staff++

Hi everyone,

I am the new member on team zynamics. My name is Tim Kornau. I recently finished my Diploma Thesis in IT-Security at the Ruhr-University Bochum, which covered the topic of return-oriented programming for the ARM architecture. I will post a summary of the thesis here in a follow-up blog post soon. For the impatient, you can already go ahead and read it here.

Primarily I will be working with Sebastian Porst on BinNavi and extending its capabilities even further. Right now I am working on the new MIPS REIL translator featured in the upcoming BinNavi 3.0 release.

If you have any questions about REIL, BinNavi, ARM, return-oriented programming or are just interested in sharing ideas about the topics, I am happy to talk to you.

I am looking forward to an awesome time at zynamics and a lot of new things to learn and do.

5 Responses to “staff++”

  1. Andrew says:

    Nice thesis topic, that sounds like it would take some doing. I have been learning ARM assembly recently with a security interest in mind. It seems like there is almost no information on the web about it, but I have seen a book by Syngress and a talk at Shmoocon (Washington DC conference).
    The whole return address being stored in r14 thing would mean you would need to overwrite the return address for the calling function, as the first esp instruction pointer.
    A lot of stuff could go wrong between a strcopy() (or whatever) and the end of the calling subroutine. How did you go about accounting for all that extra error checking and exception throwing code that would be present? Ehh, sorry for stupid questions, still not much of a shell coder. Thanks and congratulations!

    • Andrew says:

      Oops, already found a mistake. I meant to say r13 instruction pointer, not esp (x86 stack pointer).

  2. Tim says:

    Hi,

    One of the resources which I used while writing the thesis was Tim Hurman's information on ARM exploitation http://www.pentest.co.uk/cgi-bin/viewcat.cgi?cat=whitepapers&section=04_embedded. This document explains the approach really well and has some insights regarding your questions. As a quick summary, the epilogue of a function on ARM has an
    LDMFD SP!, {ri-rn, LR} instruction present if it is not a leaf function. This instruction restores the link register from the stack, and therefore makes exploiting possible through a stack overflow.
    I hope this answers your question and I did not miss the point.

    Tim
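The mechanism Tim describes above, as an added example that is not part of the original post or of any zynamics code: a plain C model of a non-leaf ARM function's stack frame and of its `LDMFD SP!, {r4-r7, LR}` epilogue, so that the effect of an unchecked copy into a local buffer on the saved link register can be observed on any host. Everything here is a simulation and an assumption for illustration: the frame layout (a 16-byte buffer below saved r4-r7 and LR), the register set that the epilogue restores, and the two addresses `LEGIT_RETURN` and `FAKE_LR` are made up; the payload is constructed inline and nothing is executed on real ARM hardware.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example (not from the original post): a simulated ARM stack frame for
 * a non-leaf function whose prologue was STMFD SP!, {r4-r7, LR} and whose
 * epilogue is LDMFD SP!, {r4-r7, LR} ; BX LR.
 *
 * Assumed frame layout, ascending addresses, 4-byte words:
 *   word 0..3 : char buf[16]   local buffer written by an unchecked copy
 *   word 4..7 : saved r4..r7   pushed by the prologue
 *   word 8    : saved LR       return address, restored by the epilogue
 */
#define BUF_BYTES   16
#define BUF_WORDS   (BUF_BYTES / 4)
#define FRAME_WORDS (BUF_WORDS + 4 + 1)

#define LEGIT_RETURN 0x00008234u  /* hypothetical address inside the caller */
#define FAKE_LR      0x00010ff4u  /* hypothetical attacker-chosen address */

typedef struct {
    uint32_t r[16];   /* general registers; only r4-r7 are restored by this frame */
    uint32_t lr;      /* r14 */
    unsigned sp;      /* r13, modelled as a word index into the frame array */
} cpu_t;

/* Model of LDMFD SP!, {r4-r7, LR}: load from ascending addresses, write back SP. */
static void ldmfd_sp_r4_r7_lr(cpu_t *cpu, const uint32_t *stack)
{
    for (int i = 4; i <= 7; i++)
        cpu->r[i] = stack[cpu->sp++];
    cpu->lr = stack[cpu->sp++];
}

/*
 * Copy `input` into the local buffer without a length check, as strcpy() would,
 * then run the epilogue and return the LR value that BX LR would jump to.
 * The copy is clamped at the top of the simulated frame only so the model stays
 * inside its own array; a real strcpy() would keep writing into the caller's frame.
 */
uint32_t epilogue_lr_after_copy(const uint8_t *input, size_t len)
{
    uint32_t frame[FRAME_WORDS];
    cpu_t cpu = { .sp = 0 };

    /* State after the prologue: caller's r4-r7 and a legitimate LR sit above buf. */
    memset(frame, 0, sizeof frame);
    for (int i = 4; i <= 7; i++)
        frame[BUF_WORDS + (i - 4)] = 0xc0000000u + (uint32_t)i;
    frame[BUF_WORDS + 4] = LEGIT_RETURN;

    /* Unchecked copy: bytes beyond 16 land on the saved registers and then on LR. */
    if (len > sizeof frame)
        len = sizeof frame;
    memcpy((uint8_t *)frame, input, len);

    /* Epilogue: SP points at the first saved register, LDMFD pops r4-r7 and LR. */
    cpu.sp = BUF_WORDS;
    ldmfd_sp_r4_r7_lr(&cpu, frame);
    return cpu.lr;
}

/*
 * Constructed payload: fill buf[16], overwrite saved r4-r7 with filler, then put
 * fake_lr in the saved LR slot. Words are written in host byte order so the
 * value read back by the simulated LDMFD is exactly fake_lr. `out` must hold
 * FRAME_WORDS * 4 bytes; the payload length is returned.
 */
size_t build_overflow_payload(uint8_t *out, uint32_t fake_lr)
{
    size_t off = 0;
    memset(out, 'A', BUF_BYTES);
    off += BUF_BYTES;
    for (int i = 0; i < 4; i++) {
        uint32_t filler = 0x41414141u;    /* saved r4-r7 become attacker-controlled */
        memcpy(out + off, &filler, 4);
        off += 4;
    }
    memcpy(out + off, &fake_lr, 4);       /* saved LR slot */
    off += 4;
    return off;
}

/* Build the payload, feed it through the copy and epilogue, return the resulting LR. */
uint32_t overflow_demo(uint32_t fake_lr)
{
    uint8_t payload[FRAME_WORDS * 4];
    size_t n = build_overflow_payload(payload, fake_lr);
    return epilogue_lr_after_copy(payload, n);
}

int main(void)
{
    printf("benign input  : returns to 0x%08x\n",
           epilogue_lr_after_copy((const uint8_t *)"hello", 6));
    printf("overflow input: returns to 0x%08x\n", overflow_demo(FAKE_LR));
    return 0;
}
```

A leaf function never pushes LR, so the same overflow would not reach a saved return address in its own frame; that is why the comment above singles out non-leaf functions. With a 20-byte input only the saved r4 would be clobbered, and the function would still return to `LEGIT_RETURN`; the saved LR is only reached once the copy runs past all of the callee-saved registers that the prologue pushed.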

  3. […] I have promised in my last post I will start a series about return-oriented programming. I start with a short introduction about […]