cargo-call-stack VS angr

Yes, it's what I wrote about in the last paragraph. If you can compute maximum stack size of a function, then you can avoid dynamic allocation with fibers as well. You are right that such implementations do not exist in right now, but I think it's technically possible as demonstrated by tools such as https://github.com/japaric/cargo-call-stack The main stumbling block here is FFI, historically shared libraries do not have any annotations about stack usage, so functions with bounded stack usage would not be able to use even libc.

For rust code, I have found https://github.com/japaric/cargo-call-stack to be the best available option, as it does take advantage of how Rust types are implemented in LLVM-IR to handle function pointers / dynamic dispatch a little better. An even better solution would try to use MIR type information as well to further narrow down targets of dynamic calls in a Rust-specific way, but no such tool exists that I know of.

cargo-call-stack Static stack analysis!

Generators can just dump stuff on the stack. They have additional their own stack for storing their state. If you can prove an upper amount of creation of generators in the call graph, that would however work. There is for example this nice tool for Rust doing the overapproximation.

Not easy at all.

I know that in the small-embedded world, people do work on such things.

Eg https://github.com/japaric/cargo-call-stack

That's awesome! That's exactly how modern decompilers deal with a special type of goto occurrence. They reduce gotos (or completely eliminate them) by introducing a `while(true)` loop, followed by corresponding `continue` and `breaks`... we all, of course, know that `while(true)` did not exist in the source, but it's a nice hack!

We even do this in the angr decompiler, found here: https://github.com/angr/angr/blob/8e48d001e18a913ecd4ed2e995...

One would hope browser and OS vendors would use AI to remediate vulnerabilities but vast majority of software vendors won't ever use it.

Also, automated vulnerability finding is very much real and already used today. This isn't something that has just become viable via LLMs, but I guess LLMs can enhance it:

https://github.com/angr/angr

Check out angr [1], a symbolic execution engine, and claripy [2], its frontend to SMT solvers like z3.

[1] https://angr.io

[2] https://api.angr.io/claripy.html

BAP (https://github.com/binaryanalysisplatform/bap), angr (https://angr.io/) and others already do what you're asking for as more purpose-built solutions for dynamic analysis. Angr specifically in python.

As /u/hkei noted, it's actually quite difficult to do in general, and usually requires some kind of heuristic. For example, see https://github.com/dyninst/dyninst/blob/v12.1.0/dyninstAPI/src/image.C#L476. Full disclosure, I am a Dyninst developer. There is also the python-based angr that might be more amenable to a one-off solution.

I think there's a lot of promise in automation that's been spun off from the CTF community. Angr and Binary Ninja are both very much spinoffs from contest hacking, and are pretty great for helping a skilled hacker find flaws in software.

angr - Platform-agnostic binary analysis framework.

angr uses z3.

https://github.com/angr/angr

Supposedly, the DoD has used angr for some use cases.

Try using angr to automate bug finding