For a project I am working on, I am trying to export some form of a symbolic state for a program during execution.I was wondering whether it is possible to, at a certain point during program execution, acquire the locations (memory addresses) in guest memory that contain some symbolic value. Looking at the S2E code, the addresses translate from the guest to the host one-way, but I am curious whether I can also get the guest addresses back in some way.
In addition to that, I tried to acquire a concrete memory dump from QEMU when running in S2E mode (to combine with the knowledge of symbolic memory from the above), but this causes QEMU to freeze. I have not been able to determine why.
You could write a plugin that enumerates all virtual pages in the address space of a process and then check if state->mem()->read() returns a symbolic expression for a given byte.
How did you try to get the dump? If you use Windows guests, there is WindowsCrashDumpGenerator to create dumps that can be opened in WinDbg.
You could write a plugin that enumerates all virtual pages in the address space of a process and then check if state->mem()->read() returns a symbolic expression for a given byte.I had looked at how I could walk through guest memory earlier, but had not been able to determine how to access the virtual pages in the address space (of the guest, or the program under analysis); at that time I just looked at the objects in the KLEE address space. Where do you suggest I look to access these pages for a certain (selected) process from a plugin?
How did you try to get the dump? If you use Windows guests, there is WindowsCrashDumpGenerator to create dumps that can be opened in WinDbg.Apologies, I should have been more specific. I am running this with a Linux guest image. Since I wanted to dump the guest's memory at a specific point during execution, I attempted to send a dump-guest-memory command from the S2E plugin. This caused a freeze. I also dropped to a shell during S2E's bootstrap to try this manually, but this causes QEMU to exit immediately. I'm afraid I currently do not have any more information about this, but I will try this again to see if I can find anything else.
I was also wondering about the propagation of symbolic values, specifically when using a symbolic value as an index for an array access. Namely, I want to follow symbolic data from a syscall through the kernel up to some potentially vulnerable code, where I want to see e.g., whether an array access could go out of bounds. Is it the case that when an array index is symbolic, the result value of this access will be concretized? In a test program, I tried something as follows:
That's a pretty common thing that most plugins do. Look for state->mem()->read in the code base.
That command probably accesses memory directly. In S2E, the guest RAM is unmapped and QEMU must perform all accesses through a wrapper.
In order to avoid forking, the memory access must be aligned and constrained to a 256 byte range. Otherwise, there will be many additional forks to account for various unaligned accesses that span 256 byte intervals. Check these two test cases to understand how it works:Unfortunately, it is not possible to eliminate forking completely. You could increase 256 bytes to 4K but that would be hard on the constraint solver. Going above 4K is not possible because the TLB is concrete (i.e., only the 12 lower address bits may be symbolic).
--
You received this message because you are subscribed to the Google Groups "S2E Developer Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to s2e-dev+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/s2e-dev/91acebe7-e9f6-47db-81b0-414d71ff1770n%40googlegroups.com.
Regarding adding a new kernel, it's best to look at the recent commit history in s2e-linux-kernel and guest-images repo.I don't support creating snapshots manually, there are just too many steps and many opportunities for hard to debug errors.The steps look like this:
- Import a new kernel into s2e-linux-kernel- Apply S2E patches on it- Setup a kernel config file (with the S2E option enabled)- Update the guest-images repo to use the new kernel- Build the image.
--
You received this message because you are subscribed to the Google Groups "S2E Developer Forum" group.
To unsubscribe from this group and stop receiving emails from it, send an email to s2e-dev+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/s2e-dev/8f903b3d-5317-404a-bf89-8496af740d7bn%40googlegroups.com.