Radare2 GSoC 2018

Project Ideas

Radeco GSoC (radare2 decompiler)

radeco is a radare2-based static binary analysis framework. Currently, radeco is stable enough and has several analyses built into it. We believe that this GSoC is a good opportunity to push radeco further and implement our very own decompiler within radare2!

[Radeco] Pseudo-C Backend for Decompiler

This task involves completing a decompiler backend using the analyses in radeco. Once preliminary results are obtained, students are expected to continue working on improving the quality of the decompiled code. Below is a high-level task list that we think is appropriate for this timeline. Feel free to break it down further and bring in new ideas while writing your proposal.

Task

Skills

The student should be familiar with Rust and the basics of decompilation, or be able to learn them quickly.

Difficulty

Advanced

Benefits for the student

The student will learn decompilation theory and how to work with radeco-ir.

Benefits for the project

This task would allow the first release of radeco that is able to generate readable C code.

Mentors

Assess requirements for midterm/final evaluation

Links/Resources

Cutter (radare2 Qt/C++ GUI)

Cutter is a Qt and C++ GUI for radare2. It focuses on those who are not yet radare2 users because of the learning curve, because they don't like CLI applications, or because of the difficulty/instability of radare2.

[Cutter] Implement Debugging and Emulation support

Cutter currently only supports static analysis. The idea is to implement a debugging view that allows running/rerunning the current binary with multiple r2 dbg/io plugins.

Task

  1. Give every widget its own seek/offset/address
  2. Add the possibility of creating multiple instances of the same widget (with different seeks)
  3. Create a widget that prints register names and values
  4. Create a new DebugWindow (QMainWindow) that is suited to debugging (customizable)
  5. Add a debugger toolbar at the top (select dbg plugin, program arguments, run, pause, stop, ...)
  6. Handle emulation correctly

Skills

The student should be familiar with C++; experience with Qt would be a plus.

Difficulty

Medium

Benefits for the student

The student will learn how to design a user interface properly.

Benefits for the project

This task provides huge benefits for Cutter, because its end users would be able to use Cutter for both static and dynamic analysis.

Mentors

Assess requirements for midterm/final evaluation

Links/Resources

None.

Radare2

Console interface improvement

Radare2 has a very flexible console interface, including a command line, different visual modes, and Unix-like integration with other tools. But there is still a lot to be done.

Task

  1. Unify similar code between all the different modes
  2. Fix Unicode support in RCanvas and the Visual Panels mode
  3. Write a popup window widget for selection/autocompletion
  4. Add a table API/commands, as is done for graphs
  5. Add an API and command for setting the graph node background
  6. Show the minigraph together with the graph
  7. Add a radiff2 visual split-view mode
  8. Tests and documentation (r2book) for the new commands

Skills

The student should know C and the basics of terminal interaction (escape sequences, TTY, etc.).

Difficulty

Medium

Benefits for the student

The student will learn how console interaction works under the hood, gain knowledge of Unicode internals, and get experience tuning redrawing performance.

Benefits for the project

Huge benefits for end users in UX, and better support for localisation.

Assess requirements for evaluations

Mentors

Links/Resources

Type inference

Radare2 currently supports types, including a basic (low-level) ability to edit types with pf and higher-level, C-like types with the t command. For example, you can parse C type definitions from a C header, or load them from a "precompiled" SDB file. The goal of this task is to integrate type handling into the radare2 analysis loop, including automatic inference and suggestions.

Task

  1. Write more tests for the t commands and fix the corresponding bugs
  2. Add the ability to apply structure/union types to arguments/return values
  3. Add the ability to substitute structure offsets automatically where possible (e.g. when a function parameter's type has been specified and the function uses it internally)
  4. Implement basic type inference (without the need for an SMT solver) based on function argument types, function return types, and the callgraph
  5. Improve variable and argument detection, coupled with the type inference engine
  6. Export and import return and argument types with function signatures
  7. Consider the possibility of implementing a simple data-flow engine in radare2, and implement it if time permits

Skills

The student should know C and be familiar with the basics of program analysis.

Difficulty

Medium

Benefits for the student

The student will understand modern program analysis problems related to type inference, and will meet the most common reverse engineering task in its advanced incarnation.

Benefits for the project

This feature will make radare2 usable for day-to-day reverse engineering of complex programs, and will make integration with the radeco decompiler even easier.

Assess requirements for midterm/final evaluation

Mentors

Links/Resources

Handle EXE/DLL as FAT binaries

Windows programs are like Apple's fat binaries: they contain multiple programs inside, and r2 should be able to list and select them when loading. It should also be possible to extract them with rabin2 -x foo.exe. The sub-bins inside an EXE are:

  1. DOS program
  2. W16 program
  3. W32 program
  4. MSIL program (.NET)
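As an added illustration (not radare2 or rabin2 code) of what "listing the sub-bins" of an EXE means, the following parser walks the MZ/NE/PE headers and reports which of the four programs above are present; the function names list_subbins and build_sample are this example's own, and the header offsets and magic values are the published PE/COFF ones. The MSIL check looks at data directory 14 (the CLR header), which is populated only for managed images.

```python
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B  # optional-header magics from the PE/COFF spec
DIR_ENTRY_COM_DESCRIPTOR = 14  # data directory slot holding the .NET CLR header
OPT_LAYOUT = {PE32_MAGIC: (92, 96), PE32PLUS_MAGIC: (108, 112)}  # (NumberOfRvaAndSizes, first directory)

def list_subbins(data: bytes) -> list:
    """Name the sub-programs an MZ file carries, in the order the page lists them."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    subbins = ["dos"]  # every MZ file starts with a DOS program (often just a stub)
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    sig = data[e_lfanew:e_lfanew + 4]
    if sig[:2] == b"NE":  # 16-bit New Executable
        return subbins + ["w16"]
    if sig != b"PE\0\0":
        return subbins  # plain DOS program, or a format not classified here
    subbins.append("w32")  # PE32 or PE32+ image
    coff = e_lfanew + 4  # 20-byte COFF header; SizeOfOptionalHeader sits at +16
    size_opt = int.from_bytes(data[coff + 16:coff + 18], "little")
    opt = coff + 20
    if size_opt < 2 or opt + size_opt > len(data):
        return subbins  # truncated or malformed: stop at "w32"
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in OPT_LAYOUT:
        return subbins
    nrva_off, dirs_off = OPT_LAYOUT[magic]
    entry = dirs_off + 8 * DIR_ENTRY_COM_DESCRIPTOR
    if entry + 8 <= size_opt:  # directory table is large enough to hold slot 14
        (nrva,) = struct.unpack_from("<I", data, opt + nrva_off)
        rva, size = struct.unpack_from("<II", data, opt + entry)
        if nrva > DIR_ENTRY_COM_DESCRIPTOR and rva and size:
            subbins.append("msil")  # a populated CLR header means managed code
    return subbins

def build_sample(kind: str, clr: bool = False) -> bytes:
    """Construct a minimal, non-loadable PE image (test data, not a real binary)."""
    dos = bytearray(b"MZ") + bytes(0x7E)
    struct.pack_into("<I", dos, 0x3C, len(dos))  # e_lfanew points past the stub
    magic = PE32_MAGIC if kind == "pe32" else PE32PLUS_MAGIC
    nrva_off, dirs_off = OPT_LAYOUT[magic]
    opt = bytearray(dirs_off + 8 * 16)  # optional header with 16 data directories
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, nrva_off, 16)
    if clr:
        struct.pack_into("<II", opt, dirs_off + 8 * DIR_ENTRY_COM_DESCRIPTOR, 0x2008, 0x48)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

Calling list_subbins on build_sample("pe32", clr=True) yields ["dos", "w32", "msil"]; a pure DOS program yields only ["dos"].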

Task

This task also includes adding support for .NET in RBin, to be able to list the symbols, get the entrypoint, code metadata, etc. This will require rethinking some of the commands to allow switching between parts of this FAT binary on the fly.

  1. Fix the current fatmach0 support
  2. Fix dyldcache, which is broken
  3. PE (DOS, Win, .NET) separation
  4. Add support for iOS OTA images (see issue)

Skills

The student should be comfortable with the C language and be familiar with Windows binaries.

Difficulty

Advanced

Benefits for the student

The student will gain a deep understanding of Microsoft's executable formats.

Benefits for the project

Currently, there are no up-to-date tools to deal with .NET programs in a low-level manner when decompilers fail. With this task, we'd like to fill this gap.

Assess requirements for midterm/final evaluation

Mentors

Links/Resources

Improve Windows platform support

Radare2 has basic support for Windows, but not all tests pass under AppVeyor, debugging still has problems, and some features of radare2 do not work properly. This task consists of several unrelated tasks, some small and some big, to improve the basic and advanced support for running radare2 on the Windows platform. Note that the task requires a computer able to run Windows in a virtual machine.

Tasks

  1. Fix current features on the Windows platform:
  2. Improve PDB integration with the analysis subsystem
  3. Improve WinDbg protocol support and its integration with analysis
  4. Heap analysis (as is done with dmh for glibc; unify the code)
  5. Make signatures for Windows libraries
  6. Better support for .dll (analysis and debugger) and kernel driver loading
  7. Add support for loading all kinds of kernel dumps (if not already done through microtasks)
  8. Find WinMain automatically, parsing SEH and RTTI

Skills

The student should be comfortable with programming on the Windows platform. They don't need a reverse engineering background, since most of the missing pieces are well documented. As a bonus, it would be useful if they know some basic assembly.

Difficulty

Medium. If the student is comfortable with programming for Windows, there shouldn't be major challenges, except for WinDbg protocol support.

Benefits for the student

The student will gain experience in writing debuggers for the Windows platform, and will learn the internals of the Windows components related to debugging.

Benefits for the project

Since radare2 has better support for emulation and analysis, this will help users migrate from WinDbg to radare2.

Assess requirements for midterm/final evaluation

Mentors

Links/Resources

Real time collaboration platform

Radare2 has been a successful reverse engineering framework and toolset for years. But apart from decompilation, the biggest missing feature is real-time collaboration, which is important when reversing large files or playing CTFs in teams. There are successful examples like collabREate, YaCo and solIDArity (proprietary/$$$). Of the public tools, collabREate is the most complete and common, and it supports notifications (and online propagation) of these actions:

Task

  1. Implement a simple server in Go to handle connections from multiple radare2 instances
  2. Add a users and projects manager to the server
  3. Patch radare2 to add hooks for the most important actions
  4. Write simple unit tests for those hooks, for easy testing on Travis CI and AppVeyor

Skills

Ability to code in and understand C and Go (though Go can be learnt in a couple of weeks).

Difficulty

Medium

Benefits for the student

The student will understand the problems of resolving data conflicts in real-time collaboration systems, which can be applied in any other domain.

Benefits for the project

Radare2 will gain a long-wanted feature for working in teams, reversing big files, or solving CTF tasks collaboratively.

Assess requirements for evaluation

Mentors

Links/Resources

ROPchain generator with ragg2

Since modern architectures now enforce W^X, exploit writers use ROP. (Un)fortunately, building a ROP chain by hand can be tedious, which is why tools exist to ease this construction: ImmunityDBG has mona.py, and there are also ROPgadget and dropper. It's a shame that, despite having ESIL, radare2 doesn't have something similar yet. One possible solution would be to build an external plugin or tool that reuses the power of libr and ragg2. Moreover, it makes sense to think about SROP, COOP and BROP support.

Task

  1. Implement a "classic" (/bin/sh, for example) ropchain as a proof of concept, like what ROPgadget does. This can be done in almost any language, thanks to the bindings/r2pipe.
  2. Cache ROP gadgets in SDB for quicker retrieval
  3. Implement a ropchain syntax parser that uses ragg2, or something like: register reg1 = 0; register reg2 = whatever; register reg3 = reg1 + reg2; system(reg3);
  4. Write a compiler that uses an SMT solver (like Z3, for example) to produce the ropchain.

Skills

The student should be comfortable with the C language, know some assembly, and know a high-level language. Also, knowing a little bit about automatic binary analysis wouldn't hurt.

Difficulty

Medium

Benefits for the student

The student will improve their skills in software exploitation and solvers.

Benefits for the project

This feature would greatly help during exploit development, and people would be able to ditch mona.py for radare2 ;)

Assess requirements for evaluation

Mentors

Links/Resources

Rune GSoC (symex engine)

The main goal of the projects in the radare-rust ecosystem is to build a complete binary analysis framework. rune aims to be a library with replaceable modules for reasoning about sections of a binary through symbolic execution.

rune integration with radeco-lib and radare2

This task involves complete integration of the rune backend with radeco-lib and radare2.

Task

Skills

The student should be familiar with Rust and the basics of symbolic execution, or be able to learn them quickly.

Difficulty

Advanced

Benefits for the student

The student will learn to work with an experimental symbolic engine in its early stages of development. They will also gain an understanding of different program analysis techniques and their implementation.

Benefits for the project

This task would allow rune to develop into a mature project. Beyond being a side project under the radare umbrella, completion of the tasks above would make it ready for use by the community.

Mentors

Assess requirements for midterm/final evaluation

Links/Resources



--radare2 @ 2018