Moflow is a software security framework developed by Talos, containing tools for vulnerability, discovery, and triage. Moflow is focused on providing automated solutions based upon the latest research to assist in building more secure software. The vulnerability discovery tools include an automated test generation engine based on concolic execution combining dynamic taint tracing and symbolic execution, which is considered state of the art for zero-configuration parser fuzzing. The triage tools include the ability to automatically determine input bytes related to an exception using dynamic trace slicing algorithms as well as a forward symbolic execution based exploitability analysis. Mitigations include a novel use-after-free exploit prevention technique that is implemented as a LLVM compiler plugin.
Vulnerability Discovery Tools
FuzzFlow is an automated test generation tool based on concolic execution. FuzzFlow leverages dynamic binary instrumentation to modify x86 ELF binaries to enable dataflow tracking for taint analysis. New tests are generated by analyzing dataflow paths for nearby constraints and solving for new inputs by translating the binary for symbolic execution.
Crash Triage Tools
SliceFlow is a tool that assists with root cause analysis by slicing forward or backward from arbitrary points in a dataflow trace. Graph slicing allows the user to determine dependencies between a selected point of execution and previous or future instructions. This is used in crash analysis to slice from the corrupted value causing an exception back to the specific input bytes that caused the exception, greatly reducing the total number of instructions needed to be analyzed to determine root cause.
ExploitFlow is a tool for determining exploitability by applying forward symbolic execution from the point of a crash. Forward symbolic execution allows an estimated emulation forward from an exception that determines whether a similar but modified input would be able to reach nearby points on the execution graph. All nearby reachable points are checked to determine if a higher degree of control can be achieved. This is useful for determining whether a memory access violation may be tweaked to give attackers the ability to write to memory or gain control of execution.