πUBGenπ is an automated UB program genertor for C. Given a valid C program, UBGen can mutate it to generate programs containing undefined behaviors. For each of the generated UB program, it only contains one kind of undefined behavior at one program location.
| UB | buffer-overflow | division-by-zero | null-pointer-dereference | use-after-free | use-after-scope | double-free | integer-overflow |
|---|---|---|---|---|---|---|---|
| Status | β | β | β | β | β | β | β |
β : Supported; π¨: Coming soon;
Compile dynamic analyzer for analyzing C source code:
./build.shInstall necessary Python packages:
pip install -r requirements.txtThe generator is ubgen.py. Each time you run it, ubgen.py generates more than one UB programs based on one Csmith-generated program.
Note that, for the first run of ubgen.py, it will download and install Csmith under the same directory.
For example, the following code will generate programs containing buffer-overflow and all the generated UB programs are saved into ./mutants:
./ubgen.py --ub buffer-overflow --out ./mutantsAlternatively, you can use an integer index to specify the UB. For example, the above command is equivalent to
./ubgen.py --ub 0 --out ./mutantsYou can use ./ubgen --help to find detailed help information.
Suppose there are generated programs under ./mutants/ and one of the file is ./mutants/mutated_0_tmp6a83k7sn.c. All generated files of the same prefix are from the same seed Csmith program.
For example, ./mutants/mutated_1_tmp6a83k7sn.c would be another UB program from the same seed. To compile the generated UB program, you need to include the path the Csmith header files ./csmith_install/include/csmith-2.3.0:
gcc -I./csmith_install/include/csmith-2.3.0 -fsanitize=address -g -w ./mutants/mutated_0_tmp6a83k7sn.c -o test.outExecuting ./test.out would normally cause sanitizer warning as such
=================================================================
==468815==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55595b49d950 at pc 0x55595b47a4aa bp 0x7ffd77bbd580 sp 0x7ffd77bbd570
READ of size 16 at 0x55595b49d950 thread T0
#0 0x55595b47a4a9 in func_1 /UBGen/mutants/mutated_0_tmp6a83k7sn.c:698
#1 0x55595b495534 in main /UBGen/mutants/mutated_0_tmp6a83k7sn.c:3502
#2 0x7fa853629d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
#3 0x7fa853629e3f in __libc_start_main_impl ../csu/libc-start.c:392
#4 0x55595b470424 in _start (/UBGen/mutants/a.out+0x9424)
0x55595b49d950 is located 0 bytes to the right of global variable 'g_1576' defined in 'mutated_0_tmp6a83k7sn.c:261:18' (0x55595b49d940) of size 16
0x55595b49d950 is located 48 bytes to the left of global variable 'g_1589' defined in 'mutated_0_tmp6a83k7sn.c:262:18' (0x55595b49d980) of size 16
SUMMARY: AddressSanitizer: global-buffer-overflow /UBGen/mutants/mutated_0_tmp6a83k7sn.c:698 in func_1
Shadow bytes around the buggy address:
0x0aabab68bad0: 02 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
0x0aabab68bae0: 01 f9 f9 f9 f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9
0x0aabab68baf0: 01 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9
0x0aabab68bb00: 00 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9
0x0aabab68bb10: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
=>0x0aabab68bb20: 04 f9 f9 f9 f9 f9 f9 f9 00 00[f9]f9 f9 f9 f9 f9
0x0aabab68bb30: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9
0x0aabab68bb40: 01 f9 f9 f9 f9 f9 f9 f9 00 00 04 f9 f9 f9 f9 f9
0x0aabab68bb50: 01 f9 f9 f9 f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9
0x0aabab68bb60: 00 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
0x0aabab68bb70: 00 f9 f9 f9 f9 f9 f9 f9 02 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==468815==ABORTING
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent