FuzzTrace is a "general-purpose" tracing tool for closed-source applications, aimed at generating a concise execution trace that can be used to support the fuzz-testing activity or other analyses.
At the time of writing, we provide two tracing back-ends, based on Intel BTS and PIN respectively. In any case, the execution trace is serialized to a protobuf object, that can then be processed off-line. Available back-ends are briefly described in the next paragraphs, together with some usage examples.
On a Debian/Ubuntu system, use the following commands to install the required dependencies (these are common to all the back-ends available):
roby@gimli:~$ sudo apt-get install protobuf-compiler python-protobuf libprotobuf-dev
The BTS back-end is an efficient tracer that leverages Intel "Branch Trace
Store" (BTS) technology. The source code for this back-end is located under
tracer/bts
. To compile this back-end module enter directory tracer/bin
and
run make
.
Hopefully, everything will go fine. You should now be able to trace your target
application using the bts_trace
binary:
roby@gimli:~/projects/fuzztrace/tracer/bts$ ./bts_trace -f /dev/shm/trace.bin -- /bin/ls -la >/dev/null
[*] Got 108684 events (4967 CFG edges)
[*] Serializing to /dev/shm/trace.bin
The PIN back-end is a
PIN
extension to monitor the execution of a binary application and record its
"execution trace". FuzzTrace/PIN lives in directory fuzztrace/tracer/pin
. To
compile the PIN module, set the PIN_ROOT
environment variable and launch
make
from the tracer/pin
directory, e.g.:
roby@gimli:~/apps/pin$ export PIN_ROOT=$(pwd)
roby@gimli:~/apps/pin$ cd ~/projects/fuzztrace/tracer/pin
roby@gimli:~/projects/fuzztrace/tracer/pin$ make
You should be able to trace your target program using the pintrace
PIN tool:
roby@gimli:~/projects/fuzztrace/tracer/pin$ ${PIN_ROOT}/pin.sh -t obj-intel64/pintrace.so -f /dev/shm/trace.bin -- /bin/ls
The viewer
directory provides a basic trace viewer, which parses a saved
execution traces and displays recorded branches.
Before using the viewer, compile the bbtrace.proto
file:
roby@gimli:~/projects/fuzztrace/viewer$ protoc --python_out=. bbtrace.proto
After that, usage is quite straightforward:
roby@gimli:~/projects/fuzztrace/viewer$ python trace.py /dev/shm/trace.bin
#### Trace '/dev/shm/trace.bin' ####
[/dev/shm/trace.bin] cmd: test, data: 0 bytes, time: 2015-01-29 22:47:52, hash: 3c31f, edges(s): 708, exception(s): 0
- CFG edges
[00402168 -> 00402178] 1 hit
[00402178 -> 0040217d] 1 hit
[0040217d -> 00412513] 1 hit
[00402190 -> 004124e0] 1 hit
...