Taint-based return oriented programming

Presented at REcon 2018, June 17, 2018, 11:30 a.m. (30 minutes)

There are roughly two kinds of tools for return oriented programming (ROP): _syntactic_ tools that return the disassembly of gadgets and sometimes perform template-based automatic chaining, and _symbolic_ tools that compute a symbolic representation of the output state for each gadget and allow more powerful manipulations. The former are very fast but only allow regex queries; the latter allow symbolic queries but are much slower. We propose an intermediate approach, faster than symbolic tools and allowing more expressive queries than syntactic tools: taint-based ROP (T-Brop). T-Brop uses a coarse semantics of instructions. Instead of a precise symbolic I/O relationship, it only relies on a dependency matrix reflecting how a taint would be propagated by a given gadget.
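As an added illustration of the idea in the abstract (this is not the authors' T-Brop code), the Python sketch below builds a boolean dependency matrix per gadget: `deps[dst]` is the set of input registers whose value can flow into `dst` after the gadget runs. The instruction subset, the `mem` pseudo-register standing in for all memory, and the gadget catalogue are constructed assumptions; a real tool would derive the matrices from a disassembler's semantics. The example also shows the two things such a matrix buys you over a regex: queries that state data flow and preservation constraints, and chaining by boolean matrix product.

```python
"""Toy taint-based gadget index (T-Brop-style), an added example.

Assumptions: a hand-written x86-64 subset (mov/add/sub/and/or/xor/push/pop/ret),
registers as strings, and one pseudo-register "mem" that stands for all memory.
Flags and stack-pointer arithmetic are ignored: the point is coarse data flow,
not exact values.
"""
from typing import Dict, FrozenSet, Iterable, List, Tuple

REGS = ("rax", "rbx", "rcx", "rdx", "rsi", "rdi", "rsp", "mem")
Deps = Dict[str, FrozenSet[str]]          # deps[dst] = registers dst may depend on


def identity() -> Deps:
    """Before any instruction, every register depends only on itself."""
    return {r: frozenset({r}) for r in REGS}


def _is_mem(op: str) -> bool:
    return op.startswith("[") and op.endswith("]")


def _src_deps(deps: Deps, op: str) -> FrozenSet[str]:
    """Taint carried by an operand read: register, memory load, or immediate."""
    if _is_mem(op):
        return deps[op[1:-1]] | deps["mem"]   # loaded value depends on address and memory
    if op in deps:
        return deps[op]
    return frozenset()                        # immediate: no dependency on inputs


def propagate(deps: Deps, insn: str) -> Deps:
    """Apply one instruction to the dependency state (coarse, over-approximating)."""
    parts = insn.replace(",", " ").split()
    mnem, ops = parts[0], parts[1:]
    d = dict(deps)
    if mnem == "ret":
        return d                              # control flow only; data deps unchanged
    if mnem == "pop":
        d[ops[0]] = deps["mem"] | deps["rsp"]  # value comes from the stack at rsp
    elif mnem == "push":
        d["mem"] = deps["mem"] | deps["rsp"] | _src_deps(deps, ops[0])
    elif mnem == "mov":
        dst, src = ops
        val = _src_deps(deps, src)
        if _is_mem(dst):                      # store: memory now also depends on address and value
            d["mem"] = deps["mem"] | deps[dst[1:-1]] | val
        else:
            d[dst] = val                      # register overwritten: old taint dropped
    elif mnem in ("add", "sub", "and", "or", "xor"):
        dst, src = ops
        if mnem == "xor" and dst == src:
            d[dst] = frozenset()              # xor r, r clears r: constant, no dependency
        else:
            d[dst] = deps[dst] | _src_deps(deps, src)
    else:
        raise ValueError(f"unsupported mnemonic: {mnem}")
    return d


def gadget_matrix(gadget: str) -> Deps:
    """Dependency matrix of a ';'-separated gadget string ending in ret."""
    deps = identity()
    for insn in gadget.split(";"):
        deps = propagate(deps, insn.strip())
    return deps


def compose(first: Deps, second: Deps) -> Deps:
    """Taint through `first` then `second`: a boolean matrix product."""
    return {dst: frozenset().union(*(first[s] for s in second[dst])) for dst in REGS}


def matches(deps: Deps,
            requires: Iterable[Tuple[str, str]] = (),
            forbids: Iterable[Tuple[str, str]] = (),
            preserved: Iterable[str] = ()) -> bool:
    """requires/forbids are (dst, src) flows; preserved registers must stay untouched."""
    if any(src not in deps[dst] for dst, src in requires):
        return False
    if any(src in deps[dst] for dst, src in forbids):
        return False
    return all(deps[r] == frozenset({r}) for r in preserved)


def query(gadgets: Iterable[str], **constraints) -> List[str]:
    return [g for g in gadgets if matches(gadget_matrix(g), **constraints)]


# Constructed gadget catalogue (not taken from any real binary).
GADGETS = [
    "mov rdi, rax ; ret",
    "pop rdi ; ret",
    "mov rax, [rbx] ; add rax, rcx ; ret",
    "xor rax, rax ; ret",
    "mov rdi, rax ; pop rbx ; ret",
    "mov [rdx], rsi ; ret",
]

if __name__ == "__main__":
    # "move rax into rdi without clobbering rbx": excludes the variant that pops rbx
    print(query(GADGETS, requires=[("rdi", "rax")], preserved=["rbx"]))
    # "load something from memory into rax"
    print(query(GADGETS, requires=[("rax", "mem")]))
    chain = compose(gadget_matrix("mov rax, rbx ; ret"), gadget_matrix("mov rdi, rax ; ret"))
    print(sorted(chain["rdi"]))               # rbx flows to rdi across the two gadgets
```

The matrix answers "can this input reach that output" but not "with what value", which is exactly the trade-off the abstract describes: no solver is involved, so indexing a whole binary is cheap, and a candidate returned by a query may still need a symbolic or concrete check before it is placed in a chain.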

Presenters:

  • François Khourbiga
    After more than fifteen years doing computer security for various French administrations, François Khourbiga is now a security engineer at [Orange Cyberdefense](https://cyberdefense.orange.com). He is mainly interested in malware analysis.
  • Colas Le Guernic
    Colas Le Guernic is a researcher in the information systems security department of [DGA Maîtrise de l'Information](https://www.defense.gouv.fr/dga) and an associate member of the project-team [Tamis](https://team.inria.fr/tamis/) at Inria Rennes - Bretagne Atlantique. He is mainly interested in malware and binary software analysis.
