Klee and Angr are tools for symbolic execution. Klee is a symbolic virtual machine that executes programs symbolically and generates test cases by solving constraints. It works on LLVM bitcode. Angr is a Python framework for analyzing binaries using static and dynamic symbolic analysis. It lifts binaries into an intermediate representation called VEX to analyze machine code across architectures. Both tools explore all paths in a program and solve path constraints to generate inputs that execute each path.
CTF for ビギナーズのバイナリ講習で使用した資料です。
講習に使用したファイルは、以下のリンク先にあります。
https://onedrive.live.com/redir?resid=5EC2715BAF0C5F2B!10056&authkey=!ANE0wqC_trouhy0&ithint=folder%2czip
The document discusses the history and development of the Document Object Model (DOM) from its early implementations in 1995 to modern standards. It outlines key milestones like DOM Level 1 in 1998, the rise of JavaScript frameworks like Prototype, jQuery and MooTools in 2005-2006, and ongoing work by the W3C and WHATWG. The talk will explore security issues that can arise from the DOM's ability to convert strings to executable code and demonstrate an attack technique called DOM clobbering.
Presentation to describe about Circuit Breakers, where to apply, how and examples. Using the Netflix Hystrix and Spring Retry to demonstrate how and examples available on Github.
https://github.com/BHRother/spring-hystrix-example
https://github.com/BHRother/spring-circuit-breaker-example
CTF for ビギナーズのバイナリ講習で使用した資料です。
講習に使用したファイルは、以下のリンク先にあります。
https://onedrive.live.com/redir?resid=5EC2715BAF0C5F2B!10056&authkey=!ANE0wqC_trouhy0&ithint=folder%2czip
The document discusses the history and development of the Document Object Model (DOM) from its early implementations in 1995 to modern standards. It outlines key milestones like DOM Level 1 in 1998, the rise of JavaScript frameworks like Prototype, jQuery and MooTools in 2005-2006, and ongoing work by the W3C and WHATWG. The talk will explore security issues that can arise from the DOM's ability to convert strings to executable code and demonstrate an attack technique called DOM clobbering.
Presentation to describe about Circuit Breakers, where to apply, how and examples. Using the Netflix Hystrix and Spring Retry to demonstrate how and examples available on Github.
https://github.com/BHRother/spring-hystrix-example
https://github.com/BHRother/spring-circuit-breaker-example
The document discusses C++ exploitation techniques including name mangling, virtual function tables, vtable hijacking, vectors, strings, and memory allocation/deallocation functions like new and delete. It provides details on how virtual function tables are used to implement polymorphism in C++ and how vtable hijacking can be used to exploit vulnerabilities by forcing a vtable and hijacking the virtual function pointer to call shellcode. It also explains how vectors and strings are implemented dynamically in memory and their memory layout.
Build a full-functioned virtual machine from scratch, when Brainfuck is used. Basic concepts about interpreter, optimizations techniques, language specialization, and platform specific tweaks.
The document summarizes a talk on container performance analysis. It discusses identifying bottlenecks at the host, container, and kernel level using various Linux performance tools. It then provides an overview of how containers work in Linux using namespaces and control groups (cgroups). Finally, it demonstrates some example commands like docker stats, systemd-cgtop, and bcc/BPF tools that can be used to analyze containers and cgroups from the host system.
Given at BSides Nashville 2017. The modern Windows Operating System carries with it an incredible amount of legacy code. The Component Object Model (COM) has left a lasting impact on Windows. This technology is far from dead as it continues to be the foundation for many aspects of the Windows Operating System. You can find hundreds of COM Classes defined by CLSID (COM Class Identifiers). Do you know what they do? This talk seeks to expose tactics long forgotten by the modern defender. We seek to bring to light artifacts in the Windows OS that can be used for persistence. We will present novel tactics for persistence using only the registry and COM objects.
Introduce Brainf*ck, another Turing complete programming language. Then, try to implement the following from scratch: Interpreter, Compiler [x86_64 and ARM], and JIT Compiler.
While CMake has become the de-facto standard buildsystem for C++, it's siblings CTest and CPack are less well known. This talk gives a lightspeed introduction into these three tools and then focuses on best practices on building, testing, and packaging.
Kotlin Coroutines provide a new way to write asynchronous and concurrent code using suspending functions and structured concurrency. Coroutines avoid callbacks and allow sequencing of asynchronous code using async/await. Coroutines are lightweight threads that can be suspended and resumed. Channels allow coroutines to communicate and share data. Flows provide a reactive streams API for coroutines. Kotlin coroutines offer improvements over other asynchronous programming models like callbacks and RxJava.
This document discusses software obfuscation techniques using C++ metaprogramming. It presents several implementations of string obfuscation using templates to encrypt strings at compile-time. It also discusses obfuscating function calls using finite state machines generated with metaprogramming. Debugger detection is added to fight dynamic analysis. The techniques aim to make reverse engineering and static/dynamic analysis more difficult without changing program semantics.
The document discusses C++ exploitation techniques including name mangling, virtual function tables, vtable hijacking, vectors, strings, and memory allocation/deallocation functions like new and delete. It provides details on how virtual function tables are used to implement polymorphism in C++ and how vtable hijacking can be used to exploit vulnerabilities by forcing a vtable and hijacking the virtual function pointer to call shellcode. It also explains how vectors and strings are implemented dynamically in memory and their memory layout.
Build a full-functioned virtual machine from scratch, when Brainfuck is used. Basic concepts about interpreter, optimizations techniques, language specialization, and platform specific tweaks.
The document summarizes a talk on container performance analysis. It discusses identifying bottlenecks at the host, container, and kernel level using various Linux performance tools. It then provides an overview of how containers work in Linux using namespaces and control groups (cgroups). Finally, it demonstrates some example commands like docker stats, systemd-cgtop, and bcc/BPF tools that can be used to analyze containers and cgroups from the host system.
Given at BSides Nashville 2017. The modern Windows Operating System carries with it an incredible amount of legacy code. The Component Object Model (COM) has left a lasting impact on Windows. This technology is far from dead as it continues to be the foundation for many aspects of the Windows Operating System. You can find hundreds of COM Classes defined by CLSID (COM Class Identifiers). Do you know what they do? This talk seeks to expose tactics long forgotten by the modern defender. We seek to bring to light artifacts in the Windows OS that can be used for persistence. We will present novel tactics for persistence using only the registry and COM objects.
Introduce Brainf*ck, another Turing complete programming language. Then, try to implement the following from scratch: Interpreter, Compiler [x86_64 and ARM], and JIT Compiler.
While CMake has become the de-facto standard buildsystem for C++, it's siblings CTest and CPack are less well known. This talk gives a lightspeed introduction into these three tools and then focuses on best practices on building, testing, and packaging.
Kotlin Coroutines provide a new way to write asynchronous and concurrent code using suspending functions and structured concurrency. Coroutines avoid callbacks and allow sequencing of asynchronous code using async/await. Coroutines are lightweight threads that can be suspended and resumed. Channels allow coroutines to communicate and share data. Flows provide a reactive streams API for coroutines. Kotlin coroutines offer improvements over other asynchronous programming models like callbacks and RxJava.
This document discusses software obfuscation techniques using C++ metaprogramming. It presents several implementations of string obfuscation using templates to encrypt strings at compile-time. It also discusses obfuscating function calls using finite state machines generated with metaprogramming. Debugger detection is added to fight dynamic analysis. The techniques aim to make reverse engineering and static/dynamic analysis more difficult without changing program semantics.
Valgrind is an open source tool for debugging and profiling Linux x86 programs. It uses dynamic binary instrumentation to detect memory errors like use of uninitialized values, memory leaks, and invalid reads/writes. It includes tools like Memcheck for memory errors, Massif for heap profiling, Helgrind for data race detection, and Callgrind for call graph and profiling information. The presentation discusses how Valgrind works, its various tools, and best practices for using it to improve code quality and find bugs.
Aiming at complete code coverage by unit tests tends to be cumbersome, especially for cases where external API calls a part of the code base. For these reasons, Python comes with the unittest.mock library, appearing to be a powerful companion in replacing parts of the system under test.
This full day course will give you a hands-on, deep dive into React Native. In this course, you will learn how to build cross-platform mobile applications from scratch using Facebook's React Native.
It is quite often that software developers have absolutely no clue about the cost of an error. It is very important that the error be found at the earliest possible stage.
This document provides an introduction to C++ programming including problem solving skills, software evolution, procedural and object oriented programming concepts, basic C++ programs, operators, header files, conditional statements, loops, functions, pointers, structures and arrays. It discusses topics such as analyzing problems, planning algorithms, coding solutions, evaluating results, procedural and object oriented paradigms, inheritance, polymorphism, flowcharts, basic syntax examples, and more. Various examples are provided to illustrate key concepts in C++.
The document discusses finding bugs in compilers through random testing. It found serious bugs in all tested C compilers, including 287 bugs reported so far in GCC and commercial compilers. Random testing programs are generated that perform random operations and check results. This uncovered wrong-code bugs where compilers generate code computing incorrect values as well as crash bugs. The majority of bugs were found in optimization levels above -O0. Further work is needed to expand testing to more platforms and language features and make the testing process more accessible to outside contributors.
This document provides an overview of CBStreams, a ColdFusion module that implements Java Streams functionality for processing data in a functional programming style. It discusses key concepts like lazy evaluation, intermediate operations that transform streams, and terminal operations that produce final results. Examples are given for building streams from various data sources, applying filters, maps, reductions and more. Lambda expressions and closures play an important role in functional-style stream processing.
Mock what? What Mock?Learn What is Mocking, and how to use Mocking with ColdFusion testing, development, and continuous integration. Look at Mocking and Stubbing with a touch of Theory and a lot of Examples, including what you could test, and what you should test… and what you shouldn't test (but might be fun).
Unit testing in iOS featuring OCUnit, GHUnit & OCMockRobot Media
This document provides an overview and introduction to unit testing in iOS. It discusses OCUnit, GHUnit and OCMock, which are common frameworks for unit testing, mock objects, and assertions in Objective-C and iOS. The key points covered include:
- OCUnit is the default unit testing framework for Objective-C, with built-in support in Xcode.
- GHUnit is an alternative open source framework that provides a GUI runner and additional macros.
- OCMock allows mocking objects to control and isolate dependencies in tests.
- Examples are provided of writing tests with OCUnit, GHUnit and using mock objects with OCMock.
- Reasons for unit testing like fixing bugs early and easier
Elixir is a dynamic, functional language designed for building scalable and maintainable applications. It leverages the Erlang VM, known for running low-latency, distributed and fault-tolerant systems. Elixir compiles to Erlang bytecode and provides developers' productivity through amazing tooling and documentation while enabling concurrency programming without locks or semaphores. The document then provides examples of Elixir types, functions, macros, and tools like Mix and Phoenix.
This document discusses code analysis and techniques for predicting runtime errors in source code. It describes existing solutions like detecting uninitialized variables, overflows, divide by zeros, incorrect argument data types. It also discusses detecting out-of-bounds array and pointer references, memory allocation/deallocation errors, and memory leaks. The document outlines the design of a code analyzer that takes C code as input, performs lexical and syntax analysis to generate intermediate code, and then uses the intermediate code to predict possible runtime errors. Further work mentioned includes evaluating the intermediate code to perform data and control flow analysis for error prediction.
Fortran & Link with Library & Brief Explanation of MKL BLASJongsu "Liam" Kim
This document discusses Fortran programming best practices and features. It recommends avoiding labeled DO loops, EQUIVALENCE, and COMMON blocks due to errors and complexity. Instead, it suggests using CYCLE and EXIT statements, WHERE constructs, and DO CONCURRENT for vectorization. The document also covers sparse matrix storage formats and using Intel MKL and BLAS routines for linear algebra operations.
Triton and Symbolic execution on GDB@DEF CON ChinaWei-Bo Chen
Triton and Symbolic execution on GDB is a talk about symbolic execution. It introduces Triton, a symbolic execution framework, and SymGDB, which combines Triton with GDB to enable symbolic execution directly within the GDB debugger. Key points include how Triton works, its components like the symbolic execution engine and AST representations, and how SymGDB utilizes the GDB Python API to synchronize Triton's state with the debugged program and allow symbolic analysis of programs within GDB. Examples demonstrating SymGDB on crackme programs that take symbolic user input are also presented.
SPARKNaCl: A verified, fast cryptographic libraryAdaCore
SPARKNaCl https://github.com/rod-chapman/SPARKNaCl is a new, freely-available, verified and fast reference implementation of the NaCl cryptographic API, based on the TweetNaCl distribution. It has a fully automated, complete and sound proof of type-safety and several key correctness properties. In addition, the code is surprisingly fast - out-performing TweetNaCl's C implementation on an Ed25519 Sign operation by a factor of 3 at all optimisation levels on a 32-bit RISC-V bare-metal machine. This talk will concentrate on how "Proof Driven Optimisation" can result in code that is both correct and fast.
JCConf 2020 - New Java Features Released in 2020Joseph Kuo
The document discusses new features in Java releases from JDK 13 to JDK 15, including syntax changes like switch expressions and text blocks, API changes like helpful NullPointerExceptions and reimplementing sockets, and improvements to garbage collectors like ZGC and NUMA-aware memory allocation for G1. It provides code examples to demonstrate the new features and explains their motivations and impacts.
This document discusses symbolic execution and the Triton framework. It begins with an introduction to symbolic execution and why it is useful for tasks like static and dynamic analysis. Triton is then introduced as a dynamic binary analysis framework that uses symbolic execution. Key components of Triton like the symbolic execution engine and AST representations are described. Finally, SymGDB is presented as a way to combine Triton with GDB to simplify symbolic execution debugging workflows. Examples analyzing crackme programs are provided to demonstrate SymGDB.
This document provides an introduction to Python programming including installation, basic syntax, data types, control flow, modules, sockets, structs, pwntools, vulnerabilities, practice problems, and references for further learning. It covers topics such as printing, taking input, lists, arithmetic, conditional statements, loops, functions, importing modules, sending/receiving data over sockets, packing/unpacking integers, using pwntools, and exploiting vulnerabilities like pickle injection. Example code is provided throughout to demonstrate the concepts.
1. The document discusses format string vulnerabilities and how to exploit them. Format strings allow printing variable values without specifying the type or number of parameters, allowing arbitrary memory reads and writes.
2. Examples show how to use format strings with the %n specifier to write specific values to arbitrary memory addresses by calculating offsets on the stack.
3. Exploiting format strings allows operations like GOT hijacking, leaking memory, and writing variable values to gain arbitrary code execution on vulnerable programs. The document provides resources for practicing these techniques.
This document provides information about x86 architecture including registers, flags, modes, common instructions, Intel and AT&T syntax, system calls, examples, and references. It defines the purpose of key registers like EAX, EBX, ESP and flags. It explains real and protect modes and differences between Intel and AT&T syntax. Examples demonstrate how to write assembly code and call system calls. References provided can be used to learn more about x86 assembly programming.
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
Building RAG with self-deployed Milvus vector database and Snowpark Container...Zilliz
This talk will give hands-on advice on building RAG applications with an open-source Milvus database deployed as a docker container. We will also introduce the integration of Milvus with Snowpark Container Services.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slackshyamraj55
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
How to Get CNIC Information System with Paksim Ga.pptxdanishmna97
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
UiPath Test Automation using UiPath Test Suite series, part 6DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
“An Outlook of the Ongoing and Future Relationship between Blockchain Technologies and Process-aware Information Systems.” Invited talk at the joint workshop on Blockchain for Information Systems (BC4IS) and Blockchain for Trusted Data Sharing (B4TDS), co-located with with the 36th International Conference on Advanced Information Systems Engineering (CAiSE), 3 June 2024, Limassol, Cyprus.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
20 Comprehensive Checklist of Designing and Developing a WebsitePixlogix Infotech
Dive into the world of Website Designing and Developing with Pixlogix! Looking to create a stunning online presence? Look no further! Our comprehensive checklist covers everything you need to know to craft a website that stands out. From user-friendly design to seamless functionality, we've got you covered. Don't miss out on this invaluable resource! Check out our checklist now at Pixlogix and start your journey towards a captivating online presence today.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Speck&Tech
ABSTRACT: A prima vista, un mattoncino Lego e la backdoor XZ potrebbero avere in comune il fatto di essere entrambi blocchi di costruzione, o dipendenze di progetti creativi e software. La realtà è che un mattoncino Lego e il caso della backdoor XZ hanno molto di più di tutto ciò in comune.
Partecipate alla presentazione per immergervi in una storia di interoperabilità, standard e formati aperti, per poi discutere del ruolo importante che i contributori hanno in una comunità open source sostenibile.
BIO: Sostenitrice del software libero e dei formati standard e aperti. È stata un membro attivo dei progetti Fedora e openSUSE e ha co-fondato l'Associazione LibreItalia dove è stata coinvolta in diversi eventi, migrazioni e formazione relativi a LibreOffice. In precedenza ha lavorato a migrazioni e corsi di formazione su LibreOffice per diverse amministrazioni pubbliche e privati. Da gennaio 2020 lavora in SUSE come Software Release Engineer per Uyuni e SUSE Manager e quando non segue la sua passione per i computer e per Geeko coltiva la sua curiosità per l'astronomia (da cui deriva il suo nickname deneb_alpha).
2. $whoami
• 陳威伯(bananaappletw)
• Master of National Chiao Tung
University
• Organizations:
• Software Quality Laboratory
• Bamboofox member
• Vice president of NCTUCSC
• Specialize in:
• symbolic execution
• binary exploit
• Talks:
• HITCON CMT 2015
• HITCON CMT 2017
3. What is symbolic execution?
• Symbolic execution is a means of analyzing a program to determine
what inputs cause each part of a program to execute
• System-level
• S2e(https://github.com/dslab-epfl/s2e)
• User-level
• Angr(http://angr.io/)
• Triton(https://triton.quarkslab.com/)
• Code-based
• klee(http://klee.github.io/)
5. Klee
• Symbolic virtual machine built on top of the LLVM compiler
infrastructure
• Website: http://klee.github.io/
• Github: https://github.com/klee/klee
• Klee paper: http://llvm.org/pubs/2008-12-OSDI-KLEE.pdf (Worth
reading)
• Main goal of Klee:
1. Hit every line of executable code in the program
2. Detect at each dangerous operation
6. Installation
• Install docker
• sudo apt-get install docker.io
• Get klee image
• sudo docker pull klee/klee
• Run klee docker image
• sudo docker run --rm -ti --ulimit='stack=-1:-1' klee/klee
• Test environment
• Ubuntu 17.04 desktop amd64
7. Introduction
• Klee is a symbolic machine to generate test cases
• Need source code to compile to LLVM bitcode
• Steps:
• Replace input with Klee function to make memory region symbolic
• Compile source code to LLVM bitcode
• Run Klee
• Get the test cases and path's information
8. Steps
• Source code at ~/klee_src/examples/get_sign.c
• Include klee library
#include <klee/klee.h>
• Make input symbolic
klee_make_symbolic(&a, sizeof(a), "a");
• Compile to LLVM bitcode
clang -I ../../include -emit-llvm -c -g get_sign.c
9. Steps
• Examine LLVM bitcode
llvm-dis get_sign.bc
• Running KLEE
klee get_sign.bc
• Show information about test case
ktest-tool ./klee-last/*.ktest
13. Functions
• klee_make_symbolic(address, size, name)
Make memory address symbolic
klee_make_symbolic(&c, sizeof(c), "c");
Notice: Don't overlap symbolic memory regions
• klee_assume(condition)
Add condition constraint on input
klee_assume((c==2)||(d==3));
• klee_prefer_cex(object, condition)
When generating test cases, prefer certain values between equivalent test
cases
klee_prefer_cex(input, 32 <= input[i] && input[i] <= 126);
14. Functions
• Insert assert on target path
klee_assert(0)
• Find assert test case
ls ./klee-last/ | grep .assert
• Show information about test case
ktest-tool ./klee-last/*.ktest
• Using GNU c library functions
Run with --libc=uclibc --posix-runtime parameters
15. Environment Modeling
• For example:
• command-line arguments
• environment variables
• file
• data and metadata
• network packets
• ……
• Klee redirects library call to models
• If fd refers to a concrete file
Klee use pread to multiplex access from KLEE’s many states onto the one actual
underlying file descriptor
• If fd refers to a symbolic file
read() copies from the underlying symbolic buffer
16. Environment Modeling
• -sym-arg <N>
Replace by a symbolic argument with length N
• -sym-args <MIN> <MAX> <N>
Replace by at least MIN arguments and at most MAX arguments, each with
maximum length N
• -sym-files <NUM> <N>
Make NUM symbolic files (‘A’, ‘B’, ‘C’, etc.), each with size N (excluding stdin)
• -sym-stdin <N>
Make stdin symbolic with size N
18. Architecture
• Represent Klee as an interpreter loop which select a state to run and
then symbolically executes a single instruction in the context of that
state
• When Klee meets the conditional branch instruction, it clones the
state so that it could explore both paths
• By implementing heap as immutable map, portions of the heap
structure itself can also be shared amongst multiple states(copy on
write)
19. Architecture
• Potentially dangerous operations implicitly generate branches that
check if any input value exists that could cause an error(e.g., zero
divisor)
• When processing instruction, if all given operands are concrete,
performs the operation natively, returning a constant expression
• When KLEE detects an error or when a path reaches an exit call, Klee
solves the current path's constraints
20. Diagram
1. Step the program until it
meets the branch
#include <klee/klee.h>
int get_sign(int x) {
if (x == 0)
return 0;
if (x < 0)
return -1;
else
return 1;
}
int main() {
int a;
klee_make_symbolic(&a, sizeof(a), "a");
return get_sign(a);
}
21. Diagram
1. Step the program until it
meets the branch
2. If all given operands are
concrete, return constant
expression. If not, record
current condition constraints
and clone the state.
#include <klee/klee.h>
int get_sign(int x) {
if (x == 0)
return 0;
if (x < 0)
return -1;
else
return 1;
}
int main() {
int a;
klee_make_symbolic(&a, sizeof(a), "a");
return get_sign(a);
}
22. Diagram
1. Step the program until it
meets the branch
2. If all given operands are
concrete, return constant
expression. If not, record
current condition constraints
and clone the state
3. Step the states until they hit
exit call or error
X==0
Constraints:
X!=0
Next instruction:
if (x < 0)
Constraints:
X==0
Next instruction:
return 0;
23. Diagram
1. Step the program until it
meets the branch
2. If all given operands are
concrete, return constant
expression. If not, record
current condition constraints
and clone the state
3. Step the states until they hit
exit call or error
4. Solve the conditional
constraint
X==0
Constraints:
X!=0
Next instruction:
if (x < 0)
Constraints:
X==0
Next instruction:
return 0;
24. Diagram
1. Step the program until it meets the branch
2. If all given operands are concrete, return constant expression. If
not, record current condition constraints and clone the state
3. Step the states until they hit exit call or error
4. Solve the conditional constraint
5. Loop until no remaining states or user-defined timeout is reached
25. Exercises
• ccr
Sum of continuous number
https://bamboofox.cs.nctu.edu.tw/courses/1/challenges/67
• Suicide
Product of continuous number
https://bamboofox.cs.nctu.edu.tw/courses/1/challenges/68
26. Angr
• Website: http://angr.io/
• Angr is a python framework for analyzing binaries. It combines both
static and dynamic symbolic ("concolic") analysis, making it applicable
to a variety of tasks.
• Flow
• Loading a binary into the analysis program.
• Translating a binary into an intermediate representation (IR).
• Performing the actual analysis
27. Installation
• sudo apt-get install -y python-pip python-dev libffi-dev build-essential
virtualenvwrapper
• Virtualenv
• mkvirtualenv angr && pip install angr
• Direct install in system
• sudo pip install angr
• Test environment
• Ubuntu 17.04 desktop amd64
28. Flow
• Import angr
import angr
• Load the binary and initialize angr project
project = angr.Project('./ais3_crackme')
• Define argv1 as 100 bytes bitvectors
argv1 = claripy.BVS("argv1",100*8)
• Initialize the state with argv1
state = project.factory.entry_state(args=["./crackme1",argv1])
29. Flow
• Initialize the simulation manager
simgr = p.factory.simgr(state)
• Explore the states that matches the condition
simgr.explore(find= 0x400602)
• Extract one state from found states
found = simgr.found[0]
• Solve the expression with solver
solution = found.solver.eval(argv1, cast_to=str)
30. ais3 crackme
• Binary could be found in: https://github.com/angr/angr-
doc/blob/master/examples/ais3_crackme/
• Run binary with argument
• If argument is correct
print "Correct! that is the secret key!"
• else
print "I'm sorry, that's the wrong secret key!"
34. Loader
• Load the binary through angr.Project
• Loading options
• auto_load_libs
• When there is no SimProcedure
• True(Default, real library function is executed)
• False(return a generic "stub" SimProcedure called ReturnUnconstrained)
35. Intermediate Representation
• In order to be able to analyze and execute machine code from
different CPU architectures, Angr performs most of its analysis on an
intermediate representation
• Angr's intermediate representation is VEX(Valgrind), since the
uplifting of binary code into VEX is quite well supported
36. Intermediate Representation
• IR abstracts away several architecture differences when dealing with
different architectures
• Register names: VEX models the registers as a separate memory space, with
integer offsets
• Memory access: The IR abstracts difference between architectures access
memory in different ways
• Memory segmentation: Some architectures support memory segmentation
through the use of special segment registers
• Instruction side-effects: Most instructions have side-effects
37. Intermediate Representation
• addl %eax, %ebx • t3 = GET:I32(0)
• # get %eax, a 32-bit integer
• t2 = GET:I32(12)
• # get %ebx, a 32-bit integer
• t1 = Add32(t3,t2)
• # addl
• PUT(0) = t1
• # put %eax
38. Simulation Managers
• simgr.step()
Step forward all states in a given stash by one basic block
• simgr.run()
Step until everything terminates
• simgr.explore(conditions)
• find, avoid:
• An address to find or avoid
• A set or list of addresses to find or avoid
• A function that takes a state and returns whether or not it matches.
39. Bit-Vector Symbol
• claripy.BVS(name, size)
• name: The name of the symbol.
• size: The size (in bits) of the bit-vector.
• chop(bits)
• bits: A list of smaller bitvectors, each bits in length.
40. State
• Property
• registers: The state's register file as a flat memory region
• memory: The state's memory as a flat memory region
• solver(e.g., se): The solver engine for this state
• posix: information about the operating system or environment model(e.g.,
posix.files[fd])
• add_constraints(BVS condition)
• inspect.b(event, when=angr.BP_AFTER, action=debug_func)
• event: mem_read, reg_write
• when: BP_BEFORE or BP_AFTER
• action: debug_func
41. SimMemory
• load(addr, size=None)
• addr: memory address
• size: The sizein bytes
• find(addr, what)
• addr: The start address
• what: what to search for
• store(addr, data, size=None)
• addr: address to store at
• data: The data(claripy expression or something convertable to a claripy expression)
• size: The data size(claripy expression or something convertable to a claripy
expression)
42. Stash types
active This stash contains the states that will be stepped by default, unless an alternate stash is specified.
deadended
A state goes to the deadended stash when it cannot continue the execution for some reason,
including no more valid instructions, unsat state of all of its successors, or an invalid instruction
pointer.
pruned
When using LAZY_SOLVES, states are not checked for satisfiability unless absolutely necessary.
When a state is found to be unsat in the presence of LAZY_SOLVES, the state hierarchy is traversed
to identify when, in its history, it initially became unsat. All states that are descendants of that point
(which will also be unsat, since a state cannot become un-unsat) are pruned and put in this stash.
unconstrained
If the save_unconstrained option is provided to the SimulationManager constructor, states that are
determined to be unconstrained (i.e., with the instruction pointer controlled by user data or some
other source of symbolic data) are placed here.
unsat
If the save_unsat option is provided to the SimulationManager constructor, states that are
determined to be unsatisfiable (i.e., they have constraints that are contradictory, like the input
having to be both "AAAA" and "BBBB" at the same time) are placed here.
43. Hooking
• project.hook(address, hook)
• hook is a SimProcedure instance
• At every step, angr checks if the current address has been hooked,
and if so, runs the hook instead of the binary code at that address
• You could also use symbol to locate the address
• proj.hook_symbol(name, hook)
• You could use hook as function decorator, length is to jump after
finishing the hook @proj.hook(0x20000, length=5)
def my_hook(state):
state.regs.rax = 1
45. Symbolic Function
• Project tries to replace external calls to library functions by using
symbolic summaries termed SimProcedures
• Because SimProcedures are library hooks written in Python, it has
inaccuracy
• If you encounter path explosion or inaccuracy, you can do:
1. Disable the SimProcedure
2. Replace the SimProcedure with something written directly to the situation
in question
3. Fix the SimProcedure
46. Symbolic Function(scanf)
• Source code:
https://github.com/angr/angr/blob/master/angr/procedures/libc/sca
nf.py
1. Get first argument(pointer to format string)
2. Define function return type by the architecture
3. Parse format string
4. According format string, read input from file descriptor 0(i.e.,
standard input)
5. Do the read operation
47. Symbolic Function(scanf)
from angr.procedures.stubs.format_parser import FormatParser
from angr.sim_type import SimTypeInt, SimTypeString
class scanf(FormatParser):
def run(self, fmt):
self.argument_types = {0: self.ty_ptr(SimTypeString())}
self.return_type = SimTypeInt(self.state.arch.bits, True)
fmt_str = self._parse(0)
f = self.state.posix.get_file(0)
region = f.content
start = f.pos
(end, items) = fmt_str.interpret(start, 1, self.arg, region=region)
# do the read, correcting the internal file position and logging the action
self.state.posix.read_from(0, end - start)
return items
48. Symbolic Function(scanf)
class SimProcedure(object):
@staticmethod
def ty_ptr(self, ty):
return SimTypePointer(self.arch, ty)
class FormatParser(SimProcedure):
def _parse(self, fmt_idx):
"""
fmt_idx: The index of the (pointer to the) format string in the
arguments list.
"""
def interpret(self, addr, startpos, args, region=None):
"""
Interpret a format string, reading the data at `addr` in `region` into `args`
starting at `startpos`.
"""
51. Exercises
• angrman
https://bamboofox.cs.nctu.edu.tw/courses/1/challenges/69
Local binary
• magicpuzzle
Server response the base64-encoded binary, try to find out the differences,
and automatically generate the exploit
https://bamboofox.cs.nctu.edu.tw/courses/1/challenges/70
• Sushi
Server response the base64-encoded binary, try to find out the differences,
and automatically generate the exploit
https://bamboofox.cs.nctu.edu.tw/courses/1/challenges/72