SYS-OSS/FRET-LibAFL
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update and fix concolic support (#901)

Browse Source 
* fix incorrect assert condition and document it

* update symcc

* adapt to changes in symcc API

* more fixes

* fix formatting

* more fixes

* speed up smoke test by building multiple crates in one command

* update symcc commit to latest main
This commit is contained in:
julihoh 2022-11-19 23:05:15 +01:00 committed by GitHub
parent f7f6392a4b
commit 948c94d695
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 23 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
libafl/src/observers/concolic/mod.rs
View File

@ -58,6 +58,7 @@ impl From<usize> for Location {
pub enum SymExpr { pub enum SymExpr {
InputByte { InputByte {
offset: usize, offset: usize,
value: u8,
}, },
Integer { Integer {
@ -312,9 +313,8 @@ pub enum SymExpr {
op: SymExprRef, op: SymExprRef,
bits: u8, bits: u8,
}, },
BoolToBits { BoolToBit {
op: SymExprRef, op: SymExprRef,
bits: u8,
}, },
Concat { Concat {

9
libafl/src/observers/concolic/serialization_format.rs
View File

@ -135,7 +135,7 @@ impl<R: Read> MessageFileReader<R> {
| SymExpr::FloatToBits { op } | SymExpr::FloatToBits { op }
| SymExpr::FloatToSignedInteger { op, .. } | SymExpr::FloatToSignedInteger { op, .. }
| SymExpr::FloatToUnsignedInteger { op, .. } | SymExpr::FloatToUnsignedInteger { op, .. }
| SymExpr::BoolToBits { op, .. } | SymExpr::BoolToBit { op, .. }
| SymExpr::Extract { op, .. } => { | SymExpr::Extract { op, .. } => {
*op = self.make_absolute(*op); *op = self.make_absolute(*op);
self.current_id += 1; self.current_id += 1;
@ -248,7 +248,10 @@ impl<W: Write + Seek> MessageFileWriter<W> {
// calculate size of trace // calculate size of trace
let end_pos = self.writer.stream_position()?; let end_pos = self.writer.stream_position()?;
let trace_header_len = 0_u64.to_le_bytes().len() as u64; let trace_header_len = 0_u64.to_le_bytes().len() as u64;
assert!(end_pos > self.writer_start_position + trace_header_len); assert!(
end_pos >= self.writer_start_position + trace_header_len,
"our end position can not be before our start position"
);
let trace_length = end_pos - self.writer_start_position - trace_header_len; let trace_length = end_pos - self.writer_start_position - trace_header_len;
// write trace size to beginning of trace // write trace size to beginning of trace
@ -298,7 +301,7 @@ impl<W: Write + Seek> MessageFileWriter<W> {
| SymExpr::FloatToBits { op } | SymExpr::FloatToBits { op }
| SymExpr::FloatToSignedInteger { op, .. } | SymExpr::FloatToSignedInteger { op, .. }
| SymExpr::FloatToUnsignedInteger { op, .. } | SymExpr::FloatToUnsignedInteger { op, .. }
| SymExpr::BoolToBits { op, .. } | SymExpr::BoolToBit { op, .. }
| SymExpr::Extract { op, .. } => { | SymExpr::Extract { op, .. } => {
*op = self.make_relative(*op); *op = self.make_relative(*op);
self.id_counter += 1; self.id_counter += 1;

9
libafl/src/stages/concolic.rs
View File

@ -157,7 +157,7 @@ fn generate_mutations(iter: impl Iterator<Item = (SymExprRef, SymExpr)>) -> Vec<
for (id, msg) in iter { for (id, msg) in iter {
let z3_expr: Option<Dynamic> = match msg { let z3_expr: Option<Dynamic> = match msg {
SymExpr::InputByte { offset } => { SymExpr::InputByte { offset, .. } => {
Some(BV::new_const(&ctx, Symbol::Int(offset as u32), 8).into()) Some(BV::new_const(&ctx, Symbol::Int(offset as u32), 8).into())
} }
SymExpr::Integer { value, bits } => { SymExpr::Integer { value, bits } => {
@ -211,12 +211,9 @@ fn generate_mutations(iter: impl Iterator<Item = (SymExprRef, SymExpr)>) -> Vec<
SymExpr::Sext { op, bits } => Some(bv!(op).sign_ext(u32::from(bits)).into()), SymExpr::Sext { op, bits } => Some(bv!(op).sign_ext(u32::from(bits)).into()),
SymExpr::Zext { op, bits } => Some(bv!(op).zero_ext(u32::from(bits)).into()), SymExpr::Zext { op, bits } => Some(bv!(op).zero_ext(u32::from(bits)).into()),
SymExpr::Trunc { op, bits } => Some(bv!(op).extract(u32::from(bits - 1), 0).into()), SymExpr::Trunc { op, bits } => Some(bv!(op).extract(u32::from(bits - 1), 0).into()),
SymExpr::BoolToBits { op, bits } => Some( SymExpr::BoolToBit { op } => Some(
bool!(op) bool!(op)
.ite( .ite(&BV::from_u64(&ctx, 1, 1), &BV::from_u64(&ctx, 0, 1))
&BV::from_u64(&ctx, 1, u32::from(bits)),
&BV::from_u64(&ctx, 0, u32::from(bits)),
)
.into(), .into(),
), ),
SymExpr::Concat { a, b } => bv_binop!(a concat b), SymExpr::Concat { a, b } => bv_binop!(a concat b),

2
libafl_concolic/symcc_libafl/src/lib.rs
View File

@ -4,7 +4,7 @@
/// The URL of the `LibAFL` `SymCC` fork. /// The URL of the `LibAFL` `SymCC` fork.
pub const SYMCC_REPO_URL: &str = "https://github.com/AFLplusplus/symcc.git"; pub const SYMCC_REPO_URL: &str = "https://github.com/AFLplusplus/symcc.git";
/// The commit of the `LibAFL` `SymCC` fork. /// The commit of the `LibAFL` `SymCC` fork.
pub const SYMCC_REPO_COMMIT: &str = "5cccc33456c48ad83008eb618e7da5d005c72d89"; pub const SYMCC_REPO_COMMIT: &str = "2a3229da6101596af220f20fef5085e59537abcb";
#[cfg(feature = "clone")] #[cfg(feature = "clone")]
mod clone { mod clone {

4
libafl_concolic/symcc_runtime/src/filter.rs
View File

@ -68,7 +68,7 @@ macro_rules! rust_filter_function_declaration {
/// } /// }
/// ///
/// impl Filter for SelectiveSymbolication { /// impl Filter for SelectiveSymbolication {
/// fn get_input_byte(&mut self, offset: usize) -> bool { /// fn get_input_byte(&mut self, offset: usize, value: u8) -> bool {
/// self.bytes_to_symbolize.contains(&offset) /// self.bytes_to_symbolize.contains(&offset)
/// } /// }
/// // Note: No need to implement methods that we are not interested in! /// // Note: No need to implement methods that we are not interested in!
@ -150,7 +150,7 @@ impl SelectiveSymbolication {
} }
impl Filter for SelectiveSymbolication { impl Filter for SelectiveSymbolication {
fn get_input_byte(&mut self, offset: usize) -> bool { fn get_input_byte(&mut self, offset: usize, _value: u8) -> bool {
self.bytes_to_symbolize.contains(&offset) self.bytes_to_symbolize.contains(&offset)
} }
} }

4
libafl_concolic/symcc_runtime/src/tracing.rs
View File

@ -62,7 +62,7 @@ macro_rules! binary_expression_builder {
} }
impl Runtime for TracingRuntime { impl Runtime for TracingRuntime {
expression_builder!(get_input_byte(offset: usize) => InputByte); expression_builder!(get_input_byte(offset: usize, value: u8) => InputByte);
expression_builder!(build_integer(value: u64, bits: u8) => Integer); expression_builder!(build_integer(value: u64, bits: u8) => Integer);
expression_builder!(build_integer128(high: u64, low: u64) => Integer128); expression_builder!(build_integer128(high: u64, low: u64) => Integer128);
@ -144,7 +144,7 @@ impl Runtime for TracingRuntime {
expression_builder!(build_float_to_bits(op: RSymExpr) => FloatToBits); expression_builder!(build_float_to_bits(op: RSymExpr) => FloatToBits);
expression_builder!(build_float_to_signed_integer(op: RSymExpr, bits: u8) => FloatToSignedInteger); expression_builder!(build_float_to_signed_integer(op: RSymExpr, bits: u8) => FloatToSignedInteger);
expression_builder!(build_float_to_unsigned_integer(op: RSymExpr, bits: u8) => FloatToUnsignedInteger); expression_builder!(build_float_to_unsigned_integer(op: RSymExpr, bits: u8) => FloatToUnsignedInteger);
expression_builder!(build_bool_to_bits(op: RSymExpr, bits: u8) => BoolToBits); expression_builder!(build_bool_to_bit(op: RSymExpr) => BoolToBit);
binary_expression_builder!(concat_helper, Concat); binary_expression_builder!(concat_helper, Concat);
expression_builder!(extract_helper(op: RSymExpr, first_bit:usize, last_bit:usize) => Extract); expression_builder!(extract_helper(op: RSymExpr, first_bit:usize, last_bit:usize) => Extract);

8
libafl_concolic/test/expected_constraints.txt
View File

@ -1,7 +1,7 @@
1 InputByte { offset: 0 } 1 InputByte { offset: 0, value: 49 }
2 InputByte { offset: 1 } 2 InputByte { offset: 1, value: 50 }
3 InputByte { offset: 2 } 3 InputByte { offset: 2, value: 51 }
4 InputByte { offset: 3 } 4 InputByte { offset: 3, value: 52 }
5 Concat { a: 2, b: 1 } 5 Concat { a: 2, b: 1 }
6 Concat { a: 3, b: 5 } 6 Concat { a: 3, b: 5 }
7 Concat { a: 4, b: 6 } 7 Concat { a: 4, b: 6 }

9
libafl_concolic/test/smoke_test.sh
View File

@ -16,7 +16,7 @@ if [ ! -d "symcc" ]; then
echo "cloning symcc" echo "cloning symcc"
git clone https://github.com/AFLplusplus/symcc.git symcc git clone https://github.com/AFLplusplus/symcc.git symcc
cd symcc cd symcc
git checkout 5cccc33456c48ad83008eb618e7da5d005c72d89 git checkout 2a3229da6101596af220f20fef5085e59537abcb
cd .. cd ..
fi fi
@ -30,11 +30,8 @@ if [ ! -d "symcc_build" ]; then
fi fi
echo "building runtime" echo "building runtime and dump_constraints"
cargo build -p runtime_test cargo build -p runtime_test -p dump_constraints
echo "building dump_constraints"
cargo build -p dump_constraints
echo "building target" echo "building target"
SYMCC_RUNTIME_DIR=../../target/debug symcc_build/symcc symcc/test/if.c -o "if" SYMCC_RUNTIME_DIR=../../target/debug symcc_build/symcc symcc/test/if.c -o "if"