REVEN version 2.8 is packed with new features, still with a strong focus on providing you with a "bird's eye view" over a trace, so that you can get important information about what happens in a scenario at a glance! Here are some highlights:
Call Tree view in Axion GUI: the GUI now offers a new Call Tree view that provides users with far more semantic information about what is going on in the trace. Navigate to one transition and immediately visualize the call history before and after this transition, then jump from there to surrounding points of interest.
New vulnerability detection notebooks: new Jupyter Notebooks are available to help you detect Buffer Overflow vulnerabilities and Uninitialized Memory vulnerabilities. The notebooks are available in the "Python API - Analyze" examples of the "Download" page of the Project Manager, as well as on our GitHub.
Important Compatibility Notes
REVEN version 2.8 is the first version of REVEN to support Debian Buster and Python 3.7. As a result, support for Debian Stretch and Python 2.7 has been removed. See the migration guide for more information on the upgrade process.
REVEN version 2.8 switches from Capstone to Zydis as its disassembler backend. This modifies the result of the `reven2.trace.Instruction.operands` methods, as well as the display of some instructions in Axion. For example, the instruction `xmmword ptr [rdi + rcx]` is now rendered as `xmmword ptr [rdi+rcx*1]`, the instruction `rep movsq qword ptr [rdi], qword ptr [rsi]` is now rendered as `rep movsq` (the operands are implicit), and the instruction `cmpltps xmm1, xmm0` is now rendered as `cmpps xmm1, xmm0, 0x1` (fixing the mnemonic and the operands).
The behavior of the `TaintResultView.filter_by_context_range` functions has been modified in the way the `to_context` parameter is handled. Previously, the taint would not propagate through the `Transition` right before the `to_context` parameter; with this change, it now does. This means that a simple taint between context `c` and `c + 1` will now propagate through the transition between context `c` and its successor context, whereas before it would propagate through no transition at all.
- Taint performance has been improved up to x4 in some workloads (long taint with lots of tainted memory benefit most from the improvement)
- In the Python API `Taint.accesses` slicer, more instructions are reported as "accessed":
  - When the conditional flag is tainted in a conditional move or jump
  - When a tainted register is used to dereference memory
- Changed REVEN's disassembler backend from Capstone to Zydis, yielding runtime improvements in performance and correctness.
- In the Enterprise edition, it is now possible to start and stop recording using the ASM stub, even when performing an automatic binary record. This allows for more flexibility in the record options.
Analysis Python API
- The accuracy of the `Transition.find_inverse` method has been improved so that it returns the correct transition in more cases.
- Added an example script `thread_id.py` to detect the current thread and find the transition where it was created. You can find it in the `Download` page of the Project Manager.
- The standalone Python API Debian package is now easier to use with the addition of a `sourceme` script. Please refer to the installation documentation for more information.
- The Backtrace view now skips "trampoline" calls by default. Trampoline calls are calls that immediately call another function selected dynamically by an indirect jump. It is desirable to skip them, since they muddle the backtrace and don't add any useful information.
- The accuracy of the "%" (find inverse) plugin has been improved so that it jumps to the correct transition in more cases.
- You can now choose the numeric base in which to display the register values in the CPU view.
- Displaying symbols in the Taint view is now optional.
- VirtualBox is now shipped in version 6.1.18, which brings all the benefits of VirtualBox 6 to REVEN, such as the major rework of the user interface and support for host Linux kernels up to version 5.10. QEMU remains the recommended way to record scenarios for most usages.
Analysis Python API
- `TaintResultView.filter_by_context_range` would raise an
- The provided `automatic-scenario-creation.py` example no longer fails attempting to replay the deprecated
- `Context.find_register_change` could loop infinitely when invoked backward.
- `Context.find_register_change` could skip changes depending on the value of the technical
- `Context.find_register_change` would mistakenly raise
- When recording a QEMU VM with UEFI enabled, the UEFI boot option is now passed correctly when replaying.
- External processes launched by the Project Manager are correctly terminated by clicking the various
- It was not possible to use OSSI without the kernel description and light filesystem resources. The snapshot filesystem can now be used if the light filesystem is not available.
- The Project Manager would sometimes fail to correctly terminate its subprocesses. This would lead to some zombie processes remaining on the server running the Project Manager, and in some cases would lead to a failure to stop a VM when clicking the "Stop VM" button.
- A superfluous and misleading error was displayed when attempting to replay without being able to delete all the necessary resources.