Simple Example

# example.py
def callee(a):
    b = a["x"]
    #vulnerable_function
    b["func"] = lambda x : print("vulnerable")

o = {
    "x" : {}
}

def caller():
    p = o["x"]
    # benign_function
    p["func"] = lambda x : print("benign")
    callee(o)
    target = p["func"]
    target()

caller()

Run With LIAN

1	`scripts/test.sh <example.py> # only for test`

Screenshot of Execution

输入图片说明

GIR Results

callee Function Definition

输入图片说明

caller Function Definition

输入图片说明

%unit_init Function Definition

Interpretation of Results

From the GIR table (gir.bundle0), it can be seen that the call target() statement corresponds to the 55th GIR_stmt.
输入图片说明
After running LIAN, the state space of the program (s2space_p3.bundle0) is generated. In this state space, for the 55th GIR_stmt, the state index in the target variable is 61.

By searching the state space (s2space_p3.bundle0) for the state with index 61, we find that its data_type is a method declaration, and its value of 27 represents the GIR_stmt_id of this method declaration.
输入图片说明
Checking the GIR, the 27th GIR_stmt corresponds to the malicious method %mm1, indicating that this state was successfully computed.

Simple Example

Run With LIAN

1scripts/test.sh <example.py> # only for test

Screenshot of Execution

GIR Results

callee Function Definition

caller Function Definition

%unit_init Function Definition

Interpretation of Results

1
`scripts/test.sh <example.py> # only for test`