2.8.0

Highlights

Reven version 2.8 is packed with new features, still with a strong focus on providing you with a "bird's eye view" over a trace, so that you can get important information about what happens in a scenario at a glance! Here are some highlights:

  • Call Tree view in Axion GUI: the GUI now offers a new Call Tree view that provides users with far more semantic information about what is going on in the trace. Navigate to one transition and immediately visualize the call history before and after this transition, and from there jump to surrounding points of interest.

  • New vulnerability detection notebooks: new Jupyter Notebooks are available to help you detect Buffer Overflow vulnerabilities and Uninitialized Memory vulnerabilities. The notebooks are available in the "Python API - Analyze" examples of the "Download" page of the Project Manager, as well as on our GitHub.

Important Compatibility Notes

  • Reven version 2.8 is the first version of Reven to support Debian Buster and Python 3.7. As a result, support for Debian Stretch and Python 2.7 has been removed. See the migration guide for more information on the upgrade process. (outdated)

  • Reven version 2.8 switches from Capstone to Zydis as its disassembler backend. This modifies the result of the reven2.trace.Instruction.mnemonic and the reven2.trace.Instruction.operands methods, as well as the display of some instructions in Axion.

    For example, the operand xmmword ptr [rdi + rcx] is now rendered as xmmword ptr [rdi+rcx*1], the instruction rep movsq qword ptr [rdi], qword ptr [rsi] is now rendered as rep movsq (the operands are implicit), and the instruction cmpltps xmm1, xmm0 is now rendered as cmpps xmm1, xmm0, 0x1 (correcting both the mnemonic and the operands).

  • The behavior of the Tainter.simple_taint and TaintResultView.filter_by_context_range functions has been modified in the way the to_context parameter is handled. Previously, the taint would not propagate through the Transition right before the to_context parameter; with this change, it now does. This means that a simple taint between context c and context c + 1 will now propagate through the transition between context c and its successor context, whereas before it would propagate through no context at all.
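The boundary change described above, shown on a constructed mini-trace with a toy forward taint model. This is an added illustration, not Reven's own code or its reven2 API: the TRACE contents, the propagate rules and the legacy flag (which models the pre-2.8 behaviour) are assumptions made for the example.

```python
# Added illustration of the to_context boundary change; not Reven's reven2 API.
# Constructed mini-trace: transition i sits between context i and context i+1.
TRACE = [
    ("mov", "rbx", "rax"),  # t0: rbx <- rax
    ("add", "rcx", "rbx"),  # t1: rcx <- rcx + rbx
    ("xor", "rax", "rax"),  # t2: rax <- 0, zeroing idiom clears the taint
    ("mov", "rdx", "rcx"),  # t3: rdx <- rcx
]

def transitions_in_range(from_context, to_context, legacy=False):
    """Transition indices a forward simple taint walks through.
    2.8: every transition from from_context up to, not including, to_context.
    legacy (assumed pre-2.8 model): also skips the transition right before
    to_context, so a taint from c to c+1 walks through nothing at all."""
    end = to_context - 1 if legacy else to_context
    return list(range(from_context, max(from_context, end)))

def propagate(tainted, op, dst, src):
    """Toy register-level propagation rules for one instruction."""
    tainted = set(tainted)
    if op == "xor" and dst == src:
        tainted.discard(dst)        # value is now a constant zero
    elif op == "mov":
        if src in tainted:
            tainted.add(dst)
        else:
            tainted.discard(dst)    # overwritten with clean data
    elif op == "add" and src in tainted:
        tainted.add(dst)            # dst now depends on tainted src
    return tainted

def simple_taint(tag0, from_context, to_context, legacy=False):
    """Forward-taint register tag0 between two contexts.
    Returns (tainted registers at the end, transitions that changed the taint)."""
    tainted = {tag0}
    changes = []
    for i in transitions_in_range(from_context, to_context, legacy):
        op, dst, src = TRACE[i]
        after = propagate(tainted, op, dst, src)
        if after != tainted:
            changes.append(i)
        tainted = after
    return tainted, changes

if __name__ == "__main__":
    # context 0 -> context 1: 2.8 walks through t0, the legacy model walks nothing
    new = simple_taint("rax", 0, 1)
    old = simple_taint("rax", 0, 1, legacy=True)
    print(sorted(new[0]), new[1])   # ['rax', 'rbx'] [0]
    print(sorted(old[0]), old[1])   # ['rax'] []
```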

Improvements

Reven

  • Taint performance has been improved by up to 4x in some workloads (long taints with a lot of tainted memory benefit most from the improvement)
  • In the Python API Taint.accesses slicer, more instructions are reported as "accessed":
    • When the conditional flag is tainted in a conditional move or jump
    • When a tainted register is used to dereference memory
  • Changed Reven's disassembler backend from Capstone to Zydis, yielding runtime improvements in performance and correctness.
  • In the Enterprise edition, it is now possible to start and stop recording using the ASM stub, even when performing an automatic binary record. This allows for more flexibility in the record options.

Analysis Python API

  • The accuracy of the Transition.find_inverse method has been improved so that it returns the correct transition in more cases.
  • Added an example script thread_id.py to detect the current thread and find the transition where it was created. You can find it in the Download page of the Project Manager.
  • The standalone Python API Debian package is now easier to use with the addition of a sourceme script. Please refer to the installation documentation for more information.

Axion

  • The Backtrace view now skips "trampoline" calls by default. Trampoline calls are calls that immediately call another function selected dynamically by an indirect jump. It is desirable to skip them, since they muddle the backtrace and don't add any useful information.
  • The accuracy of the "%" (find inverse) plugin has been improved so that it jumps to the correct transition in more cases.
  • You can now choose the numeric base in which to display the register values in the CPU view.
  • Displaying symbols in the Taint view is now optional.

VirtualBox

Fixed issues

Analysis Python API

  • TaintResultView.filter_by_context_range would raise an AttributeError when the to_context parameter was None.
  • The provided automatic-scenario-creation.py example no longer fails attempting to replay the deprecated binary_ranges resource.
  • Context.find_register_change could loop infinitely when invoked in the backward direction.
  • Context.find_register_change could skip changes depending on the value of the technical fetch_count parameter.
  • Context.find_register_change would mistakenly raise AttributeError when its to_context parameter was None.

Project Manager

  • When recording a QEMU VM with UEFI enabled, the UEFI boot option is now passed correctly when replaying.
  • External processes launched by the Project Manager are correctly terminated by clicking the various Stop session buttons.
  • It was not possible to use OSSI without the kernel description and light filesystem resources. The snapshot filesystem can now be used if the light filesystem is not available.
  • The Project Manager would sometimes fail to correctly terminate its subprocesses. This would lead to some zombie processes remaining on the server running the Project Manager, and in some cases would lead to a failure to stop a VM when clicking the "Stop VM" button.
  • A superfluous and misleading error was displayed when attempting to replay without being able to delete all the necessary resources.