Posts

PANDA VM Updated

By popular request, I've updated the PANDA VM to a more recent version of PANDA. Get it here: pandavm-20141005.tar.bz2. The version in the VM is based on Git revision 28787825aaf514da22e11650fdfca3ba82b9fc57. Enjoy!

Breaking Spotify DRM with PANDA

Disclaimer: Although I think DRM is both stupid and evil, I don't advocate pirating music. Therefore, this post will stop short of providing a turnkey solution for ripping Spotify music, but it will fully describe the theory behind the technique and its implementation in PANDA. Don't be evil. Update 6/6/2014: The following post assumes you know what PANDA is (a platform for dynamic analysis based on QEMU). If you want to know more, check out my introductory post on PANDA. This past weekend I spoke at REcon, a conference on reverse engineering held every year in Montreal. I had a fantastic time there getting to meet other people interested in problems of memory analysis, reverse engineering, and dynamic analysis. One of the topics of my REcon talk was how to use PANDA to break Spotify DRM, and since the video from the talk won't be posted for a while, I thought I'd write up a post showing how we can use PANDA and statistics to pull out unencrypted OGGs from Spotif...

PANDA, Reproducibility, and Open Science

tl;dr: PANDA now supports detached replays (you don't need the underlying VM image to run a replay), and they can be shared at a new site called PANDA Share. Hooray for reproducibility! One of the most inspiring developments of the past few years has been the push for open science, the movement to ensure that scientific publications, data, and software are freely available to all. In computer science, a big part of this has been a trend towards making software and experimental data available once a paper has been published, so that others can verify experiments and "stand on the shoulders of giants" by extending the software. There have also been initiatives aimed at making sure that the results of experiments in computer science can be replicated. In the latest release of PANDA, our Platform for Architecture-Neutral Dynamic Analysis, we've taken an important step in ensuring that experiments in dynamic analysis can be freely shared and replicated: as of ...

Prebuilt VM for PANDA Now Available

I have just created a prebuilt VirtualBox VM for testing PANDA. It's a current Debian 7.1 install with the latest (as of 10/4/2013) version of PANDA and prerequisites installed. The username and password for the VM are "panda:panda", with root password "panda". Also included is a Debian i386 QCOW2 image (created by Aurelien Jarno) that can be used to test PANDA. Once you have the VM booted and you're logged in, you can cd into the panda/qemu directory and do:

panda@pandavm:~/panda/qemu$ x86_64-softmmu/qemu-system-x86_64 \
    -m 256 -hda ~/qcow/debian_squeeze_i386_standard.qcow2 -monitor stdio

This will start up an instance of PANDA and boot the Debian image. From there you can create recordings and replay them with PANDA's various plugins; see the documentation for more details. Hopefully this will make it easier for people to get started with PANDA!

Announcing PANDA: A Platform for Architecture-Neutral Dynamic Analysis

I'm pleased to announce the initial release of a new open source dynamic analysis platform built on QEMU, named PANDA (Platform for Architecture-Neutral Dynamic Analysis). It has a number of features that combine to make it a uniquely powerful platform for analyzing software as it executes: Record and Replay: PANDA is capable of recording the non-deterministic inputs during a whole-system execution and later deterministically replaying them. This means that heavyweight analyses that would be too slow to run on a live execution can be decoupled to run on the replayed execution instead. We recently used this in our 2013 ACM CCS paper to monitor every memory access made by an OS and applications, which would not have been feasible without record and replay. Record and replay is currently supported for i386, x86_64, and ARM, with more architectures planned. For more details see the record and replay documentation. Android Support: Thanks to excellent work by Josh Hodosh, PAND...

Virtuoso – Initial Code Release

I've just gotten word that the Virtuoso source code has been approved by the sponsor for public release, so I've uploaded version 1.0 to the Virtuoso Google Code site! Thanks to Tim Leek at MIT Lincoln Laboratory for seeing this project through the lengthy release review process! Also on Google Code, you can find an installation guide and a walkthrough to get you started. Check it out, and generate some memory analysis tools! If you run into trouble, you can shoot me an email and I'll do my best to help out, but keep in mind that this is a research project, and so there are still lots of rough edges. Enjoy!

What I Did on My Summer Vacation

Over the summer I worked at Microsoft Research, which has a fantastically smart bunch of people working on really cool and interesting problems. I just noticed that they've posted the video of my end-of-internship talk, Monitoring Untrusted Modern Applications with Collective Record and Replay. Please take a look if you're curious about what it might look like to try and monitor mobile apps in the wild with low overhead!