Syscalls linux32

[Te-k]

Hi,

I have implemented a few more syscalls for Linux 32 (and some generic for Linux 64b too).
I am able to emulate several Linux 32b shellcodes with it, like :

[DEBUG   ]: socket(AF_INET, SOCK_STREAM, 0)
[DEBUG   ]: -> 3
WARNING: address 0x1240000 is not mapped in virtual memory:
[DEBUG   ]: socket_connect(fd, [AF_INET, 1234, 10.2.2.14], 102)
[DEBUG   ]: -> 0
Done

What do you think ?

[serpilliere]

Maybe it's not a good idea to have a default read here. Maybe we can raise an error with pure abstract function, in order to for the user subclass this in order to implements it's own read.
See for example

miasm/miasm/ir/translators/translator.py

Line 50 in 4c2320b

raise NotImplementedError("Abstract method")

The user can subclass its own LinuxEnvironement and set a brand new self.network

[Te-k]

I like the idea, but it seems hard to subclass, it means you have to implement a subclass of FileDescriptorSocket, Network and LinuxEnvironment, and make all this work together, right ?

[serpilliere]

Kind of. It will give something like:

class CustomFileDescriptorSocket(FileDescriptorSocket):
    def read(self, count):
        print("Turlututu")

class CustomNetworking(Networking):
    def socket(self, family, type_, protocol):
        fd = self.linux_env.next_fd()
        fdesc = CustomFileDescriptorSocket(fd, family, type_, protocol)
        self.linux_env.file_descriptors[fd] = fdesc
        return fd


class CustomLinuxEnvironment(LinuxEnvironment):
    def __init__(self):
        super(CustomLinuxEnvironment, self).__init__()
        self.network = CustomNetworking(self)

But maybe there is better: we could modify those classes to have a class variable which embed their needs. For example, for Networking:

class Networking(object):
    """Network abstraction"""

    fd_generator = FileDescriptorSocket
    def __init__(self, linux_env):
        self.linux_env = linux_env

    def socket(self, family, type_, protocol):
        fd = self.linux_env.next_fd()
        fdesc = self.fd_generator(fd, family, type_, protocol)
        self.linux_env.file_descriptors[fd] = fdesc
        return fd

So the "overhead" may just be:

class CustomNetworking(Networking):
    fd_generator = CustomFileDescriptorSocket

But I am not really sure if this is a suitable python pattern.
Or maybe Networking should take it's generator as init argument ?
It's a problem we already face in the SandBox object, which depends on os, arch, ...

@commial @p-l- I am interested if you have some feed on this.

[commial]

I'm not sure this is the same problem than the multiple inheritance of Sandbox. IMHO, it looks like more what we've done in Jitcore with Cgen or SymbExecClass, which reflects your last proposal.

In my opinion, the question is "what we want to provides, and what customization should be reasonably easy to implements?".
I agree with the fact that it should be easy to modify what the socket returns, its state, etc. i'm not sure that the more global Networking part needs that kind of customization possibility.

A pattern we can use would be to provides a kind of "socket factory" (sorry for this word, but it is what it is) that the Network would use to creates its sockets.
It could be a function, taking as input the socket parameters and returning an instance with the socket "interface", ie. a subclass of the socket fd.
It could also be a class, taking as __init__ these parameters, and asked just after for successful creation or not (to keep the possibility to easiliy deny socket creation). I rather prefer the function solution, as it could be easier to return default implementation or several socket families implementation.

This "factory function" is then an attribute of the Networking class, and could be replaced with a dedicated function / property.

If this pattern become more frequent for the Linux kernel stub implementation, we could have a "config-like" class containing several factories functions, or hooks.

What do you think?

[Te-k]

So the socket factory would be an attribute of Network ?

Using it would be something like :

class CustomFileDescriptorSocket(FileDescriptorSocket):
    def read(self, count):
        print("Chapeau pointu")

env = environment.LinuxEnvironment_x86_32()
env.network.socket_class = CustomFileDescriptorSocket

Is that correct ?

[serpilliere]

maybe it's envp_addr here instead of argv_addr?

[Te-k]

Yep

[serpilliere]

Maybe it's envp instead of argv here?

[Te-k]

Also yes

[serpilliere]

Same remarks here for argv

[Te-k]

Damn copy paste

[serpilliere]

Same remarks here for argv_addr

[serpilliere]

Maybe we could really apply the chmod on the file located in the file sandbox file_sb ?

[serpilliere]

Maybe you don't need to set pc to 0 here

[serpilliere]

We could use the current Linux env uid/euid/gid of the linux env here?

[serpilliere]

What about using the socklen instead of a fixed length?

[Te-k]

In some cases, a shellcode would not have a full sockaddr struct but just the needed fields, what I have done in the next commit is getting the socklen and if it fails, I only get the first 8 bytes. Is that an ok trick to have it work ?

[serpilliere]

In fact, maybe we should behave like the kernel does so we will be close to a real environment.
If the kernel is ok with semi structures, maybe your patch is ok.

[Te-k]

I have added a first get_mem for the full structure and fallback to 8 bytes if the memory if not that large, it should be close to what the kernel is doing I guess

[Te-k]

All good points, thanks. I will fix these later this week.

[serpilliere]

Thank you for you PR @Te-k !
If you really want to be sure we won't break anything in the future, maybe we could add a regression test of one of your shellcode (if you can share them, obvisouly), but put it in the https://github.com/cea-sec/miasm-extended-tests repository. Those tests are currently executed by the Miasm travis file.
The reason is simple:
Some times ago, we put a shellcode directly in the main repository, and the travis environment has flagged Miasm as malware and refused to run regression tests.
Maybe we should definitively not commit any shellcode/malware in the main repo, as it may be flagged as malware by PIP or distributions.

Another reason is to not add too many weight to the main repo.

[Te-k]

I have made some fix based on your suggestions, two are still unresolved :

• Whether or not to implement read on sockets
• Should it create a socket on connect ? (not sure why it would)

Just one warning : I have added a change on uid and euid in sys_generic_setreuid and it does not check for privileges to do that, should I implement privileges here ?

Let me know what you think

[Te-k]

And I have added a script in the examples to emulate Linux shellcodes, which is needed to add test cases to miasm-extended-tests

[Te-k]

And here is the PR for the test cea-sec/miasm-extended-tests#1 along with the update of travis config file (I have not tested it but it should be simple enough to work)