Frustrating Emulation with Delay Slots in MIPS and MIPS16

Presented at TROOPERS18 (2018), March 13, 2018, 2:30 p.m. (Unknown duration)

In the same way that ARM has Thumb as its 16-bit compressed instruction set, MIPS has MIPS16 for compressed instructions. Both MIPS and MIPS16 support delay slots, and these delay slots are far more complicated than the "just execute the instruction after the branch" rule that you learned in undergrad Computer Organization. In this talk, we'll explain how delay slots work in the real world, and how to measure and test their behavior for quirks. We will also show how to abuse these quirks to rewrite executables in a way that frustrates reverse engineering and emulation. The usefulness for sandbox detection has been well-documented and researched on traditional x86/64 systems, and to some extent on ARM systems. These techniques have been used for defeating malware analysis sandboxes, interfering with debugging, identifying specific systems, and for other purposes. However, the good techniques are highly processor dependent and similar techniques have not been found for embedded processors. Our talk presents novel techniques, and how we found them, for the MIPS16 instruction family. This can be used to frustrate reverse engineering and emulation of malware for home routers and other embedded targets.


  • Travis Goodspeed
    Travis Goodspeed is a reverse engineer from Southern Appalachia. His projects include the GoodFET, the Facedancer, PoC||GTFO, and a World War 2 comedy novel featuring the 509th Airborne Infantry. His wristwatch contains a hex editor, disassembler and ham radio. With Ryan Speers and the Dartmouth Scooby Crew, he invented the Packet-in-Packet technique for remotely injecting Layer 1 radio frames given control of only Layer 7 data.
  • Ryan Speers