def main(argv): try: afl_binary = sys.argv[1] # name of the program for afl llvm_obj = sys.argv[2] # name of the program for klee testcases = sys.argv[3] # testcases for the program used by afl-fuzz fuzz_time = int(sys.argv[4]) # time to run afl-fuzzer gcov_dir = sys.argv[5] # gcov afl_flag = sys.argv[6] llvm_flag = sys.argv[7] except IndexError: print("Wrong number of command line args:", sys.exc_info()[0]) raise # get a list of functions topologically ordered args = [ os.environ['HOME'] + "/build/llvm/Release/bin/opt", "-load", os.environ['HOME'] + "/build/macke-opt-llvm/bin/libMackeOpt.so", llvm_obj, "--listallfuncstopologic", "-disable-output" ] result = subprocess.check_output(args) result = str(result, 'utf-8') all_funcs_topologic = order_funcs_topologic(result) print("TOTAL FUNCS : ") print(len(all_funcs_topologic)) time.sleep(5) uncovered_funcs = [] if afl_flag == 1: # run afl-fuzz pos = afl_binary.rfind('/') afl_out_dir = afl_binary[:pos + 1] + "afl_results" args = [ "afl-fuzz", "-i", testcases, "-o", afl_out_dir, afl_binary, "@@" ] # take the progs args as given from command line # if sys.argv[5:]: # args = args + sys.argv[5:] print("Preparing to fuzz...") time.sleep(3) proc = subprocess.Popen(args) time.sleep(fuzz_time) os.kill(proc.pid, signal.SIGKILL) func_list_afl = run_afl_cov(afl_binary, afl_out_dir, gcov_dir) print(len(func_list_afl)) print(func_list_afl) print("Computing function coverage after fuzzing...") time.sleep(3) for index in range(len(all_funcs_topologic)): if all_funcs_topologic[index] not in func_list_afl: uncovered_funcs.append(all_funcs_topologic[index]) # save the list of covered and uncovered functions after fuzzing cov_funcs = afl_out_dir + "/covered_functions.txt" with open(cov_funcs, 'w+') as the_file: the_file.write("%s\n" % len(func_list_afl)) for index in range(len(func_list_afl)): the_file.write("%s\n" % func_list_afl[index]) uncov_funcs = afl_out_dir + "/uncovered_functions.txt" with open(uncov_funcs, 'w+') as the_file: the_file.write("%s\n" % len(uncovered_funcs)) for index in range(len(uncovered_funcs)): the_file.write("%s\n" % uncovered_funcs[index]) if llvm_flag == 1: func_dir = OrderedDict() if afl_flag == 0: uncovered_funcs = all_funcs_topologic for index in range(len(uncovered_funcs)): func = uncovered_funcs[index] func_dir[func] = 0 targ = "-targeted-function=" covered_from_klee = set() pos = llvm_obj.rfind('/') klee_cov_funcs = llvm_obj[:pos + 1] + "covered_funcs.txt" klee_uncov_funcs = llvm_obj[:pos + 1] + "uncovered_funcs.txt" print("Preparing to symbolically execute...") time.sleep(3) for key in func_dir: print(key) if func_dir[key] != 1: args = [ os.environ['HOME'] + "/build/klee/Release+Asserts/bin/klee", "--posix-runtime", "--libc=uclibc", "--only-output-states-covering-new", "--disable-inlining", "--optimize", "--max-time=60", "--watchdog", "-search=ld2t", targ + key, llvm_obj, "--sym-arg 20", "--sym-files 1 100" ] subprocess.Popen(args) time.sleep(65) klee_dir = llvm_obj[:pos + 1] + "klee-last/run.istats" f = open(klee_dir, "r") for line in f: if line[:4] == "cfn=": covered_from_klee.add(line[4:-1]) for func in covered_from_klee: if func in func_dir: func_dir[func] = 1 print(func_dir) cov_file = open(klee_cov_funcs, 'w+') uncov_file = open(klee_uncov_funcs, 'w+') for key in func_dir: if func_dir[key] == 1: cov_file.write("%s\n" % key) else: uncov_file.write("%s\n" % key) return 1
def main(argv): try: prog = sys.argv[1] # name of the program for afl prog_klee = sys.argv[2] # name of the program for klee testcases = sys.argv[3] # testcases for the program used by afl-fuzz fuzz_time = int(sys.argv[4]) # time to run afl-fuzzer except IndexError: print("Wrong number of command line args:", sys.exc_info()[0]) raise # compile twice with afl-clang os.environ["AFL_DONT_OPTIMIZE"] = "1" llvm_obj = prog_klee[:-2] + ".bc" args = ["afl-clang", "-emit-llvm", "-c", "-g", prog_klee, "-o", llvm_obj] subprocess.call(args) # creates <prog_name>.bc afl_binary = prog[:-2] + " _bin" args = ["afl-clang", prog, "-o", afl_binary] # creates the instrumented binary to fuzz with afl subprocess.call(args) # get a list of functions topologically ordered # TODO: Document macke-opt-llvm functions args = [ "opt-3.4", "-load", "/home/eirini/macke/macke-opt-llvm/bin/libMackeOpt.so", llvm_obj, "--listallfuncstopologic", "-disable-output" ] result = subprocess.check_output(args) all_funcs_topologic = order_funcs_topologic(result) # run afl-fuzz afl_out_dir = prog[:-2] + "_afl_out_dir" afl_binary = "./" + afl_binary args = ["afl-fuzz", "-i", testcases, "-o", afl_out_dir, afl_binary] # take the progs args as given from command line if sys.argv[5:]: args = args + sys.argv[5:] proc = subprocess.Popen(args) time.sleep(fuzz_time) os.kill(proc.pid, signal.SIGKILL) func_list_afl = run_afl_cov(prog, afl_out_dir) print(func_list_afl) # run KLEE with targeted search with the functions not covered by afl # be sure it's topologically sorted uncovered_funcs = [] for elem in all_funcs_topologic: if elem not in func_list_afl: uncovered_funcs.append(elem) # print(uncovered_funcs) uncovered_funcs = ['matchhere'] os.chdir("../") targ = "-targeted-function=" # while loop: while there are uncovered functions # remove also the functions that covered during this klee run while (uncovered_funcs): temp = uncovered_funcs elem = temp.pop(0) args = [ "/home/eirini/repos/klee/Release+Asserts/bin/klee", "--disable-inlining", "-search=ld2t", targ + elem, llvm_obj ] subprocess.call(args) # check which funcs are covered and remove them f = open("klee-last/run.istats", "r") covered_from_klee = set() for line in f: if line[:4] == "cfn=": covered_from_klee.add(line[4:-1]) covered_from_klee = list(covered_from_klee) print(covered_from_klee) for l in covered_from_klee: if l in temp: temp.remove(l) uncovered_funcs = temp print(uncovered_funcs) return 1