public ReadToWritePrimitive(
MemoryAccessParameter controlledParameter,
MemoryAddress controlledAddress,
Expression <Func <SimulationContext, bool> > constraints = null,
GetNextViolationDelegate nextViolation = null,
PrimitiveTransitionSuccessDelegate onSuccess = null
)
: base(
ExploitationPrimitiveType.ReadToWrite,
name: String.Format("read content from '{0}' that is used as '{1}' of write", controlledAddress, controlledParameter),
readAddress: controlledAddress
)
{
this.ControlledParameter = controlledParameter;
this.ControlledAddress = controlledAddress;
this.NextViolationDelegate = (context) =>
{
Violation v = context.CurrentViolation.NewTransitiveViolation(
MemoryAccessMethod.Write,
String.Format("write via content derived from '{0}'", controlledAddress)
);
InheritParameterState(context.CurrentViolation, v);
context.AttackerFavorsAssumeTrue(AssumptionName.CanTriggerMemoryWrite);
return(v);
};
Update(constraints, nextViolation, onSuccess);
}
public static string GetAbbreviation(this MemoryAccessParameter parameter)
{
switch (parameter)
{
case MemoryAccessParameter.Base: return("b");
case MemoryAccessParameter.Content: return("c");
case MemoryAccessParameter.Displacement: return("d");
case MemoryAccessParameter.Extent: return("e");
default: return("?");
}
}
public WriteToReadPrimitive(
MemoryAccessParameter corruptedParameter,
MemoryAddress writeAddress,
string name = null,
Expression <Func <SimulationContext, bool> > constraints = null,
GetNextViolationDelegate nextViolation = null,
PrimitiveTransitionSuccessDelegate onSuccess = null
)
: base(
ExploitationPrimitiveType.WriteToRead,
(name != null) ? name : String.Format("write content to '{0}' that is used as '{1}' of read", writeAddress, corruptedParameter),
writeAddress
)
{
this.CorruptedParameter = corruptedParameter;
this.NextViolationDelegate = (context) =>
{
Violation v = context.CurrentViolation.NewTransitiveViolation(
MemoryAccessMethod.Read,
String.Format("read using content derived from '{0}'", this.WriteAddress)
);
InheritParameterState(context.CurrentViolation, v);
v.Address = this.WriteAddress;
return(v);
};
this.OnSuccess += (SimulationContext context, ref Violation v) =>
{
context.AttackerFavorsAssumeTrue(AssumptionName.CanTriggerMemoryRead);
};
Update(constraints, nextViolation, onSuccess);
}
public void SetParameterState(MemoryAccessParameter parameter, MemoryAccessParameterState state)
{
switch (parameter)
{
case MemoryAccessParameter.Base:
this.BaseState = state;
break;
case MemoryAccessParameter.Content:
this.ContentSrcState = state;
break;
case MemoryAccessParameter.Displacement:
this.DisplacementState = state;
break;
case MemoryAccessParameter.Extent:
this.ExtentState = state;
break;
default:
break;
}
}
public static MemoryAddress GetMemoryAddress(this MemoryAccessParameter parameter, MemoryAccessMethod method, MemoryRegionType?region = null)
{
MemoryContentDataType dataType;
switch (parameter)
{
case MemoryAccessParameter.Base:
if (method == MemoryAccessMethod.Read)
{
dataType = MemoryContentDataType.ReadBasePointer;
}
else if (method == MemoryAccessMethod.Write)
{
dataType = MemoryContentDataType.WriteBasePointer;
}
else
{
throw new NotSupportedException();
}
break;
case MemoryAccessParameter.Content:
if (method == MemoryAccessMethod.Read)
{
dataType = MemoryContentDataType.ReadContent;
}
else if (method == MemoryAccessMethod.Write)
{
dataType = MemoryContentDataType.WriteContent;
}
else
{
throw new NotSupportedException();
}
break;
case MemoryAccessParameter.Displacement:
if (method == MemoryAccessMethod.Read)
{
dataType = MemoryContentDataType.ReadDisplacement;
}
else if (method == MemoryAccessMethod.Write)
{
dataType = MemoryContentDataType.WriteDisplacement;
}
else
{
throw new NotSupportedException();
}
break;
case MemoryAccessParameter.Extent:
if (method == MemoryAccessMethod.Read)
{
dataType = MemoryContentDataType.ReadExtent;
}
else if (method == MemoryAccessMethod.Write)
{
dataType = MemoryContentDataType.WriteExtent;
}
else
{
throw new NotSupportedException();
}
break;
default:
throw new NotSupportedException();
}
return(new MemoryAddress(dataType, region));
}
public WriteToReadPrimitive(
MemoryAccessParameter corruptedParameter
)
: this(corruptedParameter, corruptedParameter.GetMemoryAddress(MemoryAccessMethod.Read))
{
}
public ReadToWritePrimitive(
MemoryAccessParameter controlledParameter
)
: this(controlledParameter, controlledParameter.GetMemoryAddress(MemoryAccessMethod.Write))
{
}
public static Simulation GetAllTechniquesSimulation(MemorySafetyModel model)
{
List <ExploitationTechnique> techniques = new List <ExploitationTechnique>();
var parameters = new MemoryAccessParameter[]
{
MemoryAccessParameter.Base,
MemoryAccessParameter.Content,
MemoryAccessParameter.Displacement,
MemoryAccessParameter.Extent
};
var regions = Enum.GetValues(typeof(MemoryRegionType));
//
// Multi-region generic techniques.
//
foreach (MemoryRegionType region in regions)
{
//
// Skip regions that are not relevant.
//
if (!MemoryAddress.WritableRegionTypes.Contains(region))
{
continue;
}
//
// r->r, r->w, and w->r techniques.
//
foreach (MemoryAccessParameter parameter in parameters)
{
if (parameter != MemoryAccessParameter.Content)
{
techniques.Add(
new SimpleTechnique(
new ReadToReadPrimitive(parameter, parameter.GetMemoryAddress(MemoryAccessMethod.Read, region))
)
);
}
techniques.Add(
new SimpleTechnique(
new ReadToWritePrimitive(parameter, parameter.GetMemoryAddress(MemoryAccessMethod.Write, region))
)
);
techniques.Add(
new SimpleTechnique(
new WriteToReadPrimitive(parameter, parameter.GetMemoryAddress(MemoryAccessMethod.Read, region))
)
);
}
}
techniques.Add(new CorruptFunctionPointer());
techniques.Add(new CorruptCppObjectVirtualTablePointer());
//
// Stack-specific techniques.
//
techniques.Add(new CorruptStackReturnAddress());
techniques.Add(new CorruptStackFramePointer());
techniques.Add(new CorruptStackStructuredExceptionHandler());
//
// Heap-specific techniques.
//
//
// Content initialization techniques.
//
techniques.Add(new HeapSpray());
techniques.Add(new StackLocalVariableInitialization());
techniques.Add(new LoadNonASLRImage());
techniques.Add(new LoadNonASLRNonSafeSEHImage());
//
// Code execution techniques.
//
techniques.Add(new ExecuteControlledDataAsCode());
techniques.Add(new ExecuteJITCode());
techniques.Add(new ExecuteROPPayload.StageViaVirtualAllocOrProtect());
techniques.Add(new ExecuteROPPayload.StageViaExecutableHeap());
techniques.Add(new ExecuteROPPayload.StageViaDisableNX());
techniques.Add(new ExecuteROPPayload.PureROP());
techniques.Add(
new SimpleTechnique(
new WriteToExecutePrimitive()
)
);
//
// Add the transitions to the simulation.
//
Simulation simulation = new Simulation(model);
simulation.BeginAddTransition();
foreach (ExploitationTechnique technique in techniques)
{
technique.AddTransitionsToSimulation(simulation);
}
simulation.EndAddTransition();
return(simulation);
}
