Announcing REVEN version 2.8

Apr 06, 2021
by Louis and Marc
Categories: REVEN
Tags: REVEN, Announcement, Releases

Tetrane is pleased to announce the release of REVEN Enterprise and REVEN Professional 2.8.

REVEN is an automated Reverse Engineering Platform designed to go x10 faster & x10 deeper using Timeless Analysis. Technically, REVEN captures a time slice of a full system execution (CPU, Memory, Hardware events) to provide unique analysis features that speed up and scale your reverse engineering process.

REVEN version 2.8 doubles down on REVEN 2.7’s effort to provide you with a “bird’s eye view” of the execution trace, so you can see what happens in your scenarios at a glance. This version also brings new features on the automation side, with advanced recording options to dig into complex bugs and new scripts to automatically detect vulnerabilities.

This article covers these new features and tools and the other important changes introduced in the REVEN 2.8 release.

Displaying past and future calls as a tree

The Call Tree view makes its debut! This view works like a super-charged backtrace: it shows not only the calling functions at your current point in the trace, but also the calls made by the current function and the next calls of the parent function. This full genealogy of calls quickly provides a lot of information, both global and detailed, about what occurs in a trace, which enables fast identification of points of interest (PoIs) and understanding of a system or component.

Leveraging the timeless nature of REVEN means that the Call Tree view also displays calls that take place at a future point in the trace!

You can think of this view as a new way to browse REVEN traces at a higher-level.

Buffer Overflow detection

REVEN version 2.8 includes a notebook that allows you to search for heap buffer overflow (BOF) vulnerabilities in software or operating systems using REVEN!

We used the script to automatically detect the BOFs in two recent CVEs: CVE-2020-17087, a Windows kernel local privilege escalation, and CVE-2021-3156, a Linux heap buffer overflow in sudo (“Baron Samedit”).

More information about this feature is available in the dedicated blog article!

Use-of-uninitialized-memory detection

With this notebook, you can detect uses of uninitialized memory in software. In particular, uses of uninitialized memory that impact the control flow are reported first.

Using the system-wide capabilities of REVEN, we can even detect interprocess uses of uninitialized memory!

Find more information about this notebook in the dedicated blog article.

REVEN now sports a good collection of vulnerability detection notebooks! Find them all on GitHub.

REVEN Enterprise edition now makes it possible to start and stop recording using the ASM stub, even when performing an automatic binary record. This allows for more flexibility in the record options, and makes recording non-deterministic vulnerabilities easier.

You can refer to our recent article on the topic for more information.

And More

  • REVEN now runs on Debian Buster, and uses Python 3.7!
  • Taint performance improved up to x4 in some workloads (long taints with lots of tainted memory benefit most from the improvement).
  • Improved the behavior of the “%” plugin and the Transition.find_inverse API entry, so that they are more accurate on more instructions.
  • The Binary Ninja integration is confirmed working! It comes on top of the other REVEN integrations such as IDA, Ghidra and WinDbg!

The full list of improvements and fixes is available in the release notes.

Want to try REVEN? An extensive set of learning scenarios is available online, so just pick one from our demo catalog! Tutorials are available in most demos.

Interested in REVEN? Compare the features of REVEN Professional and REVEN Enterprise.
