[klee-dev] Does klee support for function return address

Paul Marinescu paul.marinescu at imperial.ac.uk
Wed Sep 10 15:12:54 BST 2014


No, there is no such function.
This paper http://security.ece.cmu.edu/aeg/aeg-current.pdf discusses the problem in detail.

Paul

On 10 Sep 2014, at 14:34, Jonathan Neuschäfer <j.neuschaefer at gmx.net> wrote:

> On Wed, Sep 10, 2014 at 09:56:19AM +0800, 高凤娟 wrote:
>> Hi,
>> Is there any function that gives us the distance between the buffer and the
>> return address? I'm trying to detect buffer overflow. In order to make sure the
>> buffer overflow detected is a dangerous one, I want to know if the overflowed
>> string overlaps the return address. For example:
>>
>>     ..... (other code)
>>     char a[2];
>>     char b[6];
>>     klee_make_symbolic(b, sizeof(b), "b");
>>     strcpy(a, b);
>>
>> I want to know the distance between a[1] and the return address. Sorry for my
>> poor English... Can anyone help me?
>> Many thanks in advance.
>> -------------------------------
>> Richel Gao
> 
> I am not very familiar with KLEE, but the distance of a stack variable
> to the return address depends on the compiler, the CPU architecture and
> maybe the operating system. Furthermore, today's compilers may use stack
> canaries[1] to make exploitation harder in case the return address is
> overwritten.
> 
> If you've found a buffer overflow and want to know if it will be able to
> overwrite the return address you should probably disassemble the
> compiled program (or ask the compiler to give you the intermediate
> assembler code), and then check this yourself. A debugger may also help.
> 
> If you've found a bunch of buffer overflows and are thinking about which
> of them you will fix, please fix all of them.
> 
> 
> Hope that helps,
> Jonathan Neuschäfer
> 
> [1] https://en.wikipedia.org/wiki/Buffer_overflow_protection
> 
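The harness below is an added example and is not code from the klee-dev thread or from the KLEE project. It puts the copy from the original question next to a bounded version, and wraps both in a program that runs natively or, when built with the example's own `USE_KLEE` macro (an assumption of this example, not a macro KLEE defines), under KLEE with `b` made symbolic via the real `klee_make_symbolic(addr, nbytes, name)` call. The point it illustrates is Jonathan's: KLEE already reports the out-of-bounds write in `strcpy(a, b)` as a memory error without any notion of where the return address sits, and the right response to that report is the bounded copy, not a measurement of how far the overflow reaches.

```c
/* Added example (not from the klee-dev thread or the KLEE project).
 * USE_KLEE is a build macro chosen for this example only:
 *   native: cc -Wall example.c && ./a.out
 *   KLEE:   clang -emit-llvm -c -DUSE_KLEE example.c && klee example.bc
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#ifdef USE_KLEE
#include <klee/klee.h>
#endif

#define DST_LEN 2   /* char a[2] from the question */
#define SRC_LEN 6   /* char b[6] from the question */

/* The copy from the question: strcpy() writes every byte of src up to its
 * NUL into a 2-byte buffer. Under KLEE the out-of-bounds store is reported
 * as a memory error on its own. Kept here for comparison; never called. */
void copy_unchecked(char dst[DST_LEN], const char *src)
{
    strcpy(dst, src);
}

/* Bounded replacement: copies src (including its NUL) only if it fits in dst.
 * Returns 0 on success, -1 if the input would not fit; dst is untouched then.
 * src_len bounds the scan so an unterminated source is never read past. */
static int copy_bounded(char *dst, size_t dst_len, const char *src, size_t src_len)
{
    size_t n = 0;
    while (n < src_len && src[n] != '\0')
        n++;
    if (n == src_len)       /* no terminator inside the source buffer */
        return -1;
    if (n + 1 > dst_len)    /* string plus NUL does not fit in dst */
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Harness over the question's layout: a[2] as destination, a 6-byte source.
 * Returns the bounded copy's result so a caller or test can check it. */
static int run_copy(const char src[SRC_LEN])
{
    char a[DST_LEN];
    return copy_bounded(a, sizeof a, src, SRC_LEN);
}

int main(void)
{
    char b[SRC_LEN];
#ifdef USE_KLEE
    /* Every byte of b is symbolic; KLEE explores both the "fits" and the
     * "rejected" paths of copy_bounded without any overflow occurring. */
    klee_make_symbolic(b, sizeof b, "b");
#else
    /* Constructed input for a native run: 5 characters plus NUL, which does
     * not fit in a[2] and is therefore rejected. */
    memcpy(b, "hello", sizeof b);
#endif
    int rc = run_copy(b);
    printf("copy_bounded: %s\n", rc == 0 ? "ok" : "rejected (would overflow)");
    return 0;
}
```

Built with `-DUSE_KLEE`, the same harness with `copy_unchecked` in place of `copy_bounded` is what reproduces the question's situation: KLEE emits a memory-error test case for the `strcpy`, which is the signal that the overflow exists regardless of what lies beyond `a`.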
