
Automated Static Analysis Framework

Project description

d20

D20 is an asynchronous framework that attempts to aid analysts in dissecting a binary (or other file) in a non-serial manner. This means malicious programs that exhibit complex workflows, which might not be parsable in a serialized fashion, can be examined in an automated fashion using D20.

D20's core approach to gaining deep insights and overcoming the problems of serialized workflows is based on the Blackboard System. Three components comprise the Blackboard within D20:

  • Object Table
  • Fact Table
  • Hypothesis Table

When you run D20 against a file, it is entered into the Object Table as Object 0. All available NPCs will then execute against Object 0 and apply their expertise to add additional Objects to the Object table, Facts to the Fact table, or Hyps to the Hypothesis Table. As additional objects are uncovered (say...unzipping Object 0), they can be added as additional objects to the table and are treated the same way with all NPCs executing against it. If a block of data is added to the object table that is identical to an existing object, it will not be duplicated, but a relationship will be created to reflect it.

The Fact and Hypothesis tables are effectively identical. The only difference is that Fact objects added to the Hypothesis table are marked "tainted" so you know it is a best-guess based on the information at hand. Each column in the Fact Table is of a specific FactType. When a Fact of a given type is added, it will be added to the associated column (like a new single-cell row).

Any Player registered with the system that has an interest in the FactType of a Fact that is added will get cloned and instructed to use that Fact to perform additional analysis, adding more Facts to the table. All NPCs and Players have full access to the Object, Fact, and Hypothesis tables to do further analysis. They can use the relationships between all of the Objects and Facts to navigate the tables and structures without restriction, understand context, and apply it to gain additional insights. More Facts are added, and more Players are cloned and executed. Some Players can even put themselves into a WAITING state if they are looking for a specific FactType to hit the Fact Table that they need before performing additional steps (ex: identifying an encrypted blob and waiting for a decryption key to be added to the table).

This process continues until all Players have either finished adding Facts, or are sitting in a WAITING state and will not get any additional Facts to work with. The game will end at this point. The Game Master will execute the chosen Screen to look at all of the information available in the system (from all three tables), and present the data. It can print the data in a certain format, save it to a file, generate a host of files with information in them, push the data to a database, pull data from another system and combine it with the results to do something else, etc. What happens to the results at this point is really up to your creativity.
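As an added illustration of the loop described above (this is not code from the d20 package, whose real API, class names and FactTypes differ): a toy blackboard with a deduplicated Object Table, a Fact Table keyed by FactType, a tainted Hypothesis Table, one NPC, a Player that inflates zlib streams and carves trailing bytes, and a Player that sits in WAITING because the "xor_key" Fact it needs never arrives. The "XOR:" marker, the FactType names and the sample input are constructed for the demo.

```python
import hashlib, zlib
from collections import defaultdict

class Blackboard:
    def __init__(self):
        self.objects, self.by_hash, self.relations = [], {}, []         # Object Table, dedup index, links
        self.facts, self.hyps = defaultdict(list), defaultdict(list)     # Fact Table, Hypothesis Table
        self.new_objects, self.pending = [], []                         # queues: objects for NPCs, Facts for Players
    def add_object(self, data, parent=None, how="root"):
        h = hashlib.sha256(data).digest()
        oid = self.by_hash.get(h)
        if oid is None:                                 # unseen bytes: new row, every NPC will run on it
            oid = len(self.objects); self.objects.append(data)
            self.by_hash[h] = oid; self.new_objects.append(oid)
        if parent is not None: self.relations.append((parent, oid, how))   # duplicates only add a link
        return oid
    def add_fact(self, ftype, fact, tainted=False):     # tainted Facts land in the Hypothesis Table
        (self.hyps if tainted else self.facts)[ftype].append(fact)
        self.pending.append((ftype, fact))              # wakes Players registered for ftype

def npc_magic(bb, oid):                                 # NPC: executes against every object
    data = bb.objects[oid]
    if data[:2] in (b"\x78\x01", b"\x78\x9c", b"\x78\xda"): bb.add_fact("zlib", oid)
    if data[:4] == b"XOR:": bb.add_fact("xor_blob", oid)            # constructed marker for the demo
    if all(32 <= c < 127 for c in data): bb.add_fact("text", oid, tainted=True)  # a guess, so a Hyp
def player_inflate(bb, oid):                            # Player for FactType "zlib"
    d = zlib.decompressobj()
    bb.add_object(d.decompress(bb.objects[oid]), parent=oid, how="inflate")
    if d.unused_data: bb.add_object(d.unused_data, parent=oid, how="trailing")  # carve trailing bytes
    return "DONE"
def player_decrypt(bb, _fact):                          # WAITING until an "xor_key" Fact is added
    return "DONE" if bb.facts.get("xor_key") else "WAITING"
PLAYERS = {"zlib": [player_inflate], "xor_blob": [player_decrypt], "xor_key": [player_decrypt]}

def run_game(root, npcs=(npc_magic,), players=PLAYERS):
    bb, waiting = Blackboard(), {}
    bb.add_object(root)                                 # Object 0
    while bb.new_objects or bb.pending:                 # the game ends once both queues drain
        while bb.new_objects:
            oid = bb.new_objects.pop(0)
            for npc in npcs: npc(bb, oid)
        while bb.pending:
            ftype, fact = bb.pending.pop(0)
            for p in players.get(ftype, []):            # each interested Player runs on the Fact
                if p(bb, fact) == "WAITING": waiting[p.__name__] = ftype
                else: waiting.pop(p.__name__, None)
    return {"objects": len(bb.objects), "relations": bb.relations,      # the Screen: present the tables
            "facts": dict(bb.facts), "hyps": dict(bb.hyps), "waiting": waiting}
def sample_root():                                      # constructed input: the same zlib stream twice
    return zlib.compress(b"XOR:hello d20") * 2
```

Running `run_game(sample_root())` yields three objects, not four: the second inflate produces bytes identical to Object 1, so only the relationship (2, 1, "inflate") is recorded, and the Screen reports player_decrypt still WAITING on "xor_blob".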

For more detailed information, check readthedocs.

If you'd like to see some code that enables D20 to do things, you can find a corpus of capabilities in the D20-Extras repository.

Approved for Public Release; Distribution Unlimited. Public Release Case Number 21-0601

©2021 The MITRE Corporation. ALL RIGHTS RESERVED.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

d20-framework-0.5.0.tar.gz (62.6 kB)

Uploaded Source

Built Distribution

d20_framework-0.5.0-py3-none-any.whl (73.6 kB)

Uploaded Python 3

File details

Details for the file d20-framework-0.5.0.tar.gz.

File metadata

  • Download URL: d20-framework-0.5.0.tar.gz
  • Upload date:
  • Size: 62.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.8.0 pkginfo/1.8.2 readme-renderer/32.0 requests/2.27.1 requests-toolbelt/0.9.1 urllib3/1.26.8 tqdm/4.62.3 importlib-metadata/4.11.1 keyring/23.5.0 rfc3986/2.0.0 colorama/0.4.4 CPython/3.10.2

File hashes

Hashes for d20-framework-0.5.0.tar.gz
Algorithm Hash digest
SHA256 3410e7ae0327af52d69ab47e9ad1917eb0ed9b45e6ef64aa55f6cd8adbb1e2ec
MD5 94f549155e150a87e86f547d595639b4
BLAKE2b-256 4cc97ffa804fb05481606067debf53eaaee5612289829ba325df231cc4b28732

See more details on using hashes here.

File details

Details for the file d20_framework-0.5.0-py3-none-any.whl.

File metadata

  • Download URL: d20_framework-0.5.0-py3-none-any.whl
  • Upload date:
  • Size: 73.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.8.0 pkginfo/1.8.2 readme-renderer/32.0 requests/2.27.1 requests-toolbelt/0.9.1 urllib3/1.26.8 tqdm/4.62.3 importlib-metadata/4.11.1 keyring/23.5.0 rfc3986/2.0.0 colorama/0.4.4 CPython/3.10.2

File hashes

Hashes for d20_framework-0.5.0-py3-none-any.whl
Algorithm Hash digest
SHA256 c9f2d10d4375ab668e8635561ecb4577bc065b9f44977ce027132f58bcfe925d
MD5 f9ca2da0a110916d3abab7a975df9199
BLAKE2b-256 105f55c9c54590a556633cb2b3dc61ca9c97b741e3c4c93ca622d465bcda016a

See more details on using hashes here.
