Open source binary analysis tools.
Go to file
Tristan Ravitch cfcc1fc0d4 Update to the latest macaw-symbolic
There was some API churn, mostly a few renames and new modules.
2019-01-10 18:23:19 -08:00
doc Documentation updates 2018-05-21 17:53:01 -07:00
macaw-arm [macaw-arm] Add test semigroup import for GHC 8.2. 2018-12-14 15:54:20 -08:00
macaw-ppc Finish porting macaw-ppc to use the unified PPC architecture tag 2019-01-08 13:27:40 -08:00
macaw-ppc-symbolic Update to the latest macaw-symbolic 2019-01-10 18:23:19 -08:00
macaw-semmc Update to the latest macaw-symbolic 2019-01-10 18:23:19 -08:00
submodules Update to the latest macaw-symbolic 2019-01-10 18:23:19 -08:00
.gitignore Update gitignore 2019-01-08 13:37:55 -08:00
.gitmodules Update to use macaw-loader for uniform binary loading. 2018-10-29 15:51:42 -07:00
cabal.project.dist Add macaw-ppc-symbolic to cabal.project 2018-11-27 13:57:20 -08:00
README.org Move stack.yaml to stack-ghc-8.2.yaml 2018-10-30 16:16:16 -07:00
stack-ghc-8.2.yaml Move stack.yaml to stack-ghc-8.2.yaml 2018-10-30 16:16:16 -07:00

Overview

The high level goal is to write and/or generate architecture-specific backends for macaw based on the semantics discovered by semmc. In particular, we are interested in making macaw-ppc and macaw-arm. We will hand-write some of the code, but we will generate as much as possible automatically. We will read in the semantics files generated by semmc and use Template Haskell to generate a function that transforms machine states according to the learned semantics.

We will implement a base package (macaw-semmc) that provides shared infrastructure for all of our backends; this will include the Template Haskell function to create a state transformer function from learned semantics files.

Repository Layout

  • macaw-semmc contains the architecture-independent components of the translation from semmc semantics into macaw IR.
  • macaw-ppc implements the PowerPC-specific backend of the translation.
  • macaw-ppc-symbolic implements a translation of macaw IR (with PowerPC architecture-specific functions) into Crucible IR, which is suitable for symbolic execution.
  • macaw-arm implements the ARM-specific backend of the translation.

Building

The dependencies of this project that are not available on Hackage are tracked via git submodules. To build with a reasonably modern version of cabal (i.e., one that supports new-build):

 $ git submodule update --init
 $ ln -s cabal.project.dist cabal.project
 $ cabal new-configure
 $ cabal new-build macaw-ppc

To build with stack:

 $ git submodule update --init
 # Choose one of the provided GHC version-specific
 # stack-ghc-<version>.yaml files, e.g. stack-ghc-8.2.yaml.
 $ ln -s stack-ghc-<version>.yaml stack.yaml
 $ stack build

Code dependencies and related packages

  • macaw (binary code discovery)
  • macaw-x86 (x86_64 backend for macaw)
  • semmc (semantics learning and code synthesis)
  • semmc-ppc (PowerPC backend for synthesis)
  • dismantle-tablegen (disassembler infrastructure)
  • dismantle-ppc (PowerPC disassembler)
  • crucible (interface to SMT solvers)
  • parameterized-utils (utilities for working with parameterized types)

Semantics background

The semmc library is designed to learn semantics for machine code instructions. Its output, for each Instruction Set Architecture (ISA), is a directory of files where each file contains a formula corresponding to the semantics for an opcode in the ISA. For example, the ADDI.sem file contains the semantics for the add immediate instruction in PowerPC.

There are functions in semmc for dealing with this representation. Formulas are loaded into a data type called ParameterizedFormula, which contains formula fragments based on the ExprBuilder representation of crucible. This can be thought of as a convenient representation of SMT formulas.

Status

This codebase is a work in progress. PowerPC support (both 32 and 64 bit) is reasonably robust. Support for ARM is ongoing.

License

This code is made available under the BSD3 license and without any support.