
arbiter's People

Contributors

adamdoupe, jkrshnmenon


arbiter's Issues

A bug in CheckpointHook causes false negatives

I think the 'globals' key in self.state.globals.get('globals', None) should be 'sym_vars'. This can make CheckpointHook discard some sym_vars and give false negatives. Could you check whether there are similar problems?

class CheckpointHook(DefaultHook):
    def run(self, **kwargs):
        assert 'arg_num' in kwargs['kwargs']
        arg_num = kwargs['kwargs']['arg_num']
        if self.state.globals.get('globals', None) is None:
            self.state.globals['sym_vars'] = []
        if arg_num == 0:
            sym_var = claripy.BVS('ret', self.state.arch.bits)
            self.state.globals['sym_vars'].append(sym_var)
            return sym_var
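The effect of the guard described in this issue, as an added reproduction that is not arbiter's own code: a stand-in state object exposing only a .globals dict (FakeState, an assumption), the hook logic as posted beside the same hook keyed on 'sym_vars', each driven through three checkpoint hits. Plain strings stand in for claripy.BVS so the script runs offline.

```python
# Added example (not arbiter's own code).  FakeState is a stand-in for the
# angr state: only the .globals dict the hook touches is modelled, and the
# symbolic variable created by claripy.BVS is replaced by a plain string.

class FakeState:
    """Minimal stand-in for an angr SimState: just the .globals dict."""
    def __init__(self):
        self.globals = {}


def buggy_checkpoint(state, arg_num, name):
    """Mirrors the reported logic: the guard tests the 'globals' key but
    initialises the 'sym_vars' key, so every call re-creates the list and
    drops whatever earlier checkpoints recorded."""
    if state.globals.get('globals', None) is None:
        state.globals['sym_vars'] = []          # wipes earlier entries
    if arg_num == 0:
        state.globals['sym_vars'].append(name)  # stand-in for claripy.BVS(...)
        return name
    return None


def fixed_checkpoint(state, arg_num, name):
    """Same hook with the guard keyed on 'sym_vars': the list is created once
    and then accumulates every return-value variable."""
    if state.globals.get('sym_vars', None) is None:
        state.globals['sym_vars'] = []
    if arg_num == 0:
        state.globals['sym_vars'].append(name)
        return name
    return None


def run_checkpoints(hook, n):
    """Drive n checkpoint hits with arg_num == 0 on a fresh state and return
    the symbolic variables left for the later constraint check."""
    state = FakeState()
    for i in range(n):
        hook(state, 0, f'ret_{i}')
    return list(state.globals['sym_vars'])


if __name__ == '__main__':
    print('buggy:', run_checkpoints(buggy_checkpoint, 3))   # only the last one
    print('fixed:', run_checkpoints(fixed_checkpoint, 3))   # all three
```

With three checkpoints the posted guard leaves a single variable behind, so any constraint that should have been applied to the first two is never checked; that is the false negative the issue describes. The same guard would also raise KeyError if a 'globals' key were ever present without 'sym_vars'.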

TypeError: constrain() missing 1 required positional argument: 'site'

When I run CWE190_juliet_signed.py on your dataset, for example CWE190_s01, I get an error like this:

Traceback (most recent call last):
  File "../../test_scripts/test_juliet_190_signed.py", line 78, in <module>
    do_stuff(sys.argv[1])
  File "../../test_scripts/test_juliet_190_signed.py", line 66, in do_stuff
    se.run_all()
  File "/usr/local/lib/python3.8/dist-packages/arbiter-0.0.1-py3.8.egg/arbiter/master_chief/symbolic_execution.py", line 456, in run_all
  File "/usr/local/lib/python3.8/dist-packages/arbiter-0.0.1-py3.8.egg/arbiter/master_chief/symbolic_execution.py", line 446, in run_one
  File "/usr/local/lib/python3.8/dist-packages/arbiter-0.0.1-py3.8.egg/arbiter/master_chief/symbolic_execution.py", line 429, in _execute_one
  File "/usr/local/lib/python3.8/dist-packages/arbiter-0.0.1-py3.8.egg/arbiter/master_chief/symbolic_execution.py", line 286, in _explore_one
  File "/usr/local/lib/python3.8/dist-packages/arbiter-0.0.1-py3.8.egg/arbiter/master_chief/symbolic_execution.py", line 251, in _check_state
  File "/usr/local/lib/python3.8/dist-packages/arbiter-0.0.1-py3.8.egg/arbiter/master_chief/symbolic_execution.py", line 172, in _apply_sz_constraints
TypeError: constrain() missing 1 required positional argument: 'site'

So I changed the code in symbolic_execution.py; however, I get another error when I run test_arbiter.py. How can I run the code correctly?

Redundant code in sa_advanced.py

Hi,

Do these pieces of code have the same meaning? I think some of them may be redundant.

            all_matches = []
            for x in self._checkpoint:
                all_matches += list(filter(lambda y: x in y, names))

from line 482,

            for x in checkpoints.copy():
                if x not in names:
                    checkpoints.pop(x)
            if len(checkpoints) == 0:
                # Default to function entry
                target.source = target.addr
            else:
                target.source = checkpoints

from line 512, and

            filtered_checkpoints = {}
            for x in checkpoints.copy():
                for y in names:
                    if x in y:
                        filtered_checkpoints[y] = self._checkpoint[x]

            target.source = filtered_checkpoints if len(filtered_checkpoints) > 0 else target.addr

from line 521.
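The three snippets side by side, as an added example that is not arbiter's own code: each is wrapped in a function and run on a constructed checkpoint dict and name list (CHECKPOINTS, NAMES and ENTRY are assumptions; the real code reads them from the analysis state) so the reader can see what each one actually returns.

```python
# Added example (not arbiter's own code): the three filtering strategies
# quoted in the issue, run on constructed data.  `checkpoints` maps a
# checkpoint string to its value, `names` is the list of function names the
# analysis matched, and `entry_addr` is the fallback function entry.

def matches_by_substring(checkpoints, names):
    """Snippet from line 482: every entry of `names` that contains some
    checkpoint string as a substring; the result is a list of names."""
    all_matches = []
    for x in checkpoints:
        all_matches += list(filter(lambda y: x in y, names))
    return all_matches


def filter_exact(checkpoints, names, entry_addr):
    """Snippet from line 512: keep only checkpoints whose key is exactly one
    of `names`; fall back to the entry address when nothing survives."""
    checkpoints = dict(checkpoints)      # work on a copy, as the original does
    for x in list(checkpoints):
        if x not in names:
            checkpoints.pop(x)
    return checkpoints if len(checkpoints) > 0 else entry_addr


def filter_substring(checkpoints, names, entry_addr):
    """Snippet from line 521: re-key the checkpoints by the matched name using
    a substring match, with the same entry-address fallback."""
    filtered = {}
    for x in checkpoints:
        for y in names:
            if x in y:
                filtered[y] = checkpoints[x]
    return filtered if len(filtered) > 0 else entry_addr


# Constructed sample: checkpoint strings as a template might declare them, and
# function names as a CFG might report them (one carries a 'wrapper_' prefix).
CHECKPOINTS = {'memcpy': 1, 'strcpy': 2}
NAMES = ['wrapper_memcpy', 'strcpy', 'main']
ENTRY = 0x401000

if __name__ == '__main__':
    print('substring list :', matches_by_substring(CHECKPOINTS, NAMES))
    print('exact dict     :', filter_exact(CHECKPOINTS, NAMES, ENTRY))
    print('substring dict :', filter_substring(CHECKPOINTS, NAMES, ENTRY))
    print('fallback       :', hex(filter_exact({'memcpy': 1}, ['main'], ENTRY)))
```

On this input the exact-match block keeps only strcpy, while both substring blocks also pick up wrapper_memcpy, and only the last two return a dict keyed by the matched name; the first returns a plain list. Whether that difference is intended is a question for the maintainers, but the three blocks do not compute the same thing.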

No targets for SA advanced

Hi, I'm having trouble using Arbiter. I use the CWE190 check template in vuln_templates to detect CWE190_s in the dataset, but it prompts "No targets for SA advanced" or "has no attribute 'apply_constraint'" or "watch dog killed".

Running the tool on other dataset

Thanks for sharing your great work! All the code is nicely documented and well executed.

I am facing a problem running the code on a toy dataset (a binary file built from C/C++). Can you please guide me on how to run your tool on a C/C++ binary?

Thanks!

Help me.. Please in docker

Hi, I sent you an email today, and I will write down my questions here too!
I'm experimenting with Docker because I want to try it myself (docker pull 4rbit3r/arbiter:latest). In cmd I downloaded arbiter from Git and tried to do what README.md tells me to do, but an error occurred.
root@f0ae4c4b1270:/home/test/arbitergit# ls
Dockerfile Makefile README.md arbiter dataset examples overview.png setup.py some_json some_log test_files vuln_templates

The output of the "ls" command is shown above.

"python vuln_templates/run_arbiter.py -f examples/cve-vuln_templates/vd_cve-2018-10388.py -t examples/cve-binaries/cve-2018-10388 -l some_log -j some_json"
This is the command I entered. (/home/test/arbitergit)

WARNING | 2023-03-14 07:00:03,193 | cle.loader | The main binary is a position-independent executable. It is being loaded with a base address of 0x400000.
DEBUG | 2023-03-14 07:00:03,237 | arbiter.master_chief.sa_recon | Creating CFG
Traceback (most recent call last):
  File "vuln_templates/run_arbiter.py", line 125, in
    main(template, target)
  File "vuln_templates/run_arbiter.py", line 48, in main
    sa.analyze(ignore_funcs=BLACKLIST)
TypeError: analyze() got an unexpected keyword argument 'ignore_funcs'

This is what comes out, and it doesn't work.
Could you tell me how to fix this error?

Thank you for reading
Screen capture 2023-03-14 161212

Open Source License?

I noticed this repository is missing a LICENSE file. I want to use this software as part of a project I'm developing. However, I legally cannot unless a compatible license is applied.

If this project is intended to be open source, please apply a license to make it so, such as the MIT license.

Thanks!

Help using Arbiter for CWE-134 (example: CVE-2005-0105)

Hi all,

I just read the paper and I think Arbiter is pretty neat, but I'm having some trouble understanding how to use the system.

As a demo, I'm trying to detect CVE-2005-0105. I picked this because it is a small program with a straightforward PoC to reproduce:

$ HOME="%s%%.%dx%%%d$hn%%.%dx%%%d$hn" ./typespeed 
Segmentation fault

Here is the analysis from my own tool, ARCUS, for reference (truncated for brevity):

INFO    | 2022-03-17 14:32:04,834 | analysis | Disassembling PT trace for PID: 1109945
[...]
INFO    | 2022-03-17 14:32:07,985 | analysis | Starting symbolic analysis
INFO    | 2022-03-17 14:32:08,000 | angrpt | Trace: 89527/766929 __libc_start_main+0x0 in extern-address space (0x528)
[...]
INFO    | 2022-03-17 14:32:11,090 | angrpt | Trace: 89616/766929 PLT.malloc+0x0 in 5639bd4ce000-typespeed (0x2320)
INFO    | 2022-03-17 14:32:11,199 | angrpt | Trace: 89616/766929 malloc+0x0 in extern-address space (0x2d0)
INFO    | 2022-03-17 14:32:11,215 | angrpt | Trace: 109007/766929 readconfig+0x25 in 5639bd4ce000-typespeed (0x3acc)
INFO    | 2022-03-17 14:32:11,222 | angrpt | Trace: 109008/766929 PLT.getenv+0x0 in 5639bd4ce000-typespeed (0x2040)
INFO    | 2022-03-17 14:32:11,227 | angrpt | Trace: 109008/766929 getenv+0x0 in extern-address space (0x1c0)
ERROR   | 2022-03-17 14:32:11,284 | plugins.hooks.libc | Error in getenv hook: args' length must all be equal
INFO    | 2022-03-17 14:32:11,288 | angrpt | Trace: 109048/766929 readconfig+0x34 in 5639bd4ce000-typespeed (0x3adb)
INFO    | 2022-03-17 14:32:11,298 | angrpt | Trace: 109049/766929 PLT.sprintf+0x0 in 5639bd4ce000-typespeed (0x23e0)
WARNING | 2022-03-17 14:32:11,299 | plugins.detectors.format_string | Symbolic format string pointer
INFO    | 2022-03-17 14:32:11,303 | angrpt | Trace: 109049/766929 sprintf+0x0 in extern-address space (0x5f8)
[...]
INFO    | 2022-03-17 14:32:11,718 | plugins.detectors.format_string | Blaming for corrupting format string: readconfig+0x34 in 5639bd4ce000-typespeed (0x3adb)
INFO    | 2022-03-17 14:32:11,718 | analysis | ** Analysis complete, final results **
INFO    | 2022-03-17 14:32:11,718 | analysis | Reached Trace End: False
INFO    | 2022-03-17 14:32:11,718 | analysis |               Active: 1
INFO    | 2022-03-17 14:32:11,718 | analysis |        Format String: 1
INFO    | 2022-03-17 14:32:11,718 | analysis | Format String Details:
[...]

The bug is in an invocation of sprintf, which I believe the example script vuln_templates/CWE134.py should already handle?

Here's what I tried:

git clone https://github.com/jkrshnmenon/arbiter.git
cd arbiter
python setup.py build && python setup.py install
pip install python-json-logger
mkdir logs
python ./vuln_templates/CWE134.py ./typespeed

And the output I get is:

WARNING | 2022-03-17 14:47:58,994 | cle.backends.externs | Symbol was allocated without a known size; emulation may fail if it is used non-opaquely: stdscr
WARNING | 2022-03-17 14:47:58,996 | cle.loader | The main binary is a position-independent executable. It is being loaded with a base address of 0x400000.
WARNING | 2022-03-17 14:47:58,998 | cle.loader | For more information about "Symbol was allocated without a known size", see https://docs.angr.io/extending-angr/environment#simdata
Deprecation warning: Use self.model.get_any_node() instead of get_any_node
ERROR   | 2022-03-17 14:48:02,400 | arbiter.master_chief.sa_advanced | Got constant value
ERROR   | 2022-03-17 14:48:02,894 | arbiter.master_chief.sa_advanced | Got constant value
ERROR   | 2022-03-17 14:48:02,911 | arbiter.master_chief.sa_advanced | Got constant value
ERROR   | 2022-03-17 14:48:04,054 | arbiter.master_chief.sa_advanced | Got constant value
ERROR   | 2022-03-17 14:48:04,084 | arbiter.master_chief.sa_advanced | Got constant value
WARNING | 2022-03-17 14:48:04,761 | angr.state_plugins.callstack | Returning to an unexpected address 0x2020202020202020
ERROR   | 2022-03-17 14:48:05,026 | arbiter.master_chief.sa_advanced | Got constant value
ERROR   | 2022-03-17 14:48:05,601 | arbiter.master_chief.sa_advanced | Got constant value
ERROR   | 2022-03-17 14:48:09,431 | arbiter.master_chief.sa_advanced | Got constant value
ERROR   | 2022-03-17 14:48:10,509 | arbiter.master_chief.sa_advanced | Got constant value
ERROR   | 2022-03-17 14:48:10,529 | arbiter.master_chief.sa_advanced | Got constant value
ERROR   | 2022-03-17 14:48:10,568 | arbiter.master_chief.sa_advanced | Got constant value
ERROR   | 2022-03-17 14:48:10,596 | arbiter.master_chief.sa_advanced | Got constant value
ERROR   | 2022-03-17 14:48:10,623 | arbiter.master_chief.sa_advanced | Got constant value
ERROR   | 2022-03-17 14:48:10,640 | arbiter.master_chief.sa_advanced | Got constant value
ERROR   | 2022-03-17 14:48:10,660 | arbiter.master_chief.sa_advanced | Got constant value
ERROR   | 2022-03-17 14:48:10,674 | arbiter.master_chief.sa_advanced | Got constant value
ERROR   | 2022-03-17 14:48:10,693 | arbiter.master_chief.sa_advanced | Got constant value
WARNING | 2022-03-17 14:48:10,714 | angr.project | Address is already hooked, during hook(0x5000b8, <SimProcedure StrlenHook>). Re-hooking.
WARNING | 2022-03-17 14:48:10,715 | angr.project | Address is already hooked, during hook(0x5000e0, <SimProcedure StrchrHook>). Re-hooking.
WARNING | 2022-03-17 14:48:10,716 | angr.project | Address is already hooked, during hook(0x500028, <SimProcedure GetenvHook>). Re-hooking.
ERROR   | 2022-03-17 14:48:10,716 | angr.project | Could not find symbol strdup
ERROR   | 2022-03-17 14:48:10,717 | angr.project | Could not find symbol gettext
ERROR   | 2022-03-17 14:48:10,718 | angr.project | Could not find symbol dcgettext
ERROR   | 2022-03-17 14:48:10,718 | angr.project | Could not find symbol dgettext
WARNING | 2022-03-17 14:48:10,720 | angr.calling_conventions | Guessing call prototype. Please specify prototype.
WARNING | 2022-03-17 14:48:10,734 | angr.storage.memory_mixins.default_filler_mixin | The program is accessing register with an unspecified value. This could indicate unwanted behavior.
WARNING | 2022-03-17 14:48:10,734 | angr.storage.memory_mixins.default_filler_mixin | angr will cope with this by generating an unconstrained symbolic variable and continuing. You can resolve this by:
WARNING | 2022-03-17 14:48:10,734 | angr.storage.memory_mixins.default_filler_mixin | 1) setting a value to the initial state
WARNING | 2022-03-17 14:48:10,734 | angr.storage.memory_mixins.default_filler_mixin | 2) adding the state option ZERO_FILL_UNCONSTRAINED_{MEMORY,REGISTERS}, to make unknown regions hold null
WARNING | 2022-03-17 14:48:10,734 | angr.storage.memory_mixins.default_filler_mixin | 3) adding the state option SYMBOL_FILL_UNCONSTRAINED_{MEMORY,REGISTERS}, to suppress these messages.
WARNING | 2022-03-17 14:48:10,734 | angr.storage.memory_mixins.default_filler_mixin | Filling register r12 with 8 unconstrained bytes referenced from 0x403aa7 (readconfig+0x0 in typespeed (0x3aa7))
WARNING | 2022-03-17 14:48:10,736 | angr.storage.memory_mixins.default_filler_mixin | Filling register rbp with 8 unconstrained bytes referenced from 0x403aa9 (readconfig+0x2 in typespeed (0x3aa9))
WARNING | 2022-03-17 14:48:10,738 | angr.storage.memory_mixins.default_filler_mixin | Filling register rbx with 8 unconstrained bytes referenced from 0x403aaa (readconfig+0x3 in typespeed (0x3aaa))
WARNING | 2022-03-17 14:48:11,028 | angr.state_plugins.heap.heap_base | Allocation request of 4294967308 bytes exceeded maximum of 128 bytes; allocating 128 bytes
WARNING | 2022-03-17 14:48:11,096 | angr.project | Refusing to unhook external symbol strlen, replace it with another hook if you want to change it
WARNING | 2022-03-17 14:48:11,096 | angr.project | Address is already hooked, during hook(0x5000b8, <SimProcedure strlen>). Re-hooking.
WARNING | 2022-03-17 14:48:11,096 | angr.project | Refusing to unhook external symbol strchr, replace it with another hook if you want to change it
WARNING | 2022-03-17 14:48:11,097 | angr.project | Address is already hooked, during hook(0x5000e0, <SimProcedure strchr>). Re-hooking.
WARNING | 2022-03-17 14:48:11,097 | angr.project | Could not find symbol strdup
WARNING | 2022-03-17 14:48:11,097 | angr.project | Address is already hooked, during hook(0x500028, <SimProcedure ReturnUnconstrained>). Re-hooking.
WARNING | 2022-03-17 14:48:11,134 | angr.storage.memory_mixins.default_filler_mixin | Filling register rdx with 8 unconstrained bytes referenced from 0x4024c0 (_start+0x0 in typespeed (0x24c0))
WARNING | 2022-03-17 14:48:11,135 | angr.storage.memory_mixins.default_filler_mixin | Filling memory at 0x7ffffffffff0000 with 8 unconstrained bytes referenced from 0x4024c5 (_start+0x5 in typespeed (0x24c5))
WARNING | 2022-03-17 14:48:11,138 | angr.storage.memory_mixins.default_filler_mixin | Filling register rax with 8 unconstrained bytes referenced from 0x4024cd (_start+0xd in typespeed (0x24cd))
ERROR   | 2022-03-17 14:48:11,146 | arbiter.master_chief.symbolic_execution | No paths found

The last line leads me to believe I did something wrong. Any suggestions or guidance?

Thanks!
