def add(self, cst, gadget_num, preCond=CTrue()):
if (not cst in self.values):
self.values[cst] = []
self.preConditions[cst] = []
index = find_insert_index(self.values[cst], gadget_num)
self.values[cst].insert(index, gadget_num)
self.preConditions[cst].insert(index, preCond)
def addExpr(self,
addr_reg,
addr_cst,
reg,
cst,
gadget_num,
preCond=CTrue()):
if (not addr_cst in self.registers[addr_reg]):
self.registers[addr_reg][addr_cst] = REGList()
self.registers[addr_reg][addr_cst].add(reg, cst, gadget_num, preCond)
def flattenITE(self):
newArgs = [a[0].flattenITE() for a in self.args]
listArgs = [[[], CTrue()]]
tmp = []
for listA in newArgs:
for a in listA:
for arg in listArgs:
tmp.append(arg[0] + [a[0]], Cond(CT.AND, arg[1], a[1]))
listArgs = tmp
# listArgs contains now an array of couples ( list, condition )
res = [[Concat(a[0]), a[1]] for a in listArgs]
return res
def getSemantics(self, value):
if( isinstance( value, Expr)):
return self.semantics.get(value)
else:
# Try to translate into a reg
if( isinstance(value, int)):
num = value
elif( value in Arch.regNameToNum ):
num = Arch.n2r(value)
else:
return []
# Return corresponding if present
if( num in self.graph.lastMod ):
reg = SSAReg(num, self.graph.lastMod[num])
return self.semantics.get(reg)
# Or return the same
else:
return [SPair(SSAExpr(num, 0), CTrue())]
def flattenITE(self):
return [[self, CTrue()]]
from ropgenerator.Expressions import * from ropgenerator.Conditions import CTrue, CFalse Arch.currentArch = Arch.ArchX86 size = 32 r0_0 = SSAExpr(0, 0) r1_0 = SSAExpr(1, 0) r1_1 = SSAExpr(1, 1) r1_2 = SSAExpr(1, 2) r2_0 = SSAExpr(2, 0) r2_1 = SSAExpr(2, 1) expr1_1 = OpExpr(Op.ADD, [r0_0, ConstExpr(4, size)]) expr2_1 = OpExpr(Op.ADD, [r2_0, r1_1]) expr3_1 = Concat([r2_1, OpExpr(Op.SUB, [r0_0, r0_0])]) s = Semantics() s.registers[SSAReg(0, 0)] = [SPair(r0_0, CTrue())] s.registers[SSAReg(1, 0)] = [SPair(r1_0, CTrue())] s.registers[SSAReg(1, 1)] = [SPair(r0_0, CTrue())] s.registers[SSAReg(2, 1)] = [SPair(expr2_1, CTrue())] s.registers[SSAReg(2, 0)] = [SPair(r2_0, CTrue()), SPair(r0_0, CFalse())] s.registers[SSAReg(3, 1)] = [SPair(expr3_1, CTrue())] print(s) s.simplifyValues() print(s) s.simplifyConditions() print(s)
def addCst(self, addr_reg, addr_cst, cst, gadget_num, preCond=CTrue()):
if (not addr_cst in self.registers[addr_reg]):
self.registers[addr_reg][addr_cst] = CSTList()
self.registers[addr_reg][addr_cst].add(cst, gadget_num, preCond)
def add(self, reg, cst, gadget_num, preCond=CTrue()):
if (not reg in self.registers):
self.registers[reg] = CSTList()
self.registers[reg].add(cst, gadget_num, preCond)
def simplifyValues(self):
"""
Simplifies basic operations, conditions, etc, in order to have
only basic values left ('basic' is the initial state variables,
so Expr with SSA forms of R?_0)
"""
def simplifyReg(semantics, ssaReg):
"""
Compute the basic value for the register
"""
res = []
tmpRes = []
if (ssaReg.ind == 0):
semantics.simplifiedRegs[ssaReg] = True
return
# For each possible value
for pair in semantics.registers[ssaReg]:
newPairs = [pair]
# (1) For each sub register in expressions
for subReg in pair.expr.getRegisters():
# Simplify values for sub register
if (not subReg in semantics.simplifiedRegs):
simplifyReg(self, subReg)
# And replace by its possible values
tmp = []
for p in newPairs:
if (not subReg in p.expr.getRegisters()):
continue
for subPair in semantics.registers[subReg]:
tmp.append(SPair(p.expr.replaceReg(subReg, subPair.expr),\
Cond(CT.AND, subPair.cond, p.cond)))
newPairs = tmp
tmpRes += newPairs
# (2) For each sub register in conditions
for subReg in pair.cond.getRegisters():
# Simplify values for sub register
if (not subReg in semantics.simplifiedRegs):
simplifyReg(semantics, subReg)
# And replace by its possible values
tmp = []
for subPair in semantics.registers[subReg]:
for p in tmpRes:
tmp.append(SPair(p.expr, Cond(CT.AND, \
p.cond.replaceReg(subReg, subPair.expr), subPair.cond)))
tmpRes = tmp
res = tmpRes
# Dont forget to save and mark it as simplified ;)
semantics.registers[ssaReg] = res
semantics.simplifiedRegs[ssaReg] = True
# Initialize replaceTable
for reg in self.registers.keys():
if (len(self.registers[reg]) == 1):
self.simplifiedRegs[reg] = True
# Replace interatively registers until
for reg in self.registers:
simplifyReg(self, reg)
# Replace registers in memory accesses
newMemory = dict()
for addr in self.memory:
# (1) First we simplify what we write
memoryValues = []
for pair in self.memory[addr]:
# First we replace registers in expression fields
newPairs = [pair]
for subReg in pair.expr.getRegisters():
tmp = []
for subPair in self.registers[subReg]:
for p in newPairs:
tmp.append(SPair(p.expr.replaceReg(subReg, subPair.expr),\
Cond(CT.AND, p.cond, subPair.cond)))
newPairs = tmp
# Then we replace registers in the condition fields
for subReg in pair.cond.getRegisters():
tmp = []
for subPair in self.registers[subReg]:
for p in newPairs:
tmp.append( SPair(p.expr,Cond(CT.AND, subPair.cond,\
p.cond.replaceReg(subReg, subPair.expr))))
newPairs = tmp
memoryValues += newPairs
# (2) Then simplify where we write
addrValues = [SPair(addr, CTrue())]
for subReg in addr.getRegisters():
for subPair in self.registers[subReg]:
addrValues = [SPair(p.expr.replaceReg(subReg, subPair.expr), \
Cond(CT.AND, subPair.cond, p.cond)) for p in addrValues]
# Combine memoryValues and addressValues
for addrPair in addrValues:
tmp = [
SPair(p.expr, Cond(CT.AND, p.cond, addrPair.cond))
for p in memoryValues
]
newAddr = addrPair.expr.simplify()
newMemory[newAddr] = tmp
# Update memory semantics with the new ones
self.memory = newMemory