SMT Solvers for Software Security

George Nosenko,
Security researcher at Digital Security
SMT Solvers for Software Security

#whoami

• Member of DSecRG.
• System Developer
• Reverse Engineer
• Security Researche...
SMT Solvers in very simple terms

What is a SMT Solver?

Just like the first time using a SMT
constraint solver
© 2002—201...
SMT Solvers in very simple terms

What is a SMT Solver?

 Solver is a program
 You ask a question
“What is the meaning o...
SMT Solvers in very simple terms

How can I ask a question?

 Question is a logical formula
b+2 = c, f(read(write(a,b,3),...
SMT Solvers in very simple terms

What solver should I choose?

There are many SMT-solvers (over 20)
CVC3, CVC4, STP, Alt...
SMT Solvers in very simple terms

SAT or not SAT? Ask a question.

 structure of formula
 declaration
 precondition
 p...
SMT Solvers in very simple terms

Properties of SMT solvers

 Mathematical precision
 Expressive power
 Data model
 Ef...
SMT Solvers for Software Security

SMT Solvers for Software Security

© 2002—2013, Digital Security
SMT Solvers for Software Security

Applications
 Bug Hunting
 Fuzzing (whitebox or blackbox)
 Program Verification & An...
SMT Solvers for Software Security

What’s the point?

Idea: convert portions of code into logical formulas,
and use SMT so...
SMT Solvers for Software Security

BV Operations in SMT-LIB 2.0

=/bvcomp
distinct
ite

bvand
bvor
bvxor
bvnot
bvnand
bvno...
SMT Solvers for Software Security

Array Operations in SMT-LIB 2.0: select-store axioms
1. Expression (select a i) returns...
SMT Solvers for Software Security

Binary Analysis Platform: http://bap.ece.cmu.edu/

BIL code for add %rax, %rbx
addr 0x0...
SMT Solvers for Software Security

Bug Hunting

© 2002—2013, Digital Security
Bug Hunting

Vulnerability related with Integer

 CWE-190,191,192,194,196







May cause:
Bypass sanity check
Buf...
Bug Hunting

Integer Overflow in Linux Kernel. CVE-2013-2596

© 2002—2013, Digital Security
Bug Hunting

Integer Overflow in Linux Kernel. CVE-2013-2596
static int fb_mmap(struct file *file, struct vm_area_struct *...
Bug Hunting

How does Motochopper work?
1728 open("/dev/graphics/fb0", O_RDWR) = 6
...
1728 mmap2(NULL, 4096, PROT_READ|PR...
Bug Hunting

Integer Overflow in Linux Kernel. CVE-2013-2596

© 2002—2013, Digital Security
Bug Hunting

Integer Overflow in OpenSSH. CVE-2002-0639

© 2002—2013, Digital Security
Bug Hunting

Integer Overflow in OpenSSH. CVE-2002-0639
input_userauth_info_response(){
...
u_int nresp;
...
nresp = packe...
Bug Hunting

Integer Overflow in OpenSSH. CVE-2002-0639
(declare-const

sizeof (_ BitVec 32))

(declare-const

nresp

(_ B...
Bug Hunting

Verification & Static analyze with SMT
 Single collaborative framework
 It’s not heuristic bug-finding
 It...
Bug Hunting

Jessie: verification tools for C programs

 Jessie is a plug-in for the Frama-C
 Functional Checking
 Safe...
Bug Hunting

Jessie: Integer Overflow Safety
#pragma JessieTerminationPolicy(user)
//@ requires n >= 0 && valid_range(t,0,...
Bug Hunting

Immunity Debugger & SMT: Infrastructure

SequenceAnalyzer – Models x86 as operations over a set of SMT primit...
Bug Hunting

Immunity Debugger & SMT: !find_int_overwlow.py

© 2002—2013, Digital Security
SMT in protection analysis

PROTECTION ANALYSIS

© 2002—2013, Digital Security
SMT in protection analysis

Using SMT to defeat simple hashing algorithms
def round_hash(a, b, c, d):
out = [ ]
for i, n i...
SMT in protection analysis

Automated KeyGen Generation. Kao’s Toy Project

© 2002—2013, Digital Security
SMT in protection analysis

Automated KeyGen Generation. Kao’s Toy Project
 Lift the checking algorithm to BIL
./toil -bi...
SMT in protection analysis

Create precondition and postcondition

© 2002—2013, Digital Security
AEG

Automatic Exploit Generation

 Automatically craft an input that redirects control
flow
Loosely defined as “Given a ...
AEG

Automatically craft an input that hijacks control flow

 Get the trace to vulnerable code
 Convert the trace into s...
AEG

Automatically craft an input that hijacks control flow
Freach =
{ t0= eax + ebx, zf ==1 }
Cval =
{ eax = 0xdeadbeef }...
AEG

Automatically craft an input that hijacks control flow
Freach =
{t0 = eax + ebx, zf == 1}
Cval =
{ eax = 0xdeadbeef }...
Automate Generation Payload

Automated Payload Creation
 Data Execution Prevention (DEP)
 Windows 8 ROP mitigation enfor...
Automate Generation Payload

An interesting example from 0verckl0ck
Given:


we can write into eax, but only ASCII printa...
Automate Generation Payload

An interesting example from 0verckl0ck

source: http://rise4fun.com/Z3Py/OrzP
assert( init_ea...
Automate Generation Payload

Finding gadgets with specific samntics

http://www.immunitysec.com/downloads/sean_ruxcon2010....
Automate Generation Payload

Immunity Debugger: !find_gadget

This script looks for a sequence that satisfies
the constrai...
Automate Generation Payload

OptiROP

© 2002—2013, Digital Security
Automate Generation Payload

OptiROP

© 2002—2013, Digital Security
Automate Generation Payload

ROPC: https://github.com/pakt/ropc

© 2002—2013, Digital Security
Automate Generation Payload

ROPC : Type of gadgets that ROPC find &use
Name

Input

NopG

_

_

nop

LoadConstG

OutReg, ...
Automate Generation Payload

ROPC-LLVM: https://github.com/programa-stic/ropcllvm

© 2002—2013, Digital Security
SMT Solvers for Software Security

Questions ?

© 2002—2013, Digital Security
Upcoming SlideShare
Loading in...5
×

Georgy Nosenko - An introduction to the use SMT solvers for software security

1,076

Published on

Published in: Technology, News & Politics

Georgy Nosenko - An introduction to the use SMT solvers for software security

  1. 1. SMT Solvers for Software Security George Nosenko, Security researcher at Digital Security
  2. 2. SMT Solvers for Software Security #whoami • Member of DSecRG. • System Developer • Reverse Engineer • Security Researcher © 2002—2013, Digital Security
  3. 3. SMT Solvers in very simple terms What is a SMT Solver? Just like the first time using a SMT constraint solver © 2002—2013, Digital Security
  4. 4. SMT Solvers in very simple terms What is a SMT Solver?  Solver is a program  You ask a question “What is the meaning of life?”  Solver tries to answer “42” © 2002—2013, Digital Security
  5. 5. SMT Solvers in very simple terms How can I ask a question?  Question is a logical formula b+2 = c, f(read(write(a,b,3), c-2)) ≠ f(c-b+1)  SMT-LIB: Language for expressing formulas http://smtlib.org/  All solvers understand this language © 2002—2013, Digital Security
  6. 6. SMT Solvers in very simple terms What solver should I choose? There are many SMT-solvers (over 20) CVC3, CVC4, STP, Alt-Ergo, Yices, Z3, etc Z3 is my choice  Efficient SMT solver  Open Source Project: http://z3.codeplex.com  Python, C/C++, .NET binding  Available online  Support Windows & Linux © 2002—2013, Digital Security
  7. 7. SMT Solvers in very simple terms SAT or not SAT? Ask a question.  structure of formula  declaration  precondition  postcondition  answer  sat, unsat, unknown  satisfiability  validity  model Taint Nobody Got Time for Crash © 2002—2013, Digital Security (declare-const work Int) (declare-const sleep Int) (declare-const fun Int) (assert (>= work 40)) (assert (>= sleep 42)) (assert (>= fun work)) (assert (= (+ work (+ sleep fun)) 168)) (check-sat) (get-model) sat (model (sleep: 42, fun: 63, work 63) http://rise4fun.com/Z3/pLpMc
  8. 8. SMT Solvers in very simple terms Properties of SMT solvers  Mathematical precision  Expressive power  Data model  Efficient implementation Support Bit-vector & Array © 2002—2013, Digital Security
  9. 9. SMT Solvers for Software Security SMT Solvers for Software Security © 2002—2013, Digital Security
  10. 10. SMT Solvers for Software Security Applications  Bug Hunting  Fuzzing (whitebox or blackbox)  Program Verification & Analysis  Exploit Generation  PoC, AEG, APEG  Automate generate payload  Protection Analysis  Obfuscation  Crypto Analysis  Malware Analysis © 2002—2013, Digital Security
  11. 11. SMT Solvers for Software Security What’s the point? Idea: convert portions of code into logical formulas, and use SMT solver to prove properties about them add eax, ebx xor ebx, ebx sub ecx, 0x123 setz bl add eax, ebx Is this snippet equivalent to “add eax, ebx”? sub bl, bl What value must EAX have at the beginning movzx ebx, bl add ebx, 0xbbbbbbbb of this snippet in order for EAX to be 0x12345678 after the snippet executes? add eax, ebx http://recon.cx/2012/schedule/attachments/52_semantics-based-methods.pdf Taint Nobody Got Time for Crash © 2002—2013, Digital Security
  12. 12. SMT Solvers for Software Security BV Operations in SMT-LIB 2.0 =/bvcomp distinct ite bvand bvor bvxor bvnot bvnand bvnor bvxnor bvneg bvadd bvmul bvudiv bvurem bvsub bvsdiv bvsrem bvsmod bvshl bvlshr bvashr bvult bvule bvugt bvuge bvslt bvsle bvsgt bvsge concat extract bvshl bvlshr bvashr repeat zero_extend sign_extend rotate_left rotate_right Slides - SMT Workshop 2013 © 2002—2013, Digital Security
  13. 13. SMT Solvers for Software Security Array Operations in SMT-LIB 2.0: select-store axioms 1. Expression (select a i) returns the value stored at position i of the array a; 2. And (store a i v) returns a new array identical to a, but on position i it contains the value v. (declare-const x Int) (declare-const y Int) (declare-const a1 (Array Int Int)) (assert (= (select a1 x) x)) (assert (= (store a1 x y) a1)) (check-sat) © 2002—2013, Digital Security
  14. 14. SMT Solvers for Software Security Binary Analysis Platform: http://bap.ece.cmu.edu/ BIL code for add %rax, %rbx addr 0x0 @asm "add %rax,%rbx" label pc_0x0 T_t1:u64 = R_RBX:u64 T_t2:u64 = R_RAX:u64 R_RBX:u64 = R_RBX:u64 + T_t2:u64 R_CF:bool = R_RBX:u64 < T_t1:u64 R_OF:bool = high:bool((T_t1:u64 ^ ~T_t2:u64) & (T_t1:u64 ^ R_RBX:u64)) R_AF:bool = 0x10:u64 == (0x10:u64 & (R_RBX:u64 ^ T_t1:u64^T_t2:u64)) R_PF:bool = ~low:bool(let T_acc:u64 := R_RBX:u64 >> 4:u64 ^ R_RBX:u64 in let T_acc:u64 := T_acc:u64 >> 2:u64 ^ T_acc:u64 in T_acc:u64 >> 1:u64 ^ T_acc:u64) R_SF:bool = high:bool(R_RBX:u64) R_ZF:bool = 0:u64 == R_RBX:u64 © 2002—2013, Digital Security
  15. 15. SMT Solvers for Software Security Bug Hunting © 2002—2013, Digital Security
  16. 16. Bug Hunting Vulnerability related with Integer  CWE-190,191,192,194,196       May cause: Bypass sanity check Buffer Overflow Dangling Pointer Use after free Application specific © 2002—2013, Digital Security
  17. 17. Bug Hunting Integer Overflow in Linux Kernel. CVE-2013-2596 © 2002—2013, Digital Security
  18. 18. Bug Hunting Integer Overflow in Linux Kernel. CVE-2013-2596 static int fb_mmap(struct file *file, struct vm_area_struct * vma){ if (!info) return -ENODEV; ... off = vma->vm_pgoff << PAGE_SHIFT; fb = info->fbops; if (!fb) return -ENODEV; ... /* frame buffer memory */ start = info->fix.smem_start; len = PAGE_ALIGN((start & ~PAGE_MASK) + info->fix.smem_len); if (off >= len) { /* memory mapped io */ off -= len; ... start = info->fix.mmio_start; len = PAGE_ALIGN((start & ~PAGE_MASK) + info>fix.mmio_len); } mutex_unlock(&info->mm_lock); start &= PAGE_MASK; if ((vma->vm_end - vma->vm_start + off) > len) return -EINVAL; ... fb_pgprotect(file, vma, off); if (io_remap_pfn_range(vma, vma->vm_start, off >> PAGE_SHIFT, vma->vm_end - vma->vm_start, vma>vm_page_prot)) return -EAGAIN; return 0; } © 2002—2013, Digital Security
  19. 19. Bug Hunting How does Motochopper work? 1728 open("/dev/graphics/fb0", O_RDWR) = 6 ... 1728 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_SHARED, 6, 0) = 0x400f2000 ... 1728 munmap(0x4015b000, 9433088) = 0 1728 mmap2(NULL, 9437184, PROT_READ|PROT_WRITE, MAP_SHARED, 6, 0) = 0x4015b000 1728 munmap(0x4015b000, 9437184) = 0 1728 mmap2(NULL, 9441280, PROT_READ|PROT_WRITE, MAP_SHARED, 6, 0) = -1 EINVAL (Invalid argument) 1728 mmap2(NULL, 1728 mmap2(NULL, (Out of memory) 1728 mmap2(NULL, (Out of memory) ... (Out of memory) 1728 mmap2(NULL, NAME 2415919104, PROT_READ|PROT_WRITE, MAP_SHARED, 6, 0x70900) = -1 ENOMEM 2231369728, PROT_READ|PROT_WRITE, MAP_SHARED, 6, 0x7b900) = -1 ENOMEM 2214592512, PROT_READ|PROT_WRITE, MAP_SHARED, 6, 0x7c900) = -1 ENOMEM 2113929216, PROT_READ|PROT_WRITE, MAP_SHARED, 6, 0x82900) = 0x4015b000 mmap2 - map files or devices into memory #include <sys/mman.h> void *mmap2(void *addr, size_t length, int prot, int flags, int fd, off_t pgoffset); © 2002—2013, Digital Security
  20. 20. Bug Hunting Integer Overflow in Linux Kernel. CVE-2013-2596 © 2002—2013, Digital Security
  21. 21. Bug Hunting Integer Overflow in OpenSSH. CVE-2002-0639 © 2002—2013, Digital Security
  22. 22. Bug Hunting Integer Overflow in OpenSSH. CVE-2002-0639 input_userauth_info_response(){ ... u_int nresp; ... nresp = packet_get_int(); if (nresp > 0) { response = xmalloc(nresp * sizeof(char*)); for (i = 0; i < nresp; i++) response[i] = packet_get_string(NULL); } packet_check_eom(); } © 2002—2013, Digital Security
  23. 23. Bug Hunting Integer Overflow in OpenSSH. CVE-2002-0639 (declare-const sizeof (_ BitVec 32)) (declare-const nresp (_ BitVec 32)) (declare-const mult (_ BitVec 32)) (assert ( = 4 sizeof (assert ( = mult nresp*sizeof (_ bv4 32))) (bvmul nresp sizeof))) (assert ( bvugt nresp (assert ( bvult nresp mult nresp)) (get-model) © 2002—2013, Digital Security ; (_ bv0 32) )) ; nresp > 0 (assert ( = mult (_ bv256 32))) nresp*sizeof = 256 (check-sat) ; sizeof (char*) = ; nresp*sizeof < ;
  24. 24. Bug Hunting Verification & Static analyze with SMT  Single collaborative framework  It’s not heuristic bug-finding  It allows user to manipulate  Functional specification  Prove that source code satisfies specification  Expands with plug-ins  ACSL is a behavioral specification language © 2002—2013, Digital Security
  25. 25. Bug Hunting Jessie: verification tools for C programs  Jessie is a plug-in for the Frama-C  Functional Checking  Safety Checking  Memory Safety  Integer Overflow  Checking Termination © 2002—2013, Digital Security
  26. 26. Bug Hunting Jessie: Integer Overflow Safety #pragma JessieTerminationPolicy(user) //@ requires n >= 0 && valid_range(t,0,n−1); int binary_search(long t[], int n, long v) { int l = 0, u = n-1; //@ loop invariant 0 <= l && u <= n−1; while (l <= u) { int m = l + (u - l) / 2; //int m = (l + u) / 2; if (t[m] < v) l = m + 1; else if (t[m] > v) u = m - 1; else return m; } return -1; } > frama-c -jessie binary-search.c © 2002—2013, Digital Security
  27. 27. Bug Hunting Immunity Debugger & SMT: Infrastructure SequenceAnalyzer – Models x86 as operations over a set of SMT primitives. Solver – Ctypes interface to the CVC3 SMT solver API. Supports a variety of theories including quantifier free, bit-vector arithmetic, linear arithmetic etc. CodeGraph/PathGenerator – Purely static CFG building and path generation. PathWalker – SMT based path traversal. Each conditional jump is checked for feasibility and the path discarded if not SAT. BugChecker – Subclasses provide the check_ins method which will be passed the SMT context representing the current path. © 2002—2013, Digital Security
  28. 28. Bug Hunting Immunity Debugger & SMT: !find_int_overwlow.py © 2002—2013, Digital Security
  29. 29. SMT in protection analysis PROTECTION ANALYSIS © 2002—2013, Digital Security
  30. 30. SMT in protection analysis Using SMT to defeat simple hashing algorithms def round_hash(a, b, c, d): out = [ ] for i, n in enumerate((a, b, c, d)): nn = 0 for j in range(32): nn |= (rotl(n, SCRAMBLE_TABLE[(i << 2)+j]) & 1) << j nn ^= XOR_TABLE[i] out.append(nn) out[0] = rotl(out[0], ROT_TABLE[0]) out[1] = rotl(out[1], ROT_TABLE[1]) out[2] = rotl(out[2], ROT_TABLE[2]) out[3] = rotl(out[2], ROT_TABLE[3]) return out a ^= c b ^= d for i in range(128): a, b, c, d = round_hash(a, b, c, d) © 2002—2013, Digital Security
  31. 31. SMT in protection analysis Automated KeyGen Generation. Kao’s Toy Project © 2002—2013, Digital Security
  32. 32. SMT in protection analysis Automated KeyGen Generation. Kao’s Toy Project  Lift the checking algorithm to BIL ./toil -binrange ~/toyproject.exe 0x401105 0x401111 -o checkUnlockCode.il  Convert BIL to single static assignment form (SSA), unroll loop ./iltrans -il checkUnlockCode.il -to-ssa -simp-ssa -to-cfg -unroll 31 -rm-cycles -rm-indirect-ast -to-ast -normalize-mem -flatten-mem -pp-ast checkUnlockUnroll.il egrep -v '^cjmp.*$' checkUnlockUnroll.il > checkUnlockUnrollOpt.il  Convert BIL to SMT-formula ./topredicate -il checkUnlockUnrollOpt.il -noopt -solver z3 -stp-out checkLoop.smt line 18: assert --> define-fun alg () (Array (_ BitVec 32) (_ BitVec 8)) line 921: false --> ?mem_array_83_670 © 2002—2013, Digital Security
  33. 33. SMT in protection analysis Create precondition and postcondition © 2002—2013, Digital Security
  34. 34. AEG Automatic Exploit Generation  Automatically craft an input that redirects control flow Loosely defined as “Given a program and a vulnerability, automatically craft an input that redirects control flow to malicious code”  Automated Payload Creation © 2002—2013, Digital Security
  35. 35. AEG Automatically craft an input that hijacks control flow  Get the trace to vulnerable code  Convert the trace into set of constraints Freach  Generate the set of conditions that make code exploitable Fexploit = Cval U Caddr  Solve (Freach U Fexploit)  SMT-solver defines required input © 2002—2013, Digital Security
  36. 36. AEG Automatically craft an input that hijacks control flow Freach = { t0= eax + ebx, zf ==1 } Cval = { eax = 0xdeadbeef } Caddr = { t1= ebp + 4, t1 = ebp +ecx } Fexploit = Cval U Caddr © 2002—2013, Digital Security
  37. 37. AEG Automatically craft an input that hijacks control flow Freach = {t0 = eax + ebx, zf == 1} Cval = { eax = 0xdeadbeef } Caddr = {t1 = ebp + 4, t1 = ebp + ecx} Fexploit = Cval U Caddr Input ={eax = 0xdeadbeef, ebx = 0x21524111, ecx = 4} (declare-const t0 (_ BitVec 32)) (declare-const t1 (_ BitVec 32)) (declare-const eax (_ BitVec 32)) (declare-const ebx (_ BitVec 32)) (declare-const ecx (_ BitVec 32)) (declare-const ebp (_ BitVec 32)) ; Freach = {zf = 1, t0 = eax + ebx} (assert (= t0 (bvadd eax ebx))) ; t0 = eax + ebx (assert (= t0 #x00000000)) ; zf = 1 ; Cval = { eax = 0xDEADBEEF } (assert (= eax #xdeadbeef)) ; eax = 0xDEADBEEF ; Caddr = { t1 = ebp + 4, t1 = ebp + ecx} (assert (and (= t1 (bvadd ebp #x00000004)) ; t1 = ebp + 4 (= t1 (bvadd ebp ecx))) ; t2 = ebp + ecx ) sat (model (define-fun ecx () (_ BitVec 32) #x00000004) (define-fun eax () (_ BitVec 32) #xdeadbeef) (define-fun ebx () (_ BitVec 32) #x21524111) ) http://rise4fun.com/Z3/j2Y © 2002—2013, Digital Security
  38. 38. Automate Generation Payload Automated Payload Creation  Data Execution Prevention (DEP)  Windows 8 ROP mitigation enforces policies on who/where can call VirtualAlloc() or VirtualProtect() to enable memory executable at run-time  IOS already totally forbid code injection: Writable pages have NX permission & only signed pages are executable  Return Oriented Programming  fun at first time, then hurt  hundreds and thousands of ROP-gadgets  “bad characters"  find a suitable gadget can be difficult  research efforts aimed at solving the problem of automatic generation ROP-chains © 2002—2013, Digital Security
  39. 39. Automate Generation Payload An interesting example from 0verckl0ck Given:  we can write into eax, but only ASCII printable char  we have ROP-gadgets like these: add eax, 0xc9f4458b; add eax, 0x0fcf; add eax, 0x1337; Goal: add eax, 0xdeadbeef; add eax, 0x13b2; add eax, 0x42;  make eax = 0xb00bdead  determine the initial value eax  find the minimum sequence of calls gadgets © 2002—2013, Digital Security
  40. 40. Automate Generation Payload An interesting example from 0verckl0ck source: http://rise4fun.com/Z3Py/OrzP assert( init_eax + g1*0xc9f4458b + g2*0xdeadbeef + g3*0x0fcf + g4*0x13b2 + g5*0x1337 + g6*0x42 = 0xb00bdead) assert(ascii_printable( init_eax ) ) sum (g1,g2,g3,g4,g5,g6) --> min answer: 0x522e707c + 3*0xc9f4458b + 8*0x13b2 = 0xb00bdead © 2002—2013, Digital Security
  41. 41. Automate Generation Payload Finding gadgets with specific samntics http://www.immunitysec.com/downloads/sean_ruxcon2010.pdf © 2002—2013, Digital Security
  42. 42. Automate Generation Payload Immunity Debugger: !find_gadget This script looks for a sequence that satisfies the constraints we specify © 2002—2013, Digital Security
  43. 43. Automate Generation Payload OptiROP © 2002—2013, Digital Security
  44. 44. Automate Generation Payload OptiROP © 2002—2013, Digital Security
  45. 45. Automate Generation Payload ROPC: https://github.com/pakt/ropc © 2002—2013, Digital Security
  46. 46. Automate Generation Payload ROPC : Type of gadgets that ROPC find &use Name Input NopG _ _ nop LoadConstG OutReg, Value _ OutReg  Value MoveRegG InReg, OutReg _ OutReg  InReg ArithmeticG InReg1, InReg2, OutReg op OutReg <- InReg1 op InReg2 StoreMemG AddrReg, InReg # Bytes, Offset M[AddrReg+Offset]<-InReg LoadMemReg AddrReg, OutReg # Bytes, Offset OutRegM[AddrReg+Offset] ArithmeticStoreG InReg, AddrReg # Bytes, Offset, op M[AddrReg+Offset] op  InReg ArithmeticLoadG OutReg, AddrReg © 2002—2013, Digital Security Parameters # Bytes, Offset, op Semantic Definition OutReg op  M[AddrReg+Offset
  47. 47. Automate Generation Payload ROPC-LLVM: https://github.com/programa-stic/ropcllvm © 2002—2013, Digital Security
  48. 48. SMT Solvers for Software Security Questions ? © 2002—2013, Digital Security
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×