Unicorn: Next Generation CPU Emulator Framework

Presented at Black Hat USA 2015, Aug. 5, 2015, 10:20 a.m. (50 minutes).

CPU emulator is a program emulating the internal operation of a physical CPU in software. CPU emulator plays a vital role and has a lot of applications in computer security area, such as reversing obfuscated malware or verifying code semantics. Unfortunately, such a fundamental component does not get the attention it absolutely deserves. At the moment, all the existing CPU emulators suffer from some major issues: Do not get updated with latest hardware. Example: PyEmu for X86 was released in 2009, but no longer developed since then.Mostly available only for Python, but support for other programming languages is not existent.Often restricted to some environments, thus cannot be used to build independent tools. Example: IDA-x86emu is for IDA Pro only.No single tool supports Intel X86_64, which is the dominant architecture at the moment.Solely focus on X86, but support for other important architectures are horribly missing: Arm, Arm64, Mips, PPC, Sparc, etc. It is unbelievable that the lack of such a fundamental component as CPU emulator has happened forever without a proper fix. We decided to step up and took the problem in our own hands to solve it once and for all. As a result, Unicorn emulator was born and succesfully handles all the outstanding problems. Unicorn offers some unparalleled features, as highlighted below: Provide an independent framework to develop independent security tools on top of it. Building plugins for other environment, such as IDA is also well supported.Multi-architectures: Unicorn can emulate all the popular architectures, such as X86 (including X86_64), ARM, ARMv8, M68K, Mips, PowerPC, and Sparc, etc.Multi-platforms: Natively available for Windows, Mac OSX, Linux & *BSD.Implemented in pure C, with bindings for Python available. Support for other languages are also in pipeline.Clean/simple/lightweight/intuitive architecture-neutral API.Thread-safe by design.Open source. This talk introduces some existing emulators, then goes into details of their design/implementation and explains their current issues. Next, we will present the architecture of Unicorn and the challenges of designing and implementing it. The audience will understand the advantages of our framework and see why the future is assured, so that Unicorn will keep getting better, stronger and become the emulator engine of choice for the security community. Unicorn aims to lay the ground for innovative works. To conclude the talk, some new advanced tools built on top of Unicorn will be introduced to demonstrate its power, so the audience can see how our framework can open up many opportunities for future of security research & development.

Presenters:

  • Hoang-Vu Dang - UIUC
    Hoang-Vu Dang is a security engineer and researcher. He is a member (under the alias w00d) of VNSECURITY, the pioneer and leading security research group in Vietnam. He is currently a PhD candidate, major in Computer Science at UIUC. During his free time, he contributes to Security Open Source projects, write exploits and play Capture-The-Flag (CTF) with his fellows at VNSECURITY.
  • Nguyen Anh Quynh - Coseinc
    Nguyen Anh Quynh is a security researcher. He has presented his researches in various conferences all around the world, such as EusecWest, HackInTheBox, Hack.lu, Syscan, DeepSec, Black Hat, and DEFCON, etc. Quynh holds a PhD degree in Computer Science, and is a member of Vnsecurity, a pioneer security research group in Vietnam. Quynh is also the author of Capstone disassembly engine (www.capstone-engine.org).

Links:

Similar Presentations: