Stab1el / BAGUA


How to set up the initial heap layout? #6

Open Hanseltu opened 1 year ago

Hanseltu commented 1 year ago

Hi,

May I ask a quick question, please? How do I set up the initial heap layout? As shown in your previous commit (https://github.com/Stab1el/BAGUA/commit/8db1225f431a0455c68ab241fff308762f5a14fd), you regenerated a new initial heap layout for exim in test/exim_cve_2018_6789/layout. May I know how you got the new layout file? Does the currently published code implementation support generating this file?

Thanks, Haoxin

Stab1el commented 1 year ago

Hi, the initial heap layout is generated manually with debugging tools such as the GDB toolkit. We dump the heap layout before manipulation based on a crash input. When we run the program on a different operating system or start with a new crash input, we might get a new heap layout.
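
The manual GDB dump described above can be scripted. What follows is an added example, not BAGUA's own code and not the format of its layout file: it walks a raw copy of a 64-bit glibc (ptmalloc2) main-arena heap and classifies every chunk, which is the information a pre-manipulation layout snapshot records. The sample heap image, its base address and the `dump_from_gdb` helper (which assumes the heap bounds were found with `info proc mappings` or glibc debug symbols) are assumptions for illustration.

```python
"""Walk a dumped 64-bit glibc (ptmalloc2) main-arena heap and list its chunks.

Added example: not part of BAGUA. It reproduces by hand what you would read
off the chunk headers in GDB before the first heap-manipulating operation.
"""
import struct

CHUNK_HDR = 16        # prev_size (8) + size (8) on x86-64
SIZE_FLAGS = 0x7      # low bits of size: PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA
PREV_INUSE = 0x1
MIN_CHUNK = 0x20


def walk_heap(heap, heap_base):
    """Return [(addr, size, status)] for every chunk in `heap`.

    `heap` is the raw bytes of the arena from its first chunk through the top
    chunk; `heap_base` is the address those bytes were read from. status is
    "inuse", "free" or "top". A chunk is in use iff the *next* chunk's
    PREV_INUSE bit is set; the last header reached is the top chunk.
    Caveat: tcache and fastbin chunks keep their successor's PREV_INUSE set,
    so they are reported as "inuse" here; telling them apart needs the
    tcache_perthread_struct and main_arena.fastbinsY as well.
    """
    headers = []  # (offset, size, prev_inuse)
    off = 0
    while off + CHUNK_HDR <= len(heap):
        size_field = struct.unpack_from("<Q", heap, off + 8)[0]
        size = size_field & ~SIZE_FLAGS
        headers.append((off, size, bool(size_field & PREV_INUSE)))
        if size < MIN_CHUNK or off + size >= len(heap):
            break  # top chunk (or a corrupted size field) ends the walk
        off += size

    chunks = []
    for i, (off, size, _) in enumerate(headers):
        if i + 1 == len(headers):
            status = "top"
        elif headers[i + 1][2]:
            status = "inuse"
        else:
            status = "free"
        chunks.append((heap_base + off, size, status))
    return chunks


def top_chunk(chunks):
    """(addr, size) of the top chunk, i.e. the last entry of walk_heap()."""
    addr, size, status = chunks[-1]
    if status != "top":
        raise ValueError("walk did not end at a top chunk")
    return addr, size


def dump_from_gdb(start, end):
    """Read [start, end) from the debuggee via GDB's Python API.

    Run from a gdb prompt once the process sits at the breakpoint just before
    the crash input is consumed: walk_heap(dump_from_gdb(s, e), s).
    Assumption: s/e come from `info proc mappings` or, with glibc symbols,
    `p mp_.sbrk_base` and `p main_arena.top` plus the top chunk's size.
    """
    import gdb  # only importable inside gdb
    return bytes(gdb.selected_inferior().read_memory(start, end - start))


def build_sample_heap(base=0x555555559000):
    """Constructed heap image: 0x20 inuse, 0x30 free, 0x40 inuse, 0x70 top."""
    heap = bytearray(0x100)
    struct.pack_into("<Q", heap, 0x08, 0x21)  # chunk0: size 0x20, PREV_INUSE set
    struct.pack_into("<Q", heap, 0x28, 0x31)  # chunk1: size 0x30, chunk0 in use
    struct.pack_into("<Q", heap, 0x50, 0x30)  # chunk2.prev_size = size of free chunk1
    struct.pack_into("<Q", heap, 0x58, 0x40)  # chunk2: size 0x40, PREV_INUSE clear
    struct.pack_into("<Q", heap, 0x98, 0x71)  # top: size 0x70, chunk2 in use
    return bytes(heap), base


if __name__ == "__main__":
    for addr, size, status in walk_heap(*build_sample_heap()):
        print("0x%x 0x%x %s" % (addr, size, status))
```

In a real process the first chunk of the main arena on glibc 2.26 and later is the 0x290-byte tcache_perthread_struct, and the addresses change with ASLR, which is why a layout captured on one system or for one crash input does not carry over to another.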

Hanseltu commented 1 year ago

Hi @Stab1el, thank you very much for your reply!

I have used GDB to find out the actual address of dynamically allocated memory objects in a test program, but I have a further question about the heap allocator simulator. Can I seek your help again? Thanks!

Your paper mentioned, "We implement a heap allocator emulator by integrating mainstream heap allocators. It is able to accurately simulate the behaviors of allocation and freeing of heap chunks, in terms of the property of chains, the side effect of the state-varied feature, and the allocation order that are related to HLM." How can I map the heap allocator emulator's behavior to be the same as the native heap allocator's? Specifically, how can I find the top_chunk address on my machine for my own test program, for example the one shown here https://github.com/Stab1el/BAGUA/blob/main/test/exim_cve_2018_6789/layout#L158? It seems the code in the heap_helper folder is implemented for this purpose. Is it? If so, can you explain more about how I can run it and ensure the simulated heap allocator behavior is the same as the native one?

I simply re-compiled client.c and ran python2 server.py. Finally, I got this error:

0
not init!!!!!!!!!!!!!!!!!!!!!!!!!
SERVER: Listening port 1500

SERVER: SIMULATOR knock knock!

Traceback (most recent call last):
  File "/home/haoxin/haoxin-data/dut-research/experiments/BAGUA-test/server.py", line 167, in <module>
    hp.get_holes_for_fuzzer(op_list)
  File "/home/haoxin/haoxin-data/dut-research/experiments/BAGUA-test/server.py", line 148, in get_holes_for_fuzzer
    return self._parse_holes(send_buff)
  File "/home/haoxin/haoxin-data/dut-research/experiments/BAGUA-test/server.py", line 55, in _parse_holes
    cur_hole_addr, cur_hole_size, cur_hole_type, cur_prim_num, cur_op_index, cur_alloc_index = struct.unpack("<QQBBBQ", data)
struct.error: unpack requires a string argument of length 27

The error happens when the data is EEE, so the length of the data is 3, which causes the length mismatch. May I know how I can fix this?

Many thanks again, Haoxin
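
The unpack error above is what `struct.unpack("<QQBBBQ", ...)` raises in Python 2 when it receives a 3-byte string instead of the 27-byte record it expects (8+8+1+1+1+8 bytes, with no padding because of the `<` prefix); the same call in Python 3 reports "unpack requires a buffer of 27 bytes". The following added example, which is not the project's server.py, parses a stream of such records and treats a short trailing `EEE` as an end-of-list marker instead of a record. It assumes that `EEE` is a sentinel sent by client.c and that the field order matches the local variable names in the traceback; the sample records and the fragmented "socket" are constructed.

```python
"""Parse fixed-size hole records of the shape server.py unpacks with "<QQBBBQ",
tolerating the short trailing message instead of crashing on it.

Added example, not BAGUA's code. Runs on Python 2.7 and 3 (bytes literals only).
"""
import struct

HOLE_FMT = "<QQBBBQ"                 # little-endian, unpadded: 27 bytes
HOLE_LEN = struct.calcsize(HOLE_FMT)
# Field names follow the local variables in the traceback (assumption).
HOLE_FIELDS = ("hole_addr", "hole_size", "hole_type",
               "prim_num", "op_index", "alloc_index")
# Assumption: the 3-byte payload "EEE" seen before the crash is the client's
# end-of-list marker, not a damaged record.
END_MARKER = b"EEE"


def parse_holes(buf):
    """Return (holes, ended); `ended` is True when END_MARKER closed the list.

    Raises ValueError on a partial record. That is what the 27-byte unpack of
    a 3-byte message really signals: the bytes were not a record at all.
    """
    holes = []
    off = 0
    while off < len(buf):
        remaining = len(buf) - off
        if remaining < HOLE_LEN:
            if buf[off:] == END_MARKER:
                return holes, True
            raise ValueError("short record: %d bytes, want %d"
                             % (remaining, HOLE_LEN))
        values = struct.unpack_from(HOLE_FMT, buf, off)
        holes.append(dict(zip(HOLE_FIELDS, values)))
        off += HOLE_LEN
    return holes, False


def read_holes(recv):
    """Drain a byte source until END_MARKER, reassembling records that TCP
    split across reads. `recv` is any callable returning bytes (b"" on EOF),
    e.g. lambda: sock.recv(4096)."""
    buf = b""
    while True:
        data = recv()
        if not data:
            raise EOFError("connection closed before end marker")
        buf += data
        try:
            holes, ended = parse_holes(buf)
        except ValueError:
            continue  # tail is a partial record; wait for the rest
        if ended:
            return holes


def make_record(hole_addr, hole_size, hole_type, prim_num, op_index, alloc_index):
    """Encode one record exactly as parse_holes() expects it."""
    return struct.pack(HOLE_FMT, hole_addr, hole_size, hole_type,
                       prim_num, op_index, alloc_index)


# Constructed sample stream: two holes followed by the end marker (57 bytes).
SAMPLE_STREAM = (make_record(0x5555555592a0, 0x30, 1, 0, 2, 5)
                 + make_record(0x555555559400, 0x110, 0, 1, 7, 9)
                 + END_MARKER)


def demo():
    """Feed SAMPLE_STREAM through read_holes() in awkward 10-byte pieces."""
    pieces = [SAMPLE_STREAM[i:i + 10] for i in range(0, len(SAMPLE_STREAM), 10)]
    pieces.append(b"")  # EOF, never reached because the marker comes first
    it = iter(pieces)
    return read_holes(lambda: next(it))


if __name__ == "__main__":
    for hole in demo():
        print("hole at 0x%x size 0x%x" % (hole["hole_addr"], hole["hole_size"]))
```

The remaining ambiguity is inherent in a bare-byte sentinel: a 3-byte tail that happens to spell `EEE` but is really the start of a record cannot be told apart from the marker, so a length prefix or a record count in the first message is the robust fix on both sides of the client/server pair.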