3b. Forward Edge Examples - TJAndHisStudents/Griffin-Trace GitHub Wiki

Previous Steps

If you just found your way to this page first, you can view the previous steps before diving into reviewing the Griffin Trace results:

Collecting Parseable Traces

Change your working directory to ./griffin-tests/, then run the annotate-forward-edge.sh bash script.

Annotated Traces

When viewing the traces, you'll receive all of the basic blocks in the order in which they were executed. Lines are also annotated where PLT trampolines and system calls are executed.

Start of trace:

process: tgid=1473, cmd=attack-call.out
thread: tgid=1473, pid=1473
xpage: tgid=1473, base=400000, size=1000
xpage: tgid=1473, base=7ffff7ddc000, size=20000
xpage: tgid=1473, base=7ffff7ffa000, size=2000
xpage: tgid=1473, base=7ffff7bdb000, size=201000
xpage: tgid=1473, base=7ffff7832000, size=3a9000
buffer: pid=1473, size=752
  PSB packet found
  block: 7ffff7ddd190
  block: 7ffff7de0750
  [...]

Identifying system calls in the trace:

  [...]
  block: 7ffff790b619
  syscall: 7ffff790b620
  block: 7ffff790b620
  [...]

Entering main, which calls invalid (the illegal function address). The block for invalid is annotated to mark the control flow violation:

  [...]
  block: 7ffff7853b01
  block: 400530 : main
  block: 40051b : invalid : Forward-Edge Violation
  block: 4003e0
  block: 4003e6
  block: 4003d0
  block: 7ffff7df02f0
  [...]

The reason for this control flow violation is found in the source. When the code is compiled with INVALID defined, the function pointer is redirected to a target the expected program flow never reaches:

/* Call targets for the function pointer. Their bodies are not shown on this
   page; these minimal definitions are assumed so the excerpt compiles. */
int valid(void)   { return 0; }	/* the intended target */
int invalid(void) { return 1; }	/* the unexpected target: reaching it is flagged as a forward-edge violation */

int main()
{
	int (*fp)(void);
#ifdef INVALID	/* build with -DINVALID to select the bad target */
	fp = invalid;
#else
	fp = valid;
#endif
	fp();	/* indirect call: the forward edge that Griffin checks */

	return 0;
}

Ending the program:

  [...]
  block: 7ffff7deb003
  block: 4004c0 : __do_global_dtors_aux
  block: 4004c9
  block: 400440 : deregister_tm_clones
  block: 400470
  block: 4004d2
  block: 7ffff7deb00a
  block: 7ffff7deb013
  block: 7ffff7deb01f
  block: 4005c4 : _fini
  block: 7ffff7deb028
  [...]
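To make the annotated format concrete, here is an added example (not part of the Griffin-Trace project) that parses the trace lines shown above, maps each block address to the xpage region it was executed from, and pulls out every Forward-Edge Violation together with the block that transferred control to it. The trace excerpt embedded in it is constructed from the addresses and symbols on this page.

```python
import re
# Constructed excerpt in the annotated-trace format shown on this page
# (addresses and symbols taken from the attack-call.out trace above).
SAMPLE_TRACE = """\
process: tgid=1473, cmd=attack-call.out
xpage: tgid=1473, base=400000, size=1000
xpage: tgid=1473, base=7ffff7ddc000, size=20000
xpage: tgid=1473, base=7ffff7832000, size=3a9000
buffer: pid=1473, size=752
  PSB packet found
  block: 7ffff7ddd190
  block: 7ffff790b619
  syscall: 7ffff790b620
  block: 7ffff790b620
  block: 400530 : main
  block: 40051b : invalid : Forward-Edge Violation
  block: 4003e0
"""
# Line shapes: "block: <hex>[ : <symbol>[ : <annotation>]]" and "xpage: ... base=<hex>, size=<hex>"
BLOCK_RE = re.compile(r"^\s*block:\s*([0-9a-f]+)(?:\s*:\s*([^:\s]+))?(?:\s*:\s*(.+?))?\s*$")
XPAGE_RE = re.compile(r"^xpage:.*\bbase=([0-9a-f]+), size=([0-9a-f]+)")

def parse_trace(text):
    """Return (cmd, xpages, blocks, syscalls); a block is (addr, symbol, annotation)."""
    cmd, xpages, blocks, syscalls = None, [], [], []
    for line in text.splitlines():
        if line.startswith("process:"):
            cmd = line.split("cmd=", 1)[1].strip()
        elif (m := XPAGE_RE.match(line)):
            xpages.append((int(m[1], 16), int(m[2], 16)))  # (base, size)
        elif (m := BLOCK_RE.match(line)):
            blocks.append((int(m[1], 16), m[2], m[3]))
        elif line.strip().startswith("syscall:"):
            syscalls.append(int(line.split(":", 1)[1], 16))
    return cmd, xpages, blocks, syscalls

def region_of(xpages, addr):
    """Executable page range (base, size) containing addr, or None if not mapped."""
    return next(((b, s) for b, s in xpages if b <= addr < b + s), None)

def violations(text):
    """Each Forward-Edge Violation with the block that transferred control to it."""
    _, xpages, blocks, _ = parse_trace(text)
    found = []
    for i, (addr, sym, note) in enumerate(blocks):
        if note == "Forward-Edge Violation":
            prev = blocks[i - 1] if i else None  # the block executed just before
            found.append({"addr": addr, "symbol": sym, "region": region_of(xpages, addr),
                          "from": (prev[1] or hex(prev[0])) if prev else None})
    return found
```

Running violations(SAMPLE_TRACE) reports the call from main into invalid at 0x40051b, inside the main binary's xpage at base 0x400000.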

Debugging

If you run into any issues with the Griffin traces, you can check the dmesg output for debug information. The expected debug information is provided at Debugging Griffin Trace.