moralismercatus / crete

Open source concolic testing tool for binaries

crete_make_symbolic not captured after direct call from crete_make_concolic #89

Open moralismercatus opened 9 years ago

moralismercatus commented 9 years ago

I attempted to call crete_make_symbolic() from crete_make_concolic() as follows:

void crete_make_concolic(...)
{
...relay concolic data info to qemu...
crete_make_symbolic();
}

However, the generated custom instruction was not captured. Note that crete_make_concolic() must not be captured, so it was not placed in the filter include list. Then, I tried the following:

void crete_make_symbolic_internal()
{ 
crete_make_symbolic();
}

void crete_make_concolic(...)
{
...relay concolic data info to qemu...
crete_make_symbolic_internal();
}

I included crete_make_symbolic_internal() in the filter list. This worked as expected.

What this indicates is that included functions called directly from excluded functions are not captured! More testing needed.

This could be very serious: if execution filtering traverses included and excluded function calls, important information could be missed.

moralismercatus commented 7 years ago

Is this still relevant since use of taint analysis was introduced?