How to calculate branch coverage?


ice

Apr 11, 2011, 11:22:44 PM4/11/11
to BitBlaze User Discussion group
Hi all,

I want to calculate branch coverage. My way is to use IDA Pro to
statically determine the total branches (TB), and generate the number
of branches executed at run time (RTB). Then branch coverage = RTB/TB.
Is this approach feasible, or is there another more effective means?


Thank you

Stephen McCamant

Apr 21, 2011, 2:49:21 PM4/21/11
to bitblaz...@googlegroups.com
>>>>> "IF" == ice <icefr...@gmail.com> writes:

IF> Hi all,
IF> I want to calculate branch coverage. My way is to use IDA Pro to
IF> statically determine the total branches (TB), and generate the
IF> number of branches executed at run time (RTB). Then branch coverage =
IF> RTB/TB. Is this approach feasible, or is there another more
IF> effective means?

Sounds like a feasible approach to me. IDA's disassembly is heuristic,
so there isn't a guarantee that the set of branches it recognizes will
be exactly correct. But in practice its results are usually very good,
probably plenty good for estimating the total number of branches.

Hope this helps,

-- Stephen

dan

Apr 21, 2011, 9:18:02 PM4/21/11
to BitBlaze User Discussion group
As Stephen pointed out, this should work well enough in practice on
most programs. You would get less than optimal results for heavily
obfuscated / packed programs (i.e. most malware), as well as jitted
programs. In this case, RTB will be far greater than TB, but you could
restrict yourself to run-time branches that were discovered
statically.

--
Daniel Reynaud
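The RTB/TB computation from the original question, with Dan's refinement of restricting the run-time set to branches that were also found statically, as an added example that is not code from this thread, from IDA, PIN or BitBlaze. The static branch set and the trace lines are constructed sample data; the `branch <addr> <taken|not-taken>` trace format is an assumption standing in for whatever a real PIN or DynamoRIO tool would emit. It also goes one step beyond the thread by counting branch outcomes (both directions of each conditional jump) alongside branch sites, since that is what "branch coverage" usually means in the testing literature.

```python
"""Branch coverage as RTB/TB from a static branch set and a run-time trace."""
from dataclasses import dataclass

# Constructed sample: conditional-jump sites a static disassembler reported (TB = 5).
STATIC_BRANCHES = {0x401000, 0x401020, 0x401044, 0x401060, 0x4010A0}

# Constructed sample trace in an assumed "branch <addr> <outcome>" format.
# The 0x7f... sites live in code the disassembler never saw (unpacked or JIT
# code), which is the situation Dan describes where RTB can exceed TB.
TRACE = """\
branch 0x401000 taken
branch 0x401020 not-taken
branch 0x401020 taken
branch 0x401044 taken
branch 0x7f0000001000 taken
branch 0x7f0000001010 not-taken
branch 0x7f0000001020 taken
# a comment line the parser must ignore
"""


def parse_trace(text):
    """Return the set of (address, outcome) pairs observed in the trace."""
    outcomes = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] != "branch":
            continue  # skip blank, comment and malformed lines
        if parts[2] not in ("taken", "not-taken"):
            continue
        outcomes.add((int(parts[1], 16), parts[2]))
    return outcomes


@dataclass(frozen=True)
class CoverageReport:
    rtb: int                  # run-time branch sites also known statically
    tb: int                   # statically discovered branch sites
    site_coverage: float      # RTB / TB as defined in the thread
    outcome_coverage: float   # covered (site, direction) pairs / (2 * TB)
    unknown_sites: frozenset  # executed branches the disassembler missed


def naive_ratio(static, outcomes):
    """RTB/TB without restriction; can exceed 1.0 on packed or jitted code."""
    executed_sites = {addr for addr, _ in outcomes}
    return len(executed_sites) / len(static) if static else 0.0


def branch_coverage(static, outcomes):
    """Compute coverage restricted to statically known branch sites."""
    executed_sites = {addr for addr, _ in outcomes}
    known_sites = executed_sites & static
    unknown_sites = executed_sites - static
    # Each conditional jump has two outcomes, so the outcome denominator is 2*TB.
    known_outcomes = {o for o in outcomes if o[0] in static}
    tb = len(static)
    return CoverageReport(
        rtb=len(known_sites),
        tb=tb,
        site_coverage=len(known_sites) / tb if tb else 0.0,
        outcome_coverage=len(known_outcomes) / (2 * tb) if tb else 0.0,
        unknown_sites=frozenset(unknown_sites),
    )


if __name__ == "__main__":
    observed = parse_trace(TRACE)
    report = branch_coverage(STATIC_BRANCHES, observed)
    print(f"naive RTB/TB        = {naive_ratio(STATIC_BRANCHES, observed):.2f}")
    print(f"restricted RTB/TB   = {report.rtb}/{report.tb} = {report.site_coverage:.2f}")
    print(f"outcome coverage    = {report.outcome_coverage:.2f}")
    print("branches not in static set:", sorted(hex(a) for a in report.unknown_sites))
```

The unrestricted ratio comes out above 1.0 on this sample because three executed branch sites were never disassembled; the restricted figure is the one to report, and the `unknown_sites` list is worth inspecting separately, since a large one is the symptom of packing, JIT or a disassembly miss of the kind Stephen mentions.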

Alex Bazhanyuk

Apr 22, 2011, 4:21:06 AM4/22/11
to bitblaz...@googlegroups.com
Hi,

I use PIN and DynamoRIO (dyntrace, an IDA plugin) to implement the coverage.
I use BitBlaze too, but the simulation process (TEMU) takes a long time.
For these reasons I use PIN and DynamoRIO, but they work in R3 (user space), not R0 (kernel space).
I use the project Code-coverage-analysis-tools: https://github.com/Cr4sh/Code-coverage-analysis-tools
and the theory about it: "Analysis of code coverage in the search of vulnerabilities": http://translate.google.com/translate?hl=ru&sl=ru&tl=en&u=http%3A%2F%2Fd-olex.blogspot.com%2F2011%2F03%2Fblog-post.html
If I need to build coverage for R0, I use BitBlaze. I change the direction of one cjmp at each iteration.
Using this technique, I make a complete covering of the graph.
It is necessary for searching for vulnerabilities in kernel drivers: AV, ...

Thank you,

--
Best Regards,

Alexander N. Bazhanyuk

UKRAINE
Phone: +38-093-076-64-34
mail: virv...@gmail.com
ICQ: 472244882
Skype: abazhanyk_cv

Minh Triet Pham Tran

Mar 20, 2016, 10:06:44 PM3/20/16
to BitBlaze User Discussion group
Could you share the dyntrace (DynamoRIO) IDA plugin which you used to implement the coverage? I find that it used to be at: http://www.inreverse.net/wp-content/uploads/2011/11/dyntrace.zip .