slicer.py

The slicer script make use of REVEN data tainting capabilities to display a list of instructions that manipulate tainted data.

It uses reven.Project.taint method to retrieve the list of execution Point which deal with tainted data and print them.

#!/usr/bin/env python2

import reven
import argparse

def parse_args():
    parser = argparse.ArgumentParser(description='Create a sliced trace based on some register taint propagation.')
    parser.add_argument('--host', metavar='host', dest='host', help='the reven host', default="localhost")
    parser.add_argument('--port', metavar='port', dest='port', type=int, help='the reven server port', default=13370)
    parser.add_argument('-r', metavar='run', dest='run', help='the reven execution run name', default='Execution run')
    parser.add_argument('-s', metavar='sequence', dest='sequence', type=int, help='the reven execution sequence', default=0)
    parser.add_argument('-i', metavar='instruction', dest='instruction', type=int, help='the reven execution instruction', default=0)
    parser.add_argument('-b', dest='backward', action='store_true', help='taint in backward direction')
    parser.add_argument('-v', dest='verbose', action='store_true', help='print the tainted register/memory')

    parser.add_argument(metavar='registers', dest='registers', help='name of the registers to taint', nargs='+')

    args = parser.parse_args()

    return args

# colors
green = "\033[1;32m"
red = "\033[1;31m"
reset = "\033[0m" # use to restore the default color
colored = lambda to_color, color: "%s%s%s" % (color, to_color, reset)

def colored_list_diff_str(old, new):
    string = "[ "
    for reg in sorted(set(new) - set(old), key=str.lower):
        string += "%s " % colored(reg, green)
    for reg in sorted(set(old) - set(new), key=str.lower):
        string += "%s " % colored(reg, red)
    for reg in sorted(set(old).intersection(new), key=str.lower):
        string += "%s " % reg
    string += "]"
    return string

def fixed_size_str(string, size):
    if len(string) > size:
        new = string[:(size - 3)] + "..."
    else:
        new = string + " " * (size - len(string))
    return new

def tainted_list(old, taintdiff):
    new = current + [symbolic.name for symbolic in taintdiff.tainted]
    for symbolic in taintdiff.untainted:
        new.remove(symbolic.name)
    return new


if __name__ == '__main__':

    # Parse the input arguments
    args = parse_args()

    # Connect to the reven project
    project = reven.Project(args.host, args.port)

    # Get the target trace
    trace = project.trace(args.run)

    # Get the taint range start point
    start_point = trace.point(args.sequence, args.instruction)

    # Get the initially tainted registers (assume its a 4byte register).
    symbolics = [ reven.SymbolicRegister(r, 4) for r in args.registers ]

    # Propagate the taint an unlimited number of times and timeout after 5s
    count = 0
    timeout = 5000
    forward = False if args.backward else True
    result = project.taint(start_point, symbolics, forward, count, timeout)

    # Display the sliced trace
    if args.verbose:
        current = [symbolic.name for symbolic in symbolics]

    for point in sorted(result.diffs.keys()):
        location = "%d_%d - %s" % (point.sequence_index, point.instruction_index, point.symbol.name)
        string = fixed_size_str(location, 45)

        if args.verbose:
            new = tainted_list(current, result.diffs[point])
            string += fixed_size_str(" %s" % point.instruction, 50)
            string += " %s" % colored_list_diff_str(current, new)
            current = new

        else:
            string += " %s" % point.instruction

        print string