2.9.0

Highlights

REVEN version 2.9 is packed with new features, with a focus on giving users more trace navigation and memory analysis tools in the Axion GUI.

Here are some highlights:

  • Memory Watchers in Axion GUI: The GUI can now create Memory Watchers, which display the value of a range of memory at all times while browsing a REVEN scenario.

  • Markers of a transition's location in the trace: To make it easier to tell at a glance where a particular transition falls in the scenario, hovering a transition in any widget now displays its position in time. Moreover, the transitions displayed in widgets now sport an icon indicating their position relative to the currently selected transition.

  • Debugger controls with step out and step over navigation in Axion GUI: Step out / Step over buttons and their corresponding shortcuts make it possible to jump to the exit of a function, or to skip over a call, in a single action. Since REVEN traces are timeless, stepping out or stepping over backward is of course possible too.

  • Step out and step over are also available in the Python API: The new methods Transition.step_out and Transition.step_over bring this capability to the API, where it can be used for automation. For example, step_out makes it easy to find the return value of the function you are in.

  • New sample scripts and notebooks:

    • detect_data_race.ipynb: demonstrates how to use the API to detect data races in programs whose synchronization relies on critical sections.
    • threadsync.py: traces calls to Windows synchronization APIs such as EnterCriticalSection, WakeConditionVariable or ReleaseMutex.
    • export_bookmarks.ipynb and bk2bp.ipynb: demonstrate how to use the bookmark API to generate a report in HTML or Markdown, or to generate breakpoints that can be imported into WinDbg.
    • All sample scripts can now be browsed in the documentation.

Improvements

REVEN

  • High-level OS Specific Information (OSSI) has been enhanced:
    • In Windows scenarios, REVEN now presents private symbols from PDBs, as well as symbols from PDB modules. Besides, the performance of PDB parsing has been improved by up to 400%, which translates into a shorter wait when loading transitions for the first time in the trace, in Axion GUI or in the Python API.
    • In Linux scenarios, REVEN now loads symbols from debug binaries if available at the standard locations looked up by GDB (such as /usr/lib/debug).

Project Manager

  • In Linux scenarios, the debug binaries are now extracted when replaying the Light Filesystem resource.

Analysis Python API

  • The reven2.Trace.memory_accesses method can now fetch memory accesses over the entire trace or over a range of transitions, regardless of the address of the memory access. Concretely, the address and size parameters of this method are now optional.
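
The two API additions described in these notes, Transition.step_out (Highlights) and Trace.memory_accesses without an address, combined in one short script. This is an added example, not code from the release notes or from the reven2 package: the reven2 method names, argument names and return conventions it relies on are assumptions listed in the module docstring, and the FakeTrace class is a constructed stand-in so the script runs offline without a REVEN server.

```python
"""Added example, not code from the REVEN release notes or the reven2 package.
It combines the two Python API additions in these notes: Transition.step_out
to read a function's return value, and Trace.memory_accesses with the
now-optional address/size parameters to list every access in a range.

Assumed reven2 surface (check your API reference):
  reven2.RevenServer(host, port).trace -> Trace; Trace.transition(id) -> Transition
  Transition.step_out() -> first transition executed in the caller after the
      return, or None if the trace ends first
  Transition.context_before().read(register) -> int
  Trace.memory_accesses(from_transition=..., to_transition=...) -> accesses with
      .transition, .virtual_address and .operation (enum, .name "Read"/"Write")
"""
from collections import Counter
from types import SimpleNamespace


def return_value_of_current_function(transition, register):
    """Step out of the function containing `transition` and read `register`
    (e.g. reven2.arch.x64.rax) at the return site. context_before() of that
    transition is the state right after the callee's ret, so the register still
    holds the return value. Returns (return_site, value), or (None, None) when
    the trace ends before the function returns."""
    ret_site = transition.step_out()
    if ret_site is None:
        return None, None
    return ret_site, ret_site.context_before().read(register)


def summarize_accesses(trace, first, last):
    """Count reads and writes between two transitions, whatever their address
    (leaving address/size unset, new in 2.9, walks every access in the range).
    Returns (Counter by operation name, sorted touched virtual addresses)."""
    by_op, touched = Counter(), set()
    for access in trace.memory_accesses(from_transition=first, to_transition=last):
        by_op[access.operation.name] += 1
        touched.add(str(access.virtual_address))
    return by_op, sorted(touched)


# ---- Constructed offline stand-in (NOT reven2) so the helpers run without a
# REVEN server: a call at transition #10 whose callee returns to the caller at
# #15 with rax == 0x2a, and four memory accesses in between.
class _Access:
    def __init__(self, transition, virtual_address, op):
        self.transition, self.virtual_address = transition, virtual_address
        self.operation = SimpleNamespace(name=op)


class _Context:
    def __init__(self, regs):
        self._regs = regs

    def read(self, register):
        return self._regs[register]


class _Transition:
    def __init__(self, trace, id_):
        self._trace, self.id = trace, id_

    def step_out(self):
        ret_id = self._trace.return_sites.get(self.id)
        return self._trace.transition(ret_id) if ret_id is not None else None

    def context_before(self):
        return _Context(self._trace.regs_before.get(self.id, {}))


class FakeTrace:
    """Constructed sample trace, not a real REVEN scenario."""

    def __init__(self):
        self.return_sites = {10: 15}            # step_out(#10) lands on #15
        self.regs_before = {15: {"rax": 0x2A}}  # callee returned 42 in rax
        self._accesses = [_Access(11, "0x7ffe1000", "Read"), _Access(12, "0x7ffe1008", "Write"),
                          _Access(13, "0x7ffe1000", "Read"), _Access(14, "0x7ffe2000", "Write")]

    def transition(self, id_):
        return _Transition(self, id_)

    def memory_accesses(self, address=None, size=None, from_transition=None,
                        to_transition=None, is_forward=True, operation=None):
        lo, hi = from_transition.id, to_transition.id
        return (a for a in self._accesses if lo <= a.transition <= hi)


def demo(trace, call_id, register):
    """Return value of the function entered at call_id, plus a summary of every
    access made until it returns to the caller."""
    call = trace.transition(call_id)
    ret_site, value = return_value_of_current_function(call, register)
    if ret_site is None:
        return None, {}, []
    by_op, touched = summarize_accesses(trace, call, ret_site)
    return value, dict(by_op), touched


if __name__ == "__main__":
    print(demo(FakeTrace(), call_id=10, register="rax"))
    # On a REVEN host (assumed connection API):
    #   import reven2
    #   trace = reven2.RevenServer("localhost", 13370).trace
    #   demo(trace, <id of a call transition>, reven2.arch.x64.rax)
```

The return register is read in context_before() of the return-site transition rather than context_after() of the call, because the callee's ret has already executed at that point while the caller's next instruction has not; if the function never returns within the trace, step_out is assumed to yield None and both helpers report that instead of raising.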

Axion

  • The Calltree view now displays bookmark icons next to entries corresponding to a bookmarked transition.
  • Hexdump views can now be renamed so that their identification is easier during the analysis. To rename a Hexdump, right-click on it, then choose "rename".
  • You can now select which Hexdump view is "active" by clicking the corresponding button in the widget. The active Hexdump is the one which is used when a new address is selected for display. If no Hexdump is active, selecting an address will display it in a new one.
  • Shortcut management:
    • Shortcut conflicts are now displayed in the shortcut editor.
    • A modal dialog now warns the user when they enter a shortcut that is already associated with other actions.
    • Axion no longer saves or loads shortcuts that are identical to the defaults in the settings. This reduces the likelihood of a shortcut conflict when upgrading Axion.

Fixed issues

REVEN

  • The taint now propagates correctly through the bswap instruction.

Project Manager

  • Compressed Linux kernel module files were not copied during the light filesystem extraction of a scenario.

Axion

  • Calltree view: The binary name for the root node of the calltree was sometimes mistakenly reported as unknown.
  • Calltree view: The current transition display (red line) is now displayed at the correct location in the following situations:
    • when the children of the last call node also have children nodes,
    • when the calltree view has been "locked" by clicking the lock button.
  • Closing Axion with a SIGINT or SIGTERM signal is now treated as a normal exit. In particular, this allows Axion's settings to be saved when an Axion session is stopped from the Project Manager.

Analysis Python API

  • Some calls to the preview.project_manager API could spuriously fail with a ConnectionError, especially when using a high-latency connection.
  • Python dependencies of the example scripts are now distributed alongside reven2, which makes using these scripts easier, especially on air-gapped networks.

Analysis Python API Compatibility Notes

  • The Stack.backtrace method and the BackTrace class have been deprecated and are scheduled for removal in version 2.10. Use str() or display() on a Stack instance to display a backtrace.