Articles related to ERESI
The ERESI project is the subject of many articles. Some were published at security conferences. Others were published in technical magazines that provide an ideal outlet for research in reverse engineering, computer security, and other alternative content.
We gave an invited talk and released a new paper at the SSTIC conference (June 2-5, 2008, Rennes, France):
- ERESI: a kernel-level binary analysis framework by Anthony Desnos, Sebastien Roy and Julien Vanegue.
In this paper, we present static and dynamic analysis features of ERESI directly usable from the unified scripting of the framework. Our interface is organized in subsets of commands, allowing the execution of programs written in a domain-specific language for automated debugging and program analysis without sources. Such a framework eases the automation of vulnerability auditing, integrity checking, logging of internal program events, and so on. Our techniques of binary manipulation (on disk and in memory) allow such analysis to be deployed on protected environments, such as Linux-PaX with Address Space Layout Randomization (ASLR). More specifically, this article focuses on the kernel-level analysis offered by the ERESI framework, such as real-time inspection and modification, compiled C code injection and redirection of (even unexported) functions within the Linux kernel. We have integrated these features in a new tool of the ERESI suite: the Kernel shell. Additionally, this paper introduces the first pieces of our upcoming kernel-level embedded debugger: Ke2dbg.
The paper is currently only available in French (ERESI: une plate-forme d'analyse binaire au niveau noyau).
The name ERESI appeared explicitly for the first time in this article we released at the Black Hat Europe 2007 conference:
Next Generation Debuggers for Reverse Engineering by Julien Vanegue, Thomas Garnier, Julio Auto, Sebastien Roy and Rafal Lesniak
Also check out the presentation.
'''Abstract:''' Classical debuggers make use of an interface provided by the operating system in order to access the memory of programs while they execute. As this model dominates in the industry and the community, we show that our novel embedded architecture is better adapted when debuggee systems are hostile and protected at the operating system level. This alternative model is also faster, as the debugger executes from inside the debuggee program and can read the memory of the host process directly. We give detailed information about how to keep memory unintrusiveness using a new technique called allocation proxying. We reveal how we developed the organization of our multi-architecture framework and its multiple modules so that they allow for graph-based binary code analysis, ad-hoc typing, compositional fingerprinting, program instrumentation, real-time tracing, multithreaded debugging and general hooking of systems. We reveal the reflective essence of our framework by embedding its internal structures in our own reverse engineering language, thus recalling concepts of aspect-oriented programming.
We implemented a debugger on top of our framework. We reused the same ELF API, which proved the genericity of our code. We extended the features so that they can be performed at runtime and not only statically. We also added support for the ALPHA and MIPS architectures.
Embedded ELF Debugging ([http://phrack.org/issues.html?issue=63 Phrack Magazine #63]) by Julien Vanegue and Sebastien Soudan
This article presented the improvement and runtime extension of the Cerberus ELF interface by disclosing 7 new binary manipulation techniques on the ELF format. Besides the improvement of ALTPLT, the CFLOW technique allowed internal function redirection for the INTEL and MIPS architectures, the EXTPLT technique allowed partial relinking of dynamic binary files, the EXTSTATIC technique allowed partial relinking of static binary files, and ALTGOT gave a more portable technique for external function redirection on the ALPHA, SPARC and MIPS architectures. Last but not least, the article explained how the framework turned into a very effective generic solution for in-process debugging, uncovering the foundations of the Embedded ELF debugger (e2dbg), making all those techniques also available at runtime, performing manipulations directly in memory, using a unified ELF API provided by libelfsh.
This year was the first heavy communication phase on the project. Those articles disclose many innovative techniques and valuable experiments. We applied our ideas on the ELF format but the concepts are not limited to it. The target architectures were mostly INTEL and then SPARC.
This article (the Cerberus ELF interface, published in Phrack Magazine #61) introduced three new binary injection and redirection techniques. The ET_REL static injection technique allows adding compiled extensions to binary programs without additional external library dependencies. The ALTPLT static redirection is an extension of PLT redirection that allows redirecting functions in a PaX-compatible way, making them point directly to compiled C routines instead of architecture-dependent, manually written assembly code. Finally, the DT_DEBUG to DT_NEEDED .dynamic entry translation showed how to add a library dependency just by changing 4 bytes of content in a given binary file. All those techniques are the base of recent debugging and tracing facilities in the ERESI framework.
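The DT_DEBUG to DT_NEEDED translation is small enough to show end to end. The script below is an added example written for this page; it is not code from the ERESI project, libelfsh, or the Cerberus article. It handles little-endian ELF64 only (so both the tag and the value of the 16-byte Elf64_Dyn entry are rewritten), resolves .dynstr through the PT_LOAD segments rather than through section headers (which a stripped binary may lack), and only accepts a library name that already exists NUL-terminated in .dynstr, since nothing is appended to the string table. The minimal ELF image it operates on is constructed in memory so the example runs offline; the function and constant names are ours.

```python
"""Retag the DT_DEBUG .dynamic entry of an ELF64 file as DT_NEEDED.

Added example, not ERESI/libelfsh code. Every dynamically linked executable
carries one DT_DEBUG entry (the loader fills it with the r_debug address at
runtime); rewriting its tag and value in the file turns it into an extra
library dependency without moving a single byte of the binary.
"""
import struct

# ELF constants, values from <elf.h>
PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_NEEDED, DT_STRTAB, DT_STRSZ, DT_DEBUG = 0, 1, 5, 10, 21
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr (64 bytes)
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr (56 bytes)
DYN = struct.Struct("<qQ")                 # Elf64_Dyn  (16 bytes)


def _phdrs(elf):
    """Return the program header table as a list of unpacked Elf64_Phdr tuples."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 is handled by this example")
    e = EHDR.unpack_from(elf, 0)
    phoff, phentsize, phnum = e[5], e[9], e[10]
    return [PHDR.unpack_from(elf, phoff + i * phentsize) for i in range(phnum)]


def vaddr_to_offset(elf, vaddr):
    """Map a virtual address to a file offset through the PT_LOAD segments."""
    for p_type, _fl, p_offset, p_vaddr, _pa, p_filesz, _ms, _al in _phdrs(elf):
        if p_type == PT_LOAD and p_vaddr <= vaddr < p_vaddr + p_filesz:
            return p_offset + (vaddr - p_vaddr)
    raise ValueError("address 0x%x is not backed by the file" % vaddr)


def dynamic_entries(elf):
    """Yield (file_offset, d_tag, d_val) for each PT_DYNAMIC entry up to DT_NULL."""
    for p_type, _fl, p_offset, _va, _pa, p_filesz, _ms, _al in _phdrs(elf):
        if p_type != PT_DYNAMIC:
            continue
        for off in range(p_offset, p_offset + p_filesz, DYN.size):
            d_tag, d_val = DYN.unpack_from(elf, off)
            yield off, d_tag, d_val
            if d_tag == DT_NULL:
                return


def _dynstr(elf, tags):
    """Return the raw .dynstr bytes located through DT_STRTAB/DT_STRSZ."""
    if DT_STRTAB not in tags or DT_STRSZ not in tags:
        raise ValueError("no DT_STRTAB/DT_STRSZ: not a dynamically linked file")
    start = vaddr_to_offset(elf, tags[DT_STRTAB])
    return elf[start:start + tags[DT_STRSZ]]


def needed_names(elf):
    """List the DT_NEEDED library names in .dynamic order."""
    entries = list(dynamic_entries(elf))
    strtab = _dynstr(elf, {t: v for _, t, v in entries})
    return [strtab[v:strtab.index(b"\0", v)].decode()
            for _, t, v in entries if t == DT_NEEDED]


def add_needed_via_dt_debug(elf, libname):
    """Return a copy of elf whose DT_DEBUG entry now reads DT_NEEDED libname.

    libname must already be present NUL-terminated in .dynstr; a suffix of an
    existing string qualifies, since d_val is just an offset into the table.
    """
    entries = list(dynamic_entries(elf))
    strtab = _dynstr(elf, {t: v for _, t, v in entries})
    debug = [off for off, t, _ in entries if t == DT_DEBUG]
    if not debug:
        raise ValueError("no DT_DEBUG entry to retag (already used, or static binary)")
    idx = strtab.find(libname.encode() + b"\0")
    if idx < 0:
        raise ValueError("%r is not present in .dynstr" % libname)
    out = bytearray(elf)
    DYN.pack_into(out, debug[0], DT_NEEDED, idx)  # tag and value of one entry
    return bytes(out)


def build_sample_elf():
    """Constructed minimal ELF64 image: one PT_LOAD mapping the whole file at
    0x400000, a .dynstr and a .dynamic. Not executable, but well-formed enough
    for the functions above. The library names are made up for the example."""
    base = 0x400000
    dynstr = b"\0libc.so.6\0libhook.so\0"
    strtab_off = EHDR.size + 2 * PHDR.size
    dyn_off = strtab_off + len(dynstr)
    dyn_off += (-dyn_off) % 8                      # keep Elf64_Dyn 8-byte aligned
    dyn = b"".join(DYN.pack(t, v) for t, v in [
        (DT_NEEDED, 1),                            # "libc.so.6"
        (DT_STRTAB, base + strtab_off),
        (DT_STRSZ, len(dynstr)),
        (DT_DEBUG, 0),                             # the entry we will retag
        (DT_NULL, 0)])
    total = dyn_off + len(dyn)
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9     # ELFCLASS64, ELFDATA2LSB
    ehdr = EHDR.pack(ident, 2, 62, 1, base, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, 2, 0, 0, 0)
    phdrs = (PHDR.pack(PT_LOAD, 5, 0, base, base, total, total, 0x1000) +
             PHDR.pack(PT_DYNAMIC, 6, dyn_off, base + dyn_off, base + dyn_off,
                       len(dyn), len(dyn), 8))
    img = bytearray(ehdr + phdrs) + b"\0" * (total - len(ehdr) - len(phdrs))
    img[strtab_off:strtab_off + len(dynstr)] = dynstr
    img[dyn_off:dyn_off + len(dyn)] = dyn
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_elf()
    print("before:", needed_names(sample))
    patched = add_needed_via_dt_debug(sample, "libhook.so")
    print("after: ", needed_names(patched))
```

Two practical caveats follow from the code. The retagged entry sits wherever DT_DEBUG was, usually after the original DT_NEEDED entries, so the injected library is loaded last and, unlike LD_PRELOAD, cannot interpose symbols that earlier dependencies already define; this is one reason the PLT-based redirections above exist. And since there is exactly one DT_DEBUG, the trick works once per binary, which a second call on the patched image reports as an error.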
Reverse engineering des systèmes ELF/INTEL (Reverse engineering of ELF/INTEL systems; SSTIC 2003 French conference) by Julien Vanegue and Sebastien Roy
This article describes the early work on control flow analysis, binary injection, function redirection, statically performed ASLR (Address Space Layout Randomization), and semantic attributes for the INTEL architecture instruction set.
'''Interception de l'information sur le format ELF''' (Interception of information on the ELF format; WSTI 2003 French conference) by Julien Vanegue
This article deals with static binary modification techniques for runtime interception on the ELF format. It is somewhat a (very) condensed version of the previous article.
Those old texts are mostly for beginners who want to learn the basics of ELF dynamic linking on the Linux/x86 platform. They were not published in any journal or conference but simply released on the ELF shell website at the time.