Cisco Blogs

Project FIRST: Share Knowledge, Speed up Analysis


December 1, 2016

Project FIRST is led by Angel M. Villegas. This post is authored by Holger Unterbrink.

Talos is pleased to announce the release of the Function Identification and Recovery Signature Tool (FIRST). It is an open-source framework that allows sharing of knowledge about similar functions used across the file types that IDA Pro can analyze. The aim is to create a community of infosec analysts and reverse engineers that promotes the sharing of information.

The main idea behind FIRST is to preserve an engineer's analysis of a given function (name, prototype, comment, etc.) by keying it to signatures produced by methods such as opcode hashing, mnemonic hashing and locality-sensitive hashing. By collecting and storing these signatures centrally, the framework can later provide them to the community via the API/plugin. The goal is to offer quick lookups for similar functions (see Fig. A) so that no time is lost re-analyzing a function that was already analyzed in another sample or by another engineer.
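To make the three signature families concrete, here is an added, self-contained Python illustration of the idea (not the FIRST code base or its plugin API). It computes an exact opcode hash, an operand-agnostic mnemonic hash and a simhash-style locality-sensitive hash over constructed x86 disassembly, and shows a toy repository that returns an analyst's recorded name/prototype/comment on an exact hit or a close fuzzy match. The `Insn` type, the sample byte sequences, the simhash feature choice (mnemonic unigrams and bigrams) and the 0.9 match threshold are all assumptions of this example.

```python
"""Toy FIRST-style function signatures (hypothetical; not the FIRST code)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Insn:
    mnemonic: str
    operands: str
    raw: bytes  # encoded instruction bytes


def _h64(data: bytes) -> int:
    """64-bit integer from SHA-256; used as the per-feature hash for simhash."""
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


def opcode_hash(fn: List[Insn]) -> str:
    """Exact signature: any byte change (relocated target, stack size) breaks it."""
    return hashlib.sha256(b"".join(i.raw for i in fn)).hexdigest()


def mnemonic_hash(fn: List[Insn]) -> str:
    """Operand-agnostic signature: survives relocations and constant changes."""
    return hashlib.sha256(" ".join(i.mnemonic for i in fn).encode()).hexdigest()


def simhash(fn: List[Insn]) -> int:
    """64-bit simhash over mnemonic unigrams and bigrams (locality-sensitive)."""
    mn = [i.mnemonic for i in fn]
    feats = mn + [a + "|" + b for a, b in zip(mn, mn[1:])]
    acc = [0] * 64
    for f in feats:
        h = _h64(f.encode())
        for bit in range(64):
            acc[bit] += 1 if (h >> bit) & 1 else -1
    return sum(1 << bit for bit in range(64) if acc[bit] > 0)


def similarity(a: List[Insn], b: List[Insn]) -> float:
    """1.0 for identical simhashes, roughly 0.5 for unrelated code."""
    return 1.0 - bin(simhash(a) ^ simhash(b)).count("1") / 64


# Repository entry: analyst metadata (name, prototype, comment) plus the simhash
# kept for fuzzy fallback; the dictionary is keyed by mnemonic hash.
Meta = Tuple[str, str, str]
Repo = Dict[str, Tuple[Meta, int]]


def store(repo: Repo, fn: List[Insn], name: str, proto: str, comment: str) -> None:
    repo[mnemonic_hash(fn)] = ((name, proto, comment), simhash(fn))


def lookup(repo: Repo, fn: List[Insn], threshold: float = 0.9) -> Optional[Meta]:
    """Exact mnemonic-hash hit first, else the best simhash candidate >= threshold."""
    key = mnemonic_hash(fn)
    if key in repo:
        return repo[key][0]
    sh = simhash(fn)
    best, best_score = None, threshold
    for meta, cand in repo.values():
        score = 1.0 - bin(sh ^ cand).count("1") / 64
        if score >= best_score:
            best, best_score = meta, score
    return best


# Constructed samples. FUNC_B is FUNC_A from a different build: only the stack
# size and the relocated call target differ. FUNC_C is unrelated code.
FUNC_A = [
    Insn("push", "ebp", bytes.fromhex("55")),
    Insn("mov", "ebp, esp", bytes.fromhex("8bec")),
    Insn("sub", "esp, 0x10", bytes.fromhex("83ec10")),
    Insn("call", "0x401000", bytes.fromhex("e8fb0f0000")),
    Insn("mov", "esp, ebp", bytes.fromhex("8be5")),
    Insn("pop", "ebp", bytes.fromhex("5d")),
    Insn("ret", "", bytes.fromhex("c3")),
]
FUNC_B = [
    Insn("push", "ebp", bytes.fromhex("55")),
    Insn("mov", "ebp, esp", bytes.fromhex("8bec")),
    Insn("sub", "esp, 0x20", bytes.fromhex("83ec20")),
    Insn("call", "0x402030", bytes.fromhex("e82b100000")),
    Insn("mov", "esp, ebp", bytes.fromhex("8be5")),
    Insn("pop", "ebp", bytes.fromhex("5d")),
    Insn("ret", "", bytes.fromhex("c3")),
]
FUNC_C = [
    Insn("xor", "eax, eax", bytes.fromhex("33c0")),
    Insn("mov", "ecx, [esp+4]", bytes.fromhex("8b4c2404")),
    Insn("test", "ecx, ecx", bytes.fromhex("85c9")),
    Insn("jz", "short +3", bytes.fromhex("7403")),
    Insn("inc", "eax", bytes.fromhex("40")),
    Insn("ret", "", bytes.fromhex("c3")),
]

if __name__ == "__main__":
    repo: Repo = {}
    store(repo, FUNC_A, "init_frame", "void __cdecl init_frame(void)", "prologue wrapper")
    print("opcode hashes equal:  ", opcode_hash(FUNC_A) == opcode_hash(FUNC_B))
    print("mnemonic hashes equal:", mnemonic_hash(FUNC_A) == mnemonic_hash(FUNC_B))
    print("simhash A~B / A~C:    ", similarity(FUNC_A, FUNC_B), similarity(FUNC_A, FUNC_C))
    print("lookup(FUNC_B):       ", lookup(repo, FUNC_B))
```

The exact opcode hash is the most precise but breaks on any rebuild, the mnemonic hash tolerates operand changes while still demanding the same instruction sequence, and the simhash degrades gracefully so that functions with inserted or removed instructions can still surface as candidates. A real deployment would tune the threshold and feature set against known-good corpora, since a loose threshold produces false matches and misleading analyst comments.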


