-
Notifications
You must be signed in to change notification settings - Fork 540
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Reduce usage of concrete evaluation in x86 semantics #1241
Comments
Won't this break the dynamic symbolic execution approach where we make the constraints based on the path that was actually executed? |
Anyway, if we decide to proceed with the PR, we have local DSE benchmarks to measure symbolic execution accuracy and speed. |
@SweetVishnya Can you give a case example? The changes to handling undefined flags should be fine I think - the only case I can see a potential problem with is the string related instructions |
Yeah, now Triton decides the number of times to execute REP string instructions. |
Maybe, we should split this PR by instruction groups. I can benchmark symbolic execution accuracy on our side. And we can merge succeeding PRs one by one. |
@SweetVishnya Take With the change I suggested, this code:
would be transformed into something along the lines of this(in pseudo code)
Essentially both destinations are only being assigned a new value if the counter(cx) is not set to zero. The logic for computing the next RIP should remain unchanged. With this context, do you still think this may cause problems? |
@Colton1skees, I do not see the problem here. But you never know what break symbolic reasoning in real world. We may try to benchmark all string instructions in a separate PR. If everything is OK, we can merge it. More info about our benchmarking can be found in Evaluation section. |
So far for this |
In a general point of view, removing all |
One PR for each instruction can be an overkill. Maybe, we can group them somehow? |
Yeah I think grouping them would be ok :) |
Moreover, running one benchmark requires one night of a time ;) |
Agreed, #1/#3/#4 should be split into separate. grouped PRs/
Understood. If I have time to PR this, I'll try to put together some relatively exhaustive tests. Also, is there any existing DSE accuracy benchmark which I can run locally? Afaik Sydr is closed source |
@Colton1skees, unfortunately our benchmark is closed source( because it requires Sydr. We just open source the benchmark binaries. |
I have a .NET port of Triton(mostly the translator / semantics) here which has a standalone static version of Triton's IR translator(including support for symbolic memory with STORE/LOAD nodes). On the topic of #473, I wonder how hard it would be to try and update the rest of the Triton codebase to handle the addition of STORE/LOAD nodes. |
@Colton1skees, I also did some experiments with symbolic pointers long time ago here. |
STORE/LOAD nodes are already implemented (#1185) and we have modes for this now:
Some examples here: However, i'm pretty sure we can do better to improve how we deal with memory array :) |
@Colton1skees, also writing C# bindings for Triton would be easier than copy-pasting the code. |
Neat
If I linked a complete .NET port of Triton, then yes writing bindings would make sense. The repo I linked is basically just a standalone extraction of the IR translator, with some changes specific to my use case(e.g. never emitting reads/writes to concrete memory addresses, switching from capstone to ICED). Writings bindings wasn't necessary. |
Hi @JonathanSalwan,
In x86semantics.cpp, there are 46 instruction handlers where the emitted ASTs are dependent upon a concrete value retrieved through
.evaluate()
:There are some similar cases(push/pushfq/pop/popfq, fxsave/fxrstor, ret, etc) involving symbolic memory, but IMO they're out of the scope of this issue since Triton does not have STORE/LOAD ast nodes.
One step towards #473 would be to replace
.evaluate()
usages with code to emit AST nodes which depend on a symbolic value. Any objections to me opening a PR for this?You can break the usages of
.evaluate()
into four categories:cx
is used to determine whether any nodes should be emittedexception
variable is set for cases where x86 would raise an exceptionof
is set to an undefined value if thesrc
operand is greater than 1)For these categories:
of = ite(src > 1, undef, of)
) could be usedThe text was updated successfully, but these errors were encountered: