Dynamic analysis pitfalls to address

[Col-E]

In our dynamic model, the plan is to force visitation of as many control paths as possible. This maximizes the amount of content we can match against, but may introduce some additional issues we'll have to address.

Each of these should have test cases written for them, with demonstrations on configuring Concoction to circumvent the issues.

Infinite loops in dead code blocks

A simple example:

if (true) { 
    // real application code
} else {
    while (true) { ... } // fake control flow path
}

Sneaky manipulation of values

Ideally, most of these are supported by SSVM out of the box given how specific it is at reimplementing JVM features.

• Changing String.value via reflection
  • Straight-forward reflection
  • Via sun.reflect.ConstantPool and abusing constant interning

Abusing slow methods to delay execution beyond a set threshold

Example code:

// stupid delay mechanism that runs after a 'reasonable' amount of time on a host machine, but slower when all steps are interpreted in our VM
for (int i = Integer.MIN_VALUE; i < Integer.MAX_VALUE; i++){ 
  double unused = Math.sqrt(i) * (i - 1) / (i - 0.5) + 432 * i; // replace with slow math operation
}
// malicious code here

Ideally, we can define intrinsic implementations for most common things, even if they don't technically need to be implemented. For instance, the Math utils can be fully run with SSVM without any intrinsic handling. But defining handlers for them would speed things up and be a benefit on multiple fronts.

[Col-E]

Infinite loops can be addressed with: xxDark/SSVM@4030675