DomTreSat
1.0.0
DOMTRESAT(DTS)是一个静态分析系统,将源代码作为输入,并自动为从创建的Dominator树结构收集的路径生成路径可满足性报告。它以最少的人为干预获得了最大的代码覆盖范围。 Domtresat创建了一个用户控制变量的统治者树,然后在其值上输出约束和操作,以将其馈送到满意度求解器中。这在漏洞发现计划中产生了潜在的兴趣点。
该工具的主要用途是确定对程序中目标的可控输入的可及性,以及该输入需要到达目标。目标自动设置为树的最主要路径。这有助于审计师通过以下图表来识别一系列检查脆弱代码的路径。在这样的程序中,这是我们想要建造并分析使用定义链的最主要的路径。
INPUT
CHECK
/ |
FAIL CHECK
/ |
FAIL CHECK
/ |
FAIL VULNERABILITY
该工具默认是首先分析最主要的路径。这些路径可以描述为具有最大变量的路径。可以根据需求更改此方法,并建立一个快速的重新编译脚本来生成更改的库。
使用定义链(使用-DEF)是一个数据结构,该数据结构包括使用变量,并且该变量的所有定义可以在没有任何其他中间定义的情况下达到该使用。
该工具依赖于通过创建的Dominator树发现的最主要路径中拉出这些数据结构。基本思想是,给定有针对性的用法,即使用变量来到达或引起漏洞,我们可以通过其所有(重新)定义来追踪此变量,并确定a)是否是用户可控的,b)在此输入中使用了哪些操作,然后才能在漏洞中使用该变量(这些输入成为我们的约束)。
Domtresat已在LLVM 3.7.1上进行了测试。
brew install z3$./quick_setup.sh构建和运行测试$./partial_build.sh在更改分析方法后执行增量重建本节介绍了如何运行测试并将其馈送到SAT求解器。
通过最主导的路径来追踪变量(其使用链)定义的测试
$./test_base_case.sh
用Z3运行此测试以生成输入以满足目标路径:
$./complete_test_base_case.sh
通过最主要的路径来追踪变量(其使用链)的定义的测试,在该路径中,使用DEF链现在包含在变量上应用后包含重新定义。
$./test_addition.sh
运行通行证和Z3以生成输入以满足目标路径:
$./complete_test_addition.sh
通过最主要的路径来追踪变量(其使用链)的定义的测试,在该路径中,使用DEF链现在包含减法操作后的重新定义。
$./test_subtraction.sh
运行通行证和Z3以生成输入以满足目标路径:
$./complete_test_subtraction.sh
通过最主要的路径来追踪变量(其使用链)的定义的测试,在该路径中,使用DEF链现在在XOR操作应用于变量后包含重新定义。
$./test_xor.sh
运行通行证和Z3以生成输入以满足目标路径:
$./complete_test_xor.sh
$./complete_test_base_case.sh
...Starting LLVM to Z3 Solver...
[+] Starting Base Case Test
[ CLANG COMPILING TEST APP SOURCES ]
[ RUNNING DOMINATOR TREE PASS ]
<-- Starting analysis from main() -->
[+] Tracing first path of DominatorTree
[ COMPARE FOUND ]
Comparison Operator: IS EQUAL (==)
[+] VALUE TWO:
==> Found Constant Operand: Integer :: 69
[+] VALUE ONE:
Reovering variable operations and starting value....
[-] RECURSING THROUGH OPERATION
[!] FOUND TERMINATING ALLOCATION
[-] RECURSING THROUGH OPERATION
[ TRACING BACK HISTORY OF OPERAND VALUE ]
[+] Found StoreInst to trace
[-] RECURSING THROUGH OPERATION
[-] RECURSING THROUGH OPERATION
[-] RECURSING THROUGH OPERATION
[!] FOUND TERMINATING ALLOCATION
[-] RECURSING THROUGH OPERATION
[ TRACING BACK HISTORY OF OPERAND VALUE ]
[+] Found StoreInst to trace
[-] RECURSING THROUGH OPERATION
[-] RECURSING THROUGH OPERATION
[-] RECURSING THROUGH OPERATION
[!] FOUND TERMINATING ALLOCATION
[-] RECURSING THROUGH OPERATION
[ TRACING BACK HISTORY OF OPERAND VALUE ]
[+] Found StoreInst to trace
.... Potential find. Store took value from :: argv
[-] RECURSING THROUGH OPERATION
[-] RECURSING THROUGH OPERATION
[-] RECURSING THROUGH OPERATION
[-] RECURSING THROUGH OPERATION
[ COMPARE FOUND ]
Comparison Operator: IS EQUAL (==)
[+] VALUE TWO:
==> Found Constant Operand: Integer :: 68
[+] VALUE ONE:
Reovering variable operations and starting value....
[-] RECURSING THROUGH OPERATION
[!] FOUND TERMINATING ALLOCATION
[-] RECURSING THROUGH OPERATION
[ TRACING BACK HISTORY OF OPERAND VALUE ]
[+] Found StoreInst to trace
[-] RECURSING THROUGH OPERATION
[-] RECURSING THROUGH OPERATION
[-] RECURSING THROUGH OPERATION
[!] FOUND TERMINATING ALLOCATION
[-] RECURSING THROUGH OPERATION
[ TRACING BACK HISTORY OF OPERAND VALUE ]
[+] Found StoreInst to trace
[-] RECURSING THROUGH OPERATION
[-] RECURSING THROUGH OPERATION
[-] RECURSING THROUGH OPERATION
[!] FOUND TERMINATING ALLOCATION
[-] RECURSING THROUGH OPERATION
[ TRACING BACK HISTORY OF OPERAND VALUE ]
[+] Found StoreInst to trace
.... Potential find. Store took value from :: argv
[-] RECURSING THROUGH OPERATION
[-] RECURSING THROUGH OPERATION
[-] RECURSING THROUGH OPERATION
[-] RECURSING THROUGH OPERATION
[ COMPARE FOUND ]
Comparison Operator: IS EQUAL (==)
[+] VALUE TWO:
==> Found Constant Operand: Integer :: 67
[+] VALUE ONE:
Reovering variable operations and starting value....
[-] RECURSING THROUGH OPERATION
[!] FOUND TERMINATING ALLOCATION
[-] RECURSING THROUGH OPERATION
[ TRACING BACK HISTORY OF OPERAND VALUE ]
[+] Found StoreInst to trace
[-] RECURSING THROUGH OPERATION
[-] RECURSING THROUGH OPERATION
[-] RECURSING THROUGH OPERATION
[!] FOUND TERMINATING ALLOCATION
[-] RECURSING THROUGH OPERATION
[ TRACING BACK HISTORY OF OPERAND VALUE ]
[+] Found StoreInst to trace
[-] RECURSING THROUGH OPERATION
[-] RECURSING THROUGH OPERATION
[-] RECURSING THROUGH OPERATION
[!] FOUND TERMINATING ALLOCATION
[-] RECURSING THROUGH OPERATION
[ TRACING BACK HISTORY OF OPERAND VALUE ]
[+] Found StoreInst to trace
.... Potential find. Store took value from :: argv
[-] RECURSING THROUGH OPERATION
[-] RECURSING THROUGH OPERATION
[-] RECURSING THROUGH OPERATION
[-] RECURSING THROUGH OPERATION
[ COMPARE FOUND ]
Comparison Operator: IS EQUAL (==)
[+] VALUE TWO:
==> Found Constant Operand: Integer :: 66
[+] VALUE ONE:
Reovering variable operations and starting value....
[-] RECURSING THROUGH OPERATION
[!] FOUND TERMINATING ALLOCATION
[-] RECURSING THROUGH OPERATION
[ TRACING BACK HISTORY OF OPERAND VALUE ]
[+] Found StoreInst to trace
[-] RECURSING THROUGH OPERATION
[-] RECURSING THROUGH OPERATION
[-] RECURSING THROUGH OPERATION
[!] FOUND TERMINATING ALLOCATION
[-] RECURSING THROUGH OPERATION
[ TRACING BACK HISTORY OF OPERAND VALUE ]
[+] Found StoreInst to trace
[-] RECURSING THROUGH OPERATION
[-] RECURSING THROUGH OPERATION
[-] RECURSING THROUGH OPERATION
[!] FOUND TERMINATING ALLOCATION
[-] RECURSING THROUGH OPERATION
[ TRACING BACK HISTORY OF OPERAND VALUE ]
[+] Found StoreInst to trace
.... Potential find. Store took value from :: argv
[-] RECURSING THROUGH OPERATION
[-] RECURSING THROUGH OPERATION
[-] RECURSING THROUGH OPERATION
[-] RECURSING THROUGH OPERATION
Breaking at end of first path with # of children
[ CHECK ]: 0 == 0
<-- Successfully Traversed Dominator Tree -->
[+] The below arguments are operated upon, then this redefinition must finally be equal to the comparisons shown below.
argv[0];== 69
argv[1];== 68
argv[2];== 67
argv[3];== 66
[ FINISHED ]
[ LLVM Ported to Z3 ]
['argv[0]', '== 69']
[ BUILDING EQUATION ]
x == 69
[+] Added all conditions to z3
[+] Checking Satisfiability
sat
argv[0]: 69
['argv[1]', '== 68']
[ BUILDING EQUATION ]
x == 68
[+] Added all conditions to z3
[+] Checking Satisfiability
sat
argv[1]: 68
['argv[2]', '== 67']
[ BUILDING EQUATION ]
x == 67
[+] Added all conditions to z3
[+] Checking Satisfiability
sat
argv[2]: 67
['argv[3]', '== 66']
[ BUILDING EQUATION ]
x == 66
[+] Added all conditions to z3
[+] Checking Satisfiability
sat
argv[3]: 66
[ KEY FOUND ]
EDCB
...Solver Finished...
