This Week in Falcon - 29 Jul 2017


Falcon is a Binary Analysis Framework in Rust.

Roadmap to 0.1.0.

I’ve created a 0.1.0 milestone. This will track all of the less-exciting things that I believe should happen before 0.1.0 as they come up. The big things are:

  1. We can symbolically execute over the simple-0 example.
  2. We have some concept of “Platform”, of which “Linux”, “CGC”, and perhaps “Windows” may be supported.

Once these things work, I will have confidence enough in the IL and x86 translator to move to 0.1.0. The data-flow analysis/fixed-point engine will most likely change drastically between 0.1.0 and 0.2.0, but the IL and translator should be stable enough for me to support it.

List of new additions/changes/fixes.

Non-Falcon things learned/found

Manticore allows for symbolic addresses on memory stores

As shown here. It looks like Manticore solves for up to 0x1000 possible addresses, checks whether any of them is out of bounds (which would be a crash), and if none is, adds the value being stored to the set of possible values at each of those memory locations.

This is interesting, as KLEE concretizes addresses for both reads and stores, MAYHEM concretizes addresses for stores (but allows symbolic addresses on reads), and angr follows MAYHEM’s model. While there most likely is another binary symbolic execution engine that allows symbolic addresses on stores, I don’t know of it.
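To make the policy difference concrete, here is an added example (my own toy model, not Falcon’s or Manticore’s code) of a value-set memory with two store policies: concretize-on-store, as KLEE and MAYHEM do, and write-to-every-feasible-address with an out-of-bounds check and a solution cap, as the Manticore behaviour is described above. The address set stands in for the solver’s solutions of a symbolic address expression; the 0x1000 cap, the mapped memory range, the initial cell contents and all names are assumptions made for the example.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// Cap on how many concrete solutions a symbolic store address may have before
/// the engine refuses to enumerate them (0x1000 is the figure quoted for Manticore).
pub const MAX_STORE_ADDRESSES: usize = 0x1000;

#[derive(Debug, PartialEq)]
pub enum StoreError {
    /// At least one feasible address falls outside mapped memory: a crashing path.
    OutOfBounds(u64),
    /// The address has more solutions than we are willing to enumerate.
    TooManyAddresses(usize),
    /// The address constraint is unsatisfiable.
    NoFeasibleAddress,
}

#[derive(Debug, Clone, Copy)]
pub enum StorePolicy {
    /// KLEE / MAYHEM style: pick one feasible address and write only there.
    Concretize,
    /// Manticore style (as described above): the value may land at any feasible
    /// address, so every candidate cell gains it as a possible value.
    AllFeasible,
}

/// Toy value-set memory: each address maps to the set of values it may hold.
/// Constructed model for illustration; not Falcon's or Manticore's memory.
#[derive(Debug, Default)]
pub struct SymMemory {
    cells: BTreeMap<u64, BTreeSet<u64>>,
    /// Mapped range [lo, hi); anything outside is out of bounds.
    lo: u64,
    hi: u64,
}

impl SymMemory {
    pub fn new(lo: u64, hi: u64) -> Self {
        SymMemory { cells: BTreeMap::new(), lo, hi }
    }

    /// Store `value` at a symbolic address whose feasible concrete solutions are
    /// `addrs` (standing in for what an SMT solver would enumerate).
    pub fn store(&mut self, addrs: &BTreeSet<u64>, value: u64, policy: StorePolicy)
        -> Result<(), StoreError>
    {
        if addrs.is_empty() {
            return Err(StoreError::NoFeasibleAddress);
        }
        if addrs.len() > MAX_STORE_ADDRESSES {
            return Err(StoreError::TooManyAddresses(addrs.len()));
        }
        // Any out-of-bounds solution means the store can fault on some path,
        // so report it rather than silently writing.
        if let Some(&bad) = addrs.iter().find(|&&a| a < self.lo || a >= self.hi) {
            return Err(StoreError::OutOfBounds(bad));
        }
        match policy {
            StorePolicy::Concretize => {
                // Pick the smallest solution; a real engine would take one solver
                // model and add `addr == chosen` to the path constraints.
                let chosen = *addrs.iter().next().unwrap();
                self.cells.insert(chosen, BTreeSet::from([value]));
            }
            StorePolicy::AllFeasible => {
                // Old contents stay possible (the store may have gone elsewhere)
                // and `value` becomes possible too, at every candidate cell.
                for &a in addrs {
                    self.cells.entry(a).or_default().insert(value);
                }
            }
        }
        Ok(())
    }

    /// Set of values a cell may hold; never-written cells are modelled as empty.
    pub fn load(&self, addr: u64) -> BTreeSet<u64> {
        self.cells.get(&addr).cloned().unwrap_or_default()
    }
}

/// Run the same two-address symbolic store under both policies and return what
/// 0x10 and 0x14 may hold afterwards, as ((conc_0x10, conc_0x14), (all_0x10, all_0x14)).
pub fn compare_policies() -> ((BTreeSet<u64>, BTreeSet<u64>), (BTreeSet<u64>, BTreeSet<u64>)) {
    let sym_addr = BTreeSet::from([0x10u64, 0x14]); // solver says: address is 0x10 or 0x14
    let mut results = Vec::new();
    for policy in [StorePolicy::Concretize, StorePolicy::AllFeasible] {
        let mut mem = SymMemory::new(0, 0x100);
        // Constructed initial state: each cell holds one known value.
        mem.store(&BTreeSet::from([0x10u64]), 1, StorePolicy::Concretize).unwrap();
        mem.store(&BTreeSet::from([0x14u64]), 2, StorePolicy::Concretize).unwrap();
        mem.store(&sym_addr, 0x41, policy).unwrap();
        results.push((mem.load(0x10), mem.load(0x14)));
    }
    let all = results.pop().unwrap();
    let conc = results.pop().unwrap();
    (conc, all)
}

fn main() {
    let (conc, all) = compare_policies();
    println!("concretize:   0x10 -> {:?}, 0x14 -> {:?}", conc.0, conc.1);
    println!("all-feasible: 0x10 -> {:?}, 0x14 -> {:?}", all.0, all.1);
}
```

Under the concretizing policy the engine commits to 0x10 and loses the path where the write went to 0x14; under the all-feasible policy both cells keep their old value and gain 0x41, which is sound but makes every later load from those cells wider. The out-of-bounds check runs before either policy, so a symbolic address with even one unmapped solution is reported as a possible crash instead of being written.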

cmovcc with 64-bit operands

mov rax, 0x4141414141414141
mov rbx, 0x6565656565656565
cmovc eax, ebx
; with CF clear, rax = 0x00000000_41414141: the 32-bit destination is written
; (and zero-extended) even though the move was not taken

This tidbit of knowledge came from gamozo in the Binary Ninja Slack.
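A translator that lowers cmovcc to a conditional branch around a mov gets exactly this case wrong, so here is an added example (mine, not Falcon’s translator code) that models both lowerings in Rust and runs the three instructions above through each. The function names and the branch-around model are my own; the register values are the ones from the snippet.

```rust
/// Mask for the low 32 bits of a 64-bit register.
const LOW32: u64 = 0xFFFF_FFFF;

/// 64-bit-mode semantics of `cmovcc r32, r/m32`: the destination register is
/// written whether or not the condition holds, and a 32-bit write always
/// zero-extends into the full 64-bit register.
pub fn cmov32(dst: u64, src: u64, cond: bool) -> u64 {
    let chosen = if cond { src } else { dst };
    chosen & LOW32
}

/// A tempting but wrong lowering: "jump around a mov". When the condition is
/// false nothing is written, so the upper 32 bits of `dst` survive.
pub fn cmov32_jump_around(dst: u64, src: u64, cond: bool) -> u64 {
    if cond { src & LOW32 } else { dst }
}

/// The sequence from the post, run through both lowerings with the given CF.
/// Returns (rax under correct semantics, rax under the jump-around lowering).
pub fn post_example(cf: bool) -> (u64, u64) {
    let rax = 0x4141_4141_4141_4141u64; // mov rax, 0x4141414141414141
    let rbx = 0x6565_6565_6565_6565u64; // mov rbx, 0x6565656565656565
    // cmovc eax, ebx
    (cmov32(rax, rbx, cf), cmov32_jump_around(rax, rbx, cf))
}

fn main() {
    for cf in [false, true] {
        let (correct, naive) = post_example(cf);
        println!("CF={}: correct rax = {:#018x}, jump-around rax = {:#018x}", cf, correct, naive);
    }
}
```

With CF set both lowerings agree (rax = 0x65656565); with CF clear the correct model gives 0x41414141 while the branch-around model leaves rax at 0x4141414141414141, which is precisely the discrepancy a symbolic executor built on the wrong lowering would carry into every later computation on rax.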

Other things across the internet

Things I found and plan to check out