- llvm 11.1.0
- SVF-2.4
- gllvm

We tested on Ubuntu 22.04. If you use another OS, we are not sure whether it works.
- coverage/ : coverage test target binaries and seeds
  - coverage/uniseed/ : UniFuzz seeds
  - coverage/darwin_targets/ : Darwin targets
  - coverage/parmesan_targets/ : ParmeSan targets
- directed/ : directed fuzzing test scripts
- ParmeSan/ : ParmeSan fuzzer
- WindRanger/ : WindRanger fuzzer
Before building Slicer, set the LLVM_DIR environment variable and run setup.sh in SVF:

```shell
export LLVM_DIR=/path/to/llvm-11.1.0
export PATH=/path/to/llvm-11.1.0/bin:$PATH
cd <SVF_path>
./setup.sh
cd <Slicer_path>
./cmake_release.sh
```
- To run the tests, set the environment variables as below:

```shell
export SLICER_DIR=/path/to/Slicer
export AFLGO=/path/to/aflgo
export SELECTFUZZ=/path/to/SelectFuzz
export WINDRANGER=/path/to/windranger
```
- Follow the instructions in the AFLGo repo to install AFLGo.
- Before building AFLGo, patch it with the patch file aflgo_slicer.patch.
- Follow the instructions in the SelectFuzz repo to install SelectFuzz.
- Before building SelectFuzz, patch it with the patch file selectfuzz_slicer.patch.
- We modified the WindRanger source code to make it compatible with llvm 11.1.0, so please use the WindRanger/ directory in this repo.
- Follow the instructions in the WindRanger repo to build WindRanger.
- Targets: cxxflit, listswf, lrzip, objdump, swftophp, swftopython
- Each target has scripts to build and fuzz with AFLGo, SelectFuzz and WindRanger. Follow the steps below.
  - Make the slice information with makesliceinfo_<target>_<CVE-number>.sh
  - Build the target with build_<target>_<sliced_or_original>_<fuzzer>_<CVE-number>.sh
  - Fuzz with fuzz_<target>_<sliced_or_original>_<fuzzer>_<CVE-number>.sh
- Example:

```shell
./makesliceinfo_cxxflit_2016-4487.sh
./build_cxxflit_sliced_aflgo_2016-4487.sh
./fuzz_cxxflit_sliced_aflgo_2016-4487.sh
```

- We used the seeds from UniFuzz.
- We prepared all of the target binaries and seeds in this repository, so you can use them directly.
- Due to the size of the binaries, we do not include ParmeSan target binaries. However, we included their LLVM IR bitcode (.bc) files, so you can build them on your own. See "ParmeSan/Readme.md".
- If you want to build the targets yourself, follow the steps below.
  - Get the LLVM IR bitcode file using gllvm.
  - Compile the LLVM IR bitcode with the BlockTracer pass to produce the binary (see BlockTracer/Readme.md).
  - Compile the LLVM IR bitcode file with afl-clang-fast, afl-clang-fast++ or angora-clang from Darwin or ParmeSan.
- To measure coverage, we developed "BlockTracer".
- All target binaries are compiled with the BlockTracer pass.
- While fuzzing, a target binary writes "block_trace_output_<target_binary_name>.txt".
- This file contains the coverage information of the target binary.
- The file can become very large; "BlockTracer/result_parse.py" helps parse it.
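As an added illustration of how a block trace like the one described above is typically reduced to coverage numbers, here is a small standalone parser. It is not the project's result_parse.py, and the trace format it reads is an assumption (one basic block per line, written as `<function>:<block_index>` in execution order, with repeats); the two traces below are constructed samples, not real fuzzer output. It streams the file line by line (so a very large trace does not have to fit in memory), deduplicates blocks, counts blocks per function, and reports which blocks were reached only by the original or only by the sliced binary.

```python
"""Parse BlockTracer-style block traces and compare two coverage runs.

Added example, not the project's result_parse.py. The trace format is an
ASSUMPTION: one executed basic block per line, "<function>:<block_index>",
in execution order, with repeated lines for repeated executions.
"""
from collections import Counter
from typing import Dict, Iterable, List, Set, Tuple

Block = Tuple[str, int]

# Constructed sample traces (not real BlockTracer output).
ORIGINAL_TRACE = """\
main:0
main:1
parse_args:0
parse_args:3
main:2
process:0
process:1
process:0
process:1
process:5
main:4
"""

SLICED_TRACE = """\
main:0
main:1
parse_args:0
main:2
process:0
process:1
process:5
process:7
main:4
"""


def parse_trace(lines: Iterable[str]) -> Counter:
    """Return a Counter of hit counts per (function, block_index).

    Blank or malformed lines are skipped rather than aborting the run, since a
    multi-gigabyte trace may end mid-line if the fuzzer kills the target.
    """
    hits: Counter = Counter()
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        func, sep, idx = line.rpartition(":")
        if not sep or not func or not idx.isdigit():
            continue
        hits[(func, int(idx))] += 1
    return hits


def parse_trace_file(path: str) -> Counter:
    """Stream a trace file from disk so large outputs need not fit in memory."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return parse_trace(fh)


def unique_block_count(hits: Counter) -> int:
    """Number of distinct basic blocks executed at least once."""
    return len(hits)


def blocks_per_function(hits: Counter) -> Dict[str, int]:
    """Distinct blocks reached, grouped by function."""
    per_func: Dict[str, int] = {}
    for func, _idx in hits:
        per_func[func] = per_func.get(func, 0) + 1
    return per_func


def first_hit_order(lines: Iterable[str]) -> List[Block]:
    """Blocks in the order they were first reached (coverage growth curve)."""
    seen: Set[Block] = set()
    order: List[Block] = []
    for block in parse_trace(lines):  # Counter preserves insertion order
        if block not in seen:
            seen.add(block)
            order.append(block)
    return order


def compare_coverage(original: Counter, sliced: Counter) -> Dict[str, object]:
    """Blocks reached by only one binary, plus the size of the overlap."""
    o, s = set(original), set(sliced)
    return {
        "original_only": sorted(o - s),
        "sliced_only": sorted(s - o),
        "common": len(o & s),
    }


if __name__ == "__main__":
    orig = parse_trace(ORIGINAL_TRACE.splitlines())
    sl = parse_trace(SLICED_TRACE.splitlines())
    print("original unique blocks:", unique_block_count(orig))
    print("sliced unique blocks:", unique_block_count(sl))
    print("per function (original):", blocks_per_function(orig))
    print("diff:", compare_coverage(orig, sl))
```

To use it on a real run, call `parse_trace_file("block_trace_output_<target_binary_name>.txt")` for the original and the sliced binary and pass both Counters to `compare_coverage`; the `rpartition` on the last colon is deliberate so that function names containing colons (e.g. C++ mangled or namespaced names) still parse.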
```shell
<path_to_DARWIN>/afl-fuzz -i coverage/uniseed/<target_seed_dir> -o <out_dir> -m none -t 1000+ coverage/darwin_targets/<original_or_sliced>/<target_binary -with-options>
```

- Example:

```shell
$DARWIN/afl-fuzz -i coverage/uniseed/cflow -o out -m none -t 1000+ coverage/darwin_targets/original/cflow @@
```
- We ported ParmeSan to llvm 11.1.0. Please use the ParmeSan/ directory in this repo to fuzz.
- Again, we do not include ParmeSan target binaries, but we included their LLVM IR bitcode (.bc) files, so you can build them on your own. See "ParmeSan/Readme.md".

```shell
<path_to_Parmesan>/fuzzer -c coverage/parmesan_targets/<original_or_sliced>/<targets.json_from_parmesan> -i coverage/uniseed/<target_seed_dir> -o <out_dir> -t <.track_file_from_parmesan> -s <sanitize_binary_from_parmesan> -- <target_binary -with-options>
```

- Example:

```shell
$PARMESAN/bin/fuzzer -c coverage/parmesan_targets/sliced/cflow.targets.json -i coverage/uniseed/cflow -o out -t coverage/parmesan_targets/sliced/cflow.bt.sliced.track -- coverage/parmesan_targets/sliced/cflow.bt.sliced.fast @@
```