it goes. I'm just getting my feet wet with assembly at the moment (ridiculous how little I actually knew about memory and processors), so that's a ways off. I'm not ruling anything out, but I need to prioritize ;)
The day you stop learning is the day you start becoming obsolete.
