public ReadToWritePrimitive(
MemoryAccessParameter controlledParameter,
MemoryAddress controlledAddress,
Expression <Func <SimulationContext, bool> > constraints = null,
GetNextViolationDelegate nextViolation = null,
PrimitiveTransitionSuccessDelegate onSuccess = null
)
: base(
ExploitationPrimitiveType.ReadToWrite,
name: String.Format("read content from '{0}' that is used as '{1}' of write", controlledAddress, controlledParameter),
readAddress: controlledAddress
)
{
this.ControlledParameter = controlledParameter;
this.ControlledAddress = controlledAddress;
this.NextViolationDelegate = (context) =>
{
Violation v = context.CurrentViolation.NewTransitiveViolation(
MemoryAccessMethod.Write,
String.Format("write via content derived from '{0}'", controlledAddress)
);
InheritParameterState(context.CurrentViolation, v);
context.AttackerFavorsAssumeTrue(AssumptionName.CanTriggerMemoryWrite);
return(v);
};
Update(constraints, nextViolation, onSuccess);
}
public CodeExecutionPrimitive(
string name = "execute code",
MemoryAddress codeExecutionAddress = null,
Expression <Func <SimulationContext, bool> > constraints = null,
GetNextViolationDelegate nextViolation = null,
PrimitiveTransitionSuccessDelegate onSuccess = null
)
: base(ExploitationPrimitiveType.ExecuteToExecute, "code_execution", name)
{
this.CodeExecutionAddress = codeExecutionAddress;
this.ConstraintList.Add(
(context) =>
(
(context.AttackerFavorsEqual(context.CurrentViolation.Method, MemoryAccessMethod.Execute) == true)
&&
(context.AttackerFavorsEqual(context.CurrentViolation.Address, this.CodeExecutionAddress) == true)
&&
(context.CanFindAddress(this.CodeExecutionAddress) == true)
&&
(context.CanExecuteMemoryAtAddress(this.CodeExecutionAddress) == true)
)
);
Update(constraints, nextViolation, onSuccess);
}
public InitializeDestinationContentPrimitive(
string name = "initialize content at destination address of write",
MemoryAddress destinationAddress = null,
MemoryAccessParameterState newContentState = MemoryAccessParameterState.Controlled,
Expression <Func <SimulationContext, bool> > constraints = null,
PrimitiveTransitionSuccessDelegate onSuccess = null
)
: base(ExploitationPrimitiveType.Identity, "initialize_destination_content", name)
{
this.DestinationAddress = destinationAddress;
this.NewContentState = newContentState;
this.ConstraintList.Add(
(context) =>
(
(context.Global.AssumeContentInitializationPossible == false)
&&
(context.AttackerFavorsEqual(context.CurrentViolation.Method, MemoryAccessMethod.Write) == true)
&&
(
(context.AttackerFavorsEqual(context.CurrentViolation.ContentDstState, MemoryAccessParameterState.Uninitialized) == true)
||
(context.AttackerFavorsEqual(context.CurrentViolation.ContentDstState, MemoryAccessParameterState.Unknown) == true)
)
&&
(context.AttackerFavorsEqual(context.CurrentViolation.Address, this.DestinationAddress) == true)
&&
(context.CanCorruptMemoryAtAddress(this.DestinationAddress) == true)
)
);
this.NextViolationDelegate = (context) =>
{
Violation v = context.CurrentViolation.CloneViolation();
v.ContentDstState = this.NewContentState;
v.Address = this.DestinationAddress;
return(v);
};
this.OnSuccess += onSuccess;
if (constraints != null)
{
this.ConstraintList.Add(constraints);
}
}
public ReadToExecutePrimitive(
MemoryAddress controlTransferPointerAddress = null,
ControlTransferMethod?controlTransferMethod = null,
string name = null,
Expression <Func <SimulationContext, bool> > constraints = null,
GetNextViolationDelegate nextViolation = null,
PrimitiveTransitionSuccessDelegate onSuccess = null
)
: base(
ExploitationPrimitiveType.ReadToExecute,
(name != null) ? name : "read content that is used as base of execute",
controlTransferPointerAddress
)
{
this.ControlTransferMethod = controlTransferMethod;
this.NextViolationDelegate = (context) =>
{
Violation v = context.CurrentViolation.NewTransitiveViolation(
MemoryAccessMethod.Execute,
"execute with controlled base",
baseState: context.CurrentViolation.ContentSrcState,
contentSrcState: MemoryAccessParameterState.Unknown,
contentDstState: MemoryAccessParameterState.Nonexistant,
displacementState: MemoryAccessParameterState.Nonexistant,
extentState: MemoryAccessParameterState.Nonexistant
);
v.InheritParameterStateFromContent(context.CurrentViolation);
context.AttackerFavorsAssumeTrue(AssumptionName.CanTriggerMemoryExecute);
return(v);
};
this.ConstraintList.Add(
(context) =>
(
// base verifies that read address is equal to pointer address.
//
// The current violation must be a read violation that leads to this type
// of control transfer. No constraints are placed on being able to find
// desired code here, as this simply describes the constraints of going
// from a read to an execute.
//
(context.AttackerFavorsEqual(context.CurrentViolation.ControlTransferMethod, controlTransferMethod))
)
);
Update(constraints, nextViolation, onSuccess);
}
public ReadPrimitive(
ExploitationPrimitiveType primitiveType,
string name,
MemoryAddress readAddress = null,
Expression <Func <SimulationContext, bool> > constraints = null,
GetNextViolationDelegate nextViolation = null,
PrimitiveTransitionSuccessDelegate onSuccess = null
)
: base(primitiveType, "read", name)
{
this.ReadAddress = readAddress;
this.ConstraintList.Add(
(context) =>
(
//
// This must be a memory read, from a source address whose state is initialized and equal
// to the specified read address, and whose content can actually be read.
//
(context.CurrentViolation.Method == MemoryAccessMethod.Read)
&&
(
(context.Global.AssumeContentInitializationPossible == true)
||
(this.ReadAddress.IsImplicitlyInitialized)
||
(context.CurrentViolation.ContentSrcState == MemoryAccessParameterState.Controlled)
||
(context.CurrentViolation.ContentSrcState == MemoryAccessParameterState.Fixed)
)
&&
(context.AttackerFavorsEqual(context.CurrentViolation.Address, this.ReadAddress) == true)
&&
(context.CanReadMemoryAtAddress(this.ReadAddress) == true)
)
);
Update(constraints, nextViolation, onSuccess);
}
protected void Update(
Expression <Func <SimulationContext, bool> > constraints = null,
GetNextViolationDelegate nextViolation = null,
PrimitiveTransitionSuccessDelegate onSuccess = null)
{
if (constraints != null)
{
this.ConstraintList.Add(constraints);
}
if (nextViolation != null)
{
this.NextViolationDelegate = nextViolation;
}
if (onSuccess != null)
{
this.OnSuccess += onSuccess;
}
}
public WriteToReadPrimitive(
MemoryAccessParameter corruptedParameter,
MemoryAddress writeAddress,
string name = null,
Expression <Func <SimulationContext, bool> > constraints = null,
GetNextViolationDelegate nextViolation = null,
PrimitiveTransitionSuccessDelegate onSuccess = null
)
: base(
ExploitationPrimitiveType.WriteToRead,
(name != null) ? name : String.Format("write content to '{0}' that is used as '{1}' of read", writeAddress, corruptedParameter),
writeAddress
)
{
this.CorruptedParameter = corruptedParameter;
this.NextViolationDelegate = (context) =>
{
Violation v = context.CurrentViolation.NewTransitiveViolation(
MemoryAccessMethod.Read,
String.Format("read using content derived from '{0}'", this.WriteAddress)
);
InheritParameterState(context.CurrentViolation, v);
v.Address = this.WriteAddress;
return(v);
};
this.OnSuccess += (SimulationContext context, ref Violation v) =>
{
context.AttackerFavorsAssumeTrue(AssumptionName.CanTriggerMemoryRead);
};
Update(constraints, nextViolation, onSuccess);
}
