Coder Social home page Coder Social logo

ctfpwner / chopper Goto Github PK

View Code? Open in Web Editor NEW

This project forked from davidtr1037/chopper

0.0 0.0 0.0 5.12 MB

KLEE / CSE Project

License: Other

CMake 3.17% Makefile 4.04% Shell 0.97% M4 1.05% C++ 50.25% C 35.13% Python 3.08% LLVM 2.01% SMT 0.01% Emacs Lisp 0.10% Dockerfile 0.19%

chopper's Introduction

KLEE/CSE Project

An extension of KLEE (http://klee.github.io).

Build

Build LLVM (3.4)

mkdir build
cd build
cmake -DCMAKE_BUILD_TYPE=Release -DLLVM_ENABLE_ASSERTIONS=ON <LLVM_SRC>
make

Build SVF (Pointer Analysis)

Build DG (Static Slicing)

Build Chopper:

git checkout master
mkdir klee_build
cd klee_build
CXXFLAGS="-fno-rtti" cmake \
    -DENABLE_SOLVER_STP=ON \
    -DENABLE_POSIX_RUNTIME=ON \
    -DENABLE_KLEE_UCLIBC=ON \
    -DKLEE_UCLIBC_PATH=<KLEE_UCLIBC_DIR> \
    -DLLVM_CONFIG_BINARY=<LLVM_CONFIG_PATH> \
    -DENABLE_UNIT_TESTS=OFF \
    -DKLEE_RUNTIME_BUILD_TYPE=Release+Asserts \
    -DENABLE_SYSTEM_TESTS=ON \
    -DSVF_ROOT_DIR=<SVF_PROJECT_DIR> \
    -DDG_ROOT_DIR=<DG_PROJECT_DIR> \
    <KLEE_ROOT_DIR>
make

Notes:

  • Use llvm-config from the CMake build (LLVM 3.4)
  • Use klee-uclibc from here

Usage Example

Let's look at the following program:

#include <stdio.h>

#include <klee/klee.h>

typedef struct {
    int x;
    int y;
} object_t;

void f(object_t *o) {
    o->x = 0;
    o->y = 0;
}

int main(int argc, char *argv[]) {
    object_t o;
    int k;

    klee_make_symbolic(&k, sizeof(k), "k");

    f(&o);
    if (k > 0) {
        printf("%d\n", o.x);
    } else {
        printf("%d\n", o.y);
    }

    return 0;
}

Compile the program:

clang -c -g -emit-llvm main.c -o main.bc
opt -mem2reg main.bc -o main.bc (required for better pointer analysis)

Run KLEE (static analysis related debug messages are written to stdout):

klee -libc=klee -search=dfs -skip-functions=f main.bc

Options

Skipping Functions

The skipped functions are set using the following option:

-skip-functions=<function1>[:line1/line2/...],<function2>[:line1/line2/...],...

Inlining

In some cases, inlining can improve the precision of static analysis. Functions can be inlined using the following option:

-inline=<function1>,<function2>,...

Search Heuristic

The chopping-aware search heuristic can be used using the following option:

-split-search

and the ratio can be set by:

-split-ratio=<uint> // ratio for choosing recovery states (default = 20)

Slicing

Slicing for skipped functions can be disabled using the following option:

-use-slicer=0

Debugging

More verbose debug messages can be produced using the following option:

-debug-only=basic

Notes:

  • When using klee-libc, some files (memcpy.c, memset.c) should be recompiled with -O1 to avoid vector instructions.

chopper's People

Contributors

ccadar avatar davidtr1037 avatar ddunbar avatar martinnowack avatar andreamattavelli avatar pcc avatar delcypher avatar hpalikareva avatar holycrap872 avatar willemp avatar antiagainst avatar kren1 avatar kaomoneus avatar 251 avatar ddcc avatar adrianherrera avatar jordr avatar msoos avatar ret2libc avatar paulmar avatar ahorn avatar yotann avatar rsas avatar mvillmow avatar mdimjasevic avatar cunningbaldrick avatar justme0 avatar wuestholz avatar omeranson avatar mchalupa avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.