evanmak / savior-source Goto Github PK
View Code? Open in Web Editor NEWsource code for savior fuzzer
License: Apache License 2.0
savior-source's People
Stargazers
Watchers
Forkers
manouchehri meng-wu jack51706 c0de3 imtiazkarimik23 jarlob cvvt mewbak hyperca microsvuln bao00065 luzhujiu vraebfdsb zyh1121 leonbett firefoxxpyang ufwt cponcelets kjfff hikame puppet-meteor diewufeihong zenhumany zhaoxiaoyunok tricker-z yeshuibosavior-source's Issues
SIMPLE_FILES macro necessary with KLEE
Hello, when I run Savior I get the following error:
Traceback (most recent call last):
File "../../coordinator/moriarty.py", line 278, in <module>
init(args.target, args.config);
File "../../coordinator/moriarty.py", line 268, in init
moriarty.start()
File "../../coordinator/moriarty.py", line 241, in start
utils.loop_every(self.epoch, self.poke_switch_oracle)
File "/root/savior/ml_fuzzing/savior-source/coordinator/utils/utils.py", line 226, in loop_every
func();
File "../../coordinator/moriarty.py", line 158, in poke_switch_oracle
self.se_factory.run(deduplicated_list, self.explorer_cov_file_list, self.batch_run_seed_num)
File "/root/savior/ml_fuzzing/savior-source/coordinator/SEs/klee_explorer.py", line 63, in run
_.run(input_list[input_base : input_base + batch_run_input_num], cov_file_list[explorer_base : explorer_base + self.se_num][i])
File "/root/savior/ml_fuzzing/savior-source/coordinator/SEs/klee_conc_explorer.py", line 152, in run
if max_input_size < os.path.getsize(afl_input):
File "/usr/lib/python2.7/genericpath.py", line 57, in getsize
return os.stat(filename).st_size
OSError: [Errno 2] No such file or directory: 'obj-savior/out/master/queue/id_000181'
When the coordinator tries to get the seed files specified in coverage.csv to give to KLEE, it cannot find them unless the SIMPLE_FILES macro in AFL/config.h is uncommented (since the file names written in coverage.csv are only the simple versions). Is this normal? Is there a way to get Savior to run while allowing the file names to be their longer versions?
Installer for Ubuntu 18.04 or 16.04
Hi .
I tried the Docker but failed and I don't know why it's failed to build .
I went though https://github.com/evanmak/savior-source/tree/master/Docker script for building, built with some errors and now there are some problem on llvm_mode directory of AFL .
Seems there are problems around Savior installation process.
Would you please make it more convenient and compatible to work with ubuntu 18.04 ? (Failed about installing in that also) .
I would appreciate if you can make a clean installation or a vbox image for it .
Thanks
What is the difference between paired_edges.csv and *.edge?
paired_edges.csv is generated in step two,*.edge is generated in step three. Is paired_edges.csv useful?What is the difference between paired_edges.csv and *edge?
KLEE installation
Thanks for releasing the code and this looks very interesting!
I have a question regarding the KLEE part. I saw the KLEE binaries have already been build in the KLEE folder. Are we supposed to use the pre-built version in our installation? If so, is it correct to just do a make install according to https://github.com/evanmak/savior-source/blob/master/Docker/build_savior.sh#L162-L169?
I tried that. But it failed because of the missing CMakeLists.txt. Any suggestions?
Thanks again!!
root@2d071248c33d:~/work/savior/KLEE/klee-build# ll
total 88
drwxr-xr-x 11 root root 4096 Jun 20 17:57 ./
drwxr-xr-x 3 root root 4096 Jun 23 18:38 ../
-rw-r--r-- 1 root root 21480 Jun 20 17:57 CMakeCache.txt
drwxr-xr-x 3 root root 4096 Jun 20 17:57 CMakeFiles/
-rw-r--r-- 1 root root 12259 Jun 20 17:57 Makefile
drwxr-xr-x 3 root root 4096 Jun 20 17:57 Release+Debug+Asserts/
drwxr-xr-x 2 root root 4096 Jun 20 17:57 bin/
-rw-r--r-- 1 root root 3335 Jun 20 17:57 cmake_install.cmake
drwxr-xr-x 3 root root 4096 Jun 20 17:57 docs/
drwxr-xr-x 3 root root 4096 Jun 20 17:57 include/
-rw-r--r-- 1 root root 513 Jun 20 17:57 install_manifest.txt
drwxr-xr-x 9 root root 4096 Jun 20 17:57 lib/
drwxr-xr-x 9 root root 4096 Jun 20 17:57 runtime/
drwxr-xr-x 3 root root 4096 Jun 20 17:57 tests/
drwxr-xr-x 10 root root 4096 Jun 20 17:57 tools/
root@2d071248c33d:~/work/savior/KLEE/klee-build# make install
CMake Error: The source directory "/root/work/savior/KLEE" does not appear to contain CMakeLists.txt.
Specify --help for usage, or press the help button on the CMake GUI.
Makefile:390: recipe for target 'cmake_check_build_system' failed
make: *** [cmake_check_build_system] Error 1get the error "SyntaxError: invalid syntax" when `RUN pip install -U pip`
How to run a simple fuzzing job with SAVIOR
Hey !
I successfully compiled the savior and followed along the readme of savior .
but finally I don't know how to run the fuzzing job in order to run fuzzing with savior .
Would you please give a sample here so I can run savior for a fuzzing job ? the fuzzing command to run fuzzing with savior is enough .
thanks .
problem: compile the libtiff
the target software: https://download.osgeo.org/libtiff/tiff-4.0.10.tar.gz
the build.sh:
export SOFTWARE_DIR=/root/softwares
export WORK_DIR=/root/work/
export PROG=tiffcp
# generate whole program bc
export CC=wllvm
export LLVM_COMPILER=clang
export CFLAGS="-fsanitize=integer,bounds,shift -g"
export LDFLAGS=-lubsan
./configure --enable-shared=no --enable-static=yes
make clean
make
# extract bc
extract-bc tools/$PROG
#set up fuzzing work dir
mkdir obj-savior
cp tools/$PROG.bc obj-savior
cd obj-savior
#generate binary to be fuzzed and target bc to be analyzed
$WORK_DIR/savior/AFL/afl-clang-fast $PROG.bc -o savior-$PROG -lubsan -lm
#run svf analyzer (llvm-4.0) on the target bc
$WORK_DIR/savior/svf/SVF/Release-build/bin/dma -fspta savior-$PROG.bc -savior-label-only -o $PROG.reach.bug -edge $PROG.edge
#run insertbug pass to generate bc runnable by llvm-3.6 (required by klee) with bug coverage infomation
opt -load /root/work/savior/svf/InsertBugPotential/build/insertpass/libInsertBugPass.so -InsertBug -i $PROG.reach.bug savior-$PROG.bc -o savior-$PROG.dma.bc
but when I execute the command $WORK_DIR/savior/AFL/afl-clang-fast $PROG.bc -o savior-$PROG -lubsan -lm
the problem is as follow, could tell me how to fix it
qsym vs klee
the klee can't scale to real soft, I want to know why not choose qsym ?
AFL Compile Error : error: no matching constructor for initialization of 'llvm::DILocation'
Hi there .
I just got this error while compiling and building savior .
It's not able to build AFL.
error: no matching constructor for initialization of 'llvm::DILocation'
I am looking for a workaround for this, getting it to work .
Thanks!
KLEE source code
Hi there,
Is it possible to release your KLEE modifications, either as full source or as a patch? Currently, I only see the build files.
Thanks!
~Adrian
unable to execute the 'Savior' program on the 'jpegsrc test, KLEE get error
@evanmak I am unable to execute the 'Savior' program on the 'jpegsrc test.' I am encountering an error message stating 'KLEE: ERROR: Link with library /root/work/savior/KLEE/klee-build/Release+Debug+Asserts/lib/klee-uclibc.bca failed: Unrecognized file type.' Can you provide guidance on how to resolve this issue?
problem about AFL
Thanks fist! Could you tell me how to deal with the problem?
AFL file patterns
Dear Savior team,
There is a misuse of AFL regarding the test case file names.
AFL is computed using the SIMPLE_FILES variable making the fuzzer to print files using id_ patterns. However, Converter is translating Klee test cases using the standard id: patterns which prevents AFL from importing the test cases.
You might want to choose one of the two patterns.
Thank you for this interesting tool,
Best
Wrong values within Klee testcases
Dear SAVIOR team,
I am doing a simple example for SAVIOR and figured out a strange behavior from Klee.
You can find the example attached to this post.
It includes a Makefile generating the instrumented binaries and the configuration.
The idea is simple, I want a file starting with the "POTS_LFA" magic number (having the hex value 41464c5f53544f50) as you can see below:
#echo "POTS_LFA" > test.in
#cat test.in
POTS_LFA
#./savior-example < test.in
read 41464c5f53544f50 compared against 41464c5f53544f50
Magic number passed
However, this is the result I have when I try a testcase klee generated to solve the magic number constraint:
./savior-example < output_folder/klee_instance_conc_000001/queue/id\:000002
read 41464c5f53544faf compared against 41464c5f53544f50
Note that in this case the printf is before the check at line 14.
The reason I pushed it after into the attached code is to prevent from disturbing klee.
As you can see, the problem is that the last byte is wrong, the sequence is "AFL_STO¯" hence the check is not passed.
More surprising, Klee is actually working if I remove --concolic-explorer=true from the list of options.
I show you the commands I executed:
- with SAVIOR (from the command prompted during its execution):
#/root/work/savior/KLEE/klee-build/bin/klee --libc=uclibc --disable-inject-ctor-and-dtor=true --posix-runtime --concolic-explorer=true --named-seed-matching=true --allow-external-sym-calls --use-non-intrinsics-memops=false --check-overshift=false --solver-backend=z3 --max-solver-time=5 --disable-bound-check=true --disable-ubsan-check=true -remove-unprioritized-states --free-mode=false --fixup-afl-ids=true --relax-constraint-solving=false --savior-ubsan=false --max-memory=0 --max-time-per-seed=150 --afl-covered-branchid-file=/root/work/example-folder/.afl_coverage_combination --klee-covered-branchid-outfile=/root/work/example-folder/output_folder/.tmp_se_0.cov --edge-sanitizer-heuristic --seed-out-dir=/root/work/example-folder/klee_new_input/klee_instance_conc_1 --sync-dir=/root/work/example-folder/output_folder/klee_instance_conc_000001/queue /root/work/example-folder/savior-example.dma.bc --sym-stdin 27
#cat output_folder/klee_instance_conc_000001/queue/id\:000002
�OTS_LFA0 �&?�!�
Without --concolic-explorer=true (and with fresh folders created to store the testcases):
#/root/work/savior/KLEE/klee-build/bin/klee --libc=uclibc --disable-inject-ctor-and-dtor=true --posix-runtime --named-seed-mat-sym-calls --use-non-intrinsics-memops=false --check-overshift=false --solver-backend=z3 --max-solver-time=5 --disable-bound-check=true --disable-ubsan-check=true -remove-unprioritized-states --free-mode=false --fixup-afl-ids=true --relax-constraint-solving=false --savior-ubsan=false --max-memory=0 --max-time-per-seed=150 --afl-covered-branchid-file=/root/work/example-folder/.afl_coverage_combination --klee-covered-branchid-outfile=/root/work/example-folder/output_folder/.tmp_se_0.cov --edge-sanitizer-heuristic --seed-out-dir=/root/work/example-folder/klee_new_input/klee_instance_conc_4 --sync-dir=/root/work/example-folder/output_folder/klee_instance_conc_000004/queue /root/work/example-folder/savior-example.dma.bc --sym-stdin 27
#cat /root/work/example-folder/output_folder/klee_instance_conc_000004/queue/id:000001
POTS_LFAAAAAAAAAAAAAAAAAAAA
- Do I have a bad configuration or use SAVIOR in a wrong way?
I am using the Dockerfile, which has clang version 3.6.0 and KLEE 1.4.0.0.
Except this detail, SAVIOR seems to work normally.
Best
example.tar.gz
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.