--- language: - en - it license: mit tags: - pwn - ctf - rop - reverse-engineering - symbolic-execution - cybersecurity - angr - lightgbm - ranking datasets: - custom metrics: - ndcg --- # LCSAJdump Hybrid ML Gadget Ranker ## Model Overview This repository contains the pre-trained Machine Learning model used by the **[LCSAJdump](https://github.com/chris1sflaggin/LCSAJdump)** ROP/JOP/COP gadget finder. The model is a **LightGBM LambdaRank** engine designed to score and sort Return-Oriented Programming (ROP) gadgets extracted from binary executables. It was trained to differentiate between useless instruction sequences and highly valuable, exploit-ready gadgets by combining structural static analysis with **Deep Semantic Features** (extracted via `angr` symbolic execution). ## How it works Traditional gadget finders (like `ROPgadget` or `ropper`) rely on syntactic heuristics (e.g., "does it end with `ret`?" or "does it pop `rdi`?"). This approach often yields hundreds of false positives, especially in obfuscated binaries or complex architectures like ARM64 and RISC-V. This LambdaRank model receives a set of 29 features for each gadget, including: 1. **Structural Features:** Extracted by LCSAJdump's RainbowBFS algorithm (e.g., instruction count, presence of internal calls, clobbered registers). 2. **Semantic Features:** Extracted by running the gadget through the `angr` symbolic execution engine. The model mathematically knows if a gadget *actually* performs a stack pivot (`sm_stack_pivot_size`), controls argument registers (`sm_controls_arg_reg`), or performs memory writes (`sm_writes_memory`). By learning from a ground truth of **real-world CTF exploit scripts**, the model learns to prioritize gadgets that are genuinely useful for building exploit chains, achieving an **NDCG@5 of ~0.90** under group-aware 5-fold cross-validation. ## Architectures Supported The model is fully architecture-aware and currently supports: - **x86_64** - **x86_32** - **ARM64 (AArch64)** - **RISC-V (64-bit)** ## Usage in LCSAJdump This model is deeply integrated into the `LCSAJdump` CLI tool. You do not need to download or run this model manually. When you install `LCSAJdump`, the `.pkl` file is bundled in the `lcsajdump/ml/models/` directory. Simply run the tool against a binary: ```bash python3 -m lcsajdump.cli /path/to/binary ``` If the model is present, LCSAJdump will automatically activate the **ML re-ranking** engine and output: `[+] ML re-ranking active (chainfinder_v7_hybrid.pkl)` *(To disable the ML engine and fall back to pure static heuristics, use the `--algo` flag).* ## Training Data & Performance The model was trained on a custom dataset (`gadget_dataset.csv`, 2772 samples) built by automatically extracting and labeling gadgets used in **published exploit scripts** from major CTF competitions (e.g., DEF CON, LACTF, DiceCTF, ROP Emporium). Each binary is capped to its top-scoring gadgets so that no single target dominates and the four architectures stay balanced. **Performance (group-aware 5-fold cross-validation, mean ± std):** - **NDCG@1:** 0.914 ± 0.047 - **NDCG@3:** 0.895 ± 0.062 - **NDCG@5:** 0.900 ± 0.067 - **NDCG@10:** 0.922 ± 0.052 *(The low standard deviation across folds shows the ranking quality is stable and not tied to a particular train/test split.)* ## Feature Importances (SHAP) The most impactful features learned by the model are: 1. `is_ret_terminated` (Clean execution flow is paramount) 2. `heuristic_score` (Base syntactic score) 3. `frame_size_bytes` (Stack damage minimization) 4. `sm_stack_pivot_size` (Semantic stack control via `angr`) 5. `stack_slots` ## Author Created by [Chris1sFlaggin](https://chris1sflaggin.it/LCSAJdump/) for the LCSAJdump project.