Skip to content

Feature: dependency graphs#82

Merged
serpilliere merged 4 commits intocea-sec:masterfrom
commial:feature-depgraph
Feb 20, 2015
Merged

Feature: dependency graphs#82
serpilliere merged 4 commits intocea-sec:masterfrom
commial:feature-depgraph

Conversation

@commial
Copy link
Copy Markdown
Contributor

@commial commial commented Feb 20, 2015

Introduce DependencyGraph, computing dependencies of elements.

The dependencies are computed through a list of blocs (IRA).
APIs .get* return an iterator on DependencyResult. Each one contains only relevant DependencyNode, which stand for an element at a given line in a given basic block. That way, outputs contain each elements involved in the targets' value computation.

Different outputs stand for different path through blocks (loop, if-then-else statements, ...).

In addition, the DependencyResult class offers some API, such as:

  • a DiGraph output
  • the symbolic execution of intermediary elements in order to get their expected value

By defining explicit dependencies as dependencies only involved by instruction semantics (unlike those involved by branching), the sub-algorithm NoMemory seems sound and complete.
The standard one (best effort) suffers from memory aliases.

This algorithm has been co-developped with @serpilliere .

An example of use is joined to this PR, through an IDA plug-in.

For instance, the source code of example/samples/simple_test.bin is (example/samples/simple_test.c):

int test(unsigned int argc, char** argv)
{
        unsigned int ret;
        if (argc == 0)
                ret = 0x1001;
        else if (argc < 2)
                ret = 0x1002;
        else if (argc <= 5)
                ret = 0x1003;
        else if (argc != 7 && argc*2 == 14)
                ret = 0x1004;
        else if (argc*2 == 14)
                ret = 0x1005;
        else if (argc & 0x30)
                ret = 0x1006;
        else if (argc + 3 == 0x45)
                ret = 0x1007;
        else
                ret = 0x1008;
        return ret;
}

Let's invoke the script on the return ret; statement (offset 0x88).
setting

Once launch is pressed, a first path is highlight.
1pass
Line dependencies are added as comments (here the stack, and the constant 0x1003).

In addition, on the console (we track EAX):

Get graph number 01
Dump the graph to /tmp/solution_0x00000088_01.dot
Possible value: 0x1003

By pressing Shift+N, one can get every solutions one after one:

Possible value: 0x1002
Possible value: 0x1008
...
Possible value: 0x1001
Done: 8 solutions

Regression tests are based on 10 graphs with different layout.

@commial
DiGraph: Inherite DiGraph from object
e520a0c
@commial
Analysis: Introduce DependencyGraph, computing dependencies of elements
5f1a1e6 
The dependencies are computed through a list of blocs (IRA).
APIs `.get*` return an iterator on DiGraph(DependencyNode). Each DiGraph
contains only relevant DependencyNode, which stand for an element at
a given line in a given basic block. That way, outputs contain each elements
involved in the target value computation.

Different outputs stand for different path through blocks (loop, ...).

This algorithm has been co-developped with @serpillere.
@commial
Test/Analysis: Regression tests for DependencyGraph
792a7ee
@commial
Example/IDA: add a script to highlight depnodes through IDA
d1a564f
serpilliere added a commit that referenced this pull request Feb 20, 2015
@serpilliere
Merge pull request #82 from commial/feature-depgraph
f8e5ad9 
Feature: dependency graphs
@serpilliere serpilliere merged commit f8e5ad9 into cea-sec:master Feb 20, 2015
@commial commial deleted the feature-depgraph branch February 27, 2015 16:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@commial @serpilliere