We use ptrace
to instrument system calls made by the target program to detect
various vulnerabilities.
This detector currently works by
- Checking if
execve
is called with/tmp/tripwire
(which comes from our dictionary). - Checking if
execve
is invoking a shell with invalid syntax. This is likely caused by our input.
TODO: documentation.
Note this will delete /tmp/tripwire if it exists.
make clean
Note this will overwrite /tmp/tripwire if it exists.
make test
Look for one of the following lines:
===BUG DETECTED: Shell injection===
which indicates the detection of executing the planted /tmp/tripwire
.
===BUG DETECTED: Shell corruption===
which indicates the detection of executing a syntactic erroneous command.
With SystemSan
, Artheris
can detect a shell injection bug in version v1.5.10 of pytorch-lightning
.
make pytorch-lightning-1.5.10
With SystemSan
, Jsfuzz
can detect a shell corrpution bug in the latest version (v1.7.3) of shell-quote
without any seed.
make node-shell-quote-v1.7.3
This is based on a shell injection exploit report of version v1.7.2 of shell-quote
.
SystemSan
can also discover the same shell injection bug with a corpus file containing:
`:`/tmp/tripwire``:`