コード例 #1
ファイル: Enum.cs プロジェクト: microsoft/exsim
        /// <summary>
        /// Creates an address descriptor for content of the given data type.
        /// </summary>
        /// <param name="dataType">The kind of content that lives at this address.</param>
        /// <param name="region">
        /// The memory region holding the content. When omitted (null) the address is
        /// treated as region-agnostic, i.e. <see cref="MemoryRegionType.Any"/>.
        /// </param>
        public MemoryAddress(MemoryContentDataType dataType, MemoryRegionType? region = null)
        {
            DataType = dataType;

            // A null region means "unspecified": fall back to the wildcard region.
            Region = region ?? MemoryRegionType.Any;
        }
コード例 #2
ファイル: Techniques.cs プロジェクト: microsoft/exsim
        /// <summary>
        /// Registers the root transitions modelled by this technique: initializing the
        /// content at a stack address (as the destination of a write or the source of a
        /// read) through ordinary stack local variable initialization.
        /// </summary>
        /// <param name="simulation">The simulation receiving the root transitions.</param>
        /// <remarks>
        /// One destination-init and one source-init primitive is added per content data
        /// type. Both are constrained on the context favouring the
        /// <c>CanInitializeContentViaStackOverlappingLocal</c> assumption; the exact
        /// semantics of <c>AttackerFavorsAssumeTrue</c> are defined elsewhere.
        /// </remarks>
        public override void AddTransitionsToSimulation(Simulation simulation)
        {
            // Every content kind that may be found in a stack local variable.
            var stackContentKinds = new[]
            {
                MemoryContentDataType.WriteBasePointer,
                MemoryContentDataType.WriteDisplacement,
                MemoryContentDataType.WriteContent,
                MemoryContentDataType.WriteExtent,
                MemoryContentDataType.ReadBasePointer,
                MemoryContentDataType.ReadContent,
                MemoryContentDataType.ReadDisplacement,
                MemoryContentDataType.ReadExtent,
                MemoryContentDataType.FunctionPointer,
                MemoryContentDataType.CppVirtualTablePointer
            };

            foreach (var contentKind in stackContentKinds)
            {
                // The content is always located in the stack region for this technique.
                var stackAddress = new MemoryAddress(contentKind, MemoryRegionType.Stack);

                // Write side: the destination of a write is initialized by a local variable.
                var initDestination = new InitializeDestinationContentPrimitive(
                    $"Initialize content at destination address ({stackAddress}) of write via stack local var initialization",
                    destinationAddress: stackAddress,
                    constraints: context =>
                        context.AttackerFavorsAssumeTrue(AssumptionName.CanInitializeContentViaStackOverlappingLocal) == true);

                simulation.AddRootTransition(this, initDestination);

                // Read side: the source of a read is initialized by a local variable.
                var initSource = new InitializeSourceContentPrimitive(
                    $"Initialize content at source address ({stackAddress}) of read via stack local var initialization",
                    sourceAddress: stackAddress,
                    constraints: context =>
                        context.AttackerFavorsAssumeTrue(AssumptionName.CanInitializeContentViaStackOverlappingLocal) == true);

                simulation.AddRootTransition(this, initSource);
            }
        }
コード例 #3
ファイル: Techniques.cs プロジェクト: microsoft/exsim
        /// <summary>
        /// Registers the root transitions modelled by this technique: initializing content
        /// (data, and on systems without NX also code) through heap spraying.
        /// </summary>
        /// <param name="simulation">The simulation receiving the root transitions.</param>
        /// <remarks>
        /// For every (region, content kind) pair a destination-init and a source-init
        /// primitive is added, constrained on <c>CanInitializeContentViaHeapSpray()</c>.
        /// When such a transition succeeds the context records that heap spray works and
        /// that the address of attacker controlled data can be found. A final transition
        /// models spraying executable content, only applicable when attacker controlled
        /// data is not already executable.
        /// </remarks>
        public override void AddTransitionsToSimulation(Simulation simulation)
        {
            // Content kinds that a heap spray can place in memory.
            var sprayableContentKinds = new[]
            {
                MemoryContentDataType.AttackerControlledData,
                MemoryContentDataType.WriteBasePointer,
                MemoryContentDataType.WriteDisplacement,
                MemoryContentDataType.WriteContent,
                MemoryContentDataType.WriteExtent,
                MemoryContentDataType.ReadBasePointer,
                MemoryContentDataType.ReadContent,
                MemoryContentDataType.ReadDisplacement,
                MemoryContentDataType.ReadExtent,
                MemoryContentDataType.FunctionPointer,
                MemoryContentDataType.CppVirtualTablePointer,
                MemoryContentDataType.CppVirtualTable,
            };

            // Regions in which sprayed content is modelled: the heap itself and the wildcard region.
            var sprayRegions = new[]
            {
                MemoryRegionType.Heap,
                MemoryRegionType.Any
            };

            foreach (var region in sprayRegions)
            {
                foreach (var contentKind in sprayableContentKinds)
                {
                    var sprayAddress = new MemoryAddress(contentKind, region);

                    var initDestination = new InitializeDestinationContentPrimitive(
                        $"heap spray content to init dest {sprayAddress}",
                        destinationAddress: sprayAddress,
                        constraints: context => context.CanInitializeContentViaHeapSpray() == true,
                        onSuccess: RecordDataSprayAssumptions);

                    simulation.AddRootTransition(this, initDestination);

                    var initSource = new InitializeSourceContentPrimitive(
                        $"heap spray content to init src {sprayAddress}",
                        sourceAddress: sprayAddress,
                        constraints: context => context.CanInitializeContentViaHeapSpray() == true,
                        onSuccess: RecordDataSprayAssumptions);

                    simulation.AddRootTransition(this, initSource);
                }
            }

            //
            // Heap spraying can also be used to spray code (on systems that don't support or enable
            // NX).
            //

            var codeAddress = new MemoryAddress(MemoryContentDataType.AttackerControlledData);

            var initExecutable = new InitializeExecutableContentPrimitive(
                "initialize content with code via heap spray",
                codeAddress,
                constraints: context =>
                    // no need for this technique if we can already accomplish this via spraying data.
                    context.CanExecuteMemoryAtAddress(new MemoryAddress(MemoryContentDataType.AttackerControlledData, null)) == false
                    && context.CanInitializeContentViaHeapSpray() == true,
                onSuccess: RecordCodeSprayAssumptions);

            simulation.AddRootTransition(this, initExecutable);

            // Assumptions recorded once a data spray transition succeeds.
            void RecordDataSprayAssumptions(SimulationContext context, ref Violation v)
            {
                context.Assume(AssumptionName.CanInitializeContentViaHeapSpray);
                context.Assume(new Assumption.CanFindAddress(MemoryAddress.AddressOfAttackerControlledData));
            }

            // Assumptions recorded once a code spray transition succeeds: the same as for
            // data, plus the ability to find the attacker controlled code.
            void RecordCodeSprayAssumptions(SimulationContext context, ref Violation v)
            {
                context.Assume(AssumptionName.CanInitializeContentViaHeapSpray);
                context.Assume(new Assumption.CanFindAddress(MemoryAddress.AddressOfAttackerControlledData));
                context.Assume(new Assumption.CanFindAddress(MemoryAddress.AddressOfAttackerControlledCode));
            }
        }