CONTENTS
========

This directory contains the data files for the "V8 OOB write to JIT code
pages" benchmark (listed under "Exploit Analysis" in the paper), which is
described in:

    Oliver Chang. 2017. Exploiting a V8 OOB write.
    https://halbecaf.com/2017/05/24/exploiting-a-v8-oob-write/

The files in this directory are:

  - trace.out : trace file (binary)

  - slice_criterion.txt : gives the slice criterion used in the paper
    "Representing and Reasoning about Dynamic Code" (ASE 2020) together
    with the expected output.

  - slice_criterion-NOP.txt : gives the slice criterion for starting with
    a NOP instruction generated as part of the NOP sled in the generated
    shellcode.

  - REF-SLICE.txt : reference slice obtained using the slicer tool.

  - REF-SLICE-NOP.txt : reference slice obtained using the slicer tool for
    the slice starting with the NOP instruction in the generated NOP sled.

  - SLICE-SHOULD-CONTAIN.txt : a file containing addresses of instructions
    that should be contained in the computed slice for correctness.

  - SLICE-SHOULD-CONTAIN-NOP.txt : a file containing addresses of
    instructions that should be contained in the computed slice starting
    with the NOP instruction in the generated NOP sled.

A text version of the trace file, obtained by applying the trace2ascii
tool to the trace.out file, is available in the parent directory of this
directory. The format of this file is described below. This file is not
an essential part of the dataset but is provided for the benefit of
curious readers.

DETAILS OF THE BUG
==================

    Oliver Chang. 2017. Exploiting a V8 OOB write.
    https://halbecaf.com/2017/05/24/exploiting-a-v8-oob-write/

USING THE DATA
==============

1. For the slice starting at the OOB write:

   Run the slicer as follows:

       /slicer -i trace.out -a 0x102e66c3e809 -p -o OUTFILE

   This will write the computed slice into the file OUTFILE.

   To check correctness of the computed slice, the command

       grep -c -f SLICE-SHOULD-CONTAIN.txt OUTFILE

   should produce the same value as the command

       wc -l SLICE-SHOULD-CONTAIN.txt

   (If these two values are the same, this means that each address
   mentioned in the file SLICE-SHOULD-CONTAIN.txt occurs in the slice
   computed into the file OUTFILE.)

2. For the slice starting at a generated NOP instruction in the NOP sled:

   Run the slicer as follows:

       /slicer -i trace.out -a 0x102e66c3e800 -p -o OUTFILE

   This will write the computed slice into the file OUTFILE.

   To check correctness of the computed slice, the command

       grep -c -f SLICE-SHOULD-CONTAIN-NOP.txt OUTFILE

   should produce the same value as the command

       wc -l SLICE-SHOULD-CONTAIN-NOP.txt

   (If these two values are the same, this means that each address
   mentioned in the file SLICE-SHOULD-CONTAIN-NOP.txt occurs in the slice
   computed into the file OUTFILE.)

ASCII TRACE FORMAT
==================

The file 'ascii-trace.txt' is produced by the trace2ascii tool applied to
the binary trace file 'trace.out'. It lists the instructions in the file
'trace.out' in the order in which they occur in the trace, one
instruction per line. Each line consists of a sequence of
semicolon-delimited fields in the following order:

  - position in the trace (start = 0);
  - thread id;
  - instruction address;
  - file the instruction originated in;
  - function the instruction belongs to;
  - binary encoding of the instruction (a sequence of bytes, in hex);
  - instruction mnemonic;
  - register and memory values read and written by the instruction.
    These are labeled as follows (all numbers are in hex format):

      - R:reg=val       the value val is read from register reg
      - W:reg=val       the value val is written to register reg
      - MR[addr]=val    the value val is read from memory location addr
      - MW[addr]=val    the value val is written to memory location addr
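
Added example (not part of the dataset or of the slicer/trace2ascii tools): a Python reader for the line format described above that reports executed instructions whose bytes were named by an earlier MW entry, the written-then-executed pattern this benchmark exercises. The sample lines are constructed; the space-separated value entries and encoding bytes, and the file/function labels, are assumptions about the tool's output.

```python
import re

# Entries as labelled in the README: R:reg=val, W:reg=val, MR[addr]=val,
# MW[addr]=val. The separator between entries is not specified there, so
# the regex scans the last field instead of splitting it (assumption).
ENTRY = re.compile(r"(MR|MW)\[([0-9a-fA-Fx]+)\]=([0-9a-fA-Fx]+)"
                   r"|\b(R|W):(\w+)=([0-9a-fA-Fx]+)")

def parse_line(line):
    """Split one ascii-trace line into the eight fields the README lists."""
    f = [p.strip() for p in line.rstrip("\n").split(";", 7)]
    if len(f) < 7:
        raise ValueError("expected 8 semicolon-delimited fields: %r" % line)
    f += [""] * (8 - len(f))          # tolerate a missing (empty) value field
    pos, tid, addr, src, func, enc, mnem, vals = f
    mem, regs = [], []
    for m in ENTRY.finditer(vals):
        if m.group(1):
            mem.append((m.group(1), int(m.group(2), 16), int(m.group(3), 16)))
        else:
            regs.append((m.group(4), m.group(5), int(m.group(6), 16)))
    size = len(re.sub(r"\s+", "", enc)) // 2   # instruction length in bytes
    return {"pos": pos, "tid": tid, "addr": int(addr, 16), "file": src,
            "func": func, "size": size, "mnem": mnem, "mem": mem, "regs": regs}

def written_then_executed(lines):
    """Return (exec position, exec address, write position) for dynamic code."""
    written, hits = {}, []   # written: address -> position of last MW naming it
    for line in lines:
        if not line.strip():
            continue
        ins = parse_line(line)
        # Only the address named in MW[addr] is tracked, not the write width.
        for a in range(ins["addr"], ins["addr"] + ins["size"]):
            if a in written:
                hits.append((ins["pos"], hex(ins["addr"]), written[a]))
                break
        for kind, a, _ in ins["mem"]:
            if kind == "MW":
                written[a] = ins["pos"]
    return hits

# Constructed sample lines (not taken from trace.out or ascii-trace.txt).
SAMPLE = """\
0;0;0x401000;a.out;main;48 89 07;mov;R:rax=90 R:rdi=7f0000001000 MW[7f0000001000]=90
1;0;0x401003;a.out;main;ff e7;jmp;R:rdi=7f0000001000
2;0;0x7f0000001000;unknown;unknown;90;nop;
"""
```

Calling written_then_executed(SAMPLE.splitlines()) reports the instruction at position 2 as executing bytes written at position 0.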