dwarfcore.plugins.under_constrained_symex.uc_platform module

class dwarfcore.plugins.under_constrained_symex.uc_platform.GetTaints(regex=None)

Bases: object

Custom visitor to get expression taints but discard taints in ITE conditions.

property result

visit(expression)

class dwarfcore.plugins.under_constrained_symex.uc_platform.MemObject(uid: int, content_type_size: int, size: int = 0, name: str = '', *args, **kwargs)

Bases: manticore.native.memory.SMemory64

This class represents an unconstrained object allocated somewhere in memory.

Parameters
  • uid (int) –

  • content_type_size (int) –

  • size (int) –

  • name (str) –

init(content: List[manticore.core.smtlib.expression.Expression])

Fill the memory object with its content.

Should be called only once. It is separated from the __init__ constructor to make pickling easier.

Parameters

content (List[manticore.core.smtlib.expression.Expression]) –

read(offset, size, constr: manticore.core.smtlib.constraints.ConstraintSet)

Read ‘size’ bits at ‘offset’ in the object.

Parameters
  • offset – offset of the read within the object, in bytes

  • size – number of bits to read

  • constr (manticore.core.smtlib.constraints.ConstraintSet) – symbolic constraints

write(offset, value, constr: manticore.core.smtlib.constraints.ConstraintSet)

Write ‘value’ at ‘offset’ in the object.

Parameters
  • offset – offset of the write within the object, in bytes

  • value – the value to write

  • constr (manticore.core.smtlib.constraints.ConstraintSet) – symbolic constraints

class dwarfcore.plugins.under_constrained_symex.uc_platform.UCLinux(programs, argv=None, envp=None, symbolic_files=None, disasm='capstone', pure_symbolic=False)

Bases: manticore.platforms.linux.SLinux

Modifies the stock SLinux platform to use the custom memory model.

class dwarfcore.plugins.under_constrained_symex.uc_platform.UCMemory64(constraints: Optional[manticore.core.smtlib.constraints.ConstraintSet] = None, symbols=None, *args, **kwargs)

Bases: manticore.native.memory.SMemory64

Wrapper around regular memory that automatically dispatches memory accesses between the stock memory and the UC memory manager.

It is also responsible for populating the UC memory on the fly when new objects are accessed.

Parameters

constraints (Optional[manticore.core.smtlib.constraints.ConstraintSet]) –

check_oob_access(address, size, access, fix_oob=False)

Check if a memory access to an underconstrained memory object can be out of bounds. If the access can be out of bounds, an error is recorded in the error manager. If fix_oob is True, the method tries to add constraints to enforce the access to be valid. Otherwise a FatalSymexError exception is raised.

Parameters
  • access – either “read” or “write”

  • address – memory address that is accessed

  • size – number of bytes to read/write

  • fix_oob – if set to True and the access can be out of bounds, try to add a constraint to the constraint set that forces ‘offset’ to stay within the bounds of ‘obj’
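The decision logic described for check_oob_access(), as an added sketch that is not dwarfcore's code: an inclusive integer range stands in for the solver's constraints on a symbolic offset, and the pointer is assumed to be already split into a base name and an offset. ToyChecker, SymOffset and the treatment of an always-out-of-bounds access as fatal are assumptions of this sketch.

```python
from dataclasses import dataclass, field

class FatalSymexError(Exception):
    """Stand-in for the exception named in the description above."""

@dataclass
class SymOffset:
    # Inclusive range of feasible byte offsets; it stands in for the solver's
    # constraints on a symbolic offset (simplification made by this sketch).
    lo: int
    hi: int

@dataclass
class ToyChecker:
    obj_sizes: dict                              # base name -> object size in bytes
    errors: list = field(default_factory=list)   # stand-in for the error manager

    def check_oob_access(self, base, off, size, access, fix_oob=False):
        last_valid = self.obj_sizes[base] - size  # highest offset where `size` bytes fit
        if 0 <= off.lo and off.hi <= last_valid:
            return off                            # no feasible offset is out of bounds
        # At least one feasible offset is out of bounds: record it first.
        self.errors.append((access, base, off.lo, off.hi, size))
        if not fix_oob:
            raise FatalSymexError(f"possible OOB {access} on {base}")
        fixed = SymOffset(max(off.lo, 0), min(off.hi, last_valid))
        if fixed.lo > fixed.hi:                   # assumption: no valid offset left is fatal
            raise FatalSymexError(f"{access} on {base} is always out of bounds")
        return fixed                              # execution continues on in-bounds offsets only

def demo():
    # Constructed scenario: a 16-byte object and 4-byte accesses.
    chk = ToyChecker({"buf": 16})
    in_bounds = chk.check_oob_access("buf", SymOffset(0, 12), 4, "read")
    fixed = chk.check_oob_access("buf", SymOffset(0, 28), 4, "read", fix_oob=True)
    try:
        chk.check_oob_access("buf", SymOffset(0, 28), 4, "write")
        fatal = False
    except FatalSymexError:
        fatal = True
    return in_bounds, fixed, fatal, chk.errors
```

With fix_oob set, the finding is still recorded before the offset is narrowed, so the report is not lost when execution continues.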

read(address, size, force=False)

Memory read.

If ‘address’ points to an underconstrained object, it is assumed that the access has been validated by a prior call to check_oob_access()

uc_base_has_object(base: str) bool

Return True iff a MemObject was already allocated for this base.

Parameters

base (str) –

Return type

bool

uc_check_pointer_offset_integrity(base: manticore.core.smtlib.expression.Expression, offset: manticore.core.smtlib.expression.Expression)

Check that offset is a valid offset expression for a given base.

Parameters
  • base (manticore.core.smtlib.expression.Expression) –

  • offset (manticore.core.smtlib.expression.Expression) –

uc_dwarf_type_to_expr_list(dwarf_type: mate_query.cpg.models.node.dwarf.DWARFType, base_obj_name: str, obj_count: int = 1) List[manticore.core.smtlib.expression.Expression]

Translates a dwarf type to a list of symbolic expressions matching the type.

If the type is a built-in type (int, char, …), a single expression is created. If the type is a complex struct or class, the list of expressions matching the structure layout is returned.

Parameters
  • dwarf_type (mate_query.cpg.models.node.dwarf.DWARFType) – The type of the object we need to fill

  • base_obj_name (str) – The name of the parent object to use as a prefix to name the new symbolic variables

  • obj_count (int) – Number of consecutive objects to create. This will always be 1, except for dynamic arrays that are referenced by a raw pointer: (type*) ptr

Return type

List[manticore.core.smtlib.expression.Expression]

uc_fork_on_metavar(base: str, metavar: dwarfcore.plugins.under_constrained_symex.user_constraints.Metavar) None

Fork on possible values for an object's meta-variable.

Parameters
Return type

None

uc_func_arg_to_expr(arg) manticore.core.smtlib.expression.Expression

Translates an underconstrained function argument to an SMT expression to be assigned to the corresponding register.

Return type

manticore.core.smtlib.expression.Expression

uc_get_all_dwarf_type_members(dwarf_type: mate_query.cpg.models.node.dwarf.DWARFType, additional_offset=0) Tuple[int, List[Any]]

Returns all the members of ‘dwarf_type’, including members inherited from parent classes.

Parameters
  • dwarf_type – a structure or a class

  • additional_offset – Additional offset to add to the offsets of ‘dwarf_type’ members. This is used to get the correct member layout for classes that inherit from multiple parent classes

Returns

A list of tuples (additional_offset, member_type) that contains all the member fields of ‘dwarf_type’ in the correct order. For each tuple, ‘additional_offset’ must be added to ‘member_type.common.offset’ to get the real offset of the field in the memory layout of a class instance

Return type

Tuple[int, List[Any]]
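The (additional_offset, member_type) convention described above, as an added sketch that is not dwarfcore's code: ToyType and Member are hypothetical stand-ins for DWARF type nodes, Member.offset plays the role of ‘member_type.common.offset’, and only the list part of the return value is modelled.

```python
from dataclasses import dataclass, field

@dataclass
class Member:
    name: str
    offset: int   # offset inside the declaring type (the role of member_type.common.offset)

@dataclass
class ToyType:
    # Hypothetical stand-in for a DWARF struct/class node.
    name: str
    members: list = field(default_factory=list)
    parents: list = field(default_factory=list)  # (offset of the parent subobject, ToyType)

def all_members(t, additional_offset=0):
    """Return [(additional_offset, member)], inherited members first."""
    out = []
    for parent_off, parent in t.parents:
        # A parent's members keep their own offsets; the shift is carried alongside.
        out += all_members(parent, additional_offset + parent_off)
    out += [(additional_offset, m) for m in t.members]
    return out

def real_layout(t):
    """Apply the rule from the description: real offset = additional_offset + member offset."""
    return [(add + m.offset, m.name) for add, m in all_members(t)]

# Constructed types, as if compiled from:
#   struct A { int a; int b; };  struct B { long c; };  struct C : A, B { char d; };
A = ToyType("A", [Member("a", 0), Member("b", 4)])
B = ToyType("B", [Member("c", 0)])
C = ToyType("C", [Member("d", 16)], parents=[(0, A), (8, B)])
```

Without the carried shift, member c of the second parent would be placed at offset 0 and overlap a, which is the multiple-inheritance case the parameter exists for.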

uc_get_base_from_expr(expr: manticore.core.smtlib.expression.Expression) str

Extract the ‘base’ component of a pointer expression.

Parameters

expr (manticore.core.smtlib.expression.Expression) –

Return type

str

uc_get_dwarf_type_by_uuid(type_uuid, resolve_base: bool = False) mate_query.cpg.models.node.dwarf.DWARFType

Parameters

resolve_base (bool) –

Return type

mate_query.cpg.models.node.dwarf.DWARFType

uc_get_metavar_from_object_name(metavar: dwarfcore.plugins.under_constrained_symex.user_constraints.Metavar, obj_name: str) str

Return the variable name for a given meta-variable of object named ‘obj_name’.

Parameters
Return type

str

uc_get_new_base() str

Return type

str

uc_get_new_base_expr(ptr_type_uuid, type_uuid, name: str) manticore.core.smtlib.expression.Expression

Generate a new abstract expression representing an unconstrained pointer.

Parameters

name (str) –

Return type

manticore.core.smtlib.expression.Expression

uc_get_new_data_expr(size: int, name: str) manticore.core.smtlib.expression.Expression

Generate a new abstract expression representing unconstrained data.

Parameters
  • size (int) – Size in bits

  • name (str) –

Return type

manticore.core.smtlib.expression.Expression

uc_get_object_for_base(base: str) dwarfcore.plugins.under_constrained_symex.uc_platform.MemObject

Return the MemObject referenced by this base.

Parameters

base (str) –

Returns

MemObject if successful, None on failure

Return type

dwarfcore.plugins.under_constrained_symex.uc_platform.MemObject

uc_get_offset_from_expr(expr: manticore.core.smtlib.expression.Expression) Union[manticore.core.smtlib.expression.Expression, int]

Extract the ‘offset’ component of a pointer expression.

Parameters

expr (manticore.core.smtlib.expression.Expression) –

Return type

Union[manticore.core.smtlib.expression.Expression, int]

uc_get_possible_metavar_values(base: str, metavar: dwarfcore.plugins.under_constrained_symex.user_constraints.Metavar, maxcnt: int = 5) Set[int]

Return the possible values for meta-variables in the current state. This method should not be used for the $LEN variable. See uc_get_possible_object_lengths() instead.

Parameters
Returns

set of possible values

Return type

Set[int]

uc_get_possible_object_lengths(base: str, maxcnt=5) set

Return the possible lengths for object ‘base’ considered as an array.

Parameters
  • base (str) – base of the object to fill

  • maxcnt – maximum count of possible lengths to return

Returns

set of possible sizes

Return type

set

uc_get_vtable_addr_for_class(class_name: str) int

Return the virtual address of the vtable for ‘class_name’.

Parameters

class_name (str) –

Return type

int

uc_new_object_for_base(base: str) dwarfcore.plugins.under_constrained_symex.uc_platform.MemObject

Effectively instantiate the object pointed to by the base.

Parameters

base (str) –

Return type

dwarfcore.plugins.under_constrained_symex.uc_platform.MemObject

write(address, value, force=False)

Memory write.

If ‘address’ points to an underconstrained object, it is assumed that the access has been validated by a prior call to check_oob_access()

dwarfcore.plugins.under_constrained_symex.uc_platform.expr_to_data(expr: manticore.core.smtlib.expression.Expression)

Transform an expression to a list of bytes.

Parameters

expr (manticore.core.smtlib.expression.Expression) –

dwarfcore.plugins.under_constrained_symex.uc_platform.get_expr_bases(expr: manticore.core.smtlib.expression.Expression)

Parameters

expr (manticore.core.smtlib.expression.Expression) –

dwarfcore.plugins.under_constrained_symex.uc_platform.get_write_value_size(value)

Get the size in bytes of a value.

Parameters

value – can be bytes or bitvector

dwarfcore.plugins.under_constrained_symex.uc_platform.has_base(expr: manticore.core.smtlib.expression.Expression) bool

Parameters

expr (manticore.core.smtlib.expression.Expression) –

Return type

bool