roptimizer / README.md
chris1sflaggin
Update to v7 model (balanced dataset, 5-fold CV metrics)
80d6395
|
Raw
History Blame Contribute Delete
3.75 kB
---
language:
- en
- it
license: mit
tags:
- pwn
- ctf
- rop
- reverse-engineering
- symbolic-execution
- cybersecurity
- angr
- lightgbm
- ranking
datasets:
- custom
metrics:
- ndcg
---
# LCSAJdump Hybrid ML Gadget Ranker
## Model Overview
This repository contains the pre-trained Machine Learning model used by the **[LCSAJdump](https://github.com/chris1sflaggin/LCSAJdump)** ROP/JOP/COP gadget finder.
The model is a **LightGBM LambdaRank** engine designed to score and sort Return-Oriented Programming (ROP) gadgets extracted from binary executables. It was trained to differentiate between useless instruction sequences and highly valuable, exploit-ready gadgets by combining structural static analysis with **Deep Semantic Features** (extracted via `angr` symbolic execution).
## How it works
Traditional gadget finders (like `ROPgadget` or `ropper`) rely on syntactic heuristics (e.g., "does it end with `ret`?" or "does it pop `rdi`?"). This approach often yields hundreds of false positives, especially in obfuscated binaries or complex architectures like ARM64 and RISC-V.
This LambdaRank model receives a set of 29 features for each gadget, including:
1. **Structural Features:** Extracted by LCSAJdump's RainbowBFS algorithm (e.g., instruction count, presence of internal calls, clobbered registers).
2. **Semantic Features:** Extracted by running the gadget through the `angr` symbolic execution engine. The model mathematically knows if a gadget *actually* performs a stack pivot (`sm_stack_pivot_size`), controls argument registers (`sm_controls_arg_reg`), or performs memory writes (`sm_writes_memory`).
By learning from a ground truth of **real-world CTF exploit scripts**, the model learns to prioritize gadgets that are genuinely useful for building exploit chains, achieving an **NDCG@5 of ~0.90** under group-aware 5-fold cross-validation.
## Architectures Supported
The model is fully architecture-aware and currently supports:
- **x86_64**
- **x86_32**
- **ARM64 (AArch64)**
- **RISC-V (64-bit)**
## Usage in LCSAJdump
This model is deeply integrated into the `LCSAJdump` CLI tool.
You do not need to download or run this model manually. When you install `LCSAJdump`, the `.pkl` file is bundled in the `lcsajdump/ml/models/` directory.
Simply run the tool against a binary:
```bash
python3 -m lcsajdump.cli /path/to/binary
```
If the model is present, LCSAJdump will automatically activate the **ML re-ranking** engine and output:
`[+] ML re-ranking active (chainfinder_v7_hybrid.pkl)`
*(To disable the ML engine and fall back to pure static heuristics, use the `--algo` flag).*
## Training Data & Performance
The model was trained on a custom dataset (`gadget_dataset.csv`, 2772 samples) built by automatically extracting and labeling gadgets used in **published exploit scripts** from major CTF competitions (e.g., DEF CON, LACTF, DiceCTF, ROP Emporium). Each binary is capped to its top-scoring gadgets so that no single target dominates and the four architectures stay balanced.
**Performance (group-aware 5-fold cross-validation, mean ± std):**
- **NDCG@1:** 0.914 ± 0.047
- **NDCG@3:** 0.895 ± 0.062
- **NDCG@5:** 0.900 ± 0.067
- **NDCG@10:** 0.922 ± 0.052
*(The low standard deviation across folds shows the ranking quality is stable and not tied to a particular train/test split.)*
## Feature Importances (SHAP)
The most impactful features learned by the model are:
1. `is_ret_terminated` (Clean execution flow is paramount)
2. `heuristic_score` (Base syntactic score)
3. `frame_size_bytes` (Stack damage minimization)
4. `sm_stack_pivot_size` (Semantic stack control via `angr`)
5. `stack_slots`
## Author
Created by [Chris1sFlaggin](https://chris1sflaggin.it/LCSAJdump/) for the LCSAJdump project.