smallworld-re 1.0.0__py3-none-any.whl

smallworld/analyses/field_detection/hints.py

@@ -0,0 +1,133 @@
+import dataclasses
+import typing
+
+from ... import hinting
+
+
+class ClaripySerializable(hinting.Serializable):
+    """Serializable wrapper that allows serializing claripy expressions in hints."""
+
+    @classmethod
+    def claripy_to_dict(cls, expr):
+        if (
+            expr is None
+            or isinstance(expr, int)
+            or isinstance(expr, str)
+            or isinstance(expr, bool)
+        ):
+            return expr
+        else:
+            return {"op": expr.op, "args": list(map(cls.claripy_to_dict, expr.args))}
+
+    def __init__(self, expr):
+        self.expr = expr
+
+    def to_dict(self):
+        return self.claripy_to_dict(self.expr)
+
+    @classmethod
+    def from_dict(cls, dict):
+        raise NotImplementedError(
+            "Rebuilding clairpy is a lot harder than tearing it apart"
+        )
+
+
+@dataclasses.dataclass(frozen=True)
+class FieldHint(hinting.Hint):
+    address: int = 0
+    size: int = 0
+
+    def pp(self, out):
+        out(self.message)
+        out(f"  address:    {hex(self.address)}")
+        out(f"  size:       {self.size}")
+
+
+@dataclasses.dataclass(frozen=True)
+class TrackedFieldHint(FieldHint):
+    label: str = ""
+
+    def pp(self, out):
+        super().pp(out)
+        out(f"  label:      {self.label}")
+
+
+@dataclasses.dataclass(frozen=True)
+class FieldEventHint(FieldHint):
+    """Hint representing a detected, unhandled field"""
+
+    pc: int = 0
+    guards: typing.List[typing.Tuple[int, ClaripySerializable]] = dataclasses.field(
+        default_factory=list
+    )
+    access: str = ""
+
+    def pp(self, out):
+        super().pp(out)
+        out(f"  pc:         {hex(self.pc)}")
+        out(f"  access:     {self.access}")
+        out("  guards:")
+        for pc, guard in self.guards:
+            out(
+                f"    {hex(pc)}: {guard.expr.shallow_repr()} [{list(filter(lambda x: x.op != 'BVV', guard.expr.leaf_asts()))}]"
+            )
+
+
+@dataclasses.dataclass(frozen=True)
+class UnknownFieldHint(FieldEventHint):
+    """Hint representing an access of an unknown field.
+
+    The expression loaded from memory is not
+    a simple slice of any known label.
+    """
+
+    message: str = "Accessed unknown field"  # Don't need to replace
+    expr: str = ""
+
+    def pp(self, out):
+        super().pp(out)
+        out(f"  expr:       {self.expr}")
+
+
+@dataclasses.dataclass(frozen=True)
+class PartialByteFieldAccessHint(FieldEventHint):
+    """Hint representing an access to part of a known field."""
+
+    message: str = "Partial access to known field"  # Don't need to replace
+    label: str = ""
+    start: int = 0
+    end: int = 0
+
+    def pp(self, out):
+        super().pp(out)
+        out(f"  field:      {self.label}[{self.start}:{self.end}]")
+
+
+@dataclasses.dataclass(frozen=True)
+class PartialByteFieldWriteHint(PartialByteFieldAccessHint):
+    """Hint representing a write to part of a known field.
+
+    Also includes the data I'm trying to write
+    """
+
+    message: str = "Partial write to known field"  # Don't need to replace
+    access: str = "write"  # Don't need to replace
+    expr: str = ""
+
+    def pp(self, out):
+        super().pp(out)
+        out(f"  expr:       {self.expr}")
+
+
+@dataclasses.dataclass(frozen=True)
+class PartialBitFieldAccessHint(FieldEventHint):
+    """Hint representing an access to a bit field within a known field."""
+
+    message: str = "Bit field access in known field"  # Don't need to replace
+    label: str = ""
+    start: int = 0
+    end: int = 0
+
+    def pp(self, out):
+        super().pp(out)
+        out(f"  field:      {self.label}[{self.start}:{self.end}]")

smallworld/analyses/field_detection/malloc.py

@@ -0,0 +1,211 @@
+import logging
+import typing
+
+import claripy
+
+from ... import emulators, exceptions, platforms, state
+from ...emulators.angr.exceptions import PathTerminationSignal
+
+log = logging.getLogger(__name__)
+
+
+class MallocModel(state.models.Model):
+    name = "malloc"
+    platform = platforms.Platform(
+        platforms.Architecture.X86_64, platforms.Byteorder.LITTLE
+    )
+    abi = platforms.ABI.SYSTEMV
+
+    _arg1_for_arch = {
+        platforms.Architecture.AARCH64: "x0",
+        platforms.Architecture.ARM_V5T: "r0",
+        platforms.Architecture.ARM_V7A: "r0",
+        platforms.Architecture.MIPS32: "a0",
+        platforms.Architecture.MIPS64: "a0",
+        platforms.Architecture.POWERPC32: "r3",
+        platforms.Architecture.X86_64: "rdi",
+    }
+
+    _ret_for_arch = {
+        platforms.Architecture.AARCH64: "x0",
+        platforms.Architecture.ARM_V5T: "r0",
+        platforms.Architecture.ARM_V7A: "r0",
+        platforms.Architecture.MIPS32: "v0",
+        platforms.Architecture.MIPS64: "v0",
+        platforms.Architecture.POWERPC32: "r3",
+        platforms.Architecture.X86_64: "rax",
+    }
+
+    def __init__(
+        self,
+        address: int,
+        heap: state.memory.heap.Heap,
+        platform: platforms.Platform,
+        read_callback,
+        write_callback,
+    ):
+        super().__init__(address)
+
+        self.arg1_reg = self._arg1_for_arch[platform.architecture]
+        self.ret_reg = self._ret_for_arch[platform.architecture]
+
+        if len(heap) > 0:
+            raise exceptions.ConfigurationError("This only works with a blank heap")
+        end = state.IntegerValue(heap.address + heap.get_capacity(), 8, None)
+        ptr = state.IntegerValue(heap.address + 16, 8, None)
+
+        heap.allocate(end)
+        heap.allocate(ptr)
+
+        self.heap_addr = heap.address
+        self.read_callback = read_callback
+        self.write_callback = write_callback
+
+        self.struct_lengths: typing.Dict[str, int] = dict()
+        self.struct_prefixes: typing.Dict[str, str] = dict()
+        self.struct_fields: typing.Dict[
+            str, typing.List[typing.Tuple[int, str]]
+        ] = dict()
+
+    def bind_length_to_struct(
+        self, field: str, prefix: str, labels: typing.List[typing.Tuple[int, str]]
+    ):
+        self.struct_lengths[field] = 0
+        self.struct_prefixes[field] = prefix
+        for size, label in labels:
+            self.struct_lengths[field] += size
+        self.struct_fields[field] = labels
+
+    def model(self, emulator: emulators.Emulator):
+        if not isinstance(emulator, emulators.AngrEmulator):
+            raise exceptions.ConfigurationError("Model only works with angr")
+        # Read the capacity.
+        # Bypass the smallworld API; I want to know if it's symbolic
+        fda = emulator.get_extension("fda")
+        capacity = emulator.read_register_symbolic(self.arg1_reg)
+        length = 0
+
+        if capacity.symbolic:
+            # Capacity is a symbolic expression.
+            # Check if it's collapsible
+            good = True
+            try:
+                vals = emulator.eval_atmost(capacity, 1)
+            except exceptions.UnsatError:
+                log.error("Capacity is unsat")
+                good = False
+            except exceptions.SymbolicValueError:
+                log.error("Capacity did not collapse to one value")
+                good = False
+
+            if not good or len(vals) > 1:
+                log.error("The following fields are lengths:")
+                for var in capacity.variables:
+                    log.error(f"   {var}")
+                log.error("Concretize them to continue analysis")
+                raise PathTerminationSignal()
+
+            length = vals[0]
+        else:
+            length = capacity.concrete_value
+
+        heap_end = int.from_bytes(
+            emulator.read_memory_content(self.heap_addr, 8), "little"
+        )
+        heap_ptr = int.from_bytes(
+            emulator.read_memory_content(self.heap_addr + 8, 8), "little"
+        )
+
+        if heap_end - heap_ptr < length:
+            # OOM; Return NULL
+            log.warning(
+                f"malloc: OOM! Need {length}, only have {hex(heap_end)} - {hex(heap_ptr)} = {heap_end - heap_ptr}"
+            )
+            res = 0
+        else:
+            # Return the pointer to the new region.
+            log.warning(f"malloc: Alloc'd {length} bytes at {hex(heap_ptr)}")
+            res = heap_ptr
+            heap_ptr += length
+            emulator.write_memory_content(
+                self.heap_addr + 8, heap_ptr.to_bytes(8, "little")
+            )
+
+            # Check if this is something we want to track.
+            fields = list(map(lambda x: x.split("_")[0], capacity.variables))
+
+            if len(fields) != 1:
+                # Don't track; too complex
+                log.warn("  Length has multiple variables; not solving")
+            elif fields[0] not in self.struct_lengths:
+                # Don't track; not something we asked to track
+                log.warn(f"  Length field {fields[0]} not known")
+            else:
+                struct_length = self.struct_lengths[fields[0]]
+                struct_prefix = self.struct_prefixes[fields[0]]
+                struct_labels = self.struct_fields[fields[0]]
+
+                sym = list(filter(lambda x: x.op == "BVS", capacity.leaf_asts()))[0]
+                if not isinstance(sym, claripy.ast.bv.BV):
+                    raise TypeError("BVS isn't a bitvector: {sym}")
+                n = emulator.eval_atmost(sym, 1)[0]
+
+                if length // n != struct_length:
+                    # Don't track; not an obvious "n * sizeof(struct foo)"
+                    log.warn(f"  {length} // {n} != {struct_length}")
+                elif length % struct_length != 0:
+                    # Don't track; not an obvious "n * sizeof(struct foo)"
+                    log.warn(f"  {length} not evenly divisible by {n}")
+                else:
+                    # Track!
+                    log.warn(f"  Alloc of {n} items")
+                    addr = res
+                    for i in range(0, n):
+                        struct_fields = list()
+                        off = 0
+                        for flen, fname in struct_labels:
+                            # Build a symbol for this field of this item
+                            flabel = struct_prefix + "." + str(i) + "." + fname
+                            expr = claripy.BVS(flabel, flen * 8, explicit_name=True)
+                            struct_fields.append(expr)
+
+                            # Track the new field
+                            r = range(addr + off, addr + off + flen)
+                            fda.fda_labels.add(flabel)
+                            fda.fda_addr_to_label[r] = flabel
+                            fda.fda_label_to_addr[flabel] = r
+                            fda.fda_bindings[flabel] = expr
+
+                            off += flen
+
+                        # Insert the whole struct into memory
+                        expr = claripy.Concat(*struct_fields)
+                        emulator.write_memory(addr, expr)
+
+                        addr += struct_length
+
+                    # Hook the entire array
+                    fda.fda_mem_ranges.add((res, res + length))
+                    emulator.hook_memory_read_symbolic(
+                        res, res + length, self.read_callback
+                    )
+                    emulator.hook_memory_write_symbolic(
+                        res, res + length, self.write_callback
+                    )
+
+        emulator.write_register_content(self.ret_reg, res)
+
+
+class FreeModel(state.models.Model):
+    name = "free"
+    platform = platforms.Platform(
+        platforms.Architecture.X86_64, platforms.Byteorder.LITTLE
+    )
+    abi = platforms.ABI.SYSTEMV
+
+    def __init__(self, address: int):
+        super().__init__(address)
+
+    def model(self, emulator: emulators.Emulator):
+        # Just free it.
+        return

smallworld/analyses/forced_exec/__init__.py

@@ -0,0 +1,3 @@
+from .forced_exec import ForcedExecution, ForcedExecutionUnderlay
+
+__all__ = ["ForcedExecution", "ForcedExecutionUnderlay"]

smallworld/analyses/forced_exec/forced_exec.py

@@ -0,0 +1,87 @@
+import logging
+import typing
+
+from ...emulators import AngrEmulator
+from ...exceptions import EmulationStop
+from ...platforms import Platform
+from ...state import Machine
+from ..underlays import AnalysisUnderlay
+
+log = logging.getLogger(__name__)
+
+
+class ForcedExecutionUnderlay(AnalysisUnderlay):
+    """Forced execution analysis underlay
+
+    This allows you to emulate arbitrary program slices
+    by forcing the emulator to visit specific instructions,
+    ignoring the normal program control flow.
+
+    This isn't a complete analysis;
+    instead, it's a dummy base class that makes it easy
+    to support forced execution mode by implementing
+    the complex logic as an overlay,
+    and building the actual analysis as a combination
+    of overlay and underlay.
+    See field detection to see what I mean.
+
+    NOTE: This is not compatible with all architectures.
+    The architecture needs to support single-stepping;
+    delay slot architectures such as MIPS can't
+    be single-stepped by angr.
+
+    Arguments:
+        trace:      The list of program counter addresses you want to visit
+
+    """
+
+    def __init__(self, trace: typing.List[typing.Dict[str, int]]):
+        self.trace: typing.List[typing.Dict[str, int]] = trace
+
+    def execute(self):
+        try:
+            for regs in self.trace:
+                for reg, val in regs.items():
+                    self.emulator.write_register_content(reg, val)
+                self.emulator.step()
+        except EmulationStop:
+            pass
+
+
+class ForcedExecution(ForcedExecutionUnderlay):
+    """Forced execution using angr
+
+    This allows you to emulate arbitrary program slices
+    by forcing the emulator to visit specific instructions,
+    ignoring the normal program control flow.
+
+    NOTE: This is not compatible with all architectures.
+    The architecture needs to support single-stepping;
+    delay slot architectures such as MIPS can't
+    be single-stepped by angr.
+
+    Arguments:
+        platform:   The platform you want to emulate
+        trace:      The list of program counter addresses you want to visit
+    """
+
+    name = "forced-execution"
+    description = "Forced execution using angr"
+    version = "0.0.1"
+
+    def __init__(self, platform: Platform, trace: typing.List[typing.Dict[str, int]]):
+        super().__init__(trace)
+        self.platform: Platform = platform
+        self.emulator = AngrEmulator(platform)
+        self.emulator.enable_linear()
+
+    def run(self, machine: Machine):
+        emulator = self.emulator
+        if not isinstance(emulator, AngrEmulator):
+            raise TypeError("Impossible!")
+        machine.apply(emulator)
+        emulator.initialize()
+        self.execute()
+        for s in emulator.mgr.active:
+            log.info(s.solver.constraints)
+            s.registers.pp(log.info)

smallworld/analyses/underlays/__init__.py

@@ -0,0 +1,4 @@
+from .basic import BasicAnalysisUnderlay
+from .underlay import AnalysisUnderlay
+
+__all__ = ["AnalysisUnderlay", "BasicAnalysisUnderlay"]

smallworld/analyses/underlays/basic.py

@@ -0,0 +1,13 @@
+from ...exceptions import EmulationStop
+from .underlay import AnalysisUnderlay
+
+
+class BasicAnalysisUnderlay(AnalysisUnderlay):
+    """Basic analysis underlay that steps until done"""
+
+    def execute(self):
+        try:
+            while True:
+                self.emulator.step()
+        except EmulationStop:
+            pass

smallworld/analyses/underlays/underlay.py

@@ -0,0 +1,31 @@
+import abc
+
+from ...emulators import Emulator
+from ..analysis import Analysis
+
+
+class AnalysisUnderlay(Analysis):
+    """Base class for execution underlays
+
+    Some analyses are orthogonal to
+    exactly how their program gets actuated.
+    In those cases, the author can write the
+    bulk of the analysis in an overlay,
+    and pair that overlay with different underlays.
+    """
+
+    @property
+    def emulator(self) -> Emulator:
+        """The emulator to run
+        Underlays need the overlay to define the emulator.
+        """
+        return self._emulator
+
+    @emulator.setter
+    def emulator(self, emu: Emulator):
+        self._emulator = emu
+
+    @abc.abstractmethod
+    def execute(self) -> None:
+        """Exercise the emulator"""
+        raise NotImplementedError()

smallworld/analyses/unstable/__init__.py

@@ -0,0 +1,4 @@
+# from .colorizer import Colorizer
+# from .colorizer_summary import ColorizerSummary
+
+# __all__ = ["Colorizer", "ColorizerSummary"]

smallworld/analyses/unstable/angr/base.py

@@ -0,0 +1,12 @@
+from angr.storage.memory_mixins.memory_mixin import MemoryMixin
+
+
+class BaseMemoryMixin(MemoryMixin):  # type: ignore[misc]
+    """Base class for memory mixins.
+
+    I wanted to add the _setup_tui() method,
+    and needed a base class to make multiple inheritance happen cleanly.
+    """
+
+    def _setup_tui(self):
+        pass