Package org.jakstab.cfa

Examples of org.jakstab.cfa.Location

256
257
258
259
260
261
262
  /**
   * Set the program entry point to the given address.
   * @param entryAddress the new entry address
   */
  public void setEntryAddress(AbsoluteAddress entryAddress) {
    setStart(new Location(entryAddress));
  }
View Full Code Here
103
104
105
106
107
108
109
  /*
   * @see org.jakstab.rtl.RTLStatement#setLabel(org.jakstab.asm.AbsoluteAddress, int)
   */
  public void setLabel(AbsoluteAddress addr, int rtlId) {
    this.label = new Location(addr, rtlId);
  }
View Full Code Here
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
  }   

  private AbstractState singlePost(AbstractState state, CFAEdge cfaEdge, Precision precision) {

   
    Location edgeTarget = cfaEdge.getTarget();
    Location edgeSource = cfaEdge.getSource();
   
    // If the entire edge is outside the module, just wait and do nothing
    if (!isProgramAddress(edgeSource) && !isProgramAddress(edgeTarget)) {
      //logger.debug("Outside of module at edge " + cfaEdge);
      return state;
    }
   
    //logger.debug("Inside module " + cfaEdge);
   
    TraceReplayState tState = (TraceReplayState)state;
   
    RTLStatement stmt = (RTLStatement)cfaEdge.getTransformer();
   
    if (edgeTarget.getAddress().equals(tState.getCurrentPC()) && 
        !(stmt instanceof RTLAssume && ((RTLAssume)stmt).getSource().getType() == RTLGoto.Type.REPEAT)) {
      // Next statement has same address (and is no back jump from REP), so do not move forward in trace
      return tState;
    } else {
      // Next statement has a different address (or is the re-execution of a REP prefixed instruction)
     
      if (succ.containsKey(edgeTarget.getAddress())) {
        // Edge goes along a recorded edge
        return new TraceReplayState(succ, edgeTarget.getAddress());
      } else {
        // Edge diverges from trace - either other path or into library

        if (isProgramAddress(edgeTarget)) {
          // Target is in program, but on a different path not taken by this trace
          if (!tState.isBot())
            logger.debug("Visiting edge " + cfaEdge + ", trace expected " + tState.getNextPC() + " next.");
          return TraceReplayState.BOT;
        } else {
          // Target is not in program, so we went into another module (library) that the over-approximation models by a stub
          // In the trace, the TraceReplayAnalysis constructor collapsed the function to a single address
          logger.debug("Jumping out of module to " + edgeTarget + " (" + Program.getProgram().getSymbolFor(edgeTarget) + "), fast forwarding from " + cfaEdge.getSource());
         
          // If we are in a BOT state, we cannot figure out what the native address of the library function is
          if (tState.isBot())
            return TraceReplayState.BOT;
         
          // This only works if only a single library function can be called from each instruction
          //assert succ.get(edgeSource.getAddress()).size() == 1 : "Successors from " + edgeSource.getAddress() + ": " + succ.get(edgeSource.getAddress());
         
          if (succ.get(edgeSource.getAddress()).size() != 1) {
            logger.error("Cannot map virtual edge " + cfaEdge + " to trace, possible trace successors: " + succ.get(edgeSource.getAddress()));
            return TraceReplayState.BOT;
          }
         
          // Since state is not BOT, we know edgeSource is contained in succ.
          return new TraceReplayState(succ, succ.get(edgeSource.getAddress()).iterator().next());
        }
      }
    }
   
  }
View Full Code Here
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
    Set<Tuple<RTLNumber>> valuePairs = a.projectionFromConcretization(
        stmt.getCondition(), stmt.getTargetExpression());
    for (Tuple<RTLNumber> pair : valuePairs) {
      RTLNumber conditionValue = pair.get(0);
      RTLNumber targetValue = pair.get(1);
      Location nextLabel;
      // assume correct condition case
      assert conditionValue != null;
      RTLExpression assumption =
          ExpressionFactory.createEqual(stmt.getCondition(), conditionValue);
      if (conditionValue.equals(ExpressionFactory.FALSE)) {
        // assume (condition = false), and set next statement to fallthrough
        nextLabel = stmt.getNextLabel();
      } else {
        if (targetValue == null) {

          if (stmt.getType() == RTLGoto.Type.CALL) {
            // if it's a call TOP, add an unknown call edge if we're allowing unsound analysis
            RTLUnknownProcedureCall unknownCallEdge = new RTLUnknownProcedureCall(stmt);
            unknownCallEdge.setLabel(stmt.getLabel());
            unknownCallEdge.setNextLabel(stmt.getNextLabel());
            results.add(new CFAEdge(stmt.getLabel(), stmt.getNextLabel(), unknownCallEdge));
            logger.info(stmt.getLabel() + ": Cannot resolve target expression " +
                stmt.getTargetExpression() + " of call. Adding unknown call edge.");
            logger.debug("State is: " + a);
          } else {
            // if target could not be resolved, just leave the edge out for now
            logger.info(stmt.getLabel() + ": Cannot resolve target expression " +
                stmt.getTargetExpression() + ". Continuing with unsound underapproximation.");
            logger.debug("State is: " + a);
            unresolvedBranches.add(stmt.getLabel());
          }
          sound = false;

          continue;
        } else {
          // assume (condition = true AND targetExpression = targetValue)
          assumption = ExpressionFactory.createAnd(
              assumption,
              ExpressionFactory.createEqual(
                  stmt.getTargetExpression(),
                  targetValue)
          );
          // set next label to jump target
          nextLabel = new Location(new AbsoluteAddress(targetValue));
        }
      }
      assumption = assumption.evaluate(new Context());
      RTLAssume assume = new RTLAssume(assumption, stmt);
      assume.setLabel(stmt.getLabel());
View Full Code Here
125
126
127
128
129
130
131
132
133
134
135
      oldRemovalCount = removalCount;
      iterations++;

      while (!worklist.isEmpty() && !stop) {

        Location node = worklist.pick();
       
        SetOfVariables newLive = null;
        for (CFAEdge outEdge : outEdges.get(node)) {
          RTLStatement stmt = (RTLStatement)outEdge.getTransformer();
          SetOfVariables sLVin = new SetOfVariables(liveVars.get(outEdge.getTarget()));
View Full Code Here
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
    assert stmt.getCondition() != null;
    Set<CFAEdge> results = new FastSet<CFAEdge>();

    // Calls always get a fallthrough edge in optimistic mode
    if (stmt.getType() == RTLGoto.Type.CALL) {
      Location nextLabel = stmt.getNextLabel();

      if (Program.getProgram().getHarness().contains(stmt.getAddress())) {
        nextLabel = new Location(Program.getProgram().getHarness().getFallthroughAddress(stmt.getAddress()));
      }

      if (nextLabel != null) {
        RTLUnknownProcedureCall unknownCallEdge = new RTLUnknownProcedureCall(stmt);
        unknownCallEdge.setLabel(stmt.getLabel());
        unknownCallEdge.setNextLabel(nextLabel);
        results.add(new CFAEdge(stmt.getLabel(), nextLabel, unknownCallEdge));
        sound = false;
      }
    }
    // Replace return with halt, since control flow passes over calls anyway
    else if (stmt.getType() == RTLGoto.Type.RETURN) {
      sound = false;
      return Collections.emptySet();
    }

    Set<Tuple<RTLNumber>> valuePairs = a.projectionFromConcretization(
        stmt.getCondition(), stmt.getTargetExpression());
    for (Tuple<RTLNumber> pair : valuePairs) {
      RTLNumber conditionValue = pair.get(0);
      RTLNumber targetValue = pair.get(1);
      Location nextLabel;
      // assume correct condition case
      assert conditionValue != null;
      RTLExpression assumption =
          ExpressionFactory.createEqual(stmt.getCondition(), conditionValue);
      if (conditionValue.equals(ExpressionFactory.FALSE)) {
        // assume (condition = false), and set next statement to fallthrough
        nextLabel = stmt.getNextLabel();
      } else {
        if (targetValue == null) {
          // if target could not be resolved, just leave the edge out for now
          // Can only happen here with indirect jumps
          logger.info(stmt.getLabel() + ": Cannot resolve target expression " +
              stmt.getTargetExpression() + ".");
          logger.debug("State is: " + a);
          sound = false;
          unresolvedBranches.add(stmt.getLabel());
          continue;
        } else {
          // assume (condition = true AND targetExpression = targetValue)
          assumption = ExpressionFactory.createAnd(
              assumption,
              ExpressionFactory.createEqual(
                  stmt.getTargetExpression(),
                  targetValue)
              );
          // set next label to jump target
          nextLabel = new Location(new AbsoluteAddress(targetValue));
        }
      }
      assumption = assumption.evaluate(new Context());
      RTLAssume assume = new RTLAssume(assumption, stmt);
      assume.setLabel(stmt.getLabel());
View Full Code Here
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
    Set<Tuple<RTLNumber>> valuePairs = a.projectionFromConcretization(
        stmt.getCondition(), stmt.getTargetExpression());
    for (Tuple<RTLNumber> pair : valuePairs) {
      RTLNumber conditionValue = pair.get(0);
      RTLNumber targetValue = pair.get(1);
      Location nextLabel;
      // assume correct condition case
      assert conditionValue != null;
      RTLExpression assumption =
          ExpressionFactory.createEqual(stmt.getCondition(), conditionValue);
      if (conditionValue.equals(ExpressionFactory.FALSE)) {
        // assume (condition = false), and set next statement to fallthrough
        nextLabel = stmt.getNextLabel();
      } else {
        if (targetValue == null) {
          // if target could not be resolved, just leave the edge out for now
          logger.info(stmt.getLabel() + ": Cannot resolve target expression " +
              stmt.getTargetExpression() + ". Continuing with unsound underapproximation.");
          logger.debug("State is: " + a);
          sound = false;
          unresolvedBranches.add(stmt.getLabel());
          if (Options.debug.getValue())
            throw new ControlFlowException(a, "Unresolvable control flow from " + stmt.getLabel());
          continue;
        } else {
          // assume (condition = true AND targetExpression = targetValue)
          assumption = ExpressionFactory.createAnd(
              assumption,
              ExpressionFactory.createEqual(
                  stmt.getTargetExpression(),
                  targetValue)
              );
          // set next label to jump target
          nextLabel = new Location(new AbsoluteAddress(targetValue));
        }
      }
      assumption = assumption.evaluate(new Context());
      RTLAssume assume = new RTLAssume(assumption, stmt);
      assume.setLabel(stmt.getLabel());
      assume.setNextLabel(nextLabel);
      // Target address sanity check
      if (nextLabel.getAddress().getValue() < 10L) {
        logger.warn("Control flow from " + a.getLocation() + " reaches address " + nextLabel.getAddress() + "!");
      }

      results.add(assume);
    }
    return results;
View Full Code Here
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
    Set<Tuple<RTLNumber>> valuePairs = a.projectionFromConcretization(
        stmt.getCondition(), stmt.getTargetExpression());
    for (Tuple<RTLNumber> pair : valuePairs) {
      RTLNumber conditionValue = pair.get(0);
      RTLNumber targetValue = pair.get(1);
      Location nextLabel;
      // assume correct condition case
      assert conditionValue != null;
      RTLExpression assumption =
          ExpressionFactory.createEqual(stmt.getCondition(), conditionValue);
      if (conditionValue.equals(ExpressionFactory.FALSE)) {
        // assume (condition = false), and set next statement to fallthrough
        nextLabel = stmt.getNextLabel();
      } else {
        if (targetValue == null) {

          if (!Options.allEdges.getValue()) {
            // if target could not be resolved, just leave the edge out for now
            logger.info(stmt.getLabel() + ": Cannot resolve target expression " +
                stmt.getTargetExpression() + ". Continuing with unsound underapproximation.");
            logger.debug("State is: " + a);
            sound = false;
            unresolvedBranches.add(stmt.getLabel());
            if (Options.debug.getValue())
              throw new ControlFlowException(a, "Unresolvable control flow from " + stmt.getLabel());
            continue;
          } else {
            // Over-approximate target and add edges to all possible program locations (!)
            logger.warn(stmt.getLabel() + ": Cannot resolve target expression " +
                stmt.getTargetExpression() + ". Adding over-approximate edges to all program locations!");


            for (Iterator<AbsoluteAddress> it = Program.getProgram().codeAddressIterator(); it.hasNext();) {
              targetValue = it.next().toNumericConstant();
              assumption = ExpressionFactory.createEqual(stmt.getTargetExpression(), targetValue);
              // set next label to jump target
              nextLabel = new Location(new AbsoluteAddress(targetValue));
              RTLAssume assume = new RTLAssume(assumption, stmt);
              assume.setLabel(stmt.getLabel());
              assume.setNextLabel(nextLabel);
              results.add(new CFAEdge(assume.getLabel(), assume.getNextLabel(), assume));
            }

            continue;
          }
        } else {
          // assume (condition = true AND targetExpression = targetValue)
          assumption = ExpressionFactory.createAnd(
              assumption,
              ExpressionFactory.createEqual(
                  stmt.getTargetExpression(),
                  targetValue)
              );
          // set next label to jump target
          nextLabel = new Location(new AbsoluteAddress(targetValue));
        }
      }
      assumption = assumption.evaluate(new Context());
      RTLAssume assume = new RTLAssume(assumption, stmt);
      assume.setLabel(stmt.getLabel());
      assume.setNextLabel(nextLabel);
      // Target address sanity check
      if (nextLabel.getAddress().getValue() < 10L) {
        logger.warn("Control flow from " + a.getLocation() + " reaches address " + nextLabel.getAddress() + "!");
      }

      results.add(new CFAEdge(assume.getLabel(), assume.getNextLabel(), assume));
    }
    return results;
View Full Code Here
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232

        if (Options.procedureAbstraction.getValue() == 2) {
          // Calls always get a fallthrough edge in optimistic mode
          if (stmt.getType() == RTLGoto.Type.CALL) {
            Location nextLabel = stmt.getNextLabel();

            if (Program.getProgram().getHarness().contains(stmt.getAddress())) {
              nextLabel = new Location(Program.getProgram().getHarness().getFallthroughAddress(stmt.getAddress()));
            }

            if (nextLabel != null) {
              RTLUnknownProcedureCall unknownCallEdge = new RTLUnknownProcedureCall(stmt);
              unknownCallEdge.setLabel(stmt.getLabel());
              unknownCallEdge.setNextLabel(nextLabel);
              results.add(new CFAEdge(stmt.getLabel(), nextLabel, unknownCallEdge));
              sound = false;
            }
          }
          // Replace return with halt, since control flow passes over calls anyway
          else if (stmt.getType() == RTLGoto.Type.RETURN) {
            sound = false;
            return Collections.emptySet();
          }
        }

        DualCompositeState dcs = (DualCompositeState)a;

        // Add all edges from over-approximation
        for (Tuple<RTLNumber> pair : dcs.projectionFromConcretization(stmt.getCondition(), stmt.getTargetExpression())) {
          RTLNumber conditionValue = pair.get(0);
          RTLNumber targetValue = pair.get(1);
          Location nextLabel;
          // Start building the assume expression: assume correct condition case
          assert conditionValue != null;
          RTLExpression assumption =
              ExpressionFactory.createEqual(stmt.getCondition(), conditionValue);
          if (conditionValue.equals(ExpressionFactory.FALSE)) {
            // assume (condition = false), and set next statement to fallthrough
            nextLabel = stmt.getNextLabel();
          } else {
            if (targetValue == null) {
              logger.debug("No value from MAY-analysis at " + stmt.getLabel());
              sound = false;
              unresolvedBranches.add(stmt.getLabel());
              continue;
            }
            // assume (condition = true AND targetExpression = targetValue)
            assumption = ExpressionFactory.createAnd(
                assumption,
                ExpressionFactory.createEqual(
                    stmt.getTargetExpression(),
                    targetValue)
                );
            // set next label to jump target
            nextLabel = new Location(new AbsoluteAddress(targetValue));
          }
          assumption = assumption.evaluate(new Context());
          RTLAssume assume = new RTLAssume(assumption, stmt);
          assume.setLabel(stmt.getLabel());
          assume.setNextLabel(nextLabel);
          // Target address sanity check
          if (nextLabel.getAddress().getValue() < 10L) {
            logger.warn("Control flow from " + stmt.getLabel() + " reaches address " + nextLabel.getAddress() + "!");
          }

          results.add(new CFAEdge(assume.getLabel(), assume.getNextLabel(), assume, Kind.MAY));
        }

        // Add all edges from under-approximation

        for (Tuple<RTLNumber> pair : dcs.projection(stmt.getCondition(), stmt.getTargetExpression())) {
          RTLNumber conditionValue = pair.get(0);
          RTLNumber targetValue = pair.get(1);
          Location nextLabel;
          // Start building the assume expression: assume correct condition case
          assert conditionValue != null;
          RTLExpression assumption =
              ExpressionFactory.createEqual(stmt.getCondition(), conditionValue);
          if (conditionValue.equals(ExpressionFactory.FALSE)) {
            // assume (condition = false), and set next statement to fallthrough
            nextLabel = stmt.getNextLabel();
          } else {
            assert targetValue != null;

            // Translate real library addresses into stub addresses. Necessary because the static analysis component
            // does not know about concrete import addresses, so it uses a stub system.
            if (!isProgramAddress(targetValue)) {
              logger.debug(dcs.getLocation() + ": Jumping out of module to " + targetValue.toHexString());

              // Attempt to map this out-of-module location to a stub
              if (realToStub.containsKey(targetValue)) {
                // If we saw this concrete address before, replace it by the known stub
                logger.debug("Replacing concrete target " + targetValue.toHexString() + " with stub to " + program.getSymbolFor(new AbsoluteAddress(realToStub.get(targetValue))));
                targetValue = realToStub.get(targetValue);
              } else {

                // Check the statically produced edges for one that is not yet mapped to a concrete address.
                // If the over-approximation resolved an import to a stub, it's going to be contained.
                boolean foundStub = false;
                for (CFAEdge e : results) {
                  RTLNumber staticTarget = e.getTarget().getAddress().toNumericConstant();
                  if (!isProgramAddress(staticTarget) && !stubToReal.containsKey(staticTarget)) {
                    // Take the first one that's neither taken nor in the program
                    // TODO: This could map the wrong addresses in some (hopefully) rare cases depending on analysis order
                    stubToReal.put(staticTarget, targetValue);
                    realToStub.put(targetValue, staticTarget);
                    targetValue = staticTarget;
                    foundStub = true;
                    break;
                  }
                }

                if (!foundStub) {
                  // If we have not found anything suitable, we need to create a new stub
                  // FIXME: The new stub will likely have incorrect stack height adjustment.
                  //        We should extract that information from the trace.

                  logger.info(dcs.getLocation() + ": Creating new stub for unknown function at " + targetValue.toHexString());
                  RTLNumber stubTarget = Program.getProgram().getProcAddress("JAK_UNKNOWN", "proc" + targetValue.toHexString()).toNumericConstant();
                  stubToReal.put(stubTarget, targetValue);
                  realToStub.put(targetValue, stubTarget);
                  targetValue = stubTarget;
                }
              }

            }

            // assume (condition = true AND targetExpression = targetValue)
            assumption = ExpressionFactory.createAnd(
                assumption,
                ExpressionFactory.createEqual(
                    stmt.getTargetExpression(),
                    targetValue)
                );
            // set next label to jump target
            nextLabel = new Location(new AbsoluteAddress(targetValue));
          }
          assumption = assumption.evaluate(new Context());
          RTLAssume assume = new RTLAssume(assumption, stmt);
          assume.setLabel(stmt.getLabel());
          assume.setNextLabel(nextLabel);
View Full Code Here
57
58
59
60
61
62
63
64
65
66
67
      sink = sinks.pick();
    } else if (sinks.size() == 0) {
      throw new RuntimeException("CFA has no sink!");
    } else {
      // Generate artificial exit node
      sink = new Location(new AbsoluteAddress(0xFFFFFF01L));
      for (Location l : sinks) {
        reverseCFA.put(sink, new CFAEdge(l, sink, new RTLSkip()));
      }
    }
  }
View Full Code Here
TOP

Related Classes of org.jakstab.cfa.Location

  • org.jakstab.analysis.callstack.CallStackState
  • org.jakstab.analysis.callstack.CallStackStateTest
  • org.jakstab.analysis.tracereplay.TraceReplayAnalysis
  • org.jakstab.cfa.AlternatingStateTransformerFactory
  • org.jakstab.cfa.OptimisticStateTransformerFactory
  • org.jakstab.cfa.PessimisticBasicBlockFactory
  • org.jakstab.cfa.PessimisticStateTransformerFactory
  • org.jakstab.cfa.ReverseCFATransformerFactory
  • org.jakstab.cfa.SemiOptimisticStateTransformerFactory
  • org.jakstab.loader.DefaultHarness
    • Copyright © 2018 www.massapicom. All rights reserved.
    All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.