# Copyright (c) Microsoft Corporation. All rights reserved.
# Licensed under the MIT License.
#
# The exploitability simulator
#
# This simulator can be used to model the characteristics of exploitation
# techniques under a variety of circumstances.
#
# The following conditions can be customized to broadly define the properties
# of the target being exploited:
#
# Environmental properties:
# - Hardware (ex: p3, p4, x64, ...)
# - Operating system (ex: win_vista_rtm, win_2000_sp4, ...)
# - Application (ex: ie6, ie8, svchost, any, ...)
#
# Flaw properties:
# - Flaw (ex: stack memory corruption, gs enabled, ...)
#
# The characteristics that are measured for each exploitation simulation include:
#
# - Exploitability
# The chance of successfully exploiting the flaw.
#
# - Desirability
# The attractiveness of using a technique based on subjective perceptions
# and chance of success.
#
# - Likelihood
# The subjective likelihood that a required assumption or predicate will be
# true for a given technique.
#
# - Homogeneity
# The population that is likely to be successfully exploited. A function
# of population size and exploitability.
#
# - Fitness
# The overall fitness of an exploitation strategy. A function
# of exploitability, desirability, and likelihood.
#
# The term optimistic is used to define a view-point where things are decided
# in the attacker's favor, thus increasing the chance of successful
# exploitation. The term pessimistic is defined dually: things are decided
# in the defender's favor.
#
# mamill
# 12/2008
#
require 'set'
require 'statemachine'
require 'env'
require 'technique'
Undesirable = 0.10
Desirable = 1.0
Unlikely = 0.10
Likely = 1.0
#
# Modifications to the Statemachine interface to facilitate automatic
# simulation.
#
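module Statemachine
  class Statemachine
    # When set, State#enter explores every outgoing transition of each state
    # it enters instead of waiting for events to be delivered.
    attr_accessor :autosimulate
    # Transitions on the path currently being explored; a transition that is
    # already on the path is not entered again (bounds cyclic machines).
    attr_accessor :simulation_stack
    # Raw access to the machine's current state, state table and transition
    # table, which the simulator snapshots and restores between branches.
    attr_reader :state, :states, :transitions

    # Switch the machine into automatic simulation and start exploring from
    # the current state. Does nothing if the machine has no state yet.
    def simulate
      @autosimulate = true
      @simulation_stack = []
      @state.enter if @state
    end
  end

  class State
    # Enter this state: trace it, run the entry action and, when the owning
    # machine is in autosimulate mode, fan out over every outgoing transition.
    #
    # args:: forwarded to the entry action and to process_event.
    #
    # Each transition is explored with the machine's context replaced by a
    # dup of the current one, so assumptions made down one path stay local to
    # that path. The original context and state are restored after every
    # branch in an ensure clause, so an unexpected error inside a branch can
    # no longer leave the machine pointing at a stale context or a stale
    # simulation_stack entry.
    def enter(args=[])
      @statemachine.trace("\tentering #{self}")
      @statemachine.invoke_action(@entry_action, args, "entry action for #{self}") if @entry_action
      return unless @statemachine.autosimulate

      orig_context = @statemachine.context
      orig_state = @statemachine.state
      stack = @statemachine.simulation_stack

      transitions.each_pair do |event, transition|
        # A transition already on the current path is not re-entered.
        next if stack.member?(transition)
        stack.push(transition)
        begin
          branch = orig_context.dup
          branch.current_transition = transition
          branch.current_event = event
          @statemachine.context = branch
          @statemachine.process_event(event, args)
        rescue StatemachineException => ex
          # The branch hit an impossible condition (typically an unsatisfied
          # predicate). Record the dead end only when the caller asked for it.
          # Not every StatemachineException carries an abort_reason, so fall
          # back to the exception message.
          if branch.track_impossible
            branch.transitions = stack.dup
            branch.aborted = true
            branch.abort_reason = ex.respond_to?(:abort_reason) ? ex.abort_reason : ex.message
            branch.global.add_simulation branch
          end
        ensure
          # Restore for the next iteration regardless of how the branch ended.
          stack.pop
          @statemachine.context = orig_context
          @statemachine.state = orig_state
        end
      end
    end
  end
end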
module ExSim
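# Raised by SimulationContext#predicate when a predicate evaluates to zero and
# impossible paths are not allowed; it unwinds the current statemachine
# transition so the branch is abandoned.
class PredicateNotSatisfied < Statemachine::StatemachineException
  # The predicate (symbol or other object) that was not satisfied; may be nil.
  attr_reader :predicate

  # predicate:: the unsatisfied predicate, also exposed as abort_reason.
  # The exception message names the predicate so that an uncaught failure is
  # diagnosable instead of printing only the class name.
  def initialize(predicate)
    @predicate = predicate
    super("predicate not satisfied: #{abort_reason}")
  end

  # Text recorded on an aborted simulation context (empty string when no
  # predicate was supplied).
  def abort_reason
    (@predicate || '').to_s
  end
end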
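# Global context shared across all branches of a given simulation.
#
# Simulations are bucketed by their equivalence id (fitness plus the set of
# techniques used, see SimulationContext#equivalence_id). Depending on the
# tracking flags either one representative per bucket or every member is
# retained.
class GlobalSimulationContext
  def initialize
    @track_equivalent_only = false
    @track_minimal_only = false
    @simulations = {}
    @simulation_count = 0
  end

  # When true, only one representative is kept per equivalence class
  # (member_count still records how many were seen).
  attr_accessor :track_equivalent_only
  # When true, simulations that are not minimal (SimulationContext#is_minimal?)
  # are dropped on arrival.
  attr_accessor :track_minimal_only
  # Number of simulations accepted by add_simulation, across all classes.
  attr_reader :simulation_count

  # Upper bounds of the bands used by exploitability_range_counts.
  ExploitabilityRanges = [ 0, 0.0001, 0.001, 0.01, 0.10, 0.25, 0.50, 0.75, 0.99, 1.0 ].freeze

  #
  # Equivalence classes ordered by descending fitness, ties broken by the
  # shorter transition sequence first. Returns the representatives (with
  # equivalence_count filled in) when only equivalents are tracked, otherwise
  # every retained simulation grouped by class.
  #
  def simulations_sorted
    ordered = @simulations.values.sort do |x, y|
      [ y[:fitness], x[:simulation].transitions.length ] <=>
        [ x[:fitness], y[:simulation].transitions.length ]
    end
    if @track_equivalent_only
      ordered.map do |group|
        representative = group[:simulation]
        representative.equivalence_count = group[:member_count]
        representative
      end
    else
      ordered.inject([]) { |all, group| all + group[:simulations] }
    end
  end

  # min_*/max_*/avg_* give the extreme and average of each metric over the
  # retained simulations (0.0 when nothing has been recorded).
  [ :fitness, :exploitability, :desirability, :likelihood, :homogeneity ].each do |metric|
    define_method("min_#{metric}") { min { |s| s.send(metric) } }
    define_method("max_#{metric}") { max { |s| s.send(metric) } }
    define_method("avg_#{metric}") { avg { |s| s.send(metric) } }
  end

  #
  # Record a completed (or aborted) simulation.
  #
  # Non-minimal simulations are discarded when track_minimal_only is set.
  # Otherwise the simulation joins its equivalence class, creating the class
  # on first sight. Every accepted simulation increments simulation_count
  # exactly once; previously the counter was reset to 1 whenever a new class
  # appeared, so it only ever reflected the tail of the run.
  #
  def add_simulation(sim)
    return if @track_minimal_only && sim.is_minimal? == false
    @simulation_count += 1
    eqid = sim.equivalence_id
    group = @simulations[eqid]
    if group
      group[:member_count] += 1
      group[:simulations] << sim unless @track_equivalent_only
    else
      group = {
        :fitness => sim.fitness,
        :simulation => sim,
        :member_count => 1
      }
      group[:simulations] = [ sim ] unless @track_equivalent_only
      @simulations[eqid] = group
    end
  end

  # Yield every retained simulation (one representative per class when only
  # equivalents are tracked).
  def each_simulation
    @simulations.each_value do |group|
      if @track_equivalent_only
        yield group[:simulation]
      else
        group[:simulations].each { |sim| yield sim }
      end
    end
  end

  #
  # Histogram of the retained simulations by exploitability band.
  #
  # Returns [[upper_bound, info], ...] sorted with the highest band first,
  # where info[:total_count] is the number of simulations in the band,
  # info[:equiv_count] the number of equivalence classes represented in it
  # and info[:prev_range] the band's lower bound. A simulation falls into the
  # first band whose upper bound is >= its exploitability; a value above 1.0
  # matches no band and is filed under 0 (kept from the original).
  #
  # When only one representative per class is retained, its exploitability
  # stands for the whole class and total_count is weighted by member_count.
  # When every member is retained each one counts once; the earlier version
  # added the whole class's member_count for every member, which squared the
  # totals and counted one class several times.
  #
  def exploitability_range_counts
    counts = {}
    classes_seen = {}
    each_simulation do |simulation|
      lower = 0
      upper = nil
      ExploitabilityRanges.each do |bound|
        if simulation.exploitability <= bound
          upper = bound
          break
        end
        lower = bound
      end
      upper = 0 if upper.nil?
      info = (counts[upper] ||= { :total_count => 0, :equiv_count => 0, :prev_range => lower })
      eqid = simulation.equivalence_id
      if @track_equivalent_only
        info[:total_count] += @simulations[eqid][:member_count]
      else
        info[:total_count] += 1
      end
      unless classes_seen[[upper, eqid]]
        classes_seen[[upper, eqid]] = true
        info[:equiv_count] += 1
      end
    end
    counts.to_a.sort { |x, y| y[0] <=> x[0] }
  end

  private

  attr_accessor :simulations

  # Mean of the block's value over the retained simulations; 0.0 if none.
  def avg
    return 0.0 if @simulations.empty?
    total = 0.0
    count = 0
    each_simulation do |simulation|
      total += yield(simulation)
      count += 1
    end
    total / count
  end

  # Smallest block value over the retained simulations; 0.0 if none.
  def min
    return 0.0 if @simulations.empty?
    best = nil
    each_simulation do |simulation|
      value = yield(simulation)
      best = value if best.nil? || value < best
    end
    best
  end

  # Largest block value over the retained simulations; 0.0 if none.
  def max
    return 0.0 if @simulations.empty?
    best = nil
    each_simulation do |simulation|
      value = yield(simulation)
      best = value if best.nil? || value > best
    end
    best
  end
end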
#
# A context that is unique to a specific path taken by an
# exploitation strategy during simulation.
#
class SimulationContext
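# Copy this context for an alternative simulation branch.
#
# The assumption table is copied one level deeper than a plain Hash#dup:
# get_assumption marks records as :used in place, so sharing the record
# hashes between sibling branches would let one path's predicate usage leak
# into another's is_minimal? verdict. The technique set is copied so that
# techniques added later stay local to the branch.
def dup
  instance = super
  copied = {}
  @assumptions.each_pair { |key, record| copied[key] = record.dup }
  instance.assumptions = copied
  instance.techniques = @techniques.dup
  instance
end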
# Create a fresh context attached to +global+ (a new global context by
# default). Every score starts at 1.0 and is only ever scaled down as
# assumptions and predicates are applied; the default outlook is optimistic.
def initialize(global = GlobalSimulationContext.new)
  @global = global
  @target = Target.new
  # Simulation controls
  @allow_impossible = false
  @track_impossible = false
  @debug = false
  @modes = []
  # Scores combined by fitness
  @exploitability = 1.0
  @desirability = 1.0
  @likelihood = 1.0
  # Assumption and predicate bookkeeping
  @assumptions = {}
  @techniques = Set.new
  @assumption_id = 0
  @predicate_id = 0
  # Outlook: by default things go the attacker's way.
  @optimistic = true
  @pesimistic = false
end
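# Modes a context can run in (see mode_is_* and the attacker_favors_* /
# normally_* helpers). Frozen: it is a shared constant and must not be
# mutated by a caller.
SimulationModes =
  [
    :attack_favor,
    :defense_favor,
    :public_only,
    :normal
  ].freeze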
# Debug counters used by predicate: evaluations per event and the running
# total. Class variables, hence shared by every SimulationContext.
@@evtcounts, @@debugcount = {}, 0
# Human-readable dump of the target: one "name: value" line per bit
# descriptor registered on Target, with names padded to 50 columns.
def target_detail_to_s
  lines = ''
  Target.each_bit_desc do |_bit, desc|
    name = desc[:name].to_s.ljust(50)
    lines << "#{name}: #{desc[:get].call(self)}\n"
  end
  lines
end
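# The target as one CSV row, one cell per bit descriptor registered on
# Target, with booleans rendered as 1/0.
#
# Cells are joined rather than appended conditionally: the previous version
# only emitted a separator once the buffer was non-empty, so a leading cell
# whose value rendered as "" (e.g. nil) was silently dropped and every later
# column shifted left.
def target_detail_to_csv
  cells = []
  Target.each_bit_desc do |_bit, desc|
    value = desc[:get].call(self)
    value = 1 if value == true
    value = 0 if value == false
    cells << value.to_s
  end
  cells.join(",")
end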
# Cache key for a condition: "sym(arg1,arg2,...)", each argument via to_s.
def genkey(sym, *args)
  rendered = args.map { |arg| arg.to_s }
  "#{sym}(#{rendered.join(',')})"
end
#
# Evaluate a predicate once per context and fold its degree of satisfaction
# into the exploitability score.
#
# sym::   predicate name; without a block it is invoked via send(sym, *args),
#         which also reaches private methods.
# args::  forwarded to the predicate and, together with sym, used to key the
#         assumption cache (see genkey).
# block:: optional evaluator used instead of send.
#
# Returns the predicate's value translated to a degree (true => 1.0,
# false => 0.0, numbers as-is). A cached result is returned without touching
# the score again. A zero result aborts the branch by raising
# PredicateNotSatisfied unless allow_impossible is set.
#
def predicate(sym, *args, &block)
  # Debug statistics: count evaluations per event and dump the tally every
  # 200000 predicates. Class variables, so shared by every context.
  if @debug
    evt = "#{self.current_event}"
    @@evtcounts[evt] = 0 if @@evtcounts[evt].nil?
    @@evtcounts[evt] += 1
    @@debugcount += 1
    if ((@@debugcount + 1) % 200000) == 0
      cache = @@evtcounts.keys.sort do |x, y|
        @@evtcounts[x] <=> @@evtcounts[y]
      end
      cache.each do |cacheevt|
        puts "#{cacheevt}: #{@@evtcounts[cacheevt]}"
      end
    end
  end
  key = genkey(sym, *args)
  # If we've already evaluated this predicate, then don't do so again
  # as we do not want to factor it into exploitability multiple times
  # (get_assumption also marks the record as used).
  return get_assumption(key)[:rv] if has_assumption(key)
  # Evaluate the predicate
  if block.nil?
    rv = send(sym, *args)
  else
    rv = block.call(*args)
  end
  # Translate booleans to degrees; any other value is used as returned.
  if rv == true
    rv = 1.0
  elsif rv == false
    rv = 0.0
  end
  # If the predicate returns zero, then it was not satisfied. We can now
  # abort the simulation because we have reached an impossible condition.
  # The score is zeroed before raising so an aborted context reports 0.0.
  if rv == 0 and @allow_impossible == false
    @exploitability = 0.0
    raise PredicateNotSatisfied.new(sym)
  end
  # Create a new assumption based on the answer to the predicate
  new_assumption(
    key,
    :id => @assumption_id += 1,
    :rv => rv,
    :predicated => true,
    :transition => self.current_transition,
    :event => self.current_event)
  # Adjust the effective exploitability based on the degree
  # to which the predicate was satisfied.
  @exploitability *= rv
  rv
end
# Evaluate a predicate like predicate but drop its assumption record
# afterwards. Note that only the record is removed: any exploitability
# adjustment predicate made stays applied, and a later call re-evaluates.
def predicate_nocache(sym, *args, &block)
  result = predicate(sym, *args, &block)
  @assumptions.delete(genkey(sym, *args))
  result
end
#
# Associates the current event with a technique (a technique class); adding
# the same technique twice is a no-op.
#
def technique(technique_class)
  @techniques << technique_class unless @techniques.include?(technique_class)
end
#
# A citation for the current transition. +name+ identifies the reference and
# +opts+ carries optional details; currently nothing is recorded.
#
def cite(name, opts = {})
  nil
end
#
# An opaque note associated with a transition; currently discarded.
#
def note(note)
  nil
end
# True once a condition has been recorded (predicated or assumed), whatever
# its degree. Marks the record as used.
def assumes?(sym, *args)
  !get_assumption(genkey(sym, *args)).nil?
end
# True if the condition has been recorded with degree 1.0.
def assumed_true?(sym, *args)
  record = get_assumption(genkey(sym, *args))
  !record.nil? && record[:rv] == 1.0
end
# True if the condition has been recorded with degree 0.0.
def assumed_false?(sym, *args)
  record = get_assumption(genkey(sym, *args))
  !record.nil? && record[:rv] == 0.0
end
# True if the condition is unrecorded or recorded with degree 0.0.
def assumed_false_or_nil?(sym, *args)
  record = get_assumption(genkey(sym, *args))
  record.nil? || record[:rv] == 0.0
end
# Look up the assumption record for +key+ and flag it as used (the flag
# feeds is_minimal?). Returns nil when nothing has been recorded.
def get_assumption(key)
  record = @assumptions[key]
  record[:used] = true if record
  record
end
# The record for +key+ without marking it used, or nil if absent.
def has_assumption(key)
  @assumptions.fetch(key, nil)
end
# Assume the degree to which a condition is satisfied and fold it into the
# exploitability score.
#
# The degree comes from +block+ if given, else from send(sym, *args) if the
# context responds to +sym+, else from the arguments themselves (the single
# argument, or the whole array). true/false translate to 1.0/0.0. A
# condition already recorded is left untouched and nil is returned.
def assume(sym, *args, &block)
  key = genkey(sym, *args)
  return if @assumptions[key]
  degree =
    if block
      block.call(*args)
    elsif respond_to?(sym)
      send(sym, *args)
    else
      args.length == 1 ? args[0] : args
    end
  degree = 1.0 if degree == true
  degree = 0.0 if degree == false
  new_assumption(
    key,
    :id => @assumption_id += 1,
    :rv => degree,
    :predicated => false,
    :transition => current_transition,
    :event => current_event)
  @exploitability *= degree
  degree
end
# Store (or overwrite) the assumption record for +key+; returns the record.
def new_assumption(key, hash = {})
  @assumptions.store(key, hash)
end
# Record the condition as fully satisfied (degree 1.0) regardless of its
# arguments.
def explicitly_assume(sym, *args)
  assume(sym, *args) { |*_| 1.0 }
end
# Record the condition as satisfied (degree 1.0).
def assume_true(sym, *args)
  assume(sym, *args) { |*_| 1.0 }
end
# Record the condition as unsatisfied (degree 0.0); unlike predicate this
# does not abort the branch.
def assume_zero(sym, *args)
  assume(sym, *args) { |*_| 0.0 }
end
# Assumption records as [key, record] pairs in the order they were made.
def inorder_assumptions
  @assumptions.sort_by { |_key, record| record[:id] }
end
# A simulation is minimal if all transitions contribute at least
# one assumption that is later predicated upon.
def is_minimal?
# Determine if there were any pre-exploitation transitions that had assumptions
# which were never used to enable exploitation (meaning they are superfluous).
transition_used = {}
@assumptions.values.each do |assumption|
transition = assumption[:transition]
next if transition.origin_id != :preparing_environment
transition_used[transition] = false if transition_used[transition].nil?
if assumption[:used]
transition_used[transition] = true
end
end
# If this sequence does not include any pre-exploitation transitions that
# contribute no value, then we consider this simulation to be 'minimal'.
not transition_used.values.include?(false)
end
# The global simulation context (shared by every branch of the run)
attr_reader :global

# Outcome of this branch as recorded by the simulator
attr_accessor :aborted, :abort_reason, :context_id, :transitions, :equivalence_count

# Simulation controls
attr_accessor :allow_impossible, :track_impossible,
              :track_equivalent_only, :track_minimal_only, :debug, :modes

# Statemachine bookkeeping: the machine driving this branch and the
# transition/event currently being processed
attr_accessor :statemachine, :current_transition, :current_event

# Assumption records and the techniques employed along this path
attr_accessor :assumptions, :techniques

# The target configuration.
attr_accessor :target
# Overall fitness: exploitability scaled by desirability and likelihood.
def fitness
  expl = exploitability
  desire = desirability
  likely = likelihood
  expl * desire * likely
end
# Likelihood describes the likelihood of certain conditions occurring in
# practice. An explicit "likelihood()" assumption overrides the running
# score; otherwise the score is scaled by +n+ (when given) and returned.
def likelihood(n = nil)
  override = @assumptions[genkey(:likelihood)]
  return override[:rv] if override
  @likelihood *= n unless n.nil?
  @likelihood
end
# Desirability gives a measure of ease-of-attack: easy attacks are more
# desirable than hard ones. An explicit "desirability()" assumption
# overrides the running score; otherwise the score is scaled by +n+ (when
# given) and returned.
def desirability(n = nil)
  override = @assumptions[genkey(:desirability)]
  return override[:rv] if override
  @desirability *= n unless n.nil?
  @desirability
end
# Exploitability describes the expected chance of successful exploitation.
# Scales the score by +n+ when given and returns it.
def exploitability(n = nil)
  @exploitability *= n unless n.nil?
  @exploitability
end
# Size of the affected population: an explicit override (population=) if
# set, else the product of the hardware, OS and application populations.
def population
  @population || target.hw.population * target.os.population * target.app.population
end
# Override the population derived from the target (see population).
def population=(x)
  @population = x
end
#
# Two simulations are considered equivalent if their fitness values are the
# same and they employ the same exploitation techniques (see equivalence_id).
#
def equivalent(sim)
  self.equivalence_id == sim.equivalence_id
end
# Identity used to bucket simulations: fitness plus the technique set.
# NOTE(review): the Set is the live @techniques object; if techniques are
# added after this id has been used as a hash key the bucket lookup in
# GlobalSimulationContext would no longer find it.
def equivalence_id
  [ fitness, techniques ]
end
# True when undecided conditions are resolved in the attacker's favor.
def mode_is_attack_favor?
  @modes.member?(:attack_favor)
end
# True when undecided conditions are resolved in the defender's favor.
def mode_is_defense_favor?
  @modes.member?(:defense_favor)
end
# True when the :public_only mode is active.
def mode_is_public_only?
  @modes.member?(:public_only)
end
# True when the :normal mode is active (see normally_true/normally_false).
def mode_is_normal?
  @modes.member?(:normal)
end
# Resolve an undecided (nil) condition the way the current mode dictates:
# true under :attack_favor, false under :defense_favor, otherwise it stays
# nil. A decided value is returned unchanged.
def attacker_favors_true(v = nil)
  return v unless v.nil?
  if mode_is_attack_favor?
    true
  elsif mode_is_defense_favor?
    false
  else
    nil
  end
end
# Resolve an undecided (nil) condition whose false value helps the attacker:
# false under :attack_favor, true under :defense_favor, otherwise it stays
# nil. A decided value is returned unchanged.
def attacker_favors_false(v = nil)
  return v unless v.nil?
  if mode_is_attack_favor?
    false
  elsif mode_is_defense_favor?
    true
  else
    nil
  end
end
# Under :normal mode an undecided (nil) condition defaults to true; any
# decided value, and nil outside :normal mode, is returned unchanged.
def normally_true(v = nil)
  return v unless v.nil?
  mode_is_normal? ? true : nil
end
# Under :normal mode an undecided (nil) condition defaults to false; any
# decided value, and nil outside :normal mode, is returned unchanged.
def normally_false(v = nil)
  return v unless v.nil?
  mode_is_normal? ? false : nil
end
#
# The current measure of homogeneity: the share of the population expected
# to be exploitable, i.e. population scaled by the exploitability score.
#
def homogeneity
  @exploitability * population
end
###
###
### Predicate helper routines
###
###
#
# True if the attacker is able to leak an address within the provided virtual
# address region; an undecided capability is resolved by attacker_favors_true.
# Unknown regions yield false.
#
def can_discover_address(va)
  capability = {
    :stack      => :can_discover_stack_address,
    :heap       => :can_discover_heap_address,
    :heapbase   => :can_discover_heap_base_address,
    :peb        => :can_discover_peb_address,
    :image      => :can_discover_image_address,
    :ntdll      => :can_discover_ntdll_image_address,
    :nonsafeseh => :can_discover_non_safeseh_image_address
  }[va]
  return false if capability.nil?
  # Fixed table above, so send never receives a caller-supplied name.
  attacker_favors_true target.cap.send(capability)
end
#
# Determines if the attacker can discover the stack cookie value: false by
# default under :normal mode, otherwise resolved by attacker_favors_true.
#
def can_discover_stack_cookie
  known = normally_false(target.flaw.can_discover_stack_cookie)
  attacker_favors_true(known)
end
#
# Determines if the attacker can discover the vtguard cookie value: false by
# default under :normal mode, otherwise resolved by attacker_favors_true.
#
def can_discover_vtguard_cookie
  known = normally_false(target.flaw.can_discover_vtguard_cookie)
  attacker_favors_true(known)
end
#
# The effective number of bits of entropy for the provided virtual address
# region (e.g. stack, heap, or image), taken from the target OS profile.
# Kernel flaws use the kernel figures, user flaws the user-mode ones. For
# images the smaller of the two applicable figures is used (a nil figure
# defers to the other one). Unknown regions and missing figures yield 0.0.
#
def aslr_entropy_bits(va)
  # Smaller of two entropy figures where either may be nil (unknown).
  lesser = lambda do |primary, secondary|
    if primary.nil? or (secondary and primary > secondary)
      secondary
    else
      primary
    end
  end
  os = target.os
  bits =
    if is_kernel_app
      case va
      when :stack then os.kernel_aslr_entropy_stacks
      when :image then lesser.call(os.kernel_aslr_entropy_kernel_images, os.kernel_aslr_entropy_driver_images)
      else 0.0
      end
    else
      case va
      when :stack                then os.user_aslr_entropy_stacks
      when :heap, :heapbase      then os.user_aslr_entropy_heaps
      when :peb                  then os.user_aslr_entropy_peb
      when :bottom_up            then os.user_aslr_entropy_bottom_up
      when :image, :vtimage      then lesser.call(os.user_aslr_entropy_exe_images, os.user_aslr_entropy_lib_images)
      when :force_relocate_image then os.user_aslr_entropy_force_relocation
      else 0.0
      end
    end
  bits || 0.0
end
#
# The minimum number of entropy bits across a list of virtual address
# regions; 0.0 for an empty list.
#
def min_aslr_entropy_bits(*va_list)
  va_list.map { |va| aslr_entropy_bits(va) }.min || 0.0
end
#
# Determines the degree to which ASLR inhibits discovering an address
# within the provided virtual address region (such as an executable image)
# and returns the probability of ASLR inhibiting the guessing of an address
# where 0.0 means ASLR will never inhibit and 1.0 means ASLR will always inhibit.
#
def aslr_inhibition_degree(va)
case va
#
# ASLR does not inhibit the finding of a stack, heap, or PEB/TEB if their
# address can be leaked.
#
when :stack, :heap, :heapbase, :peb
if can_discover_address(va)
0.0
elsif aslr_entropy_bits(va) > 0
(1.0 - (1.0 / (2 ** aslr_entropy_bits(va))))
else
0.0
end
when :force_relocate_image
if aslr_entropy_bits(va) > 0
(1.0 - (1.0 / (2 ** aslr_entropy_bits(va))))
else
0.0
end
#
# ASLR does not inhibit the finding of writable data if the attacker can
# spray data bottom up or if they can leak the address of a writable
# memory region
#
when :data
if (assumed_true? :can_find_desired_data or
attacker_favors_true(target.cap.can_spray_data_bottom_up) or
can_discover_address :stack or
can_discover_address :heap or
can_discover_address :image)
0.0
elsif min_aslr_entropy_bits(:stack, :heap, :image) > 0
(1.0 - (1.0 / (2 ** min_aslr_entropy_bits(:stack, :heap, :image))))
else
0.0
end
#
# ASLR does not inhibit the finding of code if this is a local flaw, the attacker
# can spray code bottom up, or the attacker is able to leak the address of an image.
#
when :code, :image
if (is_local_flaw or
assumed_true? :can_find_desired_code or
assumed_true? :can_find_attacker_controlled_code or
attacker_favors_true(normally_false(target.cap.can_spray_code_bottom_up)) or
can_discover_address(:image))
0.0
elsif aslr_entropy_bits(:image) > 0
(1.0 - (1.0 / (2 ** aslr_entropy_bits(:image))))
else
0.0
end
when :vtimage
if aslr_entropy_bits(:image) > 0
(1.0 - (1.0 / (2 ** aslr_entropy_bits(:image))))
else
0.0
end
#
# The inhibition degree for a specific image.
#
when /^image/
if va == 'image:ntdll' and can_discover_address :ntdll
0.0
elsif is_local_flaw or can_discover_address :image
0.0
elsif aslr_entropy_bits(:image) > 0
(1.0 - (1.0 / (2 ** aslr_entropy_bits(:image))))
else