HITB-Invoice-Logo-1.png

An Ode to Rabbit Holes: Writing a New Decompiler Just for a Security Audit

Date

August 24, 2023

Time

17:30

Track

Track 1

When looking for vulnerabilities in products, we sometimes come across software running on seldom used technology without much documentation. We are then left with two choices: moving on, because going down this road will not offer a good return on investment of our time, or… ignore all common sense and dive down the rabbit hole to shed some light on that mysterious piece of tech.

Choosing the latter is how I crossed paths with JRuby. Unlike Scala, this Java Virtual Machine language isn’t very popular, but it is used by Elastic, RedHat, and eazyBI among others. It has even been labelled as a “high performance” alternative to the standard Ruby implementation. JRuby and its Intermediate Representation (IR) format provide ahead-of-time compilation that turns standard Ruby files into Java ones that contain a serialized IR of the original code.

In this talk, we will dive right down the rabbit hole of navigating through poorly documented software to turn black-box research to grey. We will look at vulnerabilities found during the audit of products that use JRuby thanks to this research and introduce YBurj, a new free and open-source JRuby IR decompiler released during the conference that allows the automated recovery of compiled source code.