public ReadToWritePrimitive( MemoryAccessParameter controlledParameter, MemoryAddress controlledAddress, Expression <Func <SimulationContext, bool> > constraints = null, GetNextViolationDelegate nextViolation = null, PrimitiveTransitionSuccessDelegate onSuccess = null ) : base( ExploitationPrimitiveType.ReadToWrite, name: String.Format("read content from '{0}' that is used as '{1}' of write", controlledAddress, controlledParameter), readAddress: controlledAddress ) { this.ControlledParameter = controlledParameter; this.ControlledAddress = controlledAddress; this.NextViolationDelegate = (context) => { Violation v = context.CurrentViolation.NewTransitiveViolation( MemoryAccessMethod.Write, String.Format("write via content derived from '{0}'", controlledAddress) ); InheritParameterState(context.CurrentViolation, v); context.AttackerFavorsAssumeTrue(AssumptionName.CanTriggerMemoryWrite); return(v); }; Update(constraints, nextViolation, onSuccess); }
public CodeExecutionPrimitive( string name = "execute code", MemoryAddress codeExecutionAddress = null, Expression <Func <SimulationContext, bool> > constraints = null, GetNextViolationDelegate nextViolation = null, PrimitiveTransitionSuccessDelegate onSuccess = null ) : base(ExploitationPrimitiveType.ExecuteToExecute, "code_execution", name) { this.CodeExecutionAddress = codeExecutionAddress; this.ConstraintList.Add( (context) => ( (context.AttackerFavorsEqual(context.CurrentViolation.Method, MemoryAccessMethod.Execute) == true) && (context.AttackerFavorsEqual(context.CurrentViolation.Address, this.CodeExecutionAddress) == true) && (context.CanFindAddress(this.CodeExecutionAddress) == true) && (context.CanExecuteMemoryAtAddress(this.CodeExecutionAddress) == true) ) ); Update(constraints, nextViolation, onSuccess); }
public InitializeDestinationContentPrimitive( string name = "initialize content at destination address of write", MemoryAddress destinationAddress = null, MemoryAccessParameterState newContentState = MemoryAccessParameterState.Controlled, Expression <Func <SimulationContext, bool> > constraints = null, PrimitiveTransitionSuccessDelegate onSuccess = null ) : base(ExploitationPrimitiveType.Identity, "initialize_destination_content", name) { this.DestinationAddress = destinationAddress; this.NewContentState = newContentState; this.ConstraintList.Add( (context) => ( (context.Global.AssumeContentInitializationPossible == false) && (context.AttackerFavorsEqual(context.CurrentViolation.Method, MemoryAccessMethod.Write) == true) && ( (context.AttackerFavorsEqual(context.CurrentViolation.ContentDstState, MemoryAccessParameterState.Uninitialized) == true) || (context.AttackerFavorsEqual(context.CurrentViolation.ContentDstState, MemoryAccessParameterState.Unknown) == true) ) && (context.AttackerFavorsEqual(context.CurrentViolation.Address, this.DestinationAddress) == true) && (context.CanCorruptMemoryAtAddress(this.DestinationAddress) == true) ) ); this.NextViolationDelegate = (context) => { Violation v = context.CurrentViolation.CloneViolation(); v.ContentDstState = this.NewContentState; v.Address = this.DestinationAddress; return(v); }; this.OnSuccess += onSuccess; if (constraints != null) { this.ConstraintList.Add(constraints); } }
public ReadToExecutePrimitive( MemoryAddress controlTransferPointerAddress = null, ControlTransferMethod?controlTransferMethod = null, string name = null, Expression <Func <SimulationContext, bool> > constraints = null, GetNextViolationDelegate nextViolation = null, PrimitiveTransitionSuccessDelegate onSuccess = null ) : base( ExploitationPrimitiveType.ReadToExecute, (name != null) ? name : "read content that is used as base of execute", controlTransferPointerAddress ) { this.ControlTransferMethod = controlTransferMethod; this.NextViolationDelegate = (context) => { Violation v = context.CurrentViolation.NewTransitiveViolation( MemoryAccessMethod.Execute, "execute with controlled base", baseState: context.CurrentViolation.ContentSrcState, contentSrcState: MemoryAccessParameterState.Unknown, contentDstState: MemoryAccessParameterState.Nonexistant, displacementState: MemoryAccessParameterState.Nonexistant, extentState: MemoryAccessParameterState.Nonexistant ); v.InheritParameterStateFromContent(context.CurrentViolation); context.AttackerFavorsAssumeTrue(AssumptionName.CanTriggerMemoryExecute); return(v); }; this.ConstraintList.Add( (context) => ( // base verifies that read address is equal to pointer address. // // The current violation must be a read violation that leads to this type // of control transfer. No constraints are placed on being able to find // desired code here, as this simply describes the constraints of going // from a read to an execute. // (context.AttackerFavorsEqual(context.CurrentViolation.ControlTransferMethod, controlTransferMethod)) ) ); Update(constraints, nextViolation, onSuccess); }
public ReadPrimitive( ExploitationPrimitiveType primitiveType, string name, MemoryAddress readAddress = null, Expression <Func <SimulationContext, bool> > constraints = null, GetNextViolationDelegate nextViolation = null, PrimitiveTransitionSuccessDelegate onSuccess = null ) : base(primitiveType, "read", name) { this.ReadAddress = readAddress; this.ConstraintList.Add( (context) => ( // // This must be a memory read, from a source address whose state is initialized and equal // to the specified read address, and whose content can actually be read. // (context.CurrentViolation.Method == MemoryAccessMethod.Read) && ( (context.Global.AssumeContentInitializationPossible == true) || (this.ReadAddress.IsImplicitlyInitialized) || (context.CurrentViolation.ContentSrcState == MemoryAccessParameterState.Controlled) || (context.CurrentViolation.ContentSrcState == MemoryAccessParameterState.Fixed) ) && (context.AttackerFavorsEqual(context.CurrentViolation.Address, this.ReadAddress) == true) && (context.CanReadMemoryAtAddress(this.ReadAddress) == true) ) ); Update(constraints, nextViolation, onSuccess); }
protected void Update( Expression <Func <SimulationContext, bool> > constraints = null, GetNextViolationDelegate nextViolation = null, PrimitiveTransitionSuccessDelegate onSuccess = null) { if (constraints != null) { this.ConstraintList.Add(constraints); } if (nextViolation != null) { this.NextViolationDelegate = nextViolation; } if (onSuccess != null) { this.OnSuccess += onSuccess; } }
public WriteToReadPrimitive( MemoryAccessParameter corruptedParameter, MemoryAddress writeAddress, string name = null, Expression <Func <SimulationContext, bool> > constraints = null, GetNextViolationDelegate nextViolation = null, PrimitiveTransitionSuccessDelegate onSuccess = null ) : base( ExploitationPrimitiveType.WriteToRead, (name != null) ? name : String.Format("write content to '{0}' that is used as '{1}' of read", writeAddress, corruptedParameter), writeAddress ) { this.CorruptedParameter = corruptedParameter; this.NextViolationDelegate = (context) => { Violation v = context.CurrentViolation.NewTransitiveViolation( MemoryAccessMethod.Read, String.Format("read using content derived from '{0}'", this.WriteAddress) ); InheritParameterState(context.CurrentViolation, v); v.Address = this.WriteAddress; return(v); }; this.OnSuccess += (SimulationContext context, ref Violation v) => { context.AttackerFavorsAssumeTrue(AssumptionName.CanTriggerMemoryRead); }; Update(constraints, nextViolation, onSuccess); }