Enabled patches written in primus lisp. I am shocked this is working at all

Author: philzook58

bap-vibes/src/config.ml

@@ -5,7 +5,7 @@ open !Core_kernel
 module Hvar = Higher_var
 module Wp_params = Bap_wp.Run_parameters
 
-type patch_code = CCode of Cabs.definition | ASMCode of string
+type patch_code = CCode of Cabs.definition | ASMCode of string | PrimusCode of string
 
 (* A type to represent a patch. *)
 type patch =
@@ -84,7 +84,8 @@ let string_of_hvar (v : Hvar.t) : string =
 let patch_to_string (p : patch) : string =
   let code = match p.patch_code with
   | CCode ccode -> Utils.print_c Cprint.print_def ccode
-  | ASMCode asmcode -> asmcode in
+  | ASMCode asmcode -> asmcode
+  | PrimusCode funname -> funname in
   let h_vars =
     String.concat ~sep:"\n" (List.map p.patch_vars ~f:string_of_hvar)
   in

bap-vibes/src/config.mli

@@ -13,7 +13,7 @@ type patch
 type t
 
 (** A type to represent patch cody which may either be C or literal assembly *)
-type patch_code = CCode of Cabs.definition | ASMCode of string
+type patch_code = CCode of Cabs.definition | ASMCode of string  | PrimusCode of string
 
 (** A type to represent known regions that may be overwritten with patch code *)
 type patch_space = {

bap-vibes/src/data.ml

@@ -44,7 +44,7 @@ let sexp_domain : Sexp.t option KB.Domain.t = KB.Domain.optional
     "sexp-domain"
 
 (* Optional C definition domain for the patch code. *)
-let source_domain : Cabs.definition option KB.Domain.t = KB.Domain.optional
+let source_domain : Config.patch_code option KB.Domain.t = KB.Domain.optional
     ~equal:Poly.equal
     "source-domain"
 
@@ -93,7 +93,7 @@ module Patch = struct
   let patch_name : (patch_cls, string option) KB.slot =
     KB.Class.property ~package patch "patch-name" string_domain
 
-  let patch_code : (patch_cls, Cabs.definition option) KB.slot =
+  let patch_code : (patch_cls, Config.patch_code option) KB.slot =
     KB.Class.property ~package patch "patch-code" source_domain
 
   let patch_label : (patch_cls, Theory.label option) KB.slot =
@@ -136,13 +136,16 @@ module Patch = struct
     | None -> Kb_error.fail Kb_error.Missing_patch_name
     | Some value -> KB.return value
 
-  let set_patch_code (obj : t) (data : Cabs.definition option) : unit KB.t =
-    KB.provide patch_code obj data
+  let set_patch_code (obj : t) (data : Config.patch_code option) : unit KB.t =
+    KB.provide patch_code obj data (* (Option.map ~f:(fun c -> Config.CCode c) data) *)
 
-  let get_patch_code (obj : t) : Cabs.definition option KB.t =
-    KB.collect patch_code obj
+  let get_patch_code (obj : t) : Config.patch_code option KB.t =
+    KB.collect patch_code obj (* >>= fun res ->
+    match res with
+    | Some (CCode code) -> KB.return (Some code)
+    | _ -> KB.return None *)
 
-  let get_patch_code_exn (obj : t) : Cabs.definition KB.t =
+  let get_patch_code_exn (obj : t) : Config.patch_code KB.t =
     get_patch_code obj >>= fun result ->
     match result with
     | None -> Kb_error.fail Kb_error.Missing_patch_code

bap-vibes/src/data.mli

@@ -14,7 +14,7 @@ val int_domain       : int option KB.Domain.t
 val int64_domain     : int64 option KB.Domain.t
 val bitvec_domain    : Bitvec.t option KB.Domain.t
 val sexp_domain      : Sexp.t option KB.Domain.t
-val source_domain    : Cabs.definition option KB.Domain.t
+val source_domain    : Config.patch_code option KB.Domain.t
 val assembly_domain  : string list option KB.Domain.t
 val unit_domain      : unit KB.Domain.t
 val higher_vars_domain : Hvar.t list option KB.Domain.t
@@ -49,7 +49,7 @@ module Patch : sig
   include Knowledge.Object.S with type t := t
 
   val patch_name : (patch_cls, string option) KB.slot
-  val patch_code : (patch_cls, Cabs.definition option) KB.slot
+  val patch_code : (patch_cls, Config.patch_code option) KB.slot
   val patch_point : (patch_cls, Bitvec.t option) KB.slot
   val patch_size : (patch_cls, int option) KB.slot
   val patch_label : (patch_cls, Theory.label option) KB.slot
@@ -68,9 +68,9 @@ module Patch : sig
   val get_patch_name : t -> string option KB.t
   val get_patch_name_exn : t -> string KB.t
 
-  val set_patch_code : t -> Cabs.definition option -> unit KB.t
-  val get_patch_code : t -> Cabs.definition option KB.t
-  val get_patch_code_exn : t -> Cabs.definition KB.t
+  val set_patch_code : t -> Config.patch_code option -> unit KB.t
+  val get_patch_code : t -> Config.patch_code option KB.t
+  val get_patch_code_exn : t -> Config.patch_code KB.t
 
   val set_patch_point : t -> Bitvec.t option -> unit KB.t
   val get_patch_point : t -> Bitvec.t option KB.t

bap-vibes/src/patch_ingester.ml

@@ -5,6 +5,7 @@ open Bap_knowledge
 open Knowledge.Syntax
 open Core_kernel
 open Bap_core_theory
+open Bap_primus.Std
 
 module KB = Knowledge
 open KB.Let
@@ -15,14 +16,27 @@ let provide_bir (tgt : Theory.target) (patch : Data.Patch.t) : unit KB.t =
   let module CParser = Core_c.Eval(Core) in
   Data.Patch.init_sem patch >>= fun () ->
   Data.Patch.get_patch_name_exn patch >>= fun name ->
-  Data.Patch.get_patch_code_exn patch >>= fun code ->
   Events.(send @@ Info (Printf.sprintf "Patch %s" name));
-  let code_str = Utils.print_c Cprint.print_def code in
-  Events.(send @@ Info (Printf.sprintf "%s" code_str));
-
+  Data.Patch.get_patch_code_exn patch >>= fun code ->
   (* Get the patch (as BIR). *)
-  let* bir = CParser.c_patch_to_eff tgt code in
-
+  let* bir = match code with
+  | CCode code -> begin
+          let code_str = Utils.print_c Cprint.print_def code in
+          Events.(send @@ Info (Printf.sprintf "%s" code_str));
+          CParser.c_patch_to_eff tgt code
+          end
+  | PrimusCode name -> begin
+     Primus.Lisp.Unit.create tgt >>= fun unit ->
+    KB.Object.scoped Theory.Program.cls @@ fun obj ->
+    KB.sequence [
+      KB.provide Theory.Label.unit obj (Some unit);
+      (* KB.provide Theory.Label.addr obj addr; *)
+      KB.provide Primus.Lisp.Semantics.name obj (Some (KB.Name.create name));
+    ] >>= fun () ->
+    KB.collect Theory.Semantics.slot obj
+    end
+  | ASMCode _asm -> Kb_error.fail (Kb_error.Not_implemented "yolo")
+  in
   Events.(send @@ Info "The patch has the following BIL:");
   Events.(send @@ Rule);
   let bir_str = Format.asprintf "%a" Bil.pp (KB.Value.get Bil.slot bir) in

bap-vibes/src/seeder.ml

@@ -67,9 +67,10 @@ let create_patches
         ~addr:(Config.patch_point p)
     in
     let* () = Data.Patch.set_patch_name obj (Some patch_name) in
+    let* () = Data.Patch.set_patch_code obj (Some (Config.patch_code p)) in
     let* () = match Config.patch_code p with
-      | CCode ccode -> Data.Patch.set_patch_code obj (Some ccode)
       | ASMCode asmcode -> Data.Patch.set_assembly obj (Some [asmcode])
+      | _ -> KB.return ()
     in
     let* () = Data.Patch.set_patch_point obj (Some (Config.patch_point p)) in
     let* () = Data.Patch.set_patch_size obj (Some (Config.patch_size p)) in

plugin/lib/vibes_plugin_parameters.ml

@@ -87,15 +87,18 @@ let validate_patch_name (obj : Json.t) : (string, error) Stdlib.result =
    into a [Cabs.definition] *)
 let validate_patch_code (nm : string) (obj : Json.t)
   : (Vibes_config.patch_code, error) Stdlib.result =
-  match Json.Util.member "patch-code" obj, Json.Util.member "asm-code" obj with
-  | `String s, `Null ->
+  match Json.Util.member "patch-code" obj, Json.Util.member "asm-code" obj, Json.Util.member "lisp-code" obj  with
+  | `String s, `Null, `Null ->
           (match Parse_c.parse_c_patch s with
           | Ok code -> Ok (Vibes_config.CCode code)
           | Error msg -> Error (Errors.Invalid_patch_code msg))
-  | `Null, `String s -> Ok (Vibes_config.ASMCode s)
-  | `String s, `String s' -> Error
+  | `Null, `String s, `Null -> Ok (Vibes_config.ASMCode s)
+  | `Null, `Null, `String s -> Ok (Vibes_config.PrimusCode s)
+  | `String s, `String s', _
+  |  _, `String s', `String s
+  | `String s,   _, `String s' -> Error
       (Errors.Invalid_patch_code "Specified both assembly and C code in patch")
-  | _, _ -> Err.fail Errors.Missing_patch_code
+  | _, _, _ -> Err.fail Errors.Missing_patch_code
 
 (* Extract the patch point field and parse the hex string into a bitvector, or
    error. *)

resources/exes/arm-simple-primus/Makefile

@@ -0,0 +1,106 @@
+SRC := main.c
+
+PROG := main
+PATCHED_PROG := main.patched
+
+REF_PROG := main.reference
+PATCHED_REF_PROG := main.patched.reference
+
+PATCHED_PROG_FOR_TESTING := test.patched.by.vibes
+
+
+#####################################################
+# DEFAULT
+#####################################################
+
+.DEFAULT_GOAL := all
+all: clean build patch
+
+
+#####################################################
+# BUILD
+#####################################################
+
+build: $(PROG)
+$(PROG): $(SRC)
+	arm-linux-gnueabi-gcc -marm -o $@ $<
+
+
+#####################################################
+# CLEAN
+#####################################################
+
+.PHONY: clean
+clean:
+	rm -rf $(OBJ) $(PROG) $(PATCHED_PROG) $(PATCHED_PROG_FOR_TESTING)
+
+
+#####################################################
+# PATCH
+#####################################################
+
+$(PATCHED_PROG): $(PROG)
+	bap vibes $(PROG) \
+                --config=config.json \
+				--primus-lisp-load=patch \
+                -o $(PATCHED_PROG) \
+                --verbose
+	chmod +x $(PATCHED_PROG)
+
+patch: $(PATCHED_PROG)
+
+
+#####################################################
+# PATCH THE REFERENCE EXECUTABLE
+#####################################################
+
+$(PATCHED_PROG_FOR_TESTING): $(REF_PROG)
+	bap vibes $(REF_PROG) \
+                --config=config.json \
+                -o $(PATCHED_PROG_FOR_TESTING) \
+                --verbose
+	chmod +x $(PATCHED_PROG_FOR_TESTING)
+
+patch.reference: $(PATCHED_PROG_FOR_TESTING)
+
+
+#####################################################
+# CREATE REFERENCE FILES
+#####################################################
+
+$(REF_PROG):
+	$(MAKE) $(PROG)
+	cp $(PROG) $(REF_PROG)
+
+$(PATCHED_REF_PROG):
+	$(MAKE) patch.reference
+	cp $(PATCHED_PROG_FOR_TESTING) $(PATCHED_REF_PROG)
+
+reference: 
+	rm -rf $(REF_PROG) $(PATCHED_REF_PROG)
+	$(MAKE) $(REF_PROG)
+	$(MAKE) $(PATCHED_REF_PROG)
+
+
+#####################################################
+# RUN
+#####################################################
+
+.PHONY: run.orig
+run.orig: $(PROG)
+	-QEMU_LD_PREFIX=/usr/arm-linux-gnueabi qemu-arm $(PROG)
+
+.PHONY: run.patched
+run.patched: $(PATCHED_PROG)
+	-QEMU_LD_PREFIX=/usr/arm-linux-gnueabi qemu-arm $(PATCHED_PROG)
+
+.PHONY: run.ref
+run.ref: $(REF_PROG)
+	-QEMU_LD_PREFIX=/usr/arm-linux-gnueabi qemu-arm $(REF_PROG)
+
+.PHONY: run.patched-ref
+run.patched-ref: $(PATCHED_REF_PROG)
+	-QEMU_LD_PREFIX=/usr/arm-linux-gnueabi qemu-arm $(PATCHED_REF_PROG)
+
+.PHONY: run.test
+run.test: run.orig run.patched

resources/exes/arm-simple-primus/README.md

@@ -0,0 +1,29 @@
+# ARM Simple Compiled
+
+To clean, build, and patch:
+
+    make
+
+To build:
+
+    make build
+
+To patch:
+
+    make patch
+
+To run the executable and the patched executable (in qemu):
+
+    make run.test
+
+To create reference versions of the executables:
+
+    make reference
+
+To patch the reference executable:
+
+    make patch.reference
+
+To clean:
+
+    make clean

resources/exes/arm-simple-primus/config.json

@@ -0,0 +1,25 @@
+{
+  "max-tries": 3,
+  "wp-params": {
+    "func": "main",
+    "postcond" : "(assert (= (bvadd R0_mod #x00000002) R0_orig))"
+  },
+  "patches" : [
+    {"patch-name" : "ret-3",
+     "lisp-code" : "ret-3",
+     "patch-point" : "0x103d4",
+     "patch-size" : 8,
+     "patch-vars": [
+         {"name": "retvar",
+	  "at-entry": {
+              "stored-in": "register",
+              "register": "R0"
+          },
+          "at-exit": {
+              "stored-in": "register",
+	      "register": "R12"
+          }}
+     ]
+    }
+  ]
+}