/// <summary>
/// Creates a violation that describes one memory access, with a separate state for each
/// access parameter (base, source content, destination content, displacement, extent).
/// </summary>
/// <param name="method">Access method of the violation (read, write or execute).</param>
/// <param name="name">Optional display name; may be null.</param>
/// <param name="baseState">State of the base address.</param>
/// <param name="contentSrcState">State of the content at the source of the access.</param>
/// <param name="contentDstState">State of the content at the destination of the access.</param>
/// <param name="displacementState">State of the displacement applied to the base.</param>
/// <param name="extentState">State of the extent of the access.</param>
/// <remarks>
/// The supplied states are overridden for two methods: an execute violation always has
/// displacement and extent marked <c>Nonexistant</c> and uses absolute addressing, and a
/// read violation always has its destination content marked <c>Nonexistant</c>.
/// </remarks>
public Violation(
    MemoryAccessMethod method,
    string name = null,
    MemoryAccessParameterState baseState = MemoryAccessParameterState.Unknown,
    MemoryAccessParameterState contentSrcState = MemoryAccessParameterState.Unknown,
    MemoryAccessParameterState contentDstState = MemoryAccessParameterState.Unknown,
    MemoryAccessParameterState displacementState = MemoryAccessParameterState.Unknown,
    MemoryAccessParameterState extentState = MemoryAccessParameterState.Unknown)
{
    // Initialize() runs first, so every value passed in is applied after it.
    Initialize();

    Method = method;
    BaseState = baseState;
    ContentSrcState = contentSrcState;
    ContentDstState = contentDstState;
    DisplacementState = displacementState;
    ExtentState = extentState;
    Name = name;

    // Drop the parameters that have no meaning for the chosen access method,
    // regardless of what the caller passed.
    switch (Method)
    {
        case MemoryAccessMethod.Execute:
            DisplacementState = MemoryAccessParameterState.Nonexistant;
            ExtentState = MemoryAccessParameterState.Nonexistant;
            AddressingMode = MemoryAddressingMode.Absolute;
            break;

        case MemoryAccessMethod.Read:
            ContentDstState = MemoryAccessParameterState.Nonexistant;
            break;
    }

    // Each instance gets its own freshly generated identifier.
    this.Guid = Guid.NewGuid();
}
/// <summary>
/// Builds a new violation that follows from this one: it is linked back to this instance
/// and starts with this instance's access requirement, execution domain, locality and
/// function stack protection settings.
/// </summary>
/// <param name="method">Access method of the new violation.</param>
/// <param name="name">Optional display name of the new violation; may be null.</param>
/// <param name="baseState">State of the base address.</param>
/// <param name="contentSrcState">State of the content at the source of the access.</param>
/// <param name="contentDstState">State of the content at the destination of the access.</param>
/// <param name="displacementState">State of the displacement applied to the base.</param>
/// <param name="extentState">State of the extent of the access.</param>
/// <returns>The new violation, with <c>PreviousViolationObject</c> set to this instance.</returns>
public Violation NewTransitiveViolation(
    MemoryAccessMethod method,
    string name = null,
    MemoryAccessParameterState baseState = MemoryAccessParameterState.Unknown,
    MemoryAccessParameterState contentSrcState = MemoryAccessParameterState.Unknown,
    MemoryAccessParameterState contentDstState = MemoryAccessParameterState.Unknown,
    MemoryAccessParameterState displacementState = MemoryAccessParameterState.Unknown,
    MemoryAccessParameterState extentState = MemoryAccessParameterState.Unknown)
{
    return new Violation(method, name, baseState, contentSrcState, contentDstState, displacementState, extentState)
    {
        // Keep the chain: the new violation records which violation produced it.
        PreviousViolationObject = this,

        // Context that carries over unchanged from this violation.
        AccessRequirement = this.AccessRequirement,
        ExecutionDomain = this.ExecutionDomain,
        Locality = this.Locality,

        // By default the follow-on violation sees the same function stack
        // protection settings as the violation it came from.
        FunctionStackProtectionEnabled = this.FunctionStackProtectionEnabled,
        FunctionStackProtectionEntropyBits = this.FunctionStackProtectionEntropyBits,
        FunctionStackProtectionVersion = this.FunctionStackProtectionVersion
    };
}
/// <summary>
/// Creates an identity-type primitive that models the content at the destination of a
/// write violation being initialized, moving its destination content state to
/// <paramref name="newContentState"/>.
/// </summary>
/// <param name="name">Display name passed to the base primitive.</param>
/// <param name="destinationAddress">Address whose content is initialized; defaults to null.</param>
/// <param name="newContentState">Destination content state of the resulting violation.</param>
/// <param name="constraints">Optional extra constraint, appended after the built-in one.</param>
/// <param name="onSuccess">Optional handler added to <c>OnSuccess</c>.</param>
public InitializeDestinationContentPrimitive(
    string name = "initialize content at destination address of write",
    MemoryAddress destinationAddress = null,
    MemoryAccessParameterState newContentState = MemoryAccessParameterState.Controlled,
    Expression <Func <SimulationContext, bool> > constraints = null,
    PrimitiveTransitionSuccessDelegate onSuccess = null
    )
    : base(ExploitationPrimitiveType.Identity, "initialize_destination_content", name)
{
    this.DestinationAddress = destinationAddress;
    this.NewContentState = newContentState;

    // Built-in applicability constraint. All of the following must hold:
    //   - the global AssumeContentInitializationPossible setting is false
    //     (NOTE(review): presumably the simulation treats content as initializable
    //     without this explicit step when the setting is true; confirm),
    //   - the current violation is a write,
    //   - its destination content state is Uninitialized or Unknown,
    //   - its address matches DestinationAddress,
    //   - the context reports that memory at DestinationAddress can be corrupted.
    // AttackerFavorsEqual and CanCorruptMemoryAtAddress are defined elsewhere; their
    // exact comparison semantics (including for a null DestinationAddress) are not
    // visible here. The constraint is added alongside an Expression-typed argument
    // below, so it is presumably captured as an expression tree; keep its shape as written.
    this.ConstraintList.Add(
        (context) =>
            (
                (context.Global.AssumeContentInitializationPossible == false)
                &&
                (context.AttackerFavorsEqual(context.CurrentViolation.Method, MemoryAccessMethod.Write) == true)
                &&
                (
                    (context.AttackerFavorsEqual(context.CurrentViolation.ContentDstState, MemoryAccessParameterState.Uninitialized) == true)
                    ||
                    (context.AttackerFavorsEqual(context.CurrentViolation.ContentDstState, MemoryAccessParameterState.Unknown) == true)
                )
                &&
                (context.AttackerFavorsEqual(context.CurrentViolation.Address, this.DestinationAddress) == true)
                &&
                (context.CanCorruptMemoryAtAddress(this.DestinationAddress) == true)
            )
        );

    // The next violation is a clone of the current one with only the destination
    // content state and the address replaced.
    this.NextViolationDelegate = (context) =>
    {
        Violation v = context.CurrentViolation.CloneViolation();
        v.ContentDstState = this.NewContentState;
        v.Address = this.DestinationAddress;
        return(v);
    };

    this.OnSuccess += onSuccess;

    // Caller-supplied constraints are added in addition to the built-in one, never instead of it.
    if (constraints != null)
    {
        this.ConstraintList.Add(constraints);
    }
}
/// <summary>
/// Returns the one-character abbreviation used for a parameter state.
/// </summary>
/// <param name="state">State to abbreviate.</param>
/// <returns>
/// "c" for Controlled, "f" for Fixed, "u" for Uninitialized and "?" for everything else.
/// </returns>
/// <remarks>
/// Only Controlled, Fixed and Uninitialized have their own letter. Any other value,
/// including <c>Nonexistant</c>, is rendered as "?" and therefore cannot be told apart
/// from Unknown in abbreviated output.
/// </remarks>
public static string GetAbbreviation(this MemoryAccessParameterState state)
{
    if (state == MemoryAccessParameterState.Controlled)
    {
        return "c";
    }

    if (state == MemoryAccessParameterState.Fixed)
    {
        return "f";
    }

    if (state == MemoryAccessParameterState.Uninitialized)
    {
        return "u";
    }

    // Unknown and every value without a dedicated letter share the same marker.
    return "?";
}
/// <summary>
/// Returns the lower-case display name of a parameter state.
/// </summary>
/// <param name="state">State to name.</param>
/// <returns>
/// "controlled", "fixed" or "uninitialized" for the matching state, otherwise "unknown".
/// </returns>
/// <remarks>
/// Values without an explicit case, including <c>Nonexistant</c>, are reported as
/// "unknown", so the returned name does not distinguish them from Unknown.
/// </remarks>
public static string GetName(this MemoryAccessParameterState state)
{
    string label;

    switch (state)
    {
        case MemoryAccessParameterState.Controlled:
            label = "controlled";
            break;

        case MemoryAccessParameterState.Fixed:
            label = "fixed";
            break;

        case MemoryAccessParameterState.Uninitialized:
            label = "uninitialized";
            break;

        // Unknown and any value not listed above share one label.
        case MemoryAccessParameterState.Unknown:
        default:
            label = "unknown";
            break;
    }

    return label;
}
/// <summary>
/// Sets the state of each listed parameter of this violation to the source content state
/// of another violation, then updates the addressing mode accordingly.
/// </summary>
/// <param name="from">Violation whose <c>ContentSrcState</c> is copied.</param>
/// <param name="parameters">Parameters of this violation that receive that state.</param>
/// <exception cref="NotSupportedException">
/// A listed parameter is not Base, Content, Displacement or Extent. Parameters earlier in
/// the list have already been updated when this is thrown, and the addressing mode is left
/// unchanged.
/// </exception>
/// <remarks>
/// Addressing becomes absolute when the base is among the inherited parameters or when this
/// violation is an execute; in every other case, including an empty list, it becomes relative.
/// </remarks>
public void InheritParameterStateFromContent(Violation from, params MemoryAccessParameter[] parameters)
{
    bool inheritsBase = false;

    foreach (MemoryAccessParameter target in parameters)
    {
        if (target == MemoryAccessParameter.Base)
        {
            BaseState = from.ContentSrcState;
            inheritsBase = true;
        }
        else if (target == MemoryAccessParameter.Content)
        {
            ContentSrcState = from.ContentSrcState;
        }
        else if (target == MemoryAccessParameter.Displacement)
        {
            DisplacementState = from.ContentSrcState;
        }
        else if (target == MemoryAccessParameter.Extent)
        {
            ExtentState = from.ContentSrcState;
        }
        else
        {
            throw new NotSupportedException();
        }
    }

    // A base taken from content, or an execute violation, means the target address
    // is used as-is rather than relative to an existing base.
    AddressingMode = (inheritsBase || Method == MemoryAccessMethod.Execute)
        ? MemoryAddressingMode.Absolute
        : MemoryAddressingMode.Relative;
}
/// <summary>
/// Sets the state of a single access parameter of this violation.
/// </summary>
/// <param name="parameter">Parameter to update; Content maps to <c>ContentSrcState</c>.</param>
/// <param name="state">New state for that parameter.</param>
/// <remarks>
/// A parameter other than Base, Content, Displacement or Extent is silently ignored.
/// InheritParameterStateFromContent throws <c>NotSupportedException</c> in the same
/// situation, so callers cannot rely on this method to reject an unexpected value.
/// </remarks>
public void SetParameterState(MemoryAccessParameter parameter, MemoryAccessParameterState state)
{
    if (parameter == MemoryAccessParameter.Base)
    {
        BaseState = state;
    }
    else if (parameter == MemoryAccessParameter.Content)
    {
        ContentSrcState = state;
    }
    else if (parameter == MemoryAccessParameter.Displacement)
    {
        DisplacementState = state;
    }
    else if (parameter == MemoryAccessParameter.Extent)
    {
        ExtentState = state;
    }
    // Any other parameter: no change.
}
/// <summary>
/// Creates a violation whose default parameter state is
/// <paramref name="defaultParameterState"/>.
/// </summary>
/// <param name="defaultParameterState">Value stored in <c>DefaultParameterState</c>.</param>
public Violation(MemoryAccessParameterState defaultParameterState)
{
    // Assigned before Initialize() is called; presumably Initialize() reads it to seed
    // the individual parameter states (confirm against Initialize()).
    DefaultParameterState = defaultParameterState;

    Initialize();
}