Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update Architecture- Generate Bugs on Demand #25

Open
AndrewFasano opened this issue Mar 6, 2019 · 0 comments
Open

Update Architecture- Generate Bugs on Demand #25

AndrewFasano opened this issue Mar 6, 2019 · 0 comments

Comments

@AndrewFasano
Copy link
Contributor

I think LAVA would be more usable if it worked as follows:

  1. Using a config file, lava identifies ATPs and DUAs in a target with a given input file and CLI argument string. We store these in a database, mapping ATPs and DUAs to input file(s) (with corresponding hashes) and CLI args that will lead to these DUAs and ATPs. Running subsequent runs of LAVA on the same input file will do nothing at this step (all DUAs/ATPs should already be found). Running on new input files will append to this database.
  2. When it's time to inject bugs, we combine ATPs and viable DUAs to generate potential bugs. Testing and pruning potential bugs would continue as normal. An option would ensure that, if desired, all injected bugs can be triggered by the same CLI arguments.

The benefits to this are:

  • Smaller database and major performance improvements
  • Easier to update an existing database with new DUAs/ATPs as discovered by subsequent input files.
  • Enables more complex bug-generation logic where we could try combining DUAs and ATPs from different input files (though it may be difficult/impossible to generation solutions to these)

This differs from the current architecture in the following ways:

  • Currently we create bugs in find_bug_injections.cpp as we identify ATPs and DUAs during analysis of a recording. Due to poor database design/configuration, the bulk of this time is spent inserting bugs into the database.
  • While the current system supports conducting taint analysis on multiple input files, it's not easy to add a single new input file to an already built database of DUAs and ATPs.

The major work required here will be to update the database schema, and to split FBI's logic into a ATP/DUA generation phase and then, later, a phase where bugs are "built" out of DUAs and ATPs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant