unROP: A Tool for In-Memory ROP Exploitation Detection and Traceback

Presented at ShmooCon X (2014), Jan. 19, 2014, 11 a.m. (60 minutes).

The talk is about how to help security researchers automatically trace back from an identified attack to the exact software bug that is the entry point of the exploitation. Specifically, our open-source software unROP helps researchers analyze ROP exploitations and automatically unwrap the detected ROP chain.

Analyzing ROP-based exploitations currently requires serious manual effort from security researchers to find and unroll the chain of hundreds and thousands of gadgets. The talk presents an approach to reduce this manual effort by identifying ROP components from a memory dump and automatically tracing back to the software vulnerability. The unROP tool is based on the characteristics of ROP gadgets that we collected from popular gadget generation software. The unROP tool also scans memory for signs of other exploitation techniques, such as stack pivoting and heap spray attacks. The talk includes demonstrations of applying the software tool to recent ROP-based exploitations.


Presenters:

  • Lee Harrison
    Lee is a computer security researcher and member of the CTF team disekt. His research interests include reverse engineering and mobile security. He currently resides in the state of Georgia.
  • Kang Li
    Kang Li is an Associate Professor of Computer Science at the University of Georgia. He graduated with his Ph.D. from Oregon Graduate Institute. Before joining the University of Georgia, he was a research scientist at Georgia Tech. His research interests are in the areas of computer security and operating systems.
  • Xiaoning Li
    Xiaoning Li is a security researcher for a Fortune 50 company. For the past 10 years, his work has focused on vulnerability research, new exploit development, malware analysis and reverse engineering.
