Beispiel #1
0
    def test_getchar(self):
        m = ManticoreWASM(if_check_file, env={"getchar": getchar2})
        m.main()
        results = []
        for idx, val_list in enumerate(m.collect_returns()):
            results.append(val_list[0][0])

        self.assertEqual(sorted(results), [-1, 0])
Beispiel #2
0
    def test_trace(self):
        """
        This checks the sequence of pushes and pops that take place during an example execution.
        That sequence isn't meant to be invariant, so if you change the implementation and break
        this test, by all means, replace it with the new sequence.
        :return:
        """

        def arg_gen(_state):
            return [I32(1337)]

        m = ManticoreWASM(wasm_file)
        tracker_plugin = StackTrackerPlugin()
        m.register_plugin(tracker_plugin)
        m.invoke("collatz", arg_gen)
        m.run()

        results = []
        for idx, val_list in enumerate(m.collect_returns()):
            results.append(val_list[0][0])

        self.assertEqual(sorted(results), [44])
        push_pop_seq = "".join(tracker_plugin.context.get("push_pop_seq"))

        self.assertEqual(push_pop_seq, "+-" * 892)
Beispiel #3
0
    def test_getchar(self):
        m = ManticoreWASM(wasm_file, env={"getchar": getchar})
        m.invoke("main")
        m.run()
        results = []
        for idx, val_list in enumerate(m.collect_returns()):
            results.append(val_list[0][0])

        self.assertEqual(sorted(results), [0, 1, 2, 5, 7, 8, 16])
Beispiel #4
0
    def test_symbolic_args(self):
        m = ManticoreWASM(wasm_file, env={})
        m.invoke("collatz", arg_gen)
        m.run()

        results = []
        for idx, val_list in enumerate(m.collect_returns()):
            results.append(val_list[0][0])

        self.assertEqual(sorted(results), [2, 3, 8])

        m.finalize()

        inputs = []
        for fn in glob.glob(m.workspace + "/*.input"):
            with open(fn, "r") as f:
                raw = f.read().strip()
                inputs.append(int(raw.replace("collatz_arg: ", "")))

        self.assertEqual(sorted(inputs), [4, 6, 8])
Beispiel #5
0
    def test_implicit_call(self):
        m = ManticoreWASM(collatz_file)
        counter_plugin = CallCounterPlugin()
        m.register_plugin(counter_plugin)
        m.collatz(lambda s: [I32(1337)])

        counts = counter_plugin.context.get("counter")

        self.assertEqual(counts["br_if"], 45)
        self.assertEqual(counts["loop"], 44)
        self.assertEqual(counts["i32.add"], 88)

        results = []
        for idx, val_list in enumerate(m.collect_returns()):
            results.append(val_list[0][0])

        self.assertEqual(sorted(results), [44])

        m.collatz(lambda s: [I32(1338)])
        results = []
        for idx, val_list in enumerate(m.collect_returns()):
            results.append(val_list[0][0])

        self.assertEqual(sorted(results), [70])
Beispiel #6
0
    def test_plugin(self):
        def arg_gen(_state):
            return [I32(1337)]

        m = ManticoreWASM(wasm_file)
        counter_plugin = CallCounterPlugin()
        m.register_plugin(counter_plugin)
        m.invoke("collatz", arg_gen)
        m.run()

        # counts = m.context.get("<class 'test_examples.CallCounterPlugin'>").get("counter")
        counts = counter_plugin.context.get("counter")

        self.assertEqual(counts["br_if"], 45)
        self.assertEqual(counts["loop"], 44)
        self.assertEqual(counts["i32.add"], 88)

        results = []
        for idx, val_list in enumerate(m.collect_returns()):
            results.append(val_list[0][0])

        self.assertEqual(sorted(results), [44])
Beispiel #7
0
    def test_br_if(self):
        m = ManticoreWASM(test_br_if_file)

        def arg_gen(state):
            arg = state.new_symbolic_value(32, "arg")
            state.context["arg"] = arg
            return [arg]

        m.main(arg_gen)
        m.run()

        assert any((self.can_terminate_with(0, state) for state in m.terminated_states))
Beispiel #8
0
from manticore.wasm import ManticoreWASM

from manticore.wasm.structure import MemInst
# from manticore.core.plugin import Plugin


def args(state):
    arg1 = state.new_symbolic_value(32, "arg1")
    arg2 = state.new_symbolic_value(32, "arg2")
    state.constrain(arg1 == 256)
    state.constrain(arg2 == 256)
    return [arg1, arg2]


mem = MemInst([0x0] * 1024 * 1024)
m = ManticoreWASM("tweetNacl.wasm", sup_env={"js": {"memory": mem}})
# m.register_plugin(PrintRetPlugin())
m.crypto_verify_16(args)

for idx, val_list in enumerate(m.collect_returns()):
    print("State", idx, "::", val_list[0])

m.finalize()
Beispiel #9
0
"""

from manticore.wasm import ManticoreWASM
from manticore.wasm.types import I32
from manticore.core.plugin import Plugin
from manticore.utils.log import set_verbosity


print(
    """

============ Example 1 ============
"""
)

m = ManticoreWASM("collatz.wasm")
set_verbosity(2)


def arg_gen(state):
    # Generate a symbolic argument to pass to the collatz function.
    # Possible values: 4, 6, 8
    arg = state.new_symbolic_value(32, "collatz_arg")
    state.constrain(arg > 3)
    state.constrain(arg < 9)
    state.constrain(arg % 2 == 0)
    return [arg]


# Tell Manticore to run the collatz function with the given argument generator.
# We use an argument generator function instead of a list of arguments because Manticore
Beispiel #10
0
    n = state.new_symbolic_value(32, "n")
    state.constrain(n == 16*4+16*4+16*4)

    ctr = state.new_symbolic_value(32, "ctr")
    state.constrain(ctr == 0)

    return [leng, out, text, key, n, ctr]

mem = MemInst([0x0] * 1024)
kremlin = { "mem":  mem}
m = ManticoreWASM("Hacl_Salsa20.wasm", 
        sup_env={ 
            "Kremlin": kremlin,
            "WasmSupport": {},
            "FStar": {},
            "Hacl_Impl_Blake2_Constants": {},
            "Hacl_Blake2b_32": {},
            "Hacl_Blake2s_32": {},
            "Hacl_Hash": {},
            "Hacl_SHA3": {},
            "Hacl_Chacha20": {}
            })
# m.register_plugin(PrintRetPlugin())
m.Hacl_Salsa20_salsa20_encrypt(args)

for idx, val_list in enumerate(m.collect_returns()):
    print("State", idx, "::", val_list[0])

m.finalize()
Beispiel #11
0
    """ Symbolic `getchar` implementation. Returns an arbitrary single byte """
    res = state.new_symbolic_value(32, "getchar_res")
    state.constrain(0 < res)
    state.constrain(res < 256)
    return [res]


class PrintRetPlugin(Plugin):
    """ A plugin that looks for states that returned zero and solves for their inputs """
    def will_terminate_state_callback(self, state, *args):
        retval = state.stack.peek()
        if retval == 0:
            print("Solution found!")
            for sym in state.input_symbols:
                solved = state.solve_one(sym)
                print(f"{sym.name}: {chr(solved)} --> Return {retval}")


# Pass our symbolic implementation of the `getchar` function into the WASM environment
# as an import.
m = ManticoreWASM("if_check.wasm", env={"getchar": getchar})

# Register our state termination callback
m.register_plugin(PrintRetPlugin())

# Run the main function, which will call getchar
m.main()

# Save a copy of the inputs to the disk
m.finalize()
Beispiel #12
0
    def test_resume(self):
        m = ManticoreWASM(collatz_file)
        plugin = CallCounterPlugin()
        m.register_plugin(plugin)
        m.collatz(lambda s: [I32(1337)])
        m.run()

        counts_canonical = plugin.context.get("counter")

        m = ManticoreWASM(collatz_file)
        plugin = SerializerPlugin()
        m.register_plugin(plugin)
        m.collatz(lambda s: [I32(1337)])
        m.run()

        counts_save = plugin.context.get("counter")

        m = ManticoreWASM.from_saved_state("/tmp/collatz_checkpoint.pkl")
        plugin = CallCounterPlugin()
        m.register_plugin(plugin)
        m.run()

        counts_resume = plugin.context.get("counter")

        for k in counts_canonical:
            with self.subTest(k):
                self.assertEqual(
                    counts_save.get(k, 0) + counts_resume.get(k, 0),
                    counts_canonical[k],
                    f"Mismatched {k} count",
                )

        results = []
        for idx, val_list in enumerate(m.collect_returns()):
            results.append(val_list[0][0])

        self.assertEqual(sorted(results), [44])
Beispiel #13
0
from manticore.wasm import ManticoreWASM

from manticore.wasm.structure import MemInst
# from manticore.core.plugin import Plugin

mem = MemInst([0x0] * 1024)
m = ManticoreWASM("pub_tea.wasm", sup_env={"js": {"memory": mem}})
# m.register_plugin(PrintRetPlugin())
m.encrypt()

for idx, val_list in enumerate(m.collect_returns()):
    print("State", idx, "::", val_list[0])

m.finalize()
Beispiel #14
0
    return [val]


def fd_write(state):
    val = state.new_symbolic_value(32, "fd_write")
    state.constrain(val == 0)
    return [val]


#mem = MemInst([0x0] * 1024)
m = ManticoreWASM(
    "lsod.wasm",
    sup_env={
        "wasi_snapshot_preview1": {
            "proc_exit": proc_exit,
            #      "poll_oneoff": poll_oneoff,
            #      "fd_close": fd_close,
            #      "fd_fdstat_get": fd_fdstat_get,
            #      "fd_seek": fd_seek,
            #      "fd_write": fd_write,
            "random_get": random_get
        }
    })
# m.register_plugin(PrintRetPlugin())
m.__original_main()

for idx, val_list in enumerate(m.collect_returns()):
    print("State", idx, "::", val_list[0])

m.finalize()
Beispiel #15
0
"""

from manticore.wasm import ManticoreWASM
from manticore.wasm.types import I32
from manticore.core.plugin import Plugin
from manticore.utils.log import set_verbosity


print(
    """

============ Example 1 ============
"""
)

m = ManticoreWASM("collatz.wasm")
set_verbosity(2)


def arg_gen(state):
    # Generate a symbolic argument to pass to the collatz function.
    # Possible values: 4, 6, 8
    arg = state.new_symbolic_value(32, "collatz_arg")
    state.constrain(arg > 3)
    state.constrain(arg < 9)
    state.constrain(arg % 2 == 0)
    return [arg]


# Set up Manticore to run the collatz function with the given argument generator.
# We use an argument generator function instead of a list of arguments because Manticore