Frequently Asked Questions about Zeropoint & Doppler
About Doppler & Zeropoint
GENERAL INQUIRIES
1. Who is Zeropoint Dynamics?
We are a small startup that spun out of UNC Chapel Hill in 2016, and were one of only a handful of startups to receive commercialization assistance from the Department of Homeland Security's Transition to Practice (TTP). Our initial endeavours centered around identifying and inspecting malicious code present within 'weaponized' documents. We've since expanded to investigating defenses for next-gen attack vectors such as so-called data-oriented attacks. Primarily, we provide cyber security R&D services for the Department of Defense.
2. Why build another disassembler?
Our daily routine requires examining binaries and understanding their behavior, whether for generic reverse engineering, malware forensics, or vulnerability analysis. We found that the existing state-of-the-art in binary analysis didn't cut it, and constantly required us to implement hacky plugins and glue code to combine analyses from multiple disparate tools. We decided it was time to go all-in and put resources towards developing the binary analysis tools that will make us much more efficient in the long-run.
3. Why use Doppler instead of another disassembler?
Doppler has both beauty and brains, a killer combination that is not matched by any other disassembler. Under the hood we leverage the latest findings in binary analysis research, and we built Doppler's core analysis routines to be easily extensible so that our capabilities will continue to advance with the state-of-the-art. Everything is streamlined to optimize the operator's analysis -- expedient analysis time, handling of extremely large files, shortcuts for everything. Beyond everyday binary analysis, Doppler is a framework for developing complex systems that require a reliable binary analysis component.
4. When can I purchase Doppler?
We are currently in Phase I of beta testing. Select organizations and researchers can get access to Doppler now at no cost, and through this beta period you have the opportunity to help focus R&D on your specific areas of need. At the conclusion of Phase I beta testing, Doppler will be available for purchase, and at the same time we will enter Phase II of beta testing with additional Doppler capabilities. We plan to iteratively release and test Doppler with added feature sets, starting with a hardened core set of static analyses, followed by dynamic analyses and widened platform support, and then specialty feature sets focused on malware, vulnerabilities and application security. Doppler will never be "finished"; it will continually improve as research in binary analysis advances.
5. Can I install Doppler offline?
Yes. You can sneaker-net the Doppler installer; no internet connection is required.
6. What platforms are supported?
Currently, Doppler is available for Microsoft Windows. We are internally testing Linux and OSX builds and will make an announcement on cross-platform support by the time of public release.
7. How do updates work?
Doppler will periodically check for updates and notify you that a new download is available. You will receive updates for a period of 1 year from your purchase date.
8. Do you offer training?
Not yet, but we are in the process of designing a training program!
Doppler's Capabilities
FEATURES
1. Does Doppler do debugging?
Not yet, but debugging is high on the priority list. Beyond basic debugging, we plan to provide an additional layer of semantic context by propagating and overlaying variable and object information over program memory. Our ultimate goal here is to provide a semantic label for every location in program memory.
2. When will the scriptable API SDK be ready?
The SDK release will coincide with the release of the public Doppler editions.
3. Which architectures can Doppler disassemble?
Currently, we disassemble x86, x86-64 and ARM. You can build plugins to support more architectures, but we do plan on adding additional architectures ourselves in response to customer demand.
4. Which binary file formats can Doppler parse?
Currently, we parse PE, ELF, lib and obj binary formats. You can build plugins to parse more binary formats, but we do plan on expanding the supported set ourselves in response to customer demand.
5. What kind of symbol information can Doppler leverage?
Doppler leverages function names and addresses, variable definitions and structure definitions from Windows PDB symbol files. Function names and addresses are taken from the symbol tables of ELF, lib and obj files.
6. Does Doppler use an Intermediate Language (IL)?
Yes! Doppler uses a custom IL for core analysis passes. Machine code is also lifted to LLVM bitcode as part of the decompilation engine. These ILs are not currently exposed in the API, but we are working towards tighter integration and availability of these representations.
7. Are multiple cores leveraged for analysis?
Not presently, but we put great effort into ensuring that analysis on a single core is more expedient than you might expect, making multi-core analysis a moot point.
8. What is a 'Function Matching Engine'?
Function matching enables you to check whether a function present in one binary is also present in another binary. To do so, we developed a method of 'fuzzy hashing' functions. We've used this engine to generate vast databases of known functions within compiler runtimes, third-party libraries and malware families. Identified functions are named within Doppler, giving you useful semantic context that makes analysis more expedient.
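The page does not describe how Doppler's fuzzy hashing works, so the following is an added illustration of the general technique, not Doppler's engine: operands are normalized (registers, immediates and memory references collapsed to placeholders) so that the same routine compiled at a different address or with different register allocation still produces the same features, and two functions are compared by the Jaccard similarity of their hashed instruction n-grams. The listings, the `KNOWN_FUNCTIONS` database and the names `crt_helper_a`/`crt_helper_b` are constructed for the example.

```python
"""Fuzzy function matching by normalized instruction n-grams (added illustration)."""
import hashlib
import re

# Constructed sample listings (Intel syntax); not output from Doppler.
# FUNC_B is FUNC_A "recompiled": different registers, stack slots and
# call/jump targets, so a byte-level hash would never match the two.
FUNC_A = """
push rbp
mov rbp, rsp
mov eax, dword ptr [rbp-0x4]
add eax, 0x10
call 0x401000
cmp eax, 0x20
jne 0x401234
pop rbp
ret
"""
FUNC_B = """
push rbp
mov rbp, rsp
mov ecx, dword ptr [rbp-0x8]
add ecx, 0x10
call 0x402000
cmp ecx, 0x20
jne 0x402234
pop rbp
ret
"""
FUNC_C = """
push rbp
mov rbp, rsp
xor eax, eax
lea rdi, [rbp-0x10]
call 0x401500
pop rbp
ret
"""

_MEM = re.compile(r"\[[^\]]*\]")                       # [rbp-0x4] -> MEM
_IMM = re.compile(r"\b0x[0-9a-fA-F]+\b|\b\d+\b")        # 0x10, 0x401000 -> IMM
_REG = re.compile(                                      # x86/x86-64 GPRs and SSE regs -> REG
    r"\b(?:r(?:[abcd]x|[sd]i|[sb]p|8|9|1[0-5])[bwd]?|e(?:[abcd]x|[sd]i|[sb]p)"
    r"|[abcd][lhx]|[sd]il?|[sb]pl?|[xy]mm\d+)\b"
)


def normalize(listing: str) -> list[str]:
    """Keep mnemonics and operand *shapes*; drop concrete registers, immediates, addresses."""
    out = []
    for line in listing.strip().splitlines():
        parts = line.strip().split(None, 1)
        if not parts:
            continue
        mnemonic, ops = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        ops = _MEM.sub("MEM", ops)   # memory operands first, so their registers vanish too
        ops = _IMM.sub("IMM", ops)
        ops = _REG.sub("REG", ops)
        out.append(f"{mnemonic} {ops}".strip())
    return out


def normalized_digest(listing: str) -> str:
    """Exact match on the normalized form: identical shape gives an identical digest."""
    return hashlib.sha256("\n".join(normalize(listing)).encode()).hexdigest()


def ngram_features(listing: str, n: int = 3) -> set[str]:
    """Fuzzy hash: the set of hashed n-grams over the normalized instruction sequence."""
    seq = normalize(listing)
    grams = [seq[i:i + n] for i in range(len(seq) - n + 1)] or [seq]  # short functions: one gram
    return {hashlib.sha256("|".join(g).encode()).hexdigest()[:16] for g in grams}


def similarity(a: str, b: str, n: int = 3) -> float:
    """Jaccard similarity of the two feature sets, in [0, 1]."""
    fa, fb = ngram_features(a, n), ngram_features(b, n)
    return len(fa & fb) / len(fa | fb) if (fa or fb) else 0.0


# Constructed "known functions" database: name to assign -> reference listing.
KNOWN_FUNCTIONS = {"crt_helper_a": FUNC_A, "crt_helper_b": FUNC_C}


def match_function(listing: str, db: dict[str, str], threshold: float = 0.8):
    """Return (name, score) of the best database hit at or above threshold, else None."""
    best = max(((name, similarity(listing, known)) for name, known in db.items()),
               key=lambda t: t[1], default=None)
    return best if best and best[1] >= threshold else None


if __name__ == "__main__":
    print(match_function(FUNC_B, KNOWN_FUNCTIONS))   # FUNC_B is recognised as crt_helper_a
```

The threshold is the knob that trades false positives for coverage: a normalized exact digest is safest for naming functions automatically, while the n-gram score is what lets a slightly patched or re-optimized routine still be found. Real engines additionally weight or drop very common n-grams (prologue/epilogue sequences) so that every function does not look a little like every other.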
9. Is the decompiler any good, and how does it work?
Yes, it is amazing! Doppler implements the most practical and most readable decompilation techniques from recent research efforts. In short, we first lift machine code to LLVM bitcode using an emulation-based lifting approach. Next, we simplify the code using a number of LLVM passes. We then generate an Abstract Syntax Tree (AST) from this simplified bitcode and run a series of passes to improve the human-readability of the code. Finally, we traverse the AST to generate high-level code. A blog post will be available soon that further details the decompilation process.
10. How do I write a plugin?
There are two types: frontend and backend extensions. Frontend extensions enhance the presentation layer with code annotations, new visualizations or new types of display; these are written in TypeScript. Backend extensions, on the other hand, provide additional analysis capabilities such as new CPU or binary format support, or enhanced disassembly or decompilation analysis passes. Backend extensions are natively written in Go, but can also be scripted through the API using Python or any other language capable of communicating over a RESTful JSON-RPC API. Tutorials will be available coinciding with the SDK release.
11. What is 'Malware Lineage'?
The malware lineage capabilities available in the enterprise edition provide enhanced situational awareness about malware. A massive historical and current database of malware artifacts is leveraged to inform you of the malware family, how the code used in that particular sample has evolved over time, and the motives and goals of the campaign, and to highlight the unique differences between that sample and other observed instances.
12. How does static packer unpacking work?
It's estimated that around 80% of malware is packed. This is a nuisance to reverse engineers, and typically requires firing up an isolated virtual machine, manually debugging the binary, extracting the unpacked code from memory, and reconstructing the original binary. Doppler can handle this for you in an automated way, without a sandboxed virtual machine. To do so, we emulate the operating system environment and program execution, extract code from the emulated memory, and reconstruct the original binary, all in a single automated step. Unpacking does not work for every binary, but the vast majority of packed malware can be analyzed with this feature.
Protecting our Customers
PRIVACY & SECURITY
1. Do you collect or track any information?
Doppler has built-in telemetry, which does not include any personally identifying information or any information about the content of the files being analyzed. We use this information to help us assess the most-used features and improve the workflow of binary analysis with Doppler. We also make use of cookies on the website. Our privacy policy contains more information.
2. What coding practices are in place to minimize vulnerabilities in Doppler?
The vast majority of our core parsing and analysis code is written in Golang. We implement secure coding practices with a heavy emphasis on input validation. We also enforce code test coverage and automated application security testing on every code commit.
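Input validation matters most in a disassembler's format parsers, because every header field is chosen by whoever built the binary, and malware authors do craft PE files that crash or exploit naive tools. The block below is an added example, written for this page rather than taken from Doppler's own (Go) parser, of what that discipline looks like for the PE section table mentioned in question 4 above: each offset and length read from the file is checked against the file size before it is used, and a corrupt file is rejected with an exception instead of an out-of-bounds read. The `build_sample_pe` helper constructs a minimal PE-shaped file for the demonstration; the `e_lfanew` override exists only to craft a malformed header.

```python
"""Bounds-checked PE section-table parser (added illustration, not Doppler's code)."""
import struct

# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_HEADER = "<HHIIIHH"
# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HEADER = "<8sIIIIIIHHI"
MAX_SECTIONS = 96   # the Windows loader refuses images with more sections than this


class PEFormatError(ValueError):
    """Raised for any header value that does not fit inside the file."""


def parse_pe_sections(data: bytes) -> list[dict]:
    """Return the section table of a PE file, validating every offset before use."""
    size = len(data)
    if size < 0x40 or data[:2] != b"MZ":
        raise PEFormatError("missing or truncated DOS header")
    # e_lfanew is attacker-controlled: check it before dereferencing it
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    coff_off = e_lfanew + 4
    if coff_off + struct.calcsize(COFF_HEADER) > size:
        raise PEFormatError("e_lfanew points outside the file")
    if data[e_lfanew:coff_off] != b"PE\0\0":
        raise PEFormatError("bad NT signature")
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER, data, coff_off)
    if nsections > MAX_SECTIONS:
        raise PEFormatError(f"{nsections} sections exceeds loader limit")
    table = coff_off + struct.calcsize(COFF_HEADER) + opt_size
    entry = struct.calcsize(SECTION_HEADER)
    if table + nsections * entry > size:
        raise PEFormatError("section table runs past end of file")
    sections = []
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from(SECTION_HEADER, data, table + i * entry)[:5]
        # Python ints do not wrap, so the sum is safe here; a C parser must instead
        # test raw_ptr > size - raw_size to avoid an integer-overflow bypass.
        if raw_ptr + raw_size > size:
            raise PEFormatError(f"section {name!r} raw data exceeds file size")
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va, "virtual_size": vsize,
            "raw_offset": raw_ptr, "raw_size": raw_size,
        })
    return sections


def build_sample_pe(sections: list[tuple[bytes, bytes]], e_lfanew: int = 0x40) -> bytes:
    """Construct a minimal PE-shaped file (DOS header, COFF header with no optional
    header, section table, raw data). The headers always sit at 0x40; e_lfanew is
    written as given so a bogus value can be planted for testing."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)          # 0x40 bytes
    coff = b"PE\0\0" + struct.pack(COFF_HEADER, 0x8664, len(sections), 0, 0, 0, 0, 0x0002)
    raw_ptr = 0x40 + len(coff) + struct.calcsize(SECTION_HEADER) * len(sections)
    headers, raw, va = b"", b"", 0x1000
    for name, body in sections:
        headers += struct.pack(SECTION_HEADER, name.ljust(8, b"\0"), len(body), va,
                               len(body), raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw += body
        raw_ptr += len(body)
        va += 0x1000
    return dos + coff + headers + raw


def rejects(data: bytes) -> bool:
    """True if the parser refuses the input instead of reading out of bounds."""
    try:
        parse_pe_sections(data)
    except PEFormatError:
        return True
    return False


if __name__ == "__main__":
    sample = build_sample_pe([(b".text", b"\x90" * 16), (b".data", b"A" * 8)])
    print(parse_pe_sections(sample))
    print("truncated file rejected:", rejects(sample[:-4]))
```

The same pattern (read a length or offset, prove it lies within the buffer, only then index with it) applies to every other table in PE, ELF and archive files, and it is exactly the class of check that fuzzing and automated application security testing on each commit are meant to keep honest.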
3. How do you ensure the safety of extensions in the Marketplace?
Extensions are sandboxed by default using Google Chrome's sandboxing engine. These sandboxed extensions are locked down in the same way that Chrome renderer processes prevent browser-based exploits from directly accessing your system.