Introduction

The REVEN® technology underlies both the REVEN®-Axion and REVEN®-Impact products and has been in development for more than 4 years. Its purpose is the analysis of binary executables, either to help security experts in their reverse-engineering tasks or to help developers who need advanced debugging.

At the core of REVEN® is a fairly accurate symbolic CPU that executes the binary code under analysis. It translates the disassembled native input code into our intermediate symbolic language, and then executes it. Around it, we also developed the various emulation layers that the CPU needs to interact with the hardware: MMU, IRQ/exception handling, hardware port accesses, DMA, MMIO, etc.

Since REVEN® sits right at the frontier between hardware and software, it covers everything that happens at the software level: OS code of any privilege level (ring 0 or ring 3) up to the application code. This is a huge perimeter to cover and, to exploit it best, TETRANE also develops the products that aggregate, organize and explore the analysis data. Those products provide two different modes of operation: dynamic analysis and static analysis.

The dynamic mode is currently embedded in the REVEN®-Axion product. It enables the user to navigate a previously recorded trace (the scenario) backward and forward, explore the CPU registers and RAM contents at any point in time, access the entire access history of any memory location, etc.

In static mode, the user can manually explore portions of assembly code through various graphs, and better understand its structure.

Finally, the REVEN® technology provides access to higher-level functionalities such as data tainting, and to information that is usually unavailable without source-code access: OS semantic propagation, dynamically accessed strings, hardware accesses, etc.


Technical details

  • Simulates (via symbolic execution) an Intel Core i7 (x86 + FPU, MMX, SSE)
  • Supports, via the scenario generation, hardware events (USB, network, etc.)
  • Handles huge traces (tens of billions of CPU instructions)
  • Allows analysis for various platforms (Windows, Linux, etc.)
  • Unified mode of operation for kernel or user mode and multiple binaries
  • Direct access to generated data through the Python API or the dedicated GUI