def check_s2e_vm():
''' check whether s2e vm images exists '''
vm_file_list = [
'{}/vm/i386/disk.s2e'.format(S2EDIR),
'{}/vm/i386/disk.s2e.saved'.format(S2EDIR),
'{}/vm/x86_64/disk.s2e'.format(S2EDIR),
'{}/vm/x86_64/disk.s2e.saved'.format(S2EDIR)
]
need_get = False
for vm_file in vm_file_list:
if not os.path.isfile(vm_file):
need_get = True
if need_get == False:
print_sep()
print '[C]: s2e guest VM images found!'
return need_get
# download vm file
print_sep()
print '[C]: ONE OR MORE S2E VM IMAGE NOT FOUND at dir [{}/vm]'.format(
S2EDIR)
answer = 'input'
while answer.lower() not in ['', 'y', 'n', 'yes', 'no']:
answer = raw_input('Do you want the script to set it up? (Y/n): ')
if not answer.lower() in ['', 'y', 'yes']:
print '[C]: cimfunzz won\'t work without s2e image, Exiting now ...'
exit(0)
return need_get
def run_watcher(d_s, argv):
'''execute the directory watcher for each of the AFL instance '''
setproctitle.setproctitle('cimfuzz file watcher')
import watcher
launcher_args = dict()
db_config = dict()
db_config['database'] = argv['database']
db_config['user'] = argv['user']
db_config['password'] = argv['password']
db_config['host'] = argv['host']
db_config['port'] = argv['port']
launcher_args['db_config'] = db_config
launcher_args['qemu'] = '{}/qemu-{}'.format(argv['qemu'], argv['arch'])
launcher_args['project_id'] = argv['project_id']
launcher_args['max_testcase_size'] = argv['max_testcase_size']
launcher_args['basedir'] = d_s['.']
# watcher related
launcher_args['out_afl'] = '{}/{}'.format(d_s['out_afl'], argv['fid'])
launcher_args['out_s2e'] = d_s['out_s2e']
launcher_args['seedbox'] = '{}/seedbox/queue'.format(
launcher_args['out_afl'])
print_sep()
print '[C]: args used for launching watcher:'
print ''
pprint.pprint(launcher_args)
print ''
watcher.launch(launcher_args)
def run_afl(d_s, argv, queue=None):
''' start afl with its own launcher script '''
import afl_launcher
launcher_args = dict()
launcher_args['qemu'] = True # qemumode
launcher_args['fuzz_lib'] = argv['fuzz_lib'] # fuzz library
launcher_args['debug'] = argv['debug'] # debug
launcher_args['timeout'] = argv['timeout_afl'] # timeoutofafl
launcher_args['fid'] = argv['fid'] # file id: first 8 bytes of md5
launcher_args['uid'] = argv['docker_uid'] # real user id of the container
launcher_args['docker_img']= argv['docker_afl'] # container name
launcher_args['arch'] = argv['arch'] # binaryarchitecture
launcher_args['parallel'] = argv['num_afl'] # numberofaflprocessestorun
launcher_args['resume'] = argv['resume']
launcher_args['mode'] = argv['mode_afl']
launcher_args['basedir'] = d_s['.']
launcher_args['cmd_file'] = '{}/command.json'.format(d_s['.'])
launcher_args['masters'] = argv.get('num_master') if argv.get('num_master') is not None else argv.get('num_afl')
launcher_args['container_name']= argv['docker_afl']
print_sep()
print '[C]: args used for launching AFL:'
print ''
pprint.pprint(launcher_args)
print ''
# call afl launcher
launcher = afl_launcher.AFLLauncher(launcher_args)
container = launcher.launch()
if queue:
queue.put(container)
return container
def run_fuzz(argv):
''' run the test '''
# check the requirements of cim_fuzz
check_req(argv)
# working directory name
working_dir = '{}/cb_{}'.format(
argv['cbhome'], str(datetime.now().strftime('%Y-%m-%d-%H%M%S.%f')))
check_dir(working_dir)
# 1. download from remote or get the file with path
file_name = url_get_file(argv['uri'], working_dir)
# 2. unzip the file
dir_name = unzip(file_name, working_dir)
argv['tar_file'] = file_name
print_sep()
print '[C]: working directory: [{}]'.format(dir_name)
# prepare the experiment directory structure
dir_struct = prepare_dir(dir_name)
# get the architecture of the test binary
binary = '{}/cb'.format(dir_struct['binary'])
bin_arch = get_file_arch(binary)[0]
if bin_arch not in ['32bit', '64bit']:
print '[C]: unsupported file arch!, exiting now'
exit(0)
if bin_arch == '64bit':
argv['arch'] = 'x86_64'
if bin_arch == '32bit':
argv['arch'] = 'i386'
# first 8 bytes of md5 as file id
argv['md5sum'] = md5sum(binary)
argv['fid'] = argv['md5sum'][:8]
check_dir('{}/{}'.format(dir_struct['out_afl'], argv['fid']))
print "out_afl:{}/{}".format(dir_struct['out_afl'], argv['fid'])
# save command to cimfuzz.cmd file
argv.pop('func', None)
with open('{}/cimfuzz.cmd'.format(dir_name), 'w') as fuzz_cmd:
json.dump(argv, fuzz_cmd)
# globals for flask
if argv['afl_only']:
execute_aflonly(dir_struct, argv)
else:
execute(dir_struct, argv)
def check_docker_image(image, c_type):
''' check the docker image and prepare the setup '''
# if docker image already exists
if check_docker_image_exist(image):
return (False, False, False)
print_sep()
print '[C]: [{}] docker image [{}] not found!'.format(
c_type.upper(), image)
if c_type == 'afl':
root_dir = AFLDIR
elif c_type == 's2e':
root_dir = S2EDIR
else:
print '[C]: container type not known, Exiting now ...'
exit(0)
# check tar file
need_import = False
need_build = False
need_export = False
image_tar = '{}/DockerImage/{}.tar'.format(root_dir, image)
file_exist = os.path.isfile(image_tar)
if file_exist:
print '[C]: FOUND local copy of the image at {}'.format(image_tar)
imp = 'input'
while imp.lower() not in ['', 'y', 'n', 'yes', 'no']:
imp = raw_input('Do you want the script to import it? (Y/n): ')
if imp.lower() in ['', 'y', 'yes']:
need_import = True
if need_import == False or not file_exist:
build = 'input'
while build.lower() not in ['', 'y', 'n', 'yes', 'no']:
build = raw_input(
'Do you want the script to build the image? (Y/n): ')
if build.lower() in ['', 'y', 'yes']:
need_build = True
export = 'input'
while export.lower() not in ['', 'y', 'n', 'yes', 'no']:
export = raw_input(
'Export the image to a tar file after build? (Y/n): ')
if export.lower() in ['', 'y', 'yes']:
need_export = True
return (need_import, need_build, need_export)
def build_or_import(root_dir, image, import_img=True):
''' prepare docker image '''
image_tar = '{}/DockerImage/{}.tar'.format(root_dir, image)
if os.path.isfile(image_tar) and import_img:
print '[C]: FOUND local copy of the image at {}'.format(image_tar)
print '[C]: Importing docker image from file ...'
command = 'docker load -i {}'.format(image_tar)
else:
if import_img:
print '[C]: NO local copy of the image found at {}'.format(
image_tar)
print '[C]: Building a new one with Dockerfile at {}/Dockerfile ...'.format(
root_dir)
command = 'docker build -t {} {}/Dockerfile'.format(image, root_dir)
run_command_noret(command)
print_sep()
print '[C]: Build finished ...'
def main(
agent_to_evaluate: str,
opponents: List[str],
n_rounds_per_agent: int,
n_processes: int,
base_path: str,
store_results: bool,
):
# Load all agents
if not agent_to_evaluate.endswith(".py"):
agent_to_evaluate = agent_to_evaluate + ".py"
opponents = [
opponent + ".py" if not opponent.endswith(".py") else opponent
for opponent in opponents
]
# Load all opponents
all_agents = list(Path(base_path).absolute().iterdir())
agent_path = [
agent_path for agent_path in all_agents
if agent_path.name.startswith(agent_to_evaluate)
and not agent_path.name == "__pycache__"
]
opponent_pool_paths = [
agent_path for agent_path in all_agents if any(
agent_path.name.startswith(opponent)
for opponent in opponents) and not agent_path.name == "__pycache__"
]
if len(agent_path) > 1:
raise ValueError(
f"You specified the following agent to be evaluated {agent_to_evaluate}, but there are more then one candidate: {', '.join([agent.name for agent in agent_path])}"
)
else:
agent_path = agent_path.pop()
print(print_sep())
print(
f"The agent {agent_path.name} will be tested against the following agents: {', '.join([agent.name for agent in opponent_pool_paths])}\n"
f"The candidate agent will be tested for {n_rounds_per_agent} rounds against each agent. \nThe process parallelized on {n_processes} processes."
)
prints, results = evaluate_against_opponents(agent_path,
opponent_pool_paths,
n_rounds_per_agent,
n_processes)
print(prints)
if store_results is True:
# Store results in data
file_name = f'data/results_{datetime.datetime.now().strftime("%Y-%m-%d--%H-%M-%S")}.pickle'
with open(file_name, "wb") as file_handler:
pickle.dump(results, file_handler)
print(f"Store results to {file_name}")
def run_s2e(d_s, argv):
''' start s2e with its own launcher script '''
setproctitle.setproctitle('cimfuzz SYM launcher')
import s2e_launcher
launcher_args = dict()
launcher_args['basedir'] = d_s['.'] # /path/to/the/binary/
launcher_args['process'] = argv[
'num_s2e'] # number of s2e processes to run
launcher_args['timeout'] = argv[
'timeout_s2e'] # timeout time for a single s2e instance
launcher_args['debug'] = argv['debug'] # debug
launcher_args['project_id'] = argv['project_id'] # container name
launcher_args['arch'] = argv['arch'] # binaryarchitecture
launcher_args['interval'] = argv['s2e_check_interval']
launcher_args['threshold'] = argv['s2e_launch_threshold']
launcher_args['mem_limit'] = argv['s2e_mem_limit']
db_config = dict()
db_config['database'] = argv['database']
db_config['user'] = argv['user']
db_config['password'] = argv['password']
db_config['host'] = argv['host']
db_config['port'] = argv['port']
launcher_args['db_config'] = db_config
print_sep()
print '[C]: args used for launching S2E:'
print ''
pprint.pprint(launcher_args)
print ''
print_sep()
launcher = s2e_launcher.S2ELauncher(launcher_args)
launcher.start()
def main(
candidate: str,
opponent: str,
n_rounds_per_agent: int,
n_processes: int,
base_path: str,
):
# Load all agents
if not candidate.endswith(".py"):
candidate = candidate + ".py"
if not opponent.endswith(".py"):
opponent = opponent + ".py"
all_agents = list(Path(base_path).absolute().iterdir())
agent_path = [
agent_path for agent_path in all_agents if agent_path.name.startswith(candidate)
]
opponent_path = [
agent_path for agent_path in all_agents if agent_path.name.startswith(opponent)
]
if len(agent_path) == 0:
raise ValueError(
f"Candidate agent {candidate} could not be found in {base_path}"
)
else:
agent_path = agent_path.pop()
if len(opponent_path) == 0:
raise ValueError(
f"Candidate agent {opponent} could not be found in {base_path}"
)
print(print_sep())
print(
f"The agent {agent_path.name} will be tested against the following agent: {opponent_path[0].name}\n"
f"The candidate agent will be tested for {n_rounds_per_agent} rounds against each agent. \nThe process parallelized on {n_processes} processes."
)
prints, _ = evaluate_against_opponents(
agent_path, opponent_path, n_rounds_per_agent, n_processes
)
print(prints)
def check_req(argv):
''' check the requirements of cim_fuzz'''
# check afl docker image
ret = check_docker_image(argv['docker_afl'], 'afl')
(import_afl, build_afl, export_afl) = ret
# (import_afl, build_afl, export_afl) = (False, False, False)
# check s2e docker image
# ret = check_docker_image(argv['docker_s2e'], 's2e')
# (import_s2e, build_s2e, export_s2e) = ret
(import_s2e, build_s2e, export_s2e) = (False, False, False)
# check s2e VM images
# get_s2e_vm = check_s2e_vm()
get_s2e_vm = False
# process afl docker image according to check result
if import_afl:
build_or_import(AFLDIR, argv['docker_afl'], True)
if build_afl:
build_or_import(AFLDIR, argv['docker_afl'], False)
if export_afl:
export_docker_image(argv['docker_afl'], 'afl')
# process s2e docker image according to check result
if import_s2e:
build_or_import(S2EDIR, argv['docker_s2e'], True)
if build_s2e:
build_or_import(S2EDIR, argv['docker_s2e'], False)
if export_s2e:
export_docker_image(argv['docker_s2e'], 's2e')
# process s2e VM images
if get_s2e_vm:
print_sep()
print '[C]: NOW DOWNLOADING S2E VM IMAGE TARBALL'
vm_path = '{}/vm'.format(S2EDIR)
file_name = url_get_file(IMAGE_URL, vm_path)
print_sep()
print '[C]: EXTRACTING DOWNLOADED FILE'
unzip(file_name, vm_path)
# check python packages
pip_check('psycopg2')
pip_check('watchdog')
pip_check('setproctitle')
pip_check('docker')
pip_check('psutil')
pip_check(check='concurrent', install='futures')
globals()['docker'] = __import__('docker')
globals()['setproctitle'] = __import__('setproctitle')
# check for qemu build (for dynamic basic block coverage)
curpath = os.path.dirname(os.path.realpath(__file__))
qemu_1 = '{}/coverage/qemu-x86_64'.format(curpath)
qemu_2 = '{}/coverage/qemu-i386'.format(curpath)
if not os.path.isfile(qemu_1) or not os.path.isfile(qemu_2):
cmd = '{}/coverage/setup.sh'.format(curpath)
run_command_noret(cmd, debug=True)
argv['qemu'] = '{}/coverage'.format(curpath)
print_sep()
print '[C]: Using docker image [{}] as the afl docker for the test'\
.format(argv['docker_afl'])
print '[C]: Using docker image [{}] as the s2e docker for the test'\
.format(argv['docker_s2e'])
