Code repository for "InstruGuard: Find and Fix Instrumentation Errors for Coverage-based Greybox Fuzzing" (in ASE'21).
InstruGuard detects instrumentation errors by static analysis on target binaries, and fixes them with a general solution based on binary rewriting. Please refer to the paper for more details.
- The error detection script is tested in IDA 7.0, not sure if other versions could run the script.
- RetroWrite requires python3 and python3-venv, make sure they are installed on system.
- Run
./setup.shto setup RetroWrite and aflig.
To detect instrumentation errors,
if you are using IDA with GUI, just click File->Script file and select the ./find/IDA_checkinstru.py.
Or you can use the command line (Here we take nm as an example):
$ PATH_TO_IDAPRO -A -S./find/IDA_checkinstru.py PATH_TO_TARGET
IDA_checkinstru.py will generate two files:
nm_instru.log, a report for human to read.nm_instru.json, a diction which includes the MIL, EIL, and normal instrumentation.
Since RetroWrite now only supports programs compiled as position independent code (PIC/PIE), you can compile the target programs with the ./fix/aflig/afl-clang-fast, in which we add -f inside this afl-clang-fast.
Or you can add the arguments yourself during the compilation.
To fix the program with instrumentation errors, you need to:
- Generate assembly code for the target programs:
$ source ./fix/retrowrite/retro/bin/activate $ ./fix/retrowrite/retrowrite nm nm.s - Modify the assembly code with the instrumentation information we collect (i.e.
nm_instru.json):$ python ./fix/fix_asm.py --asm_file nm.s --instru_info nm_instru.json -O nm+.s - Compile the modified assembly code:
LDFLAGS could be found in the Makefile/configure/CMAKEFile of the target program.
$ ./fix/aflig/afl-ig nm+.s -o nm+ -ldl
In example folder, we demonstrate an example and show how to use InstruGuard. Read example/README.md for more details.
The source code of the dataset in our paper can be downloaded here. We also put the binaries compiled by afl-clang-fast of AFL and the fixed binaries.