Currently QSYM is using Pin 2.14 build 71313, and it doesn't support latest linux kernel versions. I wonder why, and tried to build it with Pin 3.7, but there were some issues:

• Latest PinCRT uses memory.h but it's overriden by ./memory.h on pintool/. Renaming it into _memory.h fixed the issue.
• seems like LLVM's APInt, APSInt uses C++11 standard, but Pin's latest approach is replacing all C++ headers into their own one (it's not C++ >= 11 compatible), maybe using another integer class or copying whole dependencies into pintool/third_party/llvm will work.

Hello,

I had a question about the environment variable
QSYM_CMDLINE: command line for a testing program for QSYM (Naive)

I understand that this means I will need to pass a program that will not be instrumented but I'm having some difficulties visualizing this I tried an input that looked something like this

$bin/run_qsym_afl.py -a afl-slave -o bin/output/ -n qsym ./binutils/readelf

where the program is readelf of the binutils program but this error is thrown

Traceback (most recent call last): File "bin/run_qsym_afl.py", line 17, in <module> import qsym ImportError: No module named qsym

Thank you.

Hey all,

I'm having some trouble with the current release of QSYM when running in hybrid mode with AFL. It doesn't appear that any generated test cases are getting queued. I'm setting up QSYM to run with QEMU mode tracing (I set qemu_mode to be True by default in minimizer.py) and using a differently-instrumented binary (e.g., Dyninst) for the AFL component. The /out_dir/qsym/queue/ directory is empty even after 24hrs of fuzzing. Any ideas?

Thanks,
-Stefan

Hello,

I noticed this line in the environment variables:
# AFL_CMDLINE: command line for a testing program for AFL (ASAN + instrumented)

Is using an ASAN explicitly required?

Also, what instrumentation is required? I'm guessing by this you mean afl-cc, but I'm also wondering if AFL-Dyninst and AFL-QEMU are supported?

Thanks,
-Stefan

In solver.cpp of pintool:

Is the optimistic solving should have not negate "taken" as parameter rather than current one?

Hello,

I've successfully got QSYM running with 1 AFL instance (slave). Can you please explain the meaning of the output information below?

DEBUG:qsym.afl:Total=8 s, Emulation=8 s, Solver=0 s, Return=1
DEBUG:qsym.afl:Generate 44 testcases
DEBUG:qsym.afl:0 testcases are new

Thanks,
-Stefan

I get this:

DEBUG:qsym.afl:Temp directory=/tmp/tmpwCabXk
DEBUG:qsym.afl:Cannot find pintool. Maybe updating?
Traceback (most recent call last):
  File "bin/run_qsym_afl.py", line 47, in <module>
    main()
  File "bin/run_qsym_afl.py", line 41, in main
    e.run()
  File "/usr/local/google/home/benl/git-work/qsym/venv/local/lib/python2.7/site-packages/qsym-0.1-py2.7.egg/qsym/afl.py", line 355, in run
    self.run_file(fp)
  File "/usr/local/google/home/benl/git-work/qsym/venv/local/lib/python2.7/site-packages/qsym-0.1-py2.7.egg/qsym/afl.py", line 359, in run_file
    check_so_file()
  File "/usr/local/google/home/benl/git-work/qsym/venv/local/lib/python2.7/site-packages/qsym-0.1-py2.7.egg/qsym/afl.py", line 61, in check_so_file
    FATAL("Cannot find SO file!")
NameError: global name 'FATAL' is not defined

Hello there!

I have a small question about how QSYM puts out its new findings:
Does it just make us of the afl folder structure and adds inputs to the crashes/ directory that procuded crashes or does it have some sort of extra output format?

Thanks!

In the documentation i can see the following guide:

run AFL master

$ $(AFL_ROOT)/afl-fuzz -M afl-master -i $(INPUT) -o $(OUTPUT) -- $(AFL_CMDLINE)

run AFL slave

$ $(AFL_ROOT)/afl-fuzz -S afl-slave -i $(INPUT) -o $(OUTPUT) -- $(AFL_CMDLINE)

run QSYM

$ bin/run_qsym_afl.py -a afl-slave -o $(OUTPUT) -n qsym -- $(QSYM_CMDLINE)

However, i have several questions:

1. Can i create a 50 AFL slaves and later run 1 slave of QSYM?, or i need create 50 AFL slaves and 50 QSYM slaves?, example

$(AFL_ROOT)/afl-fuzz -S afl-slave1 -i $(INPUT) -o $(OUTPUT) -- $(AFL_CMDLINE)
$(AFL_ROOT)/afl-fuzz -S afl-slave2 -i $(INPUT) -o $(OUTPUT) -- $(AFL_CMDLINE)
$(AFL_ROOT)/afl-fuzz -S afl-slave3 -i $(INPUT) -o $(OUTPUT) -- $(AFL_CMDLINE)
...
bin/run_qsym_afl.py -a afl-slave1 -o $(OUTPUT) -n qsym -- $(QSYM_CMDLINE)
bin/run_qsym_afl.py -a afl-slave2 -o $(OUTPUT) -n qsym -- $(QSYM_CMDLINE)
bin/run_qsym_afl.py -a afl-slave3 -o $(OUTPUT) -n qsym -- $(QSYM_CMDLINE)
...

2. the name of QSYM "afl-slave" should match with the "afl-slave" name of alf-fuzz? or is irrelevant?, example

$(AFL_ROOT)/afl-fuzz -S afl-slave1 -i $(INPUT) -o $(OUTPUT) -- $(AFL_CMDLINE)
bin/run_qsym_afl.py -a afl-slaveNOTMATCH999 -o $(OUTPUT) -n qsym -- $(QSYM_CMDLINE)

Thanks!

after about a week of fuzzing mp3gain using qsym with two afl instances, we found many zombie processes:

# ps aux|grep defunct|wc -l
1176

# ps aux
root        315  0.0  0.0      0     0 ?        Z    Jul07   0:57 [3.mp3gain] <defunct>
root        321  0.0  0.0      0     0 ?        Z    Jul06   0:31 [3.mp3gain] <defunct>
root        496  0.3  0.0      0     0 ?        Z    09:34   1:08 [3.mp3gain] <defunct>
root        721  0.0  0.0      0     0 ?        Z    Jul07   1:00 [3.mp3gain] <defunct>
root        821  0.0  0.0      0     0 ?        Z    Jul07   0:56 [3.mp3gain] <defunct>
root       1032  0.0  0.0      0     0 ?        Z    Jul10   0:58 [3.mp3gain] <defunct>
root       1056  0.0  0.0      0     0 ?        Z    Jul08   0:56 [3.mp3gain] <defunct>
root       1137  0.0  0.0      0     0 ?        Z    Jul10   1:00 [3.mp3gain] <defunct>
root       1187  0.0  0.0      0     0 ?        Z    Jul09   0:58 [3.mp3gain] <defunct>
root       1276  0.1  0.0      0     0 ?        Z    05:20   1:03 [3.mp3gain] <defunct>
root       1292  0.0  0.0      0     0 ?        Z    Jul08   1:02 [3.mp3gain] <defunct>
root       1405  0.0  0.0      0     0 ?        Z    Jul09   0:59 [3.mp3gain] <defunct>
root       1626  0.0  0.0      0     0 ?        Z    Jul06   0:32 [3.mp3gain] <defunct>
root       1760  0.0  0.0      0     0 ?        Z    Jul08   0:29 [3.mp3gain] <defunct>
root       1913  0.0  0.0      0     0 ?        Z    Jul07   1:00 [3.mp3gain] <defunct>
root       1927  0.0  0.0      0     0 ?        Z    Jul05   0:30 [3.mp3gain] <defunct>
root       1969  0.0  0.0      0     0 ?        Z    Jul05   0:35 [3.mp3gain] <defunct>
root       1978  0.0  0.0      0     0 ?        Z    Jul07   1:01 [3.mp3gain] <defunct>
root       2009  0.1  0.0      0     0 ?        Z    01:42   1:01 [3.mp3gain] <defunct>
root       2161  0.0  0.0      0     0 ?        Z    Jul08   1:03 [3.mp3gain] <defunct>
root       2474  0.0  0.0      0     0 ?        Z    Jul06   0:30 [3.mp3gain] <defunct>
root       2558  0.0  0.0      0     0 ?        Z    Jul07   0:58 [3.mp3gain] <defunct>
root       3100  0.0  0.0      0     0 ?        Z    Jul06   0:30 [3.mp3gain] <defunct>
root       3113  0.1  0.0      0     0 ?        Z    Jul10   1:05 [3.mp3gain] <defunct>
root       3205  0.0  0.0      0     0 ?        Z    Jul06   0:33 [3.mp3gain] <defunct>
root       3318  0.0  0.0      0     0 ?        Z    Jul07   0:53 [3.mp3gain] <defunct>
root       3451  0.0  0.0      0     0 ?        Z    Jul10   1:03 [3.mp3gain] <defunct>
root       3706  0.0  0.0      0     0 ?        Z    Jul06   0:33 [3.mp3gain] <defunct>
root       3871  0.0  0.0      0     0 ?        Z    Jul07   0:57 [3.mp3gain] <defunct>
root       3901  0.0  0.0      0     0 ?        Z    Jul08   1:09 [3.mp3gain] <defunct>
root       4158  0.3  0.0      0     0 ?        Z    09:01   1:06 [3.mp3gain] <defunct>
root       4188  0.0  0.0      0     0 ?        Z    Jul05   0:34 [3.mp3gain] <defunct>
root       4240  0.0  0.0      0     0 ?        Z    Jul09   0:58 [3.mp3gain] <defunct>
root       4262  0.0  0.0      0     0 ?        Z    Jul09   0:58 [3.mp3gain] <defunct>
root       4703  0.1  0.0      0     0 ?        Z    04:41   1:02 [3.mp3gain] <defunct>
root       5180  0.0  0.0      0     0 ?        Z    Jul09   1:07 [3.mp3gain] <defunct>
root       5447  0.0  0.0      0     0 ?        Z    Jul07   0:31 [3.mp3gain] <defunct>
root       5480  0.0  0.0      0     0 ?        Z    Jul10   0:58 [3.mp3gain] <defunct>
root       5511  0.0  0.0      0     0 ?        Z    Jul05   0:34 [3.mp3gain] <defunct>
root       5519  0.1  0.0      0     0 ?        Z    02:56   1:03 [3.mp3gain] <defunct>
root       5767  0.0  0.0      0     0 ?        Z    Jul10   0:57 [3.mp3gain] <defunct>
...
root     130859  0.0  0.0      0     0 ?        Z    Jul09   1:02 [3.mp3gain] <defunct>
root     130865  0.0  0.0      0     0 ?        Z    Jul05   0:33 [3.mp3gain] <defunct>
root     130869  0.0  0.0      0     0 ?        Z    Jul06   0:37 [3.mp3gain] <defunct>
root     130891  0.0  0.0      0     0 ?        Z    Jul05   0:30 [3.mp3gain] <defunct>
root     131058  0.0  0.0      0     0 ?        Z    Jul05   0:33 [3.mp3gain] <defunct>

I don't know whether it's qsym issue, but I didn't notice same issue when using other fuzzers (afl, aflfast, etc.).

Hi,

I am trying to setup qsym but encountered test failures. The pin.log shows

"Unable to load /qsym/venv/lib/python2.7/site-packages/qsym/pintool/obj-intel64/libqsym.so: /qsym/venv/lib/python2.7/site-packages/qsym/pintool/obj-intel64/libqsym.so: undefined symbol: _ZN4llvm5APInt12initSlowCaseEmb"

could you please provide some suggestions on how to resolve this?

Hi, thank you for the great work and making it open source.

I'm having a trouble while testing QSYM on some simple toy program.

I wrote a simple toy program that reads in 8 byte input from file and compare it to magic value. Running it with input "DCBAabcd" will raise a segfault as follow.

jason@debian-8:~/example$ cat test.c 
#include <unistd.h>
#include <fcntl.h>
#include <stdint.h>

int main(int argc, char** argv)
{
  char buf[9];
  int fd;

  fd = open(argv[1], O_RDONLY);
  read(fd, buf, sizeof(buf) - 1);
  buf[8] = 0;

  if (*(int32_t*) &buf[0] == 0x41424344) {
    if(buf[4] == 'a') {
        *(int*) NULL = 0;
    }
  }
  return 0;
}
jason@debian-8:~/example$ gcc test.c  -o test.bin
jason@debian-8:~/example$ echo "DCBAabcd" > file
jason@debian-8:~/example$ ./test.bin file
Segmentation fault

When I tested QSYM on this program, it seems to fail in finding a test input that penetrates the branch condition. I followed the instructions in README to run one AFL master, one AFL slave and one QSYM. I provided 8 bytes of "A" as initial dummy seed of AFL. The standard output of QSYM looks as follow.

...
(venv)jason@debian-8:~/example$ export QSYM_CMDLINE="/home/jason/example/test.bin /home/jason/example/file_qsym"
(venv)jason@debian-8:~/example$ /home/jason/qsym/bin/run_qsym_afl.py -f /home/jason/example/file_qsym -a afl-slave -o $OUTPUT -n qsym -- $QSYM_CMDLINE
DEBUG:qsym.afl:Temp directory=/tmp/tmpluyS8E
DEBUG:qsym.afl:Run qsym: input=/home/jason/example/output/afl-slave/queue/id:000000,orig:empty
DEBUG:qsym.Executor:Executing timeout -k 5 90 /home/jason/qsym/venv/lib/python2.7/site-packages/qsym/../../../../third_party/pin-2.14-71313-gcc.4.4.7-linux/pin.sh -ifeellucky -t /home/jason/qsym/venv/lib/python2.7/site-packages/qsym/pintool/obj-intel64/libqsym.so -logfile /tmp/tmpluyS8E/qsym-out-0/pin.log -i /home/jason/example/file_qsym -s 1 -o /tmp/tmpluyS8E/qsym-out-0 -l 1 -b /home/jason/example/output/qsym/bitmap -- /home/jason/example/test.bin /home/jason/example/file_qsym
DEBUG:qsym.afl:Total=4 s, Emulation=4 s, Solver=0 s, Return=0
DEBUG:qsym.afl:Generate 0 testcases
DEBUG:qsym.afl:0 testcases are new
DEBUG:qsym.afl:Sleep for getting files
DEBUG:qsym.afl:Sleep for getting files
...

The content of input file to QSYM was 4 bytes of 'A', and I think concolic execution should be able to find a new test input "DCBA" that can flip the first if branch.

jason@debian-8:~/example$ xxd output/afl-master/queue/id\:000000\,orig\:empty 
0000000: 4141 4141                                AAAA

Could you take a look at this problem, or point out my mistakes if I'm making some?

I am using debian 8.11 OS, but its kernel version is same to Ubuntu 14.04, and the build succeeded without any error.

Thank you.

When I install QSYM on a fresh Ubuntu 14.04 according to the instructions in the README and then execute the test suite I see a lot of the assembly tests fail, e.g. tests/assembly/imul. On Ubuntu 16.04 all tests pass.

Concretely, I'm using Vagrant with images ubuntu/trusty64 and ubuntu/xenial64, respectively. Inside the VM I install git, build-essentials and sudo, followed by running ./setup.sh and pip install . in the project's root directory. I run the tests via cd tests; python build.py; python -m pytest -n 2 --maxfail=3 as root. (When I run them with normal user permissions the Pin tool fails with error "out of memory", which I assume to be a permission issue.)

The README lists both Ubuntu 14.04 and 16.04 as supported versions, so I assume failing tests indicate a problem ;) Let me know if there's any way I can help investigating the issue with 14.04!

Hello!

I was wondering whether Qsym now supports synchronization over multiple instances? I am trying to perform cloud-based hybrid fuzzing and wanted to know it made sense to have more than one Qsym instance.

QSYM can solve multi-byte comparisons such as strcmp or memcmp gradually. But unfortunately, these functions are usually. not instrumented by AFL. Even though they are instrumented, AFL will consider intermediate results as uninteresting due to its loop bucketization.

This is not a big issue in fuzzing binary-formatted binaries that are main targets for AFL and QSYM.
But we can still partially solve these cases by wrapping functions like angr did. For example, we can make strcmp wrapper and tries to generate a testcase that pass strcmp in one shot instead of intermediate results.

Hello,

I've been running QSYM with 1xAFL (slave), and after running for about 20-24hrs, QSYM seems to crash irregularly. I didn't manage to get save the full error report, but I recall it containing something along the lines of "Memory Error".

My environment of choice is a Ubuntu-16.04 x64 VM with 4gigs of RAM and 3 cores.

Any ideas? Could this mean QSYM is maxing-out its python data structures?

Thanks,
-Stefan

This might be not the right place to ask this - why Pin? and why such a very old version that is not suited for modern kernels and x64?

DynamoRio is about 10x faster, but yes, it takes longer to code the same functionality.

 third_party/libdft/syscall_desc.cpp: In function ‘void qsym::postRecvMmsgHook(qsym::SyscallContext*)’:
  third_party/libdft/syscall_desc.cpp:1201:2: error: this ‘if’ clause does not guard... [-Werror=misleading-indentation]
    if ((struct timespec *)ctx->arg[SYSCALL_ARG4] != NULL);
    ^~
  third_party/libdft/syscall_desc.cpp:1202:3: note: ...this statement, but the latter is misleadingly indented as if it were guarded by the ‘if’
     g_memory.clearExprFromMem(ctx->arg[SYSCALL_ARG4], sizeof(struct timespec));
     ^~~~~~~~

This would appear to be an actual error.

Likes this, and many directories is empty.

/tmp/tmprXGtmv# cd qsym-out-
Display all 36755 possibilities? (y or n)

It is only used for finding interesting testcases, isn`t it?(That means I can remove empty directories and have no effect on qsym)

        target = os.path.basename(fp)[:len("id:......")]
        num_testcase = 0
        for testcase in q.get_testcases():
            num_testcase += 1
            if not self.minimizer.check_testcase(testcase):
                # Remove if it's not interesting testcases
                os.unlink(testcase)
                continue
            index = self.state.tick()
            filename = os.path.join(
                    self.my_queue,
                    "id:%06d,src:%s" % (index, target))
            shutil.move(testcase, filename)
            logger.debug("Creating: %s" % filename)

Hi there,
Thanks for providing such an amazing tool. I tried QSYM recently against CGC binaries, but got the following error: E Unable to load ***/obj-ia32/libqsym.so. Check the architecture type.

I used driller-afl to fuzz those binaries. I noticed that in the QSYM's paper CGC binaries were also evaluated with QSYM. I wonder how can I achieve it?

Thanks,
Weiteng

Tested on SO: Ubuntu 18.04 TLS

#error The C++ ABI of your compiler does not match the ABI of the pin kit.
^~~~~
/tmp/pip-req-build-QqjGha/third_party/pin-2.14-71313-gcc.4.4.7-linux/source/include/pin/compiler_version_check2.H:117:2: error: #error This kit requires gcc 3.4 or later
#error This kit requires gcc 3.4 or later
^~~~~
/tmp/pip-req-build-QqjGha/third_party/pin-2.14-71313-gcc.4.4.7-linux/source/tools/Config/makefile.default.rules:170: recipe for target 'obj-intel64/allocation.o' failed
make: *** [obj-intel64/allocation.o] Error 1
make: *** Waiting for unfinished jobs....
/tmp/pip-req-build-QqjGha/third_party/pin-2.14-71313-gcc.4.4.7-linux/source/tools/Config/makefile.default.rules:170: recipe for target 'obj-intel64/call_stack_manager.o' failed
make: *** [obj-intel64/call_stack_manager.o] Error 1
/tmp/pip-req-build-QqjGha/third_party/pin-2.14-71313-gcc.4.4.7-linux/source/tools/Config/makefile.default.rules:170: recipe for target 'obj-intel64/afl_trace_map.o' failed
make: *** [obj-intel64/afl_trace_map.o] Error 1
/tmp/pip-req-build-QqjGha/third_party/pin-2.14-71313-gcc.4.4.7-linux/source/tools/Config/makefile.default.rules:170: recipe for target 'obj-intel64/analysis_instruction.o' failed
make: *** [obj-intel64/analysis_instruction.o] Error 1
/tmp/pip-req-build-QqjGha/third_party/pin-2.14-71313-gcc.4.4.7-linux/source/tools/Config/makefile.default.rules:170: recipe for target 'obj-intel64/analysis.o' failed
make: *** [obj-intel64/analysis.o] Error 1
make: Leaving directory '/tmp/pip-req-build-QqjGha/qsym/pintool'
Traceback (most recent call last):
File "", line 1, in
File "/tmp/pip-req-build-QqjGha/setup.py", line 54, in
data_files=data_files
File "/usr/lib/python2.7/distutils/core.py", line 151, in setup
dist.run_commands()
File "/usr/lib/python2.7/distutils/dist.py", line 953, in run_commands
self.run_command(cmd)
File "/usr/lib/python2.7/distutils/dist.py", line 972, in run_command
cmd_obj.run()
File "/home/peto/qsym/venv/local/lib/python2.7/site-packages/setuptools/command/install.py", line 61, in run
return orig.install.run(self)
File "/usr/lib/python2.7/distutils/command/install.py", line 601, in run
self.run_command('build')
File "/usr/lib/python2.7/distutils/cmd.py", line 326, in run_command
self.distribution.run_command(command)
File "/usr/lib/python2.7/distutils/dist.py", line 972, in run_command
cmd_obj.run()
File "/tmp/pip-req-build-QqjGha/setup.py", line 29, in run
self.execute(build_pintool, (), msg='Building pintool')
File "/usr/lib/python2.7/distutils/cmd.py", line 349, in execute
util.execute(func, args, msg, dry_run=self.dry_run)
File "/usr/lib/python2.7/distutils/util.py", line 309, in execute
func(*args)
File "/tmp/pip-req-build-QqjGha/setup.py", line 18, in build_pintool
raise ValueError("Unable to build pintool")
ValueError: Unable to build pintool

----------------------------------------

Command "/home/peto/qsym/venv/bin/python2 -u -c "import setuptools, tokenize;file='/tmp/pip-req-build-QqjGha/setup.py';f=getattr(tokenize, 'open', open)(file);code=f.read().replace('\r\n', '\n');f.close();exec(compile(code, file, 'exec'))" install --record /tmp/pip-record-gr2RlI/install-record.txt --single-version-externally-managed --compile --install-headers /home/peto/qsym/venv/include/site/python2.7/qsym" failed with error code 1 in /tmp/pip-req-build-QqjGha/

Hello,
I am currently trying to get QSYM to work and am facing a few questions regarding the setup, with which you can maybe help me out:

1. Do the inputs AFL_CMDLINE and QSYM_CMDLINE have to be paths to a binary (QEMU mode AFL) or just the source code of the target program I want to fuzz?
2. I guess AFL_CMDLINE and QSYM_CMDLINE have to point to the same program for it to make any sense, right? So AFL_CMDLINE would point to an instrumented target (compiled with afl-cc) and QSYM_CMDLINE to the same program but compiled normally? (or completely uncompiled? does qsym compile it itself?)
3. How exactly would I go about running it via Docker? When builiding a container via the provided Dockerfile, there is no AFL installed inside this container and I cannot access an AFL installation outside of the container from within. Would I have to add to the Dockerfile to also install AFL inside the container, so I can follow the instructions under "Run hybrid fuzzing with AFL" in your ReadMe?
4. What exactly do the commands listed under your point "Run for testing" in your ReadMe do? Is that just to test if QSYM was installed correctly or is this actually another way of fuzzing a target without the hybrid method with AFL master+slave explained in the chapter above that in your ReadMe?

I am trying to understand how everything works, so I apologize for all the questions, but I would be very glad if you could help me.

Thanks a lot and best wishes!

Hello, I tried QSYM using ImageMagick in Docker environment with an ubuntu 16.04 server.
However, when it analyzes magick binary, the pin program crashes.
Debugging shows it seems to generate a xbegin instruction which is not supported on my server.
Dry run without instrumentation is fine. Do you have any idea about this issue?
Here is some log

......
[INFO] fixed mapping via mmap(2) at 0x7f9c4f082000
[INFO] IMG: /usr/lib/x86_64-linux-gnu/libfreetype.so.6
[INFO] IMG: /lib/x86_64-linux-gnu/libpng12.so.0
[INFO] IMG: /usr/lib/x86_64-linux-gnu/libfontconfig.so.1
[INFO] IMG: /usr/lib/x86_64-linux-gnu/libxml2.so.2
[INFO] IMG: /lib/x86_64-linux-gnu/libz.so.1
[INFO] IMG: /usr/lib/x86_64-linux-gnu/libgomp.so.1
[INFO] IMG: /lib/x86_64-linux-gnu/libm.so.6
[INFO] IMG: /lib/x86_64-linux-gnu/libgcc_s.so.1
[INFO] IMG: /lib/x86_64-linux-gnu/libpthread.so.0
[INFO] IMG: /lib/x86_64-linux-gnu/libc.so.6
[INFO] IMG: /lib/x86_64-linux-gnu/libexpat.so.1
[INFO] IMG: /lib/x86_64-linux-gnu/libdl.so.2
[INFO] IMG: /usr/lib/x86_64-linux-gnu/libicuuc.so.55
[INFO] IMG: /lib/x86_64-linux-gnu/liblzma.so.5
[INFO] IMG: /usr/lib/x86_64-linux-gnu/libicudata.so.55
[INFO] IMG: /usr/lib/x86_64-linux-gnu/libstdc++.so.6
C: Tool (or Pin) caused signal 4 at PC 0x7f9cbc669d00
C: Location may be in in-lined analysis code, try re-running with '-inline 0' to debug it[1]    10316 illegal hardware instruction -ifeellucky -t  -logfile /tmp/tmpPVaJv1/qsym-out-0/pin.log -i

Hi guys,

I tried to run qsym in docker with the command as below, however it failed everytime. My guess if qsym cannot find /tmp/tmpzyrIYP and the new inputs in it. However I can get access to those files under root. I also tried to run qsym command in root but it didn't work. Any idea why this happened?

root@a0c7f4708328:/mnt/Research/afl_qsym_test/qsym# bin/run_qsym_afl.py -a afl-slave -o /mnt/Research/afl_qsym_test/base64/findings/ -n qsym -- /mnt/Research/afl_qsym_test/base64/base64 -d @@
DEBUG:qsym.afl:Temp directory=/tmp/tmpzyrIYP
DEBUG:qsym.afl:Run qsym: input=/mnt/Research/afl_qsym_test/base64/findings/afl-slave/queue/id:000068,src:000036+000050,op:splice,rep:32,+cov
DEBUG:qsym.Executor:Executing timeout -k 5 90 /usr/local/lib/python2.7/dist-packages/qsym/../../../../third_party/pin-2.14-71313-gcc.4.4.7-linux/pin.sh -ifeellucky -t /usr/local/lib/python2.7/dist-packages/qsym/pintool/obj-intel64/libqsym.so -logfile /tmp/tmpzyrIYP/qsym-out-0/pin.log -i /mnt/Research/afl_qsym_test/base64/findings/qsym/.cur_input -f 1 -o /tmp/tmpzyrIYP/qsym-out-0 -l 1 -b /mnt/Research/afl_qsym_test/base64/findings/qsym/bitmap -- /mnt/Research/afl_qsym_test/base64/base64 -d /mnt/Research/afl_qsym_test/base64/findings/qsym/.cur_input
DEBUG:qsym.afl:Total=11 s, Emulation=9 s, Solver=1 s, Return=0
Traceback (most recent call last):
  File "bin/run_qsym_afl.py", line 47, in <module>
    main()
  File "bin/run_qsym_afl.py", line 41, in main
    e.run()
  File "/usr/local/lib/python2.7/dist-packages/qsym/afl.py", line 356, in run
    self.run_file(fp)
  File "/usr/local/lib/python2.7/dist-packages/qsym/afl.py", line 376, in run_file
    if not self.minimizer.check_testcase(testcase):
  File "/usr/local/lib/python2.7/dist-packages/qsym/minimizer.py", line 64, in check_testcase
    proc = sp.Popen(cmd, stdin=sp.PIPE, stdout=devnull, stderr=devnull)
  File "/usr/lib/python2.7/subprocess.py", line 711, in __init__
    errread, errwrite)
  File "/usr/lib/python2.7/subprocess.py", line 1343, in _execute_child
    raise child_exception
OSError: [Errno 2] No such file or directory

Hi,

I'm trying to run the QSYM on the virtual machine (VirtualBox on the Windows 2012 r2)
I don't see any errors but the qsym doesn't generate any new testcases. I tried with instrumented binary and without. I also stopped the AFL so no new coverage is added.

`DEBUG:qsym.afl:Total=48 s, Emulation=48 s, Solver=0 s, Return=255
DEBUG:qsym.afl:Generate 41 testcases
DEBUG:qsym.afl:0 testcases are new

DEBUG:qsym.afl:Total=185 s, Emulation=185 s, Solver=0 s, Return=-9
DEBUG:qsym.afl:Generate 298 testcases
DEBUG:qsym.afl:0 testcases are new

DEBUG:qsym.afl:Total=185 s, Emulation=185 s, Solver=0 s, Return=-9
DEBUG:qsym.afl:Generate 252 testcases
DEBUG:qsym.afl:0 testcases are new
`

What can be wrong? Can I check any logs to see what is the problem? Or is there any easy way to confirm that QSYM works?

Regards
Marek

I followed the install instructions:

; disable ptrace_scope for PIN
$ echo 0|sudo tee /proc/sys/kernel/yama/ptrace_scope

; install z3 and system deps
$ ./setup.sh

; install using virtual env
$ virtualenv venv
$ source venv/bin/activate
$ pip install .

and tried running the tests

$ cd tests
$ python build.py
$ python -m pytest -n $(nproc)

It seems like I also need to pip install python-afl and something else that provides from executor import Executor to resolve dependency errors when running the tests?

I can't figure out which package I need to install to resolve the from executor import Executor error.

I found some information in AFL's docs parallel_fuzzing.txt that you can synchronize new inputs with parallel fuzzing just by adding a directory (let's say qsym) in output directory of fuzzing. You can put new inputs with sequential name id:nnnnnn in output/qsym/queue. I tried with pure AFL but looks like nothing in this directory has been synchronized. Can I ask how QSYM did for synchronization? I can see the maintenance of bitmap in qsym but I think that's just for selecting and narrowing new inputs.

Hello,

I've been testing QSYM + 1xAFL (slave) and noticed that the QSYM-generated inputs are being written to $OUTDIR/qsym/queue (and not our_dir/afl-slave/queue). Is this the intended output?

Thanks,
-Stefan

Hi guys,

Thank you for amazing project. Does QSYM support AFL with ASAN mode ?

I tried it for one open-source project and it worked pretty good without ASAN but when I compile my target with Address Sanitizer, QSYM reports "0 testcases are new".

Hello qsym community and thank you for your nice work.
I recently wanted to run qsym using the docker image but get several errors while building it.

Mainly:

efile:4112: recipe for target 'z3' failed
/workdir/qsym/third_party/z3 /workdir/qsym



small_object_allocator.cpp:(.text+0xc53): undefined reference to `std::basic_ostream<char, std::char_traits<char> >& std::__ostream_insert<char, std::char_traits<char> >(std::basic_ostream<char, std::char_traits<char> >&, char const*, int)'
small_object_allocator.cpp:(.text+0xc6e): undefined reference to `std::basic_ostream<char, std::char_traits<char> >& std::__ostream_insert<char, std::char_traits<char> >(std::basic_ostream<char, std::char_traits<char> >&, char const*, int)'
util/util.a(small_object_allocator.o):small_object_allocator.cpp:(.text+0xcb1): more undefined references to `std::basic_ostream<char, std::char_traits<char> >& std::__ostream_insert<char, std::char_traits<char> >(std::basic_ostream<char, std::char_traits<char> >&, char const*, int)' follow
collect2: error: ld returned 1 exit status
make: *** [z3] Error 1

,

Collecting pytest>=4.4.0 (from pytest-xdist->qsym===0.1)
  Downloading https://files.pythonhosted.org/packages/3a/3b/f839b8431582e0f4e5f98230300db70b795f467503b2cdb0bf7eb9b18351/pytest-5.2.1.tar.gz (971kB)
  Running setup.py (path:/tmp/pip-build-F1lVhE/pytest/setup.py) egg_info for package pytest produced metadata for project name unknown. Fix your #egg=pytest fragments.

and

Command "/usr/bin/python -u -c "import setuptools, tokenize;__file__='/tmp/pip-jbTM4_-build/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-0fhZeV-record/install-record.txt --single-version-externally-managed --compile" failed with error code 1 in /tmp/pip-jbTM4_-build/
You are using pip version 8.1.1, however version 19.2.3 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.

I am on ubuntu16.04.

Am i missing something?
Best.

Hi,
When running AFL (only master or with a slave), everything works well. However, after starting Qsym on AFL test-cases, it gets stuck after a while (between minutes to half an hour)

I am running the tasks on a server with 122 GB RAM available.

Any guesses why it happens?
Thanks!

Hi guys! I had some problems with the tool. I installed everything as told in README.md. When I run
python -m pytest -n $(nproc)
I got a lot of errors. An example is as below.

___________________________________ test_dup ___________________________________
[gw0] linux2 -- Python 2.7.12 /home/natalie/Research/qsym/venv/bin/python
def test_dup():
testcases = get_all_testcases("dup")
# default + 0xdeadbeef
assert len(testcases) == 2
E AssertionError: assert 1 == 2
E + where 1 = len(['\x00\x00\x00\x00\n'])
test_schedule.py:79: AssertionError
------------------------------ Captured log call -------------------------------
executor.py 92 DEBUG Executing /home/natalie/Research/qsym/venv/lib/python2.7/site-packages/qsym/../../../../third_party/pin-2.14-71313-gcc.4.4.7-linux/pin.sh -ifeellucky -t /home/natalie/Research/qsym/venv/lib/python2.7/site-packages/qsym/pintool/obj-intel64/libqsym.so -logfile /tmp/qsym-sf0C_q/qsym-out-0/pin.log -i /tmp/qsym-B8Vz_X -s 1 -o /tmp/qsym-sf0C_q/qsym-out-0 -b /tmp/qsym-hLzZtC -- /home/natalie/Research/qsym/tests/schedule/dup/main
========================== 249 failed in 2.82 seconds ==========================

Also, I got this in the pin.log file.

Pin 2.14 kit 71293
E: Unable to load /home/natalie/Research/qsym/venv/lib/python2.7/site-packages/qsym/pintool/obj-intel64/libqsym.so: /home/natalie/Research/qsym/venv/lib/python2.7/site-packages/qsym/pintool/obj-intel64/libqsym.so: undefined symbol: _ZN4llvm24DisableABIBreakingChecksE

I have no idea about where this symbol comes from.

Another question about this tool: can I use it to fuzz 64-bit binaries? I saw your TODO file and it says it is going to support both 32bit and 64bit. But for now, is it compatible with 64bit binaries?

I am now using a Ubuntu 14.04 64bit machine.

If I run the tests, there are 249 tests and 249 failures. For example:

target = '/usr/local/google/home/benl/git-work/qsym/tests/syscall/mremap'

    def test_syscall(target):
>       assert run_single_test(target)
E       AssertionError: assert False
E        +  where False = run_single_test('/usr/local/google/home/benl/git-work/qsym/tests/syscall/mremap')

test_syscall.py:19: AssertionError

Hi,
I notice the usage tells to use the non-instrumented binary for qsym. I wonder if I can run it on the instrumented binary? if so, will it cause any problems? Thank you.

The file pin.log
Pin 2.14kit 71293
E: Unable to load /home/kj/qsym/venv/lib/python2.7/site-packages/qsym/pintool/obj-intel64/libqsym.so: /home/kj/qsym/venv/lib/python2.7/site-packages/qsym/pintool/obj-intel64/libqsym.so:
undefined symbol:Z3_is_seq_sort

Thank you!

When node->getDependencies() returns an empty set, the loop is not executed, so the tree is also not updated. Thus, it directly accesses tree, which is initialized to null pointer, after the loop. I'm not sure if we can just add a nullptr check here or the dependency set should not be empty. In my case, the node is a ConstantExpr, so it does not have any child.

I'm using this temporary fix to avoid crashes.

diff --git a/qsym/pintool/dependency.h b/qsym/pintool/dependency.h
index 0a1d185..2f3594e 100644
--- a/qsym/pintool/dependency.h
+++ b/qsym/pintool/dependency.h
@@ -80,7 +80,8 @@ namespace qsym {
           }
           forest_[index] = tree;
         }
-        tree->addNode(node);
+        if (tree != nullptr)
+          tree->addNode(node);
       }
 
     private:

qsym always says that solving time is 0sec.

DEBUG:qsym.afl:Total=90 s, Emulation=90 s, Solver=0 s, Return=124

I found that qsym tries to find log lines starting with SMT: in pin.log, but the pintool saves SMT time logs with a prefix [STAT].

 [STAT] SMT: { "solving_time": 456074, "total_time": 256521223 }
 [STAT] SMT: { "solving_time": 456386 }
 [STAT] SMT: { "solving_time": 456386, "total_time": 256521872 }
 [STAT] SMT: { "solving_time": 456560 }

and, one more really minor thing I want to point out is that I think this variable name MS_TO_S should be US_TO_S(microsecond).

Hi,
I'm trying to set only few bytes in the input as symbolic.

My idea is to transform the makeExpr method in memory.h from

  inline void makeExpr(ADDRINT addr) {
    ExprRef e = g_expr_builder->createRead(off_++);
    setExprToMem(addr, e);
  }

to something like this:

  inline void makeExpr(ADDRINT addr) {
   ExprRef e = g_expr_builder->createRead(off_++);
    if(off_ not in symbolic_offsets) {
      e = e.evaluateImpl();
    }
    setExprToMem(addr, e);
  }

Can you give me an opinion about this? Do you think that is possible to use QSYM in this way?
I'm modifying the right part of the codebase?

Thanks :)

My own experience: check() is much faster than get_model(). Maybe we need to change the tactics to solve this issue.

The first of all thank you for perfect work.
I install QSYM successfully by the following README and I install AFL 2.52b as well.
However, when I run QSYM_CMDLINE bin/run_qsym_afl.py -a afl-slave -o output/ -n qsym -- ./home/bek/Desktop/qsym/uniq I get ERROR IOError: [Errno 2] No such file or directory: 'output/afl-slave/fuzzer_stats

(venv) bek@ubuntu:~/Desktop/qsym$bin/run_qsym_afl.py -a afl-slave -o output/ -n qsym -- ./home/bek/Desktop/qsym/uniq Traceback (most recent call last): File "bin/run_qsym_afl.py", line 47, in <module> main() File "bin/run_qsym_afl.py", line 39, in main args.name, args.filename, args.mail, args.asan_bin) File "/home/bek/Desktop/qsym/venv/local/lib/python2.7/site-packages/qsym/afl.py", line 130, in __init__ cmd, afl_path, qemu_mode = self.parse_fuzzer_stats() File "/home/bek/Desktop/qsym/venv/local/lib/python2.7/site-packages/qsym/afl.py", line 197, in parse_fuzzer_stats cmd = get_afl_cmd(os.path.join(self.afl_dir, "fuzzer_stats")) File "/home/bek/Desktop/qsym/venv/local/lib/python2.7/site-packages/qsym/afl.py", line 65, in get_afl_cmd with open(fuzzer_stats) as f: IOError: [Errno 2] No such file or directory: 'output/afl-slave/fuzzer_stats'
Even I create folder "afl-slave -> fuzzer_stats" There is an error anyway!
I am a beginner in software testing area, maybe I wrote something wrong.
Any advice will be appreciated.

Thanks for releasing qsym. This project is really awesome.

We recently tried to run qsym on LAVA but we do not know how to turn on/off the optimistic solving. When running qsym with the default options, we obtained results that are more like those without optimistic solving (Fig. 11 in the paper of USENIX Security).

Our settings:
Ubuntu 16.04, 64bit,
Intel(R) Core(TM) i7-7700 CPU @ 3.60GHz, 16 GB memory
afl 2.52b, one master and one slave.

Hi,

I'm confused about how QSYM decide whether a ExprRef is concrete or not. Please have a look at loop.c, shouldn't the branch at line 25 is symbolic? //if ( c == '\n' ) {

However, the attached my.log shows that this becomes concrete after loop counter increases to 24. Is there something wrong during the propagation? I added some log info printing code to qsym/pintool/solver.cpp as follows:

diff --git a/qsym/pintool/solver.cpp b/qsym/pintool/solver.cpp
index 147334f..6cbf29b 100644
--- a/qsym/pintool/solver.cpp
+++ b/qsym/pintool/solver.cpp
@@ -161,8 +161,17 @@ void Solver::addJcc(ExprRef e, bool taken, ADDRINT pc) {
   // Save the last instruction pointer for debugging
   last_pc_ = pc;

-  if (e->isConcrete())
-    return;
+  if (e->isConcrete()){
+   std::ofstream outfile;
+   outfile.open("my.log", std::ios_base::app);
+   outfile << "this branch is concrete(" << pc << "), action: ";
+   if(taken)
+     outfile << "true " << std::endl;
+   else
+     outfile << "false " << std::endl;
+   outfile.close();
+   return;
+  }

   // if e == Bool(true), then ignore
   if (e->kind() == Bool) {

Application loop.c:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

static inline void write2log(const size_t loopCounter){
  FILE *fp = fopen("my.log", "a+");
  if (fp != NULL)
  {
    fprintf(fp, "%lu, ", loopCounter);
    fclose(fp);
  }
}

size_t receive( char *dst, char delim, size_t max ){
    size_t len = 0;
    char c = 0;
    while( len < max ) {
        dst[len] = 0x00;
        if ( read(0, &c, sizeof(unsigned char)) <= 0 ) {
            len = 0;
            goto end;
        }
        // for debug
        write2log(len);
        if ( c == '\n' ) {
            continue;
        }
        dst[len] = c;
        len++;
    }
end:
    return len;
}

int main(int argc, char **argv){
    char packet[256];
    receive(packet, '\n', 255);
    return 0;
}

Command line to run qsym:

#!/bin/bash

set -e
set -x

OPTION=$1
QSYM_PATH=$(pwd)

cd $QSYM_PATH
source venv/bin/activate
####################################################################################
###########################/ The general cases /####################################
####################################################################################
# The root directory of AFL:
export AFL_ROOT=/home/sghzeng/work/afl-2.52b
# The output directory of AFL:
export OUTPUT=/home/sghzeng/work/afl-2.52b/afl_out
####################################################################################
############################/ Target program: Simple_Loop /####################
####################################################################################
# The input directory of AFL
export INPUT=/home/sghzeng/work/afl/afl_in
# The target program of afl instrumented version:
export AFL_CMDLINE=/home/sghzeng/work/test/simpleQA/simpleLoop_afl
# The target program of Non-instrumented version:
export QSYM_CMDLINE=/home/sghzeng/work/test/simpleQA/simpleLoop
####################################################################################
if [ "$OPTION" == "master" ] || [ "$OPTION" == "m" ] ; then
    # run AFL master
    $AFL_ROOT/afl-fuzz -M afl-master -m none -i $INPUT -o $OUTPUT -- $AFL_CMDLINE
fi
if [ "$OPTION" == "slave" ] || [ "$OPTION" == "s" ] ; then
    # run AFL slave
    $AFL_ROOT/afl-fuzz -S afl-slave -m none -i $INPUT -o $OUTPUT -- $AFL_CMDLINE
fi
if [ "$OPTION" == "qsym"  ] || [ "$OPTION" == "q"  ] ; then
    $QSYM_PATH/bin/run_qsym_afl.py -a afl-master -o $OUTPUT -n qsym -- $QSYM_CMDLINE
fi

I use the latest version of QSYM and AFL, with Ubuntu 16.04.6 LTS x64 4.4.0-159-generic.

In the file of <executor.py>. The solving time is not correctly parsed from the log file because of the wrong initialization of LOG_SMT_HEADER . As a result, the solving time is always 0 because the branch of
if l.startswith(LOG_SMT_HEADER): is never entered.

This is how the pin.log file looks like in my case:

There's blank in the beginning of each line, so it should be:
LOG_SMT_HEADER = " [STAT] SMT:" // there's a blank in the beginning
instead of:
LOG_SMT_HEADER = "[STAT] SMT:" // without the blank

In function at ExprRef SymbolicExprBuilder::createDistinct(ExprRef l, ExprRef r) at
https://github.com/sslab-gatech/qsym/blob/master/qsym/pintool/codegen/expr_builder.cpp#L1081

Would it be better if:

ExprRef SymbolicExprBuilder::createDistinct(ExprRef l, ExprRef r) {
-  return createLNot(createEqual(l, r));
+  if (l == r)
+    return createTrue();
+  return ExprBuilder::createDistinct(l, r);
}

Hi,

I'm trying to install qsym using the virtual environment, but it seems I cannot compile pin. The message error was

This kit requires gcc 3.4 or later

While I have gcc 6.3. I'm attaching the full message

virtualError.txt

I cannot install with Docker either, but it might be due to some problems with the proxy, I will try again in another machine. I think it would be useful if you have an image in Docker Hub.

Best,
Sang

Hi,
I am trying to trace only my target binary and ignore all shared libraries.
I found an option of filter_no_shared_libs that should be send to the pin tool, but it does not work for me.

'~/PycharmProjects/Qsym/venv/lib/python2.7/site-packages/qsym/../../../../third_party/pin-2.14-71313-gcc.4.4.7-linux/pin.sh' -ifeellucky -t '~/PycharmProjects/Qsym/venv/lib/python2.7/site-packages/qsym/pintool/obj-intel64/libqsym.so' -filter_no_shared_libs -logfile /tmp/tmpLlMTku/qsym-out-0/pin.log -i ~/PycharmProjects/Qsym/Tests/afl-output/qsym/.cur_input -s '1' -o '/tmp/tmpLlMTku/qsym-out-0' -help -l '1' -b '~/PycharmProjects/Qsym/Tests/afl-output/qsym/bitmap' -- '~/PycharmProjects/Qsym/Tests/test_null_pointer.out'

Please your help.
Thanks.

Hi,

QSYM is a great tool.

Recently when I look at the code, I have one question.

Can I ask why qsym will produce new input when calling makeAddrConcrete? What is this function actually does? I thought it was for getting the value from a certain address?

Regards,

Hi, thanks for open sourcing your work.

I've been testing QSYM on the LAVA-M who dataset, and it appears that QSYM cannot find any bugs. I'm using two AFL instances and a QSYM instance as listed in the README. The queue directory under the QSYM output directory is empty, and all the input files under errors and hangs can run without crashing or hanging.

Any idea where I might have made a mistake?

I am trying to run qsym in a docker container.
However, when i check the output of qsym I only get a lot of:
DEBUG:qsym.afl:Total=0 s, Emulation=0 s, Solver=0 s, Return=247
DEBUG:qsym.afl:Generate 0 testcases
DEBUG:qsym.afl:0 testcases are new

All output dirs of qsym are empty.
Afl seems to run fine (e.g., it finds crashes). Any idea on what I am be doing wrong?