Henrik Brodin
There have been various discussions about compressing the tdag. A few approaches in use/considered are: * Remove slack in tdag by shifting sections to the front of the file (have...
There is no explicit handling of the `select` IR instruction. That is needed to capture that a tainted condition affects control flow. Taint will likely be propagated through the `select`...
If an application exits due to an assert (or otherwise unexpected exit), the size fields for each section remain at their [allocated size](https://github.com/trailofbits/polytracker/blob/master/polytracker/include/taintdag/outputfile.h#L100). Under normal circumstances, [that size is updated...
`printf` writes to `stdout` are not captured as taint sinks when running PolyTracker with `POLYTRACKER_STDOUT_SINK=1`. It would be convenient to be able to capture: ```c++ printf("Tainted value: %x", tainted_value); ```...
The wrapper for `gets` is defined here: https://github.com/trailofbits/polytracker/blob/master/polytracker/src/taint_sources/taint_sources.cpp#L315-L318 ```c++ EXT_C_FUNC char *__dfsw_gets(char *str, dfsan_label str_label, dfsan_label *ret_label) { long offset = ftell(stdin); char *ret = fgets(str, sizeof str, stdin); ```...
In the Henrik/s2esubmodule branch, when recovering binaries having entries in the init_array, e.g. usage of std::cout, these entries are lost somewhere in the translation. The function to be called seems...
Instead of running the cmd-debian-mt.sh script, can we use [S2E parallel execution mode](http://s2e.systems/docs/Howtos/Parallel.html#parallel-s2e ) directly?
We can't, that's correct... I guess we could do that but I'd create a separate issue/PR for that because it affects both Java and C++. It was not implemented even...
As a user I'd find it useful to get access to the stack trace of the submitted PoV to better understand what's going on. Provide access in the ui. Probably...
We already have the [coverage monitor script](https://github.com/trailofbits/buttercup/blob/main/common/src/buttercup/common/coverage_monitor.py) that can generate graphs of coverage. We could consider extending the ui with a view that starts from now and periodically computes coverage...