Synthesis of code-reuse attacks from p-code programs

Conference item

We present a new method for automatically synthesizing code-reuse attacks—for example, using Return Oriented Programming—based on mechanized formal logic. Our method reasons about machine code via abstraction to the p-code intermediate language of Ghidra, a well-established software reverse-engineering framework. This allows it to be applied to binaries of essentially any architecture, and provides certain technical advantages. We define a formal model of a fragment of p-code in propositional logic, enabling analysis by automated reasoning algorithms. We then synthesize code-reuse attacks by identifying selections of gadgets that can emulate a given p-code reference program. This enables our method to scale well, in both reference program and gadget library size, and facilitates integration with external tools. Our method matches or exceeds the success rate of state-of-the-art ROP chain synthesis methods while providing improved runtime performance.

Authors: Melham, TF; DenHoed, M

• Publication status: Published
• Peer review status: Peer reviewed
• Publisher: Association for Computing Machinery
• Host title: SEC '25: Proceedings of the 34th USENIX Conference on Security Symposium
• Pages: 395 - 411
• Publication date: 2025-09-08
• Acceptance date: 2025-01-24
• Event title: 34th USENIX Security Symposium (USENIX 2025)
• Event location: Seattle, Washington, USA
• Event website: https://www.usenix.org/conference/usenixsecurity25
• Event start date: 2025-08-13
• Event end date: 2025-08-15
• ISBN: 9781939133526
• Language: English