Repeatable Reverse Engineering with PANDA
- 8 December 2015
- conference paper
- Published by Association for Computing Machinery (ACM)
Abstract
We present PANDA, an open-source tool that has been purpose-built to support whole-system reverse engineering. It is built upon the QEMU whole-system emulator, so analyses have access to all code executing in the guest and to all of its data. PANDA adds the ability to record and replay executions, enabling iterative, deep, whole-system analyses. Further, the replay log files are compact and shareable, allowing for repeatable experiments: a nine-billion-instruction boot of FreeBSD, for example, is represented by only a few hundred MB. PANDA leverages QEMU's support for thirteen different CPU architectures to make analyses of those diverse instruction sets possible within the LLVM IR. In this way, PANDA can have a single dynamic taint analysis, for example, that precisely supports many CPUs. PANDA analyses are written in a simple plugin architecture that includes a mechanism to share functionality between plugins, increasing analysis code reuse and simplifying the development of complex analyses. We demonstrate PANDA's effectiveness via a number of use cases, including enabling an old but legitimately purchased game to run despite a lost CD key, in-depth diagnosis of an Internet Explorer crash, and uncovering the censorship activities and mechanisms of an IM client.