/// <summary>
/// Builds the model primitive of type <c>ExploitationPrimitiveType.ReadToExecute</c>, which
/// describes the step from a read violation to an execute violation.
/// </summary>
/// <param name="controlTransferPointerAddress">Forwarded unchanged to the base constructor.</param>
/// <param name="controlTransferMethod">
/// Stored on <c>ControlTransferMethod</c> and compared against the current violation's
/// control transfer method by the constraint registered below.
/// </param>
/// <param name="name">
/// Name passed to the base constructor; when null, the default
/// "read content that is used as base of execute" is used.
/// </param>
/// <param name="constraints">Handed to <c>Update</c> after the defaults are installed.</param>
/// <param name="nextViolation">Handed to <c>Update</c> after the defaults are installed.</param>
/// <param name="onSuccess">Handed to <c>Update</c> after the defaults are installed.</param>
public ReadToExecutePrimitive(
    MemoryAddress controlTransferPointerAddress = null,
    ControlTransferMethod? controlTransferMethod = null,
    string name = null,
    Expression<Func<SimulationContext, bool>> constraints = null,
    GetNextViolationDelegate nextViolation = null,
    PrimitiveTransitionSuccessDelegate onSuccess = null)
    : base(
        ExploitationPrimitiveType.ReadToExecute,
        name ?? "read content that is used as base of execute",
        controlTransferPointerAddress)
{
    this.ControlTransferMethod = controlTransferMethod;

    // Default follow-on violation: an Execute access whose base state is the
    // content-source state of the violation being transitioned from.
    NextViolationDelegate = ctx =>
    {
        Violation executeViolation = ctx.CurrentViolation.NewTransitiveViolation(
            MemoryAccessMethod.Execute,
            "execute with controlled base",
            baseState: ctx.CurrentViolation.ContentSrcState,
            contentSrcState: MemoryAccessParameterState.Unknown,
            contentDstState: MemoryAccessParameterState.Nonexistant,
            displacementState: MemoryAccessParameterState.Nonexistant,
            extentState: MemoryAccessParameterState.Nonexistant);

        executeViolation.InheritParameterStateFromContent(ctx.CurrentViolation);

        // Records the CanTriggerMemoryExecute assumption on the simulation context.
        ctx.AttackerFavorsAssumeTrue(AssumptionName.CanTriggerMemoryExecute);

        return executeViolation;
    };

    // base verifies that read address is equal to pointer address.
    //
    // The current violation must be a read violation that leads to this type
    // of control transfer. No constraints are placed on being able to find
    // desired code here, as this simply describes the constraints of going
    // from a read to an execute.
    ConstraintList.Add(
        context => context.AttackerFavorsEqual(
            context.CurrentViolation.ControlTransferMethod,
            controlTransferMethod));

    // NOTE(review): Update is defined outside this listing; it is called last, so it
    // presumably applies the caller-supplied overrides on top of the defaults - confirm.
    Update(constraints, nextViolation, onSuccess);
}
/// <summary>
/// Carries parameter state from one violation to the next by delegating to
/// <c>InheritParameterStateFromContent</c> with <c>MemoryAccessParameter.Content</c>
/// as the target parameter.
/// </summary>
/// <param name="from">Violation whose state is read.</param>
/// <param name="to">Violation that receives the inherited state.</param>
public override void InheritParameterState(Violation from, Violation to)
    => to.InheritParameterStateFromContent(from, MemoryAccessParameter.Content);
/// <summary>
/// Carries parameter state from one violation to the next by delegating to
/// <c>InheritParameterStateFromContent</c>, using this primitive's
/// <c>CorruptedParameter</c> as the target parameter.
/// </summary>
/// <param name="from">Violation whose state is read.</param>
/// <param name="to">Violation that receives the inherited state.</param>
public override void InheritParameterState(Violation from, Violation to)
    => to.InheritParameterStateFromContent(from, CorruptedParameter);