
What is the incidents report for primus-checks doing here? #12

Open
anzosasuke opened this issue Feb 7, 2023 · 6 comments

Comments

@anzosasuke

Trying to check for primus-checks. I gave it the binary with a stack buffer overflow error. Here is the binary
2.zip

And again the incidents I got:
incidents.zip

I am not able to make sense out of it. Did it detect it, or if it did, how do I go about understanding the output? (This is my first time using this tool.)
bap-version = 2.6.0-alpha+7d79f7f
using docker from bap-toolkit.

@ivg
Member

ivg commented Feb 10, 2023

The incidents are reported using the incident observation that looks like this,

(incident <what-happened> <where-it-happened>...)

So you can grep your files for the list of incidents, e.g., in our case we have

(incident (value-was-checked 3 5))
(incident (value-was-checked 6 8))
(incident (value-was-checked 6 12))
(incident (value-was-checked 3 13))
(incident (value-was-checked 14 16))
(incident (value-was-checked 17 19))
(incident (value-was-checked 17 22))
(incident (value-was-checked 14 23))
(incident (value-was-checked 24 26))
(incident (value-was-checked 27 29))
(incident (value-was-checked 30 32))
(incident (value-was-checked 33 35))
(incident (value-was-checked 33 36))
(incident (value-was-checked 30 37))
(incident (value-was-checked 38 40))
(incident (value-was-checked 41 43))
(incident (value-was-checked 86 88))
(incident (value-was-checked 89 91))
(incident (value-was-checked 92 94))
(incident (value-was-checked 95 96))
(incident (value-was-checked 95 98))
(incident (value-was-checked 101 103))
(incident (value-was-checked 92 105))

These are the incidents from the check-value taint analysis and they are actually positive (so they could be ignored; they just show that a value that we marked as potentially harmful was properly validated, and the locations show where it was validated).

Note that the locations are expressed in terms of identifiers and you have to find an incident-location observation with the given id, e.g., for the last incident the first location (that shows where the suspicious value was introduced) is 92, which is,

(incident-location (93
                    (159:11bb 159:11b4 159:11ab 159:11a4 159:119b 159:1194
                     159:118b 159:1184 159:117b 159:1174 159:116b 159:1164
                     159:1b5d 159:1b44 159:1af4 159:1ac5)))

The general form is,

(incident-location (<location-id> <backtrace> ))

The backtrace is a sequence of basic block addresses prefixed by the path number, e.g., 159:11bb means the basic block at address 0x11bb while executing path 159 (paths are called machines in Primus in tribute to the Non-deterministic Turing Machine, see the machine-fork and machine-switch observations).

Finally, you might want to know what the names for the incidents are and what the locations mean. Well, it depends on each particular analysis. It looks like you're actually interested in the memcheck analysis, which is defined here:

;;; Incidents:
;;; - (incident double-release acquire release release)
;;;   reported when the same memory region is released twice;
;;;   reported when a region that was never acquired is released;
;;; - (incident use-after-release acquire release use)
;;;   reported when a memory access operation occurs on a memory
;;;   region that was released

And, as usual with documentation, it is outdated as it misses one more incident that it detects,

 'memcheck-out-of-bound alloc1-location alloc2-location problem-location

To summarize, the memcheck analysis detects UAF/DF and some out-of-bounds for heap allocated values. It doesn't do any stack analysis, so it won't be able to detect a stack buffer overflow.
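The two observation shapes described above, `(incident (<what-happened> <location-id>...))` and `(incident-location (<location-id> (<machine>:<hex-addr> ...)))`, are easy to cross-reference mechanically instead of by grep. The following is an added example, not code from bap-toolkit or from anyone in this thread: a small Python parser that reads an incidents file, resolves every location id to its backtrace, decodes each `machine:addr` frame, and separates benign `value-was-checked` incidents from the memcheck findings. The sample input is constructed to match the format shown in the thread (the ids and addresses are made up, and id 8 is deliberately left without an incident-location to show how an unresolved id is reported).

```python
"""Parse a Primus incidents file and resolve location ids to backtraces.

Added example; not part of bap-toolkit. The observation shapes follow the
thread:
  (incident (<what-happened> <location-id>...))
  (incident-location (<location-id> (<machine>:<hex-addr> ...)))
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample, not a real incidents file. Location id 8 has no
# incident-location on purpose, to exercise the unresolved-id path.
SAMPLE = """
(incident (value-was-checked 92 105))
(incident (memcheck-out-of-bound 3 5 7))
(incident (use-after-release 3 5 8))
(incident-location (92
                    (159:11bb 159:11b4 159:1b5d 159:1ac5)))
(incident-location (105 (159:1200 159:11bb 159:1b5d)))
(incident-location (3 (12:1189)))
(incident-location (5 (12:11a0 12:1189)))
(incident-location (7 (12:11c4 12:1189)))
"""

# Incident kinds that record a successful validation rather than a bug
# (per the thread, value-was-checked is a positive result).
BENIGN = {"value-was-checked"}

_TOKEN = re.compile(r"\(|\)|[^\s()]+")


def parse_sexps(text):
    """Parse the whole file into nested lists of atoms (strings)."""
    stack = [[]]
    for tok in _TOKEN.findall(text):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unexpected ')'")
            node = stack.pop()
            stack[-1].append(node)
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return stack[0]


@dataclass(frozen=True)
class Frame:
    machine: int  # Primus machine (path) number
    addr: int     # basic block address


def parse_backtrace(items):
    """Turn ['159:11bb', ...] into Frame objects."""
    frames = []
    for item in items:
        machine, addr = item.split(":", 1)
        frames.append(Frame(int(machine), int(addr, 16)))
    return frames


def load_incidents(text):
    """Return (incidents, locations): a list of (what, [ids]) and id -> backtrace."""
    incidents = []
    locations = {}
    for sexp in parse_sexps(text):
        if not isinstance(sexp, list) or not sexp:
            continue
        if sexp[0] == "incident":
            what, *ids = sexp[1]
            incidents.append((what, [int(i) for i in ids]))
        elif sexp[0] == "incident-location":
            loc_id, trace = sexp[1]
            locations[int(loc_id)] = parse_backtrace(trace)
    return incidents, locations


def resolve(incidents, locations):
    """Attach a backtrace to every id; None marks an id with no incident-location."""
    return [(what, [locations.get(i) for i in ids]) for what, ids in incidents]


def summarize(text):
    """Count incidents by kind and list those that are actual findings."""
    incidents, _ = load_incidents(text)
    counts = Counter(what for what, _ in incidents)
    findings = [(what, ids) for what, ids in incidents if what not in BENIGN]
    return counts, findings


def format_frame(frame):
    return f"machine {frame.machine} @ {frame.addr:#x}"


if __name__ == "__main__":
    incidents, locations = load_incidents(SAMPLE)
    for what, traces in resolve(incidents, locations):
        print(what)
        for trace in traces:
            print("   ", "<unresolved>" if trace is None else
                  " -> ".join(format_frame(f) for f in trace))
```

Run it on a real incidents file by replacing `SAMPLE` with the file contents; the memcheck kinds listed in the documentation comment (`double-release`, `use-after-release`, `memcheck-out-of-bound`) land in `findings`, while the taint-check confirmations are only counted.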

@anzosasuke
Author

Thanks so much @ivg

@anzosasuke
Author

@ivg so, I am actually trying to detect and evaluate BAP with BAP-toolkit using the different checks. In the incidents, I do not get any incidents on the Juliet test suite for use-after-free as well.

The command I am using is using --recipe=use-after-free. There are no incidents of that whatsoever. Does that mean this didn't detect any use-after-free in those benchmark suites??

Also these

```
(incident (value-was-checked 6 8))
(incident (value-was-checked 6 12))
```

I didn't get these anywhere..

Furthermore, I got these errors when I was running the checks for one of the binaries.

```
[00:00:00]  disassemble: 100% (5/5)
[00:02:08]  primus-greedy:  99% (820/825)
[00:02:09]  primus-mark-visited:  17% (1292/7304)
[00:02:13]  run:   0% (0/1)
[00:02:08]   multi-task-job:  13% (144/1095)
The pass "run" failed with:
Bitvector.extract: len 0 is negative
```

xz_s.zip

@ivg
Member

ivg commented Feb 10, 2023

The bitvector extract issue is definitely a bug; can you please create a separate issue on bap's issue tracker?

> The command I am using is using --recipe=use-after-free. There are no incidents of that whatsoever. Does that mean this didn't detect any use-after-free in those benchmark suites??

When I was developing this check I got 100% detection rate if I exclude C++. So something is very fishy going on here. Can you provide more information, e.g., the resulting binaries, log files, etc?

@anzosasuke
Author

Oh, I'm sorry about putting the primus-checks report here. But it was the same error for both the checks, use-after-free and primus-checks. I will send it to you ASAP after I reach home. Thanks @ivg

@anzosasuke
Author

Yes, I have added an issue on bap about it. #1579

About the Juliet test suite, here are the codes for UAF. NPD works fine but not use-after-free.
link

And also here is the incidents for the UAF and log files.
incident
incident.zip
Binary
CWE416_Use_After_Free__malloc_free_long_01.zip
log file
log.zip

Please let me know if you need anything else
