Reverse engineering is an activity whose objective is the study and analysis of a system in order to deduce its internal functioning.
In computer science, the objective of software reverse engineering is to to study a software without having its source code available, with the aim of:
To do this, we use tools such as disassemblers, decompilers, debuggers, binary file editors... but we also need skills! One must know how to develop, know the technical specifications of the target processors (x86, RISC, ARM...) and operating systems (Unix, Windows, Android...), know the compilation mechanisms and software protections (Packer, AntiDebug, AntiSandbox, DEP, ASLR...), and above all, be a curious person.
Whether it's on your network, computers, servers, mobiles, we're able to reverse engineer a lot of applications.
If machines in your infrastructure are infected with malware, the malware may be:
In order to be able to eradicate it, we will study how it functions in a confined environment, in order to understand how it settled, spread, and persisted.
With the knowledge acquired in the study phase, we will determine a way to disarm it, either by blocking its operation or by completely uninstalling it, and thus establish a cleaning procedure.
Other people in your company will then be put in the loop, such as system and network administrators, in order to apply these cleanup procedures, but also to make changes so that installing such malware will be made impossible or very complicated in the future. This includes the identification of markers or artefacts identifying the malware, which are then transmitted to a SOC. It can be configuration adjustments to the machines, addition of technical protection measures, or behavioral changes.
If we take the example of an email phishing campaign, which is the most common vector of malware propagation in companies, three solutions can be implemented to try to avoid, or at least reduce the chances of a second infection:
Software security is an example of the usefulness and necessity of reverse engineering. Whether it's because of a design flaw, a poor implementation, or a lack of testing, software often comes with a lot of vulnerabilities. These vulnerabilities can have a significant impact on the security of your data, software, or your business model. Reverse engineering can help uncover such security holes and address them.
When a software company wishes to test the security of its solution, it can use several methods or strategies to estimate its reliability. These evaluation techniques inevitably include audits on targeted or broader scopes. The following audit strategies can be used:
All of the above strategies are good practice and each have relevance from a software security perspective. It is these types of audits that allow the ANSSI to certify products (CSPN, EAL3+, EAL4+). These certifications are then valid for a specific version of the solution, and attest to a specific level of security, corresponding to the means and skills of an attacker.
Among the techniques discussed, one of the most time-consuming and technically demanding is the search and exploitation of vulnerabilities. This is a very targeted activity (specific product version and installation environment) which is an essential complement to the software code audit. It often applies to only one component of the application, because working on the whole application can be a daunting task. Reverse engineering skills are essential. The vulnerabilities we're looking for in this phase can be of any type:
Vulnerability scanning usually begins with a step of fuzzing (with tools such as Peach Fuzzer or American Fuzzy Loop) in order to determine which user inputs cause the application to crash, see if they can be exploited and under what conditions. It is therefore necessary to be familiar with the installation environments and the protections implemented natively (DEP, ASLR, stack canaries...)
A necessary step of reverse engineering will then determine the type of bug and its operating conditions. This will allow developers to fix the vulnerability, and to estimate vulnerable installations and versions of the product based on the system environment on which it was installed. The vulnerability disclosure process is framed, and may result in the release of a CVE (Common Vulnerabilities and Exposures).
When an unknown vulnerability is exploited by a group of attackers, without the editor knowing about it and being able to patch it, we then talk about a 0-Day.
Forensic investigation is an activity primarily carried out by law enforcement and incident response teams. It's about collecting, analyzing and preserving all digital traces deemed necessary to determine, identify, prove, disprove a thesis or an element.
The proof can therefore be presented in multiple shapes. It is therefore necessary to use reverse engineering techniques for the following purposes:
Spécialistes en sécurité informatique à Lyon, Paris, Saint-Étienne et partout en France
You've enabled "Do Not Track" in your browser, we respect that choice and don't track your visit on our website.