Add MIPS support #25

Draft: wants to merge 1 commit into main

Conversation

@vobst vobst commented Sep 12, 2024

I recently had the need for a symbolic execution engine with nice Rust bindings (or even better, written in Rust) and MIPS support. The first thing worked out well here, the second thing required a bit of work, but it now works nicely :)

The main problem with MIPS support was handling of delay slots. I decided to handle them using the existing (but by default disabled) explicit delay-slot related operations in ESIL strings. For details on my changes on the radare side, see radareorg/radare2#23307. The other thing was putting the right return address in the backtrace, but this works nicely since the fail address is already delay slot aware. Note that the handling of delay slots is incomplete, in the sense that "likely" instructions are not handled correctly. Those instructions only execute the delay slot if the branch is taken. It should be straightforward to do this properly by changing the ESIL of those instructions to

...,?{,"addr", SETJT, 1, SETD}{4,pc,+,pc,:=}

Also note that currently only a single delay slot is supported. Extending the code to multiple delay slots should be straightforward as well, e.g., by making delay a counter.

However, this patch is everything but clean, thus only a draft PR. Mostly for reference (on what to do, or not to do) if you, or any other contributor, ever want to add delay slot support. The main blockers are:

  • I am quite opinionated about conditional symbolic values -- I thoroughly hate them :) -- and thus I removed them completely. IMHO this makes the code much simpler without any drawbacks. TBH I think those values should not exist in symbolic states in the first place; it breaks the whole idea of a symbolic state corresponding to an equivalence class of concrete executions that go down a single path. In fact, without this change I would not have known how to implement delay slots without incredibly awkward code.
  • I broke a bunch of features related to stuff that I did not need for my use-case (which was UC symex on bare metal firmware). Those should be easy to fix.
  • I added a hack to duplicate the solver on each fork of a state. This was needed since otherwise boolector would abort if two states independently created the same symbolic memory. Since I also didn't find a way to check if a variable already exists in a solver (boolector would just abort if it doesn't ...?!?! ... it would probably be an easy change on their side to provide such a method) I introduced this ugly inefficiency.

There are some other things, like adding doc comments, renaming things in a (IMO) descriptive way, which shouldn't be major problems though.

Thanks for creating this great project! If you want to add delay slot support I'd be happy to discuss my experience with you.

Cheers
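As an added illustration (not code from this PR or the project): a toy Python model of the SETJT/SETD delay-slot scheme the comment describes, including the branch-likely case where the slot is annulled when the branch is not taken and the delay value kept as a counter so that more than one slot could be supported. The instruction encoding, register names and sample program are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Toy MIPS-style fetch/execute loop (constructed for this example). A taken
# branch records its target (like ESIL SETJT) and arms a delay counter (like
# SETD); the counter is retired after each later instruction and the jump
# fires at zero, so a value > 1 would model several delay slots. "bl" is
# branch-likely: when not taken, the slot is annulled (pc moves to pc + 8).

@dataclass
class Cpu:
    pc: int = 0
    regs: dict = field(default_factory=dict)
    jump_target: Optional[int] = None  # pending branch target (SETJT)
    delay: int = 0                     # delay slots still to execute (SETD)
    trace: list = field(default_factory=list)

def fail_address(kind: str, pc: int) -> int:
    """Address execution continues at when the branch at pc is NOT taken."""
    return pc + 8 if kind == "bl" else pc + 4

def step(cpu: Cpu, prog: dict) -> bool:
    op = prog[cpu.pc]
    cpu.trace.append(cpu.pc)
    in_slot = cpu.jump_target is not None      # executing a delay slot?
    next_pc = cpu.pc + 4
    kind = op[0]
    if kind == "halt":
        return False
    if kind == "addi":                         # ("addi", reg, imm)
        cpu.regs[op[1]] = cpu.regs.get(op[1], 0) + op[2]
    elif kind in ("b", "bl"):                  # (kind, cond_reg, target)
        if cpu.regs.get(op[1], 0) != 0:        # taken iff cond_reg != 0
            cpu.jump_target, cpu.delay = op[2], 1
        else:
            next_pc = fail_address(kind, cpu.pc)
    if in_slot:                                # retire one delay slot
        cpu.delay -= 1
        if cpu.delay == 0:
            next_pc, cpu.jump_target = cpu.jump_target, None
    cpu.pc = next_pc
    return True

def run(prog: dict, regs: dict, limit: int = 100) -> Cpu:
    cpu = Cpu(regs=dict(regs))
    while limit > 0 and step(cpu, prog):
        limit -= 1
    return cpu
def make_prog(kind: str) -> dict:
    """Constructed program: branch at 0, delay slot at 4, fall-through at 8."""
    return {0: (kind, "t", 16), 4: ("addi", "a", 1), 8: ("addi", "a", 10),
            12: ("halt",), 16: ("addi", "a", 100), 20: ("halt",)}
```

Running `run(make_prog("bl"), {"t": 0})` shows the annulled slot (trace 0, 8, 12), while `run(make_prog("b"), {"t": 0})` executes it (trace 0, 4, 8, 12).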
