ucsb-seclab / karonte

Karonte is a static analysis tool to detect multi-binary vulnerabilities in embedded firmware
BSD 2-Clause "Simplified" License

The result of running with Docker is different from the result in the database #10

Closed puzhuoliu closed 3 years ago

puzhuoliu commented 3 years ago

Hello. I used Docker to run D-Link's DIR-880 firmware. Why is the result obtained different from the result in the database? In the results, no dangerous loops were found in cgibin, but several buffer overflows were found. I want to know what special configuration is needed.

badnack commented 3 years ago

Karonte's runs are not 100% deterministic. By default, Karonte analyzes each function up to a certain time limit, and, because of this, some paths might be left unexplored. On top of this, the paths traveled in each run are picked randomly, so it can happen that in a run you'll visit different paths than in another run.

Another source of non-determinism is the fact that each run might concretize symbolic variables and addresses with different values (still in compliance with the current symbolic state).