trailofbits / manticoreui Goto Github PK
View Code? Open in Web Editor NEWThe Manticore User Interface with plugins for Binary Ninja and Ghidra
License: GNU Affero General Public License v3.0
The Manticore User Interface with plugins for Binary Ninja and Ghidra
License: GNU Affero General Public License v3.0
Acceptance Criteria:
state_list_widget
and binja log should be appropriately updatedRight now hooks are tied to a specific address, but manticore also supports adding hooks that apply to all instructions executed.
Example:
# None: The hook will be applied to all the instructions
@m.hook(None)
def record_trace(state):
pass
This would get MUI's feature set closer to that of manticore and should be useful to users as well.
Evelyn needs to know what Manticore detected and wants this data presented in MUI
Manticore has models for common library functions. These help to improve performance, as opposed to symbolically executing the instructions of the original function.
Adding a command to apply these models would be helpful to expose these features to users less familiar with manticore.
Additionally, we could leverage on the Binary Ninja analysis API to try to apply these function models automatically (perhaps with a warning/prompt for the user).
Documentation for usage of function models: https://github.com/trailofbits/manticore/blob/master/docs/native.rst#function-models
As of commit c6b9ac5 the MUI Server now uses protobuf version ~=3.20
This means that we can safely support Explicit Field Presence (https://github.com/protocolbuffers/protobuf/blob/main/docs/field_presence.md) - most notably by denoting specific fields as optional
- this helps make the proto spec clearer for devs, and exposes the HasField
API method so we don't have to manually set defaults to make them unambiguous
Natalie needs some guidance for running MUI and exploring it's features
Ghidra is written in Java, which presents a challenge for interaction with Manticore written in Python.
We want to first develop a prototype Ghidra plugin that will appear similarly to the Binary Ninja plugin but written for Ghidra in Java.
This will initially exist as a separate repository because it's a prototype. The features will be very light in terms of MUI capabilities, but will at least support starting Manticore with an arbitrary command line argument list from a Ghidra UI component and then piping Manticore's output to a Ghidra UI component. The user will also be able to stop Manticore.
os/linux_x86_64
)os/mac_x86_64
)Shiv might be useful for packaging Manticore into an executable.
From #1
Similar to how pause is implemented (#67), it could be helpful if we could kill/abandon a state through the UI while manticore is solving.
This should be useful in scenarios where we've identified undesired states that are:
avoid
hookNatalie can provide concrete data so that Manticore doesn't waste time
Natalie can write a Manticore script that raises a SerializeState
exception to generate the initial state seed that should be loaded.
Natalie could also choose a state from a previous MUI run to use as the seed.
Right now, find and avoid hooks in ghidra will highlight the disassembly green/red accordingly. But this is not done for custom hooks. Without highlighting it's less obvious to the user that a custom hook exists at that disassembly line.
Natalie needs to be able to pause and restart a state
Natalie would like some guidance on where to start with MUI's features
Closed by #24
Currently when we use the Solve with manticore
functionality, manticore will start and the background process indicator will show in the bottom right corner, but this is not very obvious when looking at the logs. Similarly, when manticore exits without hitting any find/avoids, it will just quietly stop the worker threads with not much information to the user.
I think it would be beneficial to add the following logging messages:
I think timestamps could be useful as well (so that we can track how long manticore has been running), but I'm not sure if we want that.
Supersedes #81
Discussed with @lordidiot and agreed that implementing the ability to:
would be useful
There is a mismatch between the behaviour of the Ghidra and Binary Ninja plug-ins.
Ghidra
If a custom hook exists at address A, creating a custom hook at A again creates a new custom hook at the same address.
Binary Ninja
If a custom hook exists at address A, trying to create a custom hook at A again will edit the old custom hook.
I think the way binary ninja does it is more convenient for the user as they can edit their past mistakes/update their custom hooks. However, it may be useful to also support adding multiple hooks on the same address to partition out functionally different custom hooks that are needed on the same address.
What:
A minimal implementation such that the Binja plugin can interact with a running MUICore binary on localhost and a hardcoded port, and Start/Terminate a single instance of Manticore.
Acceptance Criteria:
Once chess branch logging changes have been merged into master, the Binja plugin on master
will need some edits - the current state will not successfully log output.
You can refer to this PR trailofbits/ManticoreUI-Ghidra#21 on how the logging updates should work. Specifically, a custom handler may have to be created and attached to the manticore
logger object.
It would be helpful to have an additional window in MUI that would list the find/avoid/hooks that have been added to the project. Currently, users have to search through the disassembly to find existing hooks that have been implemented. This overall view should improve usability of the tool.
Basic features:
Additional(?) features:
MUI exists as a Binary Ninja plugin that can be installed from the plugin manager
Natalie can keep track of state explosion and have an overall view of progress
Allow hooks to be named, this will aid hook management when the db complexity starts to increase.
Evelyn needs to know where manticore is executing in a given state
Acceptance Criteria:
Notes:
George wants to better understand the state exploration
Do we know the next instruction of a forked state?
From: trailofbits/manticore#2439
From #5
as per #61 (comment)
George needs to know where manticore is executing in a given state
From #6
Evelyn wants to be confident that her analysis has covered the important parts of her target.
During initial exploration of a target, it is easier to specify points of interest with the UI, but if a user wants to write additional logic or even just have the ability to run the same logic from the command-line, then they should be able to do that.
One way to do this would be to export a sort of human-readable configuration file that represents the state of the current Manticore configuration, as specified through the UI.
The configuration file could be passed to a new tool that would do some Python code generation to create a Manticore script that would be used as a starting point for writing more logic. The layout and fields of the configuration file should probably follow closely with the upcoming MUICore messages in the hope that eventually a UI could also be initialized.
The implementation for the codegen isn't decided but there are templating engines that would be good to look at first, like Jinja.
George would like sensible defaults so that he can run MUI with as little clicks as possible
Natalie would like to easily see the vulnerability locations from a detector result
TBD
Evelyn would like sensible defaults so that she can run MUI with as little clicks as possible
TBD
Implement the feature in #58 but for the mui server - Ghidra/Binja-integration support can come in a subsequent PR
Natalie needs to know what's running and its status.
We have some initial implementation for Manticore introspection for the TUI feature.
We would like to set up MUI with a relatively normal Python package directory structure, but Binary Ninja plugin manager can't be configured to use a subdirectory in a Git repo.
We should open an issue to see how difficult it would be to do this.
Ethersplay also has this issue and directs users to install it manually.
What
Currently, Binja plugin users are restricted to the options presented in the Run Dialogs. There should be an additional field where users who are more familiar with Manticore can choose to supply CLI arguments for greater control over Manticore execution.
This issue is chiefly for the muicore integration branch, but may also be relevant to the existing master implementation.
Acceptance Criteria - MUICore
Acceptance Criteria - master
George would like some guidance on where to start with MUI's features
Natalie would like sensible defaults so that she can run MUI with as little clicks as possible
TBD
George needs to know what's running and its status.
We have some initial implementation for Manticore introspection for the TUI feature.
We are going to need to generate Java code from the protobuf specification for Manticore's introspection data
From: #2
As of the change that introduces the Hook List component as part of the MUI Setup component, on a fresh install of the plugin the component looks like this:
The current layout is patched together by a series of borderlayouts and gridbaglayouts. We should overhaul this so that it's more easily maintainable and the component is more appropriately laid out and sized
George is presented a right-click menu option to either 'find' or 'avoid' and instruction, which will color the instruction in a color to represent the selection.
To keep the PRs smaller, this issue is only for the UI component. Upon clicking, George should be presented with an "Unimplemented" message.
Natalie can pause and restart manticore or stop the manticore run
Ensure that configurable Manticore settings like find/avoid instruction are able to be saved in a Binary Ninja Database so that when Binary Ninja is saved and closed, it can reopened and loaded with the same Manticore state to continue where you left off.
This would make it easier to share databases between people.
Natalie is notified that MUI does not support her Mac machine when trying to run a native binary.
Related to #1 (trailofbits/manticore#2431)
Evelyn wants to better understand the state exploration
Do we know the next instruction of a forked state?
From: trailofbits/manticore#2439
Closed by #22
MUI was initially developed for Binary Ninja, but with Ghidra support, we will need some way to reduce the duplication of data constants like colors, data structures, and supported interaction commands.
The implementation should be easily supported across various languages and ideally support code generation for those languages (for data structure definitions).
During development of Ghidra, we should note any of these features that are shared with Binary Ninja.
After completion of #35 we need to implement the backend logic that Manticore will use to process the 'find' and 'avoid' commands.
This backend will likely be a grpc service.
Upon reaching a 'find' instruction, Manticore will print the solution to all symbolic variables in that state and then kill all remaining states. A state that reaches an 'avoid' instruction will terminate itself (which helps with state explosion).
See this code snippet for more info on Manticore handling
Lines 87 to 103 in 903b976
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.