Patch from CDN to add support for an exploitability engine

A=cdn
R=nealsid



git-svn-id: http://google-breakpad.googlecode.com/svn/trunk@662 4c0a9323-5329-0410-9bdc-e9ce6186880e

6 files changed, 265 insertions, 1 deletions

diff --git a/src/google_breakpad/processor/exploitability.h b/src/google_breakpad/processor/exploitability.h
new file mode 100644
index 00000000..41ca551c
--- /dev/null
+++ b/src/google_breakpad/processor/exploitability.h
@@ -0,0 +1,72 @@
+// Copyright (c) 2010 Google Inc.
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+//     * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// exploitability_engine.h: Generic exploitability engine.
+//
+// The Exploitability class is an abstract base class providing common
+// generic methods that apply to exploitability engines for specific platforms.
+// Specific implementations will extend this class by providing run
+// methods to fill in the exploitability_ enumeration of the ProcessState
+// for a crash.
+//
+// Author: Cris Neckar
+
+#ifndef GOOGLE_BREAKPAD_PROCESSOR_EXPLOITABILITY_H_
+#define GOOGLE_BREAKPAD_PROCESSOR_EXPLOITABILITY_H_
+
+#include "google_breakpad/common/breakpad_types.h"
+#include "google_breakpad/processor/minidump.h"
+#include "google_breakpad/processor/process_state.h"
+
+namespace google_breakpad {
+
+class Exploitability {
+ public:
+  virtual ~Exploitability() {}
+
+  static Exploitability *ExploitabilityForPlatform(Minidump *dump,
+                                                   ProcessState *process_state);
+
+  ExploitabilityRating CheckExploitability();
+
+ protected:
+  Exploitability(Minidump *dump,
+                 ProcessState *process_state);
+
+ private:
+  virtual ExploitabilityRating CheckPlatformExploitability() = 0;
+
+  Minidump *dump_;
+  ProcessState *process_state_;
+  SystemInfo *system_info_;
+};
+
+}  // namespace google_breakpad
+
+#endif  // GOOGLE_BREAKPAD_PROCESSOR_EXPLOITABILITY_H_
diff --git a/src/google_breakpad/processor/minidump_processor.h b/src/google_breakpad/processor/minidump_processor.h
index 8779b962..384c60c1 100644
--- a/src/google_breakpad/processor/minidump_processor.h
+++ b/src/google_breakpad/processor/minidump_processor.h
@@ -94,6 +94,14 @@ class MinidumpProcessor {
   // implementation of the SymbolSupplier abstract base class.
   MinidumpProcessor(SymbolSupplier *supplier,
                     SourceLineResolverInterface *resolver);
+
+  // Initializes the MinidumpProcessor with the option of
+  // enabling the exploitability framework to analyze dumps
+  // for probable security relevance.
+  MinidumpProcessor(SymbolSupplier *supplier,
+                    SourceLineResolverInterface *resolver,
+                    bool enable_exploitability);
+
   ~MinidumpProcessor();
 
   // Processes the minidump file and fills process_state with the result.
@@ -149,6 +157,11 @@ class MinidumpProcessor {
  private:
   SymbolSupplier *supplier_;
   SourceLineResolverInterface *resolver_;
+
+  // This flag enables the exploitability scanner which attempts to
+  // guess how likely it is that the crash represents an exploitable
+  // memory corruption issue.
+  bool enable_exploitability_;
 };
 
 }  // namespace google_breakpad
diff --git a/src/google_breakpad/processor/process_state.h b/src/google_breakpad/processor/process_state.h
index 23014227..f3f2ec42 100644
--- a/src/google_breakpad/processor/process_state.h
+++ b/src/google_breakpad/processor/process_state.h
@@ -48,6 +48,42 @@ using std::vector;
 class CallStack;
 class CodeModules;
 
+enum ExploitabilityRating {
+  EXPLOITABILITY_HIGH,                    // The crash likely represents
+                                          // a exploitable memory corruption
+                                          // vulnerability.
+
+  EXPLOITABLITY_MEDIUM,                   // The crash appears to corrupt
+                                          // memory in a way which may be
+                                          // exploitable in some situations.
+
+  EXPLOITABILITY_LOW,                     // The crash either does not corrupt
+                                          // memory directly or control over
+                                          // the effected data is limited. The
+                                          // issue may still be exploitable
+                                          // on certain platforms or situations.
+
+  EXPLOITABILITY_INTERESTING,             // The crash does not appear to be
+                                          // directly exploitable. However it
+                                          // represents a condition which should
+                                          // be furthur analyzed.
+
+  EXPLOITABILITY_NONE,                    // The crash does not appear to represent
+                                          // an exploitable condition.
+
+  EXPLOITABILITY_NOT_ANALYZED,            // The crash was not analyzed for
+                                          // exploitability because the engine
+                                          // was disabled.
+
+  EXPLOITABILITY_ERR_NOENGINE,            // The supplied minidump's platform does
+                                          // not have a exploitability engine
+                                          // associated with it.
+
+  EXPLOITABILITY_ERR_PROCESSING           // An error occured within the
+                                          // exploitability engine and no rating
+                                          // was calculated.
+};
+
 class ProcessState {
  public:
   ProcessState() : modules_(NULL) { Clear(); }
@@ -69,6 +105,7 @@ class ProcessState {
   }
   const SystemInfo* system_info() const { return &system_info_; }
   const CodeModules* modules() const { return modules_; }
+  ExploitabilityRating exploitability() const { return exploitability_; }
 
  private:
   // MinidumpProcessor is responsible for building ProcessState objects.
@@ -119,6 +156,11 @@ class ProcessState {
   // The modules that were loaded into the process represented by the
   // ProcessState.
   const CodeModules *modules_;
+
+  // The exploitability rating as determined by the exploitability
+  // engine. When the exploitability engine is not enabled this
+  // defaults to EXPLOITABILITY_NONE.
+  ExploitabilityRating exploitability_;
 };
 
 }  // namespace google_breakpad
diff --git a/src/processor/exploitability.cc b/src/processor/exploitability.cc
new file mode 100644
index 00000000..74810e70
--- /dev/null
+++ b/src/processor/exploitability.cc
@@ -0,0 +1,89 @@
+// Copyright (c) 2010 Google Inc.
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+//     * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// exploitability_engine.cc: Generic exploitability engine.
+//
+// See exploitable_engine.h for documentation.
+//
+// Author: Cris Neckar
+
+
+#include <cassert>
+
+#include "google_breakpad/processor/exploitability.h"
+#include "google_breakpad/processor/minidump.h"
+#include "google_breakpad/processor/process_state.h"
+#include "processor/logging.h"
+#include "processor/scoped_ptr.h"
+
+namespace google_breakpad {
+
+Exploitability::Exploitability(Minidump *dump,
+                               ProcessState *process_state)
+    : dump_(dump),
+      process_state_(process_state) {}
+
+ExploitabilityRating Exploitability::CheckExploitability() {
+  return CheckPlatformExploitability();
+}
+
+Exploitability *Exploitability::ExploitabilityForPlatform(
+    Minidump *dump,
+    ProcessState *process_state) {
+  Exploitability *platform_exploitability = NULL;
+  MinidumpSystemInfo *minidump_system_info = dump->GetSystemInfo();
+  if (!minidump_system_info)
+    return NULL;
+
+  const MDRawSystemInfo *raw_system_info =
+    minidump_system_info->system_info();
+  if (!raw_system_info)
+    return NULL;
+
+  switch (raw_system_info->platform_id) {
+    case MD_OS_WIN32_NT:
+    case MD_OS_WIN32_WINDOWS:
+    case MD_OS_UNIX:
+    case MD_OS_MAC_OS_X:
+    case MD_OS_LINUX:
+    case MD_OS_SOLARIS:
+    default: {
+      platform_exploitability = NULL;
+      break;
+    }
+  }
+
+  BPLOG_IF(ERROR, !platform_exploitability) <<
+    "No Exploitability module for platform: " <<
+    process_state->system_info()->os;
+  return platform_exploitability;
+}
+
+}  // namespace google_breakpad
+
diff --git a/src/processor/minidump_processor.cc b/src/processor/minidump_processor.cc
index b090ecbd..057b342d 100644
--- a/src/processor/minidump_processor.cc
+++ b/src/processor/minidump_processor.cc
@@ -35,6 +35,7 @@
 #include "google_breakpad/processor/call_stack.h"
 #include "google_breakpad/processor/minidump.h"
 #include "google_breakpad/processor/process_state.h"
+#include "google_breakpad/processor/exploitability.h"
 #include "processor/logging.h"
 #include "processor/scoped_ptr.h"
 #include "processor/stackwalker_x86.h"
@@ -43,7 +44,15 @@ namespace google_breakpad {
 
 MinidumpProcessor::MinidumpProcessor(SymbolSupplier *supplier,
                                      SourceLineResolverInterface *resolver)
-    : supplier_(supplier), resolver_(resolver) {
+    : supplier_(supplier), resolver_(resolver),
+      enable_exploitability_(false) {
+}
+
+MinidumpProcessor::MinidumpProcessor(SymbolSupplier *supplier,
+                                     SourceLineResolverInterface *resolver,
+                                     bool enable_exploitability)
+    : supplier_(supplier), resolver_(resolver),
+      enable_exploitability_(enable_exploitability) {
 }
 
 MinidumpProcessor::~MinidumpProcessor() {
@@ -230,6 +239,22 @@ ProcessResult MinidumpProcessor::Process(
     process_state->requesting_thread_ = -1;
   }
 
+  // Exploitability defaults to EXPLOITABILITY_NOT_ANALYZED
+  process_state->exploitability_ = EXPLOITABILITY_NOT_ANALYZED;
+
+  // If an exploitability run was requested we perform the platform specific
+  // rating.
+  if (enable_exploitability_) {
+    scoped_ptr<Exploitability> exploitability(
+        Exploitability::ExploitabilityForPlatform(dump, process_state));
+    // The engine will be null if the platform is not supported
+    if (exploitability != NULL) {
+      process_state->exploitability_ = exploitability->CheckExploitability();
+    } else {
+      process_state->exploitability_ = EXPLOITABILITY_ERR_NOENGINE;
+    }
+  }
+
   BPLOG(INFO) << "Processed " << dump->path();
   return PROCESS_OK;
 }
diff --git a/src/processor/minidump_processor_unittest.cc b/src/processor/minidump_processor_unittest.cc
index 8fd21fbd..85a60726 100644
--- a/src/processor/minidump_processor_unittest.cc
+++ b/src/processor/minidump_processor_unittest.cc
@@ -245,6 +245,24 @@ TEST_F(MinidumpProcessorTest, TestSymbolSupplierLookupCounts) {
             google_breakpad::PROCESS_OK);
 }
 
+TEST_F(MinidumpProcessorTest, TestExploitilityEngine) {
+  TestSymbolSupplier supplier;
+  BasicSourceLineResolver resolver;
+  MinidumpProcessor processor(&supplier, &resolver, true);
+
+  string minidump_file = string(getenv("srcdir") ? getenv("srcdir") : ".") +
+                         "/src/processor/testdata/minidump2.dmp";
+
+  ProcessState state;
+  ASSERT_EQ(processor.Process(minidump_file, &state),
+            google_breakpad::PROCESS_OK);
+
+  // Test that exploitability module correctly fails to supply
+  // an engine for this platform
+  ASSERT_EQ(google_breakpad::EXPLOITABILITY_ERR_NOENGINE,
+            state.exploitability());
+}
+
 TEST_F(MinidumpProcessorTest, TestBasicProcessing) {
   TestSymbolSupplier supplier;
   BasicSourceLineResolver resolver;
@@ -315,6 +333,11 @@ TEST_F(MinidumpProcessorTest, TestBasicProcessing) {
   ASSERT_EQ(state.modules()->GetModuleForAddress(0x77d43210)->version(),
             "5.1.2600.2622");
 
+  // Test that disabled exploitability engine defaults to
+  // EXPLOITABILITY_NOT_ANALYZED.
+  ASSERT_EQ(google_breakpad::EXPLOITABILITY_NOT_ANALYZED,
+            state.exploitability());
+
   // Test that the symbol supplier can interrupt processing
   state.Clear();
   supplier.set_interrupt(true);