Beispiel #1
        /// <summary>
        /// Creates a primitive that models the transition from a read violation to an
        /// execute violation, where the content that was read becomes the base of the
        /// executed address.
        /// </summary>
        /// <param name="controlTransferPointerAddress">Forwarded unchanged to the base constructor.</param>
        /// <param name="controlTransferMethod">
        /// Stored on <c>ControlTransferMethod</c> and compared against the current
        /// violation's control transfer method by the constraint registered here.
        /// </param>
        /// <param name="name">
        /// Display name; when null, "read content that is used as base of execute" is used.
        /// </param>
        /// <param name="constraints">Forwarded to <c>Update</c>.</param>
        /// <param name="nextViolation">Forwarded to <c>Update</c>.</param>
        /// <param name="onSuccess">Forwarded to <c>Update</c>.</param>
        public ReadToExecutePrimitive(
            MemoryAddress controlTransferPointerAddress = null,
            ControlTransferMethod? controlTransferMethod = null,
            string name = null,
            Expression<Func<SimulationContext, bool>> constraints = null,
            GetNextViolationDelegate nextViolation = null,
            PrimitiveTransitionSuccessDelegate onSuccess = null)
            : base(
                ExploitationPrimitiveType.ReadToExecute,
                name ?? "read content that is used as base of execute",
                controlTransferPointerAddress)
        {
            this.ControlTransferMethod = controlTransferMethod;

            // Default successor: an execute violation whose base state is whatever the
            // content source state of the violation being transitioned from was.
            this.NextViolationDelegate = context =>
            {
                Violation executeViolation = context.CurrentViolation.NewTransitiveViolation(
                    MemoryAccessMethod.Execute,
                    "execute with controlled base",
                    baseState: context.CurrentViolation.ContentSrcState,
                    contentSrcState: MemoryAccessParameterState.Unknown,
                    contentDstState: MemoryAccessParameterState.Nonexistant,
                    displacementState: MemoryAccessParameterState.Nonexistant,
                    extentState: MemoryAccessParameterState.Nonexistant);

                executeViolation.InheritParameterStateFromContent(context.CurrentViolation);

                // Records the CanTriggerMemoryExecute assumption on the simulation context.
                // NOTE(review): presumably this resolves the assumption in the attacker's
                // favour rather than proving it; confirm before treating a successful
                // transition as evidence that execution is actually reachable.
                context.AttackerFavorsAssumeTrue(AssumptionName.CanTriggerMemoryExecute);

                return executeViolation;
            };

            // The current violation must be a read violation that leads to this type of
            // control transfer. Nothing here requires that useful code can be found at the
            // target; the constraint only describes going from a read to an execute.
            // The original comment states that the base class checks that the read address
            // equals the pointer address; that check is not visible in this constructor.
            //
            // NOTE(review): the lambda captures the constructor argument, not the
            // ControlTransferMethod property, so a later change to the property is not
            // reflected in this constraint.
            this.ConstraintList.Add(
                context => context.AttackerFavorsEqual(
                    context.CurrentViolation.ControlTransferMethod,
                    controlTransferMethod));

            // Runs after the defaults above are in place.
            // NOTE(review): presumably a non-null nextViolation replaces the default
            // delegate assigned above; confirm against Update.
            Update(constraints, nextViolation, onSuccess);
        }
Beispiel #2
 /// <summary>
 /// Copies parameter state into <paramref name="to"/> from the content of
 /// <paramref name="from"/>, always targeting <c>MemoryAccessParameter.Content</c>.
 /// </summary>
 /// <param name="from">Violation whose content state is the source.</param>
 /// <param name="to">Violation that receives the inherited state.</param>
 public override void InheritParameterState(Violation from, Violation to) =>
     to.InheritParameterStateFromContent(from, MemoryAccessParameter.Content);
Beispiel #3
 /// <summary>
 /// Copies parameter state into <paramref name="to"/> from the content of
 /// <paramref name="from"/>, targeting whichever parameter this instance's
 /// <c>CorruptedParameter</c> names.
 /// </summary>
 /// <param name="from">Violation whose content state is the source.</param>
 /// <param name="to">Violation that receives the inherited state.</param>
 public override void InheritParameterState(Violation from, Violation to) =>
     to.InheritParameterStateFromContent(from, this.CorruptedParameter);