TOP SECRET

Software Reverse Engineering

Network Defence performs reverse engineering both of malicious and of non-malicious code, i.e., code is translated from machine-readable to human-readable form so that its functions and vulnerabilities can be analysed more easily. Analysis of non-malicious code is undertaken for two main reasons: to establish the vulnerability of Operating Systems and applications to electronic attack, and to authenticate the claims made for security-related products and their general suitability for HMG use. All this knowledge informs advice to HMG on electronic attack.

Network Defence's SRE work is mainly in support of the Response and IA teams, but occasionally for other parts and external customers. Within ND, both the VR and the ID teams perform SRE work.

POCs: (VR), (ID).

Main Customers

Internal (0 Hlle.

Sources: where does the material come from?

Malicious code is acquired via various routes HARUSPEXIGORDIAN KNOT, OGDs, commercial organisations. Non-malicious code is acquired through normal commercial channels.

'Target' location

Not applicable

Legal Authorities

Reverse engineering of malicious code does not require a warrant, because there is no agreement with the author that would be breached by carrying out that activity. However, reverse engineering of commercial products needs to be warranted in order to be lawful. Network Defence may rely on GO SRE warrant (renewable every 6 months). There are some limitations to this warrant: it only covers us under UK law, for example, and it only authorises work conducted for a SIGINT or IA purpose. The authorisation for SRE work has been discussed with d, the SRE co-ordinator for CCNE.

Local authorisation forms for commercial SRE work under this warrant are signed by (for the ID team) or by one of a list of named individuals (for the VR team).
Because it is hard for the ID team to predict which products it may have to reverse engineer, and such work may need to be authorised at short notice, ID team SRE work is authorised en masse on a yearly basis. Who approved this arrangement?

Input from VerD is required every 6 months to support SRE warrant renewal. This can be based on the local authorisation forms for that period.

Note: Until Feb 03 the ID team were not following the internal authorisation procedure. This error was reported on 29roroe and has now been corrected. SRE performed by the ID team before that date has been authorised retrospectively.

Local Policy statements

The internal process for authorising SRE work is described at: tsrele

SRE Warrant: 9014a SRE renewal Junl]

See also emails of 14/1/08, 23/6/08.

Details of team SRE work, including completed authorisation forms and the list of people who can authorise VR team SRE work: T:i_lilA RA Staff RA ID Malicious Code Researchi_SRE Legalities

Auditing arrangements

The following are responsible for ensuring that SRE work complies with the terms of the warrant, if applicable:

List of local authorisers (VR team)
(ID team)

Status: Updated 15cm, following meeting with

This information is exempt from disclosure under the Freedom of Information Act and may be subject to exemption under other UK information legislation. Refer disclosure requests to GCHQ on (non-sec) or email @Q?liq