package binsec

  1. Overview
  2. Docs
Semantic analysis of binary executables

Install

Dune Dependency

binsec.github.io Readme Changelog LGPL-2.1-or-later License Edit opam file Versions (18)

Authors

  1. A
    Adel Djoudi
  2. B
    Benjamin Farinier
  3. C
    Chakib Foulani
  4. D
    Dorian Lesbre
  5. F
    Frédéric Recoules
  6. G
    Guillaume Girol
  7. J
    Josselin Feist
  8. L
    Lesly-Ann Daniel
  9. M
    Mahmudul Faisal Al Ameen
  10. M
    Manh-Dung Nguyen
  11. M
    Mathéo Vergnolle
  12. M
    Mathilde Ollivier
  13. M
    Matthieu Lemerre
  14. N
    Nicolas Bellec
  15. O
    Olivier Nicole
  16. R
    Richard Bonichon
  17. R
    Robin David
  18. S
    Sébastien Bardin
  19. S
    Soline Ducousso
  20. T
    Ta Thanh Dinh
  21. Y
    Yaëlle Vinçont
  22. Y
    Yanis Sellami

Maintainers

  1. B
    BINSEC <binsec@saxifrage.saclay.cea.fr>

Sources

binsec-0.9.0.tbz
sha256=d959c2351b6cac10ffbdaf112769a676c9ad84bf6bc7fefa5cb1daa8d086cc97
sha512=1a3951896f05fb3a4cb05e81830373c75409a69c49323dc82e97c94889927b5f9561e704565a22c2a608842f67063d6c89a330477165b197a40d6ac231c09a7e

doc/src/libterm/api_solver.ml.html

Source file api_solver.ml

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
(**************************************************************************)
(*  This file is part of BINSEC.                                          *)
(*                                                                        *)
(*  Copyright (C) 2016-2024                                               *)
(*    CEA (Commissariat à l'énergie atomique et aux énergies              *)
(*         alternatives)                                                  *)
(*                                                                        *)
(*  you can redistribute it and/or modify it under the terms of the GNU   *)
(*  Lesser General Public License as published by the Free Software       *)
(*  Foundation, version 2.1.                                              *)
(*                                                                        *)
(*  It is distributed in the hope that it will be useful,                 *)
(*  but WITHOUT ANY WARRANTY; without even the implied warranty of        *)
(*  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         *)
(*  GNU Lesser General Public License for more details.                   *)
(*                                                                        *)
(*  See the GNU Lesser General Public License version 2.1                 *)
(*  for more details (enclosed in the file licenses/LGPLv2.1).            *)
(*                                                                        *)
(**************************************************************************)

module Bv = Sexpr.Bv
module Expr = Sexpr.Expr
module Memory = Sexpr.Memory
module StTbl = Sexpr.StTbl
module BvTbl = Sexpr.BvTbl
module AxTbl = Sexpr.AxTbl
module NiTbl = Basic_types.Int.Htbl
module BiMap = Basic_types.BigInt.Map

let byte_size = Natural.to_int Basic_types.Constants.bytesize

module type CONTEXT = sig
  type bl
  type bv
  type ax

  val addr_space : int
  val visit_bl : Expr.t -> bl
  val visit_bv : Expr.t -> bv
  val visit_ax : Memory.t -> ax
  val iter_free_variables : (string -> Expr.t -> unit) -> unit
  val iter_free_arrays : (string -> Memory.t -> unit) -> unit
  val get : Expr.t -> bv
end

type ('bl, 'bv, 'ax) context =
  (module CONTEXT with type bl = 'bl and type bv = 'bv and type ax = 'ax)

module Context (S : Libsolver.S) :
  CONTEXT with type bl = S.Bl.t and type bv = S.Bv.t and type ax = S.Ax.t =
struct
  open S

  type bl = Bl.t
  type bv = Bv.t
  type ax = Ax.t

  let fvariables = StTbl.create 16
  let farrays = StTbl.create 4
  let bl_cons = BvTbl.create 128
  let bv_cons = BvTbl.create 128
  let ax_cons = AxTbl.create 64
  let addr_space = Kernel_options.Machine.word_size ()
  let array_sort = Ax.sort ~idx:addr_space byte_size

  let visit_select =
    let rec iter len concat index array res =
      if len = 0 then res
      else
        iter (len - 1) concat (Bv.succ index) array
          (concat (Ax.select array index) res)
    in
    fun len dir index array ->
      let concat =
        match dir with
        | Machine.LittleEndian -> Bv.append
        | Machine.BigEndian -> Fun.flip Bv.append
      in
      iter (len - 1) concat (Bv.succ index) array (Ax.select array index)

  let rec unroll_store array index x s =
    if s = 8 then Ax.store array index x
    else
      unroll_store
        (Ax.store array index (Bv.extract ~hi:7 ~lo:0 x))
        (Bv.succ index)
        (Bv.extract ~hi:(s - 1) ~lo:8 x)
        (s - 8)

  let rec visit_bl bl =
    try BvTbl.find bl_cons bl
    with Not_found ->
      let e =
        match bl with
        | Cst bv -> if Term.Bv.is_zero bv then Bl.bot else Bl.top
        | Load _ (* cannot be a bl<1> *) -> assert false
        | Unary { f = Not; x; _ } -> Bl.lognot (visit_bl x)
        | Binary { f = And; x; y; _ } -> Bl.logand (visit_bl x) (visit_bl y)
        | Binary { f = Or; x; y; _ } -> Bl.logor (visit_bl x) (visit_bl y)
        | Binary { f = Xor; x; y; _ } -> Bl.logxor (visit_bl x) (visit_bl y)
        | Binary { f = Eq; x; y; _ } -> Bv.equal (visit_bv x) (visit_bv y)
        | Binary { f = Diff; x; y; _ } -> Bv.diff (visit_bv x) (visit_bv y)
        | Binary { f = Uge; x; y; _ } -> Bv.uge (visit_bv x) (visit_bv y)
        | Binary { f = Ule; x; y; _ } -> Bv.ule (visit_bv x) (visit_bv y)
        | Binary { f = Ugt; x; y; _ } -> Bv.ugt (visit_bv x) (visit_bv y)
        | Binary { f = Ult; x; y; _ } -> Bv.ult (visit_bv x) (visit_bv y)
        | Binary { f = Sge; x; y; _ } -> Bv.sge (visit_bv x) (visit_bv y)
        | Binary { f = Sle; x; y; _ } -> Bv.sle (visit_bv x) (visit_bv y)
        | Binary { f = Sgt; x; y; _ } -> Bv.sgt (visit_bv x) (visit_bv y)
        | Binary { f = Slt; x; y; _ } -> Bv.slt (visit_bv x) (visit_bv y)
        | Ite { c; t; e; _ } -> Bl.ite (visit_bl c) (visit_bl t) (visit_bl e)
        | Var _ | Unary _ | Binary _ -> Bv.to_bl (visit_bv bl)
      in
      BvTbl.add bl_cons bl e;
      e

  and visit_bv bv =
    try BvTbl.find bv_cons bv
    with Not_found ->
      let e =
        match bv with
        | Var { name; size; _ } ->
            StTbl.add fvariables name bv;
            Bv.const size name
        | Load { len; dir; addr; label; _ } ->
            let index = visit_bv addr and array = visit_ax label in
            visit_select len dir index array
        | Cst bv -> Bv.value (Bitvector.size_of bv) (Bitvector.value_of bv)
        | Unary { f = Not; x; _ } -> Bv.lognot (visit_bv x)
        | Unary { f = Minus; x; _ } -> Bv.neg (visit_bv x)
        | Unary { f = Uext n; x; _ } -> Bv.uext n (visit_bv x)
        | Unary { f = Sext n; x; _ } -> Bv.sext n (visit_bv x)
        | Unary { f = Restrict { lo; hi }; x; _ } ->
            Bv.extract ~hi ~lo (visit_bv x)
        | Binary { f = Plus; x; y; _ } -> Bv.add (visit_bv x) (visit_bv y)
        | Binary { f = Minus; x; y; _ } -> Bv.sub (visit_bv x) (visit_bv y)
        | Binary { f = Mul; x; y; _ } -> Bv.mul (visit_bv x) (visit_bv y)
        | Binary { f = Udiv; x; y; _ } -> Bv.udiv (visit_bv x) (visit_bv y)
        | Binary { f = Sdiv; x; y; _ } -> Bv.sdiv (visit_bv x) (visit_bv y)
        | Binary { f = Umod; x; y; _ } -> Bv.umod (visit_bv x) (visit_bv y)
        | Binary { f = Smod; x; y; _ } -> Bv.smod (visit_bv x) (visit_bv y)
        | Binary { f = Or; x; y; _ } -> Bv.logor (visit_bv x) (visit_bv y)
        | Binary { f = And; x; y; _ } -> Bv.logand (visit_bv x) (visit_bv y)
        | Binary { f = Xor; x; y; _ } -> Bv.logxor (visit_bv x) (visit_bv y)
        | Binary { f = Concat; x; y; _ } -> Bv.append (visit_bv x) (visit_bv y)
        | Binary { f = Lsl; x; y; _ } -> Bv.shift_left (visit_bv x) (visit_bv y)
        | Binary { f = Lsr; x; y; _ } ->
            Bv.shift_right (visit_bv x) (visit_bv y)
        | Binary { f = Asr; x; y; _ } ->
            Bv.shift_right_signed (visit_bv x) (visit_bv y)
        | Binary { f = Rol; x; y; _ } ->
            Bv.rotate_left (visit_bv x) (visit_bv y)
        | Binary { f = Ror; x; y; _ } ->
            Bv.rotate_right (visit_bv x) (visit_bv y)
        | Binary
            { f = Eq | Diff | Ule | Ult | Uge | Ugt | Sle | Slt | Sge | Sgt; _ }
          ->
            Bl.to_bv (visit_bl bv)
        | Ite { c; t; e; _ } -> Bv.ite (visit_bl c) (visit_bv t) (visit_bv e)
      in

      BvTbl.add bv_cons bv e;
      e

  and visit_ax (ax : Memory.t) =
    try AxTbl.find ax_cons ax
    with Not_found ->
      let a =
        match ax with
        | Root -> Ax.const array_sort Suid.(to_string zero)
        | Symbol name ->
            StTbl.add farrays name ax;
            Ax.const array_sort name
        | Layer { addr; store; over; _ } ->
            let base = visit_bv addr and array = visit_ax over in
            Sexpr.Store.fold_term
              (fun i value array ->
                let s = Expr.sizeof value in
                let x = visit_bv value
                and index = Bv.add base (Bv.value addr_space i) in
                unroll_store array index x s)
              array store
      in
      AxTbl.add ax_cons ax a;
      a

  let iter_free_variables f = StTbl.iter f fvariables
  let iter_free_arrays f = StTbl.iter f farrays
  let get e = BvTbl.find bv_cons e
end

module Make (F : Libsolver.F) = struct
  module Open () : Solver.S = struct
    module Solver = F ()
    module Context = Context (Solver)

    let visit_formula _ = ()
    let iter_free_variables = Context.iter_free_variables
    let iter_free_arrays = Context.iter_free_arrays
    let assert_formula bl = Solver.assert_formula (Context.visit_bl bl)
    let check_sat = Solver.check_sat

    let check_sat_assuming ?timeout bl =
      Solver.check_sat_assuming ?timeout (Context.visit_bl bl)

    let get_value bv = Solver.get_bv_value (Context.visit_bv bv)

    let fold_array_values f ar x =
      Solver.fold_ax_values f (Context.visit_ax ar) x

    let push = Solver.push
    let pop = Solver.pop
    let close = Solver.close
  end
end
OCaml

Innovation. Community. Security.

GitHub Discord Twitter Peertube RSS
About
Changelog Releases Industrial Users Academic Users Why OCaml
Ecosystem
Packages Community Events OCaml Planet Jobs
Resources
Install OCaml Get Started Platform Tools Language Manual Standard Library API Books Exercises Papers OCaml Playground Logo
Policies
Carbon Footprint Governance Privacy Code of Conduct