slumps
slumps copied to clipboard
ASSERT-KTH
vulnerabilities experimentation
We have three sources for vulnerabilities experimentation with SLUMPs:
- Memory disclosures from #7 (C code here)
- Whitebox cryptographic programs mentioned in #27
- CVEs report for webassembly mentioned in #41
- TODO: Collect specific CVEs to test
Experiment steps:
1 - Port the vulnerable code to WebAssembly using SLUMPs and collecting the original program without optimizations 2 - See if the problem persists in the V8 context (already tested in #7 with emcc)
- Try to execute in the browser
- Collect the profiler information from the DevTool
- Execute the same WASM code in SWAM and collect stack and memory traces
3 - Feed SLUMPs with the vulnerable program 4 - Collect variants
- For each variant: apply step 2
Notes
In the case of the CVEs, we also need to test if the CVEs related to Binaryen persist after the SLUMPs phase
Use the dockerized SLUMPs app
For example
docker run -it --rm -v $(pwd)/out:/slumps/src/out jacarte/slumps:app https://raw.githubusercontent.com/KTH/slumps/master/benchmark_programs/rossetta/valid/no_input/Catalan_numbers.c Catalan_numbers.c
I am trying to run the Catalan_numbers.c example in dockerized Slump app but getting the below-mentioned output. How much time does it take in the stage LLVM BC to Souper IR candidates?
It can take a while, taking into account that the souper exploration can be expensive. However, the timeout in this case (second line in your screenshot) is for half hour.
In the experiments that we ran the time for an answer was 2863.46 seconds.
@Jacarte I am able to get into the interactive mode using this command(docker run -it --rm -v $(pwd/out:/out -v $(pwd)/vulnerable_programs/report-web-assembly-memory-safety/c --entrypoint /bin/bash jacarte/slumps:app ) but after that, when I am trying to run the vulnerable program getting below-mentioned error. Am I doing something wrong
root@5831e19c674c:/slumps/src# python3 slumps.py interger_overflow.c
Traceback (most recent call last):
File "slumps.py", line 5, in
Change the python interpreter to python3.7 instead of python3, python3.7 slumps.py <program>. I will fix it in the doc
using [python3.7 slumps.py integer_overflow.c] it gives a below-mentioned error. The error says No such file or directory: 'interger_overflow.c'
docker run -it --rm -v $(pwd/out:/out -v $(pwd)/vulnerable_programs/report-web-assembly-memory-safety/c --entrypoint /bin/bash jacarte/slumps:app In the docker command i have mentioned the vulnerable code path. How should I provide the path for vulnerale program.
Should be something like this
docker run -it --rm -v $(pwd):/slumps/src/out -v $(pwd)/vulnerable_programs/report-web-assembly-memory-safety/c:/slumps/src --entrypoint /bin/bash jacarte/slumps:app
You are missing the second part for the vulnerabilities volume, therefore, the files are not in the slumps root.
Tried with the latest command. getting below error after running the slumps.py.
python3.7: can't open file 'slumps.py': [Errno 2] No such file or directory
But the good thing is that able to see vulnerable programs list. Only thing I am not getting is how to mount the src/slumps folder so to run the slumps.py file.
Sorry my mistake, you are overriding the src folder thats why you are not seeing the scripts slumps.py. Change the second volume to -v $(pwd)/<vulnerable>:/input or other input folder name. Then you will be able to run python3.7 slumps.py /input/<program>.c
Thanks for the input Javier I was able to run it but ran into some issues at C to LLVR IR. Are these expected as we are running the vulnerable code?
removed the EMSCRIPTEN code from the file and ran it but it is giving an error at LLVM to Souper IR stage. The error is related to redis do I need to install and configure redis db in my system.
Changing the entrypoint for the container bypasses the initialization of redis-server service. To launch it again, run nohup redis-server & in the bash console inside the container.