Sanitizers

class tritondse.sanitizers.FormatStringSanitizer

Bases: ProbeInterface

Format String Sanitizer. This probe hooks standard libc functions such as ‘printf’, ‘fprintf’, ‘sprintf’, ‘dprintf’ and ‘snprintf’ and, when one of them is called, checks the format string argument. If the format string is symbolic it is user controlled: a warning is shown but execution is not interrupted. The sanitizer then uses SMT solving to try to generate a format string containing many ‘%s’ specifiers. If the query is satisfiable a new input is generated and added to the inputs to process; that subsequent input might lead to a crash.

property callbacks: List[Tuple[CbType, Callable, Any | None]]
static check(se, pstate, fmt_ptr, extra_data: Tuple[str, tritondse.types.Addr] = None)

Checks that the format string at fmt_ptr does not contain symbolic bytes. If it does, shows an alert and tries to generate new inputs with as many ‘%s’ as possible.

Returns:

True if the bug is present

class tritondse.sanitizers.IntegerOverflowSanitizer

Bases: ProbeInterface

Integer Overflow Sanitizer. This probe checks on every instruction that the overflow flag is not set. If it is set, the input is marked as a crashing input. If it is not set but its value is symbolic, the probe tries via SMT solving to make it set (and thus to trigger an overflow). If that is possible, a new input is generated to be executed.

property callbacks: List[Tuple[CbType, Callable, Any | None]]
static check(se: SymbolicExecutor, pstate: ProcessState, instruction: Instruction) -> bool

The entry point of the sanitizer. This function checks whether a bug is present.

Returns:

True if the bug is present

class tritondse.sanitizers.NullDerefSanitizer

Bases: ProbeInterface

Null Dereference Sanitizer. Simply checks if any memory read or write is performed at address 0. If so an error is raised.

property callbacks: List[Tuple[CbType, Callable, Any | None]]
static check(se: SymbolicExecutor, pstate: ProcessState, ptr: tritondse.types.Addr, description: str = None) -> bool

Checks that the given ptr is not 0.

Returns:

True if the bug is present

class tritondse.sanitizers.UAFSanitizer

Bases: ProbeInterface

Use-After-Free Sanitizer. It is able to detect UaF and double-free. It works by hooking all memory reads and writes: if an access points into a heap area that has already been freed, a Use-After-Free is detected. It also hooks the free routine to detect double-free.

property callbacks: List[Tuple[CbType, Callable, Any | None]]
static check(se: SymbolicExecutor, pstate: ProcessState, ptr: tritondse.types.Addr, description: str = None) -> bool

Checks whether the given ptr is symptomatic of a Use-After-Free by querying various methods of tritondse.heap_allocator.HeapAllocator.

Returns:

True if the bug is present
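The logic behind NullDerefSanitizer and UAFSanitizer (classify each memory access against a model of live and freed heap chunks, and flag a second free of the same chunk) as an added, self-contained example. This is not tritondse's code and does not use its API: ShadowHeap is a hypothetical stand-in for the HeapAllocator the real probe queries, and the trace is constructed.

```python
from typing import Dict, List, Optional, Tuple


class ShadowHeap:
    """Hypothetical heap model: bump allocator that records live and freed chunks as base -> size."""

    def __init__(self, base: int = 0x10000) -> None:
        self.next_addr = base
        self.live: Dict[int, int] = {}
        self.freed: Dict[int, int] = {}

    def alloc(self, size: int) -> int:
        addr = self.next_addr
        self.next_addr += max(16, (size + 15) & ~15)  # addresses are never reused
        self.live[addr] = size
        return addr

    def free(self, ptr: int) -> Optional[str]:
        """Return a finding if this free() call is itself a bug, else None."""
        if ptr == 0:
            return None  # free(NULL) is legal
        if ptr in self.freed:
            return "double-free"
        if ptr not in self.live:
            return "invalid-free"
        self.freed[ptr] = self.live.pop(ptr)
        return None

    def check_access(self, ptr: int) -> Optional[str]:
        """Classify a read or write at ptr, as the null-deref / UAF probes would."""
        if ptr == 0:
            return "null-deref"
        if any(b <= ptr < b + n for b, n in self.freed.items()):
            return "use-after-free"
        return None


def run_trace(events: List[tuple]) -> List[Tuple[int, str, str]]:
    """Replay (op, name[, arg]) events; return (index, op, finding) for each detection."""
    heap, regs, findings = ShadowHeap(), {"NULL": 0}, []
    for i, ev in enumerate(events):
        op, name = ev[0], ev[1]
        if op == "alloc":
            regs[name] = heap.alloc(ev[2])
            hit = None
        elif op == "free":
            hit = heap.free(regs[name])
        else:  # "read" / "write" at regs[name] + offset
            hit = heap.check_access(regs[name] + ev[2])
        if hit:
            findings.append((i, op, hit))
    return findings


# Constructed trace: a valid write, a read after free, a double free, then a write through NULL.
TRACE = [("alloc", "p", 32), ("write", "p", 8), ("free", "p"),
         ("read", "p", 4), ("free", "p"), ("write", "NULL", 0)]
```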