Coder Social home page Coder Social logo

lh-ycx / arcus Goto Github PK

View Code? Open in Web Editor NEW

This project forked from carter-yagemann/arcus

0.0 0.0 0.0 183.43 MB

Symbolic Execution Over Processor Traces

License: GNU General Public License v3.0

Makefile 0.28% C 97.11% Assembly 1.86% C++ 0.04% Shell 0.07% Perl 0.13% Awk 0.01% Python 0.44% GDB 0.01% Yacc 0.02% Lex 0.01% UnrealScript 0.01% SmPL 0.02% Scilab 0.01% Gherkin 0.01% XS 0.01% Raku 0.01% Roff 0.01% Clojure 0.01% M4 0.01%

arcus's Introduction

Analyzing Root Cause Using Symbex (ARCUS)

This project finds and explains low-level binary vulnerabilities (overflows, use-after-free, etc.) by symbolically analyzing program execution traces:

$ ./tools/angr/analysis.py ./tools/angr/test/test-data/traces/cve-2018-12327-poc
INFO    | 2021-03-26 08:53:39,389 | analysis | Disassembling PT trace for PID: 8159
INFO    | 2021-03-26 08:53:42,689 | analysis | Loading state from: ./tools/angr/test/test-data/traces/cve-2018-12327-poc/state.json
INFO    | 2021-03-26 08:53:42,696 | analysis | Loading regs from: ./tools/angr/test/test-data/traces/cve-2018-12327-poc/regs.json
INFO    | 2021-03-26 08:53:42,696 | analysis | No filesystem info provided
INFO    | 2021-03-26 08:53:42,697 | analysis | Loading misc from: ./tools/angr/test/test-data/traces/cve-2018-12327-poc/misc.json
INFO    | 2021-03-26 08:53:43,673 | analysis | Starting symbolic analysis
INFO    | 2021-03-26 08:53:43,686 | angrpt | Trace: 84971/374830 __libc_start_main+0x0 in extern-address space (0x358)
INFO    | 2021-03-26 08:53:43,920 | angrpt | Trace: 84991/374830 __libc_csu_init+0x0 in 55857a272000-ntpq (0x2ee00)
INFO    | 2021-03-26 08:53:43,939 | angrpt | Trace: 84992/374830 _init+0x0 in 55857a272000-ntpq (0x9b70)
INFO    | 2021-03-26 08:53:43,950 | angrpt | Trace: 84993/374830 _init+0x12 in 55857a272000-ntpq (0x9b82)
INFO    | 2021-03-26 08:53:43,958 | angrpt | Trace: 84994/374830 __libc_csu_init+0x31 in 55857a272000-ntpq (0x2ee31)
INFO    | 2021-03-26 08:53:43,967 | angrpt | Trace: 84995/374830 __libc_csu_init+0x36 in 55857a272000-ntpq (0x2ee36)
[... 30 seconds later ...]
INFO    | 2021-03-26 08:54:13,425 | angrpt | Trace: 296837/374830 openhost+0x2a4 in 55857a272000-ntpq (0xbae4)
INFO    | 2021-03-26 08:54:13,429 | angrpt | Trace: 296838/374830 openhost+0x218 in 55857a272000-ntpq (0xba58)
INFO    | 2021-03-26 08:54:13,456 | angrpt | Trace: 296839/374830 openhost+0x3bc in 55857a272000-ntpq (0xbbfc)
INFO    | 2021-03-26 08:54:13,465 | angrpt | Trace: 296840/374830 PLT.__stack_chk_fail+0x0 in 55857a272000-ntpq (0x9ca8)
INFO    | 2021-03-26 08:54:13,468 | angrpt | Trace: 296840/374830 __stack_chk_fail+0x0 in extern-address space (0x28)
INFO    | 2021-03-26 08:54:13,469 | plugins.detectors.vuln_hook | Reached __stack_chk_fail, which is an aborting error handler; we've triggered a bug
INFO    | 2021-03-26 08:54:13,470 | analysis | Updating reports with root cause analysis
INFO    | 2021-03-26 08:54:13,924 | plugins.detectors.symbolic_ip | Symbolic IP detected. Analyzing state...
INFO    | 2021-03-26 08:54:13,925 | plugins.detectors.symbolic_ip | Analyzing exit at openhost+0x218 in 55857a272000-ntpq (0xba58)
INFO    | 2021-03-26 08:55:21,283 | plugins.detectors.symbolic_ip | Blaming for unconstrained value: openhost+0x2dd in 55857a272000-ntpq (0xbb1d)
INFO    | 2021-03-26 08:55:21,285 | plugins.detectors.symbolic_ip | Analyzing root cause for behavior of openhost+0x2dd in 55857a272000-ntpq (0xbb1d)
INFO    | 2021-03-26 08:55:26,241 | plugins.detectors.symbolic_ip | Recommendation: Add [<SAO <Bool argv_21_2416[239:232] == 93>>] to <CFGENode openhost+0x2d8 0x55857a27db18[5]>

0-Day Discoveries: DMitry-Issue-3, hdContents-Issue-2, EDB-47254, EDB-49259, CVE-2019-17582, CVE-2019-19004, CVE-2019-19005, CVE-2020-9549, CVE-2020-14931, CVE-2020-35457, CVE-2021-42006.

Setup

Hardware Requirements:

  1. A physical Linux machine (virtual machines are not currently supported) with an Intel CPU that supports Intel PT.

Refer to this document if you are unsure whether your CPU supports Intel PT. Most modern Intel Core and Atom processors should work. Some Xeon processors will not.

Install Steps:

  1. Install a trace interface: Griffin or Perf.

See this document for trade-offs between the supported interfaces. This is only required if you want to record your own traces. You can analyze the pre-recorded traces in tools/angr/test/test-data/traces and the datasets below without performing this step.

  1. Install project specific tools and packages.

Usage

Datasets

Unit Tests

If you make contributions to the repository, please try to keep tools/angr/test/test.py up-to-date. For non-unit tests, create a new script in tools/angr/test. We currently do not have a unified framework for non-unit tests.

Publications

  • C. Yagemann, S. Chung, B. Saltaformaggio, W. Lee, Automated Bug Hunting With Data-Driven Symbolic Root Cause Analysis. Appeared in the 2021 ACM Conference on Computer and Communications Security (CCS’21). Seoul, Republic of Korea. November 15--19, 2021.

  • C. Yagemann, M. Pruett, S. P. Chung, K. Bittick, B. Saltaformaggio, W. Lee, ARCUS: Symbolic Root Cause Analysis of Exploits in Production Systems. Appeared in the 30th USENIX Security Symposium (USENIX'21). August 11--13, 2021.

Related Work

  • Barnum Tracer & Learner: An end-to-end system for program control-flow anomaly detection.

arcus's People

Contributors

altodd avatar carter-yagemann avatar lh-ycx avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.