Thursday, December 1, 2016

Project FIRST: Share Knowledge, Speed up Analysis

Project FIRST is lead by Angel M. Villegas. This post is authored by Holger Unterbrink.

Talos is pleased to announce the release of the Function Identification and Recovery Signature Tool (FIRST). It is an open-source framework that allows sharing of knowledge about similar functions used across file types that IDA Pro can analyze. The aim is to create a community for the infosec analysts and reverse engineers that promotes the sharing of information.

The main idea behind FIRST is to preserve an engineer’s analysis of certain functions (name, prototype, comment, etc) by using methods like opcode hashing, mnemonic hashing, locality sensitive hashing, etc. By collecting and storing these signatures centrally the framework can provide them later to the community via the API/Plugin. The goal is to provide quick lookups for similar functions (see Fig. A) to avoid losing time with analysing a function which was already analysed before in another sample or by another engineer.
Fig. A
For example, a researcher in Spain analyzed a sample. He annotated the analysed functions and uploaded the information to the server. Later, a researchers in California comes across a variant of the sample and he queries the FIRST server in order to find similarities with known binaries. He is lucky, someone has already analysed these functions and he does not need to reinvent the wheel, he can use the matches found in the framework and speed up his analysis.

For the client side we are providing an IDA Python plugin with the following capabilities:
  • Add annotations (single or multiple functions)
  • Check for annotations (single or all functions)
  • Update applied annotations
  • View applied annotations
  • View annotation history
  • Manage metadata
  • Script FIRST with IDA Python
This plugin can be used with either the public Talos FIRST server (beta) or with your own instance of the server. To get started you can register for an API key for the Talos server on the FIRST homepage.

The FIRST framework architecture is built out of the following components.
Fig. B
The framework offers a REST API to communicate with the client side plugin e.g. IDA plugin. Further it provides an authentication model, database manager and engine manager. A database manager offers flexibility to integrate other databases than the used MongoDB e.g. MySQL. The engine manager organizes and executes all modules used to derive function similarity, called engines.The client side plugin/API/ABI interacts with the server via the REST API. The API/ABI provide developers with a way to incorporate FIRST into their current workflows and tools.

FIRST was and will be presented at the following conferences:

MALCON - Fajardo, Puerto Rico October 19
PACSEC - Tokyo, Japan October 27
ZeroNights - Moscow, Russia November 18
Botconf - Lyon, France December 1

You can find more information at:

Homepage - Register and Infos

No comments:

Post a Comment