Making ROP Better with CPU Emulation and Realtime Analysis

Dylan Knoff

Gadget searchers have remained basic and relatively unchanged throughout the years. Generally, with these tools you specify a binary, a type of search query and comb through the results. While these ROP tools are reliable, they are primitive and lack functionality such as data aggregation and memory analysis, which could help a developer build a more desirable payload.

Introducing ROPView, a gadget analysis framework for BinaryNinja that integrates granular per-instruction analysis, memory side-effect visualization, pre-state definitions, and complex semantic and logical display filters. ROPView features an analysis pane for any selected gadget, backed by Unicorn Engine, to run powerful and compactly designed emulations, diff side effects on registers and memory, and save the results into queryable DataFrames.

These emulations utilize a real-time resolving algorithm that strategically maps target memory ranges from the binary as requested, providing a fast but accurate analysis. These heuristics, along with other gadget attributes, are then cached and saved into Pandas DataFrames, allowing for advanced logical and semantic-based searches unlike any other tool. The result of these features is a much more capable effect-based gadget search engine and interestingly designed gadget analysis/search/query algorithms that are worth seeing!
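To make the emulate-diff-query pipeline concrete, here is an added example that is not ROPView's code and not part of the original abstract. It stands in a hand-written interpreter for a tiny x86-64 subset where ROPView uses Unicorn, and a list of dicts where ROPView uses Pandas DataFrames, so it runs with the standard library alone. The gadget listing, addresses, marker values and helper names (`initial_state`, `analyse`, `query`) are all constructed for illustration.

```python
"""Effect-based gadget analysis in miniature: emulate, diff, query.

Constructed illustration of the approach the abstract describes. A small
hand-written interpreter stands in for Unicorn and plain dicts stand in
for DataFrames. Gadgets, addresses and marker values are hypothetical.
"""
import copy
from dataclasses import dataclass, field

MASK = (1 << 64) - 1
REGS = ["rax", "rbx", "rcx", "rdx", "rsi", "rdi", "rbp", "rsp", "rip",
        "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]
STACK_BASE = 0x7FFC0000            # hypothetical initial rsp
STACK_MARKER = 0x4141414141414100  # stack slot i holds STACK_MARKER + i


@dataclass
class State:
    regs: dict
    mem: dict                         # address -> 8-byte value (sparse memory)
    mem_reads: list = field(default_factory=list)
    mem_writes: list = field(default_factory=list)


def initial_state(overrides=None):
    """Pre-state: every register and stack slot holds a distinct marker, so a
    diff shows which inputs a gadget consumed. `overrides` is the user's
    pre-state definition, e.g. {"rdi": 0x1234}."""
    regs = {r: 0x1000 + 0x100 * i for i, r in enumerate(REGS)}
    regs["rsp"] = STACK_BASE
    regs.update(overrides or {})
    mem = {STACK_BASE + 8 * i: STACK_MARKER + i for i in range(16)}
    return State(regs, mem)


def _operand(state, text):
    """Resolve a register, a [register] memory reference or an immediate."""
    if text.startswith("["):
        addr = state.regs[text.strip("[]")]
        state.mem_reads.append(addr)
        return state.mem.get(addr, 0)
    return state.regs[text] if text in state.regs else int(text, 0)


def step(state, ins):
    """Execute one instruction of the supported subset, mutating `state`."""
    op, _, rest = ins.partition(" ")
    args = [a.strip() for a in rest.split(",")] if rest else []
    r = state.regs
    if op in ("pop", "ret"):                  # both consume one stack slot
        state.mem_reads.append(r["rsp"])
        r["rip" if op == "ret" else args[0]] = state.mem.get(r["rsp"], 0)
        r["rsp"] = (r["rsp"] + 8) & MASK
    elif op == "push":
        r["rsp"] = (r["rsp"] - 8) & MASK
        state.mem[r["rsp"]] = _operand(state, args[0])
        state.mem_writes.append(r["rsp"])
    elif op in ("mov", "add", "sub", "xor"):
        dst, src = args
        val = _operand(state, src)
        if dst.startswith("["):               # store form: plain mov only
            if op != "mov":
                raise ValueError(f"unsupported store form: {ins!r}")
            addr = r[dst.strip("[]")]
            state.mem[addr] = val
            state.mem_writes.append(addr)
        else:
            alu = {"mov": lambda a, b: b, "add": lambda a, b: a + b,
                   "sub": lambda a, b: a - b, "xor": lambda a, b: a ^ b}
            r[dst] = alu[op](r[dst], val) & MASK
    else:
        raise ValueError(f"unsupported instruction: {ins!r}")


def analyse(address, instructions, pre_state=None):
    """Emulate a gadget from the pre-state and return its side-effect record."""
    pre = initial_state(pre_state)
    post = copy.deepcopy(pre)
    for ins in instructions:
        step(post, ins)
    changed = {k: post.regs[k] for k in REGS if post.regs[k] != pre.regs[k]}
    return {
        "address": address,
        "gadget": "; ".join(instructions),
        "changed": changed,                   # register -> value after emulation
        "stack_delta": post.regs["rsp"] - pre.regs["rsp"],
        "mem_reads": post.mem_reads,
        "mem_writes": post.mem_writes,
        # True when the final rip was loaded from a stack slot.
        "rip_from_stack": post.regs["rip"] in pre.mem.values(),
    }


# Constructed gadget listing; addresses are hypothetical.
SAMPLE_GADGETS = {
    0x401000: ["pop rdi", "ret"],
    0x401010: ["pop rsi", "pop r15", "ret"],
    0x401020: ["mov rax, rdi", "ret"],
    0x401030: ["mov [rdi], rsi", "ret"],
    0x401040: ["add rsp, 0x18", "ret"],
    0x401050: ["xor rax, rax", "ret"],
}


def build_table(gadgets=SAMPLE_GADGETS, pre_state=None):
    """The cached 'DataFrame': one side-effect record per gadget."""
    return [analyse(addr, ins, pre_state) for addr, ins in gadgets.items()]


def query(table, predicate):
    """Semantic filter: addresses of records whose effects satisfy `predicate`."""
    return [rec["address"] for rec in table if predicate(rec)]


if __name__ == "__main__":
    table = build_table()
    for rec in table:
        print(f"{rec['address']:#x}  {rec['gadget']:<22} "
              f"writes={sorted(rec['changed'])} stack_delta={rec['stack_delta']} "
              f"mem_writes={[hex(a) for a in rec['mem_writes']]}")
    # Example filter: gadgets that set rdi without writing memory.
    print(query(table, lambda g: "rdi" in g["changed"] and not g["mem_writes"]))
```

The marker-filled pre-state is what makes the diff informative: because every register and stack slot starts with a unique value, the post-state reveals not just which registers changed but where their new contents came from, which is the same information the abstract's memory side-effect view and pre-state definitions expose.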

Speaker Bio:

Dylan Knoff is currently an undergraduate student at George Mason University, was previously a Reverse Engineering intern at Battelle Memorial Institute, and is a founding engineer at Bhartee AI. In his free time he competes in Capture-the-Flag competitions, and was a member of the Season III US Cyber Team with a specialty focus on the PWN and RE categories. He is currently also the President of Mason Competitive Cyber, a university cybersecurity club responsible for running the largest CTF in Virginia, PatriotCTF, as well as hosting talks and workshops from a variety of sponsors for students. He enjoys reverse engineering devices in his free time with an embedded focus.
