From dd8acade05b0185771e1ea9950de03ab5445a981 Mon Sep 17 00:00:00 2001 From: albocoder Date: Wed, 1 Dec 2021 22:12:27 -0500 Subject: [PATCH 01/11] fixed pahole.py to support pahole version 1.21 --- aeg-analysis/aeg/commands/pahole.py | 57 ++++++++++++++++++++++++----- 1 file changed, 48 insertions(+), 9 deletions(-) diff --git a/aeg-analysis/aeg/commands/pahole.py b/aeg-analysis/aeg/commands/pahole.py index e234eaf5d..b564988b2 100644 --- a/aeg-analysis/aeg/commands/pahole.py +++ b/aeg-analysis/aeg/commands/pahole.py @@ -5,6 +5,15 @@ from aeg.command import Command +######################## Helper functions ######################## +DEBUG = False ### set this to True to see output from pdebug +def pdebug(*args, **kwargs): + if not DEBUG: + return + print( "[DEBUG] "+" ".join(map(str,args)), **kwargs) +def perror(*args, **kwargs): + raise Exception("[ERROR] "+" ".join(map(str,args)), **kwargs) +################################################################## class CommonStruct: def __init__(self, name, lines, pahole): @@ -22,12 +31,25 @@ def __init__(self, name, lines, pahole): offsetInfo = m.group(2).strip() cols = offsetInfo.split() if len(cols) == 2: - self._offset = int(cols[0]) - self._size = int(cols[1]) + try: + if cols[0].find(":") >= 0: + self._offset = int(cols[0][0:cols[0].find(":")]) + self._size = int(cols[1]) + else: + self._offset = int(cols[0]) + self._size = int(cols[1]) + except ValueError: + perror("[ERROR] Bad format in line: `"+line+"`") elif len(cols) == 1: self._size = int(cols[0]) + elif len(cols) == 3: + try: + self._offset = int(cols[0][0:cols[0].rfind(':')]) + self._size = int(cols[2]) + except: + perror("Bad format in line: `"+line+"`") else: - raise Exception("Error") + perror("[ERROR] Unknown format in line: `"+line+"`") def getOffsetInfo(self): return self._offset, self._size 
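Review bot: `perror` forwards `**kwargs` into `Exception(...)`, but `Exception` accepts no keyword arguments, so any caller that passes one gets a `TypeError` in place of the intended message; every call site in this patch passes only positional strings, so the pass-through should simply be dropped: `def perror(*args):` / `raise Exception("[ERROR] " + " ".join(map(str, args)))`. Raising the base `Exception` also forces callers to catch an equally broad class; a module-level `class PaholeParseError(Exception)` would let parse failures be told apart from unrelated errors. Each helper would benefit from a one-line docstring, e.g. `"""Print *args* prefixed with [DEBUG] when the module-level DEBUG flag is set."""`, and the `DEBUG` toggle deserves a comment that it must be edited in source rather than set at runtime.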
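Review bot: The three-column branch uses a bare `except:`, which also swallows `KeyboardInterrupt` and `SystemExit` and hides the original traceback, while the two-column branch narrows to `ValueError`; make the two consistent with `except ValueError:` in both. Both branches also pass a literal `[ERROR]` prefix to `perror`, which already prepends `[ERROR] ` itself, so the resulting message reads `[ERROR] [ERROR] Bad format ...`; drop the prefix from the call sites. A short comment above the `if cols[0].find(":") >= 0:` test naming the layout it handles (`/* off:bit size */` for bitfields, and the three-token `/* off: bit size */` form in the new `elif`) would make the branching intelligible to the next reader. The enclosing `__init__` starts outside the hunk.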
@@ -148,7 +170,16 @@ def __init__(self, line, pahole): self._size = 0 line = line.strip() + if DEBUG: + self._line = line m = re.search('(.+)/\*\s(.+)\s+\*/', line) + if m is None: + self._type = "Alignment" + self._name = line[0:line.find(" ")] + self._reference = None + pdebug("Encountered alignment declaration with line: `"+line+"`") + return + define = m.group(1).strip() offsetInfo = m.group(2).strip() cols = offsetInfo.split() @@ -161,10 +192,10 @@ def __init__(self, line, pahole): elif len(cols) == 1: self._size = int(cols[0]) else: - raise Exception("Error") + perror("Error") if '*' in define: self._isPointer = True - if '(' in define: + if define[define.find(" "):].strip().startswith("(*"): self._type = "Function" self._name = ' '.join(define.split()) self._isFunction = True @@ -384,8 +415,9 @@ def find(self, name): return None def analyzeSize(self): - complete = subprocess.run(["pahole", "-s", self._vmlinux], + complete = subprocess.run(["pahole", "-s", "--structs", self._vmlinux], stdout=subprocess.PIPE) + total_num_obj = 0 for line in complete.stdout.split(b'\n'): cols = line.split() if len(cols) != 3: @@ -396,9 +428,11 @@ def analyzeSize(self): if esize not in self._bins: self._bins[esize] = list() self._bins[esize].append((name, size)) + total_num_obj += 1 + pdebug("Found %d objects in size analysis!" % total_num_obj) def analyzeType(self): - complete = subprocess.run(["pahole", self._vmlinux], + complete = subprocess.run(["pahole", "--structs", self._vmlinux], stdout=subprocess.PIPE) start = False content = None 
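Review bot: In the new alignment branch, `line[0:line.find(" ")]` evaluates to `line[0:-1]` when the line contains no space, silently dropping the last character of the name instead of taking the whole token; `self._name = line.partition(" ")[0]` returns the first token, or the whole line when there is none. `self._line` is only assigned when `DEBUG` is true, so any later reader of that attribute raises `AttributeError` in normal runs; assign it unconditionally if it is part of the object's state. A comment above `if m is None:` stating that a line without a `/* off size */` comment is treated as an alignment declaration would explain why this branch returns early with `_reference = None`. The enclosing `__init__` starts and ends outside the hunk.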
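Review bot: `perror("Error")` in the `else` branch carries no context, unlike the other format errors introduced by this patch; `perror("Unknown format in line: `" + line + "`")` would make the failure diagnosable. The new function-pointer test `define[define.find(" "):]` degrades to `define[-1:]` when `define` has no space (`find` returns -1), so it inspects a single character that can never match `(*`; the result happens to be correct, but `define.partition(" ")[2].strip().startswith("(*")` states the intent without relying on that accident. The enclosing `__init__` continues outside the hunk.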
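Review bot: `subprocess.run([...], stdout=subprocess.PIPE)` still ignores the exit status, so a `pahole` that exits non-zero (presumably an older build that rejects the new `--structs` flag) yields an empty `stdout` and the analysis silently records zero objects; pass `check=True`, or test `complete.returncode` and route `complete.stderr` through `perror`. The same applies to the `analyzeType` invocation in the next hunk. Because `total_num_obj` is only reported through `pdebug`, an empty result is invisible unless `DEBUG` is set; raising, or at least printing, when the count is zero would surface the misconfiguration. `analyzeSize` starts outside the hunk.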
@@ -409,13 +443,18 @@ def analyzeType(self): content = [line] continue if start: - content.append(line) - if line.startswith('};'): + m = re.search("\}( ?__attribute__\((.+)\))?\;", line) + #if line.startswith('};'): + if m is not None and len(line) > 0: struct = Struct(content, self) self._structs[struct.getName()] = struct start = False if struct.isVariable(): self._special[struct.getName()] = struct + else: + if len(line) > 0: + content.append(line) + pdebug("Found %d objects in type analysis!" % len(self._structs)) def getOffsetInfo(self, className): complete = subprocess.run(["pahole", "-C", className, self._vmlinux], From 9a15da871fffdccce063c6585e0b07165d5b4dad Mon Sep 17 00:00:00 2001 From: albocoder Date: Sat, 14 Oct 2023 20:54:12 -0400 Subject: [PATCH 02/11] fixing debian 9.3 to work on ubuntu 18.04 with all packages archived --- aeg-analysis/requirements.txt | 2 +- .../guest-images/Linux/docker/Dockerfile.x86_64 | 12 ++++++++++-- setup.sh | 2 +- 3 files changed, 12 insertions(+), 4 deletions(-) diff --git a/aeg-analysis/requirements.txt b/aeg-analysis/requirements.txt index b77b2ee67..f21b1f18c 100644 --- a/aeg-analysis/requirements.txt +++ b/aeg-analysis/requirements.txt @@ -1,3 +1,3 @@ -angr +angr<=8.6.0 psutil pexpect diff --git a/s2e/source/guest-images/Linux/docker/Dockerfile.x86_64 b/s2e/source/guest-images/Linux/docker/Dockerfile.x86_64 index 784707812..dbd2f76fd 100644 --- a/s2e/source/guest-images/Linux/docker/Dockerfile.x86_64 +++ b/s2e/source/guest-images/Linux/docker/Dockerfile.x86_64 
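Review bot: The new end-of-struct test `re.search("\}( ?__attribute__\((.+)\))?\;", line)` is unanchored, whereas the `line.startswith('};')` it replaces only matched at column 0; if pahole emits nested anonymous unions or structs that end with an indented `};` (check against the 1.21 output this commit targets), the outer struct is now closed early and its remaining members are dropped. `re.match(r"\}( ?__attribute__\((.+)\))?;", line)` keeps the column-0 anchoring and, being a raw string, also removes the `\}` / `\(` / `\;` invalid escape sequences that Python reports as a `DeprecationWarning` (a `SyntaxWarning` from 3.12). The `len(line) > 0` guard on the match branch is redundant once `m is not None`, and the commented-out `#if line.startswith('};'):` line should be deleted rather than kept as dead code. `analyzeType` starts outside the hunk.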
@@ -26,15 +26,23 @@ FROM debian:9.3 MAINTAINER Vitaly Chipounov +RUN sed -i 's/deb.debian.org/archive.debian.org/g' /etc/apt/sources.list +RUN sed -i 's|security.debian.org|archive.debian.org/debian-security/|g' /etc/apt/sources.list +RUN sed -i '/stretch-updates/d' /etc/apt/sources.list + +#RUN deb http://archive.debian.org/debian/ stretch-updates main contrib non-free +#RUN deb http://archive.debian.org/debian-security/ stretch/updates main contrib non-free + + RUN \ - apt-get update && \ + apt-get update && \ DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ sudo apt-file texinfo flex bison patch python unzip git bc \ bzip2 wget less nano g++ gcc file libc6-dev make \ fakeroot build-essential devscripts libncurses5-dev \ libdw-dev elfutils gettext && \ apt-get clean && \ - apt-file update + apt-file update || true RUN \ diff --git a/setup.sh b/setup.sh index 5e7db01d5..677766a85 100755 --- a/setup.sh +++ b/setup.sh @@ -6,7 +6,7 @@ sudo apt-get install python3-dev libffi-dev build-essential virtualenvwrapper de source common.sh -virtualenv ${KOOBE} --python=$(which python3) +virtualenv ${KOOBE} --python=$(which python3.8) # install s2e-env /bin/bash -c "source ${VIRTUAL_ENV} && cd s2e/source/s2e-env && pip install ." echo "S2EDIR=\"${S2EDIR}\"" >> $VIRTUAL_ENV From 5571020d3155ab829f31383895304f81b140d3a3 Mon Sep 17 00:00:00 2001 From: albocoder Date: Sat, 14 Oct 2023 20:58:26 -0400 Subject: [PATCH 03/11] fix again --- aeg-analysis/requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/aeg-analysis/requirements.txt b/aeg-analysis/requirements.txt index f21b1f18c..efb4e94e0 100644 --- a/aeg-analysis/requirements.txt +++ b/aeg-analysis/requirements.txt @@ -1,3 +1,3 @@ -angr<=8.6.0 +angr<9.0 psutil pexpect From 10ef7cd3665d5c5e108102b96d37787196e24c3f Mon Sep 17 00:00:00 2001 
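Review bot: The `|| true` appended after `apt-file update` applies to the whole `&&` chain, because the shell evaluates `a && b && c || true` left to right with equal precedence, so a failed `apt-get update` or `apt-get install` now leaves this layer succeeding with nothing installed and the breakage only appears later in the build. Limit it to the one command that is allowed to fail: `apt-get clean && \` / `{ apt-file update || true; }`. Since the sources are rewritten to `archive.debian.org`, `apt-get update` may also reject the archived stretch `Release` files as expired unless `Acquire::Check-Valid-Until` is relaxed (verify on a clean build), which is exactly the failure the current form would hide. The two `#RUN deb http://...` lines are not valid instructions and should be removed rather than left as commented-out configuration.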
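Review bot: `--python=$(which python3.8)` expands to a bare `--python=` when `python3.8` is not on `PATH`, giving either an opaque `virtualenv` error or a silent fallback to the default interpreter rather than a clear failure; resolve it first, `PY=$(command -v python3.8) || { echo "python3.8 is required" >&2; exit 1; }` and then `virtualenv ${KOOBE} --python="$PY"`. A comment naming why 3.8 specifically is needed (presumably the `angr<9.0` pin in the sibling change) would save the next maintainer from re-deriving it.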
From: albocoder Date: Sat, 14 Oct 2023 21:02:40 -0400 Subject: [PATCH 04/11] change platform to distro --- s2e/source/s2e/scripts/determine_clang_binary_suffix.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/s2e/source/s2e/scripts/determine_clang_binary_suffix.py b/s2e/source/s2e/scripts/determine_clang_binary_suffix.py index 21d9bf139..a7645980f 100755 --- a/s2e/source/s2e/scripts/determine_clang_binary_suffix.py +++ b/s2e/source/s2e/scripts/determine_clang_binary_suffix.py @@ -29,7 +29,7 @@ no real use outside of this. """ -import platform +import distro as platform import sys From 98ee2eed31ea88e8e32065c85ee4f00b145a4b76 Mon Sep 17 00:00:00 2001 From: albocoder Date: Sat, 14 Oct 2023 21:09:29 -0400 Subject: [PATCH 05/11] fixed distro again lol --- s2e/source/s2e/scripts/determine_clang_binary_suffix.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/s2e/source/s2e/scripts/determine_clang_binary_suffix.py b/s2e/source/s2e/scripts/determine_clang_binary_suffix.py index a7645980f..90ba28127 100755 --- a/s2e/source/s2e/scripts/determine_clang_binary_suffix.py +++ b/s2e/source/s2e/scripts/determine_clang_binary_suffix.py @@ -29,7 +29,7 @@ no real use outside of this. """ -import distro as platform +import distro as dis import sys @@ -79,7 +79,7 @@ def _get_ubuntu_version(version_string): def main(): """The main function.""" - distro, version, _ = platform.linux_distribution() + [distro, version] = [dis.id(), dis.version()] clang_ver_to_download = None if distro.lower() == 'debian': From e79bdfbc5ab4710c8933ecbdaf377e97221e9cb3 Mon Sep 17 00:00:00 2001 From: albocoder Date: Sun, 15 Oct 2023 01:26:41 -0400 Subject: [PATCH 06/11] fixing systemtap git clone ssl verification error --- s2e/s2e_activate | 4 ++-- s2e/source/guest-images/Linux/docker/Dockerfile.x86_64 | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/s2e/s2e_activate b/s2e/s2e_activate index ace447bf7..57d72d44a 100644 --- a/s2e/s2e_activate 
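Review bot: `dis.id()` and `dis.version()` come from the third-party `distro` package, which none of the dependency files visible in this series declare (`aeg-analysis/requirements.txt` lists only `angr`, `psutil`, `pexpect`), so the script fails with `ModuleNotFoundError` on a clean environment unless it is installed elsewhere; add `distro` to whichever requirements file covers `s2e/scripts`. The alias `dis` shadows the standard-library `dis` module name, and the list form `[distro, version] = [dis.id(), dis.version()]` is unidiomatic; `import distro as distro_info` with `distro, version = distro_info.id(), distro_info.version()` avoids the clash while keeping the local variable name that the later `distro.lower()` check relies on. `main` continues outside the hunk.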
+++ b/s2e/s2e_activate @@ -27,7 +27,7 @@ s2e_deactivate() { # unset irrelvant variables s2e_deactivate nondestructive -S2EDIR="/home/wchen130/workplace/KOOBE/s2e" +S2EDIR="$HOME/KOOBE/s2e" export S2EDIR if [ -z "${S2E_ENV_DISABLE_PROMPT-}" ] ; then @@ -38,4 +38,4 @@ if [ -z "${S2E_ENV_DISABLE_PROMPT-}" ] ; then PS1="[S2E:`basename \"$S2EDIR\"`] $PS1" fi export PS1 -fi \ No newline at end of file +fi diff --git a/s2e/source/guest-images/Linux/docker/Dockerfile.x86_64 b/s2e/source/guest-images/Linux/docker/Dockerfile.x86_64 index dbd2f76fd..309394766 100644 --- a/s2e/source/guest-images/Linux/docker/Dockerfile.x86_64 +++ b/s2e/source/guest-images/Linux/docker/Dockerfile.x86_64 @@ -44,6 +44,7 @@ RUN apt-get clean && \ apt-file update || true +RUN git config --global http.sslVerify false RUN \ git clone git://sourceware.org/git/systemtap.git && \ From 3a245b976c1c03983cddb1073087200f985c9dc0 Mon Sep 17 00:00:00 2001 From: Erin Avllazagaj Date: Mon, 6 May 2024 19:57:14 -0400 Subject: [PATCH 07/11] Update build.sh Updated it so that the users can manually edit the debian repository to `archive.debian.org` to have a successful image build for `s2e` --- build.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.sh b/build.sh index 5430423d3..6648bfbf5 100755 --- a/build.sh +++ b/build.sh @@ -12,5 +12,5 @@ source common.sh # build kernel sudo chmod ugo+r /boot/vmlinu* -/bin/bash -c "source ${VIRTUAL_ENV} && cd ${S2EDIR} && s2e image_build debian-9.2.1-x86_64" +/bin/bash -c "source ${VIRTUAL_ENV} && cd ${S2EDIR} && s2e image_build debian-9.2.1-x86_64 --gui" From 443af618f355e66ee11ccdf0dfaa9b45d329d0c8 Mon Sep 17 00:00:00 2001 From: Erin Avllazagaj Date: Mon, 6 May 2024 19:59:29 -0400 Subject: [PATCH 08/11] Update README.md --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 350cbf1e3..e02107707 100644 --- a/README.md +++ b/README.md 
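Review bot: `S2EDIR="$HOME/KOOBE/s2e"` still hard-codes the checkout location, only relative to `$HOME` instead of one user's home, so any other clone path breaks the environment; since this file is sourced, deriving the value from its own location, `S2EDIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"`, works wherever the repository lives and removes the need for users to edit this line. If the fixed default must stay, a comment above it stating that it has to match the clone location would at least make the coupling visible.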
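Review bot: `RUN git config --global http.sslVerify false` disables TLS certificate verification for every HTTPS git operation performed in the image from this layer onward, not just the systemtap fetch, and the clone on the following line uses `git://`, which performs no certificate check at all, so the setting does not even affect that command (it may matter for an HTTPS URL later in the `RUN`, which is outside the hunk). The usual cause of this error on an old base image is a stale CA bundle; installing or refreshing `ca-certificates` in the package step above restores verification instead of removing it. If one host genuinely cannot be verified, scope the override to that single command, `git -c http.sslVerify=false clone <URL>`, and leave a comment naming the host and the reason.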
@@ -1,3 +1,7 @@ +# IMPORTANT MESSAGE TO REPRO THIS CODE + +You must make sure you use the Ubuntu 18.04.6 LTS but
**DO NOT DOWNLOAD UPDATES**
when you install the OS. Make sure you use [this](https://releases.ubuntu.com/18.04/ubuntu-18.04.6-desktop-amd64.iso) iso. + # KOOBE Towards Facilitating Exploit Generation of Kernel Out-Of-Bounds Write Vulnerabilities From f388e44150e8095a9656e9ad5be4cf46f19d20b9 Mon Sep 17 00:00:00 2001 From: Erin Avllazagaj Date: Mon, 6 May 2024 19:59:48 -0400 Subject: [PATCH 09/11] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index e02107707..c75fd562b 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # IMPORTANT MESSAGE TO REPRO THIS CODE -You must make sure you use the Ubuntu 18.04.6 LTS but
**DO NOT DOWNLOAD UPDATES**
when you install the OS. Make sure you use [this](https://releases.ubuntu.com/18.04/ubuntu-18.04.6-desktop-amd64.iso) iso. +You must make sure you use the Ubuntu 18.04.6 LTS but **DO NOT DOWNLOAD UPDATES** when you install the OS. Make sure you use [this](https://releases.ubuntu.com/18.04/ubuntu-18.04.6-desktop-amd64.iso) iso. # KOOBE Towards Facilitating Exploit Generation of Kernel Out-Of-Bounds Write Vulnerabilities From 653abfa74d0185f110dde7e29bd6046dcd943885 Mon Sep 17 00:00:00 2001 From: Erin Avllazagaj Date: Mon, 6 May 2024 20:01:44 -0400 Subject: [PATCH 10/11] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c75fd562b..8f6472fd9 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # IMPORTANT MESSAGE TO REPRO THIS CODE -You must make sure you use the Ubuntu 18.04.6 LTS but **DO NOT DOWNLOAD UPDATES** when you install the OS. Make sure you use [this](https://releases.ubuntu.com/18.04/ubuntu-18.04.6-desktop-amd64.iso) iso. +You must make sure you use the Ubuntu 18.04.6 LTS but **DO NOT DOWNLOAD UPDATES** when you install the OS. Make sure you use [this](https://releases.ubuntu.com/18.04/ubuntu-18.04.6-desktop-amd64.iso) iso. Make sure you are in your `$HOME` directory when cloning this repo or change `S2EDIR` in `./s2e/s2e_activate:30` accordingly. # KOOBE Towards Facilitating Exploit Generation of Kernel Out-Of-Bounds Write Vulnerabilities From 31cc32956f2638008237a8e26da10abc30386cc8 Mon Sep 17 00:00:00 2001 From: Erin Avllazagaj Date: Mon, 6 May 2024 20:07:30 -0400 Subject: [PATCH 11/11] fixing report.py sometimes I get the wrong hex address of the form `0fffff...h`. This is not `0xfff...` so it's clearly missing `x` and has `h` in the end. We can fix this by making it appropriate hex or just ignore. I'm ignoring it for now but it may come back to bite later... BEWARE --- aeg-analysis/aeg/report.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) 
diff --git a/aeg-analysis/aeg/report.py b/aeg-analysis/aeg/report.py index a4570648c..277b14bd2 100644 --- a/aeg-analysis/aeg/report.py +++ b/aeg-analysis/aeg/report.py @@ -130,8 +130,11 @@ def get_node(nodes, addr): continue funCall = sym.name target = inst.address - fun_addr = int(inst.op_str, 16) - sym = self._kernel.find_symbol(fun_addr, fuzzy=False) + try: + fun_addr = int(inst.op_str, 16) + except: + continue + sym = self._kernel.find_symbol(fun_addr, fuzzy=False) retType = self.getType(sym.name) self._funCall = sym.name break
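Review bot: The bare `except:` around `int(inst.op_str, 16)` also catches `KeyboardInterrupt`, `SystemExit` and any unrelated error, and it gives no indication which operand forms are being skipped; narrow it to `except ValueError:` and record the rejected `inst.op_str` so the `0fff…h` addresses described in the commit message can be counted rather than silently dropped. The following `sym = self._kernel.find_symbol(fun_addr, fuzzy=False)` may return `None` for an address with no symbol, in which case the subsequent `sym.name` raises `AttributeError`; if `find_symbol` can return `None` (it is defined outside this file, so verify), guard it with the same `continue`. The enclosing loop starts outside the hunk.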