2.10.0
Highlights
REVEN version 2.10 is packed with new features, with the following highlights:
- Improved UX for newcomers with a step-by-step installation and quick start guide, and several UI pitfalls rubbed out.
- Improved performance on the Analysis side, with scripts such as `detect_use_after_free.ipynb` running up to 8 times faster.
- A new API to iterate on contexts inside a process or a ring.
- A new API to inspect prototypes of functions and read parameters and return value.
- New OSSI for Linux CentOS 8 and enhanced OSSI for mangled symbols and Windows 21H1.
In more detail:
- Fast path from downloading REVEN to the analysis of your first scenario: Using REVEN is easier than ever, thanks to many improvements to the setup process and documentation. We changed the default options to be more convenient and push first-time users towards the fast path. The revamped Installation section and the brand new Quick start guide will guide you through the installation and first use of REVEN, from the moment you download your package to the analysis of your first scenario!
- Process/Ring filters API: The new `Trace.filter` method lets you iterate on contexts that match a specific set of processes and/or rings. This easily enables a common use case of analyzing only some processes in userspace (e.g. only looking at the instructions executed while running Chrome).
- Preview Prototype API: The Prototype API is what has been powering our `ltrace` and `file-activity` report scripts since their release in 2.6 and 2.7. This API is now exposed as a `preview.prototypes` package, which parses C headers to return their signature, and also exposes the ABI calling convention so that you can easily read e.g. the value of the third argument or the return value of a call. Refer to the documentation of that package for more information.
- Faster analysis: A new optional resource (replayed by default) called the `Executed blocks` allows iterating on transition objects faster, yielding performance improvements for the replay of some resources and for the analyses that depend on iterating on transitions. Concretely, we observe speedups of x5 for sequential instruction recovery and up to x100 for random access of transitions. For end-user scripts such as `detect_use_after_free.ipynb`, this translates to a speedup of up to x8.
- More complete and customizable symbol demangling: Axion now displays in most places a shorter form of the demangled symbols. The full signature is available at the call of a symbol or on demand. Meanwhile, the symbol API sees the addition of three new entries: `Symbol.source_name`, `Symbol.name_only` and `Symbol.prototype`, which are geared to recovering mangled and demangled symbol names in their short or long form.
- More OSSI (current process, binary, symbol) support:
  - On the Windows front, REVEN 2.10 better supports the latest released version of Windows 10 (21H1).
  - REVEN now supports resolving the OSSI for the CentOS 8 distribution.
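The following is an added example, not code from the REVEN package and not its `preview.prototypes` API (whose exact interface is not shown in these notes). It illustrates the two steps the Prototype API bullet describes, parsing a C declaration into a signature and using the calling convention to locate the third argument or the return value at a call, and the short/long symbol form distinction from the demangling bullet. The function names (`parse_prototype`, `argument_location`, `read_argument`), the `memcpy` declaration and the register snapshot are all constructed for the illustration.

```python
"""Toy C-prototype parser with x86-64 ABI argument mapping.

Added illustration only: this is not reven2's preview.prototypes package and
does not call the REVEN API. It shows the two steps the release notes attribute
to that package: parsing a C declaration into a signature, and using the
calling convention to locate the N-th argument or the return value at a call.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Integer/pointer argument registers for the two x86-64 conventions, in order.
# Floating-point arguments (XMM registers) are out of scope for this toy.
ARG_REGISTERS: Dict[str, List[str]] = {
    "sysv64": ["rdi", "rsi", "rdx", "rcx", "r8", "r9"],
    "win64": ["rcx", "rdx", "r8", "r9"],
}
RETURN_REGISTER = "rax"  # integer/pointer return value in both conventions
SLOT = 8                 # size of one stack argument slot on x86-64

_C_TYPE_WORDS = {"void", "char", "short", "int", "long", "float", "double",
                 "signed", "unsigned", "const", "volatile", "struct", "union",
                 "enum"}
_DECL = re.compile(r"^\s*(?P<ret>[\w\s*]*?)\s*\b(?P<name>[A-Za-z_]\w*)\s*"
                   r"\((?P<params>[^()]*)\)\s*;?\s*$")


@dataclass
class Prototype:
    return_type: str
    name: str          # short form ("name only")
    params: List[str]  # parameter types with the parameter names stripped

    @property
    def signature(self) -> str:
        """Long form: the full signature, as a UI would show it on demand."""
        sep = "" if self.return_type.endswith("*") else " "
        return f"{self.return_type}{sep}{self.name}({', '.join(self.params)})"


def _normalize_type(text: str) -> str:
    # Tokenise so that '*' is its own token, then re-join: "char*" -> "char *".
    tokens = re.findall(r"\*|[A-Za-z_]\w*", text)
    return re.sub(r"\* \*", "**", " ".join(tokens))


def _param_type(text: str) -> str:
    tokens = re.findall(r"\*|[A-Za-z_]\w*", text)
    # A trailing identifier that is neither '*' nor a type keyword is the
    # parameter name; the type is everything before it.
    if len(tokens) >= 2 and tokens[-1] != "*" and tokens[-1] not in _C_TYPE_WORDS:
        tokens = tokens[:-1]
    return _normalize_type(" ".join(tokens))


def parse_prototype(decl: str) -> Prototype:
    """Parse one C function declaration (no function-pointer parameters)."""
    m = _DECL.match(decl)
    if not m:
        raise ValueError(f"cannot parse declaration: {decl!r}")
    raw = [p.strip() for p in m.group("params").split(",") if p.strip()]
    params = [] if raw == ["void"] else [_param_type(p) for p in raw]
    return Prototype(_normalize_type(m.group("ret")), m.group("name"), params)


def argument_location(proto: Prototype, index: int, convention: str) -> str:
    """Where parameter `index` (0-based) lives just after the CALL executed:
    a register name, or a stack slot relative to RSP."""
    if not 0 <= index < len(proto.params):
        raise IndexError(f"{proto.name} has {len(proto.params)} parameters")
    regs = ARG_REGISTERS[convention]
    if index < len(regs):
        return regs[index]
    # [rsp] holds the return address, so SysV's 7th argument is at [rsp+8].
    # Win64 also reserves 32 bytes of shadow space: its 5th argument is at
    # [rsp+0x28].
    shadow = 32 if convention == "win64" else 0
    return f"[rsp+{SLOT + shadow + (index - len(regs)) * SLOT:#x}]"


def read_argument(proto: Prototype, index: int, convention: str,
                  regs: Dict[str, int], stack: Dict[int, int]) -> int:
    """Read an argument from a register/stack snapshot taken at the call.
    `stack` maps byte offsets from RSP to the qword stored there."""
    loc = argument_location(proto, index, convention)
    if loc.startswith("[rsp+"):
        return stack[int(loc[len("[rsp+"):-1], 16)]
    return regs[loc]


if __name__ == "__main__":
    proto = parse_prototype("void *memcpy(void *dst, const void *src, size_t n);")
    print(proto.name, "->", proto.signature)
    # Constructed Win64 snapshot right after `call memcpy`: the 3rd argument
    # (n) is in r8; after the call returns, the result pointer is in RETURN_REGISTER.
    regs_at_call = {"rcx": 0x7FF6_1000, "rdx": 0x7FF6_2000, "r8": 0x40}
    print("third argument n =", hex(read_argument(proto, 2, "win64", regs_at_call, {})))
```

The point of the mapping is that the same prototype yields different locations under different conventions (the third argument is `r8` on Win64 but `rdx` on SysV), which is exactly why an analysis script needs the ABI exposed alongside the parsed signature rather than hard-coding registers.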
Improvements
REVEN
- Taint performance optimization, with up to 66% speedup in workloads with many pieces of tainted memory.
Project Manager
- For new installations, the list of PDB servers is now pre-populated with common PDB servers. For existing installations, you can refer to the documentation if you want to add the new PDB servers.
- Virtual Machines (VMs) in the `qcow` format are now automatically converted to the `qcow2` format during the VM registration wizard.
- The error message when there is a timeout during a binary autorecord is now clearer.
- Now, by default, all resources are selected to be replayed in the Replay page of a scenario, as this is the most common use case.
- The Axion GUI client and the VM displays are now being rendered by default from the Project Manager's web interface, in your browser. To configure another behavior, please refer to the documentation.
- The logs of the services of the Project Manager (Postgres, Redis, Celery, uWSGI, etc.) are now rotated, to avoid accidental destruction of log information when restarting the Project Manager.
Analysis Python API
- In a Jupyter Notebook, a `reven2.address.LinearAddress`, `reven2.address.LogicalAddress` or `reven2.address.LogicalAddressSegmentIndex` instance now displays as a clickable link that instructs Axion to open a hexdump widget at that address.
- The `Sessions.publish_address` method allows publishing an address to synchronized clients like Axion.
- The `Ossi.executed_processes` method allows getting the processes executed in a Windows scenario.
- The `Transition.pc` and `Transition.mode` properties allow querying the RIP and the CPU mode associated with a transition.
Analysis Python API script library
- The new script `automatic-post-fuzzer-recorder.py` that was demonstrated in a recent article has been added to the examples in the package.
- `threadsync.py` adds an option to filter by the synchronization primitive, and replaces the `--cr3` option with a `--pid` option for ease of use and consistency with other scripts.
- `detect_data_race.ipynb` sees improved performance for workloads with many accessed memory addresses. The output of the notebook has been tuned to better distinguish between undetermined and positive cases.
- `export_bookmarks.ipynb` now supports exporting bookmarks even when the OSSI is not available, but emits a warning in that case.
- `bk2bp.ipynb` now correctly reports its dependency on the OSSI.
- `ltrace` and `file-activity` now use the provided `preview.prototypes` API.
Fixed issues
REVEN
- OSSI: For Windows scenarios, the MMU can now read standby pages in memory, solving an issue where certain modules could not be loaded.
- Some interrupts would mistakenly report that they occurred while executing an instruction when that was not the case. This issue is fixed for scenarios with the `Executed Blocks` resource replayed.
- The stack event and PC range replay would fail with `Error: Cannot disassemble empty data` when encountering an instruction with empty data.
- The server would crash when tainting through an instruction with empty or wrong data.
Project Manager
- A VM or its snapshots can no longer be used to record a scenario or be selected in the VM list while it is being registered in the Wizard.
- The Project Manager no longer blocks the user from registering new VMs when a VM or snapshot is unexpectedly deleted during registration.
Axion
- A sporadic segmentation fault crash in the Calltree view has been fixed.
- The calltree no longer crashes after disconnecting from a project and reconnecting to a different project in Axion.
- The calltree no longer sporadically logs an error reading "impossible case".
Analysis Python API Compatibility Notes
- The following deprecated classes and methods have been removed:
  - The `Stack.backtrace` method and the `BackTrace` class: print the `Stack` object directly to display a backtrace.
  - The `Taint.changes` method and the `TaintChanges` and `TaintChangeView` classes: use `Taint.accesses(changes_only=True)` to get the changes of the taint.
- The return value of `Symbol.name` changed: previously it would return the prototype, now it returns the short name (`Symbol.name_only`) of a symbol if available, or otherwise defaults to the source name (`Symbol.source_name`).