vulnerabilities experimentation #42

Open
Jacarte opened this issue Feb 7, 2020 · 12 comments
@Jacarte
Collaborator

Jacarte commented Feb 7, 2020

We have three sources for vulnerabilities experimentation with SLUMPs:

Experiment steps:

1 - Port the vulnerable code to WebAssembly using SLUMPs and collect the original program without optimizations
2 - See if the problem persists in the V8 context (already tested in #7 with emcc)

  • Try to execute in the browser
  • Collect the profiler information from DevTools
  • Execute the same WASM code in SWAM and collect stack and memory traces

3 - Feed SLUMPs with the vulnerable program
4 - Collect variants

  • For each variant: apply step 2

Notes

In the case of the CVEs, we also need to test whether the CVEs related to Binaryen persist after the SLUMPs phase.

Use the dockerized SLUMPs app

For example

docker run -it --rm -v $(pwd)/out:/slumps/src/out  jacarte/slumps:app https://raw.githubusercontent.com/KTH/slumps/master/benchmark_programs/rossetta/valid/no_input/Catalan_numbers.c Catalan_numbers.c
@Jacarte Jacarte added the enhancement New feature or request label Feb 7, 2020
@Jacarte Jacarte changed the title C vulnerable programs experimentation vulnerabilities experimentation Feb 7, 2020
@tareq97-zz

I am trying to run the Catalan_numbers.c example in the dockerized SLUMPs app but am getting the output below. How much time does the LLVM BC to Souper IR candidates stage take?
stuck

@Jacarte
Collaborator Author

Jacarte commented Feb 10, 2020

It can take a while, taking into account that the Souper exploration can be expensive. However, the timeout in this case (second line in your screenshot) is half an hour.

In the experiments that we ran, the time for an answer was 2863.46 seconds.

@tareq97-zz

tareq97-zz commented Feb 14, 2020

@Jacarte I am able to get into the interactive mode using this command (docker run -it --rm -v $(pwd)/out:/out -v $(pwd)/vulnerable_programs/report-web-assembly-memory-safety/c --entrypoint /bin/bash jacarte/slumps:app), but after that, when I try to run the vulnerable program, I get the error below. Am I doing something wrong?

root@5831e19c674c:/slumps/src# python3 slumps.py interger_overflow.c
Traceback (most recent call last):
  File "slumps.py", line 5, in <module>
    from stages import CToLLStage, LLToBC, BCToSouper, ObjtoWASM, WASM2WAT, BCCountCandidates
  File "/slumps/src/stages.py", line 4, in <module>
    from utils import bcolors, Alias, config, createTmpFile, RUNTIME_CONFIG,processCandidatesMetaOutput
  File "/slumps/src/utils.py", line 17, in <module>
    import requests
ModuleNotFoundError: No module named 'requests'
root@5831e19c674c:/slumps/src#

entrypoint

@Jacarte
Collaborator Author

Jacarte commented Feb 14, 2020

Change the Python interpreter to python3.7 instead of python3: python3.7 slumps.py <program>. I will fix it in the doc.

@tareq97-zz

Using [python3.7 slumps.py integer_overflow.c], it gives the error below. The error says No such file or directory: 'interger_overflow.c'
vulnerable

docker run -it --rm -v $(pwd)/out:/out -v $(pwd)/vulnerable_programs/report-web-assembly-memory-safety/c --entrypoint /bin/bash jacarte/slumps:app
In the docker command I have mentioned the vulnerable code path. How should I provide the path for the vulnerable program?

@Jacarte
Collaborator Author

Jacarte commented Feb 14, 2020

Should be something like this:

docker run -it --rm -v $(pwd):/slumps/src/out -v $(pwd)/vulnerable_programs/report-web-assembly-memory-safety/c:/slumps/src --entrypoint /bin/bash jacarte/slumps:app

You are missing the second part for the vulnerabilities volume; therefore, the files are not in the slumps root.

@tareq97-zz

Tried with the latest command. Getting the error below after running slumps.py.

python3.7: can't open file 'slumps.py': [Errno 2] No such file or directory

command
But the good thing is that I am able to see the vulnerable programs list. The only thing I am not getting is how to mount the src/slumps folder so as to run the slumps.py file.

@Jacarte
Collaborator Author

Jacarte commented Feb 14, 2020

Sorry, my mistake: you are overriding the src folder, that's why you are not seeing the script slumps.py. Change the second volume to -v $(pwd)/<vulnerable>:/input or another input folder name. Then you will be able to run python3.7 slumps.py /input/<program>.c

@tareq97-zz

Thanks for the input, Javier. I was able to run it but ran into some issues at C to LLVM IR. Are these expected as we are running the vulnerable code?
expectederror

@Jacarte
Collaborator Author

Jacarte commented Feb 14, 2020

I see... try to remove the EMSCRIPTEN_KEEPALIVE annotation from the C code.

@tareq97-zz

Removed the EMSCRIPTEN code from the file and ran it, but it is giving an error at the LLVM to Souper IR stage. The error is related to redis. Do I need to install and configure the redis db on my system?
reddiserror

@Jacarte
Collaborator Author

Jacarte commented Feb 15, 2020

Changing the entrypoint for the container bypasses the initialization of the redis-server service. To launch it again, run nohup redis-server & in the bash console inside the container.
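
Added example, not part of the thread or of the SLUMPs project: a small shell helper that assembles the `docker run` line the comments above converge on and rejects the two volume mistakes hit along the way (a `-v` with no container path, and a mount that hides `/slumps/src`). The function names are hypothetical; the image name, `/input`, `python3.7` and the `redis-server` step are taken from the comments.

```shell
#!/bin/sh
# Added example (function names are hypothetical, not SLUMPs tooling).
IMAGE="jacarte/slumps:app"   # image used throughout the thread
SRC_DIR="/slumps/src"        # where slumps.py lives inside the image

# check_volume HOST:CONTAINER[:MODE] -> 0 if the mount is usable, 1 otherwise
check_volume() {
    case "$1" in
        *:*) ;;
        *) echo "volume '$1' has no container path" >&2; return 1 ;;
    esac
    target=${1#*:}          # drop the host part
    target=${target%%:*}    # drop an optional mode such as :ro
    target=${target%/}      # ignore a trailing slash
    if [ "$target" = "$SRC_DIR" ]; then
        echo "volume '$1' would hide $SRC_DIR/slumps.py" >&2
        return 1
    fi
    return 0
}

# slumps_shell_cmd VOLUME... -> prints the docker command, or fails on a bad mount
slumps_shell_cmd() {
    args=""
    for vol in "$@"; do
        check_volume "$vol" || return 1
        args="$args -v $vol"
    done
    echo "docker run -it --rm$args --entrypoint /bin/bash $IMAGE"
}

# in_container_steps PROGRAM -> commands to type once inside the container
in_container_steps() {
    # Overriding the entrypoint skips the redis-server start, so do it by hand.
    echo "nohup redis-server &"
    echo "python3.7 slumps.py /input/$1"
}

# Usage with the paths from the thread (host side relative to the current dir).
slumps_shell_cmd "$PWD/out:$SRC_DIR/out" \
    "$PWD/vulnerable_programs/report-web-assembly-memory-safety/c:/input"
in_container_steps integer_overflow.c
```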
