Additional Questions (sorry, don't know where to put them) #27
Comments
|
I think it's perfectly fine to create issues for these questions so that others can find the answers as well :)
Yes, and I should document it better: SymCC never changes the length of the input (which is the same behavior as, for example, QSYM or S2E). We rely on the fuzzer to vary the input length. If you want to run only concolic execution, you can pick an input that is known to be long enough - in the case of the example program, SymCC will insert null characters in various positions and eventually produce a string of length 4 that leads to the interesting code path (see the helper script to automate the process of repeatedly running SymCC on a target, and #14 for some drawbacks of this approach).
So this is outside the Docker container? Could you show me the SymCC-related output of
This is because we currently don't have wrappers for the string-related functions in libc; see #23. My comment on the issue mentions three possible solutions; I agree that the first should be implemented at least for the most common functions (which should be really easy), but I haven't had the time yet. (Note that the C++ equivalent will work because the instrumented libc++ enables SymCC to see the internals of the string comparison; it is, unfortunately, much harder to get users to work with an instrumented libc...) |
|
Below is the content for 'env'. This is within the docker container created from the Dockerfile ubuntu@symcc:~$ env |
|
So the build issues that you asked about in (2) are inside the Docker container? That's curious - I double-checked the Docker image after reading your message, and it worked fine for me. Maybe some changes in the base image that affect SymCC? 🤔 But if building inside the container doesn't work for you, does that mean you did the experiments that you mentioned in (1) outside the container? Sorry for the confusion, I think I'm missing something... |
|
The first experiment was performed within docker as well. After the container was successfully built, i see a built copy of the file. I will redo the entire container later today to see I am seeing the same behaviour. |
|
I rebuilt docker and I can compile sample.cpp fine again. |
So i suspect my compilation of my target under symcc is not working correctly. I went back to the 'whiteboard' and try to build some basic code to ensure it generates some output under /tmp/output.
(1) I first played with the sample.cpp that came with the docker file. I noticed the solution is only discovered if i provided an input with a string length equal to the value that is being compared (root). If i tried anything else such as echo 'a' or echo 'aaaaa' and pass it to the sample binary. the generated solution under /tmp/output does not contain 'root'. Is this the correct behaviour?
(2) The second thing I tried is to compile the sample.cpp through sym++. I understand the libc++ stuff have to also be instrumented, and that the docker container have already setup and environment variable SYMCC_LIBCXX_PATH which points to "/libcxx_symcc_install". However, when i compiled the sample.cpp, i get the following error:
ubuntu@symcc:~$ sym++ -o sample sample.cpp
In file included from sample.cpp:1:
In file included from /libcxx_symcc_install/include/c++/v1/iostream:37:
In file included from /libcxx_symcc_install/include/c++/v1/ios:214:
/libcxx_symcc_install/include/c++/v1/iosfwd:189:14: error: use of undeclared identifier 'mbstate_t'
typedef fpos<mbstate_t> streampos;
^
/libcxx_symcc_install/include/c++/v1/iosfwd:190:14: error: use of undeclared identifier 'mbstate_t'
typedef fpos<mbstate_t> wstreampos;
^
/libcxx_symcc_install/include/c++/v1/iosfwd:195:14: error: use of undeclared identifier 'mbstate_t'
typedef fpos<mbstate_t> u16streampos;
^
/libcxx_symcc_install/include/c++/v1/iosfwd:196:14: error: use of undeclared identifier 'mbstate_t'
typedef fpos<mbstate_t> u32streampos;
^
In file included from sample.cpp:1:
In file included from /libcxx_symcc_install/include/c++/v1/iostream:37:
In file included from /libcxx_symcc_install/include/c++/v1/ios:215:
In file included from /libcxx_symcc_install/include/c++/v1/__locale:14:
In file included from /libcxx_symcc_install/include/c++/v1/string:504:
In file included from /libcxx_symcc_install/include/c++/v1/string_view:175:
In file included from /libcxx_symcc_install/include/c++/v1/__string:57:
In file included from /libcxx_symcc_install/include/c++/v1/algorithm:641:
In file included from /libcxx_symcc_install/include/c++/v1/cstring:60:
/libcxx_symcc_install/include/c++/v1/string.h:73:64: error: use of undeclared identifier 'strchr'
char* __libcpp_strchr(const char* __s, int __c) {return (char*)strchr(__s, __c);}
^
/libcxx_symcc_install/include/c++/v1/string.h:80:75: error: use of undeclared identifier 'strpbrk'
char* __libcpp_strpbrk(const char* __s1, const char* __s2) {return (char*)strpbrk(__s1, __s2);}
^
/libcxx_symcc_install/include/c++/v1/string.h:87:65: error: use of undeclared identifier 'strrchr'; did you mean 'strchr'?
char* __libcpp_strrchr(const char* __s, int __c) {return (char*)strrchr(__s, __c);}
^
/libcxx_symcc_install/include/c++/v1/string.h:75:13: note: 'strchr' declared here
const char* strchr(const char* __s, int __c) {return __libcpp_strchr(__s, __c);}
^
/libcxx_symcc_install/include/c++/v1/string.h:94:76: error: use of undeclared identifier 'memchr'
void* __libcpp_memchr(const void* __s, int __c, size_t __n) {return (void*)memchr(__s, __c, __n);}
^
/libcxx_symcc_install/include/c++/v1/string.h:101:74: error: use of undeclared identifier 'strstr'; did you mean 'strchr'?
char* __libcpp_strstr(const char* __s1, const char* __s2) {return (char*)strstr(__s1, __s2);}
^
/libcxx_symcc_install/include/c++/v1/string.h:77:13: note: 'strchr' declared here
char* strchr( char* __s, int __c) {return __libcpp_strchr(__s, __c);}
^
/libcxx_symcc_install/include/c++/v1/string.h:101:74: error: no matching function for call to 'strchr'
char* __libcpp_strstr(const char* __s1, const char* __s2) {return (char*)strstr(__s1, __s2);}
^
/libcxx_symcc_install/include/c++/v1/string.h:77:13: note: candidate disabled:
char* strchr( char* __s, int __c) {return __libcpp_strchr(__s, __c);}
^
/libcxx_symcc_install/include/c++/v1/string.h:101:81: error: cannot initialize a parameter of type 'char ' with an lvalue of type 'const char '
char __libcpp_strstr(const char __s1, const char* __s2) {return (char*)strstr(__s1, __s2);}
^~~~
/libcxx_symcc_install/include/c++/v1/string.h:77:32: note: passing argument to parameter '__s' here
char* strchr( char* __s, int __c) {return __libcpp_strchr(__s, __c);}
^
In file included from sample.cpp:1:
In file included from /libcxx_symcc_install/include/c++/v1/iostream:37:
In file included from /libcxx_symcc_install/include/c++/v1/ios:215:
In file included from /libcxx_symcc_install/include/c++/v1/__locale:14:
In file included from /libcxx_symcc_install/include/c++/v1/string:504:
In file included from /libcxx_symcc_install/include/c++/v1/string_view:175:
In file included from /libcxx_symcc_install/include/c++/v1/__string:57:
In file included from /libcxx_symcc_install/include/c++/v1/algorithm:641:
/libcxx_symcc_install/include/c++/v1/cstring:69:9: error: no member named 'memcpy' in the global namespace; did you mean 'memchr'?
using ::memcpy;
~~^
/libcxx_symcc_install/include/c++/v1/string.h:96:13: note: 'memchr' declared here
const void* memchr(const void* __s, int __c, size_t __n) {return __libcpp_memchr(__s, __c, __n);}
^
In file included from sample2.cpp:1:
In file included from /libcxx_symcc_install/include/c++/v1/iostream:37:
In file included from /libcxx_symcc_install/include/c++/v1/ios:215:
In file included from /libcxx_symcc_install/include/c++/v1/__locale:14:
In file included from /libcxx_symcc_install/include/c++/v1/string:504:
In file included from /libcxx_symcc_install/include/c++/v1/string_view:175:
In file included from /libcxx_symcc_install/include/c++/v1/__string:57:
In file included from /libcxx_symcc_install/include/c++/v1/algorithm:641:
/libcxx_symcc_install/include/c++/v1/cstring:70:9: error: no member named 'memmove' in the global namespace
using ::memmove;
~~^
/libcxx_symcc_install/include/c++/v1/cstring:71:9: error: no member named 'strcpy' in the global namespace; did you mean 'strchr'?
using ::strcpy;
~~^
/libcxx_symcc_install/include/c++/v1/string.h:75:13: note: 'strchr' declared here
const char* strchr(const char* __s, int __c) {return __libcpp_strchr(__s, __c);}
^
In file included from sample.cpp:1:
In file included from /libcxx_symcc_install/include/c++/v1/iostream:37:
In file included from /libcxx_symcc_install/include/c++/v1/ios:215:
In file included from /libcxx_symcc_install/include/c++/v1/__locale:14:
In file included from /libcxx_symcc_install/include/c++/v1/string:504:
In file included from /libcxx_symcc_install/include/c++/v1/string_view:175:
In file included from /libcxx_symcc_install/include/c++/v1/__string:57:
In file included from /libcxx_symcc_install/include/c++/v1/algorithm:641:
/libcxx_symcc_install/include/c++/v1/cstring:72:9: error: no member named 'strncpy' in the global namespace
using ::strncpy;
~~^
/libcxx_symcc_install/include/c++/v1/cstring:73:9: error: no member named 'strcat' in the global namespace; did you mean 'strchr'?
using ::strcat;
~~^
/libcxx_symcc_install/include/c++/v1/string.h:75:13: note: 'strchr' declared here
const char* strchr(const char* __s, int __c) {return __libcpp_strchr(__s, __c);}
^
In file included from sample.cpp:1:
In file included from /libcxx_symcc_install/include/c++/v1/iostream:37:
In file included from /libcxx_symcc_install/include/c++/v1/ios:215:
In file included from /libcxx_symcc_install/include/c++/v1/__locale:14:
In file included from /libcxx_symcc_install/include/c++/v1/string:504:
In file included from /libcxx_symcc_install/include/c++/v1/string_view:175:
In file included from /libcxx_symcc_install/include/c++/v1/__string:57:
In file included from /libcxx_symcc_install/include/c++/v1/algorithm:641:
/libcxx_symcc_install/include/c++/v1/cstring:74:9: error: no member named 'strncat' in the global namespace
using ::strncat;
~~^
/libcxx_symcc_install/include/c++/v1/cstring:75:9: error: no member named 'memcmp' in the global namespace; did you mean 'memchr'?
using ::memcmp;
~~^
/libcxx_symcc_install/include/c++/v1/string.h:96:13: note: 'memchr' declared here
const void* memchr(const void* __s, int __c, size_t __n) {return __libcpp_memchr(__s, __c, __n);}
^
In file included from sample.cpp:1:
In file included from /libcxx_symcc_install/include/c++/v1/iostream:37:
In file included from /libcxx_symcc_install/include/c++/v1/ios:215:
In file included from /libcxx_symcc_install/include/c++/v1/__locale:14:
In file included from /libcxx_symcc_install/include/c++/v1/string:504:
In file included from /libcxx_symcc_install/include/c++/v1/string_view:175:
In file included from /libcxx_symcc_install/include/c++/v1/__string:57:
In file included from /libcxx_symcc_install/include/c++/v1/algorithm:641:
/libcxx_symcc_install/include/c++/v1/cstring:76:9: error: no member named 'strcmp' in the global namespace; did you mean 'strchr'?
using ::strcmp;
~~^
/libcxx_symcc_install/include/c++/v1/string.h:75:13: note: 'strchr' declared here
const char* strchr(const char* __s, int __c) {return __libcpp_strchr(__s, __c);}
^
fatal error: too many errors emitted, stopping now [-ferror-limit=]
20 errors generated.
(3) Lastly, I tried to build a 'sample' under C with the following code:
#include <stdio.h>
int main(int argc, char *argv[]) {
//char *name = argv[1];
char name[100];
printf("What is your name?\n");
gets(name);
if (strcmp(name, "root") == 0)
printf("What is your command?\n");
else
printf("Hello %s\n", name);
return 0;
}
I ran symcc -o sample3 sample3.c
The build is successful, but when i run it like: "echo 'aaaa' | ./sample3", nothing gets generated in the /tmp/output folder.
buntu@symcc:
$ echo 'aaaa' | ./sample3$ ls /tmp/output/This is SymCC running with the QSYM backend
Reading program input until EOF (use Ctrl+D in a terminal)...
What is your name?
Hello aaaa
ubuntu@symcc:
ubuntu@symcc:
$ ls -al /tmp/output/$total 12
drwxr-xr-x 1 ubuntu ubuntu 4096 Oct 2 14:10 .
drwxrwxrwt 1 root root 4096 Oct 2 14:21 ..
ubuntu@symcc:
Any suggestion as to why this is not working?
Thanks.
The text was updated successfully, but these errors were encountered: