locsec/OPCDE
1
Форкнуть 0
Код Задачи Запросы на слияние Действия Пакеты Проекты Релизы Вики Активность
OPCDE/2017/Security Research and Development with LLVM - Andrew Reiter/projects.md
Matt Suiche 0344c55037 - Moving *.* to 2017\* folder.
2017-08-29 19:34:30 +04:00

302 строки
9.0 KiB
Markdown
Исходник Ответственный История

# Security Related LLVM Projects
Some entries are on the cusp of security and non-security related. Please
submit a pull request (or a friendly email) to add or remove projects. I
highly doubt it is a complete list, so always welcoming additions and/or
corrections. Further, I had thought to break out papers into it's own
section, but decided against it for reasons related to sleep. And even
further... There are some things I just wanted in here for informational
reasons; i.e. they may not be projects. :camel:
## Projects
### AddressSanitizer (ASan)
> Memory error detector for C/C++ finding UAF, buffer overflow,
> UAR, etc
[GitHub](https://github.com/google/sanitizers/wiki/AddressSanitizer)
Note the code in lib/Transform/Instrumentation.
[``AddressSanitizer: A Fast Address Sanity Checker''](https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/37752.pdf)
### American Fuzzy Lop (AFL)
> a security-oriented fuzzer that employs a novel type of compile-time
> instrumentation and genetic algorithms to automatically discover
> clean, interesting test cases that trigger new internal states in the
> targeted binary
http://lcamtuf.coredump.cx/afl
### Andersen's Analysis
[``Program Analysis and Specialization for the C Programming Language''](http://www.cs.cornell.edu/courses/cs711/2005fa/papers/andersen-thesis94.pdf)
[Standalone LLVM impl](https://github.com/grievejia/andersen)
### ASAP (EPFL)
> Analyze runtime checks to balance those that are needed and those that are not
http://dslab.epfl.ch/proj/asap/
### Causal, Adaptive, Distributed, and Efficient Tracing System (CADETS)
> address flaws in current audit and information-flow systems through
> fundamental improvements in dynamic instrumentation, scalable
> distributed tracing, and programming-language support.
http://www.cl.cam.ac.uk/research/security/cadets/
### cclyzer
> A tool for analyzing LLVM bitcode using Datalog.
[GitHub](https://github.com/plast-lab/cclyzer)
### cspgen (Draper)
> Map IR to models in Communicating Sequential Processes (CSP) process calculus.
[GitHub](https://github.com/draperlaboratory/cspgen)
### DangSan (VUSec)
> Dangling pointer detection
[GitHub](https://github.com/vusec/dangsan)
[Paper](http://www.cs.vu.nl/~giuffrida/papers/dangsan_eurosys17.pdf)
### DataFlowSanitizer
> Generalized data flow API
http://clang.llvm.org/docs/DataFlowSanitizerDesign.html
### Divine
> Explicit-state model checker
https://divine.fi.muni.cz
[Thesis](https://is.muni.cz/th/373979/fi_m/thesis.pdf)
### DynamicTools
> This project consists of several useful tool for dealing with LLVM
> IR runtime behaviors. Currently it consists of two parts,
> a custom-written LLVM IR interpreter, and an LLVM IR fuzzer (abandoned).
[GitHub](https://github.com/grievejia/LLVMDynamicTools)
### fdc
> An optimizing decompiler (for reversing)
http://zneak.github.io/fcd/
[GitHub](https://github.com/zneak/fcd)
### FindFlows
https://llvm.org/svn/llvm-project/giri/trunk/lib/Static/FindFlows.cpp
### Foreign Inference
> Auto-generate wrappers for C code for Python etc.
[GitHub](https://github.com/travitch/foreign-inference)
Out of date, someone should revive and build LibFuzzer wrappers
### Fracture (Draper)
> Arch independent decompiler to LLVM IR (ver 3.6)
[GitHub](https://github.com/draperlaboratory/fracture)
### Gist Static Analyzer (EPFL)
> Failure-sketching to help determine reasons for faults
http://dslab.epfl.ch/proj/gist/
[Paper](http://dslab.epfl.ch/pubs/gist.pdf)
### Trail of Bits CGC
[``How we fared in the Cyber Grand Challenge''](https://blog.trailofbits.com/2015/07/15/how-we-fared-in-the-cyber-grand-challenge/)
### Infer (Facebook)
> Compile time static analyzer
http://fbinfer.com/
[GitHub](https://github.com/facebook/infer)
[Infer Clang Plugin](https://github.com/facebook/facebook-clang-plugins/tree/ee26293dd046acc5c2dd862d3201aa9f7dace96a)
### Kryptonite obfuscator
[GitHub](https://github.com/0vercl0k/stuffz/blob/master/llvm-funz/kryptonite/llvm-functionpass-kryptonite-obfuscater.cpp)
### KULFI (Utah)
> Instruction level fault injector
[GitHub](https://github.com/soarlab/KULFI)
http://formalverification.cs.utah.edu/fmr/#kulfi
### IKOS (NASA)
> a C++ library designed to facilitate the development of sound static analyzers based on Abstract Interpretation
https://ti.arc.nasa.gov/opensource/ikos/
### lafindel's transforms
> Splitting certain compares to improve fuzzing
[``Circumventing Fuzzing Roadblocks with Compiler Transformations''](https://lafintel.wordpress.com/2016/08/15/circumventing-fuzzing-roadblocks-with-compiler-transformations/)
### LeakSanitizer
> Memory leak detection
[GitHub](https://github.com/google/sanitizers/wiki/AddressSanitizerLeakSanitizer)
### LibFuzzer
> Evolutionary, in-process guided fuzzing library
http://llvm.org/docs/LibFuzzer.html
[GitHub](https://github.com/llvm-mirror/llvm/tree/master/lib/Fuzzer)
[LibFuzzer Tutorial](https://github.com/google/fuzzer-test-suite/blob/master/tutorial/libFuzzerTutorial.md)
### llmc
[``Model checking LLVM IR using LTSmin''](http://fmt.cs.utwente.nl/files/sprojects/190.pdf)
### llStar
> Pre/post condition intra-procedural verifier
https://bitbucket.org/jvillard/llstar/wiki/Home
### Mc Sema (ToB)
> Lift MC to IR for retargeting, patching, recompilation, symbolic exec
[Github](https://github.com/trailofbits/mcsema)
### MemorySanitizer
> Detect pointer misalignment etc
[GitHub](https://github.com/google/sanitizers/wiki/MemorySanitizer) and see source in lib/Transform/Instrumentation
### Obfuscator-LLVM
[GitHub](https://github.com/obfuscator-llvm/obfuscator)
Note: https://github.com/obfuscator-llvm/obfuscator/tree/llvm-3.6.1/lib/Transforms/Obfuscation
### Passes from QuarksLab
[GitHub](https://github.com/quarkslab/llvm-passes/tree/master/llvm-passes)
[``Turning regular code into atrocities''](http://blog.quarkslab.com/turning-regular-code-into-atrocities-with-llvm.html)
### Path Analysis for invariant Generation by Abstract Interpretation (PAGAI) (VERIMAG)
http://pagai.forge.imag.fr/
Also check out *screen* from trail of bits which makes use of PAGAI: https://github.com/trailofbits/screen
### pmGen
> Translate IR to Promela for verification
[GitHub](https://github.com/roselone/pmGen)
### PRESAGE (Utah)
> protecting structured address computations against soft errors
http://formalverification.cs.utah.edu/fmr/#presage
[Git]https://utahfmr.github.io/PRESAGE/
[Paper](https://arxiv.org/abs/1606.08948)
Basically, it attempts to reorganize GetElementPtr's to best handle alpha particle hits.
### Pointer analysis with tunable precision (TPA)
[GitHub](https://github.com/grievejia/tpa)
### Remill (ToB)
> Lift MC instructions to IR
[GitHub](https://github.com/trailofbits/remill)
### Return-less code
> Transform IR to have no return statements.. attempt to avoid ROP
[Paper](http://www4.ncsu.edu/~mcgrace/EUROSYS10.pdf)
### Rev.ng
> Lift MC to IR by using QEMU
https://rev.ng/
[Rev.ng LLVM developer mtg 2016](http://llvm.org/devmtg/2016-11/Slides/DiFederico-rev.ng.pdf)
### s2e (EPFL)
[GitHub](https://github.com/dslab-epfl/s2e)
### SAFECode
http://safecode.cs.illinois.edu/
[``Memory Safety for Low-Level Software/Hardware Interactions''](http://llvm.org/pubs/2009-08-12-UsenixSecurity-SafeSVAOS.html)
### SafeInit (VUSec)
> Detect uninitialized memory use errors
[GitHub](https://github.com/vusec/safeinit)
[Paper](https://www.vusec.net/download/?t=papers/safeinit_ndss17.pdf)
### Seahorn
> Intraprocedural model checker
[GitHub](https://github.com/seahorn/seahorn)
See the links there to CRAB etc
### Security-Oriented Analysis of Application Programs (SOAAP) (Cambridge)
http://www.cl.cam.ac.uk/research/security/ctsrd/soaap
[GitHub](https://github.com/CTSRD-SOAAP)
### Sloopy
http://forsyte.at/people/pani/sloopy/
### Smack
[GitHub](https://github.com/smackers/smack)
http://soarlab.org/2014/05/smack-decoupling-source-language-details-from-verifier-implementations/
### Software Analysis Workbench (SAW) (Galois Inc)
> Formal verification via equivelancy checks
http://saw.galois.com/
[GitHub SAW Script](https://github.com/GaloisInc/saw-script)
[GitHub llvm-verifier](https://github.com/GaloisInc/llvm-verifier)
### Static Value Flow (SVF) (UNSW)
> Pointer Analysis and Program Dependence Analysis for C and C++ Programs
http://unsw-corg.github.io/SVF/
[GitHub](https://github.com/unsw-corg/SVF)
### Temporally Enhanced Security Logic Assertions (TESLA) (Cambridge)
http://www.cl.cam.ac.uk/research/security/ctsrd/tesla
[GitHub](https://github.com/CTSRD-TESLA/)
### TokenCap
> Find tokens/magics in code so as to quickly pass fuzzing blockers
[GitHub](https://github.com/0vercl0k/stuffz/blob/master/llvm-funz/afl-llvm-tokencap-pass.so.cc)
### Typesan (VUSec)
[GitHub](https://github.com/vusec/typesan)
### Verified LLVM (VeLLVM)
> Model syntax and semantics of LLVM IR in Coq for proving things about code reasoning on IR
http://www.cis.upenn.edu/~stevez/vellvm/
https://deepspec.org/main
### Whole program LLVM
> Help linking multiple .bc files to one
[GitHub](https://github.com/travitch/whole-program-llvm)
Ссылка в новой задаче Показать git blame Копировать постоянную ссылку