def main(argv):
try:
afl_binary = sys.argv[1] # name of the program for afl
llvm_obj = sys.argv[2] # name of the program for klee
testcases = sys.argv[3] # testcases for the program used by afl-fuzz
fuzz_time = int(sys.argv[4]) # time to run afl-fuzzer
gcov_dir = sys.argv[5] # gcov
afl_flag = sys.argv[6]
llvm_flag = sys.argv[7]
except IndexError:
print("Wrong number of command line args:", sys.exc_info()[0])
raise
# get a list of functions topologically ordered
args = [
os.environ['HOME'] + "/build/llvm/Release/bin/opt", "-load",
os.environ['HOME'] + "/build/macke-opt-llvm/bin/libMackeOpt.so",
llvm_obj, "--listallfuncstopologic", "-disable-output"
]
result = subprocess.check_output(args)
result = str(result, 'utf-8')
all_funcs_topologic = order_funcs_topologic(result)
print("TOTAL FUNCS : ")
print(len(all_funcs_topologic))
time.sleep(5)
uncovered_funcs = []
if afl_flag == 1:
# run afl-fuzz
pos = afl_binary.rfind('/')
afl_out_dir = afl_binary[:pos + 1] + "afl_results"
args = [
"afl-fuzz", "-i", testcases, "-o", afl_out_dir, afl_binary, "@@"
]
# take the progs args as given from command line
# if sys.argv[5:]:
# args = args + sys.argv[5:]
print("Preparing to fuzz...")
time.sleep(3)
proc = subprocess.Popen(args)
time.sleep(fuzz_time)
os.kill(proc.pid, signal.SIGKILL)
func_list_afl = run_afl_cov(afl_binary, afl_out_dir, gcov_dir)
print(len(func_list_afl))
print(func_list_afl)
print("Computing function coverage after fuzzing...")
time.sleep(3)
for index in range(len(all_funcs_topologic)):
if all_funcs_topologic[index] not in func_list_afl:
uncovered_funcs.append(all_funcs_topologic[index])
# save the list of covered and uncovered functions after fuzzing
cov_funcs = afl_out_dir + "/covered_functions.txt"
with open(cov_funcs, 'w+') as the_file:
the_file.write("%s\n" % len(func_list_afl))
for index in range(len(func_list_afl)):
the_file.write("%s\n" % func_list_afl[index])
uncov_funcs = afl_out_dir + "/uncovered_functions.txt"
with open(uncov_funcs, 'w+') as the_file:
the_file.write("%s\n" % len(uncovered_funcs))
for index in range(len(uncovered_funcs)):
the_file.write("%s\n" % uncovered_funcs[index])
if llvm_flag == 1:
func_dir = OrderedDict()
if afl_flag == 0:
uncovered_funcs = all_funcs_topologic
for index in range(len(uncovered_funcs)):
func = uncovered_funcs[index]
func_dir[func] = 0
targ = "-targeted-function="
covered_from_klee = set()
pos = llvm_obj.rfind('/')
klee_cov_funcs = llvm_obj[:pos + 1] + "covered_funcs.txt"
klee_uncov_funcs = llvm_obj[:pos + 1] + "uncovered_funcs.txt"
print("Preparing to symbolically execute...")
time.sleep(3)
for key in func_dir:
print(key)
if func_dir[key] != 1:
args = [
os.environ['HOME'] +
"/build/klee/Release+Asserts/bin/klee", "--posix-runtime",
"--libc=uclibc", "--only-output-states-covering-new",
"--disable-inlining", "--optimize", "--max-time=60",
"--watchdog", "-search=ld2t", targ + key, llvm_obj,
"--sym-arg 20", "--sym-files 1 100"
]
subprocess.Popen(args)
time.sleep(65)
klee_dir = llvm_obj[:pos + 1] + "klee-last/run.istats"
f = open(klee_dir, "r")
for line in f:
if line[:4] == "cfn=":
covered_from_klee.add(line[4:-1])
for func in covered_from_klee:
if func in func_dir:
func_dir[func] = 1
print(func_dir)
cov_file = open(klee_cov_funcs, 'w+')
uncov_file = open(klee_uncov_funcs, 'w+')
for key in func_dir:
if func_dir[key] == 1:
cov_file.write("%s\n" % key)
else:
uncov_file.write("%s\n" % key)
return 1
def main(argv):
try:
prog = sys.argv[1] # name of the program for afl
prog_klee = sys.argv[2] # name of the program for klee
testcases = sys.argv[3] # testcases for the program used by afl-fuzz
fuzz_time = int(sys.argv[4]) # time to run afl-fuzzer
except IndexError:
print("Wrong number of command line args:", sys.exc_info()[0])
raise
# compile twice with afl-clang
os.environ["AFL_DONT_OPTIMIZE"] = "1"
llvm_obj = prog_klee[:-2] + ".bc"
args = ["afl-clang", "-emit-llvm", "-c", "-g", prog_klee, "-o", llvm_obj]
subprocess.call(args) # creates <prog_name>.bc
afl_binary = prog[:-2] + " _bin"
args = ["afl-clang", prog, "-o",
afl_binary] # creates the instrumented binary to fuzz with afl
subprocess.call(args)
# get a list of functions topologically ordered
# TODO: Document macke-opt-llvm functions
args = [
"opt-3.4", "-load",
"/home/eirini/macke/macke-opt-llvm/bin/libMackeOpt.so", llvm_obj,
"--listallfuncstopologic", "-disable-output"
]
result = subprocess.check_output(args)
all_funcs_topologic = order_funcs_topologic(result)
# run afl-fuzz
afl_out_dir = prog[:-2] + "_afl_out_dir"
afl_binary = "./" + afl_binary
args = ["afl-fuzz", "-i", testcases, "-o", afl_out_dir, afl_binary]
# take the progs args as given from command line
if sys.argv[5:]:
args = args + sys.argv[5:]
proc = subprocess.Popen(args)
time.sleep(fuzz_time)
os.kill(proc.pid, signal.SIGKILL)
func_list_afl = run_afl_cov(prog, afl_out_dir)
print(func_list_afl)
# run KLEE with targeted search with the functions not covered by afl
# be sure it's topologically sorted
uncovered_funcs = []
for elem in all_funcs_topologic:
if elem not in func_list_afl:
uncovered_funcs.append(elem)
# print(uncovered_funcs)
uncovered_funcs = ['matchhere']
os.chdir("../")
targ = "-targeted-function="
# while loop: while there are uncovered functions
# remove also the functions that covered during this klee run
while (uncovered_funcs):
temp = uncovered_funcs
elem = temp.pop(0)
args = [
"/home/eirini/repos/klee/Release+Asserts/bin/klee",
"--disable-inlining", "-search=ld2t", targ + elem, llvm_obj
]
subprocess.call(args)
# check which funcs are covered and remove them
f = open("klee-last/run.istats", "r")
covered_from_klee = set()
for line in f:
if line[:4] == "cfn=":
covered_from_klee.add(line[4:-1])
covered_from_klee = list(covered_from_klee)
print(covered_from_klee)
for l in covered_from_klee:
if l in temp:
temp.remove(l)
uncovered_funcs = temp
print(uncovered_funcs)
return 1