Now that the instrumenter has options --no-return and --no-function, we get much shorter traces. Most of the time, function calls and returns are reconstructable, so it would be nice to actually have a script that could reconstruct them. Adding extra --short-circuit elements would be nice, too.
We could make it as an extra option for print_trace.py.
Note that this is a bit different from the current print trace, because we additionally have to use the traced software. The idea is to use a light symbolic execution approach: Ignore symbolic memory loads and stores, just follow the trace and report any extra trace elements on the way. angr has the state mode fastpath that should do this job, see here.
lks9
commented
11 months ago
Now that the instrumenter has options
--no-returnand--no-function, we get much shorter traces. Most of the time, function calls and returns are reconstructable, so it would be nice to actually have a script that could reconstruct them. Adding extra--short-circuitelements would be nice, too.We could make it as an extra option for
print_trace.py. Note that this is a bit different from the current print trace, because we additionally have to use the traced software. The idea is to use a light symbolic execution approach: Ignore symbolic memory loads and stores, just follow the trace and report any extra trace elements on the way. angr has the state modefastpaththat should do this job, see here.