REVEN-Axion 2018 v1.5.0
Change log

Every notable change to the REVEN project will be documented in this file.

See also the Python API changelog and the low-level Python API changelog.

Product Releases

Release 1.5.0 - 2018-09-06

REVEN must now be installed on Debian Stretch; see the documentation for the upgrade procedure.

Compatibility information

  • Execution traces saved with version 1.4.5 and lower are not compatible. You may want to regenerate them from their corresponding recorded scenarios.
  • Execution presets saved with version 1.4.5 and lower are not compatible either. Please note down your settings before upgrading if necessary.
  • VMs and snapshots created on jessie are still compatible.
  • Scenarios recorded with version v1.4.x are compatible.
  • The Python API is backward compatible with v1.4.4.

Removed

In this version we removed a few largely unused, experimental features:

  • "Delta context" widget.
  • "Exploration" feature (This was the "Explore from here" entry in the trace's context menu).
  • "GDB Stub" feature and the related Python object GdbServer.

Added / Changed

  • New Python services get_previous_scenario_item and get_scenario_item. See the documentation.

Fixed issues

  • T1849: fixed "Framebuffer" widget behavior on project open / close.
  • Fixed sequence number display in the "Hot Points" widget: it is now shown in decimal instead of hexadecimal.
  • Fixed potential desync on unaligned memory accesses at page boundary.
  • Fixed potential trace execution failure on instructions manipulating linear memory.
  • Fixed debug register size, now 32 bits.
  • Fixed text framebuffer: the initial state was incomplete because the buffer was not copied entirely.

Known issues

  • Under KDE/Plasma, menu entries in Axion may appear broken. Please read the FAQ in the documentation to work around this issue.
  • In some cases, the nodes in the taint graph may appear entirely white. Zooming/unzooming the graph fixes the issue.

Release 1.4.5 - 2018-05-22

Compatibility information

  • Scenarios recorded with version v1.4.x are compatible.
  • Execution traces saved with version 1.4.1 and greater are compatible.
  • Execution traces saved with version 1.4.0 and lower are not compatible. You may want to regenerate them from their corresponding recorded scenarios.
  • The Python API is fully backward compatible with v1.4.4.

Fixed issues

  • T2102 - Server would sometimes refuse the licence.
  • T1925 - Fewer crashes during parallel recordings, and crashes no longer affect other recordings.
  • T2128 - Ignore whitespace around searched symbols or binaries in Axion.

Release 1.4.4 - 2018-03-04

Compatibility information

  • Scenarios recorded with version v1.4.x are compatible.
  • Execution traces saved with version 1.4.1 and greater are compatible.
  • Execution traces saved with version 1.4.0 and lower are not compatible. You may want to regenerate them from their corresponding recorded scenarios.
  • The REVEN v1.4.4 Python API is not fully backward compatible.
    • The ExecutionProgress.status method now returns the current status as a string (e.g. "Busy") rather than the text message contained in the progress. Use ExecutionProgress.text to get the previous behavior.

Added / Changed

  • T1884 - Experimental mode is now enabled by default in Axion (an existing configuration file from a previous version keeps it disabled if it is not explicitly set).
  • T878 - REVEN Debian packages are now signed. Note that this slightly changes the installation steps.
  • Several changes to the documentation:
    • New page documenting the interaction between license checks and the Python API.
    • New FAQ entry about the handling of the /tmp directory in REVEN.
    • The cheat sheet containing Axion's various shortcuts is now in the documentation.
    • Documentation for launcher_connection.server_launch explaining what happens when starting several servers on the same port.
    • An upload_and_rename function as an example in the documentation of launcher_connection.project_rename_file.

Fixed issues

  • T1643 - Alt-Gr and mouse clicks were not properly registered in REVEN VirtualBox.
  • T1773 - Trace desynchronization could happen at the first sequence with automated recording/analysis using the start/stop recording assembly stub.
  • T1778 - File name truncation in the ISO when the input name is very long: input names on Windows VMs can now go up to 103 characters instead of the previous 64.
  • Page faults caused by access rights sometimes caused a trace desynchronization.
  • Various network stability fixes: fixed the "null socket" and "unregistered command" errors sometimes encountered in Python.
  • T1776 - An unexpected RuntimeError would sometimes happen when connecting to a project and checking execution_status: the low-level Python API now throws an exception in the constructor of reven_connection when there is no available license token. The exception's message is identical to the message received in Axion. Previously, it would always return the object, and then fail with an unrelated error message on the next service call. Note that the Project object of the high-level API also throws that exception.
  • T1782 - USB device management in VirtualBox was not enabled by default.
  • T1847 - Typing exit() in the Axion Python console caused a freeze in Axion: this now displays an error in Axion's log window.
  • T1846 - Search view was not properly cleared when performing a new search.
  • T1583 - Axion crashed when using the T shortcut without a prior Ctrl-J/K/L.
  • T1839 - Selecting string accesses from another run did not select the proper point.
  • T1848 - Clicking on a string entry in the string history did not show the first string access in the trace.
  • The rdtscp instruction was missing.
  • A race condition could potentially occur in ExecutionProgress.
  • T1844 - Connection windows would occasionally freeze on some window managers.
  • An external interrupt could cause a trace desynchronization.
  • The ExecutionProgress format in the Python API was unhelpful: instances now show the current progress when printed.

Release 1.4.3 - 2017-10-25

Added / Changed

  • T1202 & T1657 - Added missing SSE instructions used by common browsers.
  • T1680 - Log instructions with a known potential precision issue when encountered.

Fixed issues

  • T1642 - Fix color of conditional branches in current symbol graph of Axion.

Release 1.4.2 - 2017-07-14

Compatibility information

  • Scenarios recorded with version v1.4.0 and v1.4.1 are compatible.
  • Execution traces saved with version v1.4.1 are compatible.
  • Execution traces saved with version v1.4.0 are not compatible. You may want to regenerate them from their corresponding recorded scenarios.
  • The REVEN v1.4.2 Python API is not fully backward compatible. Scripts written for a previous version of REVEN may not work exactly as-is with REVEN v1.4.2 and may require minor changes. Please see the API changelog in the documentation.

Added / Changed

  • The Python API installers for Windows are now available from the REVEN server.
  • New plugin examples in the documentation.

Fixed issues

  • T1633:
    • The RvnKd script is now shipped on Windows.
    • Issue with paths on Windows when using the launcher's project_upload_file method: the full path was visible on the server.
    • Issue with file upload on Windows when using the launcher's project_upload_file method: the file was sometimes truncated.
  • T1619 - Python API demo scripts were missing in the Debian packages.
  • T1618 - process.py did not free its connection to the REVEN server.
  • T1617 - Team licence blocked by the Axion plugin.
  • T1565 - The PREFETCH & PREFETCHW instructions are now advertised as unavailable via CPUID.
  • Issue with the AddressSpace.contains method in the Python API.
  • Missing string after ETA in the execution progress window in Axion.

Release 1.4.1 - 2017-06-30

Compatibility information

  • Scenarios recorded with version 1.4.0 are compatible.
  • Execution traces saved with v1.4.0 are not compatible, but you simply have to re-execute your recorded scenarios.
  • The Python API is not fully backward compatible. Scripts written for a previous version of REVEN may not work exactly as-is with REVEN v1.4.1 and may require minor changes. Please see the API changelog in the documentation.

Added / Changed

  • A REVEN Python API usable from Microsoft Windows and from the IDA Pro scripting interface.
  • Several examples of IDA Pro + REVEN Python scripts, such as:
    • Visualize in IDA the number of times a basic block is executed in a REVEN trace.
    • Add cross-references in IDA Pro from a REVEN trace.
  • New examples demonstrating the Python API (see Examples).
  • T1490 - In Axion, new ability to define a symbol name for a sequence.
  • T1336 - In Axion, strings are sorted by creation in the "strings" widget (previously unsorted).
  • T1521 - QB-sync plugin renamed to IDA-sync.
  • IDA-sync has been ported to the newer Ret-sync, and no longer requires rebasing IDA's binary to 0.
  • Removed the deprecated experimental inspector indirect_call_finder.
  • Removed the deprecated experimental plugin strace.
  • Numerous documentation improvements.
  • Replaced the ambiguous term "scenario generation" with "scenario recording" in the documentation.

Fixed issues

The following issues have been fixed:

  • T1503 - REVEN did not handle library symbols in Debian Jessie.
  • T1502 - sysexit broke the sequence tree in Debian Jessie.
  • T1489 - The search criterion type was re-initialized when the user switched from one run to another in Axion.
  • T1457 & T1488 - No preset trace configuration was loaded when a manage preset dialog box was opened and a preset was selected.
  • T1458 - Backward taint did not taint the selected memory.
  • T1455 - REVEN crashed when using the low-level Python services memory_get_* on an invalid execution point.
  • T1447 - The "Sequence split by a pagefault[...]" message was not always present.
  • T1405 - MMU inconsistency between the Python API and Axion.
  • T1443 - Calling services that are not allowed to run during the execution could cause REVEN to crash.
  • T1348 - reven.log did not mention "unsupported" instructions.
  • T1345 - Loss of memory taints on backward taint.
  • T1525 - The IDA-sync and gdbstub plugins failed to reset properly when changing projects.

Notable API changes

As stated above, the API is slightly incompatible. Here are a few notable API improvements; please see the dedicated API changelogs for a comprehensive list.

  • Miscellaneous API consistency improvements:
    • Many properties changed into methods, with setters when appropriate.
    • Fixed typographical errors.
  • Changed memory read methods:
    • T1456 - New methods available in the Python API Memory class: read_[u8, i8, u16, i16, u32, i32, u64, i64, f32, f64].
    • T1579 - New default arguments when creating a Memory object or when calling read_xxx to specify the segment.
  • Replaced the connected property with an is_connected() method that actually checks the current status of the connection (Project.connected was not updated as would be expected).
  • New method Project.refresh to manually refresh the cache.

Release 1.4.0 - 2017-01-20

Several style evolutions of the user documentation. This release does not break scenario compatibility if correctly migrated, but some fixes require scenario regeneration to be applied. Note that sequence numbers might change from previous versions.

It does break Python compatibility, and all saves will be unloadable.

Changed

  • Major symbol backend rework; see the documentation.
  • Updated Axion to Qt5.
  • Now ships VirtualBox 5.
  • PCAP files are now downloaded from the HTTP server by default.
  • Better IDA sync plugin.
  • More criteria in the search widget.
  • Axion's connection timeout is now much higher, since projects can take up to minutes to parse PDB files when the cache is cold.
  • Axion's error log is now a colored message log.
  • Axion's delta context is now per instruction, not per sequence.
  • Sequence split conditions changed (no longer needed on TLB flushes).
  • Hardened PE/Core parser.
  • More robust Linux binary loader: handles PIC code correctly.

Fixed issues

  • Various emulation issues:
    • VirtualBox FPU context bug.
    • FPU exceptions on fsincos & fptan.
    • Inspector's reads are now const.
    • SSE exceptions support improved.
    • Better handling of simultaneous interrupts and EPT violations on REPs.
    • Undetected page faults due to TLB inconsistencies and various other TLB-related issues. Requires scenario regeneration.
    • The order of issued PFs on some instructions was wrong if both operands were unmapped.
    • SIDT/SGDT instruction issues.
    • FWORD operands were sometimes incorrectly disassembled.
    • The display order of port I/O instructions was reversed.
    • The EFLAGS RF bit was lost in some circumstances.
    • Segment override issue on the MOVS instruction.
    • Flag correction on interrupts.
    • Added support for psadbw, loope & loopne.
    • Forced preemption from the host to enhance synchronisation.
    • Various unmanaged instructions are now advertised to the guest as unavailable via CPUID: XSAVE, MOVBE, POPCNT, RDRAND, and all SSE4.2 and AES instructions. In most cases this means the OS will refrain from using them, but note that this won't prevent an application from blindly doing so, in which case a desync will likely occur.
  • Multiple bugs in the tainter:
    • Sometimes a tainted memory interval was not properly propagated. Because of this, memory intervals are now displayed byte per byte. This will probably change in a future revision.
    • Taint propagation issues on REP instructions.
    • Out-of-bounds last_tainted_point issues.
    • Backward taint on the first instruction could cause a crash.
  • Issues in hexdump:
    • Unaligned segment pages could be incomplete.
    • Duplicated or missing accesses.
    • Missing accesses with the exec_after_write inspector.
    • Various fixes to the physical history.
  • Axion crashed when combining trace filtering (PMF) and sequence tree view filtering.
  • Consistency issue in reven.rc's optional fields.
  • Crash with the licence server.
  • The cron cleaning job sometimes stole the /tmp/reven project, preventing further project opening.
  • Better UI for cancelling scenario recording.
  • No more issues when Axion's client machine has no configured network interface.
  • Plugin widgets now restore their previous states, just like any other widget.
  • Better handling of /tmp being full.
  • VM names can now contain spaces.
  • Automatic scenario recording used to fail on binaries with spaces in their names.
  • Allow multiline bookmarks.
  • Previous/next inconsistency on split sequences.
  • An error on reven daemon start used to lead to 100% CPU consumption.
  • Issues with file uploading, using Axion or the Python API.
  • Many fixes to prevent crashes when manipulating unexpected or nonexistent execution points.

And other smaller or internal additions and fixes.

Known issues

  • Various unsolved emulation problems:
    • EFLAGS are sometimes wrong (the parity flag in particular).
    • Interrupts should have priority over page faults when both happen at the same time.
    • The Accessed flag is updated for a page on accesses that actually cause a write-protection fault.
    • Hardware accesses sometimes appear to be duplicated.
    • The RDRAND and RDSEED instructions are disassembled as VMPTRLD and VMPTRST. See the FAQ for more info.
  • The Gdbstub plugin will not work as expected by IDA on big traces (slow breakpoint set).
  • The previous taint button has an inconsistent behavior when the taint is over.
  • The Python API's Project.connected property is not updated as would be expected.
  • The Python API may not report a connection failure when no licence is available.

Release 1.3.1 - 2016-05-25

Does not break scenario, save, or Python compatibility.

Fixed

  • Fixed the "binaries not mapped" bug due to a change in dump_process for Windows.
  • The cleaner cron job used to chown /tmp/reven to root, breaking further executions.

Release 1.3.0 - 2016-05-02

Added

  • New Python API based on the previous, low-level API. It simplifies many common uses, and wraps specific knowledge into a much more Pythonic API.
  • Native support for PDB files; they no longer need to be converted into our own format.

Changed

  • Low-level Python module renamed from reven to reven_api.
  • Huge improvements on FPU edge cases and flag management.
  • Improvements on SSE edge cases as well as ~10 new instructions implemented.
  • The MMU is now closer to actual hardware.
  • Better handling of invalid instructions.
  • Matching between a binary file & its PDB is now based on the GUID & version number, as intended.

Fixed

  • Various bugs fixed on hardware sync.
  • Two bugs fixed on VBox, including a crash on early VNC connection.
  • Axion UI bugs fixed.
  • Fixes and improvements to the still-unsupported experimental tainter graph feature.

Release 1.2.0 - 2015-12-02

Added

  • Gdbstub plugin: provides a gdb-compatible interface for communicating with REVEN.
  • QbSync plugin now supported: enables synchronisation between IDA and Axion.
  • PCAP extraction & sync with Wireshark.
  • RvnKd: creates a core dump file which WinDBG can read.
  • (Experimental) Tainter Graph: a more interactive taint procedure.
  • (Experimental) Strace-like: parses the execution trace and analyses the system calls.
  • Added missing SSE instructions used by common programs.
  • Handle multiple anti-disassembly tricks used in obfuscated binaries.

Changed

  • FPU is more precise on exception flags.

Fixed

  • Various bugs fixed on hardware sync.

Release 1.1.0 - 2015-10-27

Changed

  • Multiple improvements on emulation and scenario creation.

Fixed

  • Fixed unusable types in the Python API.

Release 1.0.0 - 2015-03-30

  • Initial release.