About VSA #340
Hi guys, I love this project, which is very suitable and promising for firmware analysis. Just have a few questions: It looks like the implementation of VSA is not included yet? If not, do you have any future plans? Also, any plans about integrating symbolic execution engines?
Replies: 1 comment
We have implemented a value set analysis, it is just named differently. Take a look at the Pointer Inference analysis, it combines the things you usually do in value set analysis and points-to analysis into one analysis.

The specific role of the Pointer Inference analysis changed several times. For example, until recently it also included CWE checks for buffer overflows, but we eventually extracted that code into its own analysis. Since the things this analysis will do probably will change again in the future and may also contain things that are usually not associated with a value set analysis, I do not want to just name it value set analysis. But from a practical viewpoint it currently is the value set analysis of the cwe_checker.

Regarding symbolic execution: Yes, there are plans to use symbolic execution engines for the purpose of verifying results of the cwe_checker in the future. But this could take a while, because there is still so much to implement for the cwe_checker! Also, it is currently undecided whether this will be directly included into the cwe_checker code base or whether we put the symbolic execution parts into a separate repository, i.e. develop it as a standalone tool. When the time comes, I will make sure to mention it in the Readme in bold letters. ;-)