dwarfcore.detectors.uaf module

class dwarfcore.detectors.uaf.DetectUseAfterFree(dwarfcore: dwarfcore.dwarfcore.DwarfCore, m: manticore.native.manticore.Manticore, poi_info: Optional[List[mate_common.models.integration.FreeUseInfo]], fast: bool = True, fast_all_poi: bool = False)

Bases: dwarfcore.plugins.heap_common.TrackHeapInformation

Plugin to detect use-after-free vulnerabilities by tracking allocations.

Parameters
  • dwarfcore (DwarfCore) –

  • m (Manticore) –

  • poi_info (Optional[List[FreeUseInfo]]) –

  • fast (bool) –

  • fast_all_poi (bool) –

MCORE_TESTCASE_LIST: Final[str] = 'DetectUseAfterFree_testcases'

static intercept_free(state: manticore.native.state.State)
Parameters

state (manticore.native.state.State) –

static intercept_malloc(state: manticore.native.state.State)
Parameters

state (manticore.native.state.State) –

manticore

record_testcase(state: manticore.native.state.State, message: str)
Parameters
  • state (manticore.native.state.State) –

  • message (str) –

property results: List[mate_common.models.integration.ReachingTestCase]

Any test case results found during execution.

static taint_allocation_with_va(state: manticore.native.state.State)
Parameters

state (manticore.native.state.State) –

static taint_allocation_with_va_after(state: manticore.native.state.State)
Parameters

state (manticore.native.state.State) –

will_read_memory_callback(state: manticore.native.state.State, where: Union[int, manticore.core.smtlib.expression.Expression], _size: Union[int, manticore.core.smtlib.expression.Expression])
Parameters
  • state (manticore.native.state.State) –

  • where (Union[int, manticore.core.smtlib.expression.Expression]) –

  • _size (Union[int, manticore.core.smtlib.expression.Expression]) –

will_write_memory_callback(state: manticore.native.state.State, where: Union[int, manticore.core.smtlib.expression.Expression], _expression: Union[int, manticore.core.smtlib.expression.Expression], _size: Union[int, manticore.core.smtlib.expression.Expression])
Parameters
  • state (manticore.native.state.State) –

  • where (Union[int, manticore.core.smtlib.expression.Expression]) –

  • _expression (Union[int, manticore.core.smtlib.expression.Expression]) –

  • _size (Union[int, manticore.core.smtlib.expression.Expression]) –