Smudge consists of the following components:
- scanner: Collect instructions to fuzz from standard binary programs
- fuzzer: Automatically determine instruction semantics and taint flow rules
- optimizer: Optimize taint rules generated by fuzzer
- dbi: Generate a DTA library for a given DBI from taint rules
A brief explanation can be found in the release notes, available on my website and also included here. These are written in a dialect of Markdown intended to be converted to a more readable form with Pandoc, but they are also readable as-is.
- Automatic inductive taint rule inference (inspired by TaintInduce)
- Multi-architecture, designed for easy portability to any Linux-based system
- Taint rules stored in IR format agnostic of DBI frontend
- Automatic optimization and generalization of taint rules
- Automatic generation of DTA library for DBI platform of choice, with reference implementation for Pin
- Libraries for IR parsing and shadow memory provided for low-effort portability to new DBI platforms
- Reference taint tracker optimized for speed and near-realtime use on real-world applications
- Reference taint tracker supports per-BB "taint summaries" for increased performance
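The three ideas above that carry the most weight, inductive inference of taint rules by fuzzing an instruction, applying those rules to byte-granular shadow state, and folding the rules of a basic block into one taint summary, are easier to see in a small model than in prose. The following is an added illustration written for this page; it is not Smudge's fuzzer, IR or Pin library. The 32-bit two-register machine, the instruction models (`insn_mov`, `insn_add`, `insn_and`, `insn_xor_self`) and the rule encoding are all constructed here as assumptions. Inference flips every input bit of random base states and records which output bytes change, which is the inductive approach TaintInduce takes; random sampling can miss dependencies that only appear for rare inputs (a carry chain in `add` crossing several bytes), which is why a real fuzzer must choose its inputs deliberately rather than rely on random trials alone.

```python
"""Toy model of inductive taint-rule inference and byte-granular taint
propagation. Constructed for illustration; it is not Smudge's fuzzer, IR
or Pin library, and the instruction models and register names are assumptions."""
import random

REG_BITS = 32
REG_BYTES = REG_BITS // 8
MASK = (1 << REG_BITS) - 1
REGS = ("eax", "ebx")

# Instruction models: each maps a register state {reg: int} to the new state.
def insn_mov(s):       # mov eax, ebx
    return {**s, "eax": s["ebx"]}

def insn_add(s):       # add eax, ebx
    return {**s, "eax": (s["eax"] + s["ebx"]) & MASK}

def insn_and(s):       # and eax, ebx
    return {**s, "eax": s["eax"] & s["ebx"]}

def insn_xor_self(s):  # xor eax, eax  (the "zero a register" idiom)
    return {**s, "eax": s["eax"] ^ s["eax"]}


def infer_rule(insn, trials=64, seed=1):
    """Inductively infer a byte-granular taint rule for `insn`.

    For random base states, flip every input bit and record which output
    bytes change. Result: {(out_reg, out_byte): set of (in_reg, in_byte)}.
    Dependencies that show up only for rare inputs (e.g. a carry chain
    crossing several bytes in `add`) can be missed by random sampling.
    """
    rng = random.Random(seed)
    rule = {(r, b): set() for r in REGS for b in range(REG_BYTES)}
    for _ in range(trials):
        base = {r: rng.getrandbits(REG_BITS) for r in REGS}
        out0 = insn(base)
        for in_reg in REGS:
            for bit in range(REG_BITS):
                out1 = insn({**base, in_reg: base[in_reg] ^ (1 << bit)})
                for out_reg in REGS:
                    diff = out0[out_reg] ^ out1[out_reg]
                    for ob in range(REG_BYTES):
                        if (diff >> (8 * ob)) & 0xFF:
                            rule[(out_reg, ob)].add((in_reg, bit // 8))
    return rule


def propagate(rule, shadow):
    """Apply a rule to shadow state {reg: [tainted?] * REG_BYTES}.

    An output byte is tainted iff any byte it depends on is tainted.
    Registers the instruction does not write keep their taint through
    the identity dependencies the inference records for them.
    """
    return {
        out_reg: [any(shadow[ir][ib] for ir, ib in rule[(out_reg, ob)])
                  for ob in range(REG_BYTES)]
        for out_reg in REGS
    }


def compose(first, second):
    """Fold two consecutive rules into one summary rule (per-BB taint summary):
    taint reaches an output of `second` from any input of `first` that feeds
    an intermediate byte `second` reads. Applying the summary once equals
    applying the two rules in sequence."""
    return {out: {src for mid in deps for src in first[mid]}
            for out, deps in second.items()}


def summarize_block(insns):
    """Infer one rule per instruction and fold them into a block summary."""
    rules = [infer_rule(i) for i in insns]
    summary = rules[0]
    for r in rules[1:]:
        summary = compose(summary, r)
    return summary


if __name__ == "__main__":
    for name, insn in [("mov", insn_mov), ("add", insn_add),
                       ("and", insn_and), ("xor self", insn_xor_self)]:
        rule = infer_rule(insn)
        print(f"{name:9s} eax[0] <- {sorted(rule[('eax', 0)])}")
    # Block: xor eax,eax ; add eax,ebx  -- eax's incoming taint is dead.
    summary = summarize_block([insn_xor_self, insn_add])
    shadow = {"eax": [True] * REG_BYTES, "ebx": [False] * REG_BYTES}
    print("after block, eax taint:", propagate(summary, shadow)["eax"])
```

Two things the model makes visible: `xor eax, eax` infers to an empty dependency set, so a semantics-derived rule clears the register where a naive "outputs depend on all inputs" rule would keep it tainted, and the summary for `xor eax, eax; add eax, ebx` drops the incoming taint of `eax` entirely, which is the saving a per-block summary buys over applying each instruction's rule in turn.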
Dependencies:
- Capstone (for fuzzer): http://www.capstone-engine.org/
- Keystone (for fuzzer): http://www.keystone-engine.org/
- Espresso (for fuzzer, included)
- Yacc/bison (for parser generation)
- Pin 3.x (for reference taint tracker, tested with Pin 3.17)
- nasm
These architectures are currently supported:
- x86-64
Smudge attempts to minimize the amount of architecture-specific code, but in some cases it's unavoidable. Here's a list of the architecture-specific components. To support a new architecture, you'll have to update these components (a few hours' work).
fuzzer:
- The Makefile
- The analyzer process (analyzer-.s)
- Enumerations of registers and architecture-specific quirks (arch.h and arch.cc)
- Architecture-specific disassembly routines for parsing instruction operands (disasm.cc)
- Architecture-specific ptrace code (iface_ptrace.cc)
dbi:
- Smudge provides a reference taint tracking library for Pin, so it is x86 only
Smudge is licensed under GPL v3 (see the file COPYING). This applies to the original source, but not to dependencies I have included for convenience in the bin folder (e.g. Capstone and Keystone) and the lib folder (e.g. Espresso). Those projects come with their own licenses.