adds the stub resolver abi pass (#1036)

The stub resolver pass redirects on the IR level calls to stub functions to the calls to real functions if such could be identified. A function is a stub if it has the stub attribute present in the knowledge base. So far, we add only a knowledge provider for ELF stubs (that looks into the .plt section) others will be added later. The redirection algorithm establishes a one-to-one mapping between a stub and its prospective redirection. In case if a non-bijective mapping is detected (a stub has more than one implementation candidates or implementation has more than one stubs) no redirection is established.

Author: gitoleg

.gitignore

@@ -67,6 +67,7 @@ _oasis
 /plugins/primus_lisp/primus_lisp_config.ml
 /plugins/primus_greedy/.merlin
 /plugins/primus_lisp/primus_lisp_config.ml
+/plugins/primus_systems/primus_systems_config.ml
 /setup.exe
 /tools/bap_config
 /lib/bap_bundle/bap_bundle_config.ml

.run_travis_tests.sh

@@ -22,6 +22,7 @@ if [ "$TASK" == "unit_tests" ]; then
     bap_powerpc_tests
     bap_piqi_tests
     bap_traces_tests
+    bap_stub_resolver_tests
 fi
 
 if [ "$TASK" == "veri" ]; then

lib/bap/bap.mli

@@ -7806,12 +7806,26 @@ module Std : sig
         that occur in jump [jmp] expressions.*)
     val substitute : t -> exp -> exp -> t
 
-    (** updated jump's guard condition  *)
+    (** [with_cond jmp c] updates jump's guard condition
+
+        @since 2.0.0 *)
     val with_cond : t -> exp -> t
 
-    (** updated jump's kind  *)
+    (** [with_kind jmp k] updates jump's kind
+
+        @since 2.0.0 *)
     val with_kind : t -> jmp_kind -> t
 
+    (** [with_alt jmp d] updates jump's inter-procedural destination
+
+        @since 2.1.0 *)
+    val with_alt : t -> dst option -> t
+
+    (** [with_dst jmp d] updates jump's intra-procedural destination
+
+        @since 2.1.0 *)
+    val with_dst : t -> dst option -> t
+
     (** [pp_slots names] prints slots that are in [names].  *)
     val pp_slots : string list -> Format.formatter -> t -> unit
     include Regular.S with type t := t

lib/bap_sema/bap_sema_lift.ml

@@ -306,13 +306,13 @@ let program symtab =
       | Ok () -> tid
       | Error _ ->
         let tid = Tid.create () in
-        Tid.set_name tid name;
         Hash_set.strict_add_exn tids tid;
         tid in
   Seq.iter (Symtab.to_sequence symtab) ~f:(fun (name,entry,cfg) ->
       let addr = Block.addr entry in
       let blk_tid = Tid.for_addr addr in
       let sub_tid = tid_for_sub name in
+      Tid.set_addr sub_tid addr;
       let sub = lift_sub ~symtab ~tid:sub_tid entry cfg in
       Ir_program.Builder.add_sub b (Ir_sub.with_name sub name);
       Hashtbl.add_exn sub_of_blk ~key:blk_tid ~data:sub_tid;);

lib/bap_types/bap_ir.ml

@@ -58,7 +58,7 @@ module Tid = struct
       KB.provide slot tid (Some name)
     end
 
-  let set_addr = set Theory.Label.addr
+  let set_addr t w = set Theory.Label.addr t (Bap_bitvector.to_bitvec w)
   let set_ivec = set Theory.Label.ivec
 
 
@@ -316,23 +316,19 @@ end = struct
     let addr = Dict.find s.dict Bap_attributes.address in
     let name = mangle_name addr s.tid s.self.name in
     Tid.add_name s.tid s.self.name;
-    Tid.add_name s.tid name;
+    Tid.set_name s.tid name;
     let self = {s.self with name} in
     {s with self}
 
-  let fix_names olds news =
-    let is_new tid name =
-      match Array.find olds ~f:(fun s -> Tid.equal s.tid tid) with
-      | Some s -> String.(name <> s.self.name)
-      | None -> true in
+  let fix_names news =
+    let is_new sub = sub.tid <> Tid.for_name sub.self.name in
     let keep_name tids name tid = Map.set tids ~key:name ~data:tid in
     let tids = Array.fold news ~init:String.Map.empty ~f:(fun tids sub ->
         match Map.find tids sub.self.name with
         | None -> keep_name tids sub.self.name sub.tid
         | Some _ ->
-          if is_new sub.tid sub.self.name then
-            keep_name tids sub.self.name sub.tid
-          else tids) in
+          if is_new sub then tids
+          else keep_name tids sub.self.name sub.tid) in
     if Array.length news = Map.length tids then news
     else
       Array.map news ~f:(fun sub ->
@@ -342,7 +338,7 @@ end = struct
 
   let empty () = {subs = [| |] ;  paths = Tid.Table.create () }
 
-  let update p subs = { p with subs = fix_names p.subs subs }
+  let update p subs = { p with subs = fix_names subs }
 
   let compare x y =
     let compare x y = [%compare:sub term array] x y in

lib/bap_types/bap_ir.mli

@@ -58,6 +58,7 @@ module Tid : sig
 
   val create : unit -> t Bap_toplevel.t
   val set_name : t -> string -> unit Bap_toplevel.t
+  val set_addr : t -> word -> unit Bap_toplevel.t
   val name : t -> string Bap_toplevel.t
   val from_string : string -> tid Or_error.t
   val from_string_exn : string -> tid
@@ -337,6 +338,8 @@ module Ir_jmp : sig
   val cond : t -> exp
   val with_cond : t -> exp -> t
   val with_kind : t -> jmp_kind -> t
+  val with_alt : t -> dst option -> t
+  val with_dst : t -> dst option -> t
   val exps : t -> exp Sequence.t
   val map_exp : t -> f:(exp -> exp) -> t
   val substitute : t -> exp -> exp -> t

oasis/stub-resolver

@@ -0,0 +1,38 @@
+Flag stub_resolver
+  Description: Build Stub Resolver plugin
+  Default: false
+
+Library stub_resolver_library_plugin
+  Build$:       flag(everything) || flag(stub_resolver)
+  Path:         plugins/stub_resolver/
+  BuildDepends: bap, bap-abi, bap-knowledge, bap-core-theory, core_kernel, bitvec, bitvec-order, bap-main
+  FindlibName:     bap-plugin-stub_resolver
+  CompiledObject:  best
+  Modules:         Stub_resolver
+  InternalModules: Stub_resolver_main
+  XMETADescription: Substitutes calls to stubs with calls to real functions
+  XMETAExtraLines:  tags="abi"
+
+Library stub_resolver_tests
+  Path:           plugins/stub_resolver
+  FindLibParent:  stub_resolver_library_plugin
+  FindlibName:    tests
+  Build$:         flag(tests) && (flag(everything) || flag(stub_resolver))
+  CompiledObject: best
+  BuildDepends:   bap, oUnit, core_kernel, ppx_jane
+  Install:        false
+  Modules:        Stub_resolver_tests
+
+Executable run_stub_resolver_tests
+  Path:		  plugins/stub_resolver
+  Build$:	  flag(tests) && (flag(everything) || flag(stub_resolver))
+  CompiledObject: best
+  BuildDepends:	  findlib.dynload, oUnit, bap-main, bap-plugin-stub_resolver.tests
+  Install:	  false
+  MainIs:         run_stub_resolver_tests.ml
+
+
+Test stub_resolver_tests
+ TestTools: run_stub_resolver_tests
+ Run$: flag(tests) && (flag(everything) || flag(stub_resolver))
+ Command: $run_stub_resolver_tests

opam/opam

@@ -117,6 +117,7 @@ install: [
   ["ocamlfind" "remove" "bap-plugin-print"]
   ["ocamlfind" "remove" "bap-plugin-report"]
   ["ocamlfind" "remove" "bap-plugin-read_symbols"]
+  ["ocamlfind" "remove" "bap-plugin-stub_resolver"]
   ["ocamlfind" "remove" "bap-plugin-x86"]
   ["ocamlfind" "remove" "bap-traces"]
   ["ocamlfind" "remove" "bap-taint"]
@@ -161,6 +162,7 @@ install: [
   ["cp" "run_powerpc_tests.native" "%{bin}%/bap_powerpc_tests"]
   ["cp" "run_piqi_tests.native" "%{bin}%/bap_piqi_tests"]
   ["cp" "run_traces_tests.native" "%{bin}%/bap_traces_tests"]
+  ["cp" "run_stub_resolver_tests.native" "%{bin}%/bap_stub_resolver_tests"]
 ]
 remove: [
   ["ocamlfind" "remove" "bap-main"]
@@ -226,6 +228,7 @@ remove: [
   ["ocamlfind" "remove" "bap-plugin-raw"]
   ["ocamlfind" "remove" "bap-plugin-report"]
   ["ocamlfind" "remove" "bap-plugin-read_symbols"]
+  ["ocamlfind" "remove" "bap-plugin-stub_resolver"]
   ["ocamlfind" "remove" "bap-plugin-x86"]
   ["ocamlfind" "remove" "bap-traces"]
   ["ocamlfind" "remove" "bap-taint"]
@@ -281,6 +284,8 @@ remove: [
   ["rm" "-f" "%{bin}%/bap_powerpc_tests"]
   ["rm" "-f" "%{bin}%/bap_piqi_tests"]
   ["rm" "-f" "%{bin}%/bap_traces_tests"]
+  ["rm" "-f" "%{bin}%/bap_stub_resolver_tests"]
+
 ]
 depexts: [
   [

plugins/primus_systems/primus_systems_config.ml

@@ -0,0 +1,7 @@
+PKG core_kernel
+PKG oUnit
+PKG bap
+PKG bap-abi
+
+S .
+B ../../_build/plugins/stub_resolver

plugins/stub_resolver/.merlin

@@ -0,0 +1,16 @@
+open Core_kernel
+open OUnit2
+open Bap_plugins.Std
+
+let suite = "Stub_resolver" >::: [
+    Stub_resolver_tests.suite;
+  ]
+
+let () =
+  match Bap_main.init () with
+  | Error err ->
+    Format.eprintf "Failed to initialize BAP: %a@\n%!"
+      Bap_main.Extension.Error.pp err;
+    exit 1;
+  | Ok () ->
+    run_test_tt_main suite

plugins/stub_resolver/run_stub_resolver_tests.ml

@@ -0,0 +1,142 @@
+open Core_kernel
+open Bap.Std
+open Bap_core_theory
+open Bap_knowledge
+
+include Self ()
+
+open KB.Syntax
+
+type groups = int Tid.Map.t
+type names = String.Set.t Int.Map.t
+
+type t = {
+  groups : groups;
+  names  : names;
+  next   : int;
+  stubs  : Tid.Set.t;
+}
+
+let tids = Knowledge.Domain.mapping (module Tid) "tids"
+    ~equal:Tid.equal
+    ~inspect:sexp_of_tid
+
+let slot = Knowledge.Class.property
+    Theory.Program.cls "stubs" tids
+    ~persistent:(Knowledge.Persistent.of_binable (module struct
+                   type t = tid Tid.Map.t
+                   [@@deriving bin_io]
+                 end))
+    ~public:true
+    ~desc:"The mapping from stubs to real symbols"
+
+let cls = Knowledge.Slot.cls slot
+
+let empty = {
+  groups = Map.empty (module Tid);
+  names  = Map.empty (module Int);
+  stubs  = Set.empty (module Tid);
+  next   = 0;
+}
+
+let is_stub sub =
+  KB.collect (Value.Tag.slot Sub.stub) (Term.tid sub) >>= function
+  | None -> KB.return false
+  | Some () -> KB.return true
+
+let aliases_of_sub s = KB.collect Theory.Label.aliases (Term.tid s)
+
+let update_stubs t sub =
+  is_stub sub >>| fun is_stub ->
+  if is_stub
+  then { t with stubs = Set.add t.stubs (Term.tid sub) }
+  else t
+
+let find_groups names aliases =
+  Map.fold names ~init:[]
+    ~f:(fun ~key:group ~data:aliases' groups ->
+        if Set.(is_empty @@ inter aliases aliases')
+        then groups
+        else group :: groups)
+
+let unite_names t groups =
+  List.fold groups ~init:(Set.empty (module String))
+    ~f:(fun als id ->
+        Set.union als (Map.find_exn t.names id))
+
+let pick_representative = function
+  | [] -> assert false
+  | groups ->
+    List.min_elt groups ~compare:Int.compare |>
+    Option.value_exn
+
+let redirect t ~from ~to_ =
+  Map.map t.groups ~f:(fun id ->
+      if List.mem from id ~equal:Int.equal
+      then to_
+      else id)
+
+let add t sub =
+  update_stubs t sub >>= fun t ->
+  aliases_of_sub sub >>| fun aliases ->
+  match find_groups t.names aliases with
+  | [] ->
+    let groups = Map.add_exn t.groups (Term.tid sub) t.next in
+    let names  = Map.add_exn t.names t.next aliases in
+    { t with groups; names; next = t.next + 1 }
+  | [id] ->
+    let groups = Map.add_exn t.groups (Term.tid sub) id in
+    let names = Map.update t.names id ~f:(function
+        | None -> assert false
+        | Some als' -> Set.union aliases als') in
+    { t with names; groups }
+  | groups ->
+    let grp = pick_representative groups in
+    let aliases = Set.union aliases (unite_names t groups) in
+    let names = List.fold groups ~init:t.names ~f:Map.remove in
+    let names = Map.add_exn names grp aliases in
+    let groups = redirect t ~from:groups ~to_:grp in
+    {t with names; groups;}
+
+let collect_by_group_id groups =
+  Map.fold groups ~init:Int.Map.empty
+    ~f:(fun ~key:tid ~data:id xs ->
+        Map.update xs id ~f:(function
+            | None -> [tid]
+            | Some tids -> tid :: tids ))
+
+let unambiguous_pairs stubs xs =
+  let is_stub tid = Set.mem stubs tid in
+  Map.fold xs ~init:(Map.empty (module Tid))
+    ~f:(fun ~key:_group_id ~data:tids pairs ->
+        match tids with
+        | [x; y] ->
+          begin
+            match is_stub x, is_stub y with
+            | true, false -> Map.add_exn pairs x y
+            | false, true -> Map.add_exn pairs y x
+            | _ -> pairs
+          end
+        | _ -> pairs)
+
+let find_pairs t =
+  collect_by_group_id t.groups |>
+  unambiguous_pairs t.stubs
+
+let resolve prog =
+  Knowledge.Seq.fold ~init:empty
+    (Term.to_sequence sub_t prog) ~f:add >>|
+  find_pairs
+
+let provide prog =
+  Knowledge.Object.create cls >>= fun obj ->
+  resolve prog >>= fun links ->
+  KB.provide slot obj links >>= fun () ->
+  KB.return obj
+
+let run prog =
+  match Knowledge.run cls (provide prog) (Toplevel.current ()) with
+  | Ok (v,_) -> Knowledge.Value.get slot v
+  | Error cnf ->
+    error "%a\n" Knowledge.Conflict.pp cnf;
+    Map.empty (module Tid)

plugins/stub_resolver/stub_resolver.ml

@@ -0,0 +1,8 @@
+open Core_kernel
+open Bap.Std
+open Bap_core_theory
+open Bap_knowledge
+
+(** [run prog] - returns the mapping from
+    stubs to implementations *)
+val run : program term -> tid Tid.Map.t