Patch from CDN to add support for an exploitability engine

A=cdn R=nealsid git-svn-id: http://google-breakpad.googlecode.com/svn/trunk@662 4c0a9323-5329-0410-9bdc-e9ce6186880e
2026-01-07 15:08:27 +01:00 · 2010-08-24 14:28:10 +00:00 · 2010-08-24 14:28:10 +00:00 · 8d2c518c0b
commit 8d2c518c0b
parent 3b7d8ee362
7 changed files with 286 additions and 10 deletions
--- a/src/google_breakpad/processor/exploitability.h
+++ b/src/google_breakpad/processor/exploitability.h
@ -0,0 +1,72 @@
+// Copyright (c) 2010 Google Inc.
+// All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//     * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+//     * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+//     * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+// exploitability_engine.h: Generic exploitability engine.
+//
+// The Exploitability class is an abstract base class providing common
+// generic methods that apply to exploitability engines for specific platforms.
+// Specific implementations will extend this class by providing run
+// methods to fill in the exploitability_ enumeration of the ProcessState
+// for a crash.
+//
+// Author: Cris Neckar
+
+#ifndef GOOGLE_BREAKPAD_PROCESSOR_EXPLOITABILITY_H_
+#define GOOGLE_BREAKPAD_PROCESSOR_EXPLOITABILITY_H_
+
+#include "google_breakpad/common/breakpad_types.h"
+#include "google_breakpad/processor/minidump.h"
+#include "google_breakpad/processor/process_state.h"
+
+namespace google_breakpad {
+
+class Exploitability {
+ public:
+  virtual ~Exploitability() {}
+
+  static Exploitability *ExploitabilityForPlatform(Minidump *dump,
+                                                   ProcessState *process_state);
+
+  ExploitabilityRating CheckExploitability();
+
+ protected:
+  Exploitability(Minidump *dump,
+                 ProcessState *process_state);
+
+ private:
+  virtual ExploitabilityRating CheckPlatformExploitability() = 0;
+
+  Minidump *dump_;
+  ProcessState *process_state_;
+  SystemInfo *system_info_;
+};
+
+}  // namespace google_breakpad
+
+#endif  // GOOGLE_BREAKPAD_PROCESSOR_EXPLOITABILITY_H_
--- a/src/google_breakpad/processor/minidump_processor.h
+++ b/src/google_breakpad/processor/minidump_processor.h
@ -94,6 +94,14 @@ class MinidumpProcessor {
  // implementation of the SymbolSupplier abstract base class.
  MinidumpProcessor(SymbolSupplier *supplier,
                    SourceLineResolverInterface *resolver);
+
+  // Initializes the MinidumpProcessor with the option of
+  // enabling the exploitability framework to analyze dumps
+  // for probable security relevance.
+  MinidumpProcessor(SymbolSupplier *supplier,
+                    SourceLineResolverInterface *resolver,
+                    bool enable_exploitability);
+
  ~MinidumpProcessor();

  // Processes the minidump file and fills process_state with the result.
@ -149,6 +157,11 @@ class MinidumpProcessor {
 private:
  SymbolSupplier *supplier_;
  SourceLineResolverInterface *resolver_;
+
+  // This flag enables the exploitability scanner which attempts to
+  // guess how likely it is that the crash represents an exploitable
+  // memory corruption issue.
+  bool enable_exploitability_;
 };

 }  // namespace google_breakpad
--- a/src/google_breakpad/processor/process_state.h
+++ b/src/google_breakpad/processor/process_state.h
@ -48,6 +48,42 @@ using std::vector;
 class CallStack;
 class CodeModules;

+enum ExploitabilityRating {
+  EXPLOITABILITY_HIGH,                    // The crash likely represents
+                                          // a exploitable memory corruption
+                                          // vulnerability.
+
+  EXPLOITABLITY_MEDIUM,                   // The crash appears to corrupt
+                                          // memory in a way which may be
+                                          // exploitable in some situations.
+
+  EXPLOITABILITY_LOW,                     // The crash either does not corrupt
+                                          // memory directly or control over
+                                          // the effected data is limited. The
+                                          // issue may still be exploitable
+                                          // on certain platforms or situations.
+
+  EXPLOITABILITY_INTERESTING,             // The crash does not appear to be
+                                          // directly exploitable. However it
+                                          // represents a condition which should
+                                          // be furthur analyzed.
+
+  EXPLOITABILITY_NONE,                    // The crash does not appear to represent
+                                          // an exploitable condition.
+
+  EXPLOITABILITY_NOT_ANALYZED,            // The crash was not analyzed for
+                                          // exploitability because the engine
+                                          // was disabled.
+
+  EXPLOITABILITY_ERR_NOENGINE,            // The supplied minidump's platform does
+                                          // not have a exploitability engine
+                                          // associated with it.
+
+  EXPLOITABILITY_ERR_PROCESSING           // An error occured within the
+                                          // exploitability engine and no rating
+                                          // was calculated.
+};
+
 class ProcessState {
 public:
  ProcessState() : modules_(NULL) { Clear(); }
@ -69,6 +105,7 @@ class ProcessState {
  }
  const SystemInfo* system_info() const { return &system_info_; }
  const CodeModules* modules() const { return modules_; }
+  ExploitabilityRating exploitability() const { return exploitability_; }

 private:
  // MinidumpProcessor is responsible for building ProcessState objects.
@ -119,6 +156,11 @@ class ProcessState {
  // The modules that were loaded into the process represented by the
  // ProcessState.
  const CodeModules *modules_;
+
+  // The exploitability rating as determined by the exploitability
+  // engine. When the exploitability engine is not enabled this
+  // defaults to EXPLOITABILITY_NONE.
+  ExploitabilityRating exploitability_;
 };

 }  // namespace google_breakpad