REVEN-Axion v1.4.0 (2017)
Change log

Every notable change to the REVEN project will be documented in this file.

1.4.0 - 2017-01-20

Does not break scenario compatibility if scenarios are correctly migrated, but some fixes only take effect after scenario regeneration. Note that sequence numbers may differ from previous versions.

Breaks Python compatibility; all existing saves will be unloadable.

Also see the Python API changelog and the low-level Python API changelog.

Changed

  • Major symbol backend rework - see documentation.
  • Updated Axion to Qt5
  • Now ships VirtualBox 5
  • PCAP files are now downloaded from the HTTP server by default
  • Better IDA sync plugin
  • More criteria in search widget
  • Axion's connection timeout is now much higher, since opening a project can take several minutes to parse PDB files when the cache is cold
  • Axion's error log is now a colored message log
  • Axion's delta context is now per instruction, not per sequence
  • Sequence split conditions changed (not needed anymore on TLB flushes)
  • Hardened PE/Core Parser.
  • More robust Linux binary loader: now handles position-independent code (PIC) correctly

Fixed issues

  • Various emulation issues:
    • VirtualBox FPU context bug
    • FPU exceptions on fsincos & fptan
    • Inspector's reads are now const
    • SSE exceptions support improved
    • Better handling of simultaneous interrupts and EPT violation on REPs
    • Undetected page faults due to TLB inconsistencies, and various other TLB-related issues. Requires scenario regeneration
    • Order of issued PFs on some instructions was wrong if both operands were unmapped
    • SIDT/SGDT instructions issues
    • FWORD operands were sometimes incorrectly disassembled
    • Display order of port I/O instructions was reversed
    • The EFLAGS RF bit was lost in some circumstances
    • Segment override issue on MOVS instruction
    • Flag correction on interrupts
    • Added support for psadbw, loope & loopne
    • Forced preemption from host to enhance synchronisation
    • Various unmanaged instructions are now advertised to the guest as unavailable via CPUID: XSAVE, MOVBE, POPCNT, RDRAND, and all SSE4.2 and AES instructions. In most cases this means the OS will refrain from using them, but note that this does not prevent an application from using them blindly (without checking CPUID), in which case a desync will likely occur.
  • Multiple bugs on tainter:
    • Sometimes a tainted memory interval was not properly propagated. Because of this, memory intervals are now displayed byte by byte. This will probably change in a future revision
    • Taint propagation issues on REP instruction
    • Out-of-bounds last_tainted_point issues
    • Backward taint on first instruction could cause crash
  • Issues in hexdump:
    • Unaligned segment's pages could be incomplete
    • Access duplication or missing
    • Missing accesses with exec_after_write inspector
    • Various fixes on physical history
  • Axion crash when combining trace filtering (PMF) and sequence tree view filtering
  • Consistency issue in reven.rc's optional fields
  • Crash with licence server
  • Cron cleaning job sometimes stole the /tmp/reven project, preventing further project opening
  • Better UI for cancelling scenario recording
  • No more issues when Axion's client machine has no configured network interface
  • Plugin widgets now restore in their previous states, just like any other widget
  • Better handling of /tmp being full
  • VM names can now contain spaces.
  • Automatic scenario recording used to fail on binaries with spaces in their names
  • Allow multiline bookmarks.
  • Previous/next inconsistency on split sequences
  • Error on reven daemon start used to lead to 100% CPU consumption
  • Issues with file uploading, using Axion or Python API
  • Many fixes to prevent crashes when manipulating unexpected or nonexistent execution points.

And other smaller or internal additions and fixes.
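The CPUID change above is worth verifying from inside the guest before recording a scenario, because the trace will desync if the guest OS or any application still executes one of the hidden extensions. The following is an added example, not REVEN's own code or part of its documentation: it reads CPUID leaf 1 in the guest and reports which of the extensions listed above are still advertised. Bit positions are the CPUID.01H:ECX feature flags from the Intel SDM; the `__get_cpuid` helper is the GCC/clang one from `<cpuid.h>`, and on non-x86 builds the probe simply reports nothing advertised.

```c
/* Added example (not REVEN's code): check from inside a REVEN guest which of
 * the extensions that 1.4.0 hides through CPUID are still advertised, so a
 * desync from code that blindly uses them can be anticipated.
 * Bit positions are CPUID.01H:ECX as documented in the Intel SDM. */
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>           /* GCC/clang helper around the CPUID instruction */
#define HAVE_X86_CPUID 1
#else
#define HAVE_X86_CPUID 0
#endif

/* CPUID.01H:ECX feature bits that REVEN 1.4.0 clears for the guest. */
#define F_SSE4_2  (1u << 20)
#define F_MOVBE   (1u << 22)
#define F_POPCNT  (1u << 23)
#define F_AES     (1u << 25)
#define F_XSAVE   (1u << 26)
#define F_RDRAND  (1u << 30)
#define F_UNMANAGED (F_SSE4_2 | F_MOVBE | F_POPCNT | F_AES | F_XSAVE | F_RDRAND)

/* Pure function: subset of the unmanaged features that a given leaf-1 ECX
 * value still advertises.  0 is the expected answer inside a 1.4.0 guest. */
uint32_t unmanaged_features_advertised(uint32_t leaf1_ecx)
{
    return leaf1_ecx & F_UNMANAGED;
}

/* Name of one feature bit, for the report. */
const char *feature_name(uint32_t bit)
{
    switch (bit) {
    case F_SSE4_2: return "SSE4.2";
    case F_MOVBE:  return "MOVBE";
    case F_POPCNT: return "POPCNT";
    case F_AES:    return "AES";
    case F_XSAVE:  return "XSAVE";
    case F_RDRAND: return "RDRAND";
    default:       return "?";
    }
}

/* Read CPUID.01H:ECX on the running CPU.  Returns 0 (nothing advertised)
 * when not built for x86 or when leaf 1 is unavailable. */
uint32_t read_leaf1_ecx(void)
{
#if HAVE_X86_CPUID
    unsigned int eax, ebx, ecx, edx;
    if (__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return ecx;
#endif
    return 0;
}

int main(void)
{
    uint32_t present = unmanaged_features_advertised(read_leaf1_ecx());
    if (present == 0) {
        puts("CPUID hides every unmanaged extension: OS-level use is unlikely.");
        return 0;
    }
    puts("Still advertised (an OS or runtime may use them; expect desync):");
    for (uint32_t bit = 1; bit != 0; bit <<= 1)
        if (present & bit)
            printf("  %s\n", feature_name(bit));
    return 1;
}
```

A clean result only covers software that honours CPUID; a binary with hard-coded POPCNT or AES-NI paths will still execute them and desync, exactly as the note above warns.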

Known issues

  • Various unsolved emulation problems:
    • Eflags are sometimes wrong (parity flag in particular)
    • Interrupts should have priority over page faults when both happen at the same time
    • A page's Accessed flag is updated on an access that actually causes a write-protection fault
    • Hardware accesses sometimes appear to be duplicated
    • The RDRAND and RDSEED instructions are disassembled as VMPTRLD and VMPTRST. See the FAQ for more info.
  • Gdbstub plugin will not work as IDA expects on big traces (setting breakpoints is slow)
  • Previous taint button has an inconsistent behavior when the taint is over.
  • Python API's Project.connected property is not updated as would be expected.
  • The Python API may not report a connection failure when no licence is available.
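The RDRAND/RDSEED mislabeling above is a ModRM ambiguity: all four instructions share the two-byte opcode 0F C7 and differ only in the ModRM byte. Opcode extension /6 is RDRAND r32 when mod == 3 (register form) and VMPTRLD m64 otherwise; /7 is RDSEED r32 when mod == 3 and VMPTRST m64 otherwise. A decoder that keys on the reg field alone therefore prints the VMX mnemonic for the register form. The following is an added example, not REVEN's disassembler or any of its code: a minimal decoder for these 0F C7 forms, with a switch that reproduces the mislabeling for comparison. The sample byte sequences are constructed; no prefixes (REX, operand-size) are handled, so operands are shown as 32-bit registers.

```c
/* Added example (not REVEN's code): why RDRAND/RDSEED can be shown as
 * VMPTRLD/VMPTRST.  All four share opcode 0F C7 and are told apart only by
 * ModRM: /6 is RDRAND (mod == 3) or VMPTRLD m64 (mod != 3), /7 is RDSEED
 * (mod == 3) or VMPTRST m64 (mod != 3).  No prefixes are handled here. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit register names indexed by ModRM.rm (no REX prefix assumed). */
static const char *const REG32[8] = {
    "eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"
};

/* Decode a 3-byte sequence 0F C7 <modrm> into `out`.  Returns 1 on success,
 * 0 if the bytes are not a 0F C7 /6 or /7 form.  honor_mod == 1 is the
 * correct decoder; honor_mod == 0 ignores ModRM.mod and reproduces the
 * mislabeling described under "Known issues". */
int decode_0fc7(const uint8_t *code, size_t len, int honor_mod,
                char *out, size_t outsz)
{
    if (len < 3 || code[0] != 0x0F || code[1] != 0xC7)
        return 0;
    unsigned mod = code[2] >> 6;
    unsigned reg = (code[2] >> 3) & 7;
    unsigned rm  = code[2] & 7;
    int is_reg_form = honor_mod && mod == 3;
    const char *mn;
    switch (reg) {
    case 6: mn = is_reg_form ? "rdrand" : "vmptrld"; break;
    case 7: mn = is_reg_form ? "rdseed" : "vmptrst"; break;
    default: return 0;   /* other /r forms (e.g. CMPXCHG8B) are out of scope */
    }
    if (is_reg_form)
        snprintf(out, outsz, "%s %s", mn, REG32[rm]);
    else
        snprintf(out, outsz, "%s m64", mn);
    return 1;
}

/* Constructed samples: register forms that 1.4.0 shows as VMX instructions,
 * plus one genuine memory form for contrast. */
static const uint8_t SAMPLES[][3] = {
    {0x0F, 0xC7, 0xF0},   /* rdrand eax  (mod=3, reg=6, rm=0) */
    {0x0F, 0xC7, 0xFB},   /* rdseed ebx  (mod=3, reg=7, rm=3) */
    {0x0F, 0xC7, 0x31},   /* vmptrld m64 at [ecx] (mod=0, reg=6) */
};
#define NSAMPLES (sizeof SAMPLES / sizeof SAMPLES[0])

/* Decode sample i with the chosen decoder; returns a static string. */
const char *decode_sample(size_t i, int honor_mod)
{
    static char buf[32];
    if (i >= NSAMPLES || !decode_0fc7(SAMPLES[i], 3, honor_mod, buf, sizeof buf))
        return "(undecodable)";
    return buf;
}

int main(void)
{
    for (size_t i = 0; i < NSAMPLES; i++) {
        printf("%02X %02X %02X  correct: %-14s", SAMPLES[i][0], SAMPLES[i][1],
               SAMPLES[i][2], decode_sample(i, 1));
        printf("  reg-only: %s\n", decode_sample(i, 0));
    }
    return 0;
}
```

When reviewing a 1.4.0 trace, a VMPTRLD or VMPTRST appearing in ordinary user-mode code is therefore almost certainly RDRAND or RDSEED, and the register operand is the ModRM.rm field of the third byte.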

1.3.1 - 2016-05-25

Does not break scenario, save or python compatibility.

Fixed

  • Fix "binaries not mapped" bug due to a change in dump_process for windows.
  • Cleaner cron job used to chown /tmp/reven to root, breaking further executions.

1.3.0 - 2016-05-02

Added

  • New Python API based on the previous, low-level api. It simplifies many common uses, and wraps specific knowledge into a much more pythonic API.
  • Native support for PDB files, we don't require converting them into our own format anymore.

Changed

  • The low-level Python module was renamed from reven to reven_api.
  • Huge improvements on the FPU edge cases and flag management.
  • Improvements on SSE edge cases as well as ~10 new instructions implemented.
  • MMU is now closer to actual hardware.
  • Better handling of invalid instructions.
  • Matching between a binary file & its PDB is now based on the GUID & version number, as intended.

Fixed

  • Various bugs fixed on hardware sync.
  • Two bugs fixed on VBox, including a crash on early VNC connection.
  • Axion UI bugs fixed.
  • Fixes and improvements to the experimental (still unsupported) tainter graph feature.

1.2.0 - 2015-12-02

Added

  • Gdbstub plugin provides a gdb-compatible interface for communicating with REVEN.
  • QbSync plugin now supported: enables synchronisation between IDA and Axion.
  • PCAP extraction & sync with Wireshark.
  • RvnKd: create a core dump file which WinDBG can read.
  • (Experimental) Tainter Graph: a more interactive taint procedure.
  • (Experimental) Strace-like: parses the execution trace and analyses the system calls.
  • Added missing SSE instructions from common programs.
  • Handle multiple anti-disassembly tricks used in obfuscated binaries.

Changed

  • FPU is more precise on exception flags.

Fixed

  • Various bugs fixed on hardware sync.

1.1.0 - 2015-10-27

Changed

  • Multiple improvements on emulation and scenario creation.

Fixed

  • Fix python API unusable types.

1.0.0 - 2015-03-30

  • Initial release.