public ReadToWritePrimitive( MemoryAccessParameter controlledParameter, MemoryAddress controlledAddress, Expression <Func <SimulationContext, bool> > constraints = null, GetNextViolationDelegate nextViolation = null, PrimitiveTransitionSuccessDelegate onSuccess = null ) : base( ExploitationPrimitiveType.ReadToWrite, name: String.Format("read content from '{0}' that is used as '{1}' of write", controlledAddress, controlledParameter), readAddress: controlledAddress ) { this.ControlledParameter = controlledParameter; this.ControlledAddress = controlledAddress; this.NextViolationDelegate = (context) => { Violation v = context.CurrentViolation.NewTransitiveViolation( MemoryAccessMethod.Write, String.Format("write via content derived from '{0}'", controlledAddress) ); InheritParameterState(context.CurrentViolation, v); context.AttackerFavorsAssumeTrue(AssumptionName.CanTriggerMemoryWrite); return(v); }; Update(constraints, nextViolation, onSuccess); }
public static string GetAbbreviation(this MemoryAccessParameter parameter) { switch (parameter) { case MemoryAccessParameter.Base: return("b"); case MemoryAccessParameter.Content: return("c"); case MemoryAccessParameter.Displacement: return("d"); case MemoryAccessParameter.Extent: return("e"); default: return("?"); } }
public WriteToReadPrimitive( MemoryAccessParameter corruptedParameter, MemoryAddress writeAddress, string name = null, Expression <Func <SimulationContext, bool> > constraints = null, GetNextViolationDelegate nextViolation = null, PrimitiveTransitionSuccessDelegate onSuccess = null ) : base( ExploitationPrimitiveType.WriteToRead, (name != null) ? name : String.Format("write content to '{0}' that is used as '{1}' of read", writeAddress, corruptedParameter), writeAddress ) { this.CorruptedParameter = corruptedParameter; this.NextViolationDelegate = (context) => { Violation v = context.CurrentViolation.NewTransitiveViolation( MemoryAccessMethod.Read, String.Format("read using content derived from '{0}'", this.WriteAddress) ); InheritParameterState(context.CurrentViolation, v); v.Address = this.WriteAddress; return(v); }; this.OnSuccess += (SimulationContext context, ref Violation v) => { context.AttackerFavorsAssumeTrue(AssumptionName.CanTriggerMemoryRead); }; Update(constraints, nextViolation, onSuccess); }
public void SetParameterState(MemoryAccessParameter parameter, MemoryAccessParameterState state) { switch (parameter) { case MemoryAccessParameter.Base: this.BaseState = state; break; case MemoryAccessParameter.Content: this.ContentSrcState = state; break; case MemoryAccessParameter.Displacement: this.DisplacementState = state; break; case MemoryAccessParameter.Extent: this.ExtentState = state; break; default: break; } }
public static MemoryAddress GetMemoryAddress(this MemoryAccessParameter parameter, MemoryAccessMethod method, MemoryRegionType?region = null) { MemoryContentDataType dataType; switch (parameter) { case MemoryAccessParameter.Base: if (method == MemoryAccessMethod.Read) { dataType = MemoryContentDataType.ReadBasePointer; } else if (method == MemoryAccessMethod.Write) { dataType = MemoryContentDataType.WriteBasePointer; } else { throw new NotSupportedException(); } break; case MemoryAccessParameter.Content: if (method == MemoryAccessMethod.Read) { dataType = MemoryContentDataType.ReadContent; } else if (method == MemoryAccessMethod.Write) { dataType = MemoryContentDataType.WriteContent; } else { throw new NotSupportedException(); } break; case MemoryAccessParameter.Displacement: if (method == MemoryAccessMethod.Read) { dataType = MemoryContentDataType.ReadDisplacement; } else if (method == MemoryAccessMethod.Write) { dataType = MemoryContentDataType.WriteDisplacement; } else { throw new NotSupportedException(); } break; case MemoryAccessParameter.Extent: if (method == MemoryAccessMethod.Read) { dataType = MemoryContentDataType.ReadExtent; } else if (method == MemoryAccessMethod.Write) { dataType = MemoryContentDataType.WriteExtent; } else { throw new NotSupportedException(); } break; default: throw new NotSupportedException(); } return(new MemoryAddress(dataType, region)); }
public WriteToReadPrimitive( MemoryAccessParameter corruptedParameter ) : this(corruptedParameter, corruptedParameter.GetMemoryAddress(MemoryAccessMethod.Read)) { }
public ReadToWritePrimitive( MemoryAccessParameter controlledParameter ) : this(controlledParameter, controlledParameter.GetMemoryAddress(MemoryAccessMethod.Write)) { }
public static Simulation GetAllTechniquesSimulation(MemorySafetyModel model) { List <ExploitationTechnique> techniques = new List <ExploitationTechnique>(); var parameters = new MemoryAccessParameter[] { MemoryAccessParameter.Base, MemoryAccessParameter.Content, MemoryAccessParameter.Displacement, MemoryAccessParameter.Extent }; var regions = Enum.GetValues(typeof(MemoryRegionType)); // // Multi-region generic techniques. // foreach (MemoryRegionType region in regions) { // // Skip regions that are not relevant. // if (!MemoryAddress.WritableRegionTypes.Contains(region)) { continue; } // // r->r, r->w, and w->r techniques. // foreach (MemoryAccessParameter parameter in parameters) { if (parameter != MemoryAccessParameter.Content) { techniques.Add( new SimpleTechnique( new ReadToReadPrimitive(parameter, parameter.GetMemoryAddress(MemoryAccessMethod.Read, region)) ) ); } techniques.Add( new SimpleTechnique( new ReadToWritePrimitive(parameter, parameter.GetMemoryAddress(MemoryAccessMethod.Write, region)) ) ); techniques.Add( new SimpleTechnique( new WriteToReadPrimitive(parameter, parameter.GetMemoryAddress(MemoryAccessMethod.Read, region)) ) ); } } techniques.Add(new CorruptFunctionPointer()); techniques.Add(new CorruptCppObjectVirtualTablePointer()); // // Stack-specific techniques. // techniques.Add(new CorruptStackReturnAddress()); techniques.Add(new CorruptStackFramePointer()); techniques.Add(new CorruptStackStructuredExceptionHandler()); // // Heap-specific techniques. // // // Content initialization techniques. // techniques.Add(new HeapSpray()); techniques.Add(new StackLocalVariableInitialization()); techniques.Add(new LoadNonASLRImage()); techniques.Add(new LoadNonASLRNonSafeSEHImage()); // // Code execution techniques. // techniques.Add(new ExecuteControlledDataAsCode()); techniques.Add(new ExecuteJITCode()); techniques.Add(new ExecuteROPPayload.StageViaVirtualAllocOrProtect()); techniques.Add(new ExecuteROPPayload.StageViaExecutableHeap()); techniques.Add(new ExecuteROPPayload.StageViaDisableNX()); techniques.Add(new ExecuteROPPayload.PureROP()); techniques.Add( new SimpleTechnique( new WriteToExecutePrimitive() ) ); // // Add the transitions to the simulation. // Simulation simulation = new Simulation(model); simulation.BeginAddTransition(); foreach (ExploitationTechnique technique in techniques) { technique.AddTransitionsToSimulation(simulation); } simulation.EndAddTransition(); return(simulation); }