Software Reverse Engineering – GCHQ
June 22, 2015
TOP SECRET
Software Reverse Engineering
Network Defence performs reverse engineering both of malicious and of non-malicious
code, i.e. code is translated from machine-readable to human-readable
form so that its functions and vulnerabilities can be analysed more easily. Analysis of
non-malicious code is undertaken for two main reasons: to establish the
vulnerability of Operating Systems and applications to electronic attack, and to
authenticate the claims made for security-related products and their general
suitability for HMG use. All this knowledge informs advice to HMG on
electronic attack.
Network Defence's SRE work is mainly in support of the Response and IA teams, but
occasionally for other parts and external customers. Within ND, both the
VR and the ID teams perform SRE work.
POCs: (VR), (ID).
Main Customers
Internal (0 Hlle.
Sources: where does the material come from?
Malicious code is acquired via various routes: HARUSPEX/GORDIAN KNOT,
OGDs, commercial organisations.
Non-malicious code is acquired through normal commercial channels.
'Target' location
Not applicable
Legal Authorities
Reverse engineering of malicious code does not require a warrant, because there is
no agreement with the author that would be breached by carrying out that activity.
However, reverse engineering of commercial products needs to be warranted in
order to be lawful. Network Defence may rely on GO SRE warrant
(renewable every 6 months). There are some limitations to this warrant: it only
covers us under UK law, for example, and it only authorises work conducted for a
SIGINT or IA purpose. The authorisation for SRE work has been discussed with
d, the SRE co-ordinator for CCNE.
Local authorisation forms for commercial SRE work under this warrant are signed by
(for the ID team) or by one of a list of named individuals (for the VR
team). Because it is hard for the ID team to predict which products it may have to
reverse engineer, and such work may need to be authorised at short notice, ID team
SRE work is authorised en masse on a yearly basis. Who approved this
arrangement?
Input from VerD is required every 6 months to support SRE warrant
renewal. This can be based on the local authorisation forms for that period.
Note: Until Feb 03 the ID team were not following the internal authorisation
procedure. This error was reported on 29roroe and has now been corrected. SRE
performed by the ID team before that date has been authorised retrospectively.
Local Policy statements
The internal process for authorising SRE work is described at:
tsrele
SRE Warrant:
9014a
SRE renewal Junl]. ..
See also emails of 14/1/08, 23/6/08.
Details of team SRE work, including completed authorisation forms and the list of
people who can authorise VR team SRE work:
T:i_lilA RA Staff
RA ID Malicious Code
Researchi_SRE Legalities
Auditing arrangements
The following are responsible for ensuring that SRE work complies with the
terms of the warrant, if applicable:
List of local authorisers (VR team)
(ID team)
Status:
Updated 15cm, following meeting with
This information is exempt from disclosure under the Freedom of Information Act and may be subject to exemption under
other UK information legislation. Refer disclosure requests to GCHQ on (non-sec) or email @Q?liq