Hi,
I've been testing ERASan successfully on some of your provided PoCs.
However, when I tried some small examples of memory-safety vulnerabilities, ERASan showed some surprising behavior. The 4 examples I tested are: simple heap buffer overflow, stack buffer overflow, heap use-after-free, and a buffer overflow through rawptr-to-reference cast.
I attached a git patch file 0001-Minimal-tests.patch which contains the tests. You can apply it to your ERASan Repository via git apply 0001-Minimal-tests.patch
I would have expected ERASan to detect those vulnerabilities but ERASan did not.
Looking at the generated LLVM IR files (erasanOptAnalysis.ll), I found that annotations for raw pointers are missing. For example the file in MINIMAL-TEST-OBRAUNSDORF-RAWPTR: function fn foo(rawptr: *const i32) -> &'static i32 receives a rawptr parameter, however the parameter does not carry any annotation or argument attribute indicating it as rawptr.
define internal align 4 i32* @_ZN31MINIMAL_TEST_OBRAUNSDORF_RAWPTR3foo17haf8cea07a35d0c75E(i32* %rawptr) unnamed_addr #0 !dbg !577 {
...
}
I wonder if I made a mistake compiling my examples with ERASan or if this is an issue of the SVF analysis.
I would be glad if you can test those examples in your environment and maybe point me to what I did wrong.
Furthermore, I looked at your modifications to AddressSanitizer in ERASan.cpp. In lines 2997-3009 where you implemented the check elision, it seems like there is a bug: you are using Operand.getInsn() (which returns the Use Instruction of the Operand Value) to check if an Operand is classified as rawptr, but most likely you wanted to use Operand.getPtr() (which returns the Definition Instruction of the Operand value). This is the value that ASAN usually instruments (see line 1712).
I am attaching a file containing a suggested fix for this bug: ERASan_CorrectedOB.cpp
Can you confirm those findings?
However, this still does not enable detection of vulnerabilities in my examples with ERASan because there are !rawptr annotations missing, as I mentioned above.
It would be great if you can steer me in the right direction, so I can continue to experiment with ERASan.
Thank you very much!
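The following is an added example (not the attached 0001-Minimal-tests.patch and not ERASan's own code) that reconstructs the shape of the "rawptr-to-reference cast" case described above: a function with the signature fn foo(rawptr: *const i32) -> &'static i32 turns a raw pointer into a reference, so the read it produces has no bounds the borrow checker can see and only a sanitizer that instruments the raw-pointer dereference can flag an out-of-bounds access at runtime. The constant OFFSET, the static DATA buffer and the hardened foo_checked are assumptions made for this example.

```rust
// Added example, not code from the issue's attached patch or from ERASan.
// It shows why a raw-pointer parameter needs a sanitizer check: the cast
// `&*rawptr` carries no length, so nothing in safe Rust can reject an
// out-of-bounds offset, and the 'static lifetime is simply asserted.

/// Offset applied to the incoming pointer (assumed for this example).
const OFFSET: usize = 1;

/// Constructed sample buffer the example reads from (a static so that the
/// 'static reference returned by `foo` is actually valid for this input).
pub static DATA: [i32; 4] = [10, 20, 30, 40];

/// Shape from the issue: caller-supplied raw pointer, offset applied without
/// a length, reference lifetime extended to 'static. If `rawptr` points at a
/// buffer shorter than OFFSET + 1 elements, this is an out-of-bounds read
/// that only runtime instrumentation of this load can detect.
pub fn foo(rawptr: *const i32) -> &'static i32 {
    // SAFETY contract that nothing here enforces: rawptr.add(OFFSET) must be
    // in bounds and must outlive the program.
    unsafe { &*rawptr.add(OFFSET) }
}

/// Hardened form: carry the length with the pointer (here, take a slice) and
/// refuse out-of-bounds offsets instead of producing a dangling reference.
pub fn foo_checked(buf: &[i32], offset: usize) -> Option<&i32> {
    buf.get(offset)
}

fn main() {
    // In-bounds use of the unsafe shape: reads DATA[1].
    println!("foo: {}", foo(DATA.as_ptr()));
    // Hardened form on a one-element view: the same offset is rejected.
    println!("foo_checked: {:?}", foo_checked(&DATA[..1], OFFSET));
}
```

The hardened variant replaces the 'static reference with one tied to the slice, so both the bounds and the lifetime become something the compiler can check rather than something a sanitizer must verify at every load.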