def test_congruency_2(self): ''' (set-logic ALL) (declare-fun recv_input_4_1024 () String) (assert (< ( str.indexof recv_input_4_1024 "\r\n\r\n" 0) 0)) (assert (<= 0 ( str.indexof recv_input_4_1024 " \r\n" 0))) (assert (<= 0 ( str.indexof recv_input_4_1024 " \r\n" (+ ( str.indexof recv_input_4_1024 " \r\n" 0) 1)))) (assert (<= 0 ( str.indexof recv_input_4_1024 " \r\n" (+ ( str.indexof recv_input_4_1024 " \r\n" (+ ( str.indexof recv_input_4_1024 " \r\n" 0) 1)) 1)))) (assert (= "GET" ( str.substr ( str.substr recv_input_4_1024 (+ ( str.indexof recv_input_4_1024 " \r\n" (+ ( str.indexof recv_input_4_1024 " \r\n" 0) 1)) 1) ( str.indexof recv_input_4_1024 " \r\n" (+ ( str.indexof recv_input_4_1024 " \r\n" (+ ( str.indexof recv_input_4_1024 " \r\n" 0) 1)) 1) ) ) 10 1014))) (check-sat) ''' recv_input = claripy.StringS('recv_input', 1024) constraints = [] def field_sep_idx(s, start_idx=0): return claripy.StrIndexOf(s, claripy.StringV(' \r\n'), start_idx, 32) constraints.append( claripy.StrIndexOf(recv_input, claripy.StringV('\r\n\r\n'), 0, 32) < 0) sep_idx_1 = field_sep_idx(recv_input) sep_idx_2 = field_sep_idx(recv_input, start_idx=sep_idx_1 + 1) sep_idx_3 = field_sep_idx(recv_input, start_idx=sep_idx_2 + 1) sep_idx_4 = field_sep_idx(recv_input, start_idx=sep_idx_3 + 1) constraints.append(sep_idx_1 >= 0) constraints.append(sep_idx_2 >= 0) constraints.append(sep_idx_3 >= 0) sub_start = sep_idx_2 + 1 sub_end = sep_idx_3 sub_str = claripy.StrSubstr(recv_input, sub_start, sub_end) constraints.append( claripy.StrSubstr(sub_str, 10, 1014) == claripy.StringV("GET")) results = self._collect_generic_solver_test_data((recv_input, ), constraints) self._generic_consistency_check(results) self._generic_congruency_check(results['solvers'], results)
def run(self, this_str, index): log.debug( 'Called SimProcedure java.lang.String.charAt with args: {} {}'. format(this_str, index)) char_str = claripy.StrSubstr(index, claripy.BVV(1, 32), self.state.memory.load(this_str)) return SimSootValue_StringRef.new_string(self.state, char_str)
def test_substr_simplification(self): str_concrete = claripy.StringV("concrete") solver = self.get_solver() # TODO: Make sure that semantics of Substr match the ones of SMTLib substr solver.add( claripy.StrSubstr(1, 2, str_concrete) == claripy.StringV('on')) self.assertTrue(solver.satisfiable()) result = solver.eval(str_concrete, 2) self.assertEqual(list(result), ["concrete"])
def test_substr(self): str_symbol = claripy.StringS("symb_subst", 4, explicit_name=True) solver = self.get_solver() solver.add(claripy.StrSubstr(1, 2, str_symbol) == claripy.StringV('o')) self.assertTrue(solver.satisfiable()) results = solver.eval(str_symbol, 2 if KEEP_TEST_PERFORMANT else 100) self.assertEqual(len(results), 2 if KEEP_TEST_PERFORMANT else 100) for s in results: self.assertTrue(s[1:2] == 'o')
def test_substr_BV_concrete_index(self): str_symbol = claripy.StringS("symb_subst", 4, explicit_name=True) solver = self.get_solver() bv1 = claripy.BVV(1, 32) bv2 = claripy.BVV(2, 32) res = claripy.StrSubstr(bv1, bv2, str_symbol) == claripy.StringV('on') solver.add(res) self.assertTrue(solver.satisfiable()) self.assertEqual('on', solver.eval(str_symbol, 1)[0][1:3])
def test_substr_simplification(self): correct_script = '''(set-logic ALL) (check-sat) ''' str_concrete = claripy.StringV("concrete") solver = self.get_solver() solver.add( claripy.StrSubstr(1, 2, str_concrete) == claripy.StringV('on')) script = solver.get_smtlib_script_satisfiability() self.assertEqual(correct_script, script)
def test_substr(self): correct_script = '''(set-logic ALL) (declare-fun {0}symb_subst () String) (assert (let ((.def_0 (= ( str.substr {0}symb_subst 1 2) "on"))) .def_0)) (check-sat) '''.format(String.STRING_TYPE_IDENTIFIER) str_symbol = claripy.StringS("symb_subst", 4, explicit_name=True) solver = self.get_solver() res = claripy.StrSubstr(1, 2, str_symbol) == claripy.StringV('on') solver.add(res) script = solver.get_smtlib_script_satisfiability() # with open("dump_substr.smt2", "w") as dump_f: # dump_f.write(script) self.assertEqual(correct_script, script)
def test_substr_BV_symbolic_index(self): str_symbol = claripy.StringS("symb_subst", 4, explicit_name=True) solver = self.get_solver() start = claripy.BVS("start_idx", 32) count = claripy.BVS("count", 32) res = claripy.StrSubstr(start, count, str_symbol) == claripy.StringV('on') solver.add(res) self.assertTrue(solver.satisfiable()) self.assertEqual( 'on', solver.eval(str_symbol, 1, extra_constraints=(start == 0, count == 2))[0][0:2]) self.assertEqual( 'on', solver.eval(str_symbol, 1, extra_constraints=(start == 1, count == 2))[0][1:3]) self.assertEqual( 'on', solver.eval(str_symbol, 1, extra_constraints=(start == 2, count == 2))[0][2:4]) self.assertEqual( 'on', solver.eval(str_symbol, 1, extra_constraints=(start == 2, count == 3))[0][2:4]) self.assertEqual( 'on', solver.eval(str_symbol, 1, extra_constraints=(start == 2, count == 4))[0][2:4]) self.assertEqual( 'on', solver.eval(str_symbol, 1, extra_constraints=(start == 0, count == 3))[0]) self.assertEqual( 'on', solver.eval(str_symbol, 1, extra_constraints=(start == 1, count == 4))[0][1:])
def test_substr_BV_mixed_index(self): correct_script = '''(set-logic ALL) (declare-fun {0}symb_subst () String) (declare-fun symb_subst_start_idx () Int) (assert (let ((.def_0 (= ( str.substr {0}symb_subst symb_subst_start_idx 2) "on"))) .def_0)) (check-sat) '''.format(String.STRING_TYPE_IDENTIFIER) str_symbol = claripy.StringS("symb_subst", 4, explicit_name=True) solver = self.get_solver() bv1 = claripy.BVS("symb_subst_start_idx", 32, explicit_name=True) bv2 = claripy.BVV(2, 32) res = claripy.StrSubstr(bv1, bv2, str_symbol) == claripy.StringV('on') solver.add(res) script = solver.get_smtlib_script_satisfiability() # with open("dump_substr_bv_symbolic.smt2", "w") as dump_f: # dump_f.write(script) self.assertEqual(correct_script, script)