Sanitizers & Probes

Probe mechanism

TritonDSE introduces a probe mechanism. A probe is a class exposing a set of callbacks to register on a given exploration or execution. That enables writing more complex checkers that can be easily registered on a callback manager.

A probe as the following interface:

class ProbeInterface(object):
    """ The Probe interface """
    def __init__(self):
        self._cbs: List[Tuple[CbType, Callable, Optional[str]]] = []

    @property
    def callbacks(self) -> List[Tuple[CbType, Callable, Optional[str]]]:
        return self._cbs

    def _add_callback(self, typ: CbType, callback: Callable, arg: str = None):
        """ Add a callback """
        self._cbs.append((typ, callback, arg))

So to write its own probe one, just have to call _add_callback with its own hooks (usually some other methods). They will automatically be picked by the callback manager and registered.

Using built-in sanitizers

TritonDSE provides few simple sanitizers developped as probes. These sanitizers are the following:

  • UAFSanitizer: checks for UaF using the simple built-in allocator (in ProcessState)

  • NullDerefSanitizer: checks that no read or write in memory is performed at address 0

  • FormatStringSanitizer: hooks various libc functions and checks that format string are not controlled

The registration of a probe can be done as follows:

[2]:

from tritondse import SymbolicExecutor, Config, Seed, Program, ProcessState, SymbolicExplorator, CoverageStrategy
from tritondse.sanitizers import NullDerefSanitizer

dse = SymbolicExplorator(Config(), Program("crackme_xor"))

dse.callback_manager.register_probe(NullDerefSanitizer())

The probe will now be enabled for all executions.

Writing a sanitizer

For the purpose of this tutorial, let’s write a sanitizer that will checks fopen libc call and its variant freopen cannot be hijacked to open an unwanted file (here /etc/passwd). We are first going to check that the string given in input is controllable and if it is, checking by SMT that it can be the intended string.

[3]:

from tritondse import ProbeInterface, SymbolicExecutor, ProcessState, CbType, SeedStatus
from tritondse.types import Addr, SolverStatus

class OpenSanitizer(ProbeInterface):

    PASSWD_FILE = "/etc/passwd"

    def __init__(self):
        super(OpenSanitizer, self).__init__()
        self._add_callback(CbType.PRE_RTN, self.fopen_check, 'fopen')
        self._add_callback(CbType.PRE_RTN, self.fopen_check, 'freopen')

    def fopen_check(self, se: SymbolicExecutor, pstate: ProcessState, rtn_name: str, addr: Addr):
        # the filepath is located in arg0 (ptr to a string)
        string_ptr = se.pstate.get_argument_value(0)

        symbolic = True
        cur_ptr = string_ptr
        while pstate.read_memory_int(cur_ptr, 1):        # while different from 0
            if not se.pstate.is_memory_symbolic(cur_ptr, 1): # check that the byte is symbolic
                symbolic = False
            cur_ptr += 1

        # if all memory bytes are symbolic and we have enough place to fit our string
        if symbolic and (cur_ptr - string_ptr) > len(self.PASSWD_FILE):

            # Try to solve by SMT that the filepath string is /etc/passwd
            constraints = [pstate.read_symbolic_memory_byte(string_ptr+i).getAst() == ord(pwd_byte) for i, pwd_byte in enumerate(self.PASSWD_FILE)]
            st, model = pstate.solve(constraints)

            if st == SolverStatus.SAT:                          # if formula satisfiable
                new_seed = se.mk_new_seed_from_model(model)  # create a new input from the model
                new_seed.status = SeedStatus.CRASH           # mark it as crash
                se.enqueue_seed(new_seed)                    # enqueue it *(so that it will put in the workspace..)*

Then we just have to register our new sanitizer!

[4]:

dse.callback_manager.register_probe(OpenSanitizer())

There are no open in the crackme (but one can try with another example)