2.8.0
Highlights
Reven version 2.8 is packed with new features, still with a strong focus on providing you with a "bird's eye view" over a trace, so that you can get important information about what happens in a scenario at a glance! Here are some highlights:
- Call Tree view in Axion GUI: the GUI now proposes a new Call Tree view that provides users with far more semantic information about what is going on in the trace. Navigate to one transition and immediately visualize the call history before and after this transition, and from there jump to surrounding points of interest.
- New vulnerability detection notebooks: new Jupyter Notebooks are available to help you detect Buffer Overflow vulnerabilities and Uninitialized Memory vulnerabilities. The notebooks are available in the "Python API - Analyze" examples of the "Download" page of the Project Manager, as well as on our GitHub.
Important Compatibility Notes
- Reven version 2.8 is the first version of Reven to support Debian Buster and Python 3.7. As a result, support for Debian Stretch and Python 2.7 has been removed. See the migration guide (outdated) for more information on the upgrade process.
- Reven version 2.8 switches from Capstone to Zydis as its disassembler backend. This modifies the result of the `reven2.trace.Instruction.mnemonic` and `reven2.trace.Instruction.operands` methods, as well as the display of some instructions in Axion. For example, the instruction `xmmword ptr [rdi + rcx]` is now rendered as `xmmword ptr [rdi+rcx*1]`, the instruction `rep movsq qword ptr [rdi], qword ptr [rsi]` is now rendered as `rep movsq` (the operands are implicit), and the instruction `cmpltps xmm1, xmm0` is now rendered as `cmpps xmm1, xmm0, 0x1` (fixing both the mnemonic and the operands).
- The behavior of the `Tainter.simple_taint` and `TaintResultView.filter_by_context_range` functions has been modified in the way the `to_context` parameter is handled. Previously, the taint would not propagate through the `Transition` right before the `to_context` parameter; it now does. This means that a simple taint between context `c` and context `c + 1` will now propagate through the transition between context `c` and its successor context, whereas before it would not propagate through any transition at all.
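The rendering change described above can break analysis scripts that compare `Instruction.mnemonic` or `Instruction.operands` strings against expectations written for the Capstone backend. The following is an added example, not code from Reven or from these release notes: a small normalizer that rewrites the three Capstone-style forms listed above into the 2.8 rendering, so that such string comparisons keep working across the upgrade. It generalizes beyond the notes in two places, both assumptions about Zydis rather than documented behavior: every SSE compare pseudo-op (`cmpeq*` through `cmpord*`) is mapped to its Intel immediate predicate, and every string instruction (`movs`, `stos`, `lods`, `cmps`, `scas`) is treated as having implicit operands. Anything else is passed through unchanged.

```python
import re

# Rendering differences between Reven's former Capstone backend and the Zydis
# backend used from 2.8, as listed in the compatibility notes. Cases beyond
# those three are assumptions about Zydis, flagged in the comments.

PREFIXES = {"rep", "repe", "repz", "repne", "repnz", "lock"}

# String instructions whose operands Zydis leaves implicit. The notes only show
# `rep movsq`; extending this to the other string ops is an assumption.
STRING_OPS = re.compile(r"^(movs|stos|lods|cmps|scas)[bwdq]$")

# SSE/SSE2 compare pseudo-ops -> (real mnemonic, immediate predicate). The notes
# show cmpltps -> cmpps ..., 0x1; the other predicates use the Intel immediate
# encoding (assumption that Zydis renders them the same way).
_PREDICATES = ["eq", "lt", "le", "unord", "neq", "nlt", "nle", "ord"]
CMP_PSEUDO_OPS = {
    f"cmp{pred}{suffix}": (f"cmp{suffix}", imm)
    for suffix in ("ps", "pd", "ss", "sd")
    for imm, pred in enumerate(_PREDICATES)
}

# "[base+index" where the index register carries no explicit scale.
_BASE_INDEX = re.compile(r"\[([a-z][a-z0-9]*)\+([a-z][a-z0-9]*)(?=[\]+-])")


def split_instruction(text):
    """Split 'prefix mnemonic op1, op2' into (mnemonic with prefix, [operands])."""
    head, _, rest = text.strip().partition(" ")
    mnemonic = head.lower()
    if mnemonic in PREFIXES and rest.strip():
        second, _, rest = rest.strip().partition(" ")
        mnemonic = f"{mnemonic} {second.lower()}"
    operands = [op.strip() for op in rest.split(",")] if rest.strip() else []
    return mnemonic, operands


def normalize_memory_operand(operand):
    """'xmmword ptr [rdi + rcx]' -> 'xmmword ptr [rdi+rcx*1]'."""
    def compact(match):
        # Zydis prints no whitespace inside the brackets.
        return "[" + re.sub(r"\s+", "", match.group(1)) + "]"

    operand = re.sub(r"\[([^\]]*)\]", compact, operand)
    # An index register without an explicit scale gets the '*1' Zydis prints.
    return _BASE_INDEX.sub(r"[\1+\2*1", operand)


def normalize(text):
    """Rewrite a Capstone-style instruction string the way Reven 2.8 renders it."""
    mnemonic, operands = split_instruction(text)
    prefix, _, base = mnemonic.rpartition(" ")
    if STRING_OPS.match(base):
        return mnemonic  # operands are implicit in the Zydis rendering
    if base in CMP_PSEUDO_OPS:
        real, imm = CMP_PSEUDO_OPS[base]
        mnemonic = f"{prefix} {real}".strip()
        operands = operands + [hex(imm)]
    operands = [normalize_memory_operand(op) for op in operands]
    return mnemonic if not operands else f"{mnemonic} {', '.join(operands)}"


def same_instruction(expected, rendered):
    """Compare an instruction string written for either backend with one
    rendered by either backend, ignoring the rendering differences above."""
    return normalize(expected) == normalize(rendered)


if __name__ == "__main__":
    # Constructed inputs taken from the three cases in the compatibility notes.
    for old in ("movups xmm0, xmmword ptr [rdi + rcx]",
                "rep movsq qword ptr [rdi], qword ptr [rsi]",
                "cmpltps xmm1, xmm0"):
        print(f"{old!r:50} -> {normalize(old)!r}")
```

A script that previously checked `tr.instruction.mnemonic == "cmpltps"` can instead compare through `same_instruction`, which accepts either spelling; the normalizer is deliberately conservative and leaves displacements, segment overrides and everything not listed in the notes untouched.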
Improvements
Reven
- Taint performance has been improved up to x4 in some workloads (long taint with lots of tainted memory benefit most from the improvement)
- In the Python API `Taint.accesses` slicer, more instructions are reported as "accessed":
  - When the conditional flag is tainted in a conditional move or jump
  - When a tainted register is used to dereference memory
- Changed Reven's disassembler backend from Capstone to Zydis, yielding runtime improvements in performance and correctness.
- In the Enterprise edition, it is now possible to start and stop recording using the ASM stub, even when performing an automatic binary record. This allows for more flexibility in the record options.
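To make the "accessed" change in the `Taint.accesses` slicer concrete, here is an added example that is not Reven's code and does not use the `reven2` API: a toy forward taint slicer over a constructed instruction list. It distinguishes instructions whose output becomes tainted ("changed") from instructions that merely read tainted state ("accessed"), and the `extended` switch adds the two cases listed above, a conditional jump/move whose flag is tainted and a memory dereference through a tainted register. In this model taint still flows only through data operands; whether Reven propagates taint through those two cases is not stated in the notes and is not assumed here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Insn:
    """One instruction of a constructed trace (a model, not Reven's own types)."""
    addr: int
    text: str
    dest: str = ""               # register written by the instruction, "" if none
    srcs: tuple = ()             # registers read as data operands
    addr_regs: tuple = ()        # registers used to compute a memory address
    reads_flags: bool = False    # conditional move/jump
    writes_flags: bool = False   # compare/arithmetic that sets the flags


def slice_accesses(trace, initial, extended=True):
    """Forward-taint the `initial` registers through `trace`.

    Returns (accessed, changed): addresses of instructions that read tainted
    state, and addresses of instructions whose output (register or flags)
    becomes tainted. With extended=True, a conditional move/jump on a tainted
    flag and a memory access through a tainted register are also reported as
    accessed; they never taint their output in this model.
    """
    tainted = set(initial)
    accessed, changed = [], []
    for ins in trace:
        data_use = any(r in tainted for r in ins.srcs)
        flag_use = ins.reads_flags and "flags" in tainted
        addr_use = any(r in tainted for r in ins.addr_regs)
        if data_use or (extended and (flag_use or addr_use)):
            accessed.append(ins.addr)
        # Propagate through data operands only: an overwritten destination
        # becomes clean unless a tainted source fed it.
        if ins.dest:
            (tainted.add if data_use else tainted.discard)(ins.dest)
        if ins.writes_flags:
            (tainted.add if data_use else tainted.discard)("flags")
        if data_use and (ins.dest or ins.writes_flags):
            changed.append(ins.addr)
    return accessed, changed


# Constructed trace; rax is tainted on entry.
TRACE = [
    Insn(0x1000, "mov rcx, rax", dest="rcx", srcs=("rax",)),
    Insn(0x1003, "cmp rcx, 0x10", srcs=("rcx",), writes_flags=True),
    Insn(0x1007, "jb 0x1020", reads_flags=True),                       # flag tainted
    Insn(0x1009, "mov rdx, qword ptr [rcx]", dest="rdx", addr_regs=("rcx",)),  # tainted address
    Insn(0x100c, "mov rcx, 0x0", dest="rcx"),                          # clears rcx
    Insn(0x1013, "add rdx, rcx", dest="rdx", srcs=("rdx", "rcx"), writes_flags=True),
]


if __name__ == "__main__":
    by_addr = {ins.addr: ins.text for ins in TRACE}
    for extended in (False, True):
        accessed, changed = slice_accesses(TRACE, {"rax"}, extended=extended)
        print(f"extended={extended}")
        for addr in accessed:
            tag = "changed " if addr in changed else "accessed"
            print(f"  {tag} {addr:#x}: {by_addr[addr]}")
```

With `extended=False` the jump at 0x1007 and the load at 0x1009 are invisible to the slice even though their behavior depends on tainted data; with `extended=True` they appear as accessed but not changed, which is the distinction the `accesses` slicer now makes.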
Analysis Python API
- The accuracy of the `Transition.find_inverse` method has been improved so that it returns the correct transition in more cases.
- Added an example script `thread_id.py` to detect the current thread and find the transition where it was created. You can find it in the "Download" page of the Project Manager.
- The standalone Python API Debian package is now easier to use with the addition of a `sourceme` script. Please refer to the installation documentation for more information.
Axion
- The Backtrace view now skips "trampoline" calls by default. Trampoline calls are calls that immediately call another function selected dynamically by an indirect jump. It is desirable to skip them, since they muddle the backtrace and don't add any useful information.
- The accuracy of the "%" (find inverse) plugin has been improved so that it jumps to the correct transition in more cases.
- You can now choose the numeric base in which to display the register values in the CPU view.
- Displaying symbols in the Taint view is now optional.
VirtualBox
- VirtualBox is now shipped in version 6.1.18, which brings all the benefits of VirtualBox 6 to Reven, such as the major rework of the user interface and the support of host Linux kernels up to version 5.10. QEMU remains the recommended way to record scenarios for most usages.
Fixed issues
Analysis Python API
- `TaintResultView.filter_by_context_range` would raise an `AttributeError` when the `to_context` parameter was `None`.
- The provided `automatic-scenario-creation.py` example no longer fails attempting to replay the deprecated `binary_ranges` resource.
- `Context.find_register_change` could loop infinitely when invoked backward.
- `Context.find_register_change` could skip changes depending on the value of the technical `fetch_count` parameter.
- `Context.find_register_change` would mistakenly raise `AttributeError` when its `to_context` parameter was `None`.
Project Manager
- When recording a QEMU VM with UEFI enabled, the UEFI boot option is now passed correctly when replaying.
- External processes launched by the Project Manager are correctly terminated by clicking the various "Stop session" buttons.
- It was not possible to use OSSI without the kernel description and light filesystem resources. The snapshot filesystem can now be used if the light filesystem is not available.
- The Project Manager would sometimes fail to correctly terminate its subprocesses. This would lead to some zombie processes remaining on the server running the Project Manager, and in some cases would lead to a failure to stop a VM when clicking the "Stop VM" button.
- A superfluous and misleading error was displayed when attempting to replay without being able to delete all the necessary resources.