Code repository for "InstruGuard: Find and Fix Instrumentation Errors for Coverage-based Greybox Fuzzing" (in ASE'21).
InstruGuard detects instrumentation errors by static analysis on target binaries, and fixes them with a general solution based on binary rewriting. Please refer to the paper for more details.
- The error detection script is tested in IDA 7.0 and Ghidra 11.1.2, not sure if other versions could run the script.
# Install Ghidra 11.1.2
$ wget https://github.com/NationalSecurityAgency/ghidra/releases/download/Ghidra_11.1.2_build/ghidra_11.1.2_PUBLIC_20240709.zip
$ unzip ghidra_11.1.2_PUBLIC_20240709.zip- RetroWrite requires python3 and python3-venv, make sure they are installed on system.
- Run
./setup.shto setup RetroWrite andaflig.
To detect instrumentation errors,
if you are using IDA with GUI, just click File->Script file and select the ./find/IDA_checkinstru.py.
Or you can use the command line (Here we take example/test as an example):
For IDA:
$ PATH_TO_IDAPRO -A -S./find/IDA_checkinstru.py example/test
For Ghidra
$ ./ghidra_11.1.2_PUBLIC/support/analyzeHeadless ./example instruguard -import example/test -scriptPath ./find -postScript Ghidra_checkinstru.py -overwrite
IDA_checkinstru.py/Ghidra_checkinstru.py will generate two files:
test_instru.log, a report for human to read.test_instru.json, a diction which includes the MIL, EIL, and normal instrumentation.
Since RetroWrite now only supports programs compiled as position independent code (PIC/PIE), you can compile the target programs with the ./fix/aflig/afl-clang-fast, in which we add -f inside this afl-clang-fast.
Or you can add the arguments yourself during the compilation.
To fix the program with instrumentation errors, you need to:
- Generate assembly code for the target programs:
$ source ./fix/retrowrite/retro/bin/activate $ ./fix/retrowrite/retrowrite example/test example/test.s - Modify the assembly code with the instrumentation information we collect (i.e.
nm_instru.json):$ python ./fix/fix_asm.py --asm_file example/test.s --instru_info test_instru.json -O example/test+.s - Compile the modified assembly code:
LDFLAGS could be found in the Makefile/configure/CMAKEFile of the target program.
$ ./fix/aflig/afl-ig example/test+.s -o example/test+ -ldl
In example folder, we demonstrate an example and show how to use InstruGuard. Read example/README.md for more details.
The source code of the dataset in our paper can be downloaded here. We also put the binaries compiled by afl-clang-fast of AFL and the fixed binaries.