Implementing semantic ARM gadget searching in Ropper
Category: Penetration testing
Location: any
Contact:
Daniel Hulliger
Ropper is a powerful tool for finding ROP (Return-Oriented-Programming) gadgets. Since a while Ropper has implemented an experimental function for the semantic search of gadgets. However, this does not work for the ARM architecture.
Objectives
The aim of the work is to implement the semantic search in Ropper for the ARM architecture and ultimately to make it available to the Ropper project.
Depending on the work (bachelor thesis, master thesis) the scope can be adapted. The automatic ROP chain generation for common ARM payloads like execve("/bin/sh") or the enhancement/improvement of the semantic search for existing architectures are possibilities to extend the topic
Requirements
- Knowledge of symbolic solvers in general, specific knowledge of the Z3 solver is an advantage.
- Good understanding of arm assembly.
- Knowledge of binary exploitation on linux operating systems.
- Experience in reverse engineering.
- Knowledge of the Python scripting language or willingness to learn.
- Mindset to learn the additional skills.