Release: ROPTool by Davee, could help homebrew development on the 3DS and PS Vita
If you don't know who Davee is, here's something to refresh your memory: before the PS Vita ever existed, there was the PSP, and Davee was a major part of the PSP hacking scene for years. Between kernel exploits, downgraders, and the occasional hint that he was still looking closely at the PS Vita, it was difficult to miss Davee on any hacking news site a few years ago. But he has kind of gone off the radar recently...
His latest blog post, more or less one year after his previous one (did I mention he's off the radar?), announces the release of ROPTool, a tool meant to help build ROP chains for ARM targets when developing an exploit.
ROP (Return Oriented Programming) is a technique widely used these days by hackers to exploit modern systems. Modern systems ship with protections such as non-executable memory (NX) that stop injected code from running, and ROP gets around that kind of protection by reusing code that is already present in the target instead of injecting any. Wikipedia explains it better than I could:
An attacker gains control of the call stack to hijack program control flow and then executes carefully chosen machine instruction sequences, called “gadgets”. Each gadget typically ends in a return instruction and is located in a subroutine within the existing program and/or shared library code. Chained together, these gadgets allow an attacker to perform arbitrary operations on a machine employing defenses that thwart simpler attacks.
The drawback of ROP is how tedious it is to build a chain by hand (every argument, gadget address and data reference has to be laid out at the right stack offset), so Davee started working on ROPTool to automate that work, specifically on ARM processors (more tools already exist for x86). ROPTool "will take a script language and a list of gadgets and provide a binary stack layout with data references". Most mobile devices today use an ARM processor, making them an interesting target for hackers in general. As Davee says, releasing tools such as ROPTool is always a double-edged sword: they can be used by security researchers and black-hat hackers alike.
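To make the "script in, binary stack layout out" idea concrete, here is a toy ARM32 chain builder. It is an added example written for this post, not ROPTool's code, and it does not claim to mirror ROPTool's script format or output. Every address in it is hypothetical: it assumes the target exposes `pop {rN, pc}` gadgets for r0 through r3, that the called functions return by popping pc (a `push {.., lr}` / `pop {.., pc}` epilogue), that the image lands at a known stack address, and that words are 32-bit little-endian. Each script statement becomes gadget/value pairs that load the argument registers followed by the target address; string arguments are copied into a data area after the chain and referenced by absolute address, which is what "data references" means in practice.

```c
/* Toy ARM32 ROP stack-layout builder (added example; all addresses are hypothetical). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_IMAGE 1024          /* bytes of stack image we are willing to emit */

/* Assumed addresses, chosen for illustration; none belongs to a real target. */
#define STACK_BASE 0x8127f1c0u  /* address the image is assumed to occupy */
#define FN_F       0x8001a2c4u  /* placeholder: f(const char *s) */
#define FN_G       0x8002b6d8u  /* placeholder: g(const char *s, uint32_t a, uint32_t b) */

/* pop {rN, pc} gadgets for N = 0..3, assumed to exist in the target's code. */
static const uint32_t pop_reg_pc[4] = {
    0x80011234u, 0x80011240u, 0x80011250u, 0x80011260u
};

enum arg_kind { ARG_IMM, ARG_STR };
struct arg  { enum arg_kind kind; uint32_t imm; const char *str; };

/* One statement of the script: target(args...). The target must return by
 * popping pc (push {.., lr} on entry, pop {.., pc} on exit); a leaf that
 * returns with bx lr never hands control to the next statement. */
struct call { uint32_t target; int nargs; struct arg args[4]; };

static void put_le32(uint8_t *p, uint32_t w) {
    p[0] = w & 0xff; p[1] = (w >> 8) & 0xff; p[2] = (w >> 16) & 0xff; p[3] = (w >> 24) & 0xff;
}
static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Lower a script onto a stack image: gadget/value pairs and targets first
 * (lowest address = first word popped), then the strings they reference.
 * Returns the image length in bytes and stores the chain length; 0 on error. */
static size_t rop_build(const struct call *script, int ncalls,
                        uint8_t *out, size_t cap, size_t *chain_len) {
    size_t chain = 0;
    for (int i = 0; i < ncalls; i++) {
        if (script[i].nargs < 0 || script[i].nargs > 4) return 0;
        chain += (2 * (size_t)script[i].nargs + 1) * 4;   /* gadget+value per arg, then target */
    }
    if (chain > cap) return 0;
    memset(out, 0, cap);
    size_t off = 0, data_off = chain;
    for (int i = 0; i < ncalls; i++) {
        const struct call *c = &script[i];
        for (int a = 0; a < c->nargs; a++) {
            uint32_t value = c->args[a].imm;
            if (c->args[a].kind == ARG_STR) {
                size_t len = strlen(c->args[a].str) + 1;
                size_t slot = (len + 3) & ~(size_t)3;      /* keep the data area word aligned */
                if (data_off + slot > cap) return 0;
                memcpy(out + data_off, c->args[a].str, len);
                value = STACK_BASE + (uint32_t)data_off;   /* the data reference */
                data_off += slot;
            }
            put_le32(out + off, pop_reg_pc[a]); off += 4;  /* pop {ra, pc} */
            put_le32(out + off, value);         off += 4;  /* word popped into ra */
        }
        put_le32(out + off, c->target); off += 4;          /* "return" into the target */
    }
    *chain_len = chain;
    return data_off;
}

/* Offset of the first byte equal to `bad` in img[0..len), or -1. A chain that
 * travels through a C string copy cannot contain NUL, so small immediates
 * such as 0 or 1 have to be produced by other gadgets instead. */
static long rop_find_bad_byte(const uint8_t *img, size_t len, uint8_t bad) {
    for (size_t i = 0; i < len; i++)
        if (img[i] == bad) return (long)i;
    return -1;
}

/* Constructed two-statement script: f("hello"); g("world", 0x41414141, 0); */
static uint8_t g_img[MAX_IMAGE];
static size_t  g_chain;

size_t build_example(void) {
    const struct call script[2] = {
        { FN_F, 1, { { ARG_STR, 0, "hello" } } },
        { FN_G, 3, { { ARG_STR, 0, "world" }, { ARG_IMM, 0x41414141u, NULL },
                     { ARG_IMM, 0, NULL } } },
    };
    return rop_build(script, 2, g_img, sizeof g_img, &g_chain);
}
const uint8_t *example_image(void) { return g_img; }
size_t example_chain_len(void)     { return g_chain; }

int main(void) {
    size_t n = build_example();
    for (size_t i = 0; i < n; i += 4)   /* dump the layout one word per line */
        printf("%08x: %08x\n", (unsigned)(STACK_BASE + i), (unsigned)get_le32(g_img + i));
    long bad = rop_find_bad_byte(g_img, g_chain, 0);
    if (bad >= 0) printf("NUL byte inside the chain at offset %ld\n", bad);
    return 0;
}
```

Running it prints the 56-byte image: 40 bytes of chain followed by "hello" and "world", with the two string arguments holding `STACK_BASE + 40` and `STACK_BASE + 48`. The bad-byte scan flags the literal `0` passed to `g` at offset 32, which is the kind of constraint a real chain builder has to report, because a chain delivered through a string copy dies at the first NUL.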
Davee mentions the 3DS and the PS Vita (both running on flavors of ARM processors) as potential targets for this tool, and specifically explains that it could help in the long term with homebrew development on these devices. The PS Vita does rely on mitigations such as the NX bit (a feature of the ARM CPU's MMU that marks pages non-executable) and ASLR (an OS-level randomization of load addresses), which are exactly the protections ROP is designed to work around. Note that a chain is built from absolute gadget addresses, so ASLR still has to be dealt with separately, typically through an information leak or a module that is not randomized. There's a chance this could be useful for the people working on the recently announced WebKit exploit on the Vita's firmware 3.18.