AST::Ptr JumpTableFormatVisitor::visit(DataflowAPI::RoseAST *ast) { bool findIncorrectFormat = false; if (ast->val().op == ROSEOperation::derefOp) { // We only check the first memory read if (ast->child(0)->getID() == AST::V_RoseAST) { RoseAST::Ptr roseAST = boost::static_pointer_cast<RoseAST>(ast->child(0)); if (roseAST->val().op == ROSEOperation::derefOp) { // Two directly nested memory accesses cannot be jump tables parsing_printf("Two directly nested memory access, not jump table format\n"); findIncorrectFormat = true; } else if (roseAST->val().op == ROSEOperation::addOp) { Address tableBase = 0; if (roseAST->child(0)->getID() == AST::V_ConstantAST && roseAST->child(1)->getID() == AST::V_VariableAST) { ConstantAST::Ptr constAST = boost::static_pointer_cast<ConstantAST>(roseAST->child(0)); tableBase = (Address)constAST->val().val; } if (roseAST->child(1)->getID() == AST::V_ConstantAST && roseAST->child(0)->getID() == AST::V_VariableAST) { ConstantAST::Ptr constAST = boost::static_pointer_cast<ConstantAST>(roseAST->child(1)); tableBase = (Address)constAST->val().val; } if (tableBase) { Architecture arch = b->obj()->cs()->getArch(); if (arch == Arch_x86) { tableBase &= 0xffffffff; } #if defined(os_windows) tableBase -= b->obj()->cs()->loadAddress(); #endif if (!b->obj()->cs()->isValidAddress(tableBase)) { parsing_printf("\ttableBase 0x%lx invalid, not jump table format\n", tableBase); findIncorrectFormat = true; } if (!b->obj()->cs()->isReadOnly(tableBase)) { parsing_printf("\ttableBase 0x%lx not read only, not jump table format\n", tableBase); findIncorrectFormat = true; } } } } if (findIncorrectFormat) { format = false; } return AST::Ptr(); } if (!findIncorrectFormat) { unsigned totalChildren = ast->numChildren(); for (unsigned i = 0 ; i < totalChildren; ++i) { ast->child(i)->accept(this); } } return AST::Ptr(); }
AST::Ptr ComparisonVisitor::visit(DataflowAPI::RoseAST *ast) { // For cmp type instruction setting zf // Looking like <eqZero?>(<add>(<V([x86_64::rbx])>,<Imm:8>,),) // Assuming ast has been simplified if (ast->val().op == ROSEOperation::equalToZeroOp) { bool minuendIsZero = true; AST::Ptr child = ast->child(0); if (child->getID() == AST::V_RoseAST) { RoseAST::Ptr childRose = boost::static_pointer_cast<RoseAST>(child); if (childRose->val().op == ROSEOperation::addOp) { minuendIsZero = false; subtrahend = childRose->child(0); minuend = childRose->child(1); // If the minuend is a constant, then // the minuend is currently in its two-complement form if (minuend->getID() == AST::V_ConstantAST) { ConstantAST::Ptr constAST = boost::static_pointer_cast<ConstantAST>(minuend); uint64_t val = constAST->val().val; int size = constAST->val().size; if (size < 64) val = ((~val)+ 1) & ((1ULL << size) - 1); else if (size == 64) val = (~val) + 1; else parsing_printf("WARNING: constant bit size %d exceeds 64!\n", size); minuend = ConstantAST::create(Constant(val, size)); } else if (minuend->getID() == AST::V_RoseAST) { RoseAST::Ptr sub = boost::static_pointer_cast<RoseAST>(minuend); minuend = AST::Ptr(); if (sub->val().op == ROSEOperation::addOp && sub->child(0)->getID() == AST::V_RoseAST) { sub = boost::static_pointer_cast<RoseAST>(sub->child(0)); if (sub->val().op == ROSEOperation::invertOp) { // Otherwise, the minuend ast is in the form of add(invert(minuend), 1) // Need to extract the real minuend minuend = sub->child(0); } } } } } if (minuendIsZero) { // The minuend is 0, thus the add operation is subsume. subtrahend = ast->child(0); minuend = ConstantAST::create(Constant(0)); } } return AST::Ptr(); }
static bool IsVariableArgumentFormat(AST::Ptr t, AbsRegion &index) { if (t->getID() != AST::V_RoseAST) { return false; } RoseAST::Ptr rt = boost::static_pointer_cast<RoseAST>(t); if (rt->val().op != ROSEOperation::addOp) { return false; } if (rt->child(0)->getID() != AST::V_ConstantAST || rt->child(1)->getID() != AST::V_RoseAST) { return false; } RoseAST::Ptr c1 = boost::static_pointer_cast<RoseAST>(rt->child(1)); if (c1->val().op == ROSEOperation::addOp) { if (c1->child(0)->getID() == AST::V_RoseAST && c1->child(1)->getID() == AST::V_ConstantAST) { RoseAST::Ptr lc = boost::static_pointer_cast<RoseAST>(c1->child(0)); ConstantAST::Ptr rc = boost::static_pointer_cast<ConstantAST>(c1->child(1)); if (lc->val().op == ROSEOperation::invertOp && rc->val().val == 1) { return IsIndexing(lc->child(0), index); } } return false; } return IsIndexing(rt->child(1), index); }
AST::Ptr DeepCopyAnAST(AST::Ptr ast) { if (ast->getID() == AST::V_RoseAST) { RoseAST::Ptr roseAST = boost::static_pointer_cast<RoseAST>(ast); AST::Children kids; unsigned totalChildren = ast->numChildren(); for (unsigned i = 0 ; i < totalChildren; ++i) { kids.push_back(DeepCopyAnAST(ast->child(i))); } return RoseAST::create(ROSEOperation(roseAST->val()), kids); } else if (ast->getID() == AST::V_VariableAST) { VariableAST::Ptr varAST = boost::static_pointer_cast<VariableAST>(ast); return VariableAST::create(Variable(varAST->val())); } else if (ast->getID() == AST::V_ConstantAST) { ConstantAST::Ptr constAST = boost::static_pointer_cast<ConstantAST>(ast); return ConstantAST::create(Constant(constAST->val())); } else if (ast->getID() == AST::V_BottomAST) { BottomAST::Ptr bottomAST = boost::static_pointer_cast<BottomAST>(ast); return BottomAST::create(bottomAST->val()); } fprintf(stderr, "ast type %d, %s\n", ast->getID(), ast->format().c_str()); assert(0); return AST::Ptr(); }
void BoundFactsCalculator::CalcTransferFunction(Node::Ptr curNode, BoundFact *newFact){ SliceNode::Ptr node = boost::static_pointer_cast<SliceNode>(curNode); if (!node->assign()) return; if (node->assign() && node->assign()->out().absloc().type() == Absloc::Register && (node->assign()->out().absloc().reg() == x86::zf || node->assign()->out().absloc().reg() == x86_64::zf)) { // zf should be only predecessor of this node parsing_printf("\t\tThe predecessor node is zf assignment!\n"); newFact->SetPredicate(node->assign(), ExpandAssignment(node->assign()) ); return; } entryID id = node->assign()->insn()->getOperation().getID(); // The predecessor is not a conditional jump, // then we can determine buond fact based on the src assignment parsing_printf("\t\tThe predecessor node is normal node\n"); parsing_printf("\t\t\tentry id %d\n", id); AbsRegion &ar = node->assign()->out(); Instruction::Ptr insn = node->assign()->insn(); pair<AST::Ptr, bool> expandRet = ExpandAssignment(node->assign()); if (expandRet.first == NULL) { parsing_printf("\t\t\t No semantic support for this instruction. Assume it does not affect jump target calculation. Ignore it (Treat as identity function) except for ptest. ptest should kill the current predicate\n"); if (id == e_ptest) { parsing_printf("\t\t\t\tptest instruction, kill predciate.\n"); newFact->pred.valid = false; } return; } else { parsing_printf("\tAST: %s\n", expandRet.first->format().c_str()); } AST::Ptr calculation = expandRet.first; BoundCalcVisitor bcv(*newFact, node->block(), handleOneByteRead); calculation->accept(&bcv); AST::Ptr outAST; // If the instruction writes memory, // we need the AST that represents the memory access and the address. // When the AbsRegion represents memory, // the generator of the AbsRegion is set to be the AST that represents // the memory address during symbolic expansion. // In other cases, if the AbsRegion represents a register, // the generator is not set. if (ar.generator() != NULL) outAST = SimplifyAnAST(RoseAST::create(ROSEOperation(ROSEOperation::derefOp, ar.size()), ar.generator()), node->assign()->insn()->size()); else outAST = VariableAST::create(Variable(ar)); /* * Naively, bsf and bsr produces a bound from 0 to the number of bits of the source operands. * In pratice, especially in libc, the real bound is usually smaller than the size of the source operand. * Ex 1: shl %cl,%edx * bsf %rdx,%rcx * Here rcx is in range [0,31] rather than [0,63] even though rdx has 64 bits. * * Ex 2: pmovmskb %xmm0,%edx * bsf %rdx, %rdx * Here rdx is in range[0,15] because pmovmskb only sets the least significat 16 bits * In addition, overapproximation of the bound can lead to bogus control flow * that causes overlapping blocks or function. * It is important to further anaylze the operand in bsf rather than directly conclude the bound if (id == e_bsf || id == e_bsr) { int size = node->assign()->insn()->getOperand(0).getValue()->size(); newFact->GenFact(outAST, new BoundValue(StridedInterval(1,0, size * 8 - 1)), false); parsing_printf("\t\t\tCalculating transfer function: Output facts\n"); newFact->Print(); return; } */ if (id == e_xchg) { newFact->SwapFact(calculation, outAST); parsing_printf("\t\t\tCalculating transfer function: Output facts\n"); newFact->Print(); return; } if (id == e_push) { if (calculation->getID() == AST::V_ConstantAST) { ConstantAST::Ptr c = boost::static_pointer_cast<ConstantAST>(calculation); newFact->PushAConst(c->val().val); parsing_printf("\t\t\tCalculating transfer function: Output facts\n"); newFact->Print(); return; } } if (id == e_pop) { if (newFact->PopAConst(outAST)) { parsing_printf("\t\t\tCalculating transfer function: Output facts\n"); newFact->Print(); return; } } // Assume all SETxx entry ids are contiguous if (id >= e_setb && id <= e_setz) { newFact->GenFact(outAST, new BoundValue(StridedInterval(1,0,1)), false); parsing_printf("\t\t\tCalculating transfer function: Output facts\n"); newFact->Print(); return; } if (bcv.IsResultBounded(calculation)) { parsing_printf("\t\t\tGenerate bound fact for %s\n", outAST->format().c_str()); newFact->GenFact(outAST, new BoundValue(*bcv.GetResultBound(calculation)), false); } else { parsing_printf("\t\t\tKill bound fact for %s\n", outAST->format().c_str()); newFact->KillFact(outAST, false); } if (calculation->getID() == AST::V_VariableAST) { // We only track alising between registers parsing_printf("\t\t\t%s and %s are equal\n", calculation->format().c_str(), outAST->format().c_str()); newFact->InsertRelation(calculation, outAST, BoundFact::Equal); } newFact->AdjustPredicate(outAST, calculation); // Now try to track all aliasing. // Currently, all variables in the slice are presented as an AST // consists of input variables to the slice (the variables that // we do not the sources of their values). newFact->TrackAlias(DeepCopyAnAST(calculation), outAST); // Apply tracking relations to the calculation to generate a // potentially stricter bound BoundValue *strictValue = newFact->ApplyRelations(outAST); if (strictValue != NULL) { parsing_printf("\t\t\tGenerate stricter bound fact for %s\n", outAST->format().c_str()); newFact->GenFact(outAST, strictValue, false); } parsing_printf("\t\t\tCalculating transfer function: Output facts\n"); newFact->Print(); }
AST::Ptr SimplifyRoot(AST::Ptr ast, Address addr) { if (ast->getID() == AST::V_RoseAST) { RoseAST::Ptr roseAST = boost::static_pointer_cast<RoseAST>(ast); switch (roseAST->val().op) { case ROSEOperation::invertOp: if (roseAST->child(0)->getID() == AST::V_RoseAST) { RoseAST::Ptr child = boost::static_pointer_cast<RoseAST>(roseAST->child(0)); if (child->val().op == ROSEOperation::invertOp) return child->child(0); } else if (roseAST->child(0)->getID() == AST::V_ConstantAST) { ConstantAST::Ptr child = boost::static_pointer_cast<ConstantAST>(roseAST->child(0)); size_t size = child->val().size; uint64_t val = child->val().val; if (size < 64) { uint64_t mask = (1ULL << size) - 1; val = (~val) & mask; } else val = ~val; return ConstantAST::create(Constant(val, size)); } break; case ROSEOperation::extendMSBOp: case ROSEOperation::extractOp: case ROSEOperation::signExtendOp: case ROSEOperation::concatOp: return roseAST->child(0); case ROSEOperation::addOp: // We simplify the addition as much as we can // Case 1: two constants if (roseAST->child(0)->getID() == AST::V_ConstantAST && roseAST->child(1)->getID() == AST::V_ConstantAST) { ConstantAST::Ptr child0 = boost::static_pointer_cast<ConstantAST>(roseAST->child(0)); ConstantAST::Ptr child1 = boost::static_pointer_cast<ConstantAST>(roseAST->child(1)); uint64_t val = child0->val().val + child1->val().val; size_t size; if (child0->val().size > child1->val().size) size = child0->val().size; else size = child1->val().size; return ConstantAST::create(Constant(val,size)); } // Case 2: anything adding zero stays the same if (roseAST->child(0)->getID() == AST::V_ConstantAST) { ConstantAST::Ptr child = boost::static_pointer_cast<ConstantAST>(roseAST->child(0)); if (child->val().val == 0) return roseAST->child(1); } if (roseAST->child(1)->getID() == AST::V_ConstantAST) { ConstantAST::Ptr child = boost::static_pointer_cast<ConstantAST>(roseAST->child(1)); if (child->val().val == 0) return roseAST->child(0); } // Case 3: if v + v * c = v * (c+1), where v is a variable and c is a constant if (roseAST->child(0)->getID() == AST::V_VariableAST && roseAST->child(1)->getID() == AST::V_RoseAST) { RoseAST::Ptr rOp = boost::static_pointer_cast<RoseAST>(roseAST->child(1)); if (rOp->val().op == ROSEOperation::uMultOp || rOp->val().op == ROSEOperation::sMultOp) { if (rOp->child(0)->getID() == AST::V_VariableAST && rOp->child(1)->getID() == AST::V_ConstantAST) { VariableAST::Ptr varAST1 = boost::static_pointer_cast<VariableAST>(roseAST->child(0)); VariableAST::Ptr varAST2 = boost::static_pointer_cast<VariableAST>(rOp->child(0)); if (varAST1->val().reg == varAST2->val().reg) { ConstantAST::Ptr oldC = boost::static_pointer_cast<ConstantAST>(rOp->child(1)); ConstantAST::Ptr newC = ConstantAST::create(Constant(oldC->val().val + 1, oldC->val().size)); RoseAST::Ptr newRoot = RoseAST::create(ROSEOperation(rOp->val()), varAST1, newC); return newRoot; } } } } break; case ROSEOperation::sMultOp: case ROSEOperation::uMultOp: if (roseAST->child(0)->getID() == AST::V_ConstantAST) { ConstantAST::Ptr child0 = boost::static_pointer_cast<ConstantAST>(roseAST->child(0)); if (child0->val().val == 1) return roseAST->child(1); } if (roseAST->child(1)->getID() == AST::V_ConstantAST) { ConstantAST::Ptr child1 = boost::static_pointer_cast<ConstantAST>(roseAST->child(1)); if (child1->val().val == 1) return roseAST->child(0); } break; case ROSEOperation::xorOp: if (roseAST->child(0)->getID() == AST::V_VariableAST && roseAST->child(1)->getID() == AST::V_VariableAST) { VariableAST::Ptr child0 = boost::static_pointer_cast<VariableAST>(roseAST->child(0)); VariableAST::Ptr child1 = boost::static_pointer_cast<VariableAST>(roseAST->child(1)); if (child0->val() == child1->val()) { return ConstantAST::create(Constant(0 , 32)); } } break; case ROSEOperation::derefOp: // Any 8-bit value is bounded in [0,255]. // Need to keep the length of the dereference if it is 8-bit. // However, dereference longer than 8-bit should be regarded the same. if (roseAST->val().size == 8) return ast; else return RoseAST::create(ROSEOperation(ROSEOperation::derefOp), ast->child(0)); break; case ROSEOperation::shiftLOp: if (roseAST->child(0)->getID() == AST::V_ConstantAST && roseAST->child(1)->getID() == AST::V_ConstantAST) { ConstantAST::Ptr child0 = boost::static_pointer_cast<ConstantAST>(roseAST->child(0)); ConstantAST::Ptr child1 = boost::static_pointer_cast<ConstantAST>(roseAST->child(1)); return ConstantAST::create(Constant(child0->val().val << child1->val().val, 64)); } break; case ROSEOperation::andOp: if (roseAST->child(0)->getID() == AST::V_ConstantAST && roseAST->child(1)->getID() == AST::V_ConstantAST) { ConstantAST::Ptr child0 = boost::static_pointer_cast<ConstantAST>(roseAST->child(0)); ConstantAST::Ptr child1 = boost::static_pointer_cast<ConstantAST>(roseAST->child(1)); return ConstantAST::create(Constant(child0->val().val & child1->val().val, 64)); } break; case ROSEOperation::orOp: if (roseAST->child(0)->getID() == AST::V_ConstantAST && roseAST->child(1)->getID() == AST::V_ConstantAST) { ConstantAST::Ptr child0 = boost::static_pointer_cast<ConstantAST>(roseAST->child(0)); ConstantAST::Ptr child1 = boost::static_pointer_cast<ConstantAST>(roseAST->child(1)); return ConstantAST::create(Constant(child0->val().val | child1->val().val, 64)); } break; default: break; } } else if (ast->getID() == AST::V_VariableAST) { VariableAST::Ptr varAST = boost::static_pointer_cast<VariableAST>(ast); if (varAST->val().reg.absloc().isPC()) { MachRegister pc = varAST->val().reg.absloc().reg(); return ConstantAST::create(Constant(addr, getArchAddressWidth(pc.getArchitecture()) * 8)); } // We do not care about the address of the a-loc // because we will keep tracking the changes of // each a-loc. Also, this brings a benefit that // we can directly use ast->isStrictEqual() to // compare two ast. return VariableAST::create(Variable(varAST->val().reg)); } else if (ast->getID() == AST::V_ConstantAST) { ConstantAST::Ptr constAST = boost::static_pointer_cast<ConstantAST>(ast); size_t size = constAST->val().size; uint64_t val = constAST->val().val; if (size == 32) if (!(val & (1ULL << (size - 1)))) return ConstantAST::create(Constant(val, 64)); } return ast; }