Eager for the VM of BOPC #13

Open
yingchuan-d opened this issue Mar 15, 2021 · 2 comments

@yingchuan-d

This is great work, and my research is relevant to BOP. I have tried to reproduce BOPC, but I can't run it because of an error in angr, so in the end I failed. I hope you can tell me how to get the BOPC virtual machine mentioned in your slides. @balbassam

@balbassam

We'd love to help.

Currently we are trying to figure out where to host the VM. So it may take time.

In the meantime, can you please provide us with more information about the angr issue you are facing?

@yingchuan-d

When I use "./source/BOPC.py -dd --binary nginx1 --source infloop.spl --abstractions load --entry 0x41c750 --format gdb" to try to find a payload, I run into the issue. It looks like this:

[14:30:22,633] [WARNING] RSVP concretized but it has an invalid address '0x100'.
PRIOR VALUE at 0xd8002200L :: <BV64 mem_d8002200_416_64{UNINITIALIZED}>
[14:30:22,644] [+] Writing RSVP *0xd8002200 = 0x0
[14:30:22,646] [+] Simluation a loop, starting from 0x41cc5f ...
[14:32:59,772] [*] Trying subpath (15): 0x41cc5f -> 0x41cc79 -> 0x41cc7f -> 0x41ca27 -> 0x41ca2c -> 0x4027d0 -> 0x1000308 -> 0x41ca40 -> 0x41ca4b -> 0x41ca50 -> 0x41cb46 -> 0x41cb50 -> 0x41cb5b -> 0x41cbe6 -> 0x41cc48 -> 0x41cc5f -> 0x41cc79 -> 0x41cc7f -> 0x41ca27 -> 0x41ca2c -> 0x4027d0 -> 0x1000308 -> 0x41ca40 -> 0x41ca4b -> 0x41ca50 -> 0x41cb46 -> 0x41cb50 -> 0x41cb5b -> 0x41cbe6 -> 0x41cc48 -> 0x41cc5f -> 0x41cc79 -> 0x41cc7f -> 0x41ca27 -> 0x41ca2c -> 0x4027d0 -> 0x1000308 -> 0x41ca40 -> 0x41ca4b -> 0x41ca50 -> 0x41cb46 -> 0x41cb50 -> 0x41cb5b -> 0x41cbe6 -> 0x41cc48
state.inspect.mem_read_address <BV64 0x688928>
state.inspect.mem_read_address <BV64 mem_688928_403_64 + 0x100>
WARNING | 2020-12-28 14:32:59,785 | angr.engines.vex.engine | 0x41cc5f hit an error while analyzing statement 9
Traceback (most recent call last):
  File "/home/dyc_lab/.virtualenvs/angr/local/lib/python2.7/site-packages/angr/engines/vex/engine.py", line 257, in _handle_irsb
    self._handle_statement(state, successors, stmt)
  File "/home/dyc_lab/.virtualenvs/angr/local/lib/python2.7/site-packages/angr/engines/vex/engine.py", line 363, in _handle_statement
    s_stmt = translate_stmt(stmt, state)
  File "/home/dyc_lab/.virtualenvs/angr/local/lib/python2.7/site-packages/angr/engines/vex/statements/__init__.py", line 29, in translate_stmt
    s.process()
  File "/home/dyc_lab/.virtualenvs/angr/local/lib/python2.7/site-packages/angr/engines/vex/statements/base.py", line 37, in process
    self._execute()
  File "/home/dyc_lab/.virtualenvs/angr/local/lib/python2.7/site-packages/angr/engines/vex/statements/wrtmp.py", line 6, in _execute
    data = self._translate_expr(self.stmt.data)
  File "/home/dyc_lab/.virtualenvs/angr/local/lib/python2.7/site-packages/angr/engines/vex/statements/base.py", line 44, in _translate_expr
    e = translate_expr(expr, self.state)
  File "/home/dyc_lab/.virtualenvs/angr/local/lib/python2.7/site-packages/angr/engines/vex/expressions/__init__.py", line 14, in translate_expr
    e.process()
  File "/home/dyc_lab/.virtualenvs/angr/local/lib/python2.7/site-packages/angr/engines/vex/expressions/base.py", line 35, in process
    self._execute()
  File "/home/dyc_lab/.virtualenvs/angr/local/lib/python2.7/site-packages/angr/engines/vex/expressions/load.py", line 28, in _execute
    self.expr = self.state.memory.load(addr.expr, size, endness=self._expr.endness)
  File "/home/dyc_lab/.virtualenvs/angr/local/lib/python2.7/site-packages/angr/storage/memory.py", line 745, in load
    mem_read_condition=condition_e
  File "/home/dyc_lab/.virtualenvs/angr/local/lib/python2.7/site-packages/angr/sim_state.py", line 252, in _inspect
    self.inspect.action(*args, **kwargs)
  File "/home/dyc_lab/.virtualenvs/angr/local/lib/python2.7/site-packages/angr/state_plugins/inspect.py", line 249, in action
    bp.fire(self.state)
  File "/home/dyc_lab/.virtualenvs/angr/local/lib/python2.7/site-packages/angr/state_plugins/inspect.py", line 201, in fire
    self.action(state)
  File "/home/dyc_lab/BOPC/source/simulate.py", line 515, in __dbg_read_hook
    self.__alloc_un(state, state.inspect.mem_read_address)
  File "/home/dyc_lab/BOPC/source/simulate.py", line 371, in __alloc_un
    addr = state.se.eval(symv)                  # try to concretize it
  File "/home/dyc_lab/.virtualenvs/angr/local/lib/python2.7/site-packages/angr/state_plugins/solver.py", line 706, in eval
    return self.eval_upto(e, 1, **kwargs)[0]
  File "/home/dyc_lab/.virtualenvs/angr/local/lib/python2.7/site-packages/angr/state_plugins/solver.py", line 689, in eval_upto
    cast_vals = [self._cast_to(e, v, cast_to) for v in self._eval(e, n, **kwargs)]
  File "/home/dyc_lab/.virtualenvs/angr/local/lib/python2.7/site-packages/angr/state_plugins/solver.py", line 155, in concrete_shortcut_tuple
    return f(self, *args, **kwargs)
  File "/home/dyc_lab/.virtualenvs/angr/local/lib/python2.7/site-packages/angr/state_plugins/sim_action_object.py", line 53, in ast_stripper
    return f(*new_args, **new_kwargs)
  File "/home/dyc_lab/.virtualenvs/angr/local/lib/python2.7/site-packages/angr/state_plugins/solver.py", line 86, in wrapped_f
    return f(*args, **kwargs)
  File "/home/dyc_lab/.virtualenvs/angr/local/lib/python2.7/site-packages/angr/state_plugins/solver.py", line 481, in _eval
    return self._solver.eval(e, n, extra_constraints=self._adjust_constraint_list(extra_constraints), exact=exact)
  File "/home/dyc_lab/.virtualenvs/angr/local/lib/python2.7/site-packages/claripy/frontend_mixins/concrete_handler_mixin.py", line 7, in eval
    return super(ConcreteHandlerMixin, self).eval(e, n, **kwargs)
  File "/home/dyc_lab/.virtualenvs/angr/local/lib/python2.7/site-packages/claripy/frontend_mixins/constraint_filter_mixin.py", line 40, in eval
    return super(ConstraintFilterMixin, self).eval(e, n, extra_constraints=ec, **kwargs)
  File "/home/dyc_lab/.virtualenvs/angr/local/lib/python2.7/site-packages/claripy/frontend_mixins/sat_cache_mixin.py", line 56, in eval
    extra_constraints=extra_constraints, **kwargs
  File "/home/dyc_lab/.virtualenvs/angr/local/lib/python2.7/site-packages/claripy/frontend_mixins/simplify_helper_mixin.py", line 13, in eval
    return super(SimplifyHelperMixin, self).eval(e, n, *args, **kwargs)
  File "/home/dyc_lab/.virtualenvs/angr/local/lib/python2.7/site-packages/claripy/frontend_mixins/constraint_expansion_mixin.py", line 12, in eval
    **kwargs
  File "/home/dyc_lab/.virtualenvs/angr/local/lib/python2.7/site-packages/claripy/frontends/composite_frontend.py", line 281, in eval
    self._ensure_sat(extra_constraints=extra_constraints)
  File "/home/dyc_lab/.virtualenvs/angr/local/lib/python2.7/site-packages/claripy/frontends/composite_frontend.py", line 259, in _ensure_sat
    raise UnsatError("CompositeSolver is already unsat")
SimUnsatError: ('Got an unsat result', <class 'claripy.errors.UnsatError'>, UnsatError('CompositeSolver is already unsat',))
Stashes defaultdict(<type 'list'>, {'pruned': [], 'deadended': [<SimState @ 0x41cc5f>], 'active': [], 'unconstrained': [], 'errored': [], 'unsat': [], 'stashed': []})
