Capstone: Next Generation Disassembly Framework

Presented at Black Hat USA 2014, Aug. 7, 2014, 5 p.m. (60 minutes)

Disassembly framework is the fundamental component in all binary analysis, reversing, and exploit development. However, it is shameful that until the end of 2013, there was no single framework that can handle multi-architecture machine code with a friendly license. Especially, with the shift of the computer industry towards multi-platforms products, the lack of such a disassembly engine becomes serious and should be fixed as soon as possible. Unfortunately, at that time, there was no light at the end of the tunnel, as apparently nobody proposed anything to fix it. We decided to step up and took the problem in our own hands to solve it once and for all. As a result, Capstone engine was born, and fixed all the outstanding issues. Our disassembly framework offers some unparalleled features, as highlighted below: - Multiple architectures: ARM, ARM64 (ARMv8), Mips, PowerPC, Sparc, SystemZ X86. - Multiple platforms: Windows & *nix (with Mac OSX, iOS, Android, Linux, *BSD & Solaris confirmed). - Implemented in pure C, with bindings for Python, Ruby, C#, Java, NodeJS, GO, OCaml & Vala available. - Clean/simple/lightweight/intuitive architecture-neutral API. - Provide details on disassembled instruction (called "decomposer" by some others). - Provide some semantics of the disassembled instruction, such as list of implicit registers read & written. - Thread-safe by design. - Special support for embedding into firmware or OS kernel. - Distributed under the open source BSD license. This talk introduces some existing disassembly frameworks, then goes into details of their design/implementation and explains their current issues. Next, we will present the architecture of Capstone and the challenges of designing and implementing it. The audience will understand the advantages of our engine and see why the future is assured, so that Capstone will keep getting better, stronger and become the ultimate disassembly engine of choice for the security community. Last but not least, we will introduce some cutting-edge binary analysis frameworks built on top of Capstone, which open the whole new potentials for a range of areas like reversing, exploitation development, and malware detection. Full source code of Capstone with new advanced features will be released at Black Hat USA 2014.

Presenters:

• Nguyen Anh Quynh - Coseinc   as Quynh Nguyen Anh
  Nguyen Anh Quynh is a security researcher. He has presented his researches in various conferences all around the world, such as EusecWest, Hack In The Box, Hack.lu, Syscan, DeepSec, Black Hat, DEF CON, XCon, etc. Quynh holds a PhD degree in Computer Science, and is a member of Vnsecurity, a pioneer security research group in Vietnam.

Links:

• https://www.blackhat.com/us-14/archives.html#capstone-next-generation-disassembly-framework
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2014/video/Capstone - Next Generation Disassembly Framework.mp4
• https://www.youtube.com/watch?v=cwyJm6b1F0k
• https://www.blackhat.com/docs/us-14/materials/us-14-NguyenAnh-Capstone-Next-Generation-Disassembly-Framework.pdf

Similar Presentations:

• REcon 2019 / The (Long) Journey To A Multi-Architecture Disassembler
• Black Hat USA 2016 / Keystone Engine: Next Generation Assembler Framework
• Black Hat USA 2015 / Unicorn: Next Generation CPU Emulator Framework