sslab-gatech / fuzzification
We hinder fuzzing
Thanks for your great job!
I'm wondering if you can provide a Dockerfile for easier installation and usage?
The transformation performed in anti-taint.py will create invalid C code in some cases. This is due to a missing check for the existence of variables named newvar_X.

A minimal example of where this will be a problem is:
```c
int newvar_1 = 1;
char str1[20];
strcpy(str1, "hello");
if(strcmp(str1, "hello")) {
    printf("True");
} else {
    printf("False");
}
```
which will be transformed to:
```c
int newvar_1 = 1;
char str1[20];
strcpy(str1, "hello");
//////////////// ANTI-TAINT-STR //////////////////
char newvar_1[strlen(str1)];
if (strlen(str1) < 30){
    for (int i=0;i<strlen(str1);i++){
        int ch=0;
        int temp = 0;
        int temp2 = 0;
        for (int j=0; j<8;j++){
            temp = str1[i];
            temp2 = temp & (1<<j);
            if (temp2 !=0){
                ch |= 1<<j;
            }
        }
        newvar_1[i] = ch;
    }
}
else{
    strncpy(newvar_1, str1, strlen(str1));
}
//////////////////////////////////////////////////
if(strcmp(newvar_1, "hello")) {
    printf("True");
} else {
    printf("False");
}
```
where newvar_1 is already in use.
Further, I would like to ask you where you apply the CRC checksum replacements of the form:

```c
// original code: if (value == 12345)
if (CRC_LOOP(value) == OUTPUT_CRC) { ... }
```

that you write about in your paper.
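As an added example (not code from this issue thread or from the fuzzification project's anti-taint.py), the following shows the check the issue asks for: a source-to-source rewriter that scans the program for identifiers already in use before allocating a `newvar_N` name, then applies a simplified ANTI-TAINT-STR rewrite to the issue's minimal program. The sample input is constructed from the issue; the insertion heuristic (right after the first `strcpy()` into the variable), the `@NEW@`/`@SRC@` template and the extra byte reserved for the NUL terminator are my assumptions, not the tool's behaviour.

```python
import re

# Constructed sample input, modelled on the minimal example in the issue:
# the program already defines newvar_1, so the transformation must not reuse it.
SAMPLE_SOURCE = """\
int newvar_1 = 1;
char str1[20];
strcpy(str1, "hello");
if(strcmp(str1, "hello")) {
    printf("True");
} else {
    printf("False");
}
"""

# Hypothetical template of the emitted block, modelled on the issue's output.
# It copies the string bit by bit into a fresh buffer; unlike the quoted output
# it reserves room for, and writes, the NUL terminator so strcmp() gets a valid
# C string.
ANTI_TAINT_TEMPLATE = """\
//////////////// ANTI-TAINT-STR //////////////////
char @NEW@[strlen(@SRC@) + 1];
if (strlen(@SRC@) < 30) {
    for (int i = 0; i < strlen(@SRC@); i++) {
        int ch = 0;
        for (int j = 0; j < 8; j++) {
            if ((@SRC@[i] & (1 << j)) != 0) {
                ch |= 1 << j;
            }
        }
        @NEW@[i] = ch;
    }
    @NEW@[strlen(@SRC@)] = '\\0';
} else {
    strncpy(@NEW@, @SRC@, strlen(@SRC@) + 1);
}
//////////////////////////////////////////////////
"""

IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def used_identifiers(source):
    """Every identifier-shaped token in the source. This over-approximates
    (words inside strings and comments count too), which is the safe
    direction: avoiding a name costs nothing, reusing one breaks the build."""
    return set(IDENT_RE.findall(source))


def fresh_name(source, prefix="newvar_", start=1):
    """Smallest prefix+N with N >= start that does not occur in the source."""
    used = used_identifiers(source)
    n = start
    while f"{prefix}{n}" in used:
        n += 1
    return f"{prefix}{n}"


def anti_taint_str(source, var):
    """Insert the copy block after the first strcpy() into `var` and redirect
    every later strcmp() read of `var` to the fresh copy.
    Returns (rewritten_source, allocated_name)."""
    new = fresh_name(source)
    block = ANTI_TAINT_TEMPLATE.replace("@NEW@", new).replace("@SRC@", var)
    write_re = re.compile(rf"\s*strcpy\(\s*{re.escape(var)}\s*,")
    read_re = re.compile(rf"strcmp\(\s*{re.escape(var)}\s*,")
    out, inserted = [], False
    for line in source.splitlines(keepends=True):
        if not inserted and write_re.match(line):
            out.append(line)
            out.append(block)
            inserted = True
            continue
        if inserted:
            line = read_re.sub(f"strcmp({new},", line)
        out.append(line)
    if not inserted:
        raise ValueError(f"no strcpy() into {var} found")
    return "".join(out), new


if __name__ == "__main__":
    rewritten, name = anti_taint_str(SAMPLE_SOURCE, "str1")
    print(f"allocated {name}")
    print(rewritten)
```

On the issue's program the allocator skips `newvar_1` and emits `newvar_2`, so the `int newvar_1` declaration and the new `char` buffer no longer clash. Scanning identifiers with a token regex rather than a real C parser is deliberate: the only way the over-approximation can err is by skipping a name that was actually free, which is harmless.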
As you see, the antifuzz-tutorial contains a compile tutorial of binutils-2.23; the binaries readelf, objdump, objcpy, nm-new have the source code -> IR code command line, e.g.

```python
COMMAND["objdump.o"] = 'afl-clang-fast -DHAVE_CONFIG_H -I. -I. -I. -I../bfd -I./../bfd -I./../include -DLOCALEDIR="\\"/usr/local/share/locale\\"" -Dbin_dummy_emulation=bin_vanilla_emulation -W -Wall -Wstrict-prototypes -Wmissing-prototypes -Wshadow -O0 -flto -std=c11 -lpthread -MT objdump.o -MD -MP -MF .deps/objdump.Tpo -c -o objdump.o -DOBJDUMP_PRIVATE_VECTORS="" ./{SRC} 2> /tmp/makeout'
```
but if I want to compile the binary with speedbump, it will lead to the following (see antifuzz-tutorial/temp/binutils/build-objdump.sh, which is generated by src/compile.py):

```bash
elif [ "$3" == "slow" ]
then
    #afl-clang-fast -DHAVE_CONFIG_H -I. -I. -I. -I../bfd -I./../bfd -I./../include -DLOCALEDIR="\"/usr/local/share/locale\"" -Dbin_dummy_emulation=bin_vanilla_emulation -W -Wall -Wstrict-prototypes -Wmissing-prototypes -Wshadow -O0 -flto -std=c11 -lpthread -MT objdump.o -MD -MP -MF .deps/objdump.Tpo -c -o objdump.o -DOBJDUMP_PRIVATE_VECTORS="" ./objdump.c 1> /dev/null 2> /tmp/makeout
    cp /home/lawyer61/AIFuzz/fuzzification/src/llvm_pass/bump/delaysrc/delay_$2.o ./delay.o
    /bin/bash ./libtool --tag=CC --mode=link afl-clang-fast -W -Wall -Wstrict-prototypes -Wmissing-prototypes -Wshadow -O0 -flto -std=c11 -lpthread -flto -o $1 delay.o huge_dummy.o objdump_bump.o dwarf_bump.o prdbg_bump.o rddbg_bump.o debug_bump.o stabs_bump.o ieee_bump.o rdcoff_bump.o bucomm_bump.o version_bump.o filemode_bump.o elfcomm_bump.o ../opcodes/libopcodes.la ../bfd/libbfd.la ../libiberty/libiberty.a -lz 1> /dev/null
```
The question is, all the *_bump.o files (except objdump_bump.o) will fail in src/.work3/make_bump.sh:

```bash
opt -load ./libSkeletonPass_bump.so -SkeletonPass <$1.o> $1_bump.o
...
opt: <stdin>:1:1: error: expected top-level entity
```

(Garbled below)

So we will fail in antifuzz-all.py when opening objdump_d30_r4_o3 (for example):
```text
Traceback (most recent call last):
File "antifuzz_all.py", line 587, in <module>
bump_depay, bump_ratio, fname, c_overhead, s_overhead = speedbump()
File "antifuzz_all.py", line 415, in speedbump
c_overhead, s_overhead = _ret_overhead(gen_pn)
File "antifuzz_all.py", line 508, in _ret_overhead
newfile_size = os.path.getsize(gen_pn)
File "/usr/lib/python2.7/genericpath.py", line 57, in getsize
return os.stat(filename).st_size
OSError: [Errno 2] No such file or directory: '../antifuzz-tutorial/temp/binutils/objdump_d50_r17_o3'
```
Hi, I used the parameters in the evaluation section of the paper to compile readelf. Why does the CPU overhead in SpeedBump reach 80%? In addition, if the program after BranchTrap is used, a segmentation fault is displayed.
Sometimes csmith will generate code without a 'main' function (this may be because of too many args). When this happens, delay*.o will not have a 'slp' symbol and will cause a failure when linking it with test.o.

Change the function ch_main_arg to this:
```python
import fileinput
import sys


def ch_main_arg(pn, argname, funcname):
    # change main function name with random_string name
    modify_flag = 0
    for line in fileinput.input(pn, inplace=True):
        if "int main" in line:
            line = line.replace("void", "%s" % argname)
            line = line.replace("main", "%s" % funcname)
            modify_flag = 1
        if "int print_hash_value = 0;" in line:
            #line = line.replace("0", "1")
            continue
        if "print_hash_value" in line:
            continue
        sys.stdout.write(line)
    return modify_flag
```
and change line 116 to:

```python
if not ch_main_arg(var[1], argname, funcname):
    continue
```

That works for me when running `python randomcode.py` fails the first time. Hope it helps.
My system is VirtualBox Ubuntu 16.04, with all the dependencies installed, but when I use this command:

```shell
$ make -j 4
```

it always says there is no file "plugin-api.h" in the directory.
Actually, I went to the folder and the file is in that folder, but when installing, the error message always shows up.
I have run the following commands to test the functionality. It seems the error handling code is modified. A segmentation fault will be produced if I feed readelf_all a file that does not exist.

```text
$ gdb ./readelf_all
pwndbg> run -a ./nofile
Starting program: /home/xposimon/Desktop/works/fuzzification/antifuzz-tutorial/test/output/readelf/readelf_all -a ./nofile
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
__GI__IO_fread (buf=0x91e010, size=101, count=1, fp=0x0) at iofread.c:37
37 iofread.c: No such file or directory.
```