Status: closed by fuzyll 1 year ago
The solution to this also needs to not break the ability to express things like "find me any non-PAC calls". There is also concern that doing it this way could clutter up output.
A potential alternative to this that was suggested by a user is to mark the PAC intrinsic as optimizable so that MLIL and above have it removed.
The way I'm currently solving this is by lifting the PAC intrinsics to loads/stores at MLIL in a workflow; that works pretty well: https://github.com/fabianfreyer/binaryninja-depac-workflow
Hey, I'm reviewing issues. These parts:
The ARM64 lifter should stop emitting intrinsics for PAC instructions and should just lift them as normal, non-authenticated calls in loads or stores...
This would make ARM64 code that uses PAC actually decipherable.
are solved with the closing of: https://github.com/Vector35/binaryninja-api/issues/4638
But these parts:
...and then tag the instructions with an instruction attribute that says they are authenticated pointers.
The solution to this also needs to not break the ability to express things like "find me any non-PAC calls".
require we somehow mark or tag instructions, which would be a general feature, and PAC is merely a use case. In other words, I think this is an enhancement or feature request, and not an architecture, a64, or pac issue anymore. Maybe a new, separate issue is appropriate.
Workarounds: I can't think of any workarounds for searching PAC instructions. Sign, authenticate, and strip instructions now lift to nop so they don't appear in LLIL view. You'd have to search at disassembly level for known mnemonics like `autda`, `pacib`, `xpacd`, and so on. For "familiar operation + auth" instructions, we lift to the "familiar operation", so again you can get the address of the IL instruction and head back to disassembly level, testing if the mnemonic is `retaa` instead of `ret`, for example. Visually:
api change: https://github.com/Vector35/binaryninja-api/commit/957f151baa1f2036d9c43fa2a4638f88fe256393
arch-arm64 change: https://github.com/Vector35/arch-arm64/commit/8c97d6fa6e5af81a92d0ae15925bd725e10346a2
Disasm on left, llil on right, and python console shows how attribute is read:
This is live in builds >= 4577
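The workaround described in the review comment above (search mnemonics at the disassembly level, since sign/authenticate/strip instructions lift to nop and "familiar operation + auth" instructions lift to the familiar operation) as a small, added example. This is not Binary Ninja's code or the issue author's; it classifies mnemonics in a plain-text listing so it runs offline. The listing `SAMPLE_DISASM` is constructed for the example, and feeding it real lines built from `bv.get_disassembly(addr)` in a Binary Ninja Python console is an assumed usage that is not exercised here.

```python
"""Classify AArch64 PAC instructions in a disassembly listing.

Added example, not Binary Ninja code. Sign/authenticate/strip mnemonics lift
to nop; "familiar operation + auth" mnemonics lift to the familiar operation;
so the only place to tell them apart is the disassembly mnemonic.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# Pure sign / authenticate / strip instructions (pac*, aut*, xpac*): no other
# semantics, so the lifter turns them into nop and they vanish from LLIL.
PURE_PAC_PREFIXES = ("pac", "aut", "xpac")

# "Familiar operation + auth" mnemonics, mapped to the operation they lift to.
AUTH_VARIANTS = {
    "retaa": "ret", "retab": "ret",
    "braa": "br", "brab": "br", "braaz": "br", "brabz": "br",
    "blraa": "blr", "blrab": "blr", "blraaz": "blr", "blrabz": "blr",
    "ldraa": "ldr", "ldrab": "ldr",
    "eretaa": "eret", "eretab": "eret",
}

# What counts as a call for "find me any non-PAC calls".
CALL_MNEMONICS = {"bl", "blr"}


class Insn(NamedTuple):
    address: int
    mnemonic: str   # as written in the disassembly, e.g. "retaa"
    base: str       # what the IL shows: "nop", "ret", "blr", ... or the mnemonic
    kind: str       # "pac-only", "auth" or "plain"


def classify(mnemonic: str) -> Tuple[str, str]:
    """Return (lifted base operation, kind) for one mnemonic."""
    m = mnemonic.lower()
    if m.startswith(PURE_PAC_PREFIXES):
        return "nop", "pac-only"
    if m in AUTH_VARIANTS:
        return AUTH_VARIANTS[m], "auth"
    return m, "plain"


# One instruction per line: "<hex address> <mnemonic> [operands]".
LINE_RE = re.compile(r"^\s*(0x[0-9a-fA-F]+)\s+([A-Za-z0-9.]+)(?:\s+(.*))?$")


def parse_listing(listing: str) -> List[Insn]:
    out: List[Insn] = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        mt = LINE_RE.match(line)
        if not mt:
            raise ValueError(f"unrecognised disassembly line: {line!r}")
        addr, mnem = int(mt.group(1), 16), mt.group(2).lower()
        base, kind = classify(mnem)
        out.append(Insn(addr, mnem, base, kind))
    return out


def lookup(listing: str, address: int) -> Optional[Insn]:
    """Given an IL instruction's address, head back to the disassembly mnemonic."""
    return next((i for i in parse_listing(listing) if i.address == address), None)


def pac_only_addresses(listing: str) -> List[int]:
    return [i.address for i in parse_listing(listing) if i.kind == "pac-only"]


def pac_calls(listing: str) -> List[int]:
    return [i.address for i in parse_listing(listing)
            if i.base in CALL_MNEMONICS and i.kind == "auth"]


def non_pac_calls(listing: str) -> List[int]:
    return [i.address for i in parse_listing(listing)
            if i.base in CALL_MNEMONICS and i.kind == "plain"]


# Constructed sample listing (not captured from a real binary).
SAMPLE_DISASM = """\
0x100003f00 paciasp
0x100003f04 stp x29, x30, [sp, #-0x10]!
0x100003f08 mov x29, sp
0x100003f0c ldr x8, [x0]
0x100003f10 autda x8, x0
0x100003f14 ldr x9, [x8, #0x10]
0x100003f18 blraa x9, x8
0x100003f1c ldraa x10, [x11]
0x100003f20 blr x10
0x100003f24 xpacd x12
0x100003f28 ldp x29, x30, [sp], #0x10
0x100003f2c retaa
"""

if __name__ == "__main__":
    for insn in parse_listing(SAMPLE_DISASM):
        print(f"{insn.address:#x} {insn.mnemonic:<8} -> IL {insn.base:<4} ({insn.kind})")
    print("PAC calls:", [hex(a) for a in pac_calls(SAMPLE_DISASM)])
    print("non-PAC calls:", [hex(a) for a in non_pac_calls(SAMPLE_DISASM)])
```

The prefix test is deliberately broad (`pac`, `aut`, `xpac`) so it also catches the `*sp`, `*z`, `*1716` and `pacga` forms without listing each one; the combined-operation table is explicit because those mnemonics share a prefix with their unauthenticated counterparts.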
The ARM64 lifter should stop emitting intrinsics for PAC instructions and should just lift them as normal, non-authenticated calls in loads or stores and then tag the instructions with an instruction attribute that says they are authenticated pointers.
This would make ARM64 code that uses PAC actually decipherable.