
System Call Audit #1384

Merged
merged 49 commits into master from dev-syscall-audit
May 16, 2019

Conversation

@ehennenfent ehennenfent (Contributor) commented Mar 6, 2019

As of 03/06/19, Manticore supports roughly 1/4th of the Linux system calls. For most binaries this is fine, but sometimes we run into binaries that require unimplemented system calls. The dev-syscall-audit branch will track efforts to evaluate which of the unimplemented system calls are most important to implement, and identify discrepancies between our implementations and the behavior expected by Linux programs.

I've started off by adding auto-generated stubs for most of the currently unimplemented calls. These stubs change the default behavior, so that instead of throwing a SyscallNotDefined exception when manticore reaches an unimplemented syscall, it will simply ignore it and continue execution.

This PR adds the wrapt library as a dependency. It's used to make sure that decorators properly copy wrapped function attributes, which fixes the problem of wrapped system calls having incorrect argument signatures.


Eric Hennenfent added 10 commits February 28, 2019 18:28
A few have been left in linux.py because they're necessary for other projects
* Removed extraneous void argument for getpid and gettid
* Added missing sigsetsize parameter for rt_sigaction
* Removed incorrect 'flags' parameter on accept (should be on accept4)
* Fixed 'SocketDesc' has no attribute 'close' error
* (Partially) Fixed duplicate constraint error with socket file descriptors
Pretend that sockets are pipes and pipes are sockets
@ehennenfent ehennenfent (Contributor, Author) left a comment

Reviewable status: 0 of 16 files reviewed, 2 unresolved discussions (waiting on @ekilmer, @feliam, and @Mossberg)


manticore/core/manticore.py, line 868 at r4 (raw file):

        self.remove_all()

        self._save_run_data()

@feliam Would like to get your thoughts on this. Not sure if you removed this call for a reason, but I noticed that the output directory and total time were no longer being printed.


manticore/platforms/platform.py, line 14 at r1 (raw file):

Previously, ekilmer (Eric Kilmer) wrote…

The change looks good! Thank you 👍

Resolved. Also added did/will_execute_syscall callbacks that should make this cleaner

@feliam feliam (Contributor) left a comment

Reviewable status: 0 of 16 files reviewed, 2 unresolved discussions (waiting on @ehennenfent, @ekilmer, @feliam, and @Mossberg)


manticore/core/manticore.py, line 868 at r4 (raw file):

Previously, ehennenfent (Eric Hennenfent) wrote…

@feliam Would like to get your thoughts on this. Not sure if you removed this call for a reason, but I noticed that the output directory and total time were no longer being printed.

It's friendlier to have it in a context[] item. So it will count the time of a run() iff you finalize immediately after that run(). Note that EVM will call run() several times, one for each tx. Not sure if "Total time" makes sense for EVM? I'd instantly agree to add the "save_run_data" to ManticoreLinux. The saving of the config file and (if not included in manticore.yml) the commandline needs work in general.

@ehennenfent ehennenfent (Contributor, Author) left a comment

Reviewable status: 0 of 18 files reviewed, 2 unresolved discussions (waiting on @ekilmer, @feliam, and @Mossberg)


manticore/core/manticore.py, line 868 at r4 (raw file):

Previously, feliam (feliam) wrote…

It's friendlier to have it in a context[] item. So it will count the time of a run() iff you finalize immediately after that run(). Note that EVM will call run() several times, one for each tx. Not sure if "Total time" makes sense for EVM? I'd instantly agree to add the "save_run_data" to ManticoreLinux. The saving of the config file and (if not included in manticore.yml) the commandline needs work in general.

Okay, moved this implementation to native/manticore.py for now. I notice that even with the old implementation, it only gets triggered when one explicitly calls finalize, which doesn't seem to happen from the command line tool. Was that deliberate?

@feliam feliam (Contributor) left a comment

Reviewable status: 0 of 18 files reviewed, 2 unresolved discussions (waiting on @ehennenfent, @ekilmer, and @Mossberg)


manticore/core/manticore.py, line 868 at r4 (raw file):

Previously, ehennenfent (Eric Hennenfent) wrote…

Okay, moved this implementation to native/manticore.py for now. I notice that even with the old implementation, it only gets triggered when one explicitly calls finalize, which doesn't seem to happen from the command line tool. Was that deliberate?

I think it was not deliberate. Previously linux generated the testcases online. We need to add an explicit finalize() somewhere in the Linux flavor to replicate old and expected behavior. Possibly at main() in native/cli.py?

@feliam feliam (Contributor) left a comment

Reviewable status: 0 of 18 files reviewed, 7 unresolved discussions (waiting on @ehennenfent, @ekilmer, and @Mossberg)


examples/script/aarch64/basic.py, line 26 at r5 (raw file):

@m.init
def init(m, ready_states):
    for state in ready_states:

The alternative to consider is to do it from Manticore. Like m.ready_states instead of passing it as an explicit argument.


manticore/core/manticore.py, line 815 at r5 (raw file):

        self._publish('will_run', self.ready_states)
        with self.locked_context() as context:
            context['time_started'] = time.time()

Maybe move this to ManticoreNative.run() ?


manticore/core/manticore.py, line 877 at r5 (raw file):

    ############################################################################

    def _save_run_data(self):

Delete this?


manticore/core/worker.py, line 161 at r5 (raw file):

                        # Saved to a fresh id in case other worker have an old
                        # version this state cached over the old id
                        m._publish('will_terminate_state', current_state, exc)

This should not happen normally. The state here is in an exceptional condition like having a not feasible path constraint or other impossible thing. Not 100% sure the callbacks can deal with this kind of states? Maybe yes.


manticore/native/memory.py, line 383 at r5 (raw file):

    def __del__(self):
        if hasattr(self, '_data'):

maybe the getattr way? or not.

@ehennenfent ehennenfent (Contributor, Author) left a comment

Reviewable status: 0 of 18 files reviewed, 6 unresolved discussions (waiting on @ekilmer, @feliam, and @Mossberg)


examples/script/aarch64/basic.py, line 26 at r5 (raw file):

Previously, feliam (feliam) wrote…

The alternative to consider is to do it from Manticore. Like m.ready_states instead of passing it as an explicit argument.

Hmm, open to discussion on this. I figured adding a param would make it more clear that the API had changed. I suppose we really ought to make a formal spec for all the plugin callbacks and then inspect them before actually invoking


manticore/core/manticore.py, line 868 at r4 (raw file):

Previously, feliam (feliam) wrote…

I think it was not deliberate. Previously linux generated the testcases online. We need to add an explicit finalize() somewhere in the Linux flavor to replicate old and expected behavior. Possibly at main() in native/cli.py?

Done. The old cli looped over all the states and called generate_testcase. Now we just call finalize.


manticore/core/manticore.py, line 815 at r5 (raw file):

Previously, feliam (feliam) wrote…

Maybe move this to ManticoreNative.run() ?

Going to leave as-is for now since native/manticore doesn't have a run method and this could theoretically be useful for evm scripts too


manticore/core/manticore.py, line 877 at r5 (raw file):

Previously, feliam (feliam) wrote…

Delete this?

Done.


manticore/core/worker.py, line 161 at r5 (raw file):

Previously, feliam (feliam) wrote…

This should not happen normally. The state here is in an exceptional condition like having a not feasible path constraint or other impossible thing. Not 100% sure the callbacks can deal with this kind of states? Maybe yes.

It looks like most other callbacks ignore the exc parameter, so we should be good on that front. The reason I re-added this is that we have some internal tooling that needs to be able to catch exceptions in Manticore. Basically everything gets caught right here and squashed. With this callback, we can still get access to those, even if it's not with a try...except


manticore/native/memory.py, line 383 at r5 (raw file):

Previously, feliam (feliam) wrote…

maybe the getattr way? or not.

Not sure what you mean. There's not really a good default case to pass to munmap afaik. It's just that we don't want to try to unmap a nonexistent page.

@feliam feliam (Contributor) commented May 16, 2019


manticore/core/worker.py, line 161 at r5 (raw file):

Previously, ehennenfent (Eric Hennenfent) wrote…

It looks like most other callbacks ignore the exc parameter, so we should be good on that front. The reason I re-added this is that we have some internal tooling that needs to be able to catch exceptions in Manticore. Basically everything gets caught right here and squashed. With this callback, we can still get access to those, even if it's not with a try...except

The state here is not terminated but it is killed.
I think that we now have a list for exceptional states. "killed_states"
Maybe we need to have different events for killing and terminating a correct state.
Maybe these tools need to subscribe to "will_kill_state"?

@feliam feliam (Contributor) left a comment

Reviewable status: 0 of 20 files reviewed, 3 unresolved discussions (waiting on @ehennenfent, @ekilmer, and @Mossberg)


manticore/core/manticore.py, line 815 at r5 (raw file):

Previously, ehennenfent (Eric Hennenfent) wrote…

Going to leave as-is for now since native/manticore doesn't have a run method and this could theoretically be useful for evm scripts too

import timeit; timeit.timeit(m.run(..)).
It may be useful to evm scripts that want to time just the last transaction, ignore all the others and execute a finalize().

Eric Hennenfent added 2 commits May 16, 2019 13:46
There's gotta be a better pun about 'overthrowing the state' in there somewhere
@ehennenfent ehennenfent (Contributor, Author) left a comment

Reviewable status: 0 of 20 files reviewed, 3 unresolved discussions (waiting on @ekilmer, @feliam, and @Mossberg)


manticore/core/manticore.py, line 815 at r5 (raw file):

Previously, feliam (feliam) wrote…

import timeit; timeit.timeit(m.run(..)).
It may be useful to evm scripts that want to time just the last transaction, ignore all the others and execute a finalize().

Done.


manticore/core/worker.py, line 161 at r5 (raw file):

Previously, feliam (feliam) wrote…

The state here is not terminated but it is killed.
I think that we now have a list for exceptional states. "killed_states"
Maybe we need to have different events for killing and terminating a correct state.
Maybe these tools need to subscribe to "will_kill_state"?

Done.

@ehennenfent ehennenfent merged commit 37aeae8 into master May 16, 2019
@ehennenfent ehennenfent deleted the dev-syscall-audit branch May 16, 2019 19:45
ekilmer added a commit that referenced this pull request May 17, 2019
* master: (28 commits)
  AArch64: fix ldrb size (#1433)
  System Call Audit (#1384)
  ManticoreBase refactor (#1385)
  Add missing checks for ARM boundaries (#1429)
  aarch64: add instruction tests: T-U (#1423)
  aarch64: add instruction tests: M-S (#1422)
  aarch64: add instruction tests: C-L (#1421)
  aarch64: add instruction tests: A-B (#1420)
  aarch64: add everything except instructions (#1418)
  fixup: support ARM64 in '_reg_name'
  Revert "fixup: remove x86-specific code from '_reg_name'"
  review: avoid wildcard imports
  review: rename the file
  fixup: remove x86-specific code from '_reg_name'
  fixup: do not use relative imports
  Generates a more sensible symbolic default for constructor arguments (#1414)
  aarch64: add instructions
  aarch64: add everything except instructions
  Switches the Travis-CI badge from .org to .com (#1416)
  Performance optimization : use set instead of list (#1415)
  ...
bradlarsen pushed a commit that referenced this pull request Apr 21, 2020
We only were using `wrapt` in a single place -- to implement the
`unimplemented` syscall decorator.  That dependency was added in #1384,
so that the old syscall mechanism could work with the decorator.

Now, with the rework of Manticore's syscall mechanism, this is no longer
necessary, and a "regular" Python decorator implemented using
`functools.wraps` should work just fine.
bradlarsen pushed a commit that referenced this pull request Apr 22, 2020
* Rework syscall invocation for proper behavior under typeguard

Previously, using Typeguard with Manticore would break several emulated
syscalls.  With this commit, it does not.

Some background information:

When a syscall is made from an emulated binary, Manticore uses the
syscall number to look up the appropriate Python method that models that
syscall, and then uses Python introspection to massage arguments to that
syscall model function as deemed appropriate.

Previously, this mechanism used the deprecated `inspect.getfullargspec`
to determine the number of arguments to the model function, and whether
or not it takes varargs.

However, `inspect.getfullargspec` doesn't look through wrapper
functions; it looks only at exactly the function object it is given.
This is an issue, however, when trying to inspect _decorated_ functions.
(The use of a decorator in Python introduces a _new_ function object
that wraps the decorated item.)

How did that break Manticore when using Typeguard?  It turns out that
when using Typeguard via the `--typeguard-packages=manticore` option to
`pytest`, the Typeguard plugin implicitly adds a `@typeguard.check_types`
decorator on _every_ function & method in the `manticore` package.

In this way, each syscall implementation function in Manticore ends up
with a wrapper around it, and the syscall invocation mechanism based on
`inspect.getfullargspec` would somewhat quietly cause syscalls to break.

Now, instead of using `inspect.getfullargspec`, Manticore's syscall
invocation mechanism uses the non-deprecated `inspect.signature` API to
get the needed information.  This API _does_ look through wrapper
functions. Additionally, it allows us to get rid of some conditional
logic, about whether `self` appears in a function's parameter list or
not.

* Update manticore/native/cpu/abstractcpu.py

* Get rid of the `wrapt` library

We only were using `wrapt` in a single place -- to implement the
`unimplemented` syscall decorator.  That dependency was added in #1384,
so that the old syscall mechanism could work with the decorator.

Now, with the rework of Manticore's syscall mechanism, this is no longer
necessary, and a "regular" Python decorator implemented using
`functools.wraps` should work just fine.

* Fix rewrite of `unimplemented`

* Rework platform `unimplemented` decorator, take 3

Additionally, add some extra tests for the decorator, to get better
coverage from where it is used.

* Clean up `test_sycalls.py` imports

* Fix an unbound variable error

(found with `mypy --check-untyped-defs` and some grep)

* Get rid of some unused imports
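The two mechanisms described in this thread, the `@unimplemented` stubs from the PR description (warn and keep executing instead of raising `SyscallNotDefined`) and the later switch from `inspect.getfullargspec` to `inspect.signature` in the commit message above, are easiest to see side by side in one small dispatcher. The following is an added, self-contained illustration written for this page; it is not Manticore's code. The `Linux` class, its model names, the `run` helper, the constructed register list and the "pass every register through" behaviour of the old-style branch are assumptions made for the demonstration; the x86-64 numbers 0/13/24/39 for read/rt_sigaction/sched_yield/getpid are the kernel's. The stub signatures follow the audit's own fixes (no argument on getpid, `sigsetsize` present on rt_sigaction).

```python
import functools
import inspect
import logging

logger = logging.getLogger(__name__)


class SyscallNotDefined(Exception):
    """Raised only when the syscall number has no table entry at all."""


def unimplemented(wrapped):
    """Mark a syscall model as an auto-generated stub (assumed shape, not Manticore's).

    Instead of raising, the stub logs a warning and falls through to the
    trivial body so the emulated program keeps running. functools.wraps
    records the original in ``__wrapped__``; that is what lets
    inspect.signature() recover the real parameter list through the wrapper.
    """

    @functools.wraps(wrapped)
    def new_wrapped(self, *args, **kwargs):
        logger.warning("Unimplemented system call: %s%r", wrapped.__name__, args)
        return wrapped(self, *args, **kwargs)

    return new_wrapped


class Linux:
    """Toy platform: a syscall table plus a few models (assumed names; kernel numbers)."""

    table = {0: "sys_read", 13: "sys_rt_sigaction", 24: "sys_sched_yield", 39: "sys_getpid"}

    def sys_read(self, fd, buf, count):
        return count  # pretend the whole request was satisfied

    def sys_getpid(self):  # takes no argument, as the audit's getpid fix
        return 1000

    @unimplemented
    def sys_rt_sigaction(self, signum, act, oldact, sigsetsize):  # sigsetsize present
        return 0

    @unimplemented
    def sys_sched_yield(self):
        return 0


def params_seen(func):
    """(names from getfullargspec, names from signature) for the same function object."""
    spec = inspect.getfullargspec(func)
    return tuple(spec.args), tuple(inspect.signature(func).parameters)


def invoke_syscall(platform, number, regs, introspect="signature"):
    """Dispatch one syscall the way the emulator does: look the model up by number,
    work out how many register arguments it wants, and call it.

    regs is the ordered argument-register list (rdi, rsi, rdx, r10, r8, r9).
    introspect selects the old (getfullargspec) or new (signature) mechanism.
    """
    name = platform.table.get(number)
    if name is None:
        raise SyscallNotDefined(number)
    model = getattr(platform, name)  # bound method
    if introspect == "signature":
        # Follows __wrapped__ and already drops the bound 'self'.
        nargs = len(inspect.signature(model).parameters)
    else:
        # Sees only the outermost function: for a decorated model that is
        # (self, *args, **kwargs). Assumed naive behaviour: pass every register
        # through, which makes the real model raise TypeError.
        spec = inspect.getfullargspec(model)
        nargs = len(regs) if spec.varargs else len(spec.args) - 1
    return model(*regs[:nargs])


def run(platform, number, regs, introspect="signature"):
    """Return ("ok", value) or ("error", exception class name) for one dispatch."""
    try:
        return "ok", invoke_syscall(platform, number, regs, introspect)
    except Exception as exc:  # classify every failure for the caller
        return "error", type(exc).__name__


if __name__ == "__main__":
    regs = [3, 0x7FFFF000, 64, 0, 0, 0]  # constructed register values
    p = Linux()
    print(params_seen(Linux.sys_rt_sigaction))
    for num in (0, 13, 24, 39, 999):
        print(num, run(p, num, regs, "getfullargspec"), run(p, num, regs, "signature"))
```

Undecorated models dispatch correctly under both mechanisms; the decorated stubs only dispatch correctly under `inspect.signature`, because `getfullargspec` reports `(self, *args, **kwargs)` for the wrapper. That is the same failure the typeguard plugin triggered by wrapping every method, and it is why the PR originally needed `wrapt` (whose proxies expose the wrapped function's own attributes) rather than `functools.wraps`.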
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this pull request Sep 29, 2020
The complete changelog up to this version:

## 0.3.4 - 2020-06-26

Thanks to our external contributors!
 - [jimpo](https://github.com/trailofbits/manticore/commits?author=jimpo)
 - [langston-barrett](https://github.com/trailofbits/manticore/commits?author=langston-barrett)

### Ethereum
* Support and test against EVM Istanbul [#1676](trailofbits/manticore#1676)
* **[Added API]** Added a `manticore-verifier` script for checking properties of smart contracts [#1717](trailofbits/manticore#1717)
* Fixed RETURNDATASIZE [#1612](trailofbits/manticore#1612)
* Added strategies for symbolic SHA3 replacement [#1609](trailofbits/manticore#1609)
* Fixed GAS instruction [#1633](trailofbits/manticore#1633)
* Improved balance-related exploration [#1615](trailofbits/manticore#1615)
* Add `__format__` to EVM accounts [#1613](trailofbits/manticore#1613)
* Discard basic blocks that unavoidably REVERT [#1630](trailofbits/manticore#1630)
* Extract printable bytes from return data [#1671](trailofbits/manticore#1671)
* Support CHAINID, EXTCODEHASH, and SELFBALANCE instructions [#1644](trailofbits/manticore#1644)
* **[Changed API]** Renamed several arguments in EVM API, including `gaslimit` --> `gas` [#1652](trailofbits/manticore#1652)
* Explore states that self-destruct [#1699](trailofbits/manticore#1699)
* Lazy solving for the Ethereum leak detector [#1727](trailofbits/manticore#1727)

### Native
* Support for ARM modified-immediate encodings [#1638](trailofbits/manticore#1638)
* Support for `/proc/self/maps` [#1639](trailofbits/manticore#1639)
* Support for `llseek` [#1640](trailofbits/manticore#1640)
* Support for `arm_fadvise64_64` [#1648](trailofbits/manticore#1648)
* Allow symbolic sockets in `accept` [#1618](trailofbits/manticore#1618)
* Fixes to `open` [#1657](trailofbits/manticore#1657)
* Overhauled filesystem emulation [#1673](trailofbits/manticore#1673)
* Fixed system call argument concretization [#1697](trailofbits/manticore#1697)
* **[Added API]** Add a symbolic model for `strcpy` [#1681](trailofbits/manticore#1681)

### WASM
* Delay branch condition concretization for better coverage [#1641](trailofbits/manticore#1641)

### Other
* **[Added API]** Added a snapshot system [#1710](trailofbits/manticore#1710)
* Transparent compression for state files [#1624](trailofbits/manticore#1624)
* Unify around singleton interface for solver [#1649](trailofbits/manticore#1649)
* Use `__slots__` to reduce memory usage in expression system [#1635](trailofbits/manticore#1635)
* **[Removed API]** Removed `policy` argument from ManticoreBase, added `outputspace_url` to optionally separate working files from output files [#1651](trailofbits/manticore#1651)
* Disable broken `get_related` logic [#1674](trailofbits/manticore#1674)
* Disable flaky Z3 tactics [#1691](trailofbits/manticore#1691)
* Remove Keystone engine from dependencies [#1684](trailofbits/manticore#1684)
* Improved error messages [#1632](trailofbits/manticore#1632), [#1704](trailofbits/manticore#1704)
* Made ConstraintSets hashable [#1703](trailofbits/manticore#1703)
* Added system to dynamically enable/disable plugins [#1696](trailofbits/manticore#1696) [#1708](trailofbits/manticore#1708)
* Re-establish support for Yices and CVC4 [#1714](trailofbits/manticore#1714)
* Improved constant folding and constraint set slicing [#1706](trailofbits/manticore#1706)


## 0.3.3 - 2020-01-30

Thanks to our external contributors!

 - [catenacyber](https://github.com/trailofbits/manticore/commits?author=catenacyber)

### Ethereum
* **[added API]** Flag to only generate alive states when finalizing Manticore [#1554](trailofbits/manticore#1554)
* Fix gas check [#1587](trailofbits/manticore#1587)

### Native
* **[added API]** Add post-instruction hooks [#1579](trailofbits/manticore#1579)
* Fix issue with re-using stdio file descriptors after they'd been closed [#1604](trailofbits/manticore#1604)

### WASM
* **[added API]** getattr-style calls for WASM functions [#1578](trailofbits/manticore#1578)
* **[changed API]** Pass state to function calls instead of constraint sets [#1578](trailofbits/manticore#1578)
* **[added API]** Added read/write helper methods to memory instances [#1589](trailofbits/manticore#1589)

### Other
* **[added API]** Added streamlined state serialization interface [#1596](trailofbits/manticore#1596)
* Fixed Z3 version parsing [#1551](trailofbits/manticore#1551)
* Unique names for ArrayVars [#1552](trailofbits/manticore#1552)
* Improve pickling and multiprocessing compatibility [#1583](trailofbits/manticore#1583)
* Fix SMTLib visitor bug that broke the example tests [#1577](trailofbits/manticore#1577)
* Optimize MinMax SMTLib operations [#1599](trailofbits/manticore#1599)

## 0.3.2 - 2019-11-11

Thanks to our external contributors!

 - [Srinivas11789](https://github.com/trailofbits/manticore/commits?author=Srinivas11789)
 - [catenacyber](https://github.com/trailofbits/manticore/commits?author=catenacyber)
 - [Boyan-MILANOV](https://github.com/trailofbits/manticore/commits?author=Boyan-MILANOV)

### Ethereum
* **[added API]** Use higher-level test generation to symbolically execute SHA3 [#1526](trailofbits/manticore#1526)
* **[added API]** Added fast unsound SHA3 strategy [#1549](trailofbits/manticore#1549)
* **[added API]** Added plugin for discarding states without changes to storage [#1507](trailofbits/manticore#1507)
* **[fixed API]** Fix `ADDMOD` and `MULMOD` [#1531](trailofbits/manticore#1531)
* Warn on missing bytecode [#1534](trailofbits/manticore#1534)
* Simplify PC upon modification [#1523](trailofbits/manticore#1523)


### Native
* Better memory tests ([#1506](trailofbits/manticore#1506), [1524](trailofbits/manticore#1524))
* Memory IO performance improvements [#1509](trailofbits/manticore#1509)
* **[added API]**  Expose ELF dynamic load addresses [#1515](trailofbits/manticore#1515)
* Optimize instruction decoding ([#1522](trailofbits/manticore#1522), [#1527](trailofbits/manticore#1527))
* Add partial support for `recvfrom` syscall [#1514](trailofbits/manticore#1514)
* **[fixed API]** Add `will_write_memory` event to `write_bytes` [#1535](trailofbits/manticore#1535)
* Update supported Unicorn version [#1536](trailofbits/manticore#1536)
* Fix file pointer leak in ELF interpreter [#1538](trailofbits/manticore#1538)
* Deduplicate socket symbol names [#1542](trailofbits/manticore#1542)
* Improve environment variable parsing [#1545](trailofbits/manticore#1545)
* **[fixed API]** Reduce chance of orphaned `did_execute_instruction` event [#1529](trailofbits/manticore#1529)

### WASM
* **[added API]** Added initial support for webassembly [#1495](trailofbits/manticore#1495)

### Other
* Incorporate type checking (mypy) into CI [#1544](trailofbits/manticore#1544)
* Fixes to smtlib ([#1512](trailofbits/manticore#1512), [#1511](trailofbits/manticore#1511))
* Remove runtime type checking from smtlib to improve performance [#1543](trailofbits/manticore#1543)
* Logging improvements ([#1518](trailofbits/manticore#1518), [#1520](trailofbits/manticore#1520))
* Simplify unsigned division constant folding [#1530](trailofbits/manticore#1530)
* Improve signed division logic [#1540](trailofbits/manticore#1540)
* **[changed API]** Move to manticore-specific exception types [#1537](trailofbits/manticore#1537)
* **[changed API]** Save profiling data in the workspace instead of the current directory [#1539](trailofbits/manticore#1539)


## 0.3.1 - 2019-08-06

Thanks to our external contributors!

 - [arcz](https://github.com/trailofbits/manticore/commits?author=arcz)

### Ethereum
* Smart contracts are now compiled using [Crytic-Compile](https://github.com/crytic/crytic-compile) [#1406](trailofbits/manticore#1406)
* Added detector for strict comparisons to BALANCE [#1481](trailofbits/manticore#1481)
* Added bitshift instructions [#1498](trailofbits/manticore#1498)
* Added stub for STATICCALL (does not enforce static nature) [#1494](trailofbits/manticore#1494)
* Updated EVM Examples [#1486](trailofbits/manticore#1486)

### Native
* Fixed `getdents` syscall [#1472](trailofbits/manticore#1472)
* Fixed state merging examples [#1482](trailofbits/manticore#1482)
* Support LSR.W on ARMV7 [#1363](trailofbits/manticore#1363)
* Fixed CrackMe Example [#1502](trailofbits/manticore#1502)
* Optimize CMPXCHG8B [#1501](trailofbits/manticore#1501)
* Added `fast_crash` configuration setting that causes Manticore to immediately produce a finding on memory unsafety [#1485](trailofbits/manticore#1485)

### Other
* **[changed API]** Moved `issymbolic` into SMTLib to improve performance [#1456](trailofbits/manticore#1456)
* Refactored API Docs [#1469](trailofbits/manticore#1469)
* Fixed `FileNotFound` Error on state loading [#1480](trailofbits/manticore#1480)

## 0.3.0 - 2019-06-06

Thanks to our external contributors!

 - [catenacyber](https://github.com/trailofbits/manticore/commits?author=catenacyber)
 - [binaryflesh](https://github.com/trailofbits/manticore/commits?author=binaryflesh)

### Major Changes
##### Executor Refactor ([#1385](trailofbits/manticore#1385))
We've completed a major refactor of the core executor that reorganizes Manticore's state machine to be more amenable toward use with the multiprocessing module. This refactor introduces some small API changes:
* One must explicitly call the `finalize` method to dump test cases from a run
* The `will_start_run` event has been renamed to `will_run`
* The `solver` module requires explicitly accessing the Z3Solver singleton. `from manticore.core.smtlib import solver` becomes:
```python
from manticore.core.smtlib.solver import Z3Solver
solver = Z3Solver.instance()
```
* `manticore.running_states` has been renamed to `manticore._busy_states`
For more information about changes to the state machine, see [the diagram in core/manticore.py](https://github.com/trailofbits/manticore/blob/451965f03a5e0d6766e499bf3246e4796b35638f/manticore/core/manticore.py#L132-L239)

##### Blacken ([#1438](trailofbits/manticore#1438))
We've run the [`black`](https://black.readthedocs.io/en/stable/index.html) autoformatter on the master branch of Manticore, and added a check for compliance to our CI. To ensure your code is properly formatted, run `black -t py36 -l 100 .` in your Manticore directory before committing.

##### Support for statically-linked AArch64 binaries ([#1424](trailofbits/manticore#1424))
Contractor [nkaretnikov](https://github.com/trailofbits/manticore/commits?author=nkaretnikov) spent several months adding support for AArch64 on Linux. As this is a brand new architecture, we've left in most of the debugging assertions, which may slow it down slightly.
We look forward to getting feedback on this architecture so we can eventually remove the debugging assertions.


### Ethereum

* Added Symbolic EVM Tests for the Frontier fork. Note that we don't support any other forks (i.e. Constantinople) yet. ([#1431](trailofbits/manticore#1431), [#1441](trailofbits/manticore#1441))
* **[fixed API]** Fixed relative paths for .sol files ([#1393](trailofbits/manticore#1393))
* **[fixed API]** Support dynamic parameters in constructors ([#1414](trailofbits/manticore#1414))
* Fixed detector failure when PC is symbolic ([#1395](trailofbits/manticore#1395))
* Transfers from etherless contracts no longer report STOP ([#1392](trailofbits/manticore#1392))

### Native

* Added stubs for missing system calls & downgraded most missing calls from exceptions to warnings ([#1384](trailofbits/manticore#1384))
* Fixed DECREE magic pages ([#1413](trailofbits/manticore#1413))
* Store x86 registers in a set instead of a list ([#1415](trailofbits/manticore#1415))
* Fix register boundary check for non-x86 architectures ([#1429](trailofbits/manticore#1429))
* Support `movhps` on x86 ([#1444](trailofbits/manticore#1444))

### Other

* Only publish events when there is at least one subscriber ([#1388](trailofbits/manticore#1388))
* Added sandshrew example ([#1396](trailofbits/manticore#1396))
* Updated Unicorn to track latest master ([#1440](trailofbits/manticore#1440))
* **[fixed API]** Now respects coverage file argument ([#1442](trailofbits/manticore#1442))


## 0.2.5 - 2019-03-18

Thanks to our external contributors!

 - [werew](https://github.com/trailofbits/manticore/commits?author=werew)
 - [NicolaiSoeborg](https://github.com/trailofbits/manticore/commits?author=NicolaiSoeborg)
 - [Joool](https://github.com/trailofbits/manticore/commits?author=Joool)

### Ethereum

* **[added API]** `json_create_contract` - support creating EVM contracts from Truffle JSON artifacts ([#1376](trailofbits/manticore#1376))
* **[changed API]** Moved default gas value to config module ([#1346](trailofbits/manticore#1346))
* **[fixed API]** Fixed account creation with a code field ([#1371](trailofbits/manticore#1371))
* **[fixed API]** Fixed an incorrect attribute in `last_return` ([#1341](trailofbits/manticore#1341))
* **[refactor]** Inlined get_possible solutions function as it's only used once ([#1372](trailofbits/manticore#1372))
* Fixed `_check_jumpdest` when run with detectors - this bug could lead to not detecting an int overflow due to tainting made by another detector ([#1347](trailofbits/manticore#1347))
* Made findings print addresses in hex ([#1339](trailofbits/manticore#1339))

### Native

* **[added API]** Added Unicorn preloading, for quickly performing concrete emulation until a target address is reached. ([#1356](trailofbits/manticore#1356))
* Fixed incorrect return value in `sys_lseek` ([#1355](trailofbits/manticore#1355))
* Added check for missing native packages ([#1367](trailofbits/manticore#1367))

### Other

* **[added API]** Added context managers for the config module, allowing for temporary configurations ([#1345](trailofbits/manticore#1345))
* Updated Capstone to 4.0.1 ([#1312](trailofbits/manticore#1312))
* Embedded parsetab.py so users no longer need to generate it ([#1383](trailofbits/manticore#1383))


## 0.2.4 - 2019-01-10

### Ethereum

* **[added API]** Fixed VerboseTrace plugin ([#1305](trailofbits/manticore#1305)) and added VerboseTraceStdout plugin ([#1305](trailofbits/manticore#1305)): those can be used to track EVM execution (`m.register_plugin(VerboseTraceStdout())`)
* **[changed API]** Made gas calculation faithfulness configurable: this way, you can choose whether you respect or ignore gas calculations with `--evm.oog <opt>` (see `--help`); also, the gas calculations has been decoupled into its own methods ([#1279](trailofbits/manticore#1279))
* **[changed API]** Changed default gas to 3000000 when creating contract ([#1332](trailofbits/manticore#1332))
* **[changed API]** Launching manticore from cli will display all registered plugins ([#1301](trailofbits/manticore#1301))
* Fixed a bug where it wasn't possible to call contract's function when its name started with an underscore ([#1306](trailofbits/manticore#1306))
* Fixed `Transaction.is_human` usage and changed it to a property ([#1323](trailofbits/manticore#1323))
* Fixed `make_symbolic_address` not preconstraining the symbolic address to be within all already-known addresses ([#1318](trailofbits/manticore#1318))
* Fixed bug where a terminated state became a running one if `m.running_states` or `m.terminated_states` were generated ([#1326](trailofbits/manticore#1326))

### Native

* **[added API]** Added symbol resolution feature, so it is possible to grab a symbol address by using `m.resolve(symbol)` ([#1302](trailofbits/manticore#1302))
* **[changed API]** The `stdin_size` CLI argument has been moved to config constant and so has to be passed using `--native.stdin_size` instead of `--stdin_size` ([#1337](trailofbits/manticore#1337))
* Sped up Armv7 execution a bit ([#1313](trailofbits/manticore#1313))
* Fixed the `sys_arch_prctl` syscall when a wrong `code` value was passed; it now raises a NotImplementedError instead of asserting on unsupported code values ([#1319](trailofbits/manticore#1319))

### Other

* **[changed API]** Fixed missing CLI arguments that came from config constants - note that `timeout` has to be passed using `core.timeout` now ([#1337](trailofbits/manticore#1337))
* We now explicitly require Python>=3.6 when using CLI or when importing Manticore ([#1331](trailofbits/manticore#1331))
* `__main__` now fetches manticore version from installed modules ([#1310](trailofbits/manticore#1310))
* Refactored some of the codebase (events [#1314](trailofbits/manticore#1314), solver [#1334](trailofbits/manticore#1334), tests [#1308](trailofbits/manticore#1308), py2->py3 [#1307](trailofbits/manticore#1307), state/platform [#1320](trailofbits/manticore#1320), evm stuff [#1329](trailofbits/manticore#1329))
* Some other fixes and minor changes


## 0.2.3 - 2018-12-11

Thanks to our external contributors!

- [NeatMonster](https://github.com/NeatMonster)
- [evgeniuz](https://github.com/evgeniuz)
- [stephan-tolksdorf](https://github.com/stephan-tolksdorf)
- [yeti-detective](https://github.com/yeti-detective)
- [PetarMI](https://github.com/PetarMI)
- [hidde-jan](https://github.com/hidde-jan)
- [catenacyber](https://github.com/catenacyber)

### Added

- Support for ARM THUMB instructions: ADR, ADDW, SUBW, CBZ, TBB, TBH, STMDA, STMDB
- `State.solve_minmax()` API for querying a BitVec for its min/max values
- New SMTLIB optimization for simplifying redundant concat/extract combinations; helps reduce expression complexity, and speed up queries
- Ethereum: `--txpreconstrain` CLI flag. Enabling this avoids sending ether to nonpayable functions, primarily avoiding exploration of uninteresting revert states.
- Research memory model (LazySMemory) allowing for symbolic memory indexing to be handled without concretization (opt in, currently for research only)

### Changed

- Linux/binary analysis has been moved to `manticore.native`, `manticore.core.cpu` has been moved to `manticore.native.cpu`. Please update your imports.
- The binary analysis dependencies are no longer installed by default. They can be installed with `pip install manticore[native]`. This is to prevent EVM users from installing binary dependencies.
- The symbolic `stdin_size` is now a config variable (in the `main` config group) with a default of 256 (the same default as before).
- `ManticoreEVM.generate_testcase()` 'name' parameter is now optional
- Manticore CLI run on a smart contract will now use all detectors by default (detectors can be listed with --list-detectors, excluded with --exclude <detectors> or --exclude-all)
- Misusing the ManticoreEVM API, for example by using old keyword arguments that are not available since some versions (like ManticoreEVM(verbosity=5)) will now raise an exception instead of not applying the argument at all.

### Fixed

- Ethereum: Fixed CLI timeout support
- Numerous EVM correctness fixes for Frontier fork
- Fixed handling of default storage and memory in EVM (reading from previously unused cell will return a zero now)
- ARM THUMB mode, Linux syscall emulation fixes
- Creation of multiple contracts with symbolic arguments (ManticoreEVM.solidity_create_contract with args=None fired more than once failed before)

### Removed

- `Manticore.evm` static method

## 0.2.2 - 2018-10-30

Thanks to our external contributors!

- [charliecjung](https://github.com/charliecjung)
- [redyoshi49q](https://github.com/redyoshi49q)
- [yeti-detective](https://github.com/yeti-detective)
- [Srinivas11789](https://github.com/srinivas11789)
- [stephan-tolksdorf](https://github.com/stephan-tolksdorf)
- [catenacyber](https://github.com/catenacyber)
- [MJ10](https://github.com/MJ10)

### Added

- New API for generating a testcase only if a certain condition can be true in the state (`ManticoreEVM.generate_testcase(..., only_if=)`).
  Useful for conveniently checking an invariant in a state, and generating a testcase if it can be violated.
- New `constrain=` optional parameter for `State.solve_one` and `State.solve_buffer`. After solving for a symbolic variable,
  mutate the state by applying that solution as a constraint. Useful if concretizing a few symbolic variables, and later
  concretizations should take into account previously solved for values.
- `ManticoreEVM.human_transactions` top level API. Mirrors `ManticoreEVM.transactions`, but does not contain any internal
  transactions.
- Emit generated transaction data in human readable format (JSON)
- Warning messages if number of passed arguments to a Solidity function is inconsistent with the number declared
- CLI support for the ReentrancyAdvancedDetector
- Colored CLI output
- Configuration system. Allows configuration options to be specified in a config file. New configurations are available,
  notably including solver parameters such as solver timeout, and memory limits.
- Support for some unimplemented x86 XMM instructions
- Customizable symbolic stdin input buffer size
- Support for [Etheno](https://github.com/trailofbits/etheno)
- `RaceConditionDetector` that can be used to detect transaction order dependencies bugs

### Changed

- Improve the DetectExternalCallAndLeak detector and reduce false positives
- Numerous improvements and changes to the SolidityMetadata API
- Ethereum contract addresses are no longer random, but are deterministically calculated according to the Yellow Paper
- Manticore no longer supports contracts with symbolic addresses creating new contracts. This is a consequence of
  supporting deterministic contract address calculation. There are plans for re-enabling this capability in a future release.

### Deprecated

- Several SolidityMetadata APIs: `.get_hash()`, `.functions`, `.hashes`

### Fixed

- Numerous fixes and enhancements to the Ethereum ABI implementation
- Better handling of overloaded functions in SolidityMetadata, and other bug fixes
- Fixes for the FilterFunctions plugin
- Fixes for symbolic SHA3 handling
- Many EVM correctness/consensus fixes
- Numerous spelling errors

## 0.2.1.1 - 2018-09-01

In this release, the codebase has been relicensed under the AGPLv3 license.
Please [contact us](mailto:opensource@trailofbits.com) if you're looking for an exception to these terms!

Thanks to our external contributors!

- [s0b0lev](https://github.com/s0b0lev)
- [redyoshi49q](https://github.com/redyoshi49q)

### Added

- Full suite of Ethereum detectors
    - Selfdestruct (`--detect-selfdestruct`): Warns if a selfdestruct instruction is reachable by the user
    - Ether Leak (`--detect-externalcall`): Warns if there is a call to the user, or a user controlled address, and ether can be sent.
    - External Call (`--detect-externalcall`): Warns if there is a call to the user, or a user controlled address.
    - Reentrancy (`--detect-reentrancy`): Warns if there is a change of storage state after a call to the user, or a user controlled address, with >2300 gas. This is an alternate implementation enabled in the CLI. The previous implementation is still available for API use (`DetectReentrancyAdvanced`).
    - Delegatecall (`--detect-delegatecall`): Warns if there is a delegatecall to a user controlled address, or to a user controlled function.
    - Environmental Instructions (`--detect-env`): Warns if certain instructions are used that can be potentially manipulated. Instructions: BLOCKHASH, COINBASE, TIMESTAMP, NUMBER, DIFFICULTY, GASLIMIT, ORIGIN, GASPRICE.
- New Ethereum command line flags
    - `--no-testcases`: Do not generate testcases for discovered states
    - `--txnoether`: Do not make the transaction value symbolic in executed transactions
- SMTLIB: Advanced functionality for expression migration. Expressions from arbitrary constraint sets can be mixed to create arbitrary constraints, expressions are transparently migrated from constraint set to another, avoiding SMT naming collisions.

### Changed

- Command line interface uses new reentrancy detector based on detection of user controlled call addresses

### Fixed

- Ethereum: Support for overloaded solidity functions
- Ethereum: Significantly improved ability to create symbolic variables and constraints at the global level
- Ethereum: Improved gas support
- State serialization improvements and fixes

## 0.2.0 - 2018-08-10

In this release, the codebase has been ported to Python 3.6, which is a breaking change for API clients. Beginning with 0.2.0, client programs of Manticore must be compatible with Python 3.6.

Thanks to our external contributors!

- [ianklatzco](https://github.com/ianklatzco)
- [devtty1er](https://github.com/devtty1er)
- [catenacyber](https://github.com/catenacyber)

### Added

- Ethereum: More flexibility for Solidity compilation toolchains
- Ethereum: Detectors for unused return value, reentrancy
- Ethereum: Support for Solidity `bytesM` and `bytes` types
- Ethereum: Beta API for preconstraining inputs (`ManticoreEVM.constrain`)
- Improved performance for smtlib module
- Ability to transparently operate on bytearray and symbolic buffer (ArrayProxy) types (e.g: concatenate, slice)

### Changed

- **Codebase has been entirely ported to Python 3.6+**
- Ethereum: `ManticoreEVM.make_symbolic_value()` can be size adjustable
- Ethereum: Ethereum ABI (`manticore.ethereum.ABI`) API refactor, including real Solidity prototype parser
- Ethereum: Improved APIs for accessing transaction history
- Ethereum: Significant internal refactor

### Fixed

- Linux: Bugs related to handling of closed files
- Ethereum: Handling of symbolic callers/addresses
- Ethereum: Gas handling on CALL instructions
- Various smtlib/expression fixes

### Removed

- Support for Python 2
- EVM disassembler/assembler module (EVMAsm) has been removed and separately released as [pyevmasm](https://github.com/trailofbits/pyevmasm)
- Experimental support for Binary Ninja IL emulation

## 0.1.10 - 2018-06-22

Thanks to our external contributors!

- [khorben](https://github.com/khorben)
- [catenacyber](https://github.com/catenacyber)
- [dwhjames](https://github.com/dwhjames)
- [matiasb](https://github.com/matiasb)
- [reaperhulk](https://github.com/reaperhulk)
- [lazzarello](https://github.com/lazzarello)

### Added

- ARM: New instructions to better support Raspberry Pi binaries (UTXH, UQSUB8)
- Linux: Can use `--env` and `LD_LIBRARY_PATH` to specify alternate ELF interpreter locations for dynamic binaries
- Linux: Partial chroot(2) and fork(2) models
- Initial support for NetBSD hosts
- Ethereum: `--avoid-constant` cli argument to enable heuristics to avoid unnecessary exploration of constant functions

### Changed

- Ethereum detectors are now opt-in, via cli flags: `--detect-overflow`, `--detect-invalid`, `--detect-uninitialized-memory`, `--detect-uninitialized-storage`, `--detect-all`
- Ethereum: Complete internal refactor.
    - Model memory using smtlib arrays to better support symbolic indexing
    - Numerous internal API improvements
    - Better symbolic gas support
    - More advanced overflow detection heuristics
    - Account names, scripts can assign names to accounts or contracts
    - Better ABI serializer/deserializer for canonical types, supports tuples/structs and recursive types
    - State list iterations improvements, modifications to state persist
    - Symbolic caller, address, value and data in transactions

### Fixed

- Linux: Generate concretized file content for symbolic files
- Linux: Fixes in various syscall models (brk, stat*), and miscellaneous fixes
- Ethereum: Inaccurate transaction history in some cases