Taint-based return oriented programming

Presented at REcon 2018, June 17, 2018, 11:30 a.m. (30 minutes).

There are roughly two kinds of tools for return oriented programming (ROP): _syntactic_ tools that return the disassembly of gadgets and sometimes perform template based automatic chaining, and _symbolic_ tools that compute a symbolic representation of the output state for each gadget and allow more powerful manipulations. The former are very fast but only allow regex queries, the latter allow symbolic queries but are much slower. We propose an intermediate approach, faster than symbolic tools and allowing more expressive queries than syntactic tools: taint-based ROP (T-Brop). T-Brop uses a coarse semantic of instructions. Instead of a precise symbolic I/Orelationship, it only relies on a dependency matrix reflecting how a taint would be propagated by a given gadget.

Presenters:

  • Colas Le Guernic
    Colas Le Guernic is a researcher in the information systems security departement of [DGA Maîtrise de l'Information](https://www.defense.gouv.fr/dga) and an associate member of the project-team [Tamis](https://team.inria.fr/tamis/) at Inria Rennes - Bretagne Atlantique. He his mainly interested in malware and binary software analysis.
  • François Khourbiga
    After more then fifteen years doing computer security for various french administrations, François Khourbiga is now a security engineer at [Orange Cyberdefense (https://cyberdefense.orange.com). He is manly interested in malware analysis.

Links:

Similar Presentations: