illera88 / ponce Goto Github PK

We could show to the user a windows with all the configuration.

We could configure this things:

• Show debug info in the output windows
• Manage symbolic indexing #10
• Enable tracing the first time something is tainted (Maybe the user doesn't want to use tracing and he want to debug with step into/over)
• Limit the number of instructions in tracing mode (Maybe the user doesn't want to stop, or he could stop the tracing manually)
• Limit of instructions to execute before ask to the user #13
• Time limit before ask user #13
• Only use tainting mode #4
• Automatically rename the functions with tainted instructions/conditions, configurable prefix, only in tainted conditions? #9

We shoudl blacklist all the functions that does not modify the user input (printf, puts, free, malloc...).
We can hardcode some of them and letting the user the chance to add more through a file.

The plugin could be use just to do tainting analysis and know which instructions of the program are tainted and this is different to make a symbolic execution analysis where all the formulas (from the tainted instructions) are being generated.

Tainting analysis should be quite more light than symbolic execution. So in some scenarios it could be useful to allow the user just to do tainting without symbolic.

As we are doing in the Athena plugin it could be useful with very big program to rename the functions containing tainted instructions with a preffix "T0001_sub_401000".

It would be nice to have an environment to compile the plugin for other OS.

They are nasty!

I think this is related with the way we get the selected bytes from the hex view

congrats on the release of this interesting tool! nice to you are using Capstone here. linked to your project from our website now: http://www.capstone-engine.org/showcase.html

keep it up, cheers.

@0ca
I get this error:
..\..\..\Ponce\src\main.cpp(31): error C2664: 'void triton::API::addCallback(triton::callbacks::symbolicSimplificationCallback)' : cannot convert argument 1 from 'void (__cdecl *)(triton::arch::MemoryAccess &)' to 'triton::callbacks::getConcreteMemoryValueCallback'

Like the ones we have in Athena to test quickly the different functionality and do some demos.

Memory tainting is working in the hex view. We are using this code to get the current selection:

            selection_starts = action_activation_ctx->cur_sel.from.at->toea();
            selection_ends = action_activation_ctx->cur_sel.to.at->toea();

But with the disassembly windows is not very clear how to do it. IDA group into arrays some variables:

We should be able to from the current line get the size of the "item" and then taint all of them.

We are using tracing to automate the process of stopping in every instruction and instrument it. But tracing is also storing in IDA a trace log with all the registers/memory modified and their original values:

Maybe has better performance use step_into() or step_over().

In the future we can implement the option to solve/negate a condition and based in the solution inject the value in the process and change the flags to invert the condition.

The idea is use this option with manual stepping so the user could negate the conditions he wants and modify the execution in runtime.

In some cases this cannot work. When the input modified was used before in the program to do something additional, like active flags, or modified another input. But still I think it can work in simple cases and it is spectacular.

We need to implement the button solve a condition.

The idea is first to show the solution in the IDa output.

We could do more things:

• Inject the solution? If it is memory bytes it makes sense, but if they are registers we should have the eip in the same instruction where they were symbolized.
• Paint the solved/unsolved conditions with different color?
• Use another windows to show big or complex solutions?

Probably is related with a incorrectly disassembled instruction.

We could use this area to show the total number of analyzed insturctions. So the user can have feedback about what is doing Ponce.

Now when we run a program Ponce will stop at the breakpoint in the main and it would continue from there stepping.

But if we manually stop in a condition, we negate it and we run the progra, F9, we aren't going to do stepping, so from that point we would need to manually step for all the instructions.

I guess the idea is the first time the program run we should run it without stepping until we find a tainted input location (main, recv, fread). From there we do stepping and if the user manually stops the program to do things and he continues, F9, we should force the program to do stepping instead of real executing the program.

If the user is debugging the program and using the negate option, it could be very helpful to have an option to continue tracing until next tainted condition. So he could stop in the next tainted condition and decide if he wants to negate it or not.

If the user taints a register/memory used in the current instruction we should reanalyze the instruction so Triton can do the tainting analysis properly.

I think we are not setting the optimizations from triton, like optimization_align.

We should think too how we want to use the ONLY_TAINTED optimization.

If we use the plugin in tracing mode it would be useful to paint the executed instructions with a light color just to know the path the execution took.

Right now we are limiting a trace by the number of executed instructions. When this limit is reached we should ask to the user if he wants to stop or continue other X instructions.

Maybe it is also useful to add a time detection. So after X segx/mins the plugin can stop and ask to the user if he wants to continue.

We have some code with macros for x64. But IDA is x86 for both versions, so we cannot compile ponce for x64 bits. Instead we need to replace all the macros with a condition:

inf.is_32bit()

Original definition:

identifying all program code that can in any way affect the value of a given variable
This is now called “static backward slicing”

More info:
http://web.cs.iastate.edu/~weile/cs513x/5.TaintAnalysis2.pdf

The idea is from an instruction get all the previous instructions that modified the values used in the current instr.

This is very useful for exploiting. If you found an input is crashing a program via fuzzing, and you want to know where comes from the values from the registers, memory, you could use that.

They implemented in the past something similar in this paper. But they never released a fully functional version:
https://media.blackhat.com/us-13/US-13-Li-How-to-Grow-a-TREE-Slides.pdf
They show the previous functions involved in the tainting.

Right now we have a lot of commented code that we should clean up the make it more legible.

Im using IDA 6.8 and symbolize/taint works with 6.9 plugin (but crashes in Hex editor). It doesnt crash with the new plugin 6.8 version but I couldnt symbolize/taint memory (even used ctrl shift M).

Like taint memory, register

We could disable the menus we can't use to make it easy to use the plugin.

The plugin is painting the tainted instructions and maybe in the future is adding other info.

We should give the user the possibility to clear the previous results and re-execute the program tainting/making symbolic other variables.

There is some options:

• Use the snapshots. Ask to the user at the begining to create a snapshot and then he could restore the snapshot when he wants to do a different analysis.
• Add an options to paint white all the lines. But then we should do this for the main module and all the dlls, and this maybe is deleting info that the user already had.
• Store all the actions done (all the line painted, comments added) so we could restore all these items when the user wants.

We can use the IDA comments in the "next lines" to do this. It is a lot of information so it should be disabled by default.

To use Triton we need first to set the architecture with setArchitecture. It would be cool to get the type of binary, x86 or x64 and set the architecture accord to that.

Right now it is hardcoded to x86:
https://github.com/illera88/ponce/blob/master/Ponce/src/main.cpp#L71

It would be cool to color the tainted instructions in the decompiled code, but I don't know if that is possible.

We could add comments, that for sure.

If the color is not possible we could request that functionality.

Priority -1 ;)

But in the future we should check if with the built-in IDA icons it is enough or if we can/want to use external icons: http://www.famfamfam.com/lab/icons/

For example if we have this instruction:

add eax, ecx

The user would like to know which register was tainted to taint the whole instruction, eax, ecx, both?

This would help the user to follow the tainting analysis.

So the user can disable it and execute it as native.

But when the user does this, he cannot use the restore snashot, because if the instructions are executed native we don't know the changes in memory.

Should we reset the snapshot? Show a message to the user (with a tick to not show the message again)? Or we should just explain that very clear in the readme?

We should be timing the tracing when the user is stopped.

The problem now is that the tracing is tracing the exit function, which has a lot of instructions. Maybe if we add this function to the blacklist is enough.

Other options not so elegant are to put a breakpoint in the end of the main function or at every exit, ThreadExit, etc...

Right now I am using the dynamic library from Z3. So all the project is static except for this dll. You need to put the libz3.dll in the IDA directory to load the plugin properly.

We did it this in the past but I don't remember very well how.

We should use PIN in the future and compare the performance.

We should clear the trace so the user can see the tainted instructions and not all the executed instructions in yellow.

I'd like to play around with your plugin, but when I try to open the menu to symbolize the memory in debugging mode, IDA crashes. I confirmed that it's Ponce that is crashing the menu.

We could use the same code we already have for Athena.

The plugin only works well the first time we execute a program inside a binary.

We should reset the engines, and all the state after an execution ends.

It would be very useful to implement blacklisting per modules/dlls or per functions.

For example we should skip the printf implementation.

I think we should differentiate between this and heuristics or "apis simplification", p.e. (strcmp, srtcpy, etc..)

When we are debugging a program and we are in a symbolic condition, it could be very cool to have an option to negate the condition solving the formulas for the condition instruction.

We should inject the solution in the memory/registers and set the flags to satisfy the conditions (ZF or SF, or...).

It could be veeery useful to automatically taint all the possible user inputs.