
satc's Introduction

SaTC

Chinese Version.

A prototype of Shared-keywords aware Taint Checking (SaTC), a static analysis method that tracks user input between the front end and the back end to discover vulnerabilities effectively and efficiently.

Overview of SaTC

Research paper

We present our approach in the following research paper accepted at the 30th USENIX Security Symposium:

Sharing More and Checking Less: Leveraging Common Input Keywords to Detect Bugs in Embedded Systems [PDF]

Running Environment

We provide a usable Docker environment and a Dockerfile that can be used to build Docker images.

Use the prebuilt Docker image directly

# Get the image from Docker Hub
docker pull smile0304/satc

# Run SaTC (add your own directory mapping)
docker run -v <mapping>:<mapping> -it smile0304/satc

Or build it from the Dockerfile

# Change to the SaTC code directory
cd SaTC

# Use the Dockerfile to build the Docker image
docker build . -t satc

# Run SaTC (add your own directory mapping)
docker run -v <mapping>:<mapping> -it satc

Instructions for running this tool

Usage: satc.py [-h] -d /root/path/_ac18.extracted -o /root/output
               [--ghidra_script {ref2sink_cmdi,ref2sink_bof,share2sink,ref2share,all}]
               [--save_ghidra_project] --taint_check
               [-b /var/ac18/bin/httpd | -l 3]

Arguments:
  -h, --help            Show detailed help
  -d /root/path/_ac18.extracted, --directory /root/path/_ac18.extracted
                        File system extracted from the firmware
  -o /root/output, --output /root/output
                        Directory where results are saved
  --ghidra_script {ref2sink_cmdi,ref2sink_bof,share2sink,ref2share,all}
                        (Optional) Specify the Ghidra script to be used. If you use `all`, the three scripts `ref2sink_cmdi`, `ref2sink_bof` and `ref2share` are run at the same time
  --ref2share_result /root/path/ref2share_result
                        (Optional) When running the `share2sink` Ghidra script, use this parameter to specify the output of the `ref2share` script
  --save_ghidra_project (Optional) Save the Ghidra project generated during analysis
  --taint_check         (Optional) Use the taint analysis engine for analysis
  -b /var/ac18/bin/httpd, --bin /var/ac18/bin/httpd  OR `-b httpd` , `--bin httpd`
                        (Optional) Specify the program to be analyzed. If not specified, SaTC uses its built-in algorithm to match the target binaries
  -l num, --len num     (Optional) Set how many of the top N programs in the matching results are treated as border binaries [default: 3]

Ghidra script

  • ref2sink_cmdi: Discovers paths from references to the given shared keywords to command-injection sink functions.
  • ref2sink_bof: Discovers paths from references to the given shared keywords to buffer-overflow sink functions.
  • ref2share: Finds parameters passed to shared-data handling functions such as nvram_set, setenv or similar functions. Must be used together with share2sink.
  • share2sink: The counterpart of ref2share, covering functions such as nvram_get, getenv or similar. Must be used together with ref2share; its input is the output of the ref2share script.

Output

Directory structure:

|-- ghidra_extract_result
|   |-- httpd
|       |-- httpd
|       |-- httpd_ref2sink_bof.result
|       |-- httpd_ref2sink_cmdi.result
|       |-- httpd_ref2sink_cmdi.result-alter2
|-- keyword_extract_result
|   |-- detail
|   |   |-- API_detail.result
|   |   |-- API_remove_detail.result
|   |   |-- api_split.result
|   |   |-- Clustering_result_v2.result
|   |   |-- File_detail.result
|   |   |-- from_bin_add_para.result
|   |   |-- Not_Analysise_JS_File.result
|   |   |-- Prar_detail.result
|   |   |-- Prar_remove_detail.result
|   |-- info.txt
|   |-- simple
|       |-- API_simple.result
|       |-- Prar_simple.result
|-- result-httpd-ref2sink_cmdi-ctW8.txt

The important files and directories are:

  • keyword_extract_result/detail/Clustering_result_v2.result: The front-end keywords matched in the binaries. Input for the Input Entry Recognition module
  • ghidra_extract_result/{bin}/*: Analysis results of the Ghidra scripts. Input for the Input Sensitive Taint Analysis module
  • result-{bin}-{ghidra_script}-{random}.txt: Taint analysis result

Other directories:

|-- ghidra_extract_result # Function call paths found by Ghidra; this directory is produced when the `--ghidra_script` option is enabled
|   |-- httpd # Each analyzed bin gets a folder with the same name
|       |-- httpd # Bin being analyzed
|       |-- httpd_ref2sink_bof.result # Paths to BoF sink functions
|       |-- httpd_ref2sink_cmdi.result # Paths to CmdI sink functions
|-- keyword_extract_result  # Keyword extraction results
|   |-- detail  # Front-end keyword extraction results (detailed analysis results)
|   |   |-- API_detail.result # Detailed results of the extracted APIs
|   |   |-- API_remove_detail.result # API information that was filtered out
|   |   |-- api_split.result  # Matching API results
|   |   |-- Clustering_result_v2.result # Detailed matching results
|   |   |-- File_detail.result  # Keywords extracted from each file
|   |   |-- from_bin_add_para.result # Shared keywords generated during binary matching
|   |   |-- Not_Analysise_JS_File.result # JS files ignored by common library matching
|   |   |-- Prar_detail.result # Detailed results of the extracted parameters
|   |   |-- Prar_remove_detail.result # Detailed results of the filtered parameters
|   |-- info.txt  # Records processing time and other information
|-- result-httpd-ref2sink_cmdi-ctW8.txt # A typical result file produced when the `--taint_check` and `--ghidra_script` options are enabled

Our dataset

Download the dataset from SaTC_dateset.zip.

Case Study

  1. To discover command injection and buffer overflow bugs in D-Link 878
python satc.py -d /home/satc/dlink_878 -o /home/satc/res --ghidra_script=ref2sink_cmdi --ghidra_script=ref2sink_bof --taint_check
  2. To discover command injection bugs in specific target prog.cgi of D-Link 878
python satc.py -d /home/satc/dlink_878 -o /home/satc/res --ghidra_script=ref2sink_cmdi -b prog.cgi --taint_check
  3. To discover command injection bugs in multi-bin of D-Link 878, setting input data in prog.cgi and sink functions in rc
python satc.py -d /home/satc/dlink_878 -o /home/satc/res --ghidra_script=ref2share -b prog.cgi

python satc.py -d /home/satc/dlink_878 -o /home/satc/res --ghidra_script=share2sink --ref2share_result=/home/satc/res/ghidra_extract_result/prog.cgi/prog.cgi_ref2share.result --ghidra_script=ref2sink_cmdi -b rc --taint_check

Real-world Vulnerabilities

As shown below, SaTC detected 33 previously unknown bugs, and at the time of paper writing, 30 of them have been confirmed by their developers. 25 bugs are command injection vulnerabilities; two of them are buffer overflow bugs; the other six belong to incorrect access control which could result in privacy disclosure.

satc's People

Contributors

bob777sjtu, smile0304


satc's Issues

No handler found when running program

$ python satc.py -d /pwd -o results --ghidra_script=ref2sink_bof -b /pwd/www/htdocs/web.cgi --taint_check

[...snip]...

2021-10-11 11:43:18,157-root-logger.py-[line:111]-DEBUG : [*] Find Binary file : /pwd/lib/lighttpd/mod_cgi.so
2021-10-11 11:43:18,157-root-logger.py-[line:111]-DEBUG : [*] Find Binary file : /pwd/lib/lighttpd/mod_compress.so
2021-10-11 11:43:18,158-root-logger.py-[line:111]-DEBUG : [*] Find Binary file : /pwd/lib/lighttpd/mod_access.so
No handlers could be found for logger "root"
/home/satc/.virtualenvs/SaTC/local/lib/python2.7/site-packages/cffi/cparser.py:165: UserWarning: Global variable 'r' in cdef(): for consistency with C it should have a storage class specifier (usually 'extern')
  "(usually 'extern')" % (decl.name,))

I do not understand what is meant by No handlers could be found for logger "root". Do you have any advice? web.cgi is a CGI binary. The lighttpd.conf is as such

[...snip...]

fastcgi.server = (
        "/www/" => (( "socket" => "/tmp/webserver.socket", "bin-path" => "/pwd/www/htdocs/web.cgi", "max-procs" => 1 )),
[...snip...]

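Question about analysis time

python satc.py -d ./squashfs-root/ -o ./result/ --ghidra_script=ref2sink_cmdi -b httpd --taint_check
The test target is US_AC15V1.0BR_V15.03.05.19_multi_TD01.bin

The SaTC version used is v1.0;
It took 9 hours to finish. Is that normal?
Is it mainly due to my computer's performance?
By that estimate, wouldn't --ghidra_script=all take a whole day? What is the usually recommended approach in practice?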

Can not docker pull v:2.0

"2c3571768a7d: Extracting 340.8MB/340.8MB" is always extracting; it downloads again and again and finally fails.

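How to debug SaTC

I currently run SaTC in Docker. If I want to study and analyze the execution logic of SaTC's architecture (reading the code is confusing, and no documentation is provided), how should I debug the program during a SaTC run, for example set breakpoints and analyze how the program executes?
I look forward to your answer, thank you.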

Questions about outputting alert results

Hi,
Thanks to SaTC for providing a way to find vulnerabilities in firmware.

As a newcomer, what I want to confirm is the content of the file 'result-{bin}-{ghidra_script}-{random}.txt' in the output directory:

'total case' refers to the number of paths for taint analysis by SaTC;
'find cases' refers to the number of paths that have passed the engine inspection, which corresponds to the number of Alerts in the SaTC paper

Is my understanding correct? Looking forward to your answer.

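Question about multi-file testing

Consider a firmware that provides a web service (for example httpd), while the vulnerability itself is in the shared library aa.so;
If you do not know that the vulnerability is in aa.so and only run SaTC on httpd, including _cmdi, bof and so on, that test is bound to be ineffective, because the vulnerable point is not in httpd;
So in blind testing, what is the recommended approach, and how can aa.so be located in blind testing?

One case discussed in the issues is keywords-----httpd----aa.so: first run ref2share on httpd, then import its result into aa.so, and thereby find the vulnerability;
But in actual blind testing, you do not know that the vulnerability arises between httpd and aa.so, so how should the test be done?

Idea: in blind testing, do not use the -b parameter, and let SaTC automatically test all binaries in the firmware; but my doubt is that this approach cannot automatically build the combined ref2share and share2sink test (because the taint path is keywords-----httpd----aa.so), so in the end it is also ineffective.

Are there any other feasible suggestions? Thank you.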

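Error when analyzing totolink firmware

Hello author, I used the SaTC Docker container and dataset you provided to analyze the two firmware images mentioned in the paper, totolink a950 and t10. I used -b to specify the vulnerable cgi file to analyze, but the two txt files containing the function call paths for command execution and buffer overflow could not be output, so in the subsequent analysis the program could not find these two txt files and terminated. Could you answer this when you have time?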

Fail to analyze `/usr/sbin/lighttpd` of Vigor 2960 v1.5.1.3

SaTC succeeded in analyzing the cgi of Vigor 2960 v1.5.1.3, but failed to analyze /usr/sbin/lighttpd. The command is
python satc.py -d /targetfs/ -o ../lighttpd_result/ --ghidra_script=ref2sink_bof --ghidra_script=ref2sink_cmdi --taint_check -b /usr/sbin/lighttpd

Error when parsing the boa program

Command: python SaTC/satc.py -d /home/satc/ -o /home/satc/ --ghidra_script=all -b /home/satc/boa --taint_check

error in use_sim_procedures

While reproducing on dir-878 with the bof script using smile's Docker image, an assert error is reported, suggesting to use angr's use_sim_procedures. How exactly is it used?

When I construct the Docker image, an error occurred. What should I do?

 Running setup.py develop for angr
    Running command /home/satc/.virtualenvs/SaTC/bin/python2 -c 'import sys, setuptools, tokenize; sys.argv[0] = '"'"'/home/satc/deps/angr-dev/angr/setup.py'"'"'; __file__='"'"'/home/satc/deps/angr-dev/angr/setup.py'"'"';f=getattr(tokenize, '"'"'open'"'"', open)(__file__);code=f.read().replace('"'"'\r\n'"'"', '"'"'\n'"'"');f.close();exec(compile(code, __file__, '"'"'exec'"'"'))' develop --no-deps
    running develop
    Building angr_native
    Traceback (most recent call last):
      File "<string>", line 1, in <module>
      File "/home/satc/deps/angr-dev/angr/setup.py", line 125, in <module>
        'angr': ['lib/*']
      File "/home/satc/.virtualenvs/SaTC/local/lib/python2.7/site-packages/setuptools/__init__.py", line 162, in setup
        return distutils.core.setup(**attrs)
      File "/usr/lib/python2.7/distutils/core.py", line 151, in setup
        dist.run_commands()
      File "/usr/lib/python2.7/distutils/dist.py", line 953, in run_commands
        self.run_command(cmd)
      File "/usr/lib/python2.7/distutils/dist.py", line 972, in run_command
        cmd_obj.run()
      File "/home/satc/deps/angr-dev/angr/setup.py", line 77, in run
        self.execute(_build_native, (), msg='Building angr_native')
      File "/usr/lib/python2.7/distutils/cmd.py", line 349, in execute
        util.execute(func, args, msg, dry_run=self.dry_run)
      File "/usr/lib/python2.7/distutils/util.py", line 309, in execute
        func(*args)
      File "/home/satc/deps/angr-dev/angr/setup.py", line 30, in _build_native
        import unicorn
      File "/home/satc/.virtualenvs/SaTC/local/lib/python2.7/site-packages/unicorn/__init__.py", line 4, in <module>
        from .unicorn import Uc, uc_version, uc_arch_supported, version_bind, debug, UcError, __version__
      File "/home/satc/.virtualenvs/SaTC/local/lib/python2.7/site-packages/unicorn/unicorn.py", line 110
        print("Found an old style dynamic library libunicorn.so, consider checking your installation", file=sys.stderr)
                                                                                                           ^
    SyntaxError: invalid syntax
  Rolling back uninstall of angr

Error while searching

python satc.py -d /home/satc/xxxxx.extracted/squashfs-root -o /home/satc/res --ghidra_script=ref2sink_cmdi -b uhttpd --taint_check

It reported:
ERROR REPORT: Import failed for file: /home/satc/_xxx.img.extracted/squashfs-root/etc/init.d/uhttpd (HeadlessAnalyzer)
No handlers could be found for logger "root"
/home/satc/.virtualenvs/SaTC/local/lib/python2.7/site-packages/cffi/cparser.py:165: UserWarning: Global variable 'r' in cdef(): for consistency with C it should have a storage class specifier (usually 'extern')
"(usually 'extern')" % (decl.name,))
Traceback (most recent call last):
File "satc.py", line 293, in
main()
File "satc.py", line 284, in main
taint_stain_analysis(bin_path, ghidra_result, args.output)
File "/home/satc/SaTC/taint_check/main.py", line 129, in taint_stain_analysis
conv_Ghidra_output.main(ghidra_analysis_result)
File "/home/satc/SaTC/taint_check/conv_Ghidra_output.py", line 11, in main
with open(filename,'r') as f:
IOError: [Errno 2] No such file or directory: '/home/satc/res/ghidra_extract_result/uhttpd/uhttpd_ref2sink_bof.result'

I found that what it located was etc/init.d/uhttpd rather than usr/sbin/uhttpd,
but the -b parameter cannot be given a path directly.

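Questions about reproducing the paper's dataset and comparison

Hello, we have recently been reproducing the SaTC experiments, using SaTC's data for all datasets. Which Docker image is better for reproducing the vulnerability discovery and overhead experiments? I used the Docker image under cpegg, but it cannot analyze some of the firmware provided in the SaTC dataset.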

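Question about reproducing dlink878

Hello! The CVE-2019-8316 command injection vulnerability occurs in tw_add_url_filter_iptables_rule of librcm.so, and SaTC has found this keyword, but why are the final results in the result-librcm.so-ref2sink_cmdi-XXXX.txt file all Not found?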

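Can the MIPS-related errors be resolved?

Looking through the issues, several of them are MIPS-related errors. Is this a bug or a usage problem?
Could you please explain?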
INFO REPORT: Save succeeded for file: /httpd (HeadlessAnalyzer)
No handlers could be found for logger "root"
/home/satc/.virtualenvs/SaTC/local/lib/python2.7/site-packages/cffi/cparser.py:165: UserWarning: Global variable 'r' in cdef(): for consistency with C it should have a storage class specifier (usually 'extern')
  "(usually 'extern')" % (decl.name,))
Converting Ghidra output to simple data...
Convert success, output in ./result/ghidra_extract_result/httpd/httpd_ref2sink_cmdi.result-alter2
Traceback (most recent call last):
  File "satc.py", line 293, in <module>
    main()
  File "satc.py", line 284, in main
    taint_stain_analysis(bin_path, ghidra_result, args.output)
  File "/home/satc/SaTC/taint_check/main.py", line 133, in taint_stain_analysis
    proj = angr.Project(binary, auto_load_libs=False, use_sim_procedures=True)
  File "/home/satc/deps/angr-dev/angr/angr/project.py", line 154, in __init__
    self.loader = cle.Loader(self.filename, **load_options)
  File "/home/satc/deps/angr-dev/cle/cle/loader.py", line 124, in __init__
    self.initial_load_objects = self._internal_load(main_binary, *force_load_libs)
  File "/home/satc/deps/angr-dev/cle/cle/loader.py", line 475, in _internal_load
    main_obj = self._load_object_isolated(main_spec)
  File "/home/satc/deps/angr-dev/cle/cle/loader.py", line 569, in _load_object_isolated
    return backend_cls(full_spec, is_main_bin=self.main_object is None, loader=self, **options)
  File "/home/satc/deps/angr-dev/cle/cle/backends/elf/elf.py", line 114, in __init__
    self._load_plt()
  File "/home/satc/deps/angr-dev/cle/cle/backends/elf/metaelf.py", line 200, in _load_plt
    guessed_addr = plt_sec.vaddr
AttributeError: 'NoneType' object has no attribute 'vaddr'

Error when analyzing D-Link823G

Command run:

python satc.py -d /home/satc/SaTC/SaTC_data -o /home/satc/res --ghidra_script=ref2sink_cmdi -b goahead --taint_check
Traceback (most recent call last):
  File "satc.py", line 310, in <module>
    main()
  File "satc.py", line 301, in main
    taint_stain_analysis(bin_path, ghidra_result, args.output)
  File "/home/satc/SaTC/taint_check/main.py", line 133, in taint_stain_analysis
    proj = angr.Project(binary, auto_load_libs=False, use_sim_procedures=True)
  File "/home/satc/deps/angr-dev/angr/angr/project.py", line 154, in __init__
    self.loader = cle.Loader(self.filename, **load_options)
  File "/home/satc/deps/angr-dev/cle/cle/loader.py", line 124, in __init__
    self.initial_load_objects = self._internal_load(main_binary, *force_load_libs)
  File "/home/satc/deps/angr-dev/cle/cle/loader.py", line 475, in _internal_load
    main_obj = self._load_object_isolated(main_spec)
  File "/home/satc/deps/angr-dev/cle/cle/loader.py", line 569, in _load_object_isolated
    return backend_cls(full_spec, is_main_bin=self.main_object is None, loader=self, **options)
  File "/home/satc/deps/angr-dev/cle/cle/backends/elf/elf.py", line 114, in __init__
    self._load_plt()
  File "/home/satc/deps/angr-dev/cle/cle/backends/elf/metaelf.py", line 200, in _load_plt
    guessed_addr = plt_sec.vaddr
AttributeError: 'NoneType' object has no attribute 'vaddr'

It seems this problem occurs whenever a MIPS binary is analyzed? How can it be fixed?

Is it Still Run....?

Hello, I'm sangjun, and I'm very interested in your project.

Now, I'm trying to run your PoC commands below.

I followed your instructions exactly as you directed, but I couldn't achieve the results you guided me to.

The firmware that I used is D-Link 878.

1. bof detect
python satc.py -d /home/satc/dlink_878 -o /home/satc/res --ghidra_script=ref2sink_cmdi --ghidra_script=ref2sink_bof --taint_check

2. command injection detect
python satc.py -d /home/satc/dlink_878 -o /home/satc/res --ghidra_script=ref2sink_cmdi -b prog.cgi --taint_check

3. detect injection bugs
python satc.py -d /home/satc/dlink_878 -o /home/satc/res --ghidra_script=ref2share -b prog.cgi

python satc.py -d /home/satc/dlink_878 -o /home/satc/res --ghidra_script=share2sink --ref2share_result=/home/satc/res/ghidra_extract_result/prog.cgi/prog.cgi_ref2share.result --ghidra_script=ref2sink_cmdi -b rc --taint_check

This is the script that I used.

docker pull smile0304/satc
docker run -it -d --privileged --net=host --cap-add=SYS_PTRACE --security-opt seccomp=unconfined --name satc f1e2ce760f4b /bin/bash
docker exec -it satc /bin/bash

cd /home/satc
source .virtualenvs/SaTC/bin/activate

cd SaTC
pip install "colorlog<5"

cd /home/satc/SaTC
1. bof detect
python satc.py -d /home/satc/dlink_878 -o /home/satc/res --ghidra_script=ref2sink_cmdi --ghidra_script=ref2sink_bof --taint_check

2. command injection detect 
python satc.py -d /home/satc/dlink_878 -o /home/satc/res2 --ghidra_script=ref2sink_cmdi -b prog.cgi --taint_check

3. detect injection
python satc.py -d /home/satc/dlink_878 -o /home/satc/res3 --ghidra_script=ref2share -b prog.cgi

python satc.py -d /home/satc/dlink_878 -o /home/satc/res3 --ghidra_script=share2sink --ref2share_result=/home/satc/res/ghidra_extract_result/prog.cgi/prog.cgi_ref2share.result --ghidra_script=ref2sink_cmdi -b rc --taint_check

I'll show my video for more detail.
https://youtu.be/TIIVkZXvQGo

Is it really true that SaTC is functioning? I need a detailed explanation. If so, I would truly appreciate it.

Thanks

-sangjun-

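Suspected memory leak?

When using SaTC to analyze firmware, the memory used by Docker keeps growing over time, and I cannot tell whether this is normal overhead or a memory leak. Memory usage during a 10-hour analysis on a host with 32GB of memory is shown in the figure: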

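Question about reproducing Incorrect Access Control (IAC)

Hello author, the paper mentions finding IAC vulnerabilities, for example in D-Link's DIR 823G. What is the command to reproduce this type of vulnerability? Is it ref2sink_cmdi or ref2sink_bof? Thank you.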

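Building from source

Could you provide the process for building this tool from source? Please tell us what needs to be configured and where. Thank you.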

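SaTC execution time calculation

The execution time calculation in satc.py shown in the figure appears to have been accidentally written backwards, so the computed result is always incorrect.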

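Questions about multi-file analysis and ref2share

The current test scripts were written based on firmware that had already been tested, but they do not apply to all firmware;
The effectiveness of a test also depends on how the scripts are initialized;
For example, in _cmdi.py:
sinks = ['system', '___system', 'bstar_system', 'popen',
'doSystemCmd', 'doShell', 'twsystem', 'CsteSystem', 'cgi_deal_popen',
'ExeCmd', 'ExecShell', 'exec_shell_popen', 'exec_shell_popen_str'
]
If the test target does not contain these functions, you can imagine how effective the test will be (so the scripts need to be completed according to the actual situation);
As another example, in ref2share.py:
heuristicMin = 4
sinks = ['nvram_safe_set', 'nvram_bufset', 'setenv']
digest = ['strcpy', 'sprintf', 'memcpy', 'strcat']
Likewise, if the test target does not interact with other programs through nvram_safe_set, the test result will necessarily be empty;

Please point out any shortcomings; I also hope everyone can share more about the problems encountered in actual testing.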
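
A pre-flight check for the two multi-file issues above, written as an added example (it is not SaTC code, and not part of either post): before choosing `-b` targets, list which ELF files in the extracted firmware mention the shared-data setters, the getters and the command sinks named on this page. The function names `symbols_present`, `classify`, `scan_tree`, `plan` and `demo` are hypothetical, and matching NUL-delimited strings in the file is an assumed heuristic, not a symbol-table parse.

```python
import os
import sys
import tempfile

# Function names as they appear on this page: the command sinks quoted from
# _cmdi.py, the setters quoted from ref2share.py plus the README's nvram_set,
# and the README's share2sink getters. Extend them to match your firmware.
CMD_SINKS = ['system', '___system', 'bstar_system', 'popen', 'doSystemCmd',
             'doShell', 'twsystem', 'CsteSystem', 'cgi_deal_popen', 'ExeCmd',
             'ExecShell', 'exec_shell_popen', 'exec_shell_popen_str']
SHARE_SETTERS = ['nvram_safe_set', 'nvram_bufset', 'nvram_set', 'setenv']
SHARE_GETTERS = ['nvram_get', 'getenv']


def symbols_present(data, names):
    """Names found as whole NUL-delimited strings, as in an ELF string table."""
    return [n for n in names if b'\x00' + n.encode('ascii') + b'\x00' in data]


def classify(data):
    """Listed functions an ELF image mentions, or None for non-ELF files."""
    if data[:4] != b'\x7fELF':  # skips shell scripts such as init.d wrappers
        return None
    return {'sinks': symbols_present(data, CMD_SINKS),
            'setters': symbols_present(data, SHARE_SETTERS),
            'getters': symbols_present(data, SHARE_GETTERS)}


def scan_tree(root):
    """Map each ELF file under root (path relative to root) to its classify() result."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            with open(path, 'rb') as handle:
                info = classify(handle.read())
            if info is not None:
                report[os.path.relpath(path, root)] = info
    return report


def plan(report):
    """Candidate -b targets per script, plus binaries with no listed command sink."""
    return {
        'ref2share': sorted(p for p, i in report.items() if i['setters']),
        'share2sink': sorted(p for p, i in report.items()
                             if i['getters'] and i['sinks']),
        'no_cmd_sink': sorted(p for p, i in report.items() if not i['sinks']),
    }


def demo():
    """Scan a constructed three-file tree (fake ELF bytes, not real firmware)."""
    elf = b'\x7fELF' + b'\x00' * 12
    files = {'bin/httpd': elf + b'\x00nvram_safe_set\x00strlen\x00',
             'sbin/rc': elf + b'\x00nvram_get\x00system\x00',
             'etc/init.d/httpd': b'#!/bin/sh\nsystem\n'}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path))
            with open(path, 'wb') as handle:
                handle.write(data)
        return plan(scan_tree(root))


if __name__ == '__main__':
    result = plan(scan_tree(sys.argv[1])) if len(sys.argv) == 2 else demo()
    for step, targets in sorted(result.items()):
        print('%-12s %s' % (step, ', '.join(targets) or '(none)'))
```

A binary listed under `no_cmd_sink` will yield no `ref2sink_cmdi` paths until its own command-execution wrapper is added to the sink list; stripped or statically linked binaries may not carry these names at all, so an empty result here is a prompt to inspect the binary, not proof of absence.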

Does the current SaTC (dev-python3) fully support running under python3?

SaTC is a very nice tool. Thank you for being open source.
However, I would like to run it under python3, and I would like to run it under a higher version of angr, but I find that the current version (dev-python3) throws a lot of errors when I run it. Have you fully tested it under python3 and a higher version of angr (e.g., 9.x), and can you provide the latest version?
Thank you.

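Question about archinfo

Hello author, the front-end analysis and the Ghidra-based analysis of paths from input entries to sink functions both run correctly.

But when performing the taint analysis I ran into a problem where archinfo is missing a key. Is there a solution for this? The error location is attached.

The corresponding error in the taint analysis part of satc.py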
