dominator's Issues

Segfault on GC

Getting a segmentation fault while running unit_tests.js

Array map new Array A string abcdefghilmnopqrstuvz.tainted true
Array map new Array A string 1234567890.tainted true
Array join v.tainted
[Ko] String in Object test Object.keys(obj)[1].tainted 'd' in obj String in Object tainted keys Object.keys(obj)[1].tainted
GCCalled

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000010
0x00000001000d7cc4 in js::gc::MarkGCThing (trc=, thing=Cannot access memory at address 0xffffffffffffffef
) at dominator/js/src/jsgcmark.cpp:435
435 JS_SET_TRACING_NAME(trc, name);

(gdb) bt
#0 0x00000001000d7cc4 in js::gc::MarkGCThing (trc=, thing=0x0, name=) at dominator/js/src/jsgcmark.cpp:435
#1 0x0000000100089579 in markLiveObjects (cx=0x0, theStatus=JSGC_END) at dominator/js/src/taint.cpp:261
#2 0x00000001000bef67 in MarkAndSweep (cx=, comp=, gckind=, gcTimer=@0x10400c208) at dominator/js/src/jsgc.cpp:2298
#3 0x00000001000c0901 in GCCycle (cx=, comp=, gckind=, gcTimer=@0x181e414a3) at dominator/js/src/jsgc.cpp:2653
#4 0x00000001000c0c0f in js_GC (cx=, comp=, gckind=) at dominator/js/src/jsgc.cpp:2739
#5 0x000000010007373c in js_DestroyContext (cx=0x100510148, mode=JSDCM_MAYBE_GC) at dominator/js/src/jscntxt.cpp:533
#6 0x00000001000417f5 in JS_DestroyContext (cx=0x7fff5fbff440) at dominator/js/src/jsapi.cpp:1014
#7 0x000000010000999a in DestroyContext (cx=Cannot access memory at address 0xffffffffffffffe7

) at dominator/js/src/shell/js.cpp:5215
#8 0x0000000100014158 in main (argc=Cannot access memory at address 0xffffffffffffff1b

) at dominator/js/src/shell/js.cpp:5674
(gdb)

tainted flag propagation through Function's constructor

I believe the following case is missing; I wonder if it is something we should add:

var s = String.newTainted("foo"); // "foo" will be potential attack payload
s.tainted; // true
var f = new Function("", "return '" + s + "';");
var x = f();   // x is now "foo", but...
x.tainted; // currently false - I believe should be true to avoid losing the propagation of the tainted flag, right?

tainted flag is not propagated through RegExp.source()

The tainted flag is not propagated through the RegExp.source() method:

var s = new StringTainted("foo");  // "foo" is the attack payload
s.tainted;  // true
var re = new RegExp('/' + s + '/', 'g');
var src = re.source(); // "\/foo\/" - the attack payload inside
src.tainted; // false, should be true

Let me know if you consider this a valid case; I can add it to tainttests/unit_tests.js.

Can't get DominatorPro tab on Firebug

I tried reinstalling, and I have the Visual C++ redistributable too, but all in vain. It is the Pro trial on Windows 7 x64; however, I can't get it to work. Please help.

Ubuntu +13 launching errors

I tried to run
./dominator.sh
and got:
./dominator.sh: line 4: 4158 Segmentation fault
LD_LIBRARY_PATH=$DIRN:$LD_LIBRARY_PATH $DIRN/firefox -NO-REMOTE $@

dominator compile fails on Mac OS / Lion (64-bit)

Compilation of the up-to-date source fails with an asm error (I could attach the full error if it's possible):

/usr/bin/gcc -o x86state.o -c -fvisibility=hidden -DTHEORA_DISABLE_ENCODE -DOC_X86_ASM -DOC_X86_64_ASM -DOSTYPE="Darwin11.4.0" -DOSARCH=Darwin -I/Users/dsavints/dev/hack/dominator/media/libtheora/lib -I/Users/dsavints/dev/hack/dominator/media/libtheora/lib -I. -I../../../dist/include -I../../../dist/include/nsprpub -I/Users/dsavints/dev/hack/dominator/ff-taintOPT/dist/include/nspr -I/Users/dsavints/dev/hack/dominator/ff-taintOPT/dist/include/nss -fPIC -DTAINTED=1 -Wall -W -Wno-unused -Wpointer-arith -Wdeclaration-after-statement -Wcast-align -W -DTAINTED=1 -fno-strict-aliasing -fno-common -pthread -DNO_X11 -pipe -DNDEBUG -DTRIMMED -g -O3 -fomit-frame-pointer -DTAINTED=1 -include ../../../mozilla-config.h -DMOZILLA_CLIENT -MD -MF .deps/x86state.pp /Users/dsavints/dev/hack/dominator/media/libtheora/lib/x86/x86state.c
x86cpu.c
/usr/bin/gcc -o x86cpu.o -c -fvisibility=hidden -DTHEORA_DISABLE_ENCODE -DOC_X86_ASM -DOC_X86_64_ASM -DOSTYPE="Darwin11.4.0" -DOSARCH=Darwin -I/Users/dsavints/dev/hack/dominator/media/libtheora/lib -I/Users/dsavints/dev/hack/dominator/media/libtheora/lib -I. -I../../../dist/include -I../../../dist/include/nsprpub -I/Users/dsavints/dev/hack/dominator/ff-taintOPT/dist/include/nspr -I/Users/dsavints/dev/hack/dominator/ff-taintOPT/dist/include/nss -fPIC -DTAINTED=1 -Wall -W -Wno-unused -Wpointer-arith -Wdeclaration-after-statement -Wcast-align -W -DTAINTED=1 -fno-strict-aliasing -fno-common -pthread -DNO_X11 -pipe -DNDEBUG -DTRIMMED -g -O3 -fomit-frame-pointer -DTAINTED=1 -include ../../../mozilla-config.h -DMOZILLA_CLIENT -MD -MF .deps/x86cpu.pp /Users/dsavints/dev/hack/dominator/media/libtheora/lib/x86/x86cpu.c
cc1: error in backend: Invalid operand found in inline asm: '#OC_ROW_IDCT_10
#OC_IDCT_BEGIN_10
movq (3)*16-8+${1:H},%mm2
nop
movq 0x30-8+${2:H},%mm6
movq %mm2,%mm4
movq 0x50-8+${2:H},%mm1
pmulhw %mm6,%mm4
movq (1)*16-8+${1:H},%mm3
pmulhw %mm2,%mm1
movq 0x10-8+${2:H},%mm0
paddw %mm2,%mm4
pxor %mm6,%mm6
paddw %mm1,%mm2
movq (2)*16-8+${1:H},%mm5
pmulhw %mm3,%mm0
movq %mm5,%mm1
paddw %mm3,%mm0
pmulhw 0x70-8+${2:H},%mm3
psubw %mm2,%mm6
pmulhw 0x20-8+${2:H},%mm5
psubw %mm4,%mm0
movq (2)*16-8+${1:H},%mm7
paddw %mm4,%mm4
paddw %mm5,%mm7
paddw %mm0,%mm4
pmulhw 0x60-8+${2:H},%mm1
psubw %mm6,%mm3
movq %mm4,(1)*16-8+${0:H}
paddw %mm6,%mm6
movq 0x40-8+${2:H},%mm4
paddw %mm3,%mm6
movq %mm3,%mm5
pmulhw %mm4,%mm3
movq %mm6,(2)*16-8+${0:H}
movq %mm0,%mm2
movq (0)*16-8+${1:H},%mm6
pmulhw %mm4,%mm0
paddw %mm3,%mm5
paddw %mm0,%mm2
psubw %mm1,%mm5
pmulhw %mm4,%mm6
paddw (0)*16-8+${1:H},%mm6
paddw %mm1,%mm1
movq %mm6,%mm4
paddw %mm5,%mm1
psubw %mm2,%mm6
paddw %mm2,%mm2
movq (1)*16-8+${0:H},%mm0
paddw %mm6,%mm2
psubw %mm1,%mm2
nop
#end OC_IDCT_BEGIN_10
movq (2)*16-8+${0:H},%mm3
psubw %mm7,%mm4
paddw %mm1,%mm1
paddw %mm7,%mm7
paddw %mm2,%mm1
paddw %mm4,%mm7
psubw %mm3,%mm4
paddw %mm3,%mm3
psubw %mm5,%mm6
paddw %mm5,%mm5
paddw %mm4,%mm3
paddw %mm6,%mm5
psubw %mm0,%mm7
paddw %mm0,%mm0
movq %mm1,(1)*16-8+${0:H}
paddw %mm7,%mm0
#end OC_ROW_IDCT_10
#OC_TRANSPOSE
movq %mm4,%mm1
punpcklwd %mm5,%mm4
movq %mm0,(0)*16-8+${0:H}
punpckhwd %mm5,%mm1
movq %mm6,%mm0
punpcklwd %mm7,%mm6
movq %mm4,%mm5
punpckldq %mm6,%mm4
punpckhdq %mm6,%mm5
movq %mm1,%mm6
movq %mm4,((4)-4)*16+8-8+${0:H}
punpckhwd %mm7,%mm0
movq %mm5,((5)-4)*16+8-8+${0:H}
punpckhdq %mm0,%mm6
movq (0)*16-8+${0:H},%mm4
punpckldq %mm0,%mm1
movq (1)*16-8+${0:H},%mm5
movq %mm4,%mm0
movq %mm6,((7)-4)*16+8-8+${0:H}
punpcklwd %mm5,%mm0
movq %mm1,((6)-4)*16+8-8+${0:H}
punpckhwd %mm5,%mm4
movq %mm2,%mm5
punpcklwd %mm3,%mm2
movq %mm0,%mm1
punpckldq %mm2,%mm0
punpckhdq %mm2,%mm1
movq %mm4,%mm2
movq %mm0,(0)*16-8+${0:H}
punpckhwd %mm3,%mm5
movq %mm1,(1)*16-8+${0:H}
punpckhdq %mm5,%mm4
punpckldq %mm5,%mm2
movq %mm4,(3)*16-8+${0:H}
movq %mm2,(2)*16-8+${0:H}
#end OC_TRANSPOSE
#OC_COLUMN_IDCT_10
#OC_IDCT_BEGIN_10
movq (3)*16-8+${0:H},%mm2
nop
movq 0x30-8+${2:H},%mm6
movq %mm2,%mm4
movq 0x50-8+${2:H},%mm1
pmulhw %mm6,%mm4
movq (1)*16-8+${0:H},%mm3
pmulhw %mm2,%mm1
movq 0x10-8+${2:H},%mm0
paddw %mm2,%mm4
pxor %mm6,%mm6
paddw %mm1,%mm2
movq (2)*16-8+${0:H},%mm5
pmulhw %mm3,%mm0
movq %mm5,%mm1
paddw %mm3,%mm0
pmulhw 0x70-8+${2:H},%mm3
psubw %mm2,%mm6
pmulhw 0x20-8+${2:H},%mm5
psubw %mm4,%mm0
movq (2)*16-8+${0:H},%mm7
paddw %mm4,%mm4
paddw %mm5,%mm7
paddw %mm0,%mm4
pmulhw 0x60-8+${2:H},%mm1
psubw %mm6,%mm3
movq %mm4,(1)*16-8+${0:H}
paddw %mm6,%mm6
movq 0x40-8+${2:H},%mm4
paddw %mm3,%mm6
movq %mm3,%mm5
pmulhw %mm4,%mm3
movq %mm6,(2)*16-8+${0:H}
movq %mm0,%mm2
movq (0)*16-8+${0:H},%mm6
pmulhw %mm4,%mm0
paddw %mm3,%mm5
paddw %mm0,%mm2
psubw %mm1,%mm5
pmulhw %mm4,%mm6
paddw (0)*16-8+${0:H},%mm6
paddw %mm1,%mm1
movq %mm6,%mm4
paddw %mm5,%mm1
psubw %mm2,%mm6
paddw %mm2,%mm2
movq (1)*16-8+${0:H},%mm0
paddw %mm6,%mm2
psubw %mm1,%mm2
nop

tainted flag not propagated in a function defined with eval() and its toSource() value

Consider the following example:

var s = String.newTainted("foo"); // "foo" is the potential attack payload
s.tainted; // true, of course
eval("function myfun() {return '" + s + "';}"); // define function myfun() that returns the tainted string
var x = myfun();  // invoke the newly defined function
x.tainted; // currently false, should be true

Additionally, consider the return value of toSource() call that also contains the attack payload:

var src = myfun.toSource(); // "function myfun() {return 'foo';}" - the attack payload is inside
src.tainted; // currently false, should be true
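The three propagation gaps reported above (the Function constructor, RegExp source, and eval-defined functions with toSource) come down to one rule: a value derived from source text that embeds a tainted fragment is itself tainted. The block below is an added example, not DOMinator's code, that models this rule in plain JavaScript so it runs in Node without the patched engine. TStr stands in for DOMinator's engine-level tainted string; join, taintedFunction, taintedEval, TRegExp and runScenarios are hypothetical helper names, and the "foo" payload is constructed input.

```javascript
// Added example, not DOMinator code: a userland model of the propagation rule the
// three issues above ask for. DOMinator tracks taint on string primitives inside
// SpiderMonkey; here the TStr wrapper stands in for a tainted string, and the
// helpers taintedFunction / taintedEval / TRegExp are hypothetical stand-ins for
// the engine hooks. Rule modelled: anything derived from source text that embeds a
// tainted fragment is tainted (conservatively: every string such code returns).

class TStr {
  constructor(value, tainted = false) {
    this.value = String(value);
    this.tainted = Boolean(tainted);
  }
  static newTainted(value) { return new TStr(value, true); } // models String.newTainted
  toString() { return this.value; }
}

// Lift plain strings into TStr (untainted) so the helpers accept either form.
const lift = (x) => (x instanceof TStr ? x : new TStr(x, false));

// String concatenation: the taint survives if any fragment was tainted.
function join(...parts) {
  const ps = parts.map(lift);
  return new TStr(ps.map((p) => p.value).join(""), ps.some((p) => p.tainted));
}

// Wrap a function compiled from `src`: string results and the function's own
// source text inherit the taint of `src`; non-string results pass through.
function wrapCompiled(fn, src) {
  const wrapped = function (...args) {
    const r = fn.apply(this, args);
    return typeof r === "string" ? new TStr(r, src.tainted) : r;
  };
  wrapped.toSource = () => new TStr(fn.toString(), src.tainted); // models Function.prototype.toSource
  return wrapped;
}

// new Function(args, body) with taint carried from either argument into the result.
function taintedFunction(args, body) {
  const a = lift(args), b = lift(body);
  const src = new TStr(b.value, a.tainted || b.tainted);
  return wrapCompiled(new Function(a.value, b.value), src);
}

// eval(src): indirect eval runs in global scope, so a `function name() {}` in src
// becomes a property of globalThis; wrap every function it declared and taint the
// completion value if it is a string.
function taintedEval(src) {
  const s = lift(src);
  const before = new Set(Object.getOwnPropertyNames(globalThis));
  const result = (0, eval)(s.value);
  for (const name of Object.getOwnPropertyNames(globalThis)) {
    if (!before.has(name) && typeof globalThis[name] === "function") {
      globalThis[name] = wrapCompiled(globalThis[name], s);
    }
  }
  return typeof result === "string" ? new TStr(result, s.tainted) : result;
}

// RegExp whose source text remembers whether the pattern string was tainted.
class TRegExp extends RegExp {
  constructor(pattern, flags) {
    const p = lift(pattern);
    super(p.value, flags);
    this.sourceTainted = p.tainted;
  }
  taintedSource() { return new TStr(super.source, this.sourceTainted); } // models re.source
}

// The three scenarios from the issues, plus an untainted control; returns the flags.
function runScenarios() {
  const s = TStr.newTainted("foo"); // constructed stand-in for an attacker payload
  const f = taintedFunction("", join("return '", s, "';"));
  const re = new TRegExp(join("/", s, "/"), "g");
  taintedEval(join("function myfun() { return '", s, "'; }"));
  const viaEval = globalThis.myfun();
  const clean = taintedFunction("", "return 'bar';")(); // no tainted input: stays clean
  return {
    functionCtor: f().tainted,
    regexpSource: re.taintedSource().tainted,
    evalDefined: viaEval.tainted,
    evalToSource: globalThis.myfun.toSource().tainted,
    untouched: clean.tainted,
  };
}
```

The model is deliberately conservative: every string a function compiled from tainted source returns is marked tainted, even one not built from the payload, which trades precision for never losing the flag at a sink. An engine-level implementation can be more precise because it sees which tokens came from the tainted fragment. runScenarios() returns the five flags so they can be checked in a test.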

installation of DOMinator on Mac Lion

Hello wisec

I have compiled DOMinator successfully on a Mac Lion machine recently, with some adjustments, in this branch:
https://github.com/neraliu/DOMinator/tree/maclionbuild

uname -a
Darwin clockenemy-lm 11.4.0 Darwin Kernel Version 11.4.0: Mon Apr 9 19:33:05 PDT 2012; root:xnu-1699.26.8~1/RELEASE_I386 i386 i386

However, when I follow these installation instructions, I found out that the DOMinator Extension is missing from the final build. Am I missing something?
http://code.google.com/p/dominator/wiki/InstallationInstructions
