[scanner] Remove use of local config

vusec · Jun 2, 2024 · f224371 · f224371
1 parent e870f22
commit f224371
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 11 deletions.
diff --git a/analyzer/analyzer.py b/analyzer/analyzer.py
@@ -58,7 +58,6 @@ def load_config(config_file):
                                            'r12', 'r13', 'r14', 'r15']}
 
     init_config(config)
-    return config
 
 
 def load_angr_project(binary_file: str, base_address, use_pickle) -> angr.Project:
@@ -125,7 +124,7 @@ def append_to_csv(csv_filename, transmissions):
         writer.writerows(flatten_dicts)
 
 
-def analyse_gadget(proj, gadget_address, name, config, csv_filename, tfp_csv_filename, asm_folder):
+def analyse_gadget(proj, gadget_address, name, csv_filename, tfp_csv_filename, asm_folder):
     """
     Run the scanner from a single entrypoint and analyze the potential transmissions
     found at symbolic-execution time.
@@ -134,7 +133,7 @@ def analyse_gadget(proj, gadget_address, name, config, csv_filename, tfp_csv_fil
     # Step 1. Analyze the code snippet with angr.
     l.info(f"Analyzing gadget at address {hex(gadget_address)}...")
     s = Scanner()
-    s.run(proj, gadget_address, config)
+    s.run(proj, gadget_address)
 
     l.info(f"Found {len(s.transmissions)} potential transmissions.")
     l.info(f"Found {len(s.calls)} tainted function pointers.")
@@ -230,7 +229,7 @@ def run(binary, config_file, base_address, gadgets, cache_project, csv_filename=
     # Simplify how symbols get printed.
     claripy.ast.base._unique_names = False
 
-    config = load_config(config_file)
+    load_config(config_file)
 
     if global_config["LogLevel"] == 0:
         disable_logging()
@@ -253,4 +252,4 @@ def run(binary, config_file, base_address, gadgets, cache_project, csv_filename=
     # Run the Analyzer.
     # TODO: Parallelize.
     for g in gadgets:
-        analyse_gadget(proj, g[0], g[1], config, csv_filename, tfp_csv_filename, asm_folder)
+        analyse_gadget(proj, g[0], g[1], csv_filename, tfp_csv_filename, asm_folder)
diff --git a/analyzer/scanner/scanner.py b/analyzer/scanner/scanner.py
@@ -112,7 +112,7 @@ def __init__(self):
         self.cur_state = None
 
 
-    def initialize_regs_and_stack(self, state: angr.sim_state.SimState, config):
+    def initialize_regs_and_stack(self, state: angr.sim_state.SimState):
         """
         Mark stack locations and registers as attacker-controlled.
         """
@@ -121,7 +121,7 @@ def initialize_regs_and_stack(self, state: angr.sim_state.SimState, config):
         state.regs.gs = claripy.BVS('gs', 64, annotations=(UncontrolledAnnotation('gs'),))
 
         # Attacker-controlled registers.
-        for reg in config['controlled_registers']:
+        for reg in global_config['controlled_registers']:
             try:
                 length = getattr(state.regs, reg).length
             except AttributeError:
@@ -133,8 +133,8 @@ def initialize_regs_and_stack(self, state: angr.sim_state.SimState, config):
         # Attacker-controlled stack locations: save them as stores.
         # TODO: this is a hack. If STL forwarding is disabled, stack variables
         # will not be loaded.
-        if 'controlled_stack' in config:
-            for region in config['controlled_stack']:
+        if 'controlled_stack' in global_config:
+            for region in global_config['controlled_stack']:
                 for offset in range(region['start'], region['end'], region['size']):
                     size = region['size']
                     assert (size in [1, 2, 4, 8])
@@ -551,7 +551,7 @@ def exit_hook_before(self, state : angr.SimState):
         raise SplitException
 
 
-    def run(self, proj: angr.Project, start_address, config) -> list[TransmissionExpr]:
+    def run(self, proj: angr.Project, start_address) -> list[TransmissionExpr]:
         """
         Run the symbolic execution engine for a given number of basic blocks.
         """
@@ -584,7 +584,7 @@ def run(self, proj: angr.Project, start_address, config) -> list[TransmissionExp
         state.inspect.b('address_concretization', when=angr.BP_AFTER, action=skip_concretization)
         state.inspect.b('expr', when=angr.BP_AFTER, action=self.expr_hook_after)
 
-        self.initialize_regs_and_stack(state, config)
+        self.initialize_regs_and_stack(state)
         self.thunk_list = get_x86_indirect_thunks(proj)
 
         # Run the symbolic execution engine.