diff --git a/Makefile.in b/Makefile.in index c12be3e6..e74bd531 100644 --- a/Makefile.in +++ b/Makefile.in @@ -164,7 +164,8 @@ am_src_libbreakpad_la_OBJECTS = src/processor/basic_code_modules.lo \ src/processor/stackwalker_ppc.lo \ src/processor/stackwalker_sparc.lo \ src/processor/stackwalker_x86.lo src/processor/tokenize.lo \ - src/processor/udp_network.lo + src/processor/udp_network.lo \ + src/processor/exploitability.lo src_libbreakpad_la_OBJECTS = $(am_src_libbreakpad_la_OBJECTS) @SELFTEST_TRUE@am__EXEEXT_1 = \ @SELFTEST_TRUE@ src/processor/stackwalker_selftest$(EXEEXT) @@ -258,7 +259,8 @@ src_processor_minidump_processor_unittest_DEPENDENCIES = \ src/processor/stackwalker_arm.lo \ src/processor/stackwalker_ppc.lo \ src/processor/stackwalker_sparc.lo \ - src/processor/stackwalker_x86.lo src/processor/tokenize.lo + src/processor/stackwalker_x86.lo src/processor/tokenize.lo \ + src/processor/exploitability.lo am_src_processor_minidump_stackwalk_OBJECTS = \ src/processor/minidump_stackwalk.$(OBJEXT) src_processor_minidump_stackwalk_OBJECTS = \ @@ -279,7 +281,8 @@ src_processor_minidump_stackwalk_DEPENDENCIES = \ src/processor/stackwalker_ppc.lo \ src/processor/stackwalker_sparc.lo \ src/processor/stackwalker_x86.lo src/processor/tokenize.lo \ - src/processor/udp_network.lo + src/processor/udp_network.lo \ + src/processor/exploitability.lo am_src_processor_minidump_unittest_OBJECTS = src/common/src_processor_minidump_unittest-test_assembler.$(OBJEXT) \ src/processor/src_processor_minidump_unittest-minidump_unittest.$(OBJEXT) \ src/processor/src_processor_minidump_unittest-synth_minidump.$(OBJEXT) \ @@ -312,7 +315,8 @@ src_processor_network_source_line_resolver_server_unittest_DEPENDENCIES = \ src/processor/stackwalker_ppc.lo \ src/processor/stackwalker_sparc.lo \ src/processor/stackwalker_x86.lo src/processor/tokenize.lo \ - src/processor/udp_network.lo + src/processor/udp_network.lo \ + src/processor/exploitability.lo am_src_processor_network_source_line_resolver_unittest_OBJECTS = src/processor/src_processor_network_source_line_resolver_unittest-network_source_line_resolver_unittest.$(OBJEXT) \ src/testing/gtest/src/src_processor_network_source_line_resolver_unittest-gtest-all.$(OBJEXT) \ src/testing/src/src_processor_network_source_line_resolver_unittest-gmock-all.$(OBJEXT) @@ -674,6 +678,7 @@ src_libbreakpad_la_SOURCES = \ src/google_breakpad/processor/stackwalker.h \ src/google_breakpad/processor/symbol_supplier.h \ src/google_breakpad/processor/system_info.h \ + src/google_breakpad/processor/exploitability.h \ src/processor/address_map-inl.h \ src/processor/address_map.h \ src/processor/basic_code_module.h \ @@ -721,7 +726,8 @@ src_libbreakpad_la_SOURCES = \ src/processor/tokenize.cc \ src/processor/tokenize.h \ src/processor/udp_network.cc \ - src/processor/udp_network.h + src/processor/udp_network.h \ + src/processor/exploitability.cc check_SCRIPTS = \ src/processor/minidump_dump_test \ @@ -855,7 +861,8 @@ src_processor_minidump_processor_unittest_LDADD = \ src/processor/stackwalker_ppc.lo \ src/processor/stackwalker_sparc.lo \ src/processor/stackwalker_x86.lo \ - src/processor/tokenize.lo + src/processor/tokenize.lo \ + src/processor/exploitability.lo src_processor_minidump_unittest_SOURCES = \ src/common/test_assembler.cc \ @@ -930,7 +937,8 @@ src_processor_network_source_line_resolver_server_unittest_LDADD = \ src/processor/stackwalker_sparc.lo \ src/processor/stackwalker_x86.lo \ src/processor/tokenize.lo \ - src/processor/udp_network.lo + src/processor/udp_network.lo \ + src/processor/exploitability.lo src_processor_network_source_line_server_unittest_SOURCES = \ src/processor/network_source_line_server_unittest.cc \ @@ -987,7 +995,8 @@ src_processor_stackwalker_selftest_LDADD = \ src/processor/stackwalker_ppc.lo \ src/processor/stackwalker_sparc.lo \ src/processor/stackwalker_x86.lo \ - src/processor/tokenize.lo + src/processor/tokenize.lo \ + src/processor/exploitability.lo src_processor_stackwalker_amd64_unittest_SOURCES = \ src/common/test_assembler.cc \ @@ -1100,7 +1109,8 @@ src_processor_minidump_stackwalk_LDADD = \ src/processor/stackwalker_sparc.lo \ src/processor/stackwalker_x86.lo \ src/processor/tokenize.lo \ - src/processor/udp_network.lo + src/processor/udp_network.lo \ + src/processor/exploitability.lo src_processor_source_daemon_SOURCES = \ src/processor/source_daemon.cc @@ -1863,6 +1873,8 @@ mostlyclean-compile: -rm -f src/processor/cfi_frame_info.$(OBJEXT) -rm -f src/processor/cfi_frame_info.lo -rm -f src/processor/contained_range_map_unittest.$(OBJEXT) + -rm -f src/processor/exploitability.$(OBJEXT) + -rm -f src/processor/exploitability.lo -rm -f src/processor/logging.$(OBJEXT) -rm -f src/processor/logging.lo -rm -f src/processor/minidump.$(OBJEXT) diff --git a/src/google_breakpad/processor/exploitability.h b/src/google_breakpad/processor/exploitability.h new file mode 100644 index 00000000..41ca551c --- /dev/null +++ b/src/google_breakpad/processor/exploitability.h @@ -0,0 +1,72 @@ +// Copyright (c) 2010 Google Inc. +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions are +// met: +// +// * Redistributions of source code must retain the above copyright +// notice, this list of conditions and the following disclaimer. +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following disclaimer +// in the documentation and/or other materials provided with the +// distribution. +// * Neither the name of Google Inc. nor the names of its +// contributors may be used to endorse or promote products derived from +// this software without specific prior written permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +// exploitability_engine.h: Generic exploitability engine. +// +// The Exploitability class is an abstract base class providing common +// generic methods that apply to exploitability engines for specific platforms. +// Specific implementations will extend this class by providing run +// methods to fill in the exploitability_ enumeration of the ProcessState +// for a crash. +// +// Author: Cris Neckar + +#ifndef GOOGLE_BREAKPAD_PROCESSOR_EXPLOITABILITY_H_ +#define GOOGLE_BREAKPAD_PROCESSOR_EXPLOITABILITY_H_ + +#include "google_breakpad/common/breakpad_types.h" +#include "google_breakpad/processor/minidump.h" +#include "google_breakpad/processor/process_state.h" + +namespace google_breakpad { + +class Exploitability { + public: + virtual ~Exploitability() {} + + static Exploitability *ExploitabilityForPlatform(Minidump *dump, + ProcessState *process_state); + + ExploitabilityRating CheckExploitability(); + + protected: + Exploitability(Minidump *dump, + ProcessState *process_state); + + private: + virtual ExploitabilityRating CheckPlatformExploitability() = 0; + + Minidump *dump_; + ProcessState *process_state_; + SystemInfo *system_info_; +}; + +} // namespace google_breakpad + +#endif // GOOGLE_BREAKPAD_PROCESSOR_EXPLOITABILITY_H_ diff --git a/src/google_breakpad/processor/minidump_processor.h b/src/google_breakpad/processor/minidump_processor.h index 8779b962..384c60c1 100644 --- a/src/google_breakpad/processor/minidump_processor.h +++ b/src/google_breakpad/processor/minidump_processor.h @@ -94,6 +94,14 @@ class MinidumpProcessor { // implementation of the SymbolSupplier abstract base class. MinidumpProcessor(SymbolSupplier *supplier, SourceLineResolverInterface *resolver); + + // Initializes the MinidumpProcessor with the option of + // enabling the exploitability framework to analyze dumps + // for probable security relevance. + MinidumpProcessor(SymbolSupplier *supplier, + SourceLineResolverInterface *resolver, + bool enable_exploitability); + ~MinidumpProcessor(); // Processes the minidump file and fills process_state with the result. @@ -149,6 +157,11 @@ class MinidumpProcessor { private: SymbolSupplier *supplier_; SourceLineResolverInterface *resolver_; + + // This flag enables the exploitability scanner which attempts to + // guess how likely it is that the crash represents an exploitable + // memory corruption issue. + bool enable_exploitability_; }; } // namespace google_breakpad diff --git a/src/google_breakpad/processor/process_state.h b/src/google_breakpad/processor/process_state.h index 23014227..f3f2ec42 100644 --- a/src/google_breakpad/processor/process_state.h +++ b/src/google_breakpad/processor/process_state.h @@ -48,6 +48,42 @@ using std::vector; class CallStack; class CodeModules; +enum ExploitabilityRating { + EXPLOITABILITY_HIGH, // The crash likely represents + // a exploitable memory corruption + // vulnerability. + + EXPLOITABLITY_MEDIUM, // The crash appears to corrupt + // memory in a way which may be + // exploitable in some situations. + + EXPLOITABILITY_LOW, // The crash either does not corrupt + // memory directly or control over + // the effected data is limited. The + // issue may still be exploitable + // on certain platforms or situations. + + EXPLOITABILITY_INTERESTING, // The crash does not appear to be + // directly exploitable. However it + // represents a condition which should + // be furthur analyzed. + + EXPLOITABILITY_NONE, // The crash does not appear to represent + // an exploitable condition. + + EXPLOITABILITY_NOT_ANALYZED, // The crash was not analyzed for + // exploitability because the engine + // was disabled. + + EXPLOITABILITY_ERR_NOENGINE, // The supplied minidump's platform does + // not have a exploitability engine + // associated with it. + + EXPLOITABILITY_ERR_PROCESSING // An error occured within the + // exploitability engine and no rating + // was calculated. +}; + class ProcessState { public: ProcessState() : modules_(NULL) { Clear(); } @@ -69,6 +105,7 @@ class ProcessState { } const SystemInfo* system_info() const { return &system_info_; } const CodeModules* modules() const { return modules_; } + ExploitabilityRating exploitability() const { return exploitability_; } private: // MinidumpProcessor is responsible for building ProcessState objects. @@ -119,6 +156,11 @@ class ProcessState { // The modules that were loaded into the process represented by the // ProcessState. const CodeModules *modules_; + + // The exploitability rating as determined by the exploitability + // engine. When the exploitability engine is not enabled this + // defaults to EXPLOITABILITY_NONE. + ExploitabilityRating exploitability_; }; } // namespace google_breakpad diff --git a/src/processor/exploitability.cc b/src/processor/exploitability.cc new file mode 100644 index 00000000..74810e70 --- /dev/null +++ b/src/processor/exploitability.cc @@ -0,0 +1,89 @@ +// Copyright (c) 2010 Google Inc. +// All rights reserved. +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions are +// met: +// +// * Redistributions of source code must retain the above copyright +// notice, this list of conditions and the following disclaimer. +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following disclaimer +// in the documentation and/or other materials provided with the +// distribution. +// * Neither the name of Google Inc. nor the names of its +// contributors may be used to endorse or promote products derived from +// this software without specific prior written permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +// exploitability_engine.cc: Generic exploitability engine. +// +// See exploitable_engine.h for documentation. +// +// Author: Cris Neckar + + +#include + +#include "google_breakpad/processor/exploitability.h" +#include "google_breakpad/processor/minidump.h" +#include "google_breakpad/processor/process_state.h" +#include "processor/logging.h" +#include "processor/scoped_ptr.h" + +namespace google_breakpad { + +Exploitability::Exploitability(Minidump *dump, + ProcessState *process_state) + : dump_(dump), + process_state_(process_state) {} + +ExploitabilityRating Exploitability::CheckExploitability() { + return CheckPlatformExploitability(); +} + +Exploitability *Exploitability::ExploitabilityForPlatform( + Minidump *dump, + ProcessState *process_state) { + Exploitability *platform_exploitability = NULL; + MinidumpSystemInfo *minidump_system_info = dump->GetSystemInfo(); + if (!minidump_system_info) + return NULL; + + const MDRawSystemInfo *raw_system_info = + minidump_system_info->system_info(); + if (!raw_system_info) + return NULL; + + switch (raw_system_info->platform_id) { + case MD_OS_WIN32_NT: + case MD_OS_WIN32_WINDOWS: + case MD_OS_UNIX: + case MD_OS_MAC_OS_X: + case MD_OS_LINUX: + case MD_OS_SOLARIS: + default: { + platform_exploitability = NULL; + break; + } + } + + BPLOG_IF(ERROR, !platform_exploitability) << + "No Exploitability module for platform: " << + process_state->system_info()->os; + return platform_exploitability; +} + +} // namespace google_breakpad + diff --git a/src/processor/minidump_processor.cc b/src/processor/minidump_processor.cc index b090ecbd..057b342d 100644 --- a/src/processor/minidump_processor.cc +++ b/src/processor/minidump_processor.cc @@ -35,6 +35,7 @@ #include "google_breakpad/processor/call_stack.h" #include "google_breakpad/processor/minidump.h" #include "google_breakpad/processor/process_state.h" +#include "google_breakpad/processor/exploitability.h" #include "processor/logging.h" #include "processor/scoped_ptr.h" #include "processor/stackwalker_x86.h" @@ -43,7 +44,15 @@ namespace google_breakpad { MinidumpProcessor::MinidumpProcessor(SymbolSupplier *supplier, SourceLineResolverInterface *resolver) - : supplier_(supplier), resolver_(resolver) { + : supplier_(supplier), resolver_(resolver), + enable_exploitability_(false) { +} + +MinidumpProcessor::MinidumpProcessor(SymbolSupplier *supplier, + SourceLineResolverInterface *resolver, + bool enable_exploitability) + : supplier_(supplier), resolver_(resolver), + enable_exploitability_(enable_exploitability) { } MinidumpProcessor::~MinidumpProcessor() { @@ -230,6 +239,22 @@ ProcessResult MinidumpProcessor::Process( process_state->requesting_thread_ = -1; } + // Exploitability defaults to EXPLOITABILITY_NOT_ANALYZED + process_state->exploitability_ = EXPLOITABILITY_NOT_ANALYZED; + + // If an exploitability run was requested we perform the platform specific + // rating. + if (enable_exploitability_) { + scoped_ptr exploitability( + Exploitability::ExploitabilityForPlatform(dump, process_state)); + // The engine will be null if the platform is not supported + if (exploitability != NULL) { + process_state->exploitability_ = exploitability->CheckExploitability(); + } else { + process_state->exploitability_ = EXPLOITABILITY_ERR_NOENGINE; + } + } + BPLOG(INFO) << "Processed " << dump->path(); return PROCESS_OK; } diff --git a/src/processor/minidump_processor_unittest.cc b/src/processor/minidump_processor_unittest.cc index 8fd21fbd..85a60726 100644 --- a/src/processor/minidump_processor_unittest.cc +++ b/src/processor/minidump_processor_unittest.cc @@ -245,6 +245,24 @@ TEST_F(MinidumpProcessorTest, TestSymbolSupplierLookupCounts) { google_breakpad::PROCESS_OK); } +TEST_F(MinidumpProcessorTest, TestExploitilityEngine) { + TestSymbolSupplier supplier; + BasicSourceLineResolver resolver; + MinidumpProcessor processor(&supplier, &resolver, true); + + string minidump_file = string(getenv("srcdir") ? getenv("srcdir") : ".") + + "/src/processor/testdata/minidump2.dmp"; + + ProcessState state; + ASSERT_EQ(processor.Process(minidump_file, &state), + google_breakpad::PROCESS_OK); + + // Test that exploitability module correctly fails to supply + // an engine for this platform + ASSERT_EQ(google_breakpad::EXPLOITABILITY_ERR_NOENGINE, + state.exploitability()); +} + TEST_F(MinidumpProcessorTest, TestBasicProcessing) { TestSymbolSupplier supplier; BasicSourceLineResolver resolver; @@ -315,6 +333,11 @@ TEST_F(MinidumpProcessorTest, TestBasicProcessing) { ASSERT_EQ(state.modules()->GetModuleForAddress(0x77d43210)->version(), "5.1.2600.2622"); + // Test that disabled exploitability engine defaults to + // EXPLOITABILITY_NOT_ANALYZED. + ASSERT_EQ(google_breakpad::EXPLOITABILITY_NOT_ANALYZED, + state.exploitability()); + // Test that the symbol supplier can interrupt processing state.Clear(); supplier.set_interrupt(true);