Return-Oriented Programming (ROP) is the fundamental technique for bypassing DEP, the widely deployed exploit mitigation that blocks direct execution of injected shellcode. Unfortunately, the available tools for finding ROP gadgets rely mainly on syntactic searching, that is, matching instruction text or byte patterns. This approach is inefficient and time-consuming, and it makes developing ROP-based shellcode a frustrating job for exploit writers.
This research addresses the problem with a tool named OptiROP, which lets exploit writers search for ROP gadgets with semantic queries: the user states the effect a gadget should have (for example, which register should end up holding which value) rather than the exact instructions it should contain. OptiROP accepts input binaries in all common executable formats (PE/ELF/Mach-O) on the x86 and x86_64 architectures. By combining code normalization, code optimization, code slicing, an SMT solver, parallel processing and several heuristic search methods, OptiROP discovers the desired gadgets quickly and with much less effort. The tool also reports the detailed semantics of each gadget found, so users can easily decide how to chain their gadgets into the final shellcode.
When no single gadget satisfies a query, OptiROP tries to pick and chain the available gadgets into a sequence whose combined effect meets the input requirements. This significantly eases the shellcode writer's job, freeing their time for the other tedious parts of the exploitation process.
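As an added illustration of the difference between syntactic and semantic gadget search, and of chaining when no single gadget fits, the following is example code written for this page, not OptiROP's implementation. The gadget corpus and its addresses are constructed, the x86 model covers only a handful of register-to-register instructions (no memory, flags or esp), and random concrete states stand in for the SMT-based equivalence check that a real tool would perform.

```python
"""Toy semantic gadget search (added example, not OptiROP's code).

Gadgets are given as disassembly text and executed on a small register-only
model of x86, so equivalence is checked by random concrete testing instead of
an SMT solver. Addresses and gadgets are constructed for this example.
"""
import random
import re
from itertools import product

REGS = ["eax", "ebx", "ecx", "edx", "esi", "edi"]
MASK = 0xFFFFFFFF

# Constructed corpus: address -> gadget, standing in for a scanner's output.
GADGETS = {
    0x08048100: "mov eax, ecx ; ret",
    0x08048113: "xchg eax, ebx ; ret",
    0x0804812a: "push ebx ; pop eax ; ret",
    0x08048140: "lea eax, [ebx] ; ret",
    0x08048160: "mov eax, ebx ; pop esi ; ret",
    0x08048171: "add eax, ecx ; ret",
    0x08048183: "pop edx ; ret",
    0x08048190: "sub eax, ebx ; ret",
    0x080481a4: "mov ecx, ebx ; ret",
}


def syntactic_search(pattern):
    """What a text-matching tool does: gadgets whose disassembly matches."""
    return [addr for addr, g in GADGETS.items() if re.search(pattern, g)]


def _value(tok, regs):
    return regs[tok] if tok in regs else int(tok, 0) & MASK


def execute(gadget, regs, stack):
    """Run one gadget on concrete state. `stack` holds the dwords above the
    return address; push/pop operate on it. The ret that would consume the
    next chain element is not modelled. Returns (regs, stack)."""
    regs, stack = dict(regs), list(stack)
    for insn in gadget.split(";"):
        op, _, rest = insn.strip().partition(" ")
        args = [a.strip() for a in rest.split(",")] if rest else []
        if op == "ret":
            break
        if op == "mov":
            regs[args[0]] = _value(args[1], regs)
        elif op == "xchg":
            regs[args[0]], regs[args[1]] = regs[args[1]], regs[args[0]]
        elif op == "lea":  # [base] or [base+disp]: address arithmetic, no load
            base, _, disp = args[1].strip("[]").partition("+")
            regs[args[0]] = (regs[base.strip()] + int(disp or "0", 0)) & MASK
        elif op == "push":
            stack.insert(0, _value(args[0], regs))
        elif op == "pop":
            regs[args[0]] = stack.pop(0)
        elif op in ("add", "sub", "xor"):
            a, b = regs[args[0]], _value(args[1], regs)
            regs[args[0]] = {"add": a + b, "sub": a - b, "xor": a ^ b}[op] & MASK
        else:
            raise ValueError("unsupported instruction: " + insn.strip())
    return regs, stack


def run_chain(chain, regs, stack):
    """Execute gadgets back to back and return the final register state."""
    for addr in chain:
        regs, stack = execute(GADGETS[addr], regs, stack)
    return regs


def semantic_search(target, spec, max_len=2, trials=32, seed=1):
    """Find gadget chains (shortest length first) after which `target` equals
    spec(initial_regs) on every sampled state. Returns [(chain, clobbered)],
    where clobbered lists the other registers the chain modifies. Random
    concrete states approximate the SMT equivalence check of a real tool."""
    rng = random.Random(seed)
    samples = [({r: rng.getrandbits(32) for r in REGS},
                [rng.getrandbits(32) for _ in range(8)]) for _ in range(trials)]
    for n in range(1, max_len + 1):
        hits = []
        for chain in product(GADGETS, repeat=n):
            outs = [(s, run_chain(chain, s, stk)) for s, stk in samples]
            if all(o[target] == spec(s) for s, o in outs):
                clobbered = {r for s, o in outs for r in REGS
                             if r != target and o[r] != s[r]}
                hits.append((chain, sorted(clobbered)))
        if hits:
            return hits
    return []


if __name__ == "__main__":
    print("syntactic 'mov eax, ebx':",
          [hex(a) for a in syntactic_search(r"mov eax, ebx")])
    for chain, clob in semantic_search("eax", lambda s: s["ebx"]):
        print("eax = ebx:", " -> ".join(GADGETS[a] for a in chain), "clobbers", clob)
    for chain, clob in semantic_search("eax", lambda s: (s["ebx"] + s["ecx"]) & MASK):
        print("eax = ebx + ecx:", " -> ".join(GADGETS[a] for a in chain), "clobbers", clob)
```

Running the script shows that the text query `mov eax, ebx` matches one gadget, while the semantic query `eax = ebx` also returns `xchg eax, ebx`, `push ebx ; pop eax` and `lea eax, [ebx]`, each with the registers it clobbers, and that the query `eax = ebx + ecx`, which no single gadget in the corpus satisfies, is answered with two-gadget chains. A real tool must also account for the stack slots consumed by each gadget's `ret` and `pop` when laying out the chain, which this model deliberately ignores.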
Our talk will include live demos, so the audience can see how OptiROP finds and generates gadgets in practice.