def test_index_of_simplification(self): str_concrete = claripy.StringV("concrete") solver = self.get_solver() res = claripy.StrIndexOf(str_concrete, claripy.StringV("rete"), 0, 32) target_idx = 4 if KEEP_TEST_PERFORMANT else 100 solver.add(res == target_idx) self.assertTrue(solver.satisfiable()) self.assertEqual(tuple(), tuple(solver.constraints)) self.assertEqual((target_idx, ), solver.eval(res, 2))
def test_suffix_simplification(self): str_concrete = claripy.StringV("concrete") solver = self.get_solver() res = claripy.StrSuffixOf(claripy.StringV("rete"), str_concrete) solver.add(res) self.assertTrue(solver.satisfiable()) self.assertEqual(tuple(), tuple(solver.constraints)) self.assertEqual(("concrete", ), solver.eval(str_concrete, 2)) self.assertEqual((True, ), solver.eval(res, 2))
def test_substr_simplification(self): str_concrete = claripy.StringV("concrete") solver = self.get_solver() # TODO: Make sure that semantics of Substr match the ones of SMTLib substr solver.add( claripy.StrSubstr(1, 2, str_concrete) == claripy.StringV('on')) self.assertTrue(solver.satisfiable()) result = solver.eval(str_concrete, 2) self.assertEqual(list(result), ["concrete"])
def test_congruency_2(self): ''' (set-logic ALL) (declare-fun recv_input_4_1024 () String) (assert (< ( str.indexof recv_input_4_1024 "\r\n\r\n" 0) 0)) (assert (<= 0 ( str.indexof recv_input_4_1024 " \r\n" 0))) (assert (<= 0 ( str.indexof recv_input_4_1024 " \r\n" (+ ( str.indexof recv_input_4_1024 " \r\n" 0) 1)))) (assert (<= 0 ( str.indexof recv_input_4_1024 " \r\n" (+ ( str.indexof recv_input_4_1024 " \r\n" (+ ( str.indexof recv_input_4_1024 " \r\n" 0) 1)) 1)))) (assert (= "GET" ( str.substr ( str.substr recv_input_4_1024 (+ ( str.indexof recv_input_4_1024 " \r\n" (+ ( str.indexof recv_input_4_1024 " \r\n" 0) 1)) 1) ( str.indexof recv_input_4_1024 " \r\n" (+ ( str.indexof recv_input_4_1024 " \r\n" (+ ( str.indexof recv_input_4_1024 " \r\n" 0) 1)) 1) ) ) 10 1014))) (check-sat) ''' recv_input = claripy.StringS('recv_input', 1024) constraints = [] def field_sep_idx(s, start_idx=0): return claripy.StrIndexOf(s, claripy.StringV(' \r\n'), start_idx, 32) constraints.append( claripy.StrIndexOf(recv_input, claripy.StringV('\r\n\r\n'), 0, 32) < 0) sep_idx_1 = field_sep_idx(recv_input) sep_idx_2 = field_sep_idx(recv_input, start_idx=sep_idx_1 + 1) sep_idx_3 = field_sep_idx(recv_input, start_idx=sep_idx_2 + 1) sep_idx_4 = field_sep_idx(recv_input, start_idx=sep_idx_3 + 1) constraints.append(sep_idx_1 >= 0) constraints.append(sep_idx_2 >= 0) constraints.append(sep_idx_3 >= 0) sub_start = sep_idx_2 + 1 sub_end = sep_idx_3 sub_str = claripy.StrSubstr(recv_input, sub_start, sub_end) constraints.append( claripy.StrSubstr(sub_str, 10, 1014) == claripy.StringV("GET")) results = self._collect_generic_solver_test_data((recv_input, ), constraints) self._generic_consistency_check(results) self._generic_congruency_check(results['solvers'], results)
def test_or(self): str_symb = claripy.StringS("Symb_or", 4, explicit_name=True) solver = self.get_solver() res = claripy.Or((str_symb == claripy.StringV("abc")), (str_symb == claripy.StringV("ciao"))) solver.add(res) self.assertTrue(solver.satisfiable()) result = solver.eval(str_symb, 3 if KEEP_TEST_PERFORMANT else 100) self.assertEqual({'ciao', 'abc'}, set(result))
def test_substr_simplification(self): correct_script = '''(set-logic ALL) (check-sat) ''' str_concrete = claripy.StringV("concrete") solver = self.get_solver() solver.add( claripy.StrSubstr(1, 2, str_concrete) == claripy.StringV('on')) script = solver.get_smtlib_script_satisfiability() self.assertEqual(correct_script, script)
def test_index_of_simplification(self): correct_script = '''(set-logic ALL) (check-sat) ''' str_concrete = claripy.StringV("concrete") solver = self.get_solver() res = claripy.StrIndexOf(str_concrete, claripy.StringV("rete"), 0, 32) solver.add(res == 4) script = solver.get_smtlib_script_satisfiability() self.assertEqual(correct_script, script)
def test_suffix_simplification(self): correct_script = '''(set-logic ALL) (check-sat) ''' str_concrete = claripy.StringV("concrete") solver = self.get_solver() res = claripy.StrSuffixOf(claripy.StringV("rete"), str_concrete) solver.add(res) script = solver.get_smtlib_script_satisfiability() self.assertEqual(correct_script, script)
def test_contains_simplification(self): correct_script = '''(set-logic ALL) (check-sat) ''' str_concrete = claripy.StringV("concrete") solver = self.get_solver() res = claripy.StrContains(str_concrete, claripy.StringV("nc")) solver.add(res) script = solver.get_smtlib_script_satisfiability() self.assertEqual(correct_script, script)
def test_concat(self): str_concrete = claripy.StringV("conc") str_symbol = claripy.StringS("symb_concat", 4, explicit_name=True) solver = self.get_solver() res = str_concrete + str_symbol solver.add(res == claripy.StringV("concrete")) self.assertTrue(solver.satisfiable()) result = solver.eval(str_symbol, 2) self.assertEqual(1, len(result)) self.assertEqual("rete", result[0]) result = solver.eval_to_ast(str_symbol, 2) self.assertEqual([claripy.StringV("rete")], list(result))
def test_or(self): correct_script = '''(set-logic ALL) (declare-fun {0}Symb_or () String) (assert (let ((.def_0 (= {0}Symb_or "ciao"))) (let ((.def_1 (= {0}Symb_or "abc"))) (let ((.def_2 (or .def_1 .def_0))) .def_2)))) (check-sat) '''.format(String.STRING_TYPE_IDENTIFIER) str_symb = claripy.StringS("Symb_or", 4, explicit_name=True) solver = self.get_solver() res = claripy.Or((str_symb == claripy.StringV("abc")), (str_symb == claripy.StringV("ciao"))) solver.add(res) script = solver.get_smtlib_script_satisfiability() # with open("dump_or.smt2", "w") as dump_f: # dump_f.write(script) self.assertEqual(correct_script, script)
def test_concat(self): correct_script = '''(set-logic ALL) (declare-fun {0}symb_concat () String) (assert (let ((.def_0 (str.++ "conc" {0}symb_concat))) (let ((.def_1 (= .def_0 "concrete"))) .def_1))) (check-sat) '''.format(String.STRING_TYPE_IDENTIFIER) str_concrete = claripy.StringV("conc") str_symbol = claripy.StringS("symb_concat", 4, explicit_name=True) solver = self.get_solver() res = str_concrete + str_symbol solver.add(res == claripy.StringV("concrete")) script = solver.get_smtlib_script_satisfiability() # with open("dump_concat.smt2", "w") as dump_f: # dump_f.write(script) self.assertEqual(correct_script, script)
def test_replace_simplification(self): correct_script = '''(set-logic ALL) (check-sat) ''' str_to_replace = claripy.StringV("cane") sub_str_to_repl = claripy.StringV("a") replacement = claripy.StringV("b") repl_stringa = claripy.StrReplace(str_to_replace, sub_str_to_repl, replacement) solver = self.get_solver() solver.add(repl_stringa == claripy.StringV("cbne")) solver = self.get_solver() script = solver.get_smtlib_script_satisfiability() self.assertEqual(correct_script, script)
def test_replace_simplification(self): str_to_replace = claripy.StringV("cane") sub_str_to_repl = claripy.StringV("a") replacement = claripy.StringV("b") repl_stringa = claripy.StrReplace(str_to_replace, sub_str_to_repl, replacement) solver = self.get_solver() solver.add(repl_stringa == claripy.StringV("cbne")) self.assertTrue(solver.satisfiable()) result = solver.eval(repl_stringa, 2) self.assertEqual(["cbne"], list(result)) result = solver.eval(str_to_replace, 2) self.assertEqual(["cane"], list(result))
def run(self, this_ref, separator_ref): log.debug( 'Called SimProcedure java.lang.String.split with args: {}, {}'. format(this_ref, separator_ref)) self.this_ref = this_ref this = self.state.memory.load(this_ref) separator = self.state.memory.load(separator_ref) if this.concrete and separator.concrete: # FIXME: escaping should be fixed in claripy separator_value = self.state.solver.eval(separator).replace( '\\n', '\n') values = self.state.solver.eval(this).split(separator_value) str_array = SimSootExpr_NewArray.new_array( self.state, 'java.lang.String', claripy.BVV(len(values), 32)) for idx, value in enumerate(values): value_ref = SimSootValue_StringRef.new_string( self.state, claripy.StringV(value)) elem_ref = SimSootValue_ArrayRef(str_array, idx) self.state.memory.store(elem_ref, value_ref) else: str_array = SimSootExpr_NewArray.new_array( self.state, 'java.lang.String', claripy.BVS('array_size', 32)) str_array.add_default_value_generator(self.generate_symbolic_array) return str_array
def test_ne(self): str_symb = claripy.StringS("symb_ne", 12, explicit_name=True) solver = self.get_solver() solver.add(str_symb != claripy.StringV("concrete")) self.assertTrue(solver.satisfiable()) result = solver.eval(str_symb, 4 if KEEP_TEST_PERFORMANT else 100) self.assertTrue('concrete' not in result)
def test_substr_BV_concrete_index(self): str_symbol = claripy.StringS("symb_subst", 4, explicit_name=True) solver = self.get_solver() bv1 = claripy.BVV(1, 32) bv2 = claripy.BVV(2, 32) res = claripy.StrSubstr(bv1, bv2, str_symbol) == claripy.StringV('on') solver.add(res) self.assertTrue(solver.satisfiable()) self.assertEqual('on', solver.eval(str_symbol, 1)[0][1:3])
def run(self, this_ref): log.debug( 'Called SimProcedure java.lang.StringBuilder.<init> with args: {}'. format(this_ref)) str_ref = SimSootValue_StringRef.new_string(self.state, claripy.StringV('')) this_ref.store_field(self.state, 'str', 'java.lang.String', str_ref) return
def test_contains(self): str_symb = claripy.StringS("symb_contains", 4, explicit_name=True) res = claripy.StrContains(str_symb, claripy.StringV("an")) solver = self.get_solver() solver.add(res) self.assertTrue(solver.satisfiable()) solutions = solver.eval(str_symb, 4 if KEEP_TEST_PERFORMANT else 100) for sol in solutions: self.assertTrue('an' in sol)
def test_replace(self): str_to_replace_symb = claripy.StringS("symb_repl", 4, explicit_name=True) sub_str_to_repl = claripy.StringV("a") replacement = claripy.StringV("b") solver = self.get_solver() repl_stringa = claripy.StrReplace(str_to_replace_symb, sub_str_to_repl, replacement) solver.add(repl_stringa == claripy.StringV("cbne")) self.assertTrue(solver.satisfiable()) result = solver.eval(repl_stringa, 2) self.assertEqual(list(result), ["cbne"]) result = solver.eval(str_to_replace_symb, 2 if KEEP_TEST_PERFORMANT else 100) self.assertEqual(set(result), {"cbne", "cane"})
def test_substr(self): str_symbol = claripy.StringS("symb_subst", 4, explicit_name=True) solver = self.get_solver() solver.add(claripy.StrSubstr(1, 2, str_symbol) == claripy.StringV('o')) self.assertTrue(solver.satisfiable()) results = solver.eval(str_symbol, 2 if KEEP_TEST_PERFORMANT else 100) self.assertEqual(len(results), 2 if KEEP_TEST_PERFORMANT else 100) for s in results: self.assertTrue(s[1:2] == 'o')
def test_congruency_1(self): recv_input = claripy.StringS('recv_input', 1024) constraints = [] constraints.append(0 <= claripy.StrIndexOf( recv_input, claripy.StringV("\r\n\r\n"), 0, 32)) results = self._collect_generic_solver_test_data((recv_input, ), constraints) self._generic_consistency_check(results) self._generic_congruency_check(results['solvers'], results)
def test_concat_simplification(self): solver = self.get_solver() str_concrete = claripy.StringV("conc") res = str_concrete + str_concrete + str_concrete res2 = claripy.StrConcat(str_concrete, str_concrete) res3 = claripy.StrConcat(res2, str_concrete) solver.add(res == res3) self.assertTrue(solver.satisfiable()) result = solver.eval(str_concrete, 2) self.assertEqual(["conc"], list(result))
def test_replace(self): correct_script = '''(set-logic ALL) (declare-fun {0}symb_repl () String) (assert (let ((.def_0 (= ( str.replace {0}symb_repl "a" "b" ) "cbne"))) .def_0)) (check-sat) '''.format(String.STRING_TYPE_IDENTIFIER) str_to_replace_symb = claripy.StringS("symb_repl", 4, explicit_name=True) sub_str_to_repl = claripy.StringV("a") replacement = claripy.StringV("b") solver = self.get_solver() repl_stringa = claripy.StrReplace(str_to_replace_symb, sub_str_to_repl, replacement) solver.add(repl_stringa == claripy.StringV("cbne")) script = solver.get_smtlib_script_satisfiability() # with open("dump_replace.smt2", "w") as dump_f: # dump_f.write(script) self.assertEqual(correct_script, script)
def test_length_simplification(self): str_concrete = claripy.StringV("concrete") solver = self.get_solver() solver.add(claripy.StrLen(str_concrete, 32) == 8) self.assertTrue(solver.satisfiable()) result = solver.eval(str_concrete, 2) self.assertEqual(['concrete'], list(result)) for r in result: self.assertTrue(len(r) == 8)
def test_suffix(self): str_symb = claripy.StringS("symb_suffix", 4, explicit_name=True) res = claripy.StrSuffixOf(claripy.StringV("an"), str_symb) solver = self.get_solver() solver.add(res) self.assertTrue(solver.satisfiable()) solutions = solver.eval(str_symb, 4 if KEEP_TEST_PERFORMANT else 100) for sol in solutions: self.assertTrue(sol.endswith('an'))
def test_length_simplification(self): correct_script = '''(set-logic ALL) (check-sat) ''' str_concrete = claripy.StringV("concrete") solver = self.get_solver() solver.add(claripy.StrLen(str_concrete, 32) == 8) script = solver.get_smtlib_script_satisfiability() self.assertEqual(correct_script, script)
def test_str_to_int_simplification(self): target_num = 12 if not KEEP_TEST_PERFORMANT else 1000000 str_concrete = claripy.StringV(str(target_num)) solver = self.get_solver() res = claripy.StrToInt(str_concrete, 32) solver.add(res == target_num) self.assertTrue(solver.satisfiable()) self.assertEqual(tuple(), tuple(solver.constraints)) self.assertEqual((target_num, ), solver.eval(res, 2))
def test_int_to_str(self): correct_script = '''(set-logic ALL) (declare-fun symb_int () Int) (assert (let ((.def_0 (= ( int.to.str symb_int ) "12"))) .def_0)) (check-sat) ''' int_symb = claripy.BVS("symb_int", 32, explicit_name=True) res = claripy.IntToStr(int_symb) solver = self.get_solver() solver.add(res == claripy.StringV("12")) script = solver.get_smtlib_script_satisfiability() self.assertEqual(correct_script, script)
def test_int_to_str_simplification(self): correct_script = '''(set-logic ALL) (check-sat) ''' int_concrete = claripy.BVV(0xc, 32) res = claripy.IntToStr(int_concrete) solver = self.get_solver() solver.add(res == claripy.StringV("12")) script = solver.get_smtlib_script_satisfiability() self.assertEqual(correct_script, script)