In [1]:
import angr, monkeyhex
import random, time
from collections import deque

In [2]:
binary_name = 'if2'

In [3]:
proj = angr.Project(binary_name, auto_load_libs=False)
_state = proj.factory.entry_state()

In [4]:
inx1 = _state.solver.BVS('inx1', 16)
inxs = [inx1]

In [5]:
ninputs = 3
nlengths = [2, 2]

In [6]:
def genSymbolicCommandLineArgs(_state, ninputs, nlengths):
    if len(nlengths) < ninputs:
        nlengths += [nlengths[-1]] * (ninputs - len(nlengths))
    print(nlengths)
    
    return [ _state.solver.BVS('inx{0}'.format(i), leni * 8) for (i,leni) in enumerate(nlengths) ]

In [7]:
def genInitState(proj, inxs, ins):
    state = proj.factory.entry_state(args=inxs)
    assert( len(inxs) >= len(ins) )
    for i in range(len(ins)):
        state.add_constraints(inxs[i] == ins[i])
    return state

In [8]:
def executeState(proj, state, max_branches):  # will only randomly pick one path if multiple paths possible
    simgr = proj.factory.simulation_manager(state)
    branches = 0
    while simgr.active and branches < max_branches:
        simgr.step(until=lambda s: not s.active or s.active[0].history.recent_constraints)
        branches += 1
        if (len(simgr.active) == 2):
            r = random.randint(0,1)
            simgr.active.pop(r)
            
    if simgr.active:
        return simgr.active[0]
    elif simgr.deadended:
        return simgr.deadended[0]
    elif simgr.errored:
        return simgr.errored[0].state
    else:
        return None

In [9]:
def getConstraints(proj, start, end):
    ins = start.history.constraints_since(start)
    constraints = end.history.constraints_since(start)
    
    for _ in range(len(ins)): # pop constraints for input
        constraints.pop() 
    constraints.reverse() # adjust to correct order
    
    return [c.ast for c in constraints] # extract ast/condition from Simulation Action Object

In [10]:
def executeSymbolic(proj, inx, ins, max_branches):
    start = genInitState(proj, inxs, ins)
    end = executeState(proj, start,  max_branches)
    assert( end != None and "unhandled case")
    
    return getConstraints(proj, start, end)

In [11]:
def getInversedConds(proj, conds, i):
    state = proj.factory.blank_state()
    new_conds = conds[:i]
    new_conds.append(state.solver.Not(conds[i]))
    return new_conds

In [12]:
def solveForInput(proj, inxs, conds):
    state = proj.factory.blank_state()
    state.add_constraints(*conds)
    return [ state.solver.eval(inx, cast_to=str) for inx in inxs ] if state.satisfiable() else None

In [21]:
def fuzz(proj, cmdInxs, max_branches, time_limit):
    start = time.time()
    
    # initial inputs
    conds_ini = executeSymbolic(proj, cmdInxs, [], max_branches)
    ins_ini = solveForInput(proj, cmdInxs, conds_ini)
    
    # Start trying all paths
    cmd_ins = []
    
    queue = deque([])
    queue.append( (ins_ini, -1) )

    while queue:
        if (time.time() - start) > time_limit:
            print("reaches time limit, stopping...")
            break
        
        ins, bound = queue.popleft()
        # TODO: run actual program and check bugs
        cmd_ins.append(ins)
        
        _start = time.time()
        conds = executeSymbolic(proj, cmdInxs, ins, max_branches)
        print('executeSymbolic, time: {0}'.format(time.time() - _start))
        
        for i in range(bound+1, len(conds)):
            _start = time.time()
            new_conds = getInversedConds(proj, conds, i)
            print('getInversedConds, time: {0}'.format(time.time() - _start))
            
            _start = time.time()
            new_ins = solveForInput(proj, cmdInxs, new_conds)
            print('solveForInput, time: {0}'.format(time.time() - _start))
            
            if new_ins != None:
                queue.append( (new_ins, i) )
    
    return cmd_ins, time.time() - start

In [22]:
max_branches = 10
time_limit = 10

inxs = genSymbolicCommandLineArgs(_state, ninputs, nlengths)
cmd_ins, time_collapsed = fuzz(proj, inxs, max_branches, time_limit)

[2, 2, 2]
executeSymbolic, time: 0.424659013748
getInversedConds, time: 0.00187397003174
solveForInput, time: 0.0423710346222
getInversedConds, time: 0.00247406959534
solveForInput, time: 0.0399069786072
getInversedConds, time: 0.00272798538208
solveForInput, time: 0.0393779277802
executeSymbolic, time: 0.413058996201
getInversedConds, time: 0.00195908546448
solveForInput, time: 0.0428788661957
getInversedConds, time: 0.00242209434509
solveForInput, time: 0.0351991653442
executeSymbolic, time: 0.505300045013
getInversedConds, time: 0.00263118743896
solveForInput, time: 0.0401690006256
executeSymbolic, time: 0.442910909653
executeSymbolic, time: 0.42191195488
getInversedConds, time: 0.00244998931885
solveForInput, time: 0.038458108902
executeSymbolic, time: 0.435720205307
executeSymbolic, time: 0.42724108696
executeSymbolic, time: 0.463316917419


In [23]:
cmd_ins, time_collapsed

([['8\x00', '0\x00', '0\x00'],
  ['0\x00', '\x00\x00', '\x00\x00'],
  ['8\x00', '8\x00', '\x00\x00'],
  ['8\x00', '0\x00', '8\x00'],
  ['0\x00', '8\x00', '\x00\x00'],
  ['0\x00', '0\x00', '8\x00'],
  ['8\x00', '8\x00', '8\x00'],
  ['0\x00', '8\x00', '8\x00']],
 4.311079025268555)