Recon 2024

Path of rev.ng-ance: from raw bytes to CodeQL on decompiled code
06-28, 13:00–14:00 (US/Eastern), Grand Salon

This is a hands-on talk about what you can do with the rev.ng decompiler, a FLOSS decompiler based on LLVM and QEMU.

We will guide the audience step by step through how to go from the raw bytes of a file (think: firmware) to decompiled C code.

Then we'll dig into rev.ng's intermediate representation, based on LLVM IR, and show what tools can be used on it (e.g., KLEE for symbolic execution).

Finally, we'll show how you can use standard tools such as CodeQL and clang-static-analyzer to find bugs in the decompiled C code emitted by rev.ng, which is always syntactically valid.

Everything shown will be 100% reproducible by the audience in real time using rev.ng.


Talk outline:

  • From zero to decompiled C code (interactive demo on terminal)
    • Create a 7-byte raw binary
    • How to load it into rev.ng
    • How to produce disassembly
    • Adding prototypes to functions
    • How to produce decompiled code
  • Why you won't need to do any of the above: importing from ELF, DWARF, PE/COFF, PDB, Mach-O, and .idb.
  • Code analysis
    • Describe our internal IR, hint at analysis tools (e.g., KLEE)
    • Find bugs on a simple binary using CodeQL
    • Find bugs on a simple binary using clang-static-analyzer
  • Status: what you can expect to work
  • Final recap: rev.ng goals and future directions
See also: Slides (4.4 MB)

One day while playing a CTF I thought "hey, this decompiler could be done better".

I like C++, LLVM, binaries, Free Software and privacy.

During my dark academia years I presented at USENIX, DEF CON and several other compilers/computer security conferences.

I'm the co-founder of rev.ng Labs, the company developing the rev.ng decompiler.
My activities include overseeing the overall design and maintaining the first half of the decompilation pipeline.

After my MSc in Mathematics I thought it was cool to do something with immediate consequences in the real world and started working in embedded systems.
I got hooked on low-level programming and worked for a few years on automated bug detection for High-Level Synthesis compilers for FPGAs during my PhD at Politecnico di Milano.
While trying to decide what to do with my life, I spent a short time at ARM in the Research-Security group, working on fuzzing and static program analysis.
I finally decided to try myself and join rev.ng Labs as co-founder, to help build the rev.ng decompiler. So far it's been a great journey!