public TaintedSourceInfo(ulong id, MethodUniqueSignature method, ImmutableStack <string> callStack)
{
Id = id;
Method = method;
ForwardCallStack = callStack.Pop();
BackwardCallStack = ImmutableStack <string> .Empty.Push(callStack.Peek());
}
public TaintedSourceInfo(ulong id, MethodUniqueSignature method,
ImmutableStack <string> forwardCallStack, ImmutableStack <string> backwardCallStack)
{
Id = id;
Method = method;
ForwardCallStack = forwardCallStack;
BackwardCallStack = backwardCallStack;
}
private ICallGraphNode CreateCallGraphNode(string name)
{
var info = CallInfo.CreateFake(
new AssemblyInfo(UTF8String.Empty, AssemblyInfo.EmptyVersion),
MethodUniqueSignature.Create(name));
return(new CallInfoNode(info));
}
public MethodCall(MethodUniqueSignature signature, MethodDef methodDefinition,
SymbolicSlot[] parameters, CallKind callKind)
{
Signature = signature;
Definition = methodDefinition;
Parameters = parameters;
CallKind = callKind;
}
private CallGraphNode CreateCallGraphNode(string name)
{
var info = new CallInfo(
new AssemblyInfo(UTF8String.Empty, AssemblyInfo.EmptyVersion),
MethodUniqueSignature.Create(name),
OpCodes.Call,
true,
new List <MethodUniqueSignature>(0));
return(new CallGraphNode(info));
}
public void MethodUniqueNameGenericTest()
{
var name = MethodUniqueSignature.Create(
"YamlDotNet.Serialization.BuilderSkeleton`1<YamlDotNet.Serialization.DeserializerBuilder>::.ctor()");
Assert.That(name.ToString(), Is.EqualTo("YamlDotNet.Serialization.BuilderSkeleton::.ctor()"));
var name2 = MethodUniqueSignature.Create("System.Collections.Generic.IDictionary`2<System.String,System.Object> YamlDotNet.Serialization.Deserializer::Deserialize<System.Collections.Generic.IDictionary`2<System.String,System.Object>>(System.String)");
Assert.That(name2.ToString(), Is.EqualTo("System.Collections.Generic.IDictionary YamlDotNet.Serialization.Deserializer::Deserialize(System.String)"));
}
protected DataFlowAnalysisResult Execute(MethodDef method,
MethodUniqueSignature taintedSignature = null)
{
engine = new SymbolicEngine(index, taintedSignature, 20, true, InputTaintedMode);
var result = engine.ExecuteForward(method);
result?.Summary.Dump(@"C:\tmp\experiments\tests", method.Name);
result.Stat.DumpConsole();
Console.WriteLine($"All method calls/instructions: {result.Summary.MethodCallCount:N0} / {result.Summary.InstructionCount:N0}");
return(result);
}
public SymbolicEngine(IndexDb indexDb,
MethodUniqueSignature taintedCall,
uint virtualCallsLimit,
bool enableStaticFields,
bool inputTaintedMode)
{
this.indexDb = indexDb;
this.taintedCall = taintedCall;
this.virtualCallsLimit = virtualCallsLimit;
this.enableStaticFields = enableStaticFields;
this.inputTaintedMode = inputTaintedMode;
firstExecutionContextCreating = inputTaintedMode;
}
public ExecutionContext(ImmutableStack <string> callStack, MethodUniqueSignature signature, MethodDef method,
bool enableStaticFields, bool markInputArguments)
{
this.method = method;
this.enableStaticFields = enableStaticFields;
CallStack = callStack;
Signature = signature;
staticEntity = new SymbolicReference();
Static = new SymbolicSlot(staticEntity);
var countArguments = method.GetParameterCount();
Arguments = new ArgumentContext(signature, countArguments, markInputArguments);
InstructionCount = method.HasBody ? (double)method.Body.Instructions.Count : 0;
}
public ArgumentContext(MethodUniqueSignature signature, int count, bool markInput)
{
this.count = count;
root = new SymbolicReference();
slots = new SymbolicSlot[count];
for (int id = 0; id < count; id++)
{
var entity = new SymbolicReference(new ArgumentSource(id, signature));
if (markInput)
{
entity.MarkInput();
}
root.StoreField(SymbolicReference.ArgumentPrefix + id, entity);
slots[id] = new SymbolicSlot(entity);
}
}
public Summary(MethodUniqueSignature signature,
SymbolicReference staticContext,
SymbolicReference[] arguments,
SymbolicReference returnValue,
double methodCallCount,
double instructionCount)
{
Signature = signature;
Static = staticContext;
Arguments = arguments;
ReturnValue = returnValue;
MethodCallCount = methodCallCount;
InstructionCount = instructionCount;
//if (method.FullName.Contains("System.Text.StringBuilder::.ctor(System.Int32,System.Int32,System.Text.StringBuilder)"))
//if (method.FullName.Contains("UnsafeStringCopy"))
//if (method.FullName.Contains("Return"))
{
// Dump();
}
}
//[Ignore("for debugging only, change type and methodName vars for your case")]
public void SingleCase()
{
var type = typeof(KnowledgeBase.Cases.XslCompiledTransformPatterns);
var methodName = nameof(KnowledgeBase.Cases.XslCompiledTransformPatterns.XsltLoadWithPayload);
var context = Context.CreateToAnalyze();
var method = type.GetMethod(methodName, BindingFlags.Public | BindingFlags.Instance);
var errors = Loader.ExecuteCase(context, type, new[] { method });
//var patternGroup = Loader.GetPatternGroup(type, methodName);
Assert.That(errors, Is.Empty);
Assert.That(context.Patterns.Count, Is.GreaterThan(0));
var builder = new CallGraphBuilder(index);
var graph = builder.CreateGraph(context.Patterns);
Assert.That(graph.EntryNodes.Count, Is.GreaterThan(0));
Assert.That(graph.EntryNodes.Keys
.Contains(MethodUniqueSignature.Create($"{type.FullName}::{methodName}()")));
}
public void AddPossibleInputTransformMethod(MethodUniqueSignature method, IEnumerable <string> callStack,
List <SymbolicSlot> outputSlots)
{
return;
MaterializeFields();
for (int i = 0; i < outputSlots.Count; i++)
{
var outputSlot = outputSlots[i];
if (outputSlot == this)
{
continue;
}
outputSlot.MaterializeFields();
for (int j = 0; j < entities.Length; j++)
{
var entity = entities[j];
entity.AddPossibleInputTransformMethod(method, callStack, outputSlot.entities);
}
}
}
public void AddTargetMethod(MethodUniqueSignature method, ImmutableStack <string> callStack,
DataFlowAnalysisResult result)
{
if (IsConstAfterSimplification())
{
return;
}
MaterializeFields(assert: false);
if (IsConstAfterSimplification())
{
return;
}
for (int i = 0; i < entities.Length; i++)
{
var entity = entities[i];
if (!entity.IsConst)
{
entity.AddTargetMethod(method, callStack, result);
}
}
}
public void AllCases()
{
foreach (var type in Loader.GetCaseTypes())
{
Console.WriteLine($"{type}:");
foreach (var method in Loader.GetCaseMethods(type))
{
Console.WriteLine($" {method}");
var context = Context.CreateToAnalyze();
var errors = Loader.ExecuteCase(context, type, new[] { method });
Assert.That(errors, Is.Empty);
Assert.That(context.Patterns.Count, Is.GreaterThan(0));
var builder = new CallGraphBuilder(index);
var graph = builder.CreateGraph(context.Patterns);
Assert.That(graph.EntryNodes.Count, Is.GreaterThan(0));
Assert.That(graph.EntryNodes.Keys
.Contains(MethodUniqueSignature.Create($"{type.FullName}::{method.Name}()")));
}
}
}
public bool IsValid(MethodUniqueSignature signature) => //whiteList.Contains(signature); !blackList.Contains(signature);
public SimpleNode(MethodUniqueSignature signature)
{
MethodSignature = signature;
}
public ArgumentSource(int index, MethodUniqueSignature signature)
{
this.signature = signature;
Index = index;
}
public TaintedSourceInfo(ulong id, MethodUniqueSignature method,
ImmutableStack <string> forwardCallStack, ImmutableStack <string> backwardCallStack,
ImmutableStack <(MethodUniqueSignature, ImmutableStack <string>)> attackTriggerCalls)
