ucsb-seclab / heapster

Identify and test the security of dynamic memory allocators in monolithic firmware images

No vulnerabilities found in PoC blob

NicolasFNino opened this issue

NicolasFNino commented:

Hello there,

I am trying your tool on the toy firmware that is used for the example commands. Everything seems to be working as expected until I try to trace the example PoC with HeapHopper, where it does not recognize a vulnerability, although the example implies that it should.

I would appreciate it if you could let me know whether I am doing something wrong or whether it might be a configuration issue.

Thanks a lot.

~/heapster# python3 /root/heapster/heaphopper/heaphopper_client.py trace -c /root/heapster/heaphopper_analyses/p2im_drone.bin/p2im_drone.bin_fake_free_3/analysis_bad_alloc.yaml -b /root/heapster/heaphopper_analyses/p2im_drone.bin/p2im_drone.bin_fake_free_3/zoo_dir/bin/2.bin
WARNING | 2024-01-29 19:59:57,430 | heap-tracer | Config at <_io.TextIOWrapper name='/root/heapster/heaphopper_analyses/p2im_drone.bin/p2im_drone.bin_fake_free_3/analysis_bad_alloc.yaml' mode='r' encoding='UTF-8'>
CRITICAL | 2024-01-29 19:59:57,444 | heap-tracer | Loading project file at /root/fw-dataset/ground_truth/p2im_drone.bin/hb_analysis/p2im_drone.bin.proj
WARNING | 2024-01-29 19:59:57,566 | cle.backends.elf.elf | User specified <Arch ARMCortexM (LE)> but autodetected <Arch ARMHF (LE)>. Proceed with caution.
INFO | 2024-01-29 19:59:57,600 | cle.loader | Loading libc.so.6...
INFO | 2024-01-29 19:59:57,601 | cle.loader | ... not found
INFO | 2024-01-29 19:59:57,601 | cle.loader | Linking /root/heapster/heaphopper_analyses/p2im_drone.bin/p2im_drone.bin_fake_free_3/zoo_dir/bin/2.bin
INFO | 2024-01-29 19:59:57,601 | cle.loader | Linking /root/fw-dataset/ground_truth/p2im_drone.bin/p2im_drone.bin
INFO | 2024-01-29 19:59:57,601 | cle.loader | Linking ram
INFO | 2024-01-29 19:59:57,601 | cle.loader | Linking mmio
WARNING | 2024-01-29 19:59:57,601 | cle.loader | The main binary is a position-independent executable. It is being loaded with a base address of 0x400000.
INFO | 2024-01-29 19:59:57,601 | cle.loader | Mapping /root/heapster/heaphopper_analyses/p2im_drone.bin/p2im_drone.bin_fake_free_3/zoo_dir/bin/2.bin at 0x400000
INFO | 2024-01-29 19:59:57,601 | cle.loader | Mapping /root/fw-dataset/ground_truth/p2im_drone.bin/p2im_drone.bin at 0x8000000
INFO | 2024-01-29 19:59:57,601 | cle.loader | Mapping cle##externs at 0x500000
INFO | 2024-01-29 19:59:57,603 | cle.loader | Linking cle##externs
INFO | 2024-01-29 19:59:57,603 | cle.loader | Mapping cle##externs at 0x600000
INFO | 2024-01-29 19:59:57,604 | cle.loader | Linking cle##tls
INFO | 2024-01-29 19:59:57,604 | cle.loader | Mapping cle##tls at 0x700000
INFO | 2024-01-29 19:59:57,604 | cle.loader | Mapping cle##kernel at 0x800000
INFO | 2024-01-29 19:59:57,604 | heap-tracer | [+]PoC and Blob loaded inside HeapHopper
INFO | 2024-01-29 19:59:57,605 | heap-tracer | [+] PoC Entry Point at [0x400445]
INFO | 2024-01-29 19:59:57,605 | heap-tracer | [+] PoC Arch [ARMCortexM]
INFO | 2024-01-29 19:59:57,605 | heap-tracer | [+] PoC Initial Stack Pointer [0x20005000]
INFO | 2024-01-29 19:59:57,605 | heap-tracer | [+] PoC Regions:
INFO | 2024-01-29 19:59:57,605 | heap-tracer | [+] Region 0: <ELF Object 2.bin, maps [0x400000:0x4110a7]>
INFO | 2024-01-29 19:59:57,605 | heap-tracer | [+] Region 1: <ExternObject Object cle##externs, maps [0x500000:0x500009]>
INFO | 2024-01-29 19:59:57,605 | heap-tracer | [+] Region 2: <ExternObject Object cle##externs, maps [0x600000:0x608000]>
INFO | 2024-01-29 19:59:57,605 | heap-tracer | [+] Region 3: <ELFTLSObjectV1 Object cle##tls, maps [0x700000:0x705808]>
INFO | 2024-01-29 19:59:57,605 | heap-tracer | [+] Region 4: <KernelObject Object cle##kernel, maps [0x800000:0x808000]>
INFO | 2024-01-29 19:59:57,605 | heap-tracer | [+] Region 5: <Blob Object p2im_drone.bin, maps [0x8000000:0x80079c0]>
INFO | 2024-01-29 19:59:57,605 | heap-tracer | [+] Region 6: <NamedRegion ram, maps [0x1fff0000:0x30000000]>
INFO | 2024-01-29 19:59:57,605 | heap-tracer | [+] Region 7: <NamedRegion mmio, maps [0x40000000:0x50000000]>
INFO | 2024-01-29 19:59:57,633 | heaphopper.angr_tools | Updating memory with following pages:
INFO | 2024-01-29 19:59:57,633 | heap-tracer | Heap base address is at 0x20001698
INFO | 2024-01-29 19:59:57,635 | heap-tracer | Setupping HeapHopper initial state
INFO | 2024-01-29 19:59:57,635 | heap-tracer | ctrl_data_0 at 0x411068
INFO | 2024-01-29 19:59:57,635 | heap-tracer | ctrl_data_1 at 0x411070
INFO | 2024-01-29 19:59:57,635 | heap-tracer | Storing mem2chunk_offset value <BV32 0x4> at 0x411050
INFO | 2024-01-29 19:59:57,636 | heap-tracer | Storing sym_data value at 0x411078
INFO | 2024-01-29 19:59:57,636 | heap-tracer | Storing sym_data value at 0x41107c
INFO | 2024-01-29 19:59:57,637 | heap-tracer | Storing sym_data value at 0x411080
INFO | 2024-01-29 19:59:57,637 | heap-tracer | Storing sym_data value at 0x411084
INFO | 2024-01-29 19:59:57,637 | heap-tracer | Storing sym_data value at 0x411088
INFO | 2024-01-29 19:59:57,638 | heap-tracer | Storing sym_data value at 0x41108c
INFO | 2024-01-29 19:59:57,638 | heap-tracer | Storing sym_data value at 0x411090
INFO | 2024-01-29 19:59:57,639 | heap-tracer | Storing sym_data value at 0x411094
INFO | 2024-01-29 19:59:57,640 | heap-tracer | Storing write_mem_element value at 0x411008
INFO | 2024-01-29 19:59:57,640 | heap-tracer | Storing write_mem_element value at 0x41100c
INFO | 2024-01-29 19:59:57,641 | heap-tracer | Storing write_mem_element value at 0x411010
INFO | 2024-01-29 19:59:57,641 | heap-tracer | Storing write_mem_element value at 0x411014
INFO | 2024-01-29 19:59:57,641 | heap-tracer | Storing write_mem_element value at 0x411018
INFO | 2024-01-29 19:59:57,642 | heap-tracer | Storing write_mem_element value at 0x41101c
INFO | 2024-01-29 19:59:57,642 | heap-tracer | Storing write_mem_element value at 0x411020
INFO | 2024-01-29 19:59:57,643 | heap-tracer | Storing write_mem_element value at 0x411024
INFO | 2024-01-29 19:59:57,643 | heap-tracer | Storing write_mem_element value at 0x411028
INFO | 2024-01-29 19:59:57,644 | heap-tracer | Storing write_mem_element value at 0x41102c
INFO | 2024-01-29 19:59:57,644 | heap-tracer | Storing write_mem_element value at 0x411030
INFO | 2024-01-29 19:59:57,644 | heap-tracer | Storing write_mem_element value at 0x411034
INFO | 2024-01-29 19:59:57,645 | heap-tracer | Storing write_mem_element value at 0x411038
INFO | 2024-01-29 19:59:57,645 | heap-tracer | Storing write_mem_element value at 0x41103c
INFO | 2024-01-29 19:59:57,646 | heap-tracer | Storing write_mem_element value at 0x411040
INFO | 2024-01-29 19:59:57,646 | heap-tracer | Storing write_mem_element value at 0x411044
INFO | 2024-01-29 19:59:57,646 | heap-tracer | Storing header_size value <BV32 0x4> at 0x41104c
[4264020, 4264024]
INFO | 2024-01-29 19:59:57,648 | heap-tracer | Storing malloc_size value at 0x411054
INFO | 2024-01-29 19:59:57,649 | heap-tracer | Storing malloc_size value at 0x411058
INFO | 2024-01-29 19:59:57,649 | heap-tracer | Storing fill_size value <BV32 0x0> at 0x41105c
INFO | 2024-01-29 19:59:57,650 | heap-tracer | Storing fill_size value <BV32 0x0> at 0x411060
INFO | 2024-01-29 19:59:57,651 | heap-tracer | Storing at 0x411098
INFO | 2024-01-29 19:59:57,652 | heap-tracer | Storing at 0x41109c
INFO | 2024-01-29 19:59:57,652 | heap-tracer | Storing at 0x4110a0
INFO | 2024-01-29 19:59:57,830 | heap-tracer | [+] State is configured. Ready to execute.
INFO | 2024-01-29 19:59:57,830 | heap-tracer | [+] Starting HeapHopper with timeout [1800] secs
INFO | 2024-01-29 19:59:57,830 | angr.sim_manager | Stepping active of <SimulationManager with 1 active>
DEBUG | 2024-01-29 19:59:57,833 | HHExecutor | [+] State to step is <SimState @ 0x400445>
INFO | 2024-01-29 19:59:57,923 | angr.sim_manager | Stepping active of <SimulationManager with 1 active>
DEBUG | 2024-01-29 19:59:57,925 | HHExecutor | [+] State to step is <SimState @ 0x400408>
INFO | 2024-01-29 19:59:57,929 | angr.sim_manager | Stepping active of <SimulationManager with 1 active>
DEBUG | 2024-01-29 19:59:57,931 | HHExecutor | [+] State to step is <SimState @ 0x500000>
DEBUG | 2024-01-29 19:59:58,150 | HHExecutor | [+] Reached address 0xdeadbeef
DEBUG | 2024-01-29 19:59:58,151 | HHExecutor | [!] Reached end of function. Exiting.
INFO | 2024-01-29 19:59:58,151 | heap-tracer | [+] HeapHopper terminated!
INFO | 2024-01-29 19:59:58,151 | heap-tracer | Found 0 vulns
INFO | 2024-01-29 19:59:58,151 | heap-tracer | These are the errored state:
END-METADATA-EXPERIMENTS
POC-TRACING-TOTAL-TIME: 0.32115936279296875

EXPERIMENT-TOTAL-TIME: 0.7213466167449951

And this is the hb_state.json:

{
  "timestamp": "2024-01-29T18:28:31.803831",
  "dir_name": "/root/fw-dataset/ground_truth/p2im_drone.bin",
  "blob_name": "p2im_drone.bin",
  "hb_folder": "/root/fw-dataset/ground_truth/p2im_drone.bin/hb_analysis",
  "blob_project": "/root/fw-dataset/ground_truth/p2im_drone.bin/hb_analysis/p2im_drone.bin.proj",
  "base_address": 134217728,
  "blob_entry_point": "0x80052b5",
  "blob_stack_pointer": "0x20005000",
  "num_of_functions": 190,
  "bf_candidates": [
    {"name": "IdentifiableMemcpy", "pointer_regs": ["r0", "r1"], "addr": [134240637, 134240659]},
    {"name": "IdentifiableReverseMemcpy", "pointer_regs": [], "addr": []},
    {"name": "IdentifiableMemset", "pointer_regs": [], "addr": []},
    {"name": "IdentifiableReverseMemset", "pointer_regs": [], "addr": []},
    {"name": "IdentifiableMemcmp", "pointer_regs": [], "addr": []},
    {"name": "IdentifiableStrlen", "pointer_regs": ["r0"], "addr": [134218065]},
    {"name": "IdentifiableStrncat", "pointer_regs": [], "addr": []},
    {"name": "IdentifiableStrcat", "pointer_regs": [], "addr": []},
    {"name": "IdentifiableStrncpy", "pointer_regs": [], "addr": []}
  ],
  "find_bf_timestamp": "2024-01-29T18:34:07.617731",
  "identify_pointers_timestamp": "2024-01-29T18:48:34.426008",
  "pointer_sources": ["0x8005a61", "0x8005b69", "0x8007609"],
  "calls_analyzed": ["0x8005a61", "0x8005b69", "0x8007609"],
  "caller_analyzed": ["0x8005449", "0x8005349", "0x800402d", "0x8005391", "0x80047b1", "0x8004fd9", "0x8005b1d"],
  "discovery_contributions": {
    "IdentifiableMemcpy": ["0x8005a61", "0x8005b69", "0x8007609"],
    "IdentifiableReverseMemcpy": [],
    "IdentifiableMemset": [],
    "IdentifiableReverseMemset": [],
    "IdentifiableMemcmp": [],
    "IdentifiableStrlen": [],
    "IdentifiableStrncat": [],
    "IdentifiableStrcat": [],
    "IdentifiableStrncpy": []
  },
  "working_pointer_sources": [
    {
      "ps_addr": 134240865,
      "ps_ct": {"r1": 64, "r0": 8},
      "hi_addr": 134238901,
      "dump_name": "/root/fw-dataset/ground_truth/p2im_drone.bin/hb_analysis/0x8005a61_0x80052b5_mem_dump.mem",
      "needs_unpacked_data": false
    },
    {
      "ps_addr": 134241129,
      "ps_ct": {"r0": 8, "r1": 8},
      "hi_addr": 134238901,
      "dump_name": "/root/fw-dataset/ground_truth/p2im_drone.bin/hb_analysis/0x8005b69_0x80052b5_mem_dump.mem",
      "needs_unpacked_data": false
    },
    {
      "ps_addr": 134247945,
      "ps_ct": {"r0": 8},
      "hi_addr": 134238901,
      "dump_name": "/root/fw-dataset/ground_truth/p2im_drone.bin/hb_analysis/0x8007609_0x80052b5_mem_dump.mem",
      "needs_unpacked_data": false
    }
  ],
  "best_hml_pairs": [
    {
      "malloc": "0x8005a61",
      "free": "0x80059c9",
      "hi": "0x80052b5",
      "mem_dump_path": "/root/fw-dataset/ground_truth/p2im_drone.bin/hb_analysis/0x8005a61_0x80052b5_mem_dump.mem",
      "malloc_ct": {"r1": 64, "r0": 8},
      "free_ct": {"r0": "TOP", "r1": "TOP"}
    }
  ],
  "malloc_args_info_constraints_proto": {"r1": 3, "r0": 1},
  "malloc_args_info_usages_proto": {},
  "free_args_info_constraints_proto": {"r0": 1, "r1": 3},
  "free_args_info_usages_proto": {},
  "final_allocator": {
    "malloc": "0x8005a61",
    "free": "0x80059c9",
    "hi": "0x80052b5",
    "mem_dump_path": "/root/fw-dataset/ground_truth/p2im_drone.bin/hb_analysis/0x8005a61_0x80052b5_mem_dump.mem",
    "malloc_ct": {"r1": 64, "r0": 8},
    "free_ct": {"r0": "TOP", "r1": "TOP"}
  },
  "malloc_prototype": "{\"ret\": \"r0\", \"arg_0\": \"arg_0\", \"arg_1\": \"size\"}",
  "malloc_prototype_string": "\"unsigned int * malloc(size_t arg_0,int size)\"",
  "free_prototype": "{\"arg_0\": \"arg_0\", \"arg_1\": \"ptr_to_free\"}",
  "free_prototype_string": "\"void free(size_t arg_0,unsigned int * arg_1)\"",
  "malloc_call": "malloc(malloc_sym_args[{}][{}],malloc_sizes[{}])",
  "free_call": "free(free_sym_args[{}][{}],ctrl_data_{}.global_var)",
  "fake_free_call": "free(free_sym_args[{}][{}],((uint8_t *) &sym_data.data) + mem2chunk_offset)",
  "double_free_call": "free(free_sym_args[{}][{}],ctrl_data_{}.global_var)",
  "malloc_unknown_arguments": 1,
  "malloc_unknown_arguments_vals": {"r0": [65536]},
  "free_unknown_arguments": 1,
  "free_unknown_arguments_vals": {"r0": [65536]},
  "malloc_to_hook_funcs": [],
  "free_to_hook_funcs": [],
  "heap_base": 536876696,
  "heap_grow_direction": ">",
  "mem2chunk_offset": 4,
  "header_size": 4,
  "allocator_works": 1
}
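When a HeapHopper trace ends with "Found 0 vulns" after only three stepped states, a useful first check (before suspecting the analysis configuration) is which loaded regions those states actually landed in: whether execution ever entered the firmware blob at all, and whether it reached the malloc/free addresses recorded under "final_allocator" in hb_state.json. The script below is an added example written for this page; it is not part of heapster or HeapHopper. It parses the region table and the HHExecutor "State to step" lines from a constructed, abbreviated copy of the log posted above (timestamps replaced with "..."), maps each stepped address to its region, and reports whether any step hit the allocator addresses taken from the hb_state.json above.

```python
import re

# Constructed, abbreviated copy of the heap-tracer log posted in this issue:
# timestamps are replaced with "...", and only the region table, the HHExecutor
# state lines and the final verdict are kept.
SAMPLE_LOG = """\
INFO | ... | heap-tracer | [+] Region 0: <ELF Object 2.bin, maps [0x400000:0x4110a7]>
INFO | ... | heap-tracer | [+] Region 1: <ExternObject Object cle##externs, maps [0x500000:0x500009]>
INFO | ... | heap-tracer | [+] Region 2: <ExternObject Object cle##externs, maps [0x600000:0x608000]>
INFO | ... | heap-tracer | [+] Region 3: <ELFTLSObjectV1 Object cle##tls, maps [0x700000:0x705808]>
INFO | ... | heap-tracer | [+] Region 4: <KernelObject Object cle##kernel, maps [0x800000:0x808000]>
INFO | ... | heap-tracer | [+] Region 5: <Blob Object p2im_drone.bin, maps [0x8000000:0x80079c0]>
INFO | ... | heap-tracer | [+] Region 6: <NamedRegion ram, maps [0x1fff0000:0x30000000]>
INFO | ... | heap-tracer | [+] Region 7: <NamedRegion mmio, maps [0x40000000:0x50000000]>
DEBUG | ... | HHExecutor | [+] State to step is <SimState @ 0x400445>
DEBUG | ... | HHExecutor | [+] State to step is <SimState @ 0x400408>
DEBUG | ... | HHExecutor | [+] State to step is <SimState @ 0x500000>
DEBUG | ... | HHExecutor | [+] Reached address 0xdeadbeef
INFO | ... | heap-tracer | Found 0 vulns
"""

# malloc/free addresses from "final_allocator" in the hb_state.json above.
ALLOCATOR = {"malloc": 0x8005A61, "free": 0x80059C9}

# "Object" is present for ELF/Extern/Kernel/TLS objects but absent for NamedRegion lines.
REGION_RE = re.compile(
    r"Region \d+: <(\w+)(?: Object)? ([^,]+), maps \[(0x[0-9a-fA-F]+):(0x[0-9a-fA-F]+)\]>")
STATE_RE = re.compile(r"State to step is <SimState @ (0x[0-9a-fA-F]+)>")
VULNS_RE = re.compile(r"Found (\d+) vulns")


def parse_regions(log):
    """Return [(kind, name, lo, hi), ...] for every 'Region N:' line; hi is exclusive."""
    return [(k, n, int(lo, 16), int(hi, 16)) for k, n, lo, hi in REGION_RE.findall(log)]


def region_for(addr, regions):
    """Name of the region containing addr, or None if the address maps nowhere."""
    for _kind, name, lo, hi in regions:
        if lo <= addr < hi:
            return name
    return None


def summarize(log, blob_name, allocator):
    """Map every stepped state to its region and check whether the blob's allocator was reached."""
    regions = parse_regions(log)
    steps = [(int(a, 16), region_for(int(a, 16), regions)) for a in STATE_RE.findall(log)]
    # Thumb code addresses carry bit 0 set; compare with it cleared so 0x8005a61 matches 0x8005a60.
    hits = [name for name, target in allocator.items()
            if any((addr & ~1) == (target & ~1) for addr, _ in steps)]
    m = VULNS_RE.search(log)
    return {
        "steps": steps,
        "blob_steps": sum(1 for _, name in steps if name == blob_name),
        "allocator_hits": hits,
        "vulns": int(m.group(1)) if m else None,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG, "p2im_drone.bin", ALLOCATOR)
    for addr, name in result["steps"]:
        print(f"step {addr:#010x} -> {name}")
    print(f"steps inside blob: {result['blob_steps']}, "
          f"allocator hits: {result['allocator_hits']}, "
          f"vulns reported: {result['vulns']}")
```

On the log above this reports two steps in 2.bin (the PoC), one step in cle##externs, zero steps inside p2im_drone.bin and no hit on either allocator address. In CLE, cle##externs is the object where unresolved imports are mapped, so a state landing there means the PoC called a symbol that was not resolved into the blob or hooked; combined with the immediate "Reached address 0xdeadbeef" exit, that is the point in the trace to inspect when comparing against the expected run.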

(Addressed via email)

@NicolasFNino let me know if you are good :)