(symbol-entry open -4194304 0 0)
write. We will provide a fix soon
open but not the rest?
fgets. Like in this example, it's the last in the list of code-entries where the start is set to 0.
(code-entry puts 0 0) (code-entry __libc_start_main 0 0) (code-entry fgets 0 0)
Incident reports are n-tuples, where the first element is a symbolic name of the incident, and the rest are locations of the points of interest. The notion of these points is specific to a concrete incident kind. We have yet to add the declaration procedure that will allow us to at least have a symbolic annotation for each point.
In your case both incidents should have two points, if your code is the same as mine:
(incident-report 'unchecked-untrusted-argument (incident-location) (dict-get 'taint-sources/untrusted t)) (incident-report 'untrusted-argument (incident-location) (dict-get 'taint-sources/untrusted t))
The first is the location of the place where the rule was violated, i.e., the sensitive sink. The second is the location where a taint was introduced (i.e., the untrusted input).
Each location is denoted by the location identifier, with which we can associate arbitrary attributes. So far, it is only the incident-location attribute, which is a backtrace of the location, with the last point always being the exact point of the location.
Well, a function whose name wasn't recognized will get a bogus name
XXXX is its address. So you can write a policy that will depend on that name.
Not sure that this is what you're seeking, as usually policies rely on the API, to be general and reusable across binaries. So the bottom line is that the function names should be recognized. In bap the component responsible for symbol recognition is called the symbolizer. We have a few symbolizers, including the built-in one, one that uses objdump, and another that uses IDA. You can use all three (for the last one you need IDA Pro, though), or you can also write your own.
But before going too deep, you need to verify that you're getting the maximum from the existing symbolizers. First of all, check the specification of the --symbolizer option in the bap --help output. If it doesn't exist at all, then it means that you don't have any options to choose from, so you need to install the objdump symbolizer and/or the ida symbolizer, if you have IDA Pro; the corresponding opam packages are
@ivg Hi, I am reading
bap-plugins/deadcode/deadcode.ml. (https://github.com/BinaryAnalysisPlatform/bap-plugins/blob/master/deadcode/deadcode.ml )
I am wondering why no_side_effects is defined as
let open Target.CPU in Var.is_virtual var || is_flag var
I thought each variable in arg_t, def_t, phi_t does not have side effects. Could you explain why physical registers are considered to have side effects?
is_flag is an underapproximation; we assume that flags set in one subroutine are never used in another. They could be, of course, but not by a piece of code that was generated by a compiler. Since compilers do not treat flags as physical locations or data, they will never do optimizations on them.
primus-checks recipe from the bap-recipes repository as the starting example; instructions are provided in the link. If you want to learn how to program a new analysis in Primus using either OCaml or Primus Lisp, then you can learn the interfaces using our documentation (here is the Lisp documentation). See also