def test_positive_taint_check(self):
mem_pos = 0x1000
program = Program([
Assign("foo", GetInput([UInt32(0)])),
Store(Value(UInt32(mem_pos)), Var("foo")),
Assign("blah", Load(Value(UInt32(mem_pos)))),
Goto(Var("blah"))
])
context = a_context().with_program(program).build()
self.assertRaises(AttackException, lambda: self.interpreter.run(context))
def test_taint_memory_address(self):
mem_pos = 0x1000
program = Program([
Assign("EAX", GetInput([UInt32(mem_pos)])),
Assign("EBX", Value(UInt32(1))),
Store(Var("EAX"), Var("EBX"))
])
context = self.build_context(program)
self.interpreter.run(context)
self.assertTrue(context.get_mem_address_taint(UInt32(0x1000)), 'Expected memory addressed tainted after writen '
'with memory address controlled by attacker')
def test_bed(self):
the_input = GetInput([UInt32(3), UInt32(1)])
program = Program([
Assign("X", MulOp(Value(UInt32(2)), the_input)),
IF(EQ(SubOp(Var("X"), AddOp(Value(UInt32(3)), Value(UInt32(2)))), Value(UInt32(15))), Value(UInt32(2)),
Value(UInt32(3))),
Assign("Y", AddOp(Value(UInt32(3)), Var("X"))),
IF(GT(Var("Y"), SubOp(the_input, Value(UInt32(20)))), Value(UInt32(4)), Value(UInt32(5)))
])
self.interpreter.run(a_context().with_program(program).build())
print str(self.interpreter.constraints)
print repr(self.interpreter.constraints)
def test_get_input_assign(self):
program = Program([
Assign('foo', GetInput([UInt32(1), UInt32(2), UInt32(3), UInt32(4)])),
Assign("blah", AddOp(Var("foo"), Value(UInt32(1))))
])
context = self.build_context(program)
result = self.interpreter.run(context)
self.assertEqual(UInt32(1), result.resolve_name("foo").value)
self.assertEqual(UInt32(2), result.resolve_name("blah").value)
def test_input_var(self):
program = Program([
Assign("foo", GetInput([UInt32(0)])),
Assign("blah", AddOp(Var("foo"), Value(UInt32(1))))
])
context = a_context().with_program(program).build()
self.interpreter.run(context)
self.assertTrue(context.resolve_name("foo").isTainted())
self.assertTrue(context.resolve_name("blah").isTainted())
def test_if(self):
program = Program([
Assign("foo", Value(UInt32(10))),
IF(AddOp(Value(UInt32(0)), Value(UInt32(1))), Value(UInt32(2)), Value(UInt32(3))),
Assign("foo", AddOp(Var("foo"), Value(UInt32(10)))),
Assign("blah", Value(UInt32(0)))
])
context = self.build_context(program)
self.interpreter.run(context)
self.assertEqual(UInt32(20), context.resolve_name("foo").value)
def test_taint_memory(self):
mem_pos = 0x1000
program = Program([
Assign("foo", GetInput([UInt32(0)])),
Store(Value(UInt32(mem_pos)), Var("foo")),
Assign("blah", Load(Value(UInt32(mem_pos)))),
])
context = a_context().with_program(program).build()
self.interpreter.run(context)
self.assertTrue(context.resolve_name("blah").isTainted())