I have been playing with Driller for a bit, and I noticed something that looks weird when drilling certain inputs. I wrote a toy program to illustrate this (below).

Basically, I ran driller using AFL to fuzz it first with the seed `fuzzmesoftly` here. AFL ran for a while and sent a few inputs to drill. However, the drilled input in question is `Aset option\x00`. Since AFL had already explored some paths, it modified its bitmap, so I had to capture both the bitmap and the input to reproduce the result.

What I was expecting was for driller to generate an output that makes the program crash. However, none of the generated outputs will make the toy program crash, and AFL wasn't smart enough to combine the results from driller and its own findings.

The generated output `00bada552100000000000000` from transition `4006d8 -> 4006dd` contains the crash string, but it lacks the 'A' magic number prefix that would make the program crash during a real run:

```
$ echo -e "\x00\xba\xda\x55!" | ./listing_stdin
Bad magic number
```

I am wondering how I could fix this? I looked a bit, and I think it comes down to this code in the tracer where it removes the preconstraints. It looks like it removes the 'A' because it was preconstrained when the tracer was initialized, but that constraint is necessary to even check for the crash string.

Thank you for the help!! Let me know if anything isn't clear.

Resources

Here are the resources: test script, input file, program, program source and binary, and output log. I'm pretty sure I tested on this commit (unless I've messed something up in my workspace...)

Input File

Here: listing_stdin_c13fd238a6ed9a0311be4cd5426bb42f.py.zip. It contains the binary path, the input used, the run time, and the fuzz bitmap.

Program Source and Binary

I compiled this on Ubuntu 16.04 with `gcc listing_stdin.c -o listing_stdin`. Here is the compiled binary in case the fuzzing bitmap causes problems with a recompilation... listing_stdin.zip
I think the fix is to not remove the constraints that match preconstraints. In line 591 of tracer/tracer.py change `new_constraints = filter(lambda x: x.cache_key not in precon_cache_keys, path.state.se.constraints)` to `new_constraints = path.state.se.constraints`.

I believe this was necessary in the old style of preconstraining before we switched to the replacement frontend. If so, and the filter isn't necessary, making this change should not break any existing tests and will fix this issue.
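The behaviour reported in the issue and the fix proposed in the comment above, as an added example that is not Driller's or angr's code: a toy model in which stdin bytes are symbolic, constraints are byte equalities, and a `cache_key` stands in for the AST cache keys the real filter compares. The layout of the toy program (magic byte 'A' at offset 0, the crash string at offsets 1..4) is assumed from the `echo` reproduction on this page, since `listing_stdin.c` itself is not shown here; `Eq`, `solve`, `toy_program` and the two strategy functions are constructed for illustration.

```python
# Added example (not Driller's or angr's code): a simplified model of how a
# preconstraint filter keyed on structural identity also drops a path
# constraint the program itself imposed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Eq:
    """Constraint: input byte at `index` equals `value`."""
    index: int
    value: int

    @property
    def cache_key(self):
        # Structurally identical constraints share a key, whether they came
        # from preconstraining or from the program's own comparison.
        return ("eq", self.index, self.value)


INPUT_LEN = 12
# constructed: the drilled input named in the issue, 12 bytes long
CONCRETE = b"Aset option\x00"
# assumed layout of the toy program: byte 0 is the magic number,
# bytes 1..4 must equal the crash string
MAGIC = Eq(0, ord("A"))
CRASH_STRING = b"\xba\xda\x55!"


def preconstrain(concrete: bytes) -> List[Eq]:
    """Tie every symbolic stdin byte to the concrete input, as the tracer does."""
    return [Eq(i, b) for i, b in enumerate(concrete)]


def path_constraints_at_divergence() -> List[Eq]:
    """Constraints the program imposed along the trace (the magic check),
    plus those needed to take the unexplored side of the branch that
    compares against the crash string."""
    return [MAGIC] + [Eq(1 + i, b) for i, b in enumerate(CRASH_STRING)]


def solve(constraints: List[Eq], length: int = INPUT_LEN) -> Optional[bytes]:
    """Minimal solver: unconstrained bytes become 0x00, conflicts are unsat."""
    fixed: Dict[int, int] = {}
    for c in constraints:
        if fixed.get(c.index, c.value) != c.value:
            return None
        fixed[c.index] = c.value
    return bytes(fixed.get(i, 0) for i in range(length))


def strip_by_cache_key(path: List[Eq], precons: List[Eq]) -> List[Eq]:
    """The filter quoted in the issue: drop any constraint whose cache key
    matches a preconstraint. The magic check is structurally identical to
    the preconstraint on byte 0, so it is dropped too."""
    keys = {p.cache_key for p in precons}
    return [c for c in path if c.cache_key not in keys]


def keep_path_constraints(path: List[Eq], precons: List[Eq]) -> List[Eq]:
    """The proposed fix: preconstraints live outside the constraint list
    (replacement-style), so the path constraints need no filtering."""
    return list(path)


def generate_input(strategy: Callable[[List[Eq], List[Eq]], List[Eq]]) -> bytes:
    """Produce the new input Driller would hand back to AFL under `strategy`."""
    precons = preconstrain(CONCRETE)
    path = path_constraints_at_divergence()
    return solve(strategy(path, precons))


def toy_program(stdin: bytes) -> str:
    """Constructed stand-in for listing_stdin's observable behaviour."""
    if stdin[:1] != b"A":
        return "Bad magic number"
    if stdin[1:5] == CRASH_STRING:
        return "crash"
    return "ok"


if __name__ == "__main__":
    for name, strategy in (("filtered", strip_by_cache_key),
                           ("fixed", keep_path_constraints)):
        inp = generate_input(strategy)
        print(name, inp.hex(), "->", toy_program(inp))
```

Run stand-alone, the filtered strategy reproduces the hex string from the issue and the toy program rejects it with "Bad magic number", while the fixed strategy keeps the 'A' and reaches the crash branch.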