Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Wip/dumb tracer #33

Merged
merged 36 commits into from
May 11, 2021
Merged

Wip/dumb tracer #33

merged 36 commits into from
May 11, 2021

Conversation

Kyle-Kyle
Copy link
Collaborator

many changes:

  1. generate ropchain in a generator manner instead of finding the "best" gadget. This allows us to handle cases where the "best" gadgets are conflict with each other and fail the longer chain generation. For example, memory setter relies on using register setters for several times. It's possible that the "best" register setters do not work. In those cases, finding the second best gadget may resolve the issue
  2. support JOP in primitive way
  3. clean up the code for a bit
  4. add timeout mechanisms in gadget analyzer to prevent hangs during gadget analysis.
  5. angrop does not handle conditional execution in arm properly, so we disable it at the moment.

Kyle-Kyle and others added 30 commits February 20, 2021 11:50
@Kyle-Kyle
allow more symbolic memory access if the architecture does not have p…
e25e059 
…op instruction
@Kyle-Kyle
sometimes we don't want angrop to perform its toy rebase analysis
07f6088
@Kyle-Kyle
badbytes should be added to constraints
eb737ed
@Kyle-Kyle
the old method of handling badbytes filters some good addresses becau…
7ae7352 
…se those addresses can be rebased to be good again
@Kyle-Kyle
try other memory write gadget if the 'best' gadget fails
339f8f1
@Kyle-Kyle
lol legacy python2-3 issue
3b0e64a
@Kyle-Kyle
add jump gadget
e1c5149
@Kyle-Kyle
handle some weird corner cases
41e8b01
@Kyle-Kyle
give variables names that make sense
2c69ef3
@Kyle-Kyle
catch some error
b47a2f0
@Kyle-Kyle
never crashes during gadget analysis
7b8dbb8
@Kyle-Kyle
change how caching works in angrop
e4b0190
@Kyle-Kyle
do now allow analyzing a gadget for more than 3 seconds
03172b1
@Kyle-Kyle
goodbye python2
52df00f
@Kyle-Kyle
handle instruction alignment in ARM
1b50c78
@Kyle-Kyle
oops
d61ac18
@Kyle-Kyle
add some timeout
d47e5a8
@Kyle-Kyle
fix timeout stub
169705b
@Kyle-Kyle
filter gadgets containing badbytes from the beginning
f1ced8a
@Kyle-Kyle
don't nuke gadgets, make it a property
0da2da9
@Kyle-Kyle
rework angrop's message display
de2c937
@ltfish
Add tqdm as a dependency.
eccb0dc
@Kyle-Kyle
rewrite how set_regs work completely
e046c9e
@Kyle-Kyle
alright, add the old code back. use the new approach as a backup
2847ef1
@Kyle-Kyle
disable conditional execution code, for now
9d04da7
@Kyle-Kyle
really disable conditional execution for now
8cdd8a3
@Kyle-Kyle
wow, we just hit a case where our new algorithm can find solution and…
40423be 
… the old algorithm can not
@Lukas-Dresel
now that gadgets are filtered initially, we have to account for badby…
c3cb881 
…tes filtering out all gadgets in a range with badbytes, e.g. the binary addresses containing NULL bytes
@ltfish
Limit MIPS gadgets and eliminate the ones whose return address is not…
0deb7a3 
… right above sp.
@Kyle-Kyle
trigger CI
954d2b6
@Kyle-Kyle Kyle-Kyle requested review from salls and ltfish April 28, 2021 04:02
This was referenced May 5, 2021
Merged
Merged
Merged
@rhelmot
Copy link
Member

rhelmot commented May 7, 2021

This is way too big to review... can you add one or more tests verifying the new functionality?

@Kyle-Kyle
Copy link
Collaborator Author

Sure

@Kyle-Kyle
Copy link
Collaborator Author

I just added some tests:

  1. make sure gadget with conditional execution is filtered out on arm because currently angrop does not model conditional execution well.
  2. make sure angrop can make use of gadgets ending with jmp
  3. make sure angrop supports mips

@rhelmot
Copy link
Member

rhelmot commented May 8, 2021

lgtm!

@salls
Copy link
Member

salls commented May 8, 2021

Changes seem good to me

@ltfish
Copy link
Member

ltfish commented May 9, 2021

LGTM. Thank you!

@rhelmot rhelmot merged commit e629274 into master May 11, 2021
@rhelmot rhelmot deleted the wip/dumb_tracer branch May 11, 2021 07:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ltfish ltfish ltfish approved these changes

@salls salls Awaiting requested review from salls

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@Kyle-Kyle @rhelmot @salls @ltfish @Lukas-Dresel