private void startSimulationButton_Click(object sender, EventArgs e)
{
#if false
SimulationCollection simulations = new SimulationCollection(this.Model);
Technique.AddAll(simulations);
foreach (Target target in this.Targets)
{
GlobalSimulationContext globalContext = new GlobalSimulationContext(target);
SimulationContext initialContext = new SimulationContext(globalContext);
Simulator simulator = Simulator.CreateControlledCodeExecutionSimulator(simulations, initialContext);
simulator.Run();
resultsGridView.Rows.Add(new object[] {
globalContext,
target.Hardware.FullSymbol,
target.OperatingSystem.FullSymbol,
target.Application.FullSymbol,
target.Violation.FullSymbol,
globalContext.SimulationCount > 0 ? globalContext.CompletedSimulationContexts.Max(x => x.Exploitability) : 0,
globalContext.SimulationCount > 0 ? globalContext.CompletedSimulationContexts.Average(x => x.Exploitability) : 0,
globalContext.SimulationCount
});
}
#endif
}
private void SimulateTechniques()
{
Target target = new Target()
{
Hardware = this.Model.HardwareModel.FullyQualifiedSymbolMap["x86/x86_pae"].Clone() as Hardware,
OperatingSystem = this.Model.OperatingSystemModel.FullyQualifiedSymbolMap["windows/xp/rtm/32bit"].Clone() as MSModel.OperatingSystem,
Application = this.Model.ApplicationModel.FullyQualifiedSymbolMap["windows/ie/ie6/32bit"].Clone() as MSModel.Application
};
Simulation simulation = Simulation.GetAllTechniquesSimulation(this.Model);
Console.WriteLine("Simulation graph has {0} edges", simulation.CompleteGraph.Edges.Count);
foreach (Transition transition in simulation.RootTransitions.Where(x => x.Primitive.IsIdentity == false))
{
Console.WriteLine("Exploring technique: {0} + {1}", transition.Technique.GetType(), transition.Technique.Name);
target.Violation = new Violation(transition.Primitive.FromMethod.Value);
target.Violation.ContentSrcState = MemoryAccessParameterState.Controlled;
GlobalSimulationContext globalContext = new GlobalSimulationContext(target)
{
TrackImpossible = false
};
SimulationContext initialContext = new SimulationContext(globalContext);
Simulator simulator = Simulator.CreateDesiredCodeExecutionSimulator(simulation, initialContext);
simulator.RestrictToRootTransitions(
simulation.Transitions.Where(x => x.Technique == transition.Technique)
);
simulator.Run();
Console.WriteLine("Simulation finished, press any key.");
//Console.ReadLine();
Console.WriteLine("{0}", globalContext.Description);
}
}
private void RunSimulation()
{
Simulation simulation = Simulation.GetAllTechniquesSimulation(this.Model);
List <Violation> sampleViolations = new List <Violation>();
PopulateSampleViolationList(sampleViolations);
foreach (Violation v in sampleViolations)
{
List <Target> targets = GetTargets(v);
foreach (Target target in targets)
{
Console.WriteLine("=================================================");
Console.WriteLine("Simulating violation: {0} [{1}]", v, v.Name);
GlobalSimulationContext globalContext = new GlobalSimulationContext(target)
{
TrackImpossible = (Environment.GetEnvironmentVariable("MSMTRACKALL") == "1") ? true : false
};
SimulationContext initialContext = new SimulationContext(globalContext);
Console.WriteLine("Simulation graph has {0} edges", simulation.CompleteGraph.Edges.Count);
Simulator simulator = Simulator.CreateDesiredCodeExecutionSimulator(simulation, initialContext);
simulator.Run();
Console.WriteLine("{0}", globalContext.Description);
Console.WriteLine("Simulation finished, press any key.");
}
}
}
private void UpdateGraphs()
{
Graph graph = new DirectedGraph();
this.TransitionChains = new Dictionary <MemoryAccessMethod, List <TransitionChain> >();
foreach (Transition transition in this.RootTransitions)
{
//
// Skip identity primitives for now.
//
if (transition.Primitive.IsIdentity)
{
continue;
}
//
// Use an open-ended violation of the method that the transition is from to ensure
// the constraints will match.
//
// TODO: also leverage expected parameter control?
//
Violation initialViolation = new Violation(
transition.Primitive.FromMethod.Value
);
GlobalSimulationContext globalContext = new GlobalSimulationContext(
new Target()
{
Violation = initialViolation
});
//
// Assume that content initialization is possible. Most transitions will require
// that content has been initialized, and it is expected that a content initialization
// primitive will have been used to accomplish this. However, for the purpose of classification,
// we do not want to select or imply any one initialization primitive.
//
globalContext.AssumeContentInitializationPossible = true;
SimulationContext initialContext = new SimulationContext(globalContext);
Simulator simulator = new Simulator(this, initialContext);
//
// Limit simulation to include only those primitives that are part of the same technique.
//
simulator.RestrictToTransitions(
this.Transitions.Where(x => x.Technique == transition.Technique)
);
//
// Add edges for contexts that reach a fixed point.
//
simulator.OnFixedPointReached += (context) =>
{
TransitionInformation contextRoot = context.VisitedTransitions.Where(x => x.Transition.Primitive.IsIdentity == false).FirstOrDefault();
if (contextRoot == null || contextRoot.Transition != transition)
{
return;
}
TransitionChain chain = new TransitionChain();
foreach (TransitionInformation ti in context.VisitedTransitions)
{
graph.AddEdge(
new DirectedEdge(
ti.PreViolation,
ti.PostViolation,
ti.Transition.Primitive
)
);
chain.Transitions.Add(ti);
}
if (!this.TransitionChains.ContainsKey(initialViolation.Method))
{
this.TransitionChains[initialViolation.Method] = new List <TransitionChain>();
}
this.TransitionChains[initialViolation.Method].Add(chain);
};
//
// Execute the simulation.
//
simulator.Run();
}
this.CompleteGraph = graph;
}
void PopulateSimulationText(GlobalSimulationContext globalContext)
{
ClearLog();
AppendLog(globalContext.Description);
}
