Recon 2026

SmallWorld
Language: English

Have you ever wanted to just run that damn code you are looking at in IDA Pro? You are not alone. Even assuming you can find a working emulator for the required processor, execution requires setting up enough of a complete initial runtime environment, and that is by no means easy. There are many puzzle pieces to assemble and put in the right places, including register and memory contents, operating system information, libraries, and peripheral models. SmallWorld is designed to make all of that easy, and it supports popular dynamic analysis platforms such as Unicorn, angr and others. You can even readily move machine state between such platforms. In short, SmallWorld makes code harnessing and dynamic analysis fast and easy. We will explain all of this in detail and present three demonstrations of common but juicy use cases.


Dynamic analysis often breaks down precisely where it’s needed most: code that can’t be easily executed because its runtime environment is unknown or incomplete. SmallWorld is a framework built to close that gap. At the heart of the problem is the need for an execution environment — everything besides your code that it depends on to run, such as the operating system, system libraries, peripherals, or initial memory state.

SmallWorld lets you construct that environment incrementally, specifying only what the code actually needs. By separating environment modeling from analysis tooling, it enables dynamic analysis of previously unreachable binary code in a tool-agnostic way. SmallWorld, furthermore, lets you run just the code you care about, starting execution arbitrarily deep in a binary and stubbing out or modeling functions or code snippets that you don't care to submit to analysis.

The framework currently supports 13 ISAs and integrates with 5 dynamic analysis tools, making it practical for everything from reverse engineering to vulnerability research. It contains models for a healthy fraction of libc and POSIX. Further, SmallWorld's notion of the concrete state used to initialize an emulator prior to beginning execution works as a lingua franca, allowing one to move state between dynamic analysis worlds. You can start analyzing in Unicorn, transfer state at some point to angr for symbolic execution, and later return the state to pick up emulation in Unicorn, etc.
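The two ideas in the paragraphs above, a harness that maps only what the code needs and a concrete state that moves between analysis back-ends, as an added illustration in Python. This is not SmallWorld's code or API: the toy ISA, the `MachineState`, `ConcreteEmulator` and `TracingEmulator` classes, the addresses, the modelled library function at 0x2000 and the input bytes are all constructed for this example.

```python
import copy
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Added illustration (not SmallWorld code): a tool-agnostic concrete machine
# state, built incrementally and handed between two constructed back-ends.

@dataclass
class MachineState:
    """Shared snapshot: registers, mapped bytes, program, function models."""
    regs: Dict[str, int] = field(default_factory=dict)
    memory: Dict[int, int] = field(default_factory=dict)    # only mapped bytes
    program: Dict[int, tuple] = field(default_factory=dict)  # addr -> toy instr
    models: Dict[int, Callable[["MachineState"], None]] = field(default_factory=dict)

    def add_region(self, base: int, data: bytes) -> None:
        self.memory.update({base + i: b for i, b in enumerate(data)})

    def read(self, addr: int, size: int) -> bytes:
        try:
            return bytes(self.memory[addr + i] for i in range(size))
        except KeyError as e:  # only what the code needs is mapped; name the gap
            raise MemoryError(f"unmapped address {e.args[0]:#x}: add a region") from None

class ConcreteEmulator:  # back-end A: plain concrete execution of the toy ISA
    def __init__(self) -> None:
        self.state, self.halted = MachineState(), False

    def load(self, state: MachineState) -> None:  # shared state -> this tool
        self.state, self.halted = copy.deepcopy(state), False

    def dump(self) -> MachineState:  # this tool -> shared state
        return copy.deepcopy(self.state)

    def _load_byte(self, addr: int) -> int:
        return self.state.read(addr, 1)[0]

    def step(self) -> None:
        st, pc = self.state, self.state.regs["pc"]
        op, *args = st.program[pc]
        st.regs["pc"] = pc + 1
        if op == "ldb":      # rd = *rs (one byte)
            st.regs[args[0]] = self._load_byte(st.regs[args[1]])
        elif op == "addi":   # rd += imm
            st.regs[args[0]] += args[1]
        elif op == "jz":     # if rs == 0: pc = target
            if st.regs[args[0]] == 0:
                st.regs["pc"] = args[1]
        elif op == "jmp":
            st.regs["pc"] = args[0]
        elif op == "call":   # library function: run its Python model instead
            if args[0] not in st.models:
                raise RuntimeError(f"no model for function at {args[0]:#x}")
            st.models[args[0]](st)
        elif op == "halt":   # pc stays on the halt so a re-loaded state halts again
            st.regs["pc"], self.halted = pc, True

    def run(self, max_steps: int) -> None:
        while not self.halted and max_steps > 0:
            self.step()
            max_steps -= 1

class TracingEmulator(ConcreteEmulator):  # back-end B: adds its own bookkeeping
    def __init__(self) -> None:
        super().__init__()
        self.reads: List[int] = []   # every data address read, like a taint log

    def _load_byte(self, addr: int) -> int:
        self.reads.append(addr)
        return super()._load_byte(addr)

def build_harness(input_bytes: bytes) -> MachineState:
    """Map only what the snippet touches; no OS, no stack, no other libraries."""
    st = MachineState()
    st.program = {                    # count bytes up to NUL, then report
        0x100: ("ldb", "r2", "r1"),
        0x101: ("jz", "r2", 0x105),
        0x102: ("addi", "r0", 1),
        0x103: ("addi", "r1", 1),
        0x104: ("jmp", 0x100),
        0x105: ("call", 0x2000),      # hypothetical library function
        0x106: ("halt",),
    }
    st.add_region(0x4000, input_bytes)  # constructed input
    st.regs = {"pc": 0x100, "r0": 0, "r1": 0x4000, "r2": 0}
    # Model for 0x2000: store r0 as a little-endian 32-bit value at 0x3000.
    st.models[0x2000] = lambda s: s.add_region(0x3000, s.regs["r0"].to_bytes(4, "little"))
    return st

def run_with_handoff(input_bytes: bytes, handoff_after: int = 4) -> Tuple[int, List[int]]:
    """Run in back-end A, move the state to back-end B mid-run, finish there."""
    a = ConcreteEmulator()
    a.load(build_harness(input_bytes))
    a.run(handoff_after)
    b = TracingEmulator()
    b.load(a.dump())                    # the concrete state is the lingua franca
    b.run(10_000)
    return int.from_bytes(b.dump().read(0x3000, 4), "little"), b.reads
```

`run_with_handoff(b"recon\0")` starts the loop in the concrete back-end, hands the state over after four steps, and finishes in the tracing back-end, which reports the count (5) and the addresses it read after the hand-off (0x4001 through 0x4005). The `MemoryError` from `read` is the incremental-harness loop in miniature: run, see which register, region or model is missing, add just that piece, and run again.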

In the first half of this talk, we'll walk through the design and implementation of SmallWorld and explain how it enables analyses that were previously infeasible. The second half of the talk will consist of demonstrations of salient use cases: harnessing and fuzzing code from an embedded system, harnessing firmware unpacking code and letting it loose on a corpus of firmware downloads, and interactive type recovery of input parsing code.

ISAs supported include:
• aarch64
• amd64
• arm32
• i386
• la64
• m68k (coming soon)
• mips32r2
• mips64r2
• msp430
• ppc32
• ppc64
• riscv64
• xtensa

Supported Dynamic Analysis Tools:
• Unicorn
• angr
• PANDA-ng
• Ghidra
• AFL++

SmallWorld is open source and available at https://github.com/smallworld-re/smallworld.