NYU Researcher’s “Time Machine” for Analyzing Computer Code Honored By R&D Magazine

Tool Helps Uncover Malicious Software, Digital Rights, Censorship, and More

Brendan Dolan-Gavitt

Computer security researchers face a major hurdle in studying software systems: Once a piece of code runs, that precise execution, along with its flaws and vulnerabilities, is gone forever. Studying whole operating systems, web browsers, or embedded systems requires researchers to run software again and again, observing anew each time.

But what if a tool could capture and record a unique execution, allowing unlimited observation with perfect fidelity? Meet PANDA, the Platform for Architecture-Neutral Dynamic Analysis, an open-source tool developed by Brendan Dolan-Gavitt, an assistant professor of computer science and engineering at the NYU Tandon School of Engineering, along with collaborators at the MIT Lincoln Laboratory and Northeastern University.

The technology was honored among the R&D 100, an annual roundup of top technology breakthroughs published by R&D Magazine. 

PANDA is built on the QEMU, or Quick Emulator system, a whole-system emulator that allows researchers to run complex software in a safe “sandbox” environment and record the system in action. “When you run a piece of software, time moves forward, and if you’re looking for something and miss it, you can’t step backwards,” Dolan-Gavitt explained. “When we run a piece of software in PANDA, we can record everything and view it as many times as we want. It’s almost like having magical powers,” he said.

For example, each time a web browser runs, it may interact slightly differently with web sites, even if it visits the same site multiple times. If a researcher observes something of interest in a particular instance, the execution can be captured and shared with others.

PANDA is also of particular interest to researchers studying malware, as malicious software is, by nature, ephemeral and difficult to trace. By isolating malware within the PANDA environment, it’s possible to play and replay the code endlessly. “We can learn a great deal about these things over time,” Dolan-Gavitt said, explaining that he and his collaborators have amassed a library of nearly 31,000 entries detailing the inner workings of malicious software.

Dolan-Gavitt and his collaborators have used PANDA to identify vulnerabilities in the digital rights management systems used on Spotify (the company was notified), and to uncover censorship mechanisms in an instant-messaging service widely used in Asia.

Dolan-Gavitt joined the faculty of the Tandon School of Engineering in July 2015, following a postdoctoral fellowship at Columbia University. He and his collaborators began working on PANDA in 2013. Their work is supported by the U.S. Assistant Secretary of Defense for Research and Engineering as part of Congressional line funding to the MIT Lincoln Laboratory. Their paper, “Repeatable Reverse Engineering for the Greater Good with PANDA,” was recently presented at the Program Protection and Reverse Engineering Workshop (PPREW) and is available at https://mice.cs.columbia.edu/getTechreport.php?techreportID=1588&disposition=inline&format=pdf.

The NYU Tandon School of Engineering dates to 1854, when the NYU School of Civil Engineering and Architecture as well as the Brooklyn Collegiate and Polytechnic Institute (widely known as Brooklyn Poly) were founded. Their successor institutions merged in January 2014 to create a comprehensive school of education and research in engineering and applied sciences, rooted in a tradition of invention, innovation and entrepreneurship. In addition to programs at its main campus in downtown Brooklyn, it is closely connected to engineering programs in NYU Abu Dhabi and NYU Shanghai, and it operates business incubators in downtown Manhattan and Brooklyn. For more information, visit engineering.nyu.edu.