Ideas

[karlek]

Surrounding

• Database file format (git-able) (see #6)
  • human readable by commits (also readable diffs)
  • sync updates for collaboration
• Undo stack
  • undo tree
• API (example: https://www.zerodayinitiative.com/blog/2019/7/16/mindshare-automated-bug-hunting-by-modeling-vulnerable-code)

Interactive

• Introduce new types
  • parse C header files
  • let user define types interactively
• Toggle code/data

Dynamic

• Binary instrumentation
• Debugger + reverse debugging (+ time-travel?)
• Code coverage
• Dynamic analysis

Static

• IR (thesis)

• Call graph

• Control flow analysis (control flow primitive recovery)

• Data flow analysis

• Symbolic execution

  • Register bounding (value set analysis)

• Pseudo code generation (decompilation)

• Type analysis

  • Detection of types based on parsing of format strings, and arguments passed to printf

• Corpus (static library detection)

• Shingled graph

• Recursive Descent Disassembly

• Syscalls

• Compiler version detection based on analysis of output when compiling a given function with several different versions of the same compiler (e.g. one docker per compiler version)

Future aspirational

• Language Server Protocol (LSP)

[karlek]

File format reverse engineering mode. Annotate, color, document, select and mark field as length or offset, reserved, etc. Inspired by yours truly.

[mewmew]

• Cantor Dust, a merge between visual reverse engineering and the Scene from the 90s. (Name suggestion: Dammtrasa or Dammtuss)

[mewmew]

For binary instrumentation, investigate using uprobes (instead of ptrace) as we wish to get execution context for every instruction. For this purpose, uprobes should be more performant than ptrace.

From https://www.youtube.com/watch?v=de9cVAx6REA:

[mewmew]

Putting this here to have easy access to the links.

For emulation, rather than relying on e.g. QEMU, we should look into Unicorn (by the same people that wrote Capstone).

Slides from 2015: https://www.unicorn-engine.org/BHUSA2015-unicorn.pdf

Stumbled upon this, as I'd love to play around with the Tiny Code Generator of QEMU, and as it turns out, Unicorn is essentially QEMU without "bloat" (or rather features useful for emulation, but feature we will not need for static and dynamic analysis of binaries).

[mewmew]

Another system to look into playing around with is S²E which can be used for symbolic execution, among others.