📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.

Commercial Reversing Tools

Topic created on: November 14, 2006 00:23 CST by stam321 .

Hi,

I was wondering if anyone knows which is better, HBGary's Inspector or BinNavi? They both seem to have nice features but I can't find any resources that compare them.

thx.

  hoglund     November 14, 2006 14:08.52 CST
Our Inspector product has very strong graphing support, including proximity browsing (as expected), n-depth searching from the current node up/down for regex, substring, exact match, and against disasm text, comment text, workitem (similar to a problem report/bookmark), sample data (samples are taken at runtime during tracing: register contents and strings pointed to, if they exist) - that's just graphing. We are a stand-alone product (we don't use IDA for anything), pretty good disasm on x86 bins (really good reversing of RPC endpoints, for example), written all in C# so you can extend the platform w/ your own scripts/plugins using C#, support headless remote debugging over TCP/IP - full dataflow tracing (you say "trace this buffer" and we report every data move and arithmetic operation derived from that buffer - great for tracing packets off of recv()) - have fuzzing scripts... lots of features. Dang, I'm writing a damn data sheet here.. better yet, I can do a webex and give you a live demo - just shoot [email protected] an email and he will set it up. I think our stuff is a lot more expensive than Halvar's though - so keep that in mind.

  halvar     November 14, 2006 18:04.07 CST
Hey Stam,

please contact [email protected] to arrange for evaluating BinNavi.

Apologies for not dumping the feature list right now, it's 1am here. I will post more in a few days (we are still hard at work here).

Cheers,
Halvar

  morphique     November 17, 2006 11:49.32 CST

I have read about Inspector's path-finding feature, which is pretty cool. No matter whether it's a binary or source code analysis, the first step is to filter out the less interesting code which user input can't reach.
So path finding is a very useful feature, which can be achieved through buffer mutation and logging all the instructions which branch upon, perform arithmetic operations upon, or change user input.
PyDbg is useful for doing this kind of stuff using snapshot functions. But I haven't played much with this kind of stuff. It will tremendously reduce the time required to do binary analysis if we can find out all the pieces of code user input can reach, because this is the code which is of potential interest.
It is very useful in the case of software security assurance, where you have to make sure that you reviewed most of the code and reported most of the security bugs.
Is it possible to achieve 80 percent or more code coverage?


Cheers
Morph
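The dataflow tracing hoglund describes ("trace this buffer" and report every data move and arithmetic operation derived from it) and the path finding morphique sketches (log every instruction that branches upon or changes user input) rest on the same propagation rule over an instruction trace. The following is an added example, not HBGary's or PyDbg's code; the trace and its operand format are constructed for illustration.

```python
from collections import namedtuple

# Constructed trace record: one executed instruction with destination and source operand.
Insn = namedtuple("Insn", "addr mnem dst src")
# Constructed trace: a buffer filled by recv() is parsed, stored and compared.
TRACE = [
    Insn(0x401000, "mov", "eax", "[buf+0]"),
    Insn(0x401003, "mov", "ecx", "0x10"),
    Insn(0x401008, "add", "eax", "ecx"),
    Insn(0x40100a, "mov", "[len]", "eax"),
    Insn(0x401010, "mov", "edx", "[len]"),
    Insn(0x401016, "cmp", "edx", "0x100"),
    Insn(0x40101c, "ja", "0x401100", None),
    Insn(0x401022, "xor", "ebx", "ebx"),
    Insn(0x401024, "mov", "esi", "[other]"),
    Insn(0x40102a, "cmp", "esi", "0x5"),
]
MOVES = {"mov", "movzx", "lea"}
ARITH = {"add", "sub", "xor", "and", "or", "imul", "shl", "shr"}
COMPARES = {"cmp", "test"}

def trace_buffer(trace, buffer_name):
    """Follow data derived from memory operands of buffer_name through the trace.
    Returns (operands still tainted at the end, events); an event is (addr, mnem, kind)."""
    tainted = set()
    events = []
    def is_tainted(op):
        return op is not None and (op.startswith("[" + buffer_name) or op in tainted)
    for insn in trace:
        if insn.mnem in MOVES:
            if is_tainted(insn.src):
                tainted.add(insn.dst)
                events.append((insn.addr, insn.mnem, "data move"))
            else:
                tainted.discard(insn.dst)  # overwritten with clean data
        elif insn.mnem in ARITH:
            if insn.mnem == "xor" and insn.dst == insn.src:
                tainted.discard(insn.dst)  # xor reg, reg zeroes the register
            elif is_tainted(insn.dst) or is_tainted(insn.src):
                tainted.add(insn.dst)
                events.append((insn.addr, insn.mnem, "arithmetic"))
        elif insn.mnem in COMPARES and (is_tainted(insn.dst) or is_tainted(insn.src)):
            events.append((insn.addr, insn.mnem, "branch condition"))
    return tainted, events

def input_dependent_branches(trace, buffer_name):
    """Addresses of comparisons whose outcome depends on the traced buffer."""
    return [a for a, _, kind in trace_buffer(trace, buffer_name)[1]
            if kind == "branch condition"]
```

The comparison at 0x40102a is not reported because esi was loaded from memory the buffer never reached, which is exactly the filtering morphique describes.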

  gnukish     November 19, 2006 00:05.54 CST
As far as I know, comparing the two products is not correct. You might think that I am wrong, but here are my reasons on "why" you should not compare these two tools.

Inspector from HBGary is a reverse-engineering management system in itself, having less attachment to IDA Pro since it has its own disassembler, and most features mentioned by our friend hoglund are automated.

BinNavi from Sabre Security is a brilliant plugin for IDA Pro. It does what it promises and it is a very good utility for binary navigation, and you can see the flash demo from its website. BinNavi expects you to have IDA Pro as the base for your disassembly, unlike Inspector.

I think you shouldn't compare a tool that automates analysis with a "plugin" that uses a disassembler to assess the structures, API calls, and other things manually with the help of a human.

As all of us know, manual auditing of binaries is much more effective and covers code better, but is time consuming though... and automated analysis, definitely with pre-defined "prototypes", will not cover the amount of code a person like Halvar can cover with this toolkit.

My 2 cents... ;)

My question to Stam: what do you intend to do with the tool?
Perhaps people here will be able to help.

Cheers,
Kish

  stam321     November 19, 2006 12:13.19 CST
Basically, I want to automate the binary security auditing process as much as possible.

  stam321     November 19, 2006 12:14.30 CST
It supports kernel mode debugging.

  halvar     November 19, 2006 19:30.41 CST
Hey all,

(I'll overlook the fact that I think one shouldn't compare the two products side-by-side as they're playing in very different markets IMO)

our 'proper' marketing material isn't ready yet (as a company we're very code-centric, and
a bit stretched on things like marketing), but I will pitch a few things that are important
in the upcoming BinNavi v1.2 release:

1) Openness of data storage

In this release, we have completely migrated to an open SQL format (of which we will make
the specifics available at the time of the release). Users can utilize an arbitrary disassembler
to dump the disassembly into a MySQL or PostgreSQL server and then use BinNavi on top of
that. We will supply an exporter that exports from IDA into this format. This has
many advantages:

a) It is going to be easy to retrieve the data created during the analysis
b) It is going to be easy to use your-preferred-language-of-the-day to interface with
data created/collected while using BinNavi
c) Backups etc. can be done using regular database administration tools
d) If you happen to have your own disassembler for your-crazy-architecture-you-
can't-talk-about, you can just have your tool export to the SQL database and
then use BinNavi on top of that
<tongue-in-cheek>
e) If you buy Inspector and it doesn't have a feature that BinNavi has, you can
easily export from Inspector into BinNavi :-P - also, with BinNavi's pricing, buying
it in addition to Inspector will not change the overall bill much.
</tongue-in-cheek>

2) Strict Platform independence

BinNavi's GUI is written in pure Java which interfaces with an SQL server on the network. This
means that you can run the GUI on whichever OS you like. We ourselves have only tested it
on Windows, Linux and OS X, but if you happen to have an S390 standing around (and it
happens to run Java5), we'd be surprised if BinNavi wouldn't work.

Furthermore, we have put a lot of effort into our database format and are already using it
to analyze code compiled for x86, ARM and PPC, with more architectures to come.

3) Full Python AND Java Integration

BinNavi has a fully integrated Jython interpreter which allows extending BinNavi with Python
scripts. The beauty here is that you can subclass Java classes in Python and then work
with them.

The scripting is fully coupled with the debugger - e.g. you can register a script to a breakpoint,
and when that breakpoint is hit the script will be executed.

Also, the built-in-API has a lot of useful convenience functions:

for function in get_functions().values():
    graph = Flowgraph(function)    # build the flowgraph of this function
    print graph.get_loops()        # basic blocks that belong to loops

This would iterate over all functions in the database and output the basic blocks belonging
to loops within the functions.

4) Debugging on diverse platforms

BinNavi v1.2 will be available in an advanced version that is capable of debugging such
diverse targets as Windows, Linux, Cisco IOS, Netscreen etc.

Debug from an OS X host into Linux? No problem. Debug from Windows into IOS? No
problem.

Anyhow, I need to get to sleep. Lots of work still to fix the remaining bugs in the next
release.
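What a call like graph.get_loops() has to compute for one function, as an added stand-alone example (not BinNavi code and not its API): natural-loop detection from dominators over a constructed flowgraph, so the result can be checked without a database behind it.

```python
# Constructed flowgraph of one function: basic block address -> successors.
CFG = {
    0x1000: [0x1010],
    0x1010: [0x1020, 0x1050],   # outer loop header; 0x1050 is the exit path
    0x1020: [0x1030],
    0x1030: [0x1030, 0x1040],   # inner self-loop, e.g. a byte scan
    0x1040: [0x1010],           # back edge to the outer header
    0x1050: [],                 # function return
}

def predecessors(cfg):
    return {n: [p for p in cfg if n in cfg[p]] for n in cfg}

def dominators(cfg, entry):
    """Iterative dataflow: dom[n] is the set of blocks on every path entry->n."""
    preds = predecessors(cfg)
    dom = {n: set(cfg) for n in cfg}
    dom[entry] = {entry}
    changed = True
    while changed:
        changed = False
        for n in cfg:
            if n == entry:
                continue
            new = set(cfg)
            for p in preds[n]:
                new &= dom[p]
            new.add(n)
            if new != dom[n]:
                dom[n], changed = new, True
    return dom

def get_loops(cfg, entry):
    """Natural loops keyed by header: a back edge n->h (h dominates n) plus
    every block that reaches n without passing through h."""
    dom, preds, loops = dominators(cfg, entry), predecessors(cfg), {}
    for n in cfg:
        for h in cfg[n]:
            if h not in dom[n]:
                continue                      # forward or cross edge, not a loop
            body, stack = {h, n}, ([n] if n != h else [])
            while stack:                      # walk predecessors back to h
                for p in preds[stack.pop()]:
                    if p not in body:
                        body.add(p)
                        stack.append(p)
            loops.setdefault(h, set()).update(body)
    return {h: sorted(b) for h, b in loops.items()}
```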
