Published on May 11th, 2017

Travis Goodspeed & Ryan Speers – Confusing Disassemblers of Compressed RISC Instruction Sets
X86 has all sorts of fun ways to mess with reverse engineers at the instruction set level by varying offsets to execute in the middle of an instruction. In the holy ideal of RISC, this wouldn't happen because instructions are of fixed length.

But then RISC got all uppity while targeting the embedded market, trying to squeeze itself into 16-bit aligned instructions whose length can sort of--but not really--vary. MSP430, ARM, MIPS, and PowerPC all support these shortened instructions, so let's take a look at some specific examples in which disassemblers and reverse engineers can be confused by them. We'll split instructions apart, graft them back together as chimera freaks of nature, and the hardware will happily run it just as disassemblers run off-track.
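As an added illustration, not code from the talk or its authors: a small Python check for the Thumb-2 case, where the second halfword of a 32-bit instruction can itself be a perfectly valid 16-bit instruction. The length rule is the real Thumb-2 one from the ARM Architecture Reference Manual (a first halfword whose top five bits are 11101, 11110 or 11111 starts a 32-bit encoding); the eight sample bytes are constructed, and the decoder handles only the few encodings that sample uses. The useful part for an analyst is `ambiguous_offsets`, which linear-sweeps the buffer from every halfword offset and reports the halfwords that are an instruction start in one sweep but an instruction interior in another, i.e. exactly the places where two disassemblers, or a disassembler and the CPU, can disagree.

```python
import struct

# Constructed sample, Thumb-2 little-endian:
#   movw r0, #0x1234   -> F241 2034
#   nop                -> BF00
#   bx lr              -> 4770
# The second halfword of the movw (0x2034) is also a complete 16-bit
# "movs r0, #0x34", so a sweep entering at byte 2 sees a different program.
SAMPLE = bytes([0x41, 0xF2, 0x34, 0x20, 0x00, 0xBF, 0x70, 0x47])


def thumb_len(hw: int) -> int:
    """Byte length of the Thumb instruction whose first halfword is hw.
    Top five bits 11101/11110/11111 begin a 32-bit encoding; everything
    else is a self-contained 16-bit instruction."""
    return 4 if (hw >> 11) in (0b11101, 0b11110, 0b11111) else 2


def halfword(code: bytes, off: int) -> int:
    return struct.unpack_from("<H", code, off)[0]


def sweep(code: bytes, start: int) -> list:
    """Linear sweep from byte offset `start`; returns (offset, length) pairs."""
    out, off = [], start
    while off + 2 <= len(code):
        n = thumb_len(halfword(code, off))
        if off + n > len(code):
            break  # 32-bit instruction truncated by end of buffer
        out.append((off, n))
        off += n
    return out


def ambiguous_offsets(code: bytes) -> list:
    """Halfword offsets that start an instruction in one sweep but lie
    inside a 32-bit instruction in another sweep."""
    starts, interiors = set(), set()
    for s in range(0, len(code), 2):
        for off, n in sweep(code, s):
            starts.add(off)
            if n == 4:
                interiors.add(off + 2)
    return sorted(starts & interiors)


def decode(code: bytes, off: int) -> str:
    """Minimal decoder for the encodings in SAMPLE only; '?' otherwise."""
    hw1 = halfword(code, off)
    if thumb_len(hw1) == 4:
        hw2 = halfword(code, off + 2)
        # MOVW Rd, #imm16 (T3): 11110 i 100100 imm4 | 0 imm3 Rd imm8
        if (hw1 & 0xFBF0) == 0xF240 and (hw2 & 0x8000) == 0:
            imm4, i = hw1 & 0xF, (hw1 >> 10) & 1
            imm3, rd, imm8 = (hw2 >> 12) & 7, (hw2 >> 8) & 0xF, hw2 & 0xFF
            imm16 = (imm4 << 12) | (i << 11) | (imm3 << 8) | imm8
            return f"movw r{rd}, #0x{imm16:x}"
        return "?"
    if (hw1 & 0xF800) == 0x2000:          # MOVS Rd, #imm8 (T1): 00100 Rd imm8
        return f"movs r{(hw1 >> 8) & 7}, #0x{hw1 & 0xFF:x}"
    if hw1 == 0xBF00:                     # NOP (T2)
        return "nop"
    if (hw1 & 0xFF87) == 0x4700:          # BX Rm (T1): 010001110 Rm 000
        return f"bx r{(hw1 >> 3) & 0xF}"
    return "?"


if __name__ == "__main__":
    for entry in (0, 2):
        print(f"sweep from byte {entry}:")
        for off, n in sweep(SAMPLE, entry):
            print(f"  {off:02x}: {decode(SAMPLE, off)}")
    print("ambiguous halfword offsets:", ambiguous_offsets(SAMPLE))
```

Run stand-alone it prints the two readings of the same bytes (`movw r0, #0x1234 ; nop ; bx r14` from offset 0, `movs r0, #0x34 ; nop ; bx r14` from offset 2) and reports offset 2 as ambiguous. On real firmware the same sweep-from-every-offset pass is a cheap way to mark regions where a linear-sweep disassembler should not be trusted without corroborating control flow.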

Travis Goodspeed is a Southern Appalachian expat trapped in Pizza Rat City. When not fighting for elbow room on public transportation, he drives a 6.8 liter V10 with a fifty foot microwave tower. He and Ryan have collaborated on more than a few nifty papers, and you ought to read them.
Ryan Speers is a security researcher and developer who enjoys embedded systems, low-power radio protocols, and reversing proprietary systems. He has worked in offensive and defensive roles on networks, Windows, microcontrollers, and many things in-between. As co-founder at River Loop Security, he tests embedded systems for security issues, and helps clients build more secure systems. He is also Director of Research for Ionic Security where he leads system and cryptographic research. He has previously spoken at a number of security conferences and written some articles for journals ranging from peer-reviewed academic publications to PoC||GTFO.

Presented at the Jailbreak Security Summit, April 28, 2017, Laurel, Maryland, USA.