def do_run_test(project, test, apis, run_state, should_call_state):
"""Symbolically executes a single test function."""
if should_call_state:
test_state = project.factory.call_state(test.ea, base_state=run_state)
else:
test_state = run_state
mc = DeepAngr(state=test_state)
# Tell the system that we're using symbolic execution.
mc.write_uint32_t(apis["UsingSymExec"], 8589934591)
mc.begin_test(test)
del mc
errored = []
test_manager = angr.SimulationManager(project=project,
active_states=[test_state],
errored=errored)
try:
test_manager.run()
except Exception as e:
L.error("Uncaught exception: {}\n{}".format(e, traceback.format_exc()))
for state in test_manager.deadended:
DeepAngr(state=state).report()
for error in test_manager.errored:
da = DeepAngr(state=error.state)
da.crash_test()
da.report()
def do_run_test(project, test, apis, run_state):
"""Symbolically executes a single test function."""
test_state = project.factory.call_state(
test.ea,
base_state=run_state)
mc = DeepAngr(state=test_state)
mc.begin_test(test)
del mc
errored = []
test_manager = angr.SimulationManager(
project=project,
active_states=[test_state],
errored=errored)
try:
test_manager.run()
except Exception as e:
L.error("Uncaught exception: {}\n{}".format(e, traceback.format_exc()))
for state in test_manager.deadended:
DeepAngr(state=state).report()
for error in test_manager.errored:
da = DeepAngr(state=error.state)
da.crash_test()
da.report()
def main_take_over(args, project, takeover_symbol):
takeover_ea = find_symbol_ea(project, takeover_symbol)
if not args.klee:
hook_function(project, takeover_ea, TakeOver)
if not takeover_ea:
L.critical("Cannot find symbol `{}` in binary `{}`".format(
takeover_symbol, args.binary))
return 1
entry_state = project.factory.entry_state(
add_options={
angr.options.ZERO_FILL_UNCONSTRAINED_MEMORY,
angr.options.STRICT_PAGE_ACCESS
})
# addr_size_bits = entry_state.arch.bits
# Concretely execute up until `DeepState_TakeOver`.
concrete_manager = angr.SimulationManager(project=project,
active_states=[entry_state])
concrete_manager.explore(find=takeover_ea)
try:
takeover_state = concrete_manager.found[0]
except:
L.critical("Execution never hit `{}` in binary `{}`".format(
takeover_symbol, args.binary))
return 1
try:
run_state = takeover_state.step().successors[0]
except:
L.critical("Unable to exit from `{}` in binary `{}`".format(
takeover_symbol, args.binary))
return 1
# Read the API table, which will tell us about the location of various
# symbols. Technically we can look these up with the `labels.lookup` API,
# but we have the API table for Manticore-compatibility, so we may as well
# use it.
ea_of_api_table = find_symbol_ea(project, 'DeepState_API')
if not ea_of_api_table:
L.critical("Could not find API table in binary `{}`".format(
args.binary))
return 1
_, apis = hook_apis(args, project, run_state)
fake_test = TestInfo(takeover_ea, '_takeover_test', '_takeover_file', 0)
return run_test(project,
fake_test,
apis,
run_state,
should_call_state=False)
def main_unit_test(args, project):
setup_ea = find_symbol_ea(project, 'DeepState_Setup')
if not setup_ea:
L.critical(
"Cannot find symbol `DeepState_Setup` in binary `{}`".format(
args.binary))
return 1
entry_state = project.factory.entry_state(
add_options={
angr.options.ZERO_FILL_UNCONSTRAINED_MEMORY,
angr.options.STRICT_PAGE_ACCESS
})
addr_size_bits = entry_state.arch.bits
# Concretely execute up until `DeepState_Setup`.
concrete_manager = angr.SimulationManager(project=project,
active_states=[entry_state])
concrete_manager.explore(find=setup_ea)
try:
run_state = concrete_manager.found[0]
except:
L.critical(
"Execution never hit `DeepState_Setup` in binary `{}`".format(
args.binary))
return 1
# Hook the DeepState API functions.
mc, apis = hook_apis(project, run_state)
# Find the test cases that we want to run.
tests = mc.find_test_cases()
del mc
L.info("Running {} tests across {} workers".format(len(tests),
args.num_workers))
pool = multiprocessing.Pool(processes=max(1, args.num_workers))
results = []
# For each test, create a simulation manager whose initial state calls into
# the test case function.
test_managers = []
for test in tests:
res = pool.apply_async(run_test, (project, test, apis, run_state))
results.append(res)
pool.close()
pool.join()
return 0
def main():
"""Run DeepState."""
args = DeepAngr.parse_args()
try:
project = angr.Project(
args.binary,
use_sim_procedures=True,
translation_cache=True,
support_selfmodifying_code=False,
auto_load_libs=True,
exclude_sim_procedures_list=['printf', '__printf_chk',
'vprintf', '__vprintf_chk',
'fprintf', '__fprintf_chk',
'vfprintf', '__vfprintf_chk',
'puts', 'abort', '__assert_fail',
'__stack_chk_fail'])
except Exception as e:
L.critical("Cannot create Angr instance on binary {}: {}".format(
args.binary, e))
return 1
setup_ea = find_symbol_ea(project, 'DeepState_Setup')
if not setup_ea:
L.critical("Cannot find symbol `DeepState_Setup` in binary `{}`".format(
args.binary))
return 1
entry_state = project.factory.entry_state(
add_options={angr.options.ZERO_FILL_UNCONSTRAINED_MEMORY,
angr.options.STRICT_PAGE_ACCESS})
addr_size_bits = entry_state.arch.bits
# Concretely execute up until `DeepState_Setup`.
concrete_manager = angr.SimulationManager(
project=project,
active_states=[entry_state])
concrete_manager.explore(find=setup_ea)
try:
run_state = concrete_manager.found[0]
except:
L.critical("Execution never hit `DeepState_Setup` in binary `{}`".format(
args.binary))
return 1
# Read the API table, which will tell us about the location of various
# symbols. Technically we can look these up with the `labels.lookup` API,
# but we have the API table for Manticore-compatibility, so we may as well
# use it.
ea_of_api_table = find_symbol_ea(project, 'DeepState_API')
if not ea_of_api_table:
L.critical("Could not find API table in binary `{}`".format(args.binary))
return 1
mc = DeepAngr(state=run_state)
apis = mc.read_api_table(ea_of_api_table)
# Hook various functions.
hook_function(project, apis['IsSymbolicUInt'], IsSymbolicUInt)
hook_function(project, apis['ConcretizeData'], ConcretizeData)
hook_function(project, apis['ConcretizeCStr'], ConcretizeCStr)
hook_function(project, apis['MinUInt'], MinUInt)
hook_function(project, apis['MaxUInt'], MaxUInt)
hook_function(project, apis['Assume'], Assume)
hook_function(project, apis['Pass'], Pass)
hook_function(project, apis['Crash'], Crash)
hook_function(project, apis['Fail'], Fail)
hook_function(project, apis['Abandon'], Abandon)
hook_function(project, apis['SoftFail'], SoftFail)
hook_function(project, apis['Log'], Log)
hook_function(project, apis['StreamInt'], StreamInt)
hook_function(project, apis['StreamFloat'], StreamFloat)
hook_function(project, apis['StreamString'], StreamString)
hook_function(project, apis['ClearStream'], ClearStream)
hook_function(project, apis['LogStream'], LogStream)
# Find the test cases that we want to run.
tests = mc.find_test_cases()
del mc
L.info("Running {} tests across {} workers".format(
len(tests), args.num_workers))
pool = multiprocessing.Pool(processes=max(1, args.num_workers))
results = []
# For each test, create a simulation manager whose initial state calls into
# the test case function.
test_managers = []
for test in tests:
res = pool.apply_async(run_test, (project, test, apis, run_state))
results.append(res)
pool.close()
pool.join()
return 0
