Announcing PANDA: A Platform for Architecture-Neutral Dynamic Analysis

Platform for Architecture-Neutral Dynamic Analysis PANDA

I’m wondering if this system has any place in checking Apps destined for the SAFEplatform as discussed i.e App Store. Plugins can be written for a particular scenario.

In the video, 3 Demos are presented:

  1. Using taint to analyze a backdoored ssh-keygen
  2. Breaking Spotify DRM
  3. Live memory visualization with Hibbert curves (shown below)

PANDA has a number of features that combine to make it a uniquely powerful platform for analyzing software as it executes:

Record and Replay: PANDA is capable of recording the non-deterministic inputs during a whole-system execution and later deterministically replaying them. This means that heavyweight analyses that would be too slow to run on a live execution can be decoupled to run on the replayed execution instead.

We recently used this in our 2013 ACM CCS paper to monitor every memory access made by an OS and applications, which would not have been feasible without record and replay.

Android Support: PANDA can act as an Android emulator, running modern versions of Android.

Plugin Architecture: Plugins can be written in C and C++. PANDA supports callbacks for many types of event within QEMU, making it easy to write an analysis plugin; for example, a simple system call tracer is ~60 lines of code.

LLVM Execution: Borrowed from S2E, this execution mode translates guest code to LLVM and then JIT compiles it to native code; this means that plugins can analyze and transform the LLVM IR rather than working directly on native code.

Unique to PANDA is the ability to also translate QEMU’s helper functions (which are implemented in C and cover operations too complex to be handled in QEMU’s native IR) to LLVM, meaning analyses in PANDA can be complete.
This was recently used to implement architecture-neutral dynamic taint analysis.

Modern QEMU: PANDA is based on QEMU 1.0.1, with some additional fixes and enhancements backported. Unlike platforms such as BitBlaze/TEMU, which use QEMU 0.9.1, this allows PANDA to support modern OSes such as Windows 8

I asked if they could create a Docker image for testing purposes.

Video (64mins)