Uncategorized

LAVA: Large-scale Automated Vulnerability Addition for PANDA

Re: https://firmwaresecurity.com/2015/11/23/panda-vm/ and https://firmwaresecurity.com/2016/12/01/panda-2-0-released/

PANDA is an open-source Platform for Architecture-Neutral Dynamic Analysis. It is built upon the QEMU whole system emulator, and so analyses have access to all code executing in the guest and all data. PANDA adds the ability to record and replay executions, enabling iterative, deep, whole system analyses. Further, the replay log files are compact and shareable, allowing for repeatable experiments. A nine billion instruction boot of FreeBSD, e.g., is represented by only a few hundred MB. PANDA leverages QEMU’s support of thirteen different CPU architectures to make analyses of those diverse instruction sets possible within the LLVM IR. In this way, PANDA can have a single dynamic taint analysis, for example, that precisely supports many CPUs. PANDA analyses are written in a simple plugin architecture which includes a mechanism to share functionality between plugins, increasing analysis code re-use and simplifying complex analysis development.

LAVA (Large Scale Automated Vulnerability Addition) for PANDA:

Evaluating and improving bug-finding tools is currently difficult due to a shortage of ground truth corpora (i.e., software that has known bugs with triggering inputs). LAVA attempts to solve this problem by automatically injecting bugs into software. Every LAVA bug is accompanied by an input that triggers it whereas normal inputs are extremely unlikely to do so. These vulnerabilities are synthetic but, we argue, still realistic, in the sense that they are embedded deep within programs and are triggered by real inputs. Our work forms the basis of an approach for generating large ground-truth vulnerability corpora on demand, enabling rigorous tool evaluation and providing a high-quality target for tool developers. 

https://github.com/panda-re/lava

https://github.com/panda-re/panda

PANDA’s LAVA is separate from the Linaro LAVA project, which the Tags on this blog points to.

 

 

Standard
Uncategorized

Phasar, LLVM-based static-analysis framework

Phasar is a LLVM-based static analysis framework written in C++. It allows users to specify arbitrary data-flow problems which are then solved in a fully-automated manner on the specified LLVM IR target code. Computing points-to information, call-graph(s), etc. is done by the framework, thus you can focus on what matters.

https://phasar.org/

https://phasar.org/tutorial/

https://github.com/pdschubert/phasar

alt text

 

Standard
Uncategorized

Symbiotic: tool for finding bugs in computer programs based on instrumentation, program slicing and KLEE

Symbiotic is a tool for analysis of computer programs. It can check all common safety properties like assertion violations, invalid pointer dereference, double free, memory leaks, etc. Symbiotic uses three well-know techniques: instrumentation, program slicing, and symbolic execution. We use LLVM as program representation.

https://github.com/staticafi/symbiotic

http://staticafi.github.io/symbiotic/

Standard
Uncategorized

LLVM: Speculative Load Hardening (a Spectre variant #1 mitigation)

http://lists.llvm.org/pipermail/llvm-dev/2018-March/122085.html

 

Standard
Uncategorized

LLVM 6.0.0 Released, includuing Spectre variant2 mitigations

This release is the result of the community’s work over the past six months, including: retpoline Spectre variant 2 mitigation, significantly improved CodeView debug info for Windows, GlobalISel by default for AArch64 at -O0, improved scheduling on several x86 micro-architectures, Clang defaults to -std=gnu++14 instead of -std=gnu++98, support for some upcoming C++2a features, improved optimizations, new compiler warnings, many bug fixes, and more.

https://llvm.org/releases/download.html#6.0.0
https://llvm.org/releases/6.0.0/docs/ReleaseNotes.html
https://llvm.org/releases/6.0.0/tools/clang/docs/ReleaseNotes.html
https://llvm.org/releases/6.0.0/tools/clang/tools/extra/docs/ReleaseNotes.html
https://llvm.org/releases/6.0.0/tools/lld/docs/ReleaseNotes.html
http://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-announce

Standard
Uncategorized

Trail of Bits releases McSema 2.0: Framework for lifting x86, amd64, and aarch64 program binaries to LLVM bitcode

Heavy lifting with McSema 2.0

Four years ago, we released McSema, our x86 to LLVM bitcode binary translator. Since then, it has stretched and flexed; we added x86-64 support, put it on a performance-focused diet, and improved its usability and documentation. McSema wasn’t the only thing improving these past years, though. At the same time, programs were increasingly adopting modern x86 features like the advanced vector extensions (AVX) instructions, which operate on 256-bit wide vector registers. Adjusting to these changes was back-breaking but achievable work. Then our lifting goals expanded to include AArch64, the architecture used by modern smartphones. That’s when we realized that we needed to step back and strengthen McSema’s core. This change in focus paid off; now McSema can transpile AArch64 binaries into x86-64! Keep reading for more details.[…]

Heavy lifting with McSema 2.0

https://github.com/trailofbits/mcsema

https://github.com/trailofbits/mcsema/blob/master/docs/McSemaWalkthrough.md

https://www.trailofbits.com/research-and-development/mcsema/

 

Standard
Uncategorized

LLVM 5.0.0 released

Lots of changes for Intel/AMD/ARM/MIPS/PowerPC, eg AMD Rhyzen support. And new PDB tool. Clang has new diagnostic/”lint” abilities. The static analyzer uses Microsoft’s Z3 solver. New C and C++ features (wow, C++ is at C++17 already!). Many other changes! I wish I had time to look at it more detail today… 😦

http://releases.llvm.org/5.0.0/docs/ReleaseNotes.html
http://releases.llvm.org/5.0.0/tools/clang/docs/ReleaseNotes.html
http://releases.llvm.org/5.0.0/tools/clang/tools/extra/docs/ReleaseNotes.html

http://lists.llvm.org/pipermail/llvm-announce/2017-September/000075.html

https://en.wikipedia.org/wiki/C%2B%2B17

Standard