Keeping current in infosec can be challenging. There are countless security projects under development at any given time, and it's impossible for the average person to keep track of them all. I'd like to take a minute to cover four projects that I, as a security researcher, find particularly exciting and worth keeping an eye on in 2017.
Stop trying to slice multi-gigabyte pcap files! Metron, formerly known as OpenSOC, aims to modernize and scale open source security monitoring and event management. Metron can be considered an evolutionary step beyond the functionality of current security distributions such as Security Onion. By leveraging Apache Storm as its backbone stream processing engine, Metron is able to pull packets and events produced by Snort and Bro from Kafka spouts into an extensible “data enrichment” pipeline that adds supplementary data before indexing and storage in an HBase and Hive cluster indexed by Elasticsearch.
With initial backing from Cisco and Hortonworks, Metron has been accepted into the Apache Incubator program and is under heavy development. It is far from production-ready, but the core is there. If you'd like to play around with it, check out the single-machine Vagrant scripts to get a tap interface up and running fairly quickly.
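To make the “data enrichment” idea concrete, here is an added example (my own code, not Metron's) of what one stage of such a pipeline does: it normalizes a Bro conn.log record and a Snort alert into one event schema, then attaches asset and threat-intel context to each IP before the event is indexed. The two input lines and both lookup tables are constructed for the example; the field names are loosely modelled on Metron's normalized event fields, and the in-memory dictionaries are a stand-in for the HBase/Hive lookups the real pipeline performs.

```python
import json
import re

# Constructed sample input: one Bro conn.log record (tab-separated, field order
# from the default conn.log header: ts, uid, id.orig_h, id.orig_p, id.resp_h,
# id.resp_p, proto, service, duration) and one Snort "alert_fast" line.
BRO_CONN_LINE = (
    "1484573531.123456\tCXWv6p3arKYeMETxOg\t10.0.0.5\t43211"
    "\t203.0.113.7\t80\ttcp\thttp\t0.42"
)
SNORT_FAST_LINE = (
    "01/16-14:32:11.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check "
    "returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] "
    "{TCP} 10.0.0.5:43211 -> 203.0.113.7:80"
)

# Hypothetical lookup tables standing in for the HBase/Hive lookups an
# enrichment stage would perform; both contents are made up.
ASSET_INVENTORY = {
    "10.0.0.5": {"hostname": "ws-finance-07", "owner": "finance", "criticality": "high"},
}
THREAT_INTEL = {
    "203.0.113.7": {"feed": "constructed-feed", "tag": "known-bad"},
}

# Snort alert_fast layout: [gid:sid:rev] msg [**] ... [Priority: n] {PROTO} src:port -> dst:port
SNORT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"\[Priority: (?P<priority>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_bro_conn(line):
    """Normalize a Bro conn.log record into the common event schema."""
    f = line.rstrip("\n").split("\t")
    if len(f) < 7:
        raise ValueError("conn.log record has too few fields")
    return {
        "source.type": "bro_conn",
        "timestamp": float(f[0]),
        "ip_src_addr": f[2], "ip_src_port": int(f[3]),
        "ip_dst_addr": f[4], "ip_dst_port": int(f[5]),
        "protocol": f[6],
    }


def parse_snort_fast(line):
    """Normalize a Snort alert_fast line into the same schema."""
    m = SNORT_RE.search(line)
    if m is None:
        raise ValueError("unrecognized Snort alert line")
    return {
        "source.type": "snort",
        "sig_id": f"{m['gid']}:{m['sid']}:{m['rev']}",
        "msg": m["msg"],
        "priority": int(m["priority"]),
        "protocol": m["proto"].lower(),
        "ip_src_addr": m["src"], "ip_src_port": int(m["sport"]),
        "ip_dst_addr": m["dst"], "ip_dst_port": int(m["dport"]),
    }


def enrich(event):
    """Attach asset and threat-intel context keyed on each IP in the event."""
    out = dict(event)
    for side in ("ip_src_addr", "ip_dst_addr"):
        ip = event[side]
        if ip in ASSET_INVENTORY:
            out[f"enrichments.asset.{side}"] = ASSET_INVENTORY[ip]
        if ip in THREAT_INTEL:
            out[f"threatintel.{side}"] = THREAT_INTEL[ip]
    # Triage rule: any threat-intel hit, or a high-priority Snort alert, is flagged.
    out["is_alert"] = any(k.startswith("threatintel.") for k in out) or event.get("priority", 99) <= 2
    return out


def run_pipeline(records):
    """records: iterable of (source, raw_line); returns enriched JSON documents."""
    parsers = {"bro_conn": parse_bro_conn, "snort": parse_snort_fast}
    return [json.dumps(enrich(parsers[src](raw)), sort_keys=True) for src, raw in records]


if __name__ == "__main__":
    for doc in run_pipeline([("bro_conn", BRO_CONN_LINE), ("snort", SNORT_FAST_LINE)]):
        print(doc)
```

The point of normalizing first is that the enrichment and triage logic is written once against `ip_src_addr`/`ip_dst_addr` and applies equally to a Bro flow record and a Snort alert; that is what lets a stream processor fan many sensor formats into one indexed store.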
Taking existing technology and making it more versatile and more user-friendly is common practice. Unicorn kicks this up a notch by making development on top of the QEMU system emulator actually enjoyable. Unicorn is built on QEMU, a multi-architecture emulator; it strips out most of the traditional OS-level functionality and layers a plethora of scripting interfaces on top of it all. This allows very easy development of quite powerful dynamic tools such as PyAna, a dynamic and extremely compact shellcode analyzer.
Unicorn is evolving rapidly and bugs are plentiful, but many tools out there already use it at their core.
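To show what “scripting interfaces on top of QEMU” buys you, here is an added example in the spirit of a minimal shellcode analyzer (my own code, not PyAna's): it maps a constructed 12-byte x86-64 snippet and a scratch stack into a Unicorn instance, hooks every executed instruction and every memory write, and reports the register state afterwards. It assumes the `unicorn` Python package (the official bindings) is installed; the code bytes, addresses and region sizes are all made up for the example.

```python
try:
    from unicorn import Uc, UC_ARCH_X86, UC_MODE_64, UC_HOOK_CODE, UC_HOOK_MEM_WRITE
    from unicorn.x86_const import UC_X86_REG_RAX, UC_X86_REG_RBX, UC_X86_REG_RSP
    UNICORN_AVAILABLE = True
except ImportError:  # keeps the module importable where Unicorn is not installed
    UNICORN_AVAILABLE = False

# Constructed sample: mov rax, 42 ; inc rax ; push rax ; pop rbx
SAMPLE_CODE = bytes.fromhex("48c7c02a000000" "48ffc0" "50" "5b")

# Hypothetical layout: code at 4 MiB, a 64 KiB scratch stack at 2 MiB.
CODE_BASE = 0x400000
STACK_BASE = 0x200000
STACK_SIZE = 0x10000
INITIAL_RSP = STACK_BASE + STACK_SIZE // 2


def emulate(code=SAMPLE_CODE):
    """Run `code` to completion under Unicorn and return a trace summary.

    Returns None if the Unicorn bindings are not installed."""
    if not UNICORN_AVAILABLE:
        return None

    instructions = []  # (address, raw bytes) for every executed instruction
    writes = []        # (address, size, value) for every memory write

    mu = Uc(UC_ARCH_X86, UC_MODE_64)
    mu.mem_map(CODE_BASE, 0x1000)          # one page for the code
    mu.mem_write(CODE_BASE, code)
    mu.mem_map(STACK_BASE, STACK_SIZE)     # scratch stack, initially zero
    mu.reg_write(UC_X86_REG_RSP, INITIAL_RSP)

    # Hook callbacks receive the user_data object passed to hook_add().
    def on_code(uc, address, size, user_data):
        user_data.append((address, bytes(uc.mem_read(address, size))))

    def on_mem_write(uc, access, address, size, value, user_data):
        user_data.append((address, size, value))

    mu.hook_add(UC_HOOK_CODE, on_code, instructions)
    mu.hook_add(UC_HOOK_MEM_WRITE, on_mem_write, writes)

    # Emulate from the first byte until RIP reaches the end of the snippet.
    mu.emu_start(CODE_BASE, CODE_BASE + len(code))

    return {
        "rax": mu.reg_read(UC_X86_REG_RAX),
        "rbx": mu.reg_read(UC_X86_REG_RBX),
        "rsp": mu.reg_read(UC_X86_REG_RSP),
        "instructions": instructions,
        "writes": writes,
    }


if __name__ == "__main__":
    result = emulate()
    if result is None:
        print("unicorn bindings not installed")
    else:
        for addr, raw in result["instructions"]:
            print(f"{addr:#x}: {raw.hex()}")
        for addr, size, value in result["writes"]:
            print(f"write {size} bytes @ {addr:#x} = {value:#x}")
        print(f"rax={result['rax']} rbx={result['rbx']} rsp={result['rsp']:#x}")
```

For this snippet the trace shows four instructions, a single 8-byte stack write of 43 from the `push`, and `rax == rbx == 43` with `rsp` back at its starting value. The same two hooks, with no OS underneath to get in the way, are what a tool like PyAna builds on to watch self-modifying shellcode unpack itself.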
Dynamic symbolic execution, SAT solvers, and taint tracking, oh my! Jonathan Salwan has been very busy developing the Triton framework. Aimed primarily at those who prefer formal methods for vulnerability discovery and security research, Triton offers many facilities for dynamic binary analysis, with a focus on automated reverse engineering, program verification, and deobfuscation. Supporting over 200 of the most common instructions from the Intel x86-64 ISA, with more exotic instructions added frequently, Triton's capabilities and real-world applicability are progressing rapidly.
The IDA Pro disassembler has been the cornerstone of binary analysis for longer than information security has existed as an industry. But, let's face it, IDA sucks to use. It has an archaic and clumsy interface. It lacks important features like “parallelism” and “undo.” Its APIs and bindings often fall short of usable, and forget about collaborating effectively with coworkers. Then there is its price. Purchased new, my license, with all its bells and whistles, costs more than some cars.
Enter Binary Ninja. While nowhere near as full-featured as IDA in its current state, it addresses many of IDA's pitfalls at a fraction of the price. It can't fully replace IDA yet, but I highly recommend grabbing the free demo version. With its parallelized analysis engine and security-research-first attitude, it is sure to take a permanent place in many a researcher's tools directory.