Architecture-independent vulnerability discovery

The talk is about a framework that helps in analyzing closed-source applications and can be a considerable aid in CTF challenges. The framework consists of several plugins that discover different kinds of vulnerabilities. The presentation describes how certain vulnerabilities can be mapped onto an intermediate language and the difficulties encountered during this process.

Today, identifying and pinning down vulnerabilities in closed-source applications is mostly based on very time-consuming manual reverse engineering, perhaps supported by IDA scripts, or on rather specialized enterprise solutions such as Mayhem from ForAllSecure, which private individuals, research institutions or small companies can rarely afford.

In this talk, we present a methodology for hunting bugs independently of the CPU architecture (e.g. ARM, x86, MIPS) by working on an intermediate language. The presentation covers different approaches to working with intermediate languages and to handling specific problems such as compiler optimizations. Furthermore, the talk includes case studies of vulnerabilities already discovered with the proposed methodology to underline its practicability.

Alongside the presentation, we release a framework with several plugins that detect security issues in compiled programs using the Binary Ninja API. The framework is built to be easily extended by the community via plugins, and several plugins are already part of the release. The released plugins aim to find particular classes of vulnerabilities, such as buffer overflows, integer overflows, uninitialized variables and more, even in the presence of heavy compiler optimization. Further, the framework can use code coverage information to find problems in code paths that the input has already reached.

If you enjoy low-level vulnerability research, then this talk is for you.

About the Speaker