Closed Yuuoniy closed 3 years ago
Anyway, I ran the analyzer on the Linux IR you provided and on the incomplete IR I generated locally. I have some questions about the result. Run command:
nohup ./analyzer -debug-verbose 0 -dump-leakers -dump-alias `find ~/o/w2l/code/linux-5.5.3-def-ir-debug -name "*\.ll"` 2>../../out/all/latest-linux-5.5.3-def &
They both print LeakStructMap with 43 structures and the information of AllocInst, LeakInst and so on.
Here are the 43 structures (grep the result with [+] struct):
[+] struct.kobj_uevent_env
[+] struct.kioctx
[+] struct.proc_dir_entry
[+] struct.snd_pcm_mmap_control
[+] struct.snd_pcm_mmap_status
[+] struct.ip_sf_socklist
[+] struct.pipe_buffer
[+] struct.snd_pcm_runtime
[+] struct.xfrm_replay_state_esn
[+] struct.nlattr
[+] struct.rpc_task
[+] struct.station_info
[+] struct.sk_buff
[+] struct.dst_entry
[+] struct.group_info
[+] struct.nfs4_lockdata
[+] struct.nfs4_opendata
[+] struct.iovec
[+] struct.ipt_replace
[+] struct.elf64_phdr
[+] struct.nfs4_delegreturndata
[+] struct.ftrace_buffer_info
[+] struct.hid_device
[+] struct.bio_vec
[+] struct.scatterlist
[+] struct.xfrm_policy
[+] struct.fname
[+] struct.sem_array
[+] struct.inode
[+] struct.mon_reader_bin
[+] struct.policy_load_memory
[+] struct.vc_data
[+] struct.seq_file
[+] struct.dm_ioctl
[+] struct.mon_reader_text
[+] struct.n_tty_data
[+] struct.debug_buffer
[+] struct.usb_host_config
[+] struct.net_device
[+] struct.perf_event
[+] struct.configfs_buffer
[+] struct.usblp
[+] struct.regmap
Compared with the structures in Table 4 in the paper, I find that some structures in Table 4 do not show up here. According to my understanding, the structures in LeakStructMap should contain all the elastic objects shown in Table 4. Am I missing something?
Besides, the result ends with printing structModuleMap, leakInstMap, allocInstMap, leakerList, allocSyscallMap, leakSyscallMap, but all of them are empty. Is this result as expected? Or do I need to configure something to make it work?
========= printing structModuleMap ==========
====== end printing structModuleMap ==========
========= printing leakInstMap ==========
====== end printing leakInstMap ==========
========= printing allocInstMap ==========
====== end printing allocInstMap ==========
========= printing leakerList ==========
====== end printing leakerList ==========
========= printing allocSyscallMap & leakSyscallMap ==========
======== end printing allocSyscallMap & leakSyscallMap =======
I sincerely hope to get your help with this. Thank you for any suggestion or comment.
Hi, thanks for your interest.
I am not sure if this is due to the incompleteness of the IR. You're welcome to use this tool to generate a complete set of IR for the Linux kernel. After getting the IR, please enable --ignore-reachable when running the analyzer.
We ran our experiments on Linux kernel 5.5.3; the results might be different if you test on a different version of the Linux kernel.
Thanks for your reply, I will look into this tool. After adding --ignore-reachable, I get 88 structures, including all elastic objects shown in Table 4.
By the way, as you mentioned in the paper (in A.3):
We will make all these vulnerabilities available in virtual machines and release the exploits crafted by using elastic kernel objects.
However, I couldn't see them here. It would be very helpful if you could kindly provide the virtual machines which include those vulnerabilities (or part of them) you experimented on.
Thanks for the reminder. I will pack them up when I get time. You can find some samples here.
Thank you very much. I would like to subscribe to it. XD
Hi, I encountered some errors when using bitcodedst.py to generate IR for linux-5.5.3. It can generate IR for part of the source, but has errors for other parts. Could you provide any suggestions to help me sort this out? Thank you very much. I followed the instructions:
Besides, it has some errors about finding include files:
and I find the file i915_drv.h in drivers/gpu/drm/i915/i915_drv.h (similar errors for files in drivers/gpu/drm/i915/display, because they couldn't find include files in drivers/gpu/drm/i915).
Another specific example:
and I see
scripts/Makefile.build:484: recipe for target '__build' failed
in the error log many times. I looked into this but don't know why.
Here is my environment: