From 01db19f604a5038881d32186514c63a18f3ee3e6 Mon Sep 17 00:00:00 2001
From: bdr7fv <bdr7fv@git.zephyr-software.com>
Date: Mon, 28 May 2012 04:46:19 +0000
Subject: [PATCH] Modified OffsetInference to consider dynamic stack frames
 non-canary safe.

Also modified Rewrite_Utility and PnTransformDriver to keep track of inserted instructions so they can be removed on undo. This now sets up the possibility for a binary search style algorithm for transformation.



Former-commit-id: 6689033a8143434f3b3e74187d91f6a3f8b34b6d
---
 tools/transforms/OffsetInference.cpp   |  7 ++++
 tools/transforms/PNTransformDriver.cpp | 49 ++++++++++++++++++++++----
 tools/transforms/PNTransformDriver.hpp |  1 +
 tools/transforms/Rewrite_Utility.cpp   |  7 ++++
 4 files changed, 58 insertions(+), 6 deletions(-)

diff --git a/tools/transforms/OffsetInference.cpp b/tools/transforms/OffsetInference.cpp
index c2039ad1c..4fba2e4f7 100644
--- a/tools/transforms/OffsetInference.cpp
+++ b/tools/transforms/OffsetInference.cpp
@@ -403,6 +403,13 @@ void OffsetInference::FindAllOffsets(Function_t *func)
 		    pn_p1_offsets->SetStaticStack(false);
 		    PN_safe = false;
 
+		    //Consider this case not canary safe for now
+		    //TODO: can I make this canary safe?
+		    pn_direct_offsets->SetCanarySafe(false);
+		    pn_scaled_offsets->SetCanarySafe(false);
+		    pn_all_offsets->SetCanarySafe(false);
+		    pn_p1_offsets->SetCanarySafe(false);
+
 		    //TODO: this output should be removed after TNE
 		    //only used to give Jason an indication that a 
 		    //non-static func has been detected. 
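Review bot: The four SetCanarySafe(false) calls at L29-L32 repeat the per-layout fan-out already done for SetStaticStack(false) just above, and the comment gives no reason why a dynamic frame defeats the canary, so the TODO cannot be answered later. Presumably the canary's esp-relative slot cannot be fixed when the frame size varies at runtime; if so, record it in place of the first comment, e.g. `//Dynamic frame: the canary's esp-relative slot is not fixed, so treat every layout as not canary safe.` If another layout object is added alongside these four, both fan-outs must be updated in step, which is easy to miss; a small helper that marks all layouts at once would remove that coupling. FindAllOffsets begins and ends outside this hunk.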
diff --git a/tools/transforms/PNTransformDriver.cpp b/tools/transforms/PNTransformDriver.cpp
index 92f6cca2f..c70fbeea9 100644
--- a/tools/transforms/PNTransformDriver.cpp
+++ b/tools/transforms/PNTransformDriver.cpp
@@ -12,6 +12,8 @@ using namespace libIRDB;
 
 //TODO: this var is a hack for TNE
 extern bool DO_CANARIES;
+extern set<Instruction_t*>inserted_instr;
+extern set<AddressID_t*>inserted_addr;
 
 void sigusr1Handler(int signum);
 bool PNTransformDriver::timeExpired = false;
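Review bot: The `extern set<Instruction_t*>inserted_instr;` / `extern set<AddressID_t*>inserted_addr;` declarations at L45-L46 duplicate the definitions that the Rewrite_Utility.cpp hunk at L155-L156 adds, with no header tying the two together, so a future type change to one side will not be caught at compile time. Move the extern declarations into the header that Rewrite_Utility.cpp exposes (the same place allocateNewInstruction is declared) and include it here instead. These two sets are process-wide mutable state shared by every caller of allocateNewInstruction, so a one-line comment at the declaration saying that undo() deletes everything in them since the last reset_undo() would help readers of this file.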
@@ -301,8 +303,10 @@ bool PNTransformDriver::CanaryTransformHandler(PNStackLayout *layout, Function_t
 	}
     }
     //cleanup??
-    undo_list.clear();//TODO: handle undo better?
-		    
+    //undo_list.clear();//TODO: handle undo better?
+
+    reset_undo();
+
     //TODO: cleanup new_virp? I don't want to double free.
     //new_pidp->DropFromDB();
 
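Review bot: The replaced call is kept as commented-out code, `//undo_list.clear();//TODO: handle undo better?` at L56, and the same pattern appears at L68 and L78 in the next two hunks. The version history already preserves the old line; leave only `reset_undo();` and, if the TODO is still open, keep it as a plain `//TODO: handle undo better?` comment so it is not mistaken for disabled code. CanaryTransformHandler's body starts outside this hunk.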
@@ -344,7 +348,8 @@ bool PNTransformDriver::PaddingTransformHandler(PNStackLayout *layout, Function_
 	cerr<<"PNTransformDriver: Final Transformation Success: "<<layout->ToString()<<endl;
 	transformed_history[layout->GetLayoutName()].push_back(layout);
 	success = true;
-	undo_list.clear();
+	//undo_list.clear();
+	reset_undo();
     }
 
     //orig_virp->WriteToDB();
@@ -372,7 +377,8 @@ bool PNTransformDriver::LayoutRandTransformHandler(PNStackLayout *layout, Functi
 	cerr<<"PNTransformDriver: Final Transformation Success: "<<layout->ToString()<<endl;
 	transformed_history[layout->GetLayoutName()].push_back(layout);
 	success = true;
-	undo_list.clear();
+	//undo_list.clear();
+	reset_undo();
     }
 
     //orig_virp->WriteToDB();
@@ -1045,10 +1051,12 @@ bool PNTransformDriver::Canary_Rewrite(PNStackLayout *orig_layout, Function_t *f
 	    for(unsigned int i=0;i<canaries.size();i++)
 	    {
 		ss.str("");
-
 		ss<<"mov dword [esp+0x"<<hex<<canaries[i].esp_offset<<"], 0x"<<hex<<canaries[i].canary_val;
 		instr = insertAssemblyAfter(virp,instr,ss.str());
-		instr->SetComment("Canary Setup: "+ss.str());
+		if(i==0)
+		    instr->SetComment("Canary Setup Entry: "+ss.str());
+		else
+		    instr->SetComment("Canary Setup: "+ss.str());
 	    }
 	}
 	else if(regexec(&(pn_regex.regex_ret), disasm_str.c_str(),5,pmatch,0)==0)
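Review bot: The two SetComment branches at L91-L94 differ only in the prefix string, which hides that the loop body is otherwise identical. A single call reads more directly, `instr->SetComment(string(i==0 ? "Canary Setup Entry: " : "Canary Setup: ")+ss.str());`, and keeps the entry-marker wording in one place. Canary_Rewrite starts and ends outside this hunk.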
@@ -1678,7 +1686,36 @@ void PNTransformDriver::undo(map<Instruction_t*, Instruction_t*> undo_list, Func
 //	delete orig;
     }
 
+
+
+    for(set<Instruction_t*>::const_iterator it=inserted_instr.begin();
+	it != inserted_instr.end();
+	++it
+	)
+    {
+	orig_virp->GetInstructions().erase(*it);
+	delete *it;
+    }
+
+    for(set<AddressID_t*>::const_iterator it=inserted_addr.begin();
+	it != inserted_addr.end();
+	++it
+	)
+    {
+	orig_virp->GetAddresses().erase(*it);
+	delete *it;
+    }
+
+
+    reset_undo();
+    //undo_list.clear();
+}
+
+void PNTransformDriver::reset_undo()
+{
     undo_list.clear();
+    inserted_instr.clear();
+    inserted_addr.clear();
 }
 
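Review bot: The loops at L104-L120 erase and `delete` every inserted instruction and address, but nothing here clears the pointers that surviving instructions hold to them; an instruction that insertAssemblyAfter spliced after a new one still points at it via its fallthrough (or target) unless the restore loop earlier in undo() rewires it, so any miss leaves a dangling pointer in orig_virp. It is also not visible whether Instruction_t's destructor frees its AddressID_t; if it does, the second loop double-frees. Note too that the parameter `undo_list` shadows the member of the same name: the original `undo_list.clear()` at the end of undo() cleared the by-value parameter, whereas `reset_undo()` now clears the member, which looks like the intended behaviour but deserves a comment. The start of undo() is outside this hunk.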
 void sigusr1Handler(int signum)
diff --git a/tools/transforms/PNTransformDriver.hpp b/tools/transforms/PNTransformDriver.hpp
index d83965a90..ce8ea7c9b 100644
--- a/tools/transforms/PNTransformDriver.hpp
+++ b/tools/transforms/PNTransformDriver.hpp
@@ -42,6 +42,7 @@ protected:
     virtual bool Validate(libIRDB::VariantIR_t *virp, libIRDB::Function_t *func);
     //virtual void undo(std::map<libIRDB::Instruction_t*,std::string> undo_list, libIRDB::Function_t *func);
     virtual void undo(std::map<libIRDB::Instruction_t*,libIRDB::Instruction_t*> undo_list, libIRDB::Function_t *func);
+    virtual void reset_undo();
     virtual std::vector<PNStackLayout*> GenerateInferences(libIRDB::Function_t *func, int level);
     virtual bool ShuffleValidation(int reps, PNStackLayout *layout,libIRDB::Function_t *func);
     //virtual void GenerateTransforms2(libIRDB::VariantIR_t *virp,std::vector<libIRDB::Function_t*> funcs,std::string BED_script, int progid);
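Review bot: `virtual void reset_undo();` at L143 is undocumented, and its effect reaches beyond this class since it clears the globals defined in Rewrite_Utility.cpp. Add a comment above it such as `//Forget all undo state: clears undo_list and the global inserted_instr/inserted_addr sets, so nothing recorded so far can be undone.` so callers know it must be invoked before a new transformation begins.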
diff --git a/tools/transforms/Rewrite_Utility.cpp b/tools/transforms/Rewrite_Utility.cpp
index da29cd9b1..d3816e919 100644
--- a/tools/transforms/Rewrite_Utility.cpp
+++ b/tools/transforms/Rewrite_Utility.cpp
@@ -2,6 +2,9 @@
 using namespace std;
 using namespace libIRDB;
 
+set<Instruction_t*>inserted_instr; //used to undo inserted instructions
+set<AddressID_t*>inserted_addr; //used to undo inserted addresses
+
 void setExitCode(VariantIR_t* virp, Instruction_t* exit_code);
 
 //For all insertBefore functions:
@@ -107,6 +110,10 @@ Instruction_t* allocateNewInstruction(VariantIR_t* virp, db_id_t p_fileID,Functi
 
 	virp->GetInstructions().insert(instr);
 	virp->GetAddresses().insert(a);
+
+	inserted_instr.insert(instr);
+	inserted_addr.insert(a);
+	
 	return instr;
 }
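Review bot: The tracking at L166-L167 is unconditional, so every instruction and address allocated through this helper, by any caller, is a candidate for deletion at the next PNTransformDriver::undo() unless reset_undo() ran first; that contract is not stated anywhere in this file. Add a comment above the two inserts, e.g. `//Record for undo: PNTransformDriver::undo() erases and deletes everything recorded here since the last reset_undo().` The signature of allocateNewInstruction is outside this hunk.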
 
-- 
GitLab