AI and Machine Learning in Cybersecurity


Note: this post currently just has content on AI + reverse engineering, but check back soon and I’ll be covering AI applied to other topics like:

  • AppSec

  • Cloud security

  • Penetration testing

and many more.

Ever since ChatGPT (and arguably before), the pace of innovation in machine learning / AI has been quite impressive.

This post is my attempt to:

Given the pace at which things are moving, this will likely be an incomplete list.

If there are meaningful blog posts, talks, or tools I should be aware of, please reach out and let me know! 🙏 

Reverse Engineering

Current Applications

At the time of this writing, applications of AI in reverse engineering seem to fall into a fairly small set of buckets.

Nearly all tools leverage LLMs to aid in program understanding:

  • Audit this code for vulnerabilities

  • Validate another tool’s security findings (Semgrep, in Callisto’s case)

See the “Reverse Engineering” subsection in the References section for a summary of ~8 tools you can review.

Future Work

Here are a few applications I find promising that do not yet seem to be explored.

Lower the barrier to entry for complex tools

IDA Pro, Ghidra, Binary Ninja, and the like are awesome, powerful tools, but they are complex and have a steep learning curve.

Instead of having to navigate many menus or read separate documentation, what if all of that info was indexed and there was a helpful chat box in which you could simply ask, “How do I do ?” and it would give you a response right there, without interrupting your flow?

What if your tool observed your behavior over time as you reversed many samples and, when you got stuck, offered advice like, “Last time you were in , you did , what if you tried that?”

And perhaps it could even take those actions for you automatically, especially if, for example, there is a set of things you always do when starting a new reversing project.

Building on the personal assistant idea, what if there was a model trained on the reversing behaviors and workflows of the best reversers in the world?

And as you were reversing, you’d see a little pop-up, kind of like auto-complete in Gmail or a Hacker Clippy, that’d recommend (and maybe even do for you) what an expert would do.

You could imagine a solid implementation of this enabling junior reversers to perform at an intermediate level much more quickly, and maybe even make intermediate or advanced reversers even more effective.

An ideal implementation would not just say, “Do this,” but rather additionally provide the reasoning and context, the why behind it, to upskill the user’s thought processes, not just actions.

Lastly, I’m not sure if this would be as useful as the above, but it would be interesting for the expert bot to get as specific as understanding a particular reverser’s style, like “In this situation, Rolf Rolles would do or Malware Unicorn or Azeria would do .”

Perhaps this could even fund a creator-economy / expert-model-as-a-service income stream for skilled reversers where they could bundle that knowledge and expertise and license the model, which individuals or companies could subscribe to.

Index and make available relevant context

There are a number of sources of information that could be indexed (for example, in a vector DB) and made available to a local model in your reversing platform of choice. This would save you time by providing context and preempting duplicate work.

  • Hashes, instruction sequences, and other IoCs of known malware, from VirusTotal, company blog write-ups, threat intel companies, and more.

    • This would make it easy to know if you’re reversing something similar or identical to known malware, so rather than reversing from scratch, you could leverage (and maybe programmatically import) the work others have already done.

  • Indicators for common packers and obfuscators, as well as how to handle them.

  • Sharing proprietary data from your colleagues who may have done similar work.

  • Indexing known/popular functions or libraries so you’re not wasting time reversing “known” functionality.
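A small sketch of the known-function lookup from the list above, added here as an example and not taken from any tool mentioned in this post. It swaps the vector DB and learned embeddings for feature-hashed opcode bigrams and an in-memory cosine search; `KnownFunctionIndex`, the 1024-wide vector, the 0.7 threshold, and the assembly listings are all assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

DIM = 1024  # vector width; an assumption, chosen to keep bucket collisions rare

def mnemonics(disasm):
    """Keep only each instruction's opcode so register, offset and key changes don't matter."""
    lines = (line.strip() for line in disasm.splitlines())
    return [l.split()[0].lower() for l in lines if l and not l.endswith(":")]

def embed(disasm, n=2):
    """Feature-hash opcode n-grams into a fixed-width, L2-normalised vector."""
    ops = mnemonics(disasm)
    grams = Counter(tuple(ops[i:i + n]) for i in range(len(ops) - n + 1))
    vec = [0.0] * DIM
    for gram, count in grams.items():
        digest = hashlib.sha256(" ".join(gram).encode()).digest()
        vec[int.from_bytes(digest[:4], "big") % DIM] += count
    norm = math.sqrt(sum(v * v for v in vec))
    return [v / norm for v in vec] if norm else vec

class KnownFunctionIndex:
    """In-memory stand-in for a vector DB of already-analysed functions."""
    def __init__(self):
        self.entries = []  # (label, analyst note, vector)
    def add(self, label, note, disasm):
        self.entries.append((label, note, embed(disasm)))
    def query(self, disasm, threshold=0.7):
        """Return (cosine score, label, note) for entries at or above threshold, best first."""
        q = embed(disasm)
        scored = [(sum(a * b for a, b in zip(q, v)), label, note)
                  for label, note, v in self.entries]
        return sorted((s for s in scored if s[0] >= threshold), reverse=True)

# Constructed sample listings (not taken from any real binary)
XOR_LOOP = ("mov ecx,[ebp+8]\nmov esi,[ebp+12]\nxor eax,eax\nmov al,[esi]\n"
            "xor al,0x5a\nmov [esi],al\ninc esi\ndec ecx\njnz loop\nret")
STRLEN_LIKE = ("mov eax,[esp+4]\nmov edx,eax\ncmp byte [eax],0\nje done\n"
               "inc eax\njmp loop\nsub eax,edx\nret")
VARIANT = ("mov edx,[ebp+8]\nmov edi,[ebp+12]\nxor eax,eax\nmov al,[edi]\n"
           "xor al,0x37\nmov [edi],al\ninc edi\nsub edx,1\njnz loop\nret")
UNRELATED = "push ebp\nmov ebp,esp\ncall helper\npop ebp\nret"

def demo_index():
    index = KnownFunctionIndex()
    index.add("xor_decode_loop", "single-byte XOR string decoder", XOR_LOOP)
    index.add("strlen_like", "inlined strlen", STRLEN_LIKE)
    return index
```

`demo_index().query(VARIANT)` returns only the `xor_decode_loop` entry even though the variant uses different registers, a different key, and `sub` instead of `dec`, while `UNRELATED` matches nothing.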

If you have feedback on any of these ideas or have other ideas I haven’t listed, I’d love to hear them! Happy to add them to this list if you’d like and credit you.

References

Reverse Engineering

moyix/gpt-wpre:
Tool by Brendan Dolan-Gavitt that utilizes the text-davinci-003 model to generate a summary of an entire binary using decompiled code from Ghidra. It employs a recursive approach to create natural language summaries of a function’s dependencies, providing them as contextual information for the function itself in an attempt to get around token limitations.

JusticeRage/Gepetto:
A Python script by Ivan Kwiatkowski which uses OpenAI’s gpt-3.5-turbo and GPT-4 models to provide meaning to functions decompiled by IDA Pro and rename variables.

MayerDaniel/ida_gpt:
IDAPython script by Daniel Mayer that uses the unofficial ChatGPT API to generate a plain-text description of a targeted routine. The script then leverages ChatGPT again to obtain suggestions for variable and function names.

  • Take the disassembly from Ghidra and feed it to OpenAI’s codex model to decompile the code

  • Attempt to find vulnerabilities, generate a description, or decompile the Ghidra pseudocode using OpenAI

mahaloz/DAILA:
A decompiler-unified plugin by Zion Basque that leverages the OpenAI API to enhance your decompilation process by offering function identification, function summarisation and vulnerability detection. The plugin currently supports IDA, Binja and Ghidra.

JetP1ane/Callisto:
Callisto is an automated binary vulnerability analysis tool created by James B. It utilizes Ghidra for decompiling the binary, Semgrep for scanning the resulting C code, and GPT-3.5-Turbo to validate Semgrep’s findings and potentially identify additional vulnerabilities.

Thanks for reading to the end!

If there are other topics you’d like me to add to this list, please reach out, I’d love to hear from you 😃 


