
SEI’s CERT Division Releases New Version of Pharos Toolset

Article

September 13, 2019—The SEI’s CERT Division has announced the release of an updated version of its Pharos Binary Analysis Framework. The update represents more than a year’s worth of improvements and bug fixes to the Pharos toolset.

Analysts of software programs use the Pharos suite of tools to automate the reverse engineering of binaries, or executable files. In the wild, malware, or malicious software designed to permit unauthorized access to or damage a computer system, usually consists of binaries alone. Without the source code for a piece of malware, analysts must reverse engineer it. Automated reverse engineering speeds efforts to prevent or recover from malware attacks.

First released by the CERT Division in 2015, Pharos provides a platform for binary static analysis capabilities, including disassembly, control flow analysis, instruction semantics, and more. CERT analysts built Pharos on top of Lawrence Livermore National Laboratory's (LLNL) ROSE compiler infrastructure.

One of the Pharos tools, OOAnalyzer, determines the behavior and structures of object-oriented programs by automatically recovering C++ class abstractions from executables. Users can work with OOAnalyzer output by importing it into other reverse engineering frameworks, such as IDA Pro. This July, the CERT Division added a plugin to OOAnalyzer that imports its outputs into Ghidra, the National Security Agency’s recently released software reverse engineering tool. Ghidra can now display imported OOAnalyzer results in its user interface.

“Ghidra’s decompiler automatically applies imported C++ data structures recovered by OOAnalyzer to decompiled code,” said Jeff Gennari, a senior malware reverse engineer in the CERT Division and a developer of the Pharos toolset. “This greatly improves an analyst's ability to reason about complex data structures at the binary level by getting the representation even closer to source code.”

Cory Cohen, a senior member of the technical staff in the SEI’s CERT Division and Pharos project lead, noted that the Ghidra plugin should expand OOAnalyzer’s impact. “Since Ghidra is freely available,” he said, “the improved analysis produced by OOAnalyzer will be able to reach a much broader audience of program analysts.”

The other significant update to Pharos is improved path analysis. Path finding identifies the steps in the code that lead to program execution, from start to finish. Binary code, usually all that is available of malware, leaves out or obscures critical source-code locations and instructions along the execution path, making path finding notoriously difficult. To complicate the task, some malware can detect path finding efforts and self-destruct before analysts make much headway.

The updated Pharos tool circumvents both problems by filling in the missing pieces with symbolic representations. First the tool establishes the logical constraints on the missing pieces. Then it applies the Z3 Theorem Prover to find variables that fit all the constraints. Finally, it uses the viable values to complete a model of the execution path. This symbolic representation technique has limitations, but it is a leap forward in path analysis that has applications in vulnerability discovery and malware feature identification and removal.

“For example, malware analysts often spend a significant amount of time getting malware to demonstrate the malicious behavior,” explained Cohen. “Automated path analysis can identify the input conditions required to trigger the malicious behavior, greatly improving an analyst’s understanding of the malware capabilities and how to trigger them.”
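The constrain-then-solve loop described above, and the "input conditions required to trigger the malicious behavior" that Cohen mentions, as an added illustration that is not Pharos code: a constructed three-check control-flow graph is walked symbolically, the branch conditions along each path are collected as path constraints, and a bounded brute-force search stands in for Z3 to produce concrete inputs that reach a chosen block.

```python
"""Toy path finding over a constructed control-flow graph (not Pharos code).

Each branch condition is kept symbolically (a predicate plus its text),
the constraints along every path are accumulated, and a brute-force
search over a small input domain plays the role of the SMT solver.
"""
from itertools import product

# Constructed CFG: block -> (true_successor, false_successor, condition, text).
# Conditions inspect two input values (x, y); None marks a leaf block.
CFG = {
    "entry":       ("check_len",   "exit", lambda x, y: x > 4,            "x > 4"),
    "check_len":   ("check_magic", "exit", lambda x, y: y == x * 2,       "y == 2*x"),
    "check_magic": ("payload",     "exit", lambda x, y: (x ^ y) == 0x1b,  "x ^ y == 0x1b"),
    "payload":     (None, None, None, "(routine of interest)"),
    "exit":        (None, None, None, "(benign exit)"),
}

def collect_paths(block, constraints=()):
    """Yield (leaf, constraints) for every path from `block` to a leaf.

    Each constraint is (predicate, text, wanted_truth_value).
    """
    succ_t, succ_f, cond, _text = CFG[block]
    if cond is None:
        yield block, list(constraints)
        return
    yield from collect_paths(succ_t, constraints + ((cond, _text, True),))
    yield from collect_paths(succ_f, constraints + ((cond, _text, False),))

def solve(constraints, domain=range(64)):
    """Stand-in for Z3: return the first (x, y) satisfying every constraint."""
    for x, y in product(domain, domain):
        if all(cond(x, y) is want for cond, _, want in constraints):
            return x, y
    return None

def inputs_reaching(target):
    """Return the readable path constraints and a satisfying input for `target`."""
    for leaf, constraints in collect_paths("entry"):
        if leaf == target:
            texts = [t if want else f"not ({t})" for _, t, want in constraints]
            return texts, solve(constraints)
    return None

if __name__ == "__main__":
    print(inputs_reaching("payload"))  # (['x > 4', 'y == 2*x', 'x ^ y == 0x1b'], (9, 18))
```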

Other improvements in the new version of Pharos include partitioner improvements, multi-threading, and other minor features and fixes.

Cohen said the Pharos update represents the SEI’s mission at work. “This is how the SEI has transitioned the latest academic research in program analysis capabilities into a platform that’s actually usable by the Department of Defense and others.”

To learn more about the Pharos toolset, visit the SEI’s Digital Library at https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=508008. The Pharos source code is available at the SEI’s GitHub at https://github.com/cmu-sei/pharos.