-
Notifications
You must be signed in to change notification settings - Fork 18
/
analysis.yaml
95 lines (87 loc) · 3.56 KB
/
analysis.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
# Heap analysis configuration file
# Use global config as base
#global_config: ./analysis.yaml
#############################
# zoo-gen settings #
#############################
# Create files or just show the amount of permutations
create_files: True
# Specify the write_target's size in qwords (controlled memory where you want to write to for arb. write)
wtarget_size: 4
# Symbolic bytes in sim_data used for fake_free, etc... (default: 0x20)
sym_data_size: 0x20
# FD for memory corruptions:
mem_corruption_fd: 3
# Specify the number of actions in one zoo case
zoo_depth: 7
# Specify the zoo actions out of (malloc, free, overflow, uaf, fake_free, double_free, single_bitflip, arb_relative_write)
# Syntax: action:count (count sets the max. occurrences of the action per binary, -1 means zoo_depth)
zoo_actions: {malloc: -1, free: -1, overflow: -1, fake_free: -1, double_free: -1, arb_relative_write: -1, single_bitflip: -1}
# Specify the location to store your zoo
zoo_dir: /tmp/zoo_dir
# Enable additional malloc hardening for glibc (disable, enable, pedantic)
mcheck: disable
# Path to shared lib implementing the c-allocator API ("default" for using the libc)
allocator: ./libc.so.6
libc: ./libc.so.6
loader: ld-linux-x86-64.so.2
#############################
# analysis settings #
#############################
# Specify the distinct malloc sizes; run identify_libc to identify the libc-binsizes
malloc_sizes: [20, 200, 2000]
# Specify the overflow sizes starting from prev_size
overflow_sizes: [9, 12]
# Specify stdin should be pre-constrained
input_pre_constraint: False
# Specify stdin value-range (any, ascii, printable, alphanumeric, letters, zero-bytes)
input_values: any
# Specify a chunk's header size
header_size: 32
# Specify the offset between the user's memory and the start of the chunk
mem2chunk_offset: 16
# Chunk fill size (number of byte read into each chunk when allocated): zero, header_size, chunk_size, <numeric value in bytes>
chunk_fill_size: zero
# Set log_level (DEBUG, INFO, ERROR)
log_level: INFO
# Specify vulnerabilities to detect: arbitrary write, allocations over already allocated memory, allocations over non-
# heap-memory, freeing of fake chunks
vulns: [arb_write, overlap_alloc, bad_alloc]
store_desc: True
fix_loader_problem: False
#############################
# memory performance #
#############################
# Set Memory limiter (Makes sure you don't run out of memory. Highly recommended!)
use_mem_limiter: True
# Set the memory limit in GB
mem_limit: 30
# Set spiller (spill states to disk in order to save memory)
spiller: False
spiller_conf: {min: 1, max: 2, staging_min: 1, staging_max: 2}
# Specify if states should be split on allocations sizes or "ored" instead:
state_split_sizes: False
# Drop errored states (e.g. SegFaults)
drop_errored: True
#############################
# solver performance #
#############################
# Set DFS (depth-first explorations)
use_dfs: True
# Set VSA (value-set analysis)
use_vsa: False
# Set Veritesting (DSE+SSE)
use_veritesting: False
# Stop exploration as soon as a vuln state is found. Do not explore the whole space!
stop_found: False
# Stop found for fake_frees, exploration is pretty expensive on those
filter_fake_frees: True
# Set Concretizer (Tries to concretize symbolic values asap)
use_concretizer: False
#############################
# pocs-gen settings #
#############################
# Define where to store the proof-of-concept c-files
pocs_path: ./pocs
# Results may contain symbolic values which allow for multiple solutions, specify how many solutions you want to get
num_results: 1