Feature: dependency graphs #82

Merged
merged 4 commits into from Feb 20, 2015

2 participants
@commial
Member

commial commented Feb 20, 2015

Introduce DependencyGraph, computing dependencies of elements.

The dependencies are computed through a list of blocs (IRA).
APIs .get* return an iterator on DependencyResult. Each one contains only relevant DependencyNodes, which stand for an element at a given line in a given basic block. That way, outputs contain each element involved in the targets' value computation.

Different outputs stand for different paths through blocks (loop, if-then-else statements, ...).

In addition, the DependencyResult class offers some API, such as:

  • a DiGraph output
  • the symbolic execution of intermediary elements in order to get their expected value

By defining explicit dependencies as dependencies only involved by instruction semantics (unlike those involved by branching), the sub-algorithm NoMemory seems sound and complete.
The standard one (best effort) suffers from memory aliases.

This algorithm has been co-developed with @serpilliere.

An example of use is joined to this PR, through an IDA plug-in.

For instance, the source code of example/samples/simple_test.bin is (example/samples/simple_test.c):

int test(unsigned int argc, char** argv)
{
        unsigned int ret;
        if (argc == 0)
                ret = 0x1001;
        else if (argc < 2)
                ret = 0x1002;
        else if (argc <= 5)
                ret = 0x1003;
        else if (argc != 7 && argc*2 == 14)
                ret = 0x1004;
        else if (argc*2 == 14)
                ret = 0x1005;
        else if (argc & 0x30)
                ret = 0x1006;
        else if (argc + 3 == 0x45)
                ret = 0x1007;
        else
                ret = 0x1008;
        return ret;
}

Let's invoke the script on the return ret; statement (offset 0x88).

Once launch is pressed, a first path is highlighted.
Line dependencies are added as comments (here the stack, and the constant 0x1003).

In addition, on the console (we track EAX):

Get graph number 01
Dump the graph to /tmp/solution_0x00000088_01.dot
Possible value: 0x1003

By pressing Shift+N, one can get every solution one after another:

Possible value: 0x1002
Possible value: 0x1008
...
Possible value: 0x1001
Done: 8 solutions

Regression tests are based on 10 graphs with different layouts.
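To make the backward walk described above concrete, here is a self-contained toy version of it (an added example, not code from this PR or from miasm): blocks are lists of IR lines, only explicit instruction-semantics dependencies are followed (no memory, no branch conditions, as in the NoMemory variant), each CFG path yields one solution, and a small forward replay plays the role of the symbolic execution that gives the "Possible value". The CFG, the line format and the block names are constructed for this illustration.

```python
from collections import namedtuple

Node = namedtuple("Node", "block line dst")  # an element at a line of a block

# Constructed toy CFG mirroring simple_test.c: three arms set `ret`, then join.
# Each IR line is (dst, list_of_source_elements, constant_or_None).
BLOCKS = {
    "entry": [("argc", [], 3)],
    "arm1":  [("ret", [], 0x1001)],
    "arm2":  [("ret", [], 0x1002)],
    "arm3":  [("tmp", ["argc"], None), ("ret", ["tmp"], None)],
    "join":  [("EAX", ["ret"], None), ("ESP", ["ESP"], None)],
}
PREDS = {"entry": [], "arm1": ["entry"], "arm2": ["entry"], "arm3": ["entry"],
         "join": ["arm1", "arm2", "arm3"]}


def depgraph(block, line, pending, path=()):
    """Yield one solution per CFG path: (relevant nodes, unresolved elements).

    `pending` is the set of elements still to be explained before `line`.
    """
    nodes, pending = [], set(pending)
    for i in range(line - 1, -1, -1):            # walk the block backwards
        dst, srcs, _ = BLOCKS[block][i]
        if dst in pending:                       # only relevant lines are kept
            nodes.append(Node(block, i, dst))
            pending.remove(dst)
            pending.update(srcs)
    path = path + (block,)
    preds = [p for p in PREDS[block] if p not in path]  # cut loops per path
    if not pending or not preds:
        yield nodes, pending                     # unresolved = input (e.g. stack)
        return
    for pred in preds:                           # one solution per predecessor
        for sub, left in depgraph(pred, len(BLOCKS[pred]), pending, path):
            yield nodes + sub, left


def emul(nodes):
    """Replay the dependency chain forward to get the target's concrete value."""
    env = {}
    for blk, i, dst in reversed(nodes):          # definitions first
        _, srcs, const = BLOCKS[blk][i]
        env[dst] = const if const is not None else env[srcs[0]]
    return env[nodes[0].dst]


def possible_values(block, line, element):
    """Concrete values of `element` before `line` of `block`, one per path."""
    return sorted(emul(n) for n, left in depgraph(block, line, {element}) if not left)
```

Tracking EAX at the end of the join block yields three solutions (one per arm), while tracking ESP leaves it unresolved in every solution, which is the "stack" dependency the comment above mentions.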

commial added some commits Feb 11, 2015

Analysis: Introduce DependencyGraph, computing dependencies of elements
The dependencies are computed through a list of blocs (IRA).
APIs `.get*` return an iterator on DiGraph(DependencyNode). Each DiGraph
contains only relevant DependencyNodes, which stand for an element at
a given line in a given basic block. That way, outputs contain each element
involved in the target value computation.

Different outputs stand for different paths through blocks (loop, ...).

This algorithm has been co-developed with @serpilliere.

serpilliere added a commit that referenced this pull request Feb 20, 2015

@serpilliere serpilliere merged commit f8e5ad9 into cea-sec:master Feb 20, 2015

@commial commial deleted the commial:feature-depgraph branch Feb 27, 2015
