Source: binsec_sse_shadow_stack.ml (p.binsec.0.11.0.doc.src.binsec_sse_shadow

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259(**************************************************************************) (* This file is part of BINSEC. *) (* *) (* Copyright (C) 2016-2026 *) (* CEA (Commissariat à l'énergie atomique et aux énergies *) (* alternatives) *) (* *) (* you can redistribute it and/or modify it under the terms of the GNU *) (* Lesser General Public License as published by the Free Software *) (* Foundation, version 2.1. *) (* *) (* It is distributed in the hope that it will be useful, *) (* but WITHOUT ANY WARRANTY; without even the implied warranty of *) (* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the *) (* GNU Lesser General Public License for more details. *) (* *) (* See the GNU Lesser General Public License version 2.1 *) (* for more details (enclosed in the file licenses/LGPLv2.1). *) (* *) (**************************************************************************) open Types open Ir let expr_of_addr addr size = Dba.Expr.constant (Bitvector.create (Virtual_address.to_bigint addr) size) let name = "shadow-stack" module Logger = Logger.Sub (struct let name = name end) type Script.Ast.t += Initial_stack of Script.Ast.Expr.t Script.Ast.loc list type ('value, 'model, 'state, 'path, 'a) field_id += | Stack : ('value, 'model, 'state, 'path, 'value list) field_id let grammar_extension = [ Dyp.Add_rules [ ( ( "decl", [ Dyp.Regexp (RE_String "initial"); Dyp.Regexp (RE_String "call"); Dyp.Regexp (RE_String "stack"); Dyp.Non_ter ("comma_separated_expr_rev_list", No_priority); ], "default_priority", [] ), fun _ -> function | [ _; _; _; Binsec_script.Syntax.Obj (Script.Expr_list values) ] -> (Binsec_script.Syntax.Decl (Initial_stack (List.rev values)), []) | _ -> assert false ); ]; ] let command_printer ppf = function | Initial_stack values -> Format.fprintf ppf "initial call stack %a" (Format.pp_print_list ~pp_sep:(fun ppf () -> Format.pp_print_string ppf ", ") (fun ppf (addr, _) -> Script.Expr.pp ppf addr)) values; true | _ -> false module Inline_plugin = struct let name = name let fields : (module PATH) -> field list = fun _ -> [] let extensions : type a. (module ENGINE with type Path.t = a) -> a extension list = fun engine -> let module E = (val engine) in let module P = E.Path in let pointer_size = Machine.ISA.word_size E.isa in let array = Some "shadow_stack" in let ptr = Dba.Var.create "shadow_stack_pointer" ~bitsize:(Size.Bit.create pointer_size) ~tag:Temp and witness = Dba.Var.create "shadow_stack_witness" ~bitsize:(Size.Bit.create pointer_size) ~tag:Temp in let ptr_r = Dba.Expr.v ptr and witness_r = Dba.Expr.v witness in let zero = Dba.Expr.constant (Bitvector.zeros pointer_size) and offset = Dba.Expr.constant (Bitvector.of_int ~size:pointer_size (pointer_size / 8)) in let insert_return_check graph vertex target = Revision.insert_list_before graph vertex [ Assert (Dba.Expr.ugt ptr_r zero); Assign { var = ptr; rval = Dba.Expr.sub ptr_r offset }; Load { var = witness; base = array; dir = LittleEndian; addr = ptr_r }; Assert (Dba.Expr.equal witness_r target); ] in [ Grammar_extension grammar_extension; Initialization_callback (fun path -> P.assign path ptr zero); Command_handler (fun decl (env : Script.env) path -> match decl with | Initial_stack values -> let ptr_v = List.fold_left (fun ptr_v addr -> let addr = Script.eval_expr ~size:env.wordsize addr env in P.store path array ~addr:ptr_v addr LittleEndian; Dba.Expr.add ptr_v offset) zero values in P.assign path ptr ptr_v; true | _ -> false); Command_printer command_printer; Instrumentation_routine (fun graph -> Revision.iter_new_vertex (fun vertex -> match Revision.node graph vertex with | Fallthrough { kind = Goto { tag = Call { base; _ }; _ }; _ } | Terminator { kind = Goto { tag = Call { base; _ }; _ }; _ } | Terminator { kind = Jump { tag = Call { base; _ }; _ }; _ } -> Revision.insert_list_before graph vertex [ Store { base = array; dir = LittleEndian; addr = ptr_r; rval = expr_of_addr base pointer_size; }; Assign { var = ptr; rval = Dba.Expr.add ptr_r offset }; ] | Terminator { kind = Goto { target; tag = Return; _ }; _ } -> insert_return_check graph vertex (expr_of_addr target pointer_size) | Terminator { kind = Jump { target; tag = Return; _ }; _ } -> insert_return_check graph vertex target | _ -> ()) graph); ] end module Builtin (E : ENGINE) : EXTENSIONS with type path = E.Path.t = struct module P = E.Path module V = P.Value module M = P.Model type path = P.t let key = E.lookup Stack let pointer_size = Machine.ISA.word_size E.isa type Ir.builtin += Push of Dba.Expr.t | Pop of Dba.Expr.t let push target path = Logger.debug ~level:2 "%a: push(%a)" Virtual_address.pp (P.pc path) Dba_printer.Ascii.pp_bl_term target; P.set path key (P.get_value path target :: P.get path key) let report addr target witness model = Logger.error "@[<v>%a: Stack tampering@ (goto %a, expected %a)@ %a@]" Virtual_address.pp addr Bitvector.pp_hex_or_bin (M.eval target model) Bitvector.pp_hex_or_bin (M.eval witness model) M.pp model (* TODO pp_with_section ?*) let pop target path = let addr = P.pc path in Logger.debug ~level:2 "%a: pop(%a)" Virtual_address.pp addr Dba_printer.Ascii.pp_bl_term target; match P.get path key with | [] -> Logger.error "%a: return does not match any call" Virtual_address.pp addr; Signal Assertion_failure | witness_v :: tail -> ( P.set path key tail; let target_v = P.get_value path target in (match P.check_sat_assuming_v ~retain:false path (V.binary Diff target_v witness_v) with | None -> () | Some model -> report addr target_v witness_v model); match P.assume_v path (V.binary Eq target_v witness_v) with | None -> Signal Assertion_failure | Some _ -> Return) let list : P.t extension list = [ Grammar_extension grammar_extension; Command_handler (fun decl (env : Script.env) path -> match decl with | Initial_stack values -> P.set path key (List.rev_map (fun addr -> P.get_value path (Script.eval_expr ~size:env.wordsize addr env)) values); true | _ -> false); Command_printer command_printer; Instrumentation_routine (fun graph -> Revision.iter_new_vertex (fun vertex -> match Revision.node graph vertex with | Fallthrough { kind = Goto { tag = Call { base; _ }; _ }; _ } | Terminator { kind = Goto { tag = Call { base; _ }; _ }; _ } | Terminator { kind = Jump { tag = Call { base; _ }; _ }; _ } -> Revision.insert_before graph vertex (Builtin (Push (expr_of_addr base pointer_size))) | Terminator { kind = Goto { target; tag = Return; _ }; _ } -> Revision.insert_before graph vertex (Builtin (Pop (expr_of_addr target pointer_size))) | Terminator { kind = Jump { target; tag = Return; _ }; _ } -> Revision.insert_before graph vertex (Builtin (Pop target)) | _ -> ()) graph); Builtin_resolver (function | Push target -> Apply (push target) | Pop target -> Call (pop target) | _ -> Unknown); Builtin_printer (fun ppf -> function | Push target -> Format.fprintf ppf "shadow push %a" Dba_printer.Ascii.pp_bl_term target; true | Pop target -> Format.fprintf ppf "shadow pop %a" Dba_printer.Ascii.pp_bl_term target; true | _ -> false); ] end module Builtin_plugin = struct let name = name let fields : (module PATH) -> field list = fun _ -> [ Field { id = Stack; default = []; copy = None; merge = None } ] let extensions : type a. (module ENGINE with type Path.t = a) -> a extension list = fun engine -> let module Extensions = Builtin ((val engine)) in Extensions.list end