public TaintedSourceInfo(ulong id, MethodUniqueSignature method, ImmutableStack <string> callStack) { Id = id; Method = method; ForwardCallStack = callStack.Pop(); BackwardCallStack = ImmutableStack <string> .Empty.Push(callStack.Peek()); }
public TaintedSourceInfo(ulong id, MethodUniqueSignature method, ImmutableStack <string> forwardCallStack, ImmutableStack <string> backwardCallStack) { Id = id; Method = method; ForwardCallStack = forwardCallStack; BackwardCallStack = backwardCallStack; }
private ICallGraphNode CreateCallGraphNode(string name) { var info = CallInfo.CreateFake( new AssemblyInfo(UTF8String.Empty, AssemblyInfo.EmptyVersion), MethodUniqueSignature.Create(name)); return(new CallInfoNode(info)); }
public MethodCall(MethodUniqueSignature signature, MethodDef methodDefinition, SymbolicSlot[] parameters, CallKind callKind) { Signature = signature; Definition = methodDefinition; Parameters = parameters; CallKind = callKind; }
private CallGraphNode CreateCallGraphNode(string name) { var info = new CallInfo( new AssemblyInfo(UTF8String.Empty, AssemblyInfo.EmptyVersion), MethodUniqueSignature.Create(name), OpCodes.Call, true, new List <MethodUniqueSignature>(0)); return(new CallGraphNode(info)); }
public void MethodUniqueNameGenericTest() { var name = MethodUniqueSignature.Create( "YamlDotNet.Serialization.BuilderSkeleton`1<YamlDotNet.Serialization.DeserializerBuilder>::.ctor()"); Assert.That(name.ToString(), Is.EqualTo("YamlDotNet.Serialization.BuilderSkeleton::.ctor()")); var name2 = MethodUniqueSignature.Create("System.Collections.Generic.IDictionary`2<System.String,System.Object> YamlDotNet.Serialization.Deserializer::Deserialize<System.Collections.Generic.IDictionary`2<System.String,System.Object>>(System.String)"); Assert.That(name2.ToString(), Is.EqualTo("System.Collections.Generic.IDictionary YamlDotNet.Serialization.Deserializer::Deserialize(System.String)")); }
protected DataFlowAnalysisResult Execute(MethodDef method, MethodUniqueSignature taintedSignature = null) { engine = new SymbolicEngine(index, taintedSignature, 20, true, InputTaintedMode); var result = engine.ExecuteForward(method); result?.Summary.Dump(@"C:\tmp\experiments\tests", method.Name); result.Stat.DumpConsole(); Console.WriteLine($"All method calls/instructions: {result.Summary.MethodCallCount:N0} / {result.Summary.InstructionCount:N0}"); return(result); }
public SymbolicEngine(IndexDb indexDb, MethodUniqueSignature taintedCall, uint virtualCallsLimit, bool enableStaticFields, bool inputTaintedMode) { this.indexDb = indexDb; this.taintedCall = taintedCall; this.virtualCallsLimit = virtualCallsLimit; this.enableStaticFields = enableStaticFields; this.inputTaintedMode = inputTaintedMode; firstExecutionContextCreating = inputTaintedMode; }
public ExecutionContext(ImmutableStack <string> callStack, MethodUniqueSignature signature, MethodDef method, bool enableStaticFields, bool markInputArguments) { this.method = method; this.enableStaticFields = enableStaticFields; CallStack = callStack; Signature = signature; staticEntity = new SymbolicReference(); Static = new SymbolicSlot(staticEntity); var countArguments = method.GetParameterCount(); Arguments = new ArgumentContext(signature, countArguments, markInputArguments); InstructionCount = method.HasBody ? (double)method.Body.Instructions.Count : 0; }
public ArgumentContext(MethodUniqueSignature signature, int count, bool markInput) { this.count = count; root = new SymbolicReference(); slots = new SymbolicSlot[count]; for (int id = 0; id < count; id++) { var entity = new SymbolicReference(new ArgumentSource(id, signature)); if (markInput) { entity.MarkInput(); } root.StoreField(SymbolicReference.ArgumentPrefix + id, entity); slots[id] = new SymbolicSlot(entity); } }
public Summary(MethodUniqueSignature signature, SymbolicReference staticContext, SymbolicReference[] arguments, SymbolicReference returnValue, double methodCallCount, double instructionCount) { Signature = signature; Static = staticContext; Arguments = arguments; ReturnValue = returnValue; MethodCallCount = methodCallCount; InstructionCount = instructionCount; //if (method.FullName.Contains("System.Text.StringBuilder::.ctor(System.Int32,System.Int32,System.Text.StringBuilder)")) //if (method.FullName.Contains("UnsafeStringCopy")) //if (method.FullName.Contains("Return")) { // Dump(); } }
//[Ignore("for debugging only, change type and methodName vars for your case")] public void SingleCase() { var type = typeof(KnowledgeBase.Cases.XslCompiledTransformPatterns); var methodName = nameof(KnowledgeBase.Cases.XslCompiledTransformPatterns.XsltLoadWithPayload); var context = Context.CreateToAnalyze(); var method = type.GetMethod(methodName, BindingFlags.Public | BindingFlags.Instance); var errors = Loader.ExecuteCase(context, type, new[] { method }); //var patternGroup = Loader.GetPatternGroup(type, methodName); Assert.That(errors, Is.Empty); Assert.That(context.Patterns.Count, Is.GreaterThan(0)); var builder = new CallGraphBuilder(index); var graph = builder.CreateGraph(context.Patterns); Assert.That(graph.EntryNodes.Count, Is.GreaterThan(0)); Assert.That(graph.EntryNodes.Keys .Contains(MethodUniqueSignature.Create($"{type.FullName}::{methodName}()"))); }
public void AddPossibleInputTransformMethod(MethodUniqueSignature method, IEnumerable <string> callStack, List <SymbolicSlot> outputSlots) { return; MaterializeFields(); for (int i = 0; i < outputSlots.Count; i++) { var outputSlot = outputSlots[i]; if (outputSlot == this) { continue; } outputSlot.MaterializeFields(); for (int j = 0; j < entities.Length; j++) { var entity = entities[j]; entity.AddPossibleInputTransformMethod(method, callStack, outputSlot.entities); } } }
public void AddTargetMethod(MethodUniqueSignature method, ImmutableStack <string> callStack, DataFlowAnalysisResult result) { if (IsConstAfterSimplification()) { return; } MaterializeFields(assert: false); if (IsConstAfterSimplification()) { return; } for (int i = 0; i < entities.Length; i++) { var entity = entities[i]; if (!entity.IsConst) { entity.AddTargetMethod(method, callStack, result); } } }
public void AllCases() { foreach (var type in Loader.GetCaseTypes()) { Console.WriteLine($"{type}:"); foreach (var method in Loader.GetCaseMethods(type)) { Console.WriteLine($" {method}"); var context = Context.CreateToAnalyze(); var errors = Loader.ExecuteCase(context, type, new[] { method }); Assert.That(errors, Is.Empty); Assert.That(context.Patterns.Count, Is.GreaterThan(0)); var builder = new CallGraphBuilder(index); var graph = builder.CreateGraph(context.Patterns); Assert.That(graph.EntryNodes.Count, Is.GreaterThan(0)); Assert.That(graph.EntryNodes.Keys .Contains(MethodUniqueSignature.Create($"{type.FullName}::{method.Name}()"))); } } }
public bool IsValid(MethodUniqueSignature signature) => //whiteList.Contains(signature); !blackList.Contains(signature);
public SimpleNode(MethodUniqueSignature signature) { MethodSignature = signature; }
public ArgumentSource(int index, MethodUniqueSignature signature) { this.signature = signature; Index = index; }
public TaintedSourceInfo(ulong id, MethodUniqueSignature method, ImmutableStack <string> forwardCallStack, ImmutableStack <string> backwardCallStack, ImmutableStack <(MethodUniqueSignature, ImmutableStack <string>)> attackTriggerCalls)