fixed pahole.py to support pahole version 1.21

README.md

@@ -1,3 +1,7 @@
+# IMPORTANT MESSAGE TO REPRO THIS CODE
+
+You must make sure you use the Ubuntu 18.04.6 LTS but **DO NOT DOWNLOAD UPDATES** when you install the OS. Make sure you use [this](https://releases.ubuntu.com/18.04/ubuntu-18.04.6-desktop-amd64.iso) iso. Make sure you are in your `$HOME` directory when cloning this repo or change `S2EDIR` in `./s2e/s2e_activate:30` accordingly.
+
 # KOOBE
 Towards Facilitating Exploit Generation of Kernel Out-Of-Bounds Write Vulnerabilities
 

aeg-analysis/aeg/commands/pahole.py

@@ -5,6 +5,15 @@
 
 from aeg.command import Command
 
+######################## Helper functions ########################
+DEBUG = False ### set this to True to see output from pdebug
+def pdebug(*args, **kwargs):
+    if not DEBUG:
+        return
+    print( "[DEBUG] "+" ".join(map(str,args)), **kwargs)
+def perror(*args, **kwargs):
+    raise Exception("[ERROR] "+" ".join(map(str,args)), **kwargs)
+##################################################################
 
 class CommonStruct:
     def __init__(self, name, lines, pahole):
@@ -22,12 +31,25 @@ def __init__(self, name, lines, pahole):
         offsetInfo = m.group(2).strip()
         cols = offsetInfo.split()
         if len(cols) == 2:
-            self._offset = int(cols[0])
-            self._size = int(cols[1])
+            try:
+                if cols[0].find(":") >= 0:
+                    self._offset = int(cols[0][0:cols[0].find(":")])
+                    self._size = int(cols[1])
+                else:
+                    self._offset = int(cols[0])
+                    self._size = int(cols[1])
+            except ValueError:
+                perror("[ERROR] Bad format in line: `"+line+"`")
         elif len(cols) == 1:
             self._size = int(cols[0])
+        elif len(cols) == 3:
+            try:
+                self._offset = int(cols[0][0:cols[0].rfind(':')])
+                self._size = int(cols[2])
+            except:
+                perror("Bad format in line: `"+line+"`")
         else:
-            raise Exception("Error")
+            perror("[ERROR] Unknown format in line: `"+line+"`")
 
     def getOffsetInfo(self):
         return self._offset, self._size
@@ -148,7 +170,16 @@ def __init__(self, line, pahole):
         self._size = 0
 
         line = line.strip()
+        if DEBUG:
+            self._line = line
         m = re.search('(.+)/\*\s(.+)\s+\*/', line)
+        if m is None:
+            self._type = "Alignment"
+            self._name = line[0:line.find(" ")]
+            self._reference = None
+            pdebug("Encountered alignment declaration with line: `"+line+"`")
+            return
+
         define = m.group(1).strip()
         offsetInfo = m.group(2).strip()
         cols = offsetInfo.split()
@@ -161,10 +192,10 @@ def __init__(self, line, pahole):
             elif len(cols) == 1:
                 self._size = int(cols[0])
             else:
-                raise Exception("Error")
+                perror("Error")
         if '*' in define:
             self._isPointer = True
-        if '(' in define:
+        if define[define.find(" "):].strip().startswith("(*"):
             self._type = "Function"
             self._name = ' '.join(define.split())
             self._isFunction = True
@@ -384,8 +415,9 @@ def find(self, name):
         return None
 
     def analyzeSize(self):
-        complete = subprocess.run(["pahole", "-s", self._vmlinux],
+        complete = subprocess.run(["pahole", "-s", "--structs", self._vmlinux],
                                   stdout=subprocess.PIPE)
+        total_num_obj = 0
         for line in complete.stdout.split(b'\n'):
             cols = line.split()
             if len(cols) != 3:
@@ -396,9 +428,11 @@ def analyzeSize(self):
             if esize not in self._bins:
                 self._bins[esize] = list()
             self._bins[esize].append((name, size))
+            total_num_obj += 1
+        pdebug("Found %d objects in size analysis!" % total_num_obj)
 
     def analyzeType(self):
-        complete = subprocess.run(["pahole", self._vmlinux],
+        complete = subprocess.run(["pahole", "--structs", self._vmlinux],
                                   stdout=subprocess.PIPE)
         start = False
         content = None
@@ -409,13 +443,18 @@ def analyzeType(self):
                 content = [line]
                 continue
             if start:
-                content.append(line)
-                if line.startswith('};'):
+                m = re.search("\}( ?__attribute__\((.+)\))?\;", line)
+                #if line.startswith('};'):
+                if m is not None and len(line) > 0:
                     struct = Struct(content, self)
                     self._structs[struct.getName()] = struct
                     start = False
                     if struct.isVariable():
                         self._special[struct.getName()] = struct
+                else:
+                    if len(line) > 0:
+                        content.append(line)
+        pdebug("Found %d objects in type analysis!" % len(self._structs))
 
     def getOffsetInfo(self, className):
         complete = subprocess.run(["pahole", "-C", className, self._vmlinux],

aeg-analysis/aeg/report.py

@@ -130,8 +130,11 @@ def get_node(nodes, addr):
                         continue
                     funCall = sym.name
                     target = inst.address
-                    fun_addr = int(inst.op_str, 16)
-                    sym = self._kernel.find_symbol(fun_addr, fuzzy=False)
+                    try:
+						fun_addr = int(inst.op_str, 16)
+                    except:
+						continue
+					sym = self._kernel.find_symbol(fun_addr, fuzzy=False)
                     retType = self.getType(sym.name)
                     self._funCall = sym.name
                     break

aeg-analysis/requirements.txt

@@ -1,3 +1,3 @@
-angr
+angr<9.0
 psutil
 pexpect

build.sh

@@ -12,5 +12,5 @@ source common.sh
 
 # build kernel
 sudo chmod ugo+r /boot/vmlinu*
-/bin/bash -c "source ${VIRTUAL_ENV} && cd ${S2EDIR} && s2e image_build debian-9.2.1-x86_64"
+/bin/bash -c "source ${VIRTUAL_ENV} && cd ${S2EDIR} && s2e image_build debian-9.2.1-x86_64 --gui"
 

s2e/s2e_activate

@@ -27,7 +27,7 @@ s2e_deactivate() {
 # unset irrelvant variables
 s2e_deactivate nondestructive
 
-S2EDIR="/home/wchen130/workplace/KOOBE/s2e"
+S2EDIR="$HOME/KOOBE/s2e"
 export S2EDIR
 
 if [ -z "${S2E_ENV_DISABLE_PROMPT-}" ] ; then
@@ -38,4 +38,4 @@ if [ -z "${S2E_ENV_DISABLE_PROMPT-}" ] ; then
         PS1="[S2E:`basename \"$S2EDIR\"`] $PS1"
     fi
     export PS1
-fi
+fi

s2e/source/guest-images/Linux/docker/Dockerfile.x86_64

@@ -26,16 +26,25 @@ FROM debian:9.3
 
 MAINTAINER Vitaly Chipounov <vitaly@cyberhaven.io>
 
+RUN sed -i 's/deb.debian.org/archive.debian.org/g' /etc/apt/sources.list
+RUN sed -i 's|security.debian.org|archive.debian.org/debian-security/|g' /etc/apt/sources.list
+RUN sed -i '/stretch-updates/d' /etc/apt/sources.list
+
+#RUN deb http://archive.debian.org/debian/ stretch-updates main contrib non-free
+#RUN deb http://archive.debian.org/debian-security/ stretch/updates main contrib non-free
+
+
 RUN                                                                             \
-    apt-get update &&                                                           \
+    apt-get update  &&                                                          \
     DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends   \
     sudo apt-file texinfo flex bison patch python unzip git bc                  \
     bzip2 wget less nano g++ gcc file libc6-dev make                            \
     fakeroot build-essential devscripts libncurses5-dev                         \
     libdw-dev elfutils gettext && \
     apt-get clean && \
-    apt-file update
+    apt-file update || true
 
+RUN git config --global http.sslVerify false
 
 RUN \
     git clone git://sourceware.org/git/systemtap.git && \

s2e/source/s2e/scripts/determine_clang_binary_suffix.py

@@ -29,7 +29,7 @@
 no real use outside of this.
 """
 
-import platform
+import distro as dis
 import sys
 
 
@@ -79,7 +79,7 @@ def _get_ubuntu_version(version_string):
 
 def main():
     """The main function."""
-    distro, version, _ = platform.linux_distribution()
+    [distro, version] = [dis.id(), dis.version()]
 
     clang_ver_to_download = None
     if distro.lower() == 'debian':

setup.sh

@@ -6,7 +6,7 @@ sudo apt-get install python3-dev libffi-dev build-essential virtualenvwrapper de
 
 source common.sh
 
-virtualenv ${KOOBE} --python=$(which python3)
+virtualenv ${KOOBE} --python=$(which python3.8)
 # install s2e-env
 /bin/bash -c "source ${VIRTUAL_ENV} && cd s2e/source/s2e-env && pip install ."
 echo "S2EDIR=\"${S2EDIR}\"" >> $VIRTUAL_ENV