This Week in Falcon - 22 Jul 2017

Falcon is a Binary Analysis Framework in Rust.

Changes

• Finished translating enough instructions to lift libc (caveat floating point instructions).
• Floating point instructions emit a Raise operation. The expression is a 1-bit scalar named “fp_not_supported”.
• Implemented segment registers. There are two scalars for each segment register. For example, the fs register has fs:0x16 and fs_base:0x32.
• ElfLinker is a linker which resolves DT_NEEDED dependencies. Relocations are not yet implemented, so ElfLinker is not complete.

Issues identified

• There is a clone() called in EngineDriver::step() which is taking >90% of execution time.

Important initialization information

    let stack_address : u64 = 0xb0000000;
    let stack_size : u64 = 0x10000;
    let initial_stack_pointer : u64 = 0xb0000000 - 0x1000;

Elf shared objects are linked starting at 0x84000000.

DF set to 0x0.

fs_base set to 0xbf000000 and gs_base set to 0xbf008000, and 0x10000 bytes are allocated starting at 0xbf000000.

Other things learned across the Internet

• Initial values for segment register in Linux
• Routersploit on phones now (God help us all)
• Ten process injection techniques
• This classic Windows generic shellcoding tutorial that I’ve used before, but am bookmarking for posterity.
• A survey of symbolic execution techniques
• Wireguard Protocol Formal Verification
• Accessing and Modifying Upper Bits in x86 and x64 Registers
• SeaHorn - A verification framework.
• Daniel P. Clark blog 6ft Dan spoke this week at Rust DC, and deserves an honorary link.