ucsb-seclab / heapster

Identify and test the security of dynamic memory allocators in monolithic firmware images

No vulnerabilities found in PoC blob #2

Closed NicolasFNino closed 6 months ago

NicolasFNino commented 7 months ago

Hello there,

I am trying your tool on the toy firmware that is used for the example commands. Everything seems to be working as expected until I try to trace the example PoC with HeapHopper, where it does not recognize a vulnerability but in the example it is implied that it should.

I would appreciate it if you could let me know whether I am doing something wrong or whether it might be a configuration issue.

Thanks a lot.

```
~/heapster# python3 /root/heapster/heaphopper/heaphopper_client.py trace -c /root/heapster/heaphopper_analyses/p2im_drone.bin/p2im_drone.bin_fake_free_3/analysis_bad_alloc.yaml -b /root/heapster/heaphopper_analyses/p2im_drone.bin/p2im_drone.bin_fake_free_3/zoo_dir/bin/2.bin
WARNING | 2024-01-29 19:59:57,430 | heap-tracer | Config at <_io.TextIOWrapper name='/root/heapster/heaphopper_analyses/p2im_drone.bin/p2im_drone.bin_fake_free_3/analysis_bad_alloc.yaml' mode='r' encoding='UTF-8'>
CRITICAL | 2024-01-29 19:59:57,444 | heap-tracer | Loading project file at /root/fw-dataset/ground_truth/p2im_drone.bin/hb_analysis/p2im_drone.bin.proj
WARNING | 2024-01-29 19:59:57,566 | cle.backends.elf.elf | User specified <Arch ARMCortexM (LE)> but autodetected <Arch ARMHF (LE)>. Proceed with caution.
INFO | 2024-01-29 19:59:57,600 | cle.loader | Loading libc.so.6...
INFO | 2024-01-29 19:59:57,601 | cle.loader | ... not found
INFO | 2024-01-29 19:59:57,601 | cle.loader | Linking /root/heapster/heaphopper_analyses/p2im_drone.bin/p2im_drone.bin_fake_free_3/zoo_dir/bin/2.bin
INFO | 2024-01-29 19:59:57,601 | cle.loader | Linking /root/fw-dataset/ground_truth/p2im_drone.bin/p2im_drone.bin
INFO | 2024-01-29 19:59:57,601 | cle.loader | Linking ram
INFO | 2024-01-29 19:59:57,601 | cle.loader | Linking mmio
WARNING | 2024-01-29 19:59:57,601 | cle.loader | The main binary is a position-independent executable. It is being loaded with a base address of 0x400000.
INFO | 2024-01-29 19:59:57,601 | cle.loader | Mapping /root/heapster/heaphopper_analyses/p2im_drone.bin/p2im_drone.bin_fake_free_3/zoo_dir/bin/2.bin at 0x400000
INFO | 2024-01-29 19:59:57,601 | cle.loader | Mapping /root/fw-dataset/ground_truth/p2im_drone.bin/p2im_drone.bin at 0x8000000
INFO | 2024-01-29 19:59:57,601 | cle.loader | Mapping cle##externs at 0x500000
INFO | 2024-01-29 19:59:57,603 | cle.loader | Linking cle##externs
INFO | 2024-01-29 19:59:57,603 | cle.loader | Mapping cle##externs at 0x600000
INFO | 2024-01-29 19:59:57,604 | cle.loader | Linking cle##tls
INFO | 2024-01-29 19:59:57,604 | cle.loader | Mapping cle##tls at 0x700000
INFO | 2024-01-29 19:59:57,604 | cle.loader | Mapping cle##kernel at 0x800000
INFO | 2024-01-29 19:59:57,604 | heap-tracer | [+]PoC and Blob loaded inside HeapHopper
INFO | 2024-01-29 19:59:57,605 | heap-tracer | [+] PoC Entry Point at [0x400445]
INFO | 2024-01-29 19:59:57,605 | heap-tracer | [+] PoC Arch [ARMCortexM]
INFO | 2024-01-29 19:59:57,605 | heap-tracer | [+] PoC Initial Stack Pointer [0x20005000]
INFO | 2024-01-29 19:59:57,605 | heap-tracer | [+] PoC Regions:
INFO | 2024-01-29 19:59:57,605 | heap-tracer | [+] Region 0: <ELF Object 2.bin, maps [0x400000:0x4110a7]>
INFO | 2024-01-29 19:59:57,605 | heap-tracer | [+] Region 1: <ExternObject Object cle##externs, maps [0x500000:0x500009]>
INFO | 2024-01-29 19:59:57,605 | heap-tracer | [+] Region 2: <ExternObject Object cle##externs, maps [0x600000:0x608000]>
INFO | 2024-01-29 19:59:57,605 | heap-tracer | [+] Region 3: <ELFTLSObjectV1 Object cle##tls, maps [0x700000:0x705808]>
INFO | 2024-01-29 19:59:57,605 | heap-tracer | [+] Region 4: <KernelObject Object cle##kernel, maps [0x800000:0x808000]>
INFO | 2024-01-29 19:59:57,605 | heap-tracer | [+] Region 5: <Blob Object p2im_drone.bin, maps [0x8000000:0x80079c0]>
INFO | 2024-01-29 19:59:57,605 | heap-tracer | [+] Region 6: <NamedRegion ram, maps [0x1fff0000:0x30000000]>
INFO | 2024-01-29 19:59:57,605 | heap-tracer | [+] Region 7: <NamedRegion mmio, maps [0x40000000:0x50000000]>
INFO | 2024-01-29 19:59:57,633 | heaphopper.angr_tools | Updating memory with following pages:
INFO | 2024-01-29 19:59:57,633 | heap-tracer | Heap base address is at 0x20001698
INFO | 2024-01-29 19:59:57,635 | heap-tracer | Setupping HeapHopper initial state
INFO | 2024-01-29 19:59:57,635 | heap-tracer | ctrl_data_0 at 0x411068
INFO | 2024-01-29 19:59:57,635 | heap-tracer | ctrl_data_1 at 0x411070
INFO | 2024-01-29 19:59:57,635 | heap-tracer | Storing mem2chunk_offset value <BV32 0x4> at 0x411050
INFO | 2024-01-29 19:59:57,636 | heap-tracer | Storing sym_data value at 0x411078
INFO | 2024-01-29 19:59:57,636 | heap-tracer | Storing sym_data value at 0x41107c
INFO | 2024-01-29 19:59:57,637 | heap-tracer | Storing sym_data value at 0x411080
INFO | 2024-01-29 19:59:57,637 | heap-tracer | Storing sym_data value at 0x411084
INFO | 2024-01-29 19:59:57,637 | heap-tracer | Storing sym_data value at 0x411088
INFO | 2024-01-29 19:59:57,638 | heap-tracer | Storing sym_data value at 0x41108c
INFO | 2024-01-29 19:59:57,638 | heap-tracer | Storing sym_data value at 0x411090
INFO | 2024-01-29 19:59:57,639 | heap-tracer | Storing sym_data value at 0x411094
INFO | 2024-01-29 19:59:57,640 | heap-tracer | Storing write_mem_element value at 0x411008
INFO | 2024-01-29 19:59:57,640 | heap-tracer | Storing write_mem_element value at 0x41100c
INFO | 2024-01-29 19:59:57,641 | heap-tracer | Storing write_mem_element value at 0x411010
INFO | 2024-01-29 19:59:57,641 | heap-tracer | Storing write_mem_element value at 0x411014
INFO | 2024-01-29 19:59:57,641 | heap-tracer | Storing write_mem_element value at 0x411018
INFO | 2024-01-29 19:59:57,642 | heap-tracer | Storing write_mem_element value at 0x41101c
INFO | 2024-01-29 19:59:57,642 | heap-tracer | Storing write_mem_element value at 0x411020
INFO | 2024-01-29 19:59:57,643 | heap-tracer | Storing write_mem_element value at 0x411024
INFO | 2024-01-29 19:59:57,643 | heap-tracer | Storing write_mem_element value at 0x411028
INFO | 2024-01-29 19:59:57,644 | heap-tracer | Storing write_mem_element value at 0x41102c
INFO | 2024-01-29 19:59:57,644 | heap-tracer | Storing write_mem_element value at 0x411030
INFO | 2024-01-29 19:59:57,644 | heap-tracer | Storing write_mem_element value at 0x411034
INFO | 2024-01-29 19:59:57,645 | heap-tracer | Storing write_mem_element value at 0x411038
INFO | 2024-01-29 19:59:57,645 | heap-tracer | Storing write_mem_element value at 0x41103c
INFO | 2024-01-29 19:59:57,646 | heap-tracer | Storing write_mem_element value at 0x411040
INFO | 2024-01-29 19:59:57,646 | heap-tracer | Storing write_mem_element value at 0x411044
INFO | 2024-01-29 19:59:57,646 | heap-tracer | Storing header_size value <BV32 0x4> at 0x41104c [4264020, 4264024]
INFO | 2024-01-29 19:59:57,648 | heap-tracer | Storing malloc_size value at 0x411054
INFO | 2024-01-29 19:59:57,649 | heap-tracer | Storing malloc_size value at 0x411058
INFO | 2024-01-29 19:59:57,649 | heap-tracer | Storing fill_size value <BV32 0x0> at 0x41105c
INFO | 2024-01-29 19:59:57,650 | heap-tracer | Storing fill_size value <BV32 0x0> at 0x411060
INFO | 2024-01-29 19:59:57,651 | heap-tracer | Storing at 0x411098
INFO | 2024-01-29 19:59:57,652 | heap-tracer | Storing at 0x41109c
INFO | 2024-01-29 19:59:57,652 | heap-tracer | Storing at 0x4110a0
INFO | 2024-01-29 19:59:57,830 | heap-tracer | [+] State is configured. Ready to execute.
INFO | 2024-01-29 19:59:57,830 | heap-tracer | [+] Starting HeapHopper with timeout [1800] secs
INFO | 2024-01-29 19:59:57,830 | angr.sim_manager | Stepping active of <SimulationManager with 1 active>
DEBUG | 2024-01-29 19:59:57,833 | HHExecutor | [+] State to step is <SimState @ 0x400445>
INFO | 2024-01-29 19:59:57,923 | angr.sim_manager | Stepping active of <SimulationManager with 1 active>
DEBUG | 2024-01-29 19:59:57,925 | HHExecutor | [+] State to step is <SimState @ 0x400408>
INFO | 2024-01-29 19:59:57,929 | angr.sim_manager | Stepping active of <SimulationManager with 1 active>
DEBUG | 2024-01-29 19:59:57,931 | HHExecutor | [+] State to step is <SimState @ 0x500000>
DEBUG | 2024-01-29 19:59:58,150 | HHExecutor | [+] Reached address 0xdeadbeef
DEBUG | 2024-01-29 19:59:58,151 | HHExecutor | [!] Reached end of function. Exiting.
INFO | 2024-01-29 19:59:58,151 | heap-tracer | [+] HeapHopper terminated!
INFO | 2024-01-29 19:59:58,151 | heap-tracer | Found 0 vulns
INFO | 2024-01-29 19:59:58,151 | heap-tracer | These are the errored state:
END-METADATA-EXPERIMENTS
POC-TRACING-TOTAL-TIME: 0.32115936279296875

EXPERIMENT-TOTAL-TIME: 0.7213466167449951
```

And this is the hb_state.json:

```json
{
  "timestamp": "2024-01-29T18:28:31.803831",
  "dir_name": "/root/fw-dataset/ground_truth/p2im_drone.bin",
  "blob_name": "p2im_drone.bin",
  "hb_folder": "/root/fw-dataset/ground_truth/p2im_drone.bin/hb_analysis",
  "blob_project": "/root/fw-dataset/ground_truth/p2im_drone.bin/hb_analysis/p2im_drone.bin.proj",
  "base_address": 134217728,
  "blob_entry_point": "0x80052b5",
  "blob_stack_pointer": "0x20005000",
  "num_of_functions": 190,
  "bf_candidates": [
    {"name": "IdentifiableMemcpy", "pointer_regs": ["r0", "r1"], "addr": [134240637, 134240659]},
    {"name": "IdentifiableReverseMemcpy", "pointer_regs": [], "addr": []},
    {"name": "IdentifiableMemset", "pointer_regs": [], "addr": []},
    {"name": "IdentifiableReverseMemset", "pointer_regs": [], "addr": []},
    {"name": "IdentifiableMemcmp", "pointer_regs": [], "addr": []},
    {"name": "IdentifiableStrlen", "pointer_regs": ["r0"], "addr": [134218065]},
    {"name": "IdentifiableStrncat", "pointer_regs": [], "addr": []},
    {"name": "IdentifiableStrcat", "pointer_regs": [], "addr": []},
    {"name": "IdentifiableStrncpy", "pointer_regs": [], "addr": []}
  ],
  "find_bf_timestamp": "2024-01-29T18:34:07.617731",
  "identify_pointers_timestamp": "2024-01-29T18:48:34.426008",
  "pointer_sources": ["0x8005a61", "0x8005b69", "0x8007609"],
  "calls_analyzed": ["0x8005a61", "0x8005b69", "0x8007609"],
  "caller_analyzed": ["0x8005449", "0x8005349", "0x800402d", "0x8005391", "0x80047b1", "0x8004fd9", "0x8005b1d"],
  "discovery_contributions": {
    "IdentifiableMemcpy": ["0x8005a61", "0x8005b69", "0x8007609"],
    "IdentifiableReverseMemcpy": [],
    "IdentifiableMemset": [],
    "IdentifiableReverseMemset": [],
    "IdentifiableMemcmp": [],
    "IdentifiableStrlen": [],
    "IdentifiableStrncat": [],
    "IdentifiableStrcat": [],
    "IdentifiableStrncpy": []
  },
  "working_pointer_sources": [
    {
      "ps_addr": 134240865,
      "ps_ct": {"r1": 64, "r0": 8},
      "hi_addr": 134238901,
      "dump_name": "/root/fw-dataset/ground_truth/p2im_drone.bin/hb_analysis/0x8005a61_0x80052b5_mem_dump.mem",
      "needs_unpacked_data": false
    },
    {
      "ps_addr": 134241129,
      "ps_ct": {"r0": 8, "r1": 8},
      "hi_addr": 134238901,
      "dump_name": "/root/fw-dataset/ground_truth/p2im_drone.bin/hb_analysis/0x8005b69_0x80052b5_mem_dump.mem",
      "needs_unpacked_data": false
    },
    {
      "ps_addr": 134247945,
      "ps_ct": {"r0": 8},
      "hi_addr": 134238901,
      "dump_name": "/root/fw-dataset/ground_truth/p2im_drone.bin/hb_analysis/0x8007609_0x80052b5_mem_dump.mem",
      "needs_unpacked_data": false
    }
  ],
  "best_hml_pairs": [
    {
      "malloc": "0x8005a61",
      "free": "0x80059c9",
      "hi": "0x80052b5",
      "mem_dump_path": "/root/fw-dataset/ground_truth/p2im_drone.bin/hb_analysis/0x8005a61_0x80052b5_mem_dump.mem",
      "malloc_ct": {"r1": 64, "r0": 8},
      "free_ct": {"r0": "TOP", "r1": "TOP"}
    }
  ],
  "malloc_args_info_constraints_proto": {"r1": 3, "r0": 1},
  "malloc_args_info_usages_proto": {},
  "free_args_info_constraints_proto": {"r0": 1, "r1": 3},
  "free_args_info_usages_proto": {},
  "final_allocator": {
    "malloc": "0x8005a61",
    "free": "0x80059c9",
    "hi": "0x80052b5",
    "mem_dump_path": "/root/fw-dataset/ground_truth/p2im_drone.bin/hb_analysis/0x8005a61_0x80052b5_mem_dump.mem",
    "malloc_ct": {"r1": 64, "r0": 8},
    "free_ct": {"r0": "TOP", "r1": "TOP"}
  },
  "malloc_prototype": "{\"ret\": \"r0\", \"arg_0\": \"arg_0\", \"arg_1\": \"size\"}",
  "malloc_prototype_string": "\"unsigned int * malloc(size_t arg_0,int size)\"",
  "free_prototype": "{\"arg_0\": \"arg_0\", \"arg_1\": \"ptr_to_free\"}",
  "free_prototype_string": "\"void free(size_t arg_0,unsigned int * arg_1)\"",
  "malloc_call": "malloc(malloc_sym_args[{}][{}],malloc_sizes[{}])",
  "free_call": "free(free_sym_args[{}][{}],ctrl_data_{}.global_var)",
  "fake_free_call": "free(free_sym_args[{}][{}],((uint8_t *) &sym_data.data) + mem2chunk_offset)",
  "double_free_call": "free(free_sym_args[{}][{}],ctrl_data_{}.global_var)",
  "malloc_unknown_arguments": 1,
  "malloc_unknown_arguments_vals": {"r0": [65536]},
  "free_unknown_arguments": 1,
  "free_unknown_arguments_vals": {"r0": [65536]},
  "malloc_to_hook_funcs": [],
  "free_to_hook_funcs": [],
  "heap_base": 536876696,
  "heap_grow_direction": ">",
  "mem2chunk_offset": 4,
  "header_size": 4,
  "allocator_works": 1
}
```

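As an added example (not part of the issue thread or of the Heapster code), the script below loads an hb_state.json like the one quoted above, decodes the `*_prototype` fields (which are JSON documents stored as strings), normalizes the mix of decimal and `0x` addresses, and cross-checks the chosen `final_allocator` against the discovery results, which is the first thing to verify when a PoC trace reports zero vulns. The sample state is a trimmed copy of the one in the issue, and the mapping of `arg_N` to register `rN` is an assumption (AAPCS on Cortex-M).

```python
import json

# Constructed sample: a trimmed subset of the hb_state.json quoted in the issue above.
SAMPLE_HB_STATE = r'''{
 "pointer_sources": ["0x8005a61", "0x8005b69", "0x8007609"],
 "working_pointer_sources": [
  {"ps_addr": 134240865, "ps_ct": {"r1": 64, "r0": 8}, "hi_addr": 134238901},
  {"ps_addr": 134241129, "ps_ct": {"r0": 8, "r1": 8}, "hi_addr": 134238901},
  {"ps_addr": 134247945, "ps_ct": {"r0": 8}, "hi_addr": 134238901}],
 "final_allocator": {"malloc": "0x8005a61", "free": "0x80059c9", "hi": "0x80052b5",
  "malloc_ct": {"r1": 64, "r0": 8}, "free_ct": {"r0": "TOP", "r1": "TOP"}},
 "malloc_prototype": "{\"ret\": \"r0\", \"arg_0\": \"arg_0\", \"arg_1\": \"size\"}",
 "heap_base": 536876696, "mem2chunk_offset": 4, "header_size": 4, "allocator_works": 1
}'''

def to_int(addr):
    """Addresses appear both as decimal ints and as '0x..' strings; normalize to int."""
    return addr if isinstance(addr, int) else int(addr, 16)

def load_hb_state(text):
    """Parse hb_state.json; the *_prototype fields are JSON stored as strings, so decode twice."""
    state = json.loads(text)
    for key in ("malloc_prototype", "free_prototype"):
        if isinstance(state.get(key), str):
            state[key] = json.loads(state[key])
    return state

def summarize(state):
    """Pull out the values a reviewer compares against the HeapHopper trace log."""
    alloc = state["final_allocator"]
    # Assumption: arg_N of the prototype is passed in register rN (AAPCS on Cortex-M).
    size_arg = next(k for k, v in state["malloc_prototype"].items() if v == "size")
    size_reg = "r" + size_arg.split("_")[1]
    return {"malloc": hex(to_int(alloc["malloc"])), "free": hex(to_int(alloc["free"])),
            "size_reg": size_reg, "size_seen": alloc["malloc_ct"].get(size_reg),
            "heap_base": hex(state["heap_base"])}

def check_allocator(state):
    """Cross-check final_allocator against the discovery results; return a list of findings."""
    findings, alloc = [], state["final_allocator"]
    malloc = to_int(alloc["malloc"])
    if malloc not in {to_int(a) for a in state["pointer_sources"]}:
        findings.append("malloc %#x is not one of the discovered pointer_sources" % malloc)
    wps = {to_int(w["ps_addr"]): w for w in state["working_pointer_sources"]}
    if malloc in wps:
        if wps[malloc]["ps_ct"] != alloc["malloc_ct"]:
            findings.append("malloc_ct disagrees with the working_pointer_sources entry")
        if to_int(wps[malloc]["hi_addr"]) != to_int(alloc["hi"]):
            findings.append("hi_addr and final_allocator.hi name different heap-init functions")
    return findings
```

On the state quoted in the issue the checks pass and `heap_base` decodes to 0x20001698, the same value the trace log prints as the heap base address.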
degrigis commented 6 months ago

(Addressed via email)

@NicolasFNino let me know if you are good :)