private static int RunAnalysis(AnalyzeOptions options)
{
var indexDb = new IndexDb(options.Directory);
indexDb.Build();
indexDb.ShowStatistic();
var callGraphBuilder = new CallGraphBuilder(indexDb);
CreateCleanDirectory(options.Output);
foreach (var group in Loader.GetPatternGroups())
{
var callGraph = callGraphBuilder.CreateGraph(group.Patterns);
callGraphBuilder.ShowStatistic();
if (callGraph.IsEmpty)
{
continue;
}
callGraph.RemoveDuplicatePaths();
var groupDirectory = Path.Combine(options.Output, group.Name);
Directory.CreateDirectory(groupDirectory);
callGraph.Dump(Path.Combine(groupDirectory, "full.png"));
callGraph.RemoveNonPublicEntryNodes();
callGraph.Dump(Path.Combine(groupDirectory, "public.png"));
}
return(0);
}
//[Ignore("for debugging only, change type and methodName vars for your case")]
public void SingleCase()
{
var type = typeof(KnowledgeBase.Cases.XslCompiledTransformPatterns);
var methodName = nameof(KnowledgeBase.Cases.XslCompiledTransformPatterns.XsltLoadWithPayload);
var context = Context.CreateToAnalyze();
var method = type.GetMethod(methodName, BindingFlags.Public | BindingFlags.Instance);
var errors = Loader.ExecuteCase(context, type, new[] { method });
//var patternGroup = Loader.GetPatternGroup(type, methodName);
Assert.That(errors, Is.Empty);
Assert.That(context.Patterns.Count, Is.GreaterThan(0));
var builder = new CallGraphBuilder(index);
var graph = builder.CreateGraph(context.Patterns);
Assert.That(graph.EntryNodes.Count, Is.GreaterThan(0));
Assert.That(graph.EntryNodes.Keys
.Contains(MethodUniqueSignature.Create($"{type.FullName}::{methodName}()")));
}
private static int RunAnalysis(AnalyzeOptions options)
{
var timer = Stopwatch.StartNew();
var indexDb = new IndexDb(options.Directory);
indexDb.Build();
indexDb.ShowStatistic();
var callGraphBuilder = new CallGraphBuilder(indexDb);
CreateCleanDirectory(options.Output);
foreach (var group in Loader.GetTemplateGroups())
{
var callGraph = callGraphBuilder.CreateGraph(group.Templates);
callGraphBuilder.ShowStatistic();
if (callGraph.IsEmpty)
{
continue;
}
callGraph.RemoveDuplicatePaths();
var groupDirectory = Path.Combine(options.Output, group.Name);
Directory.CreateDirectory(groupDirectory);
callGraph.Dump(Path.Combine(groupDirectory, "full.png"));
callGraph.DumpSeparateUsages(Path.Combine(groupDirectory, "usages"));
callGraph.RemoveSameClasses();
//callGraph.RemoveMiddleNodes();
callGraph.Dump(Path.Combine(groupDirectory, "classes.png"));
//callGraph.RemoveNonPublicEntryNodes();
//callGraph.Dump(Path.Combine(groupDirectory, "public.png"));
}
timer.Stop();
Console.WriteLine($"{timer.ElapsedMilliseconds}");
Console.WriteLine($"{timer}");
return(0);
}
public void AllCases()
{
foreach (var type in Loader.GetCaseTypes())
{
Console.WriteLine($"{type}:");
foreach (var method in Loader.GetCaseMethods(type))
{
Console.WriteLine($" {method}");
var context = Context.CreateToAnalyze();
var errors = Loader.ExecuteCase(context, type, new[] { method });
Assert.That(errors, Is.Empty);
Assert.That(context.Patterns.Count, Is.GreaterThan(0));
var builder = new CallGraphBuilder(index);
var graph = builder.CreateGraph(context.Patterns);
Assert.That(graph.EntryNodes.Count, Is.GreaterThan(0));
Assert.That(graph.EntryNodes.Keys
.Contains(MethodUniqueSignature.Create($"{type.FullName}::{method.Name}()")));
}
}
}
private static int RunAnalysis(string input, string entryPoint, string output)
{
Console.WriteLine("Copying SerialDetector.Experiments...");
File.Copy(
typeof(Deserializers).Assembly.Location,
Path.Combine(input, Path.GetFileName(typeof(Deserializers).Assembly.Location)),
true);
Console.WriteLine($"[{DateTime.Now:T}]");
var indexDb = new IndexDb(input);
var v = new Version();
var methods = indexDb.Assemblies.FindSensitiveSinkCalls().ToList();
Console.WriteLine($"[{DateTime.Now:T}] {methods.Count} methods!");
var sensitiveSinks = methods
.Select(method => method.CreateMethodUniqueSignature())
.Distinct()
.Select(name => new TemplateInfo(name, v))
.ToList();
CreateCleanDirectory(output);
File.WriteAllLines(
Path.Combine(output, "sensitive-sinks.txt"),
sensitiveSinks.Select(info => info.Method.ToString()));
var setUp = GetEntryPointSetUp(entryPoint);
sensitiveSinks = new List <TemplateInfo>
{
new TemplateInfo(new MethodUniqueSignature(setUp.SensitiveSink), v)
};
Console.WriteLine($"[{DateTime.Now:T}] {sensitiveSinks.Count} patterns!");
foreach (var method in sensitiveSinks)
{
Console.WriteLine($" {method.Method}");
}
Console.WriteLine();
// TODO: remove convertedArgumentTypes
var convertedArgumentTypes = indexDb.Build();
indexDb.ShowStatistic();
Console.WriteLine($"[{DateTime.Now:T}]");
var callGraphBuilder = new CallGraphBuilder(indexDb);
var i = 0;
foreach (var sensitiveSink in sensitiveSinks)
{
var g = callGraphBuilder.CreateGraph(new List <TemplateInfo> {
sensitiveSink
});
Console.WriteLine();
Console.WriteLine($"[{DateTime.Now:T}] #{++i} {sensitiveSink.Method}");
callGraphBuilder.ShowStatistic();
if (g.IsEmpty)
{
Console.WriteLine("CFA: Not found!");
continue;
}
StoreEntryPoints(Path.Combine(output, $"{i}_ep_all.txt"), g);
Console.WriteLine($"Graph: nodes = {g.Nodes.Count}, entry nodes = {g.EntryNodes.Count}");
g.RemoveDuplicatePaths();
Console.WriteLine($"Graph: nodes = {g.Nodes.Count}, entry nodes = {g.EntryNodes.Count}");
g.RemoveNonPublicEntryNodes();
Console.WriteLine($"Graph: nodes = {g.Nodes.Count}, entry nodes = {g.EntryNodes.Count}");
g.RemoveNonPublicMiddleNodes();
Console.WriteLine($"Graph: nodes = {g.Nodes.Count}, entry nodes = {g.EntryNodes.Count}");
//ShowEntryPoints(currentPatterns, g);
StoreEntryPoints(Path.Combine(output, $"{i}_ep_public.txt"), g);
if (g.Nodes.Count > 1 && g.Nodes.Count < 1000)
{
g.Dump(Path.Combine(output, $"{i}_po.png"));
}
else
{
Console.WriteLine($"{i}_ep_public graph contains {g.Nodes.Count} nodes!");
}
// DFA
var symbolicEngine = new SymbolicEngine(indexDb, sensitiveSink.Method,
setUp.VirtualCallsLimit, setUp.EnableStaticFields, false);
var workingThread = new Thread(() =>
{
RunDataFlowAnalysis(indexDb, g, entryPoint, convertedArgumentTypes, symbolicEngine, output);
});
var timer = Stopwatch.StartNew();
workingThread.Start();
Console.WriteLine();
Console.WriteLine("Press q and <Enter> to exit...");
while (Console.ReadLine() != "q")
{
}
if (workingThread.IsAlive)
{
workingThread.Abort();
workingThread.Join();
timer.Stop();
symbolicEngine.CurrentStat?.DumpConsole();
symbolicEngine.CurrentStat?.DumpTxt(output, "dfa_stat.txt");
//symbolicEngine.CurrentStat?.DumpCsv(output, "dfa_stat.csv");
Console.WriteLine($"Analysis is aborted ({timer.ElapsedMilliseconds} ms)");
}
}
return(0);
}