Sanitizers

class tritondse.sanitizers.FormatStringSanitizer

Bases: ProbeInterface

Format String Sanitizer. This probes hooks standard libc functions like ‘printf’, ‘fprintf’, ‘sprintf’, ‘dprintf’, ‘snprintf’ and if one of them is triggered it checks the format string. If the format string is symbolic then it is user controlled. A warning is shown but the execution not interrupted. However the sanitizer tries through SMT to generate format strings with many ‘%s’. If satisfiable a new input is generated which will then be added to inputs to process. That subsequent input might lead to a crash.

property callbacks: List[Tuple[CbType, Callable, Any | None]]

static check(se, pstate, fmt_ptr, extra_data: Tuple[str, tritondse.types.Addr] = None)

Checks that the format string at fmt_ptr does not contain symbolic bytes. If so shows an alert and tries to generate new inputs with as many ‘%s’ as possible.

Parameters:

• se (SymbolicExecutor) – symbolic executor

• pstate (ProcessState) – process state

• fmt_ptr (tritondse.types.Addr) – pointer address to check

• extra_data (Tuple[str, tritondse.types.Addr]) – additionnal infos given by the callbacks on routines (indicating function address)

Returns:

True if the bug is present

class tritondse.sanitizers.IntegerOverflowSanitizer

Bases: ProbeInterface

Integer Overflow Sanitizer. This probe checks on every instructions that the overflow flag is not set. If so mark the input as a crashing input. If not, but the value is symbolic, via SMT solving to make it to be set (and thus to overflow). If possible generates a new input to be executed.

property callbacks: List[Tuple[CbType, Callable, Any | None]]

static check(se: SymbolicExecutor, pstate: ProcessState, instruction: Instruction) → bool

The entry point of the sanitizer. This function check if a bug is present

Parameters:

• se (SymbolicExecutor) – symbolic executor

• pstate (ProcessState) – process state

• instruction (Instruction) – Instruction that has just been executed

Returns:

True if the bug is present

class tritondse.sanitizers.NullDerefSanitizer

Bases: ProbeInterface

Null Dereference Sanitizer. Simply checks if any memory read or write is performed at address 0. If so an error is raised.

property callbacks: List[Tuple[CbType, Callable, Any | None]]

static check(se: SymbolicExecutor, pstate: ProcessState, ptr: tritondse.types.Addr, description: str = None) → bool

Checks that the ptr given is basically not 0.

Parameters:

• se (SymbolicExecutor) – symbolic executor

• pstate (ProcessState) – process state

• ptr (tritondse.types.Addr) – pointer address to check

• description – description string printed in logger if an issue is detected

Returns:

True if the bug is present

class tritondse.sanitizers.UAFSanitizer

Bases: ProbeInterface

Use-After-Free Sanitizer. It is able to detect UaF and double-free. It works by hooking all memory read/write if it points to the heap in a freed area then the Use-After-Free is detected. It also hooks the free routine to detect double-free.

property callbacks: List[Tuple[CbType, Callable, Any | None]]

static check(se: SymbolicExecutor, pstate: ProcessState, ptr: tritondse.types.Addr, description: str = None) → bool

Checks whether the given ptr is symptomatic of a Use-After-Free by querying various methods of tritondse.heap_allocator.HeapAllocator.

Parameters:

• se (SymbolicExecutor) – symbolic executor

• pstate (ProcessState) – process state

• ptr (tritondse.types.Addr) – pointer address to check

• description – description string printed in logger if an issue is detected

Returns:

True if the bug is present