blob: 23553c32ea066872ca8d54cdb35bd71a35d48cce [file] [log] [blame] [edit]
#!/usr/bin/perl
# **********************************************************
# Copyright (c) 2008 VMware, Inc. All rights reserved.
# **********************************************************
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice,
# this list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# * Neither the name of VMware, Inc. nor the names of its contributors may be
# used to endorse or promote products derived from this software without
# specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL VMWARE, INC. OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
# DAMAGE.
# processes a file created by moduledb_study.sh
$file = $ARGV[0];
open(FILE, "< $file") || die "Error: Couldn't open $file\n";
$tools = $ENV{'DYNAMORIO_TOOLS'};
if ($tools eq "") {
# use same dir this script sits in
$tools = $0;
if ($tools =~ /[\\\/]/) {
$tools =~ s/^(.+)[\\\/][\w\.]+$/\1/;
$tools =~ s/\\/\\\\/g;
} else {
$tools = "./";
}
# address_query needs DYNAMORIO_TOOLS set to find DRload.exe
$ENV{'DYNAMORIO_TOOLS'} = $tools;
}
$path = ".";
if ($ARGV[0] =~ /^(.*)\/[^\/]*$/) {
$path = $1;
}
while (<FILE>) {
$root = "-";
$case_num = 0;
$build = "-";
$app = "-";
$source = "-";
$source_addr = "-";
$source_prop = "-";
$target = "-";
$target_addr = "-";
$target_prop = "-";
$id = "-";
if ($_ =~ /^(bug|case)-?_?\s?(\d+)/i) {
$case_num = $2;
} elsif ($_ =~ /^([^\/]*)\//) {
$root = $1;
}
$bugtitle_info = `perl $tools/bugtitle.pl \Q$path/$_\E`;
if ($bugtitle_info =~ /^VIOLATION\s([^\s]*)\s\((<unknown build>|custom|\d*)\s([^\)]*)\)(.*)$/) {
$id = $1;
$build = $2;
$app = $3;
$rest = $4;
if ($rest =~ /^\s*(.*)\s--->\s(.*)$/) {
$source = $1;
$target = $2;
} elsif ($rest =~ /^\s*(0x[\da-fA-F]*)\s\(([^\s]*)\s(.*)\)\s=>\s(0x[\da-fA-F]*)\s\(([^\s]*)\s(.*)\).*$/) {
$source_addr = $1;
$source = $2;
$source_prop = $3;
$target_addr = $4;
$target = $5;
$target_prop = $6;
}
}
if ($case_num == 0) {
print "$root";
} else {
print "$case_num";
}
print " $id \"$app\" $source $target\n";
}
# use this | sort | uniq > file
# grep -iE " ....\.....\.A " results_uniq.txt > results_a.txt
# ...
# grep -iEv " ....\.....\.[abcef] " results_uniq.txt > results_other.txt
# 1129 unique violations (however many are core bugs!)
# gathered from determina bugs folder, does not include zipped up forensics files
# 37 .O or .P
# 31 .A (stack) (mostly bugs)
# 471 .C/E/F
# 590 .B
# of .B (number may not add up due to some truncated forensics not being included)
# grep -iE " heap heap$" results_b.txt > results_b_heap_to_heap.txt
# grep -iEv " (heap|unknown) heap$" results_b.txt | grep -iE " heap$" > results_b_mod_to_
# 56 heap -> heap
# 50 unknown -> heap
# 408 module -> heap [potential dll2heap relaxation]
# grep -iEv "(ntdll.dll|kernel32.dll|advapi32.dll|user32.dll|rpcrt4.dll|ole32.dll)" results_b_mod_to_heap.txt > res
# 118 not common dll (most of the remainder are bugs, from before we got the hook policy nailed down, or bad hookers)
# even of these most are microsoft (need to get company name)
# 76 module -> module
# grep -iEv " kernel32.dll$" results_b_mod_to_mod.txt > results_b_mod_to_mod_less_commo
# 54 less targeting kernel32 (bugs and bad hookers)
# 27 unique target dlls (~2/3 MS? need to run through my company name script)
# of rct - note there tend to be more unique violations per dll
# grep -Ev "dynamorio.dll" results_rct.txt > results_rct2.txt
# grep -iEv "unknown heap$" results_rct2.txt | grep -iE " heap$" > results_rct2_mod_to_h
# (need to lean to select columns in emacs, for now used excel)
# 386 ignoring to dynamorio.dll (a bug)
# 15 unknown to heap
# 73 module to heap (.C) [currently not easily addressable, should add rct from list? limit to just heap? maybe stopping some of the auto-attacks?]
# 298 module to module
# 93 unique targets (~2/3 MS? need to run through company name script)
# 61 unique src modules ""