finished
hwk2077 committed May 12, 2023
1 parent bfb8894 commit 62671b0
Showing 2 changed files with 152 additions and 55 deletions.
193 changes: 142 additions & 51 deletions libs2eplugins/src/s2e/Plugins/uEmu/DataInputChannelDetector.cpp
Expand Up @@ -24,6 +24,8 @@ S2E_DEFINE_PLUGIN(DataInputChannelDetector, "DataInputChannelDetector S2E plugin
class DataInputChannelDetectorState : public PluginState {
private:
ReadPerifMap m_readPerifSizeMap;
PerifAddrToReadCntMap m_readCnt;
PerifAddrToReadCntMap m_readCntExterIRQ;

public:
DataInputChannelDetectorState() {
Expand Down Expand Up @@ -56,9 +58,42 @@ class DataInputChannelDetectorState : public PluginState {
m_readPerifSizeMap[perifAddr].first = size;
m_readPerifSizeMap[perifAddr].second++;
}

PerifAddrToReadCntMap getReadCnt() {
return m_readCnt;
}

uint32_t getCntReadCnt(uint32_t perifAddr) {
return m_readCnt[perifAddr];
}

void incReadCnt(uint32_t perifAddr) {
m_readCnt[perifAddr]++;
}

PerifAddrToReadCntMap getReadCntExterIRQ() {
return m_readCntExterIRQ;
}

uint32_t getCntReadExterCntIRQ(uint32_t perifAddr) {
return m_readCntExterIRQ[perifAddr];
}

void incReadCntExterIRQ(uint32_t perifAddr) {
m_readCntExterIRQ[perifAddr]++;
}

uint32_t getCntReadNotExterCntIRQ(uint32_t perifAddr) {
return m_readCnt[perifAddr] - m_readCntExterIRQ[perifAddr];
}
};

void DataInputChannelDetector::initialize() {
ConfigFile *cfg = s2e()->getConfig();
const auto ram = cfg->getIntegerList(getConfigKey() + ".ram");
m_ramRange.first = ram[0];
m_ramRange.second = ram[0] + ram[1];
getDebugStream() << "ram range: " << hexval(m_ramRange.first) << " - " << hexval(m_ramRange.second) << "\n";

m_symbolicHardwareConn = s2e()->getPlugin<hw::SymbolicHardware>();
m_symbolicHardwareConn->onSymbolicRegisterReadEvent.connect(
Expand All @@ -80,30 +115,21 @@ void DataInputChannelDetector::onMMIORead(S2EExecutionState *state, SymbolicHard
unsigned perifSize, uint32_t *val, bool *perifFlag, std::stringstream *ss) {
uint32_t pc = state->regs()->getPc();

// record all read phs
DECLARE_PLUGINSTATE(DataInputChannelDetectorState, state);
plgState->incReadPerifSizeMap(perifAddr, perifSize);

m_AllMMIOReadPerifPCToPerifSizeSetMap[perifAddr][pc].insert(perifSize);
plgState->incReadCnt(perifAddr);

if (state->regs()->getInterruptFlag() && state->regs()->getExceptionIndex() > 15) {
// external irq handle
getDebugStream() << "MMIO read in external IRQ: "
<< "[peripheral address: " << hexval(perifAddr) << "] "
<< "[pc: " << hexval(pc) << "] "
<< "[value: " << hexval(*val) << "] "
<< "\n";
m_IRQMMIOReadPerifPCToPerifSizeSetMap[perifAddr][pc].insert(perifSize);
}
for (const auto &it : m_IRQMMIOReadPerifPCToPerifSizeSetMap) {
for (const auto &it2 : it.second) {
getDebugStream() << "All peripherals read in IRQ: "
<< "[peripheral address: " << hexval(it.first) << "] "
<< "[pc: " << hexval(it2.first) << "] "
<< "\n";
for (const auto &it3 : it2.second) {
getDebugStream() << "[data size: " << it3 << "] "
<< "\n";
}
}
plgState->incReadCntExterIRQ(perifAddr);
m_ExterIRQMMIOReadPerifPCToPerifSizeSetMap[perifAddr][pc].insert(perifSize);
}
}

Expand All @@ -114,12 +140,21 @@ void DataInputChannelDetector::onSymbolicDataAccessConcreteMemory(S2EExecutionSt
<< "[symbolic value: " << symbVal << "] "
<< "\n";

if (!isWrite) {
getDebugStream() << "Not Write"
<< "\n";
return;
}
if (concreteAddr < m_ramRange.first || m_ramRange.second <= concreteAddr) {
getDebugStream() << "Not in RAM"
<< "\n";
return;
}

DECLARE_PLUGINSTATE(DataInputChannelDetectorState, state);
ReadPerifMap curStateReadPerifSizeMap = plgState->getReadPerifSizeMap();
ArrayVec results;
findSymbolicObjects(symbVal, results);
getDebugStream() << "[size of results: " << results.size() << "] "
<< "\n";
for (int i = results.size() - 1; i >= 0; --i) {
uint32_t perifAddr;
uint32_t pc;
Expand Down Expand Up @@ -148,13 +183,13 @@ void DataInputChannelDetector::onSymbolicDataAccessConcreteMemory(S2EExecutionSt
uint32_t val = condConcreteVal & (LSB - 1);

getDebugStream() << "solve symbolic value: "
<< "[peripheral address: " << hexval(perifAddr) << "]"
<< "[concrete address: " << hexval(perifAddr) << "]"
<< "[pc: " << hexval(pc) << "]"
<< "[hash of pc and context: " << hexval(hashVal) << "]"
<< "[number of value: " << no << "]"
<< "[value: " << hexval(val) << "]"
<< "\n";
identifyTB(perifAddr, pc);
identifyTB(state, perifAddr, pc);
}
}

Expand Down Expand Up @@ -215,23 +250,30 @@ void DataInputChannelDetector::onStateFork(S2EExecutionState *state, const std::
// IRQ
if (state->regs()->getInterruptFlag() && state->regs()->getExceptionIndex() > 15) {
// possible CR SR in IRQ
const auto &foundPossCRSR = m_IRQMMIOReadPerifPCToPerifSizeSetMap.find(perifAddr);
if (foundPossCRSR != m_IRQMMIOReadPerifPCToPerifSizeSetMap.end()) {
const auto &foundPossCRSR = m_ExterIRQMMIOReadPerifPCToPerifSizeSetMap.find(perifAddr);
if (foundPossCRSR != m_ExterIRQMMIOReadPerifPCToPerifSizeSetMap.end()) {
m_IRQMMIOReadPossCRSR[perifAddr].insert(pc);
getDebugStream() << "found a possible CR/SR peripheral in IRQ: "
<< "[peripheral address: " << hexval(perifAddr) << "] "
<< "[pc: " << hexval(pc) << "] "
<< "\n";
auto foundFalsePositive = m_DRDetected.find(perifAddr);
if (foundFalsePositive != m_DRDetected.end()) {
m_DRDetected.erase(foundFalsePositive);
getDebugStream() << "delete false positive: "
<< "[peripheral address: " << hexval(perifAddr) << "] "
<< "\n";
}
}
} else {
if (val != 0) {
m_IRQMMIOReadPerifPCToValSetMap[perifAddr][pc].insert(val);
m_PerifPCToValSetMap[perifAddr][pc].insert(val);
}
identifyTA(perifAddr, pc);
}
}
}
identifyTC();
identifyTC(state);
}

void DataInputChannelDetector::identifyTA(const uint32_t &perifAddr, const uint32_t &pc) {
Expand All @@ -251,27 +293,28 @@ void DataInputChannelDetector::identifyTA(const uint32_t &perifAddr, const uint3
getDebugStream() << "return, already identified as DR: " << hexval(perifAddr) << '\n';
return;
}
m_DRDetected[perifAddr][pc] = m_IRQMMIOReadPerifPCToPerifSizeSetMap[perifAddr][pc];
m_DRDetected[perifAddr][pc] = m_ExterIRQMMIOReadPerifPCToPerifSizeSetMap[perifAddr][pc];
getDebugStream() << "Identified by TA: "
<< "[peripheral address: " << hexval(perifAddr) << "] "
<< "[pc: " << hexval(pc) << "] "
<< "\n";
return;
}

const auto &foundOverlap = m_IRQMMIOReadPerifPCToPerifSizeSetMap.find(perifAddr);
if (foundOverlap == m_IRQMMIOReadPerifPCToPerifSizeSetMap.end()) {
const auto &foundOverlap = m_ExterIRQMMIOReadPerifPCToPerifSizeSetMap.find(perifAddr);
if (foundOverlap == m_ExterIRQMMIOReadPerifPCToPerifSizeSetMap.end()) {
getDebugStream() << "return, unable to find a overlap: " << hexval(perifAddr) << '\n';
return;
}
m_DRDetected[perifAddr][pc] = m_IRQMMIOReadPerifPCToPerifSizeSetMap[perifAddr][pc];
m_DRDetected[perifAddr][pc] = m_ExterIRQMMIOReadPerifPCToPerifSizeSetMap[perifAddr][pc];
getDebugStream() << "Identified by TA: "
<< "[peripheral address: " << hexval(perifAddr) << "] "
<< "[pc: " << hexval(pc) << "] "
<< "\n";
}

void DataInputChannelDetector::identifyTB(const uint32_t &perifAddr, const uint32_t &pc) {
void DataInputChannelDetector::identifyTB(S2EExecutionState *state, const uint32_t &perifAddr, const uint32_t &pc) {
// DECLARE_PLUGINSTATE(DataInputChannelDetectorState, state);
getDebugStream() << "identifyTB "
<< "[peripheral address: " << hexval(perifAddr) << "] "
<< "[pc: " << hexval(pc) << "] " << '\n';
Expand All @@ -288,35 +331,43 @@ void DataInputChannelDetector::identifyTB(const uint32_t &perifAddr, const uint3
getDebugStream() << "return, already identified as DR: " << hexval(perifAddr) << '\n';
return;
}
m_DRDetected[perifAddr][pc] = m_IRQMMIOReadPerifPCToPerifSizeSetMap[perifAddr][pc];
m_DRDetected[perifAddr][pc] = m_AllMMIOReadPerifPCToPerifSizeSetMap[perifAddr][pc];
getDebugStream() << "Identified by TB: "
<< "[peripheral address: " << hexval(perifAddr) << "] "
<< "[pc: " << hexval(pc) << "] "
<< "\n";
return;
}

const auto &foundOverlap = m_IRQMMIOReadPerifPCToPerifSizeSetMap.find(perifAddr);
if (foundOverlap == m_IRQMMIOReadPerifPCToPerifSizeSetMap.end()) {
const auto &foundOverlap = m_ExterIRQMMIOReadPerifPCToPerifSizeSetMap.find(perifAddr);
if (foundOverlap == m_ExterIRQMMIOReadPerifPCToPerifSizeSetMap.end()) {
getDebugStream() << "return, unable to find a overlap: " << hexval(perifAddr) << '\n';
return;
}
m_DRDetected[perifAddr][pc] = m_IRQMMIOReadPerifPCToPerifSizeSetMap[perifAddr][pc];
m_DRDetected[perifAddr][pc] = m_AllMMIOReadPerifPCToPerifSizeSetMap[perifAddr][pc];
getDebugStream() << "Identified by TB: "
<< "[peripheral address: " << hexval(perifAddr) << "] "
<< "[pc: " << hexval(pc) << "] "
<< "\n";
}

void DataInputChannelDetector::identifyTC() {
void DataInputChannelDetector::identifyTC(S2EExecutionState *state) {
DECLARE_PLUGINSTATE(DataInputChannelDetectorState, state);
getDebugStream() << "identifyTC" << '\n';
for (const auto &it : m_IRQMMIOReadPerifPCToValSetMap) {
for (const auto &it : m_PerifPCToValSetMap) {
const auto &foundPossIRQCRSR = m_IRQMMIOReadPossCRSR.find(it.first);
if (foundPossIRQCRSR != m_IRQMMIOReadPossCRSR.end()) {
getDebugStream() << "continue, peripheral is a possible CR/SR in IRQ: " << hexval(it.first) << '\n';
continue;
}
if (plgState->getCntReadNotExterCntIRQ(it.first) < 50) {
getDebugStream() << "continue, read counter not in External IRQ too small: "
<< plgState->getCntReadNotExterCntIRQ(it.first) << '\n';
continue;
}
getDebugStream() << "[peripheral address: " << hexval(it.first) << "] "
<< "[read counter not in External IRQ: " << plgState->getCntReadNotExterCntIRQ(it.first)
<< "] "
<< "\n";
for (const auto &it2 : it.second) {
const auto &foundSamePerif = m_DRDetected.find(it.first);
Expand All @@ -328,18 +379,9 @@ void DataInputChannelDetector::identifyTC() {
}
}

getDebugStream() << "[pc: " << hexval(it2.first) << "] "
<< "[same pc count: " << it2.second.size() << "] "
<< "\n";
if (it2.second.size() < 2) {
continue;
}
for (const auto &it3 : it2.second) {
getDebugStream() << "[value: " << hexval(it3) << "] ";
}
getDebugStream() << "\n";
if (it2.second.size() > 3) {
m_DRDetected[it.first][it2.first] = m_IRQMMIOReadPerifPCToPerifSizeSetMap[it.first][it2.first];
if (it2.second.size() >= 2) {
m_DRDetected[it.first][it2.first] = m_AllMMIOReadPerifPCToPerifSizeSetMap[it.first][it2.first];

getDebugStream() << "Identified by TC: "
<< "[peripheral address: " << hexval(it.first) << "] "
<< "\n";
Expand All @@ -351,8 +393,57 @@ void DataInputChannelDetector::identifyTC() {
void DataInputChannelDetector::onLearningTerminationDetection(S2EExecutionState *state, bool *actualEnd,
uint64_t tbNum) {
getDebugStream() << "onLearningTerminationDetection" << '\n';
// if(*actualEnd) {
// }
// if(*actualEnd) {
// }
getDebugStream() << "All peripherals MMIO Read: "
<< "\n";
for (const auto &it : m_AllMMIOReadPerifPCToPerifSizeSetMap) {
for (const auto &it2 : it.second) {
for (const auto &it3 : it2.second) {
getDebugStream() << "[peripheral address: " << hexval(it.first) << "] "
<< "[pc: " << hexval(it2.first) << "] "
<< "[data size: " << it3 << "] "
<< "\n";
}
}
}

getDebugStream() << "All peripherals MMIO Read in external IRQ: "
<< "\n";
for (const auto &it : m_ExterIRQMMIOReadPerifPCToPerifSizeSetMap) {
for (const auto &it2 : it.second) {
for (const auto &it3 : it2.second) {
getDebugStream() << "[peripheral address: " << hexval(it.first) << "] "
<< "[pc: " << hexval(it2.first) << "] "
<< "[data size: " << it3 << "] "
<< "\n";
}
}
}

getDebugStream() << "All possible CR SR: "
<< "\n";
for (const auto &it : m_IRQMMIOReadPossCRSR) {
getDebugStream() << "[peripheral address: " << hexval(it.first) << "] "
<< "\n";
}

getDebugStream() << "All multi-value Reg: "
<< "\n";
for (const auto &it : m_PerifPCToValSetMap) {
getDebugStream() << "[peripheral address: " << hexval(it.first) << "] "
<< "\n";
for (const auto &it2 : it.second) {
getDebugStream() << "[pc: " << hexval(it2.first) << "] "
<< "[same pc count: " << it2.second.size() << "] "
<< "\n";
for (const auto &it3 : it2.second) {
getDebugStream() << "[value: " << hexval(it3) << "] "
<< "\n";
}
}
}

saveKBtoFile(state, tbNum);
}

Expand Down Expand Up @@ -409,17 +500,17 @@ void DataInputChannelDetector::saveKBtoFile(S2EExecutionState *state, uint64_t t
getWarningsStream() << "Unable to open file: " << fileName << "\n";
exit(0);
}
for (const auto &it: m_DRDetected) {
for (const auto &it2: it.second) {
for (const auto &it3: it2.second) {
for (const auto &it : m_DRDetected) {
for (const auto &it2 : it.second) {
for (const auto &it3 : it2.second) {
// dr_perifAddr_pc_size
getDebugStream() << "dr_" << hexval(it.first) << "_" << hexval(it2.first) << "_" << hexval(it3) << "\n";
fKB << "dr_" << hexval(it.first) << "_" << hexval(it2.first) << "_" << hexval(it3) << std::endl;
}
}
}
fKB.close();
}


} // namespace plugins
} // namespace s2e
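Review bot: In the first hunk of initialize(), `ram[0]` and `ram[1]` are read straight out of the list returned by `cfg->getIntegerList(getConfigKey() + ".ram")` with no check that the key exists or holds two entries, so a missing or one-element `.ram` entry in the Lua config is an out-of-bounds read on a std::vector rather than a clear configuration error. Since m_ramRange now gates which symbolic writes onSymbolicDataAccessConcreteMemory considers (`concreteAddr < m_ramRange.first || m_ramRange.second <= concreteAddr`), a silently garbage range would make the detector drop or accept writes unpredictably. I would validate before indexing, mirroring the file's existing open-failure style: `if (ram.size() < 2) { getWarningsStream() << "config key " << getConfigKey() << ".ram must list base and size\n"; exit(-1); }`. It is also worth a short comment on the two assignments that the range is half-open, `[base, base + size)`, since the RAM check later in the file relies on exactly that convention.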
