trailofbits / ManticoreUI

After completion of #35 we need to implement the backend logic that Manticore will use to process the 'find' and 'avoid' commands.

This backend will likely be a grpc service.

Upon reaching a 'find' instruction, Manticore will print the solution to all symbolic variables in that state and then kill all remaining states. A state that reaches an 'avoid' instruction will terminate itself (which helps with state explosion).

See this code snippet for more info on Manticore handling

ManticoreUI/mui/mui.py

Lines 87 to 103 in 903b976

    
           def avoid_f(state: StateBase): 
        
               state.abandon() 
        
           for addr in self.avoid: 
        
               m.hook(addr)(avoid_f) 
        
           def find_f(state: StateBase): 
        
               bufs = state.solve_one_n_batched(state.input_symbols) 
        
               for symbol, buf in zip(state.input_symbols, bufs): 
        
                   print(f"{symbol.name}: {buf!r}\n") 
        
               with m.locked_context() as context: 
        
                   m.kill() 
        
               state.abandon() 
        
           for addr in self.find: 
        
               m.hook(addr)(find_f)

From the call, the steps I would take to explore this functionality would be in the form of a Python prototype with grpc.

First stage would be following and creating a very simple Python grpc service from a tutorial and making sure that you know how the lifecycle works.

The service should mimic the commands we need and just echo those commands on the server:

Find instruction
- This should take a 64 bit unsigned integer
- Returns a boolean whether this was completed successfully
Avoid instruction
- This should take a 64 bit unsigned integer
- Returns a boolean whether this was completed successfully
Start with Manticore arguments
- (I think if we just send a list of strings that represent the CLI arguments, that should be okay)
- Returns a boolean whether this was completed successfully and/or some information that may be required for further interaction/status updates
Stop
- Returns a boolean whether this was completed successfully

Second stage would be to replace the simple server with a Manticore wrapper server that actually does something with the commands and test that this server works correctly with the commands above. This is where we should take advantage of the code in the ManticoreUI repo.

The Python server should exist in the Ghidra repo (for now) as a root directory (next to the top-level MUI directory), probably named MUICore for now. It should ideally support building with shiv so that we could deploy with an installed MUI-Ghidra plugin.

Third stage would be to replace the simple client with the Ghidra Java client. This involves setting up the necessary infrastructure to generate the grpc code and integrate it into the gradle build and testing everything to make sure it works as expected.

closed by trailofbits/ManticoreUI-Ghidra#14

	def avoid_f(state: StateBase):
	state.abandon()

	for addr in self.avoid:
	m.hook(addr)(avoid_f)

	def find_f(state: StateBase):
	bufs = state.solve_one_n_batched(state.input_symbols)
	for symbol, buf in zip(state.input_symbols, bufs):
	print(f"{symbol.name}: {buf!r}\n")

	with m.locked_context() as context:
	m.kill()
	state.abandon()

	for addr in self.find:
	m.hook(addr)(find_f)

George can 'find' and 'avoid' instructions (part 2: backend)