OptiROP: hunting for ROP gadgets in style

Presented at Black Hat USA 2013, Aug. 1, 2013, 5 p.m. (Unknown duration)

Return-Oriented Programming (ROP) is the fundamental technique for bypassing the widely used DEP-based exploitation mitigation. Unfortunately, available tools that help find ROP gadgets rely mainly on syntactic searching. This method proves to be inefficient and time-consuming, and makes the process of developing ROP-based shellcode pretty frustrating for exploit writers. This research attempts to solve the problem by introducing a tool named OptiROP that lets exploit writers search for ROP gadgets with semantic queries. OptiROP supports input binaries of all executable formats (PE/ELF/Mach-O) on the x86 and x86_64 architectures. Combining sophisticated techniques such as code normalization, code optimization, code slicing, SMT solving, parallel processing and some heuristic search methods, OptiROP is able to discover the desired gadgets very quickly and with much less effort. Our tool also provides the detailed semantic meaning of each gadget found, so users can easily decide how to chain their gadgets into the final shellcode. In cases where no suitable gadget is found, OptiROP tries to pick and chain available gadgets to create a sequence of gadgets satisfying the input requirements. This significantly eases the hard job of shellcode writers, so they can focus their time on the other tedious parts of the exploitation process. Our talk will entertain the audience with some live demos, so they can see how OptiROP generates gadgets in reality.

Presenters:

  • Nguyen Anh Quynh - Coseinc
    Nguyen Anh Quynh is a security researcher. His interests include operating systems, virtual machines, computer forensics and malware analysis. In past years, he has published and presented his work at various academic and industrial conferences all around the world. Quynh holds a PhD in Computer Science and is a member of the Vnsecurity group.