[S2E Plugin Analysis] Recipe Plugin -- 0. Overview

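Creating a new project with --tools pov activates the Recipe plugin by default. In practice, Recipe is a group of plugins that work together; the related entries can be seen in s2e-config.lua:

  • PovGenerationPolicy: holds the information about the different vulnerability types that is used to generate PoVs;
  • Recipe: continuously monitors program execution, looking for states that can be exploited. The most important weak point is the dereference of a symbolic pointer;
  • FilePovGenerator: once an exploitable state has been found, solves the constraints and writes the resulting input out as a PoV.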
add_plugin("PovGenerationPolicy")

add_plugin("Recipe")
pluginsConfig.Recipe = {
    recipesDir = "/home/ubuntu/s2e/projects/stack_overflow/recipes",
    logLevel = "warn"
}

-- This plugin writes PoVs as input files. This is suitable for programs that
-- take their inputs from files (instead of stdin or other methods).
add_plugin("FilePovGenerator")
pluginsConfig.FilePovGenerator = {
    -- The generated PoV will set the program counter
    -- of the vulnerable program to this value
    target_pc = 0xdeadbeef,

    -- The generated PoV will set a general purpose register
    -- of the vulnerable program to this value.
    target_gp = 0x8899aabbccddeeff
}

How the Recipe plugin is used in practice is briefly described in the S2E-review post.
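Because PoV generation relies on all three plugins listed above, a quick sanity check of s2e-config.lua can catch a run that was set up with one of them missing. The script below is an added example, not part of the original post or of S2E. It assumes that all three plugins must be enabled together, and it handles only flat pluginsConfig tables and "--" line comments; the function names are hypothetical.

```python
import re

# The three cooperating plugins named on this page.
REQUIRED = ("PovGenerationPolicy", "Recipe", "FilePovGenerator")

def strip_comments(lua):
    # Drop Lua "--" line comments (block comments and "--" inside strings are not handled).
    return "\n".join(line.split("--", 1)[0] for line in lua.splitlines())

def enabled_plugins(lua):
    # Names passed to add_plugin("...") outside of comments.
    return set(re.findall(r'add_plugin\(\s*"([^"]+)"\s*\)', strip_comments(lua)))

def plugin_settings(lua, name):
    # Flat key = value pairs of pluginsConfig.<name> = { ... }; {} if the table is absent.
    m = re.search(r'pluginsConfig\.%s\s*=\s*\{(.*?)\}' % re.escape(name),
                  strip_comments(lua), re.S)
    if not m:
        return {}
    pairs = re.findall(r'(\w+)\s*=\s*("[^"]*"|0x[0-9a-fA-F]+|\d+)', m.group(1))
    return {key: value.strip('"') for key, value in pairs}

def check_pov_config(lua):
    # Return a list of human-readable problems; an empty list means the check passed.
    problems = []
    active = enabled_plugins(lua)
    for name in REQUIRED:
        if name not in active:
            problems.append("plugin not enabled: " + name)
    if "recipesDir" not in plugin_settings(lua, "Recipe"):
        problems.append("Recipe.recipesDir is not set")
    generator = plugin_settings(lua, "FilePovGenerator")
    for key in ("target_pc", "target_gp"):
        if key not in generator:
            problems.append("FilePovGenerator.%s is not set" % key)
    return problems

# Constructed sample: the page's config with FilePovGenerator commented out.
SAMPLE_BROKEN = '''
add_plugin("PovGenerationPolicy")
add_plugin("Recipe")
pluginsConfig.Recipe = {
    recipesDir = "/home/ubuntu/s2e/projects/stack_overflow/recipes",
    logLevel = "warn"
}
-- add_plugin("FilePovGenerator")
'''

if __name__ == "__main__":
    for problem in check_pov_config(SAMPLE_BROKEN):
        print(problem)
```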