# Exercise 4: Testing


### Assignment Deadline: April 4 (Friday) before 11:59PM

**This assignment is worth 15% of the semester grade.**


In this assignment, we will try two major techniques for improving testing coverage---one is **Fuzz Testing**, and the other is **Symbolic Execution**.

## Part 1: Fuzz Testing

We will use the AFL fuzzer to test an older version of OpenSSL. In order to set up AFL and the OpenSSL, run the following cell by pressing `SHIFT+ENTER`. Once the cell is executed successfully, check if there are two folders named `AFL` and `openssl` in the `Files` panel on the left-hand side.





In [1]:
!wget -O AFL.zip https://github.com/chiache/csce713-assignments/raw/master/lab4/AFL.zip
!wget -O openssl.zip https://github.com/chiache/csce713-assignments/raw/master/lab4/openssl.zip
!unzip -o -q AFL.zip
!unzip -o -q openssl.zip

--2025-04-03 17:11:39--  https://github.com/chiache/csce713-assignments/raw/master/lab4/AFL.zip
Resolving github.com (github.com)... 140.82.116.4
Connecting to github.com (github.com)|140.82.116.4|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://raw.githubusercontent.com/chiache/csce713-assignments/master/lab4/AFL.zip [following]
--2025-04-03 17:11:39--  https://raw.githubusercontent.com/chiache/csce713-assignments/master/lab4/AFL.zip
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.110.133, 185.199.108.133, 185.199.109.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.110.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 917247 (896K) [application/zip]
Saving to: ‘AFL.zip’


2025-04-03 17:11:39 (21.9 MB/s) - ‘AFL.zip’ saved [917247/917247]

--2025-04-03 17:11:39--  https://github.com/chiache/csce713-assignments/raw/master/lab4/openssl.zip
Resolving github.com 

Next, build the AFL tool from the unpacked source code in the next cell.

In [2]:
!cd AFL && make

[*] Checking for the ability to compile x86 code...
[+] Everything seems to be working, ready to compile.
cc -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DDOC_PATH=\"/usr/local/share/doc/afl\" -DBIN_PATH=\"/usr/local/bin\" afl-gcc.c -o afl-gcc -ldl
set -e; for i in afl-g++ afl-clang afl-clang++; do ln -sf afl-gcc $i; done
cc -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DDOC_PATH=\"/usr/local/share/doc/afl\" -DBIN_PATH=\"/usr/local/bin\" afl-fuzz.c -o afl-fuzz -ldl
cc -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DDOC_PATH=\"/usr/local/share/doc/afl\" -DBIN_PATH=\"/usr/local/bin\" afl-showmap.c -o afl-showmap -ldl
cc -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DDOC_PATH=\"/usr/local/share/doc/afl\" -DBIN_PATH=\"/usr/local/bin\" afl-tmin.c -o afl-tmin -ldl
cc -O3 -fun

Next, we need to compile the openssl source code using the AFL compiler, which will embed the code for collecting coverage information in the binary. This may take several minutes (You may check `openssl/build.log` for the progress).

In [3]:
import os

os.environ['AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES'] = '1'
os.environ['AFL_USE_ASAN'] = '1'
os.environ['PATH'] += ':/content/AFL'
os.environ['AFL_PATH'] = '/content/AFL'

!echo "Configuring OpenSSL..."
!cd openssl && CC="afl-gcc -g" CXX="afl-g++ -g" ./config -d &> config.log
!echo "Building OpenSSL... (This will take a while)"
!cd openssl && make &> build.log

Configuring OpenSSL...
Building OpenSSL... (This will take a while)


### Challenge 1.1: A Simple Program

The first exercise is a simple example of fuzzing a broken program. This will familiarize you with the basics of running AFL. In the later exercises, the "targets" (what you're fuzzing) will get trickier.




In [4]:
%%writefile simple.c
#include <math.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>

int main(int argc, const char* argv[]) {
    char input[101];
    input[read(STDIN_FILENO, input, sizeof(input) - 1)] = '\0';

    char* func_str;
    double (*func)(double) = NULL;
    if (strncmp("s", input, 1) == 0) {
        (void) (func =  &sin);
        func_str = "sin";
    } else if (strncmp("c", input, 1) == 0) {
        (void) (func == &cos);
        func_str = "cos";
    } else {
        fprintf(stderr, "Unknown command\n");
        return EXIT_FAILURE;
    }

    int in_val;
    if (!sscanf(input + 2, "%d", &in_val)) {
        fprintf(stderr, "Can't read input value\n");
        return EXIT_FAILURE;
    }
    printf("%s(%d) = %f\n", func_str, in_val, func(in_val));
    return EXIT_SUCCESS;
}

Writing simple.c


Now compile `simple.c` with the special GCC compiler provided by AFL:

In [5]:
!afl-gcc -g simple.c -lm -o simple
!mkdir -p input1

[0;36mafl-cc [1;97m2.57b[0m by <lcamtuf@google.com>
[0;36mafl-as [1;97m2.57b[0m by <lcamtuf@google.com>
[1;92m[+] [0mInstrumented 14 locations (64-bit, ASAN/MSAN mode, ratio 33%).[0m


To fuzz the program, we need to create an initial input to AFL. Run the following cell to create an initial input as `in/seed.txt`.


In [6]:
%%writefile input1/seed.txt
s 10

Writing input1/seed.txt


Next, let's run the simple program under AFL. You should immediately see at least 1 crash reported on the AFL dashboard (the screen that afl-fuzz shows while fuzzing).

In [7]:
!AFL_BENCH_UNTIL_CRASH=1 afl-fuzz -i input1 -o output1 -m none ./simple

[0;36mafl-fuzz [1;97m2.57b[0m by <lcamtuf@google.com>
[1;92m[+] [0mYou have 2 CPU cores and 1 runnable tasks (utilization: 50%).[0m
[1;92m[+] [0mTry parallel jobs - see docs/parallel_fuzzing.txt.[0m
[1;94m[*] [0mChecking CPU core loadout...[0m
[1;92m[+] [0mFound a free CPU core, binding to #0.[0m
[1;94m[*] [0mChecking core_pattern...[0m

[1;91m[-] [0mHmm, your system is configured to send core dump notifications to an
    external utility. This will cause issues: there will be an extended delay
    between stumbling upon a crash and having this information relayed to the
    fuzzer via the standard waitpid() API.

    To avoid having crashes misinterpreted as timeouts, please log in as root
    and temporarily modify /proc/sys/kernel/core_pattern, like so:

    echo core >/proc/sys/kernel/core_pattern
[1;94m[*] [0mSetting up output directories...[0m
[1;94m[*] [0mScanning 'input1'...[0m
[1;92m[+] [0mNo auto-generated dictionary tokens to reuse.[0m
[1;94m[*]

Next, review the program `simple.c` using the `Files` panel on the left-hand side (You can double-click to open the file in an editor).


*   Notice that it reads its input from stdin (which is required for AFL).

*   Inspect lines 14 and 17. Does something look off? Is this related to the crash that AFL found?





Your answer: The issue in the program arises from the following mistake in the `else if` branch:


(void) (func == &cos);


- The intention of this line was to assign func = &cos;, but instead, it mistakenly uses the comparison operator == rather than the assignment operator =.
- The expression (func == &cos) is a boolean expression that evaluates to 0 or 1, but it does not assign &cos to func.
- As a result, func remains NULL because it was initialized to NULL earlier in the program.

- When the input "c 10" is provided, execution enters the else if block, but func is never actually assigned to cos.  
- Later, the program attempts to call func(in_val), where func is still NULL.  
- Since calling a function via a NULL function pointer results in undefined behavior, the program crashes due to a segmentation fault or an illegal memory access.


### Challenge 1.2: The OpenSSL "HeartBleed"

As promised, the target for this exercise is a little harder. We'll be finding the heartbleed vulnerability in OpenSSL. You also have more responsibility for this exercise, as you'll be writing a small "harness" for AFL to use when fuzzing.




#### Step 1.2.1. Write the harness

Edit the following `handshake_fuzz.c` using the file editor and locate the `BIO_write_from_stdin` function. Don't worry if you don't understand the `main` function! Your goal is to fill in the `BIO_write_from_stdin` function as described in the comment (this should only take a few lines of code). Unless you're already fluent in the OpenSSL API, you may need to look up the [`BIO_write` function](https://linux.die.net/man/3/bio_write) to make sense of its parameters and behavior.



In [10]:
%%writefile handshake_fuzz.c
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <assert.h>
#include <stdint.h>
#include <stdlib.h>
#include <stddef.h>
#include <unistd.h>

void BIO_write_from_stdin(BIO* b) {
    // Fill in: Read 100 bytes from stdin (look at simple.c
    //          if you need help with this) and use the BIO_write()
    //          function to write these bytes to `b`.
    char input[100];
    read(STDIN_FILENO, input, sizeof(input));
    BIO_write(b, input, sizeof(input));
}

int main(int argc, const char* argv[]) {
    SSL_library_init();
    SSL_load_error_strings();
    ERR_load_BIO_strings();
    OpenSSL_add_all_algorithms();
    SSL_CTX* sctx = SSL_CTX_new(TLSv1_method());
    SSL_CTX_use_certificate_file(sctx, "openssl.pem", SSL_FILETYPE_PEM);
    SSL_CTX_use_PrivateKey_file(sctx, "openssl.key", SSL_FILETYPE_PEM);
    SSL *server = SSL_new(sctx);
    BIO *b = BIO_new(BIO_s_mem());

    BIO_write_from_stdin(b);

    SSL_set_bio(server, b, BIO_new(BIO_s_mem()));
    SSL_set_accept_state(server);
    SSL_do_handshake(server);
    SSL_free(server);
    return EXIT_SUCCESS;
}

Overwriting handshake_fuzz.c


Once you have finished the file, press `SHIFT+ENTER` to save the file and try compiling it with AFL:

In [21]:
!afl-gcc -g handshake_fuzz.c openssl/libssl.a openssl/libcrypto.a -o handshake_fuzz -I openssl/include/ -ldl
!mkdir -p input2

[0;36mafl-cc [1;97m2.57b[0m by <lcamtuf@google.com>
[0;36mafl-as [1;97m2.57b[0m by <lcamtuf@google.com>
[1;92m[+] [0mInstrumented 6 locations (64-bit, ASAN/MSAN mode, ratio 33%).[0m


#### Step 1.2.2. Fuzz (vigorously)




OpenSSL is quite a bit bigger than the previous simple.c we fuzzed. This process may take several minutes. To perform fuzz testing, we need to provide the initial test input, and the encryption key files for OpenSSL:

In [12]:
%%writefile input2/seed.txt
abcdefghijklmnopqrstuv

Writing input2/seed.txt


In [13]:
%%writefile openssl.key
-----BEGIN PRIVATE KEY-----
MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEArxZwUMlbs/olUxH4
rd+xChPoa2TMXfCzByx0fYuclkWUkZArr7iwEVh2F6t6vTAXuSP3/lxyjKm2ZmOB
e+LhSwIDAQABAkBWrfgqtpUUs+lYh9QiWFTwVUzCJiPa+ffXvFVrdfuulK/9GTLE
+l2atVV7znexPly6R82Xost00PPRDolXUlrBAiEA3017kUgUgulyNI2fBGPVB50m
WRpOX+xEM8GNZJ+xPWECIQDIuZzQY4N9goUN32PqB9lGqFrCLDVfnXNCEd6LV0TS
KwIhANnZ3MCa4q/pEislM0r0HoPkE+J/4JCCjvMzVD8j8KVhAiBAq6S9c0J7HqE1
vgKX9V1oqXdMVigAHV90KwOzizNuLwIgXP0YF7dn+plQ1I1ngq3HB7TqDjvzFWDR
ne5YmRG1LqI=
-----END PRIVATE KEY-----

Writing openssl.key


In [14]:
%%writefile openssl.pem
-----BEGIN CERTIFICATE-----
MIIBbzCCARmgAwIBAgIUHHdU8p9n7PzvPbgYXkvVox/MNnswDQYJKoZIhvcNAQEL
BQAwDDEKMAgGA1UEAwwBYTAeFw0yMTEwMDkwMDM5MDNaFw00OTAyMjMwMDM5MDNa
MAwxCjAIBgNVBAMMAWEwXDANBgkqhkiG9w0BAQEFAANLADBIAkEArxZwUMlbs/ol
UxH4rd+xChPoa2TMXfCzByx0fYuclkWUkZArr7iwEVh2F6t6vTAXuSP3/lxyjKm2
ZmOBe+LhSwIDAQABo1MwUTAdBgNVHQ4EFgQU2bm1eYZbrazb1zQHXiTpqTxERPAw
HwYDVR0jBBgwFoAU2bm1eYZbrazb1zQHXiTpqTxERPAwDwYDVR0TAQH/BAUwAwEB
/zANBgkqhkiG9w0BAQsFAANBAF7sVRffX6ACIWkFoWwuKEoSgdfao0F77eTd4emr
7mKiyfQgouXjIyNjbg9D1elRGGgAdvaQBWrJBgzJPPDrNz8=
-----END CERTIFICATE-----

Writing openssl.pem


Next, let's run the program with AFL. This can take a long time, and the time needed is entirely random since we are doing fuzz testing. To allow checking of the progress, we will pipe the output of AFL into a separate file, so that we can check the output (`handshake_fuzz.log`) from the File panel.

In [15]:
!AFL_BENCH_UNTIL_CRASH=1 afl-fuzz -i input2 -o output2 -m none ./handshake_fuzz &> handshake_fuzz.log

Note that the above command may randomly take a long period of time. If you see the command hanging too long (like more than 30 minutes), you may retry the command and the result may be significantly different.

#### Step 1.2.3: Investigate the crash

Once you have captured the crash with AFL, open the `File` panel on the left and check the `output2` directory. You should find at least one test case in the `crashes` folder. The file name will contain the id, the signal, and other information to identify the crash. Double-click the file and check the content of the test case. It may not be readable.

The content of the file can be used as a crashing input and be fed back to the tested program. Now, run the `handshake_fuzz` executable with crashing input in the cell below.

In [22]:
# Modify the following line to show the crashing input
!./handshake_fuzz < /content/output2/crashes/id:000000,sig:06,src:000032,op:arith8,pos:0,val:+2

[1m[31m==176534==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x629000009748 at pc 0x7ef28b5bd397 bp 0x7ffd7f22f8f0 sp 0x7ffd7f22f098
[1m[0m[1m[34mREAD of size 61375 at 0x629000009748 thread T0[1m[0m
    #0 0x7ef28b5bd396 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
    #1 0x5d137940e620 in tls1_process_heartbeat /content/openssl/ssl/t1_lib.c:2586
    #2 0x5d13794ca2ea in ssl3_read_bytes /content/openssl/ssl/s3_pkt.c:1092
    #3 0x5d13794d1b68 in ssl3_get_message /content/openssl/ssl/s3_both.c:457
    #4 0x5d13794711fc in ssl3_get_client_hello /content/openssl/ssl/s3_srvr.c:941
    #5 0x5d1379489b2c in ssl3_accept /content/openssl/ssl/s3_srvr.c:357
    #6 0x5d13793f08fc in main /content/handshake_fuzz.c:33
    #7 0x7ef28b383d8f  (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)
    #8 0x7ef28b383e3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x29e3f)
    #9 0x5d13793fb174 in _start (/content/handshake

You should see error output from the **Address Sanitizer (ASAN)**. In this output you should see something from a heartbeat. If so, you've found heartbleed!

Note: The error reported from the Address Sanitizer should **NOT** be from your own code. You can examine the function backtrace to find out where the error originates.

Now, let's examine the input for crashing the program. We will need to use `xxd` to read the input in hexadecimal format:

In [19]:
# Modify the following line to show the crashing input
!xxd /content/output2/crashes/id:000000,sig:06,src:000032,op:arith8,pos:0,val:+2

00000000: 1803 0000 0301 efbf bd00 1603 0000       ..............


The reason why this input is crashing the SSL server is that it contains ill-formatted SSL messages that confuse the server. A SSL message is formatted as follows:

```
| Type (1 byte) | SSL version (2 bytes) | Length (2 bytes) |  Payload (= Length) |
```

If the message is a Heartbeat message, then the type will be 24 (`=TLS1_RT_HEARTBEAT`), with the payload part structured as the follows:

```
| Heartbeat Type (1 byte) | Length (2 bytes) | Heartbeat messages (= Length) |
```

Based on this format, try making a hypothesis as why the input is crashing the server, and then test your hypothesis by changing part of the input and running it against the program. Write down your hypothesis below and explain why you believe your explanation of the crash to be correct.

Your Answer: The input crashes the SSL server because it contains a malformed Heartbeat message with an incorrect length field. If the Heartbeat payload length is larger than the actual data provided, the server attempts to read beyond allocated memory, leading to an out-of-bounds read or memory corruption, similar to the Heartbleed vulnerability.



*   The input starts with TLS1_RT_HEARTBEAT (0x18), meaning it’s a Heartbeat request.
*   The Length field (0xefbf = 61375 bytes) is much larger than the actual input.

*  OpenSSL attempts to copy 61375 bytes from the input buffer into a response buffer, causing an invalid memory read.





### Challenge 1.3: Invariant Checking

So far we've seen fuzzing detect memory errors and crashes, but that's not all fuzzing can do. Fuzzing is a form of dynamic testing using automatically-generated inputs. On any inputs, certain properties of a program -- "[invariants](https://en.wikipedia.org/wiki/Invariant_(mathematics))" -- should always hold. An example of an invariant might be, "for any integer x, the square of x should be equivalent to x * x". We can use fuzzing as a tool to test these invariants.

Beyond being vulnerable to heartbleed, the version of OpenSSL used in this assignment is also vulnerable to [CVE-2014-4370](hhttps://nvd.nist.gov/vuln/detail/CVE-2014-3570) -- a bug where the square of a big number x was not equal to x * x.

In this exercise you'll be finding this failed invariant by comparing two supposedly-equivalent operations:

*   `BN_sqr` on a `BIGNUM` (`x^2`)
*   `BN_mul` to multiple a `BIGNUM` by itself (`x*x`)

**Note: AFL will treat a failed assert statement as a crash.**

#### Step 1.3.1: Write the fuzzing harness

Use the following cell to create `bn_test.c`, write the `main` function such that it performs to the spec given. You should not need to read `openssl/bn.h` in its entirety. However, you do need to know about `BIGNUM`s in OpenSSL. To learn that, feel free to run a web search for documentation and example code about OpenSSL `BIGNUM`s.

In [None]:
%%writefile bn_test.c
#include <openssl/bn.h>
#include <assert.h>
#include <stdint.h>
#include <stdlib.h>
#include <stddef.h>
#include <unistd.h>
#include <stdio.h>

int main() {
    // Fill in: Read a hexidecimal string of length 64 from stdin (no prefix)
    //          and use `BN_hex2bn` to initialize a BIGNUM with this value. Then
    //          use `BN_sqr`, `BN_mul`, and `BN_cmp` to compare the results of
    //          squaring that number and multiplying it by itself, if they disagree
    //          then we've found our issue.
    //
    // Hint: You might want something like: `assert(BN_cmp(x, y) == 0);` in your code.
    return EXIT_SUCCESS;
}

#### Step 1.3.2: Compile `bn_test.c`



In [None]:
!afl-gcc bn_test.c openssl/libcrypto.a -o bn_test -I openssl/include/ -ldl
!mkdir -p input3

After compilation, you should be able to run the following and have no errors:

In [None]:
!echo "D3ADB33F" | ./bn_test

#### Step 1.3.3: Fuzz


You need the initial input for testing:

In [None]:
%%writefile in/seed.txt
80000000000000008000000000000001FFFFFFFFFFFFFFFE000000000000000

In [None]:
!AFL_BENCH_UNTIL_CRASH=1 afl-fuzz -i input3 -o output3 -m none ./bn_test

If your harness code works, you should see at least one crash within 3 minutes.

#### Step 1.3.4: Inspect the offending string

Look at the test case that caused the error:

In [None]:
# Modify the following line to show the crashing input
!cat output3/crashes/id:000000...

Please provide your observation as for why the test case is causing the crash:



Answer:

## Part 2: Symbolic Execution

As we observed in Part 1, fuzz testing may be able to reach certain corner cases or crashing condition, but the process is randomized. Due to randomization, there's no guarantee that one may reach the desired test results or coverage soon. In this part, we will learn how to use **Angr**, a symbolic execution tool based on binary analysis, to discover test cases that can expose bugs within the target program.

First, we will need to install angr, which has a decent Python API as its frontend. The installation may take a while, as many dependencies need to be installed for the software.

In [None]:
!pip install angr

### Challenge 2.1: Trying Angr for Symbolic Execution

To start, we will learn how to use Angr to perform symbolic execution on programs. Let's start with a simple `test_password` program, which will compare the password and print out "Good job." or "Try again." based on the result.

In [None]:
!wget -O test_password https://github.com/chiache/csce713-assignments/raw/master/lab4/test_password
!chmod 755 test_password

In [None]:
!echo "hello" | ./test_password

#### Step 2.1.1: Find the address to reach

Next, as the first step, we can use angr to disassemble the program.

In [None]:
import angr
import re

project = angr.Project('test_password', auto_load_libs = False)
cfg = project.analyses.CFGFast(normalize=True)
for func in cfg.functions.values():
    dec = project.analyses.Decompiler(func, cfg=cfg.model)
    print("Function %s<0x%x>:" % (func.name, func.addr))
    if dec.codegen:
        print(dec.codegen.text)

Now examine the decompiled code and see if you can guess what the password is. You will soon realize that it is quite difficult because the program is extremely complex and highly obfuscated.

Now, let's use symbolic execution to quickly figure out how to reach certain corner cases. A cool thing about Angr is that you can set certain address to find, which it will use to search the path that will eventually reach this address. Use the decompiled code above to find out which function is printing out "Good Jobs.", and search in the output of the following cell to find the instruction that print out the said message:


In [None]:
for node in sorted(cfg.model.nodes(), key=lambda n: n.addr):
    if not node.is_simprocedure:
        node.block.pp()

#### Step 2.1.2: Simulating with Symbolic Execution

Once you know the address to find, update the following cell to conduct symbolic execution. In this cell, you will create a Angr project, and create a **Simulation Manager** to start exploring the possible paths and their predicates until it reaches the address you want to find.



In [None]:
address_to_find = # You need to update this
project = angr.Project('test_password')
initial_state = project.factory.entry_state()
simulation = project.factory.simgr(initial_state)
simulation.explore(find=address_to_find)

If the symbolic execution can successfully find the test case, it will show that the Simulation Manager has found at least one case in the output above. Then, you can print out the test case and try in the next cell to see if you pass the test in `test_password`.

In [None]:
if simulation.found:
    solution_state = simulation.found[0]
    solution = solution_state.posix.dumps(0) # 0 represents the file descriptor no. of stdin
    print("[+] Solution found! : {}".format(solution.decode('utf-8')))
else:
    raise Exception("Could not find the solution")

In [None]:
# Update the following command with the password you found
!echo "" | ./test_password

#### Step 2.1.3: Setting Condition to Find and Condition to Avoid

Although it is very useful to search for a start that reaches a certain instruction address, in some cases, you may not be able to find out the address of the specific instruction you want to reach.  Another option besides specifying the instruction address to search is to specify the condition to find within the program.

Another useful feature of Angr is to set the condition or address to **avoid**, by giving a parameter to the Simulation Manager. That way, the symbolic execution will stop exploring any future paths derived from one that matches with the condition.

In the cell below, please finish two functions, `is_successful` and `should_abort`, to be set as the condition to find and the condition to avoid in the symbolic execution.

In [None]:
import angr

# Define a function that checks if you have found the state you are looking for.
def is_successful(state):
    # Dump whatever has been printed out by the binary so far into a string.
    stdout_output = state.posix.dumps(1) # 1 represents the file descriptor no. of stdout

    # TODO: Return whether 'Good Job.' has been printed yet.
    return False # Update this line

# Same as above, but this time check if the state should abort. If you return
# False, Angr will continue to step the state. In this specific challenge, the
# only time at which you will know you should abort is when the program prints
# "Try again."
def should_abort(state):
    stdout_output = state.posix.dumps(1) # 1 represents the file descriptor no. of stdout

    ## TODO: Return whether 'Try again.' has been printed yet.
    return False  # Update this line

project = angr.Project('test_password')
initial_state = project.factory.entry_state(
    add_options = { angr.options.SYMBOL_FILL_UNCONSTRAINED_MEMORY,
                    angr.options.SYMBOL_FILL_UNCONSTRAINED_REGISTERS}
)
simulation = project.factory.simgr(initial_state)
simulation.explore(find=is_successful, avoid=should_abort)

if simulation.found:
    solution_state = simulation.found[0]
    solution = solution_state.posix.dumps(0)
    print("[+] Solution found! : {}".format(solution.decode('utf-8')))
else:
    raise Exception("Could not find the solution")

### Challenge 2.2: Injecting Path Constraints

Next, we are gonna try something a little different. Download the following program (`test_password2`) and try to use the same logic in the last challenge to obtain the password.

In [None]:
!wget -O test_password2 https://github.com/chiache/csce713-assignments/raw/master/lab4/test_password2
!chmod 755 test_password2

In [None]:
!echo "hello" | ./test_password2

#### Step 2.2.1: The failed attempt

Make the same changes as the last cell in Step 2.1.3 and try to run the symbolic execution. You will find that you can no longer obtain the password within a few minutes.

In [None]:
import angr

# Define a function that checks if you have found the state you are looking for.
def is_successful(state):
    # Dump whatever has been printed out by the binary so far into a string.
    stdout_output = state.posix.dumps(1) # 1 represents the file descriptor no. of stdout

    # TODO: Return whether 'Good Job.' has been printed yet.
    return False # Update this line

# Same as above, but this time check if the state should abort. If you return
# False, Angr will continue to step the state. In this specific challenge, the
# only time at which you will know you should abort is when the program prints
# "Try again."
def should_abort(state):
    stdout_output = state.posix.dumps(1) # 1 represents the file descriptor no. of stdout

    ## TODO: Return whether 'Try again.' has been printed yet.
    return False  # Update this line

project = angr.Project('test_password2')
initial_state = project.factory.entry_state(
    add_options = { angr.options.SYMBOL_FILL_UNCONSTRAINED_MEMORY,
                    angr.options.SYMBOL_FILL_UNCONSTRAINED_REGISTERS}
)
simulation = project.factory.simgr(initial_state)
simulation.explore(find=is_successful, avoid=should_abort)

if simulation.found:
    solution_state = simulation.found[0]
    solution = solution_state.posix.dumps(0)
    print("[+] Solution found! : {}".format(solution.decode('utf-8')))
else:
    raise Exception("Could not find the solution")

Now, it is okay to abort the cell and move on to the next step. We are going to try some new techniques to push the symbolic execution further.

#### Step 2.2.2: Back to decompiling/diassembling

The binary asks for a 16 character password to which is applies a complex
function and then compares with a reference string with the function
**check_equals_[some reference string]**. (Decompile the binary and take a look at it!)
The source code for this function is provided here. However, the reference
string in your version will be different than `AABBCCDDEEFFGGHH`:

```
#define REFERENCE_PASSWORD = "AABBCCDDEEFFGGHH";
int check_equals_AABBCCDDEEFFGGHH(char* to_check, size_t length) {
    uint32_t num_correct = 0;
    for (int i=0; i<length; ++i) {
        if (to_check[i] == REFERENCE_PASSWORD[i]) {
            num_correct += 1;
        }
    }
    return num_correct == length;
}

...

char* input = user_input();
char* encrypted_input = complex_function(input);
if (check_equals_AABBCCDDEEFFGGHH(encrypted_input, 16)) {
    puts("Good Job.");
} else {
    puts("Try again.");
}
```

The function checks if `to_check == "AABBCCDDEEFFGGHH"` (Remember: the string `AABBCCDDEEFFGGHH` is just an example--you need to dissemble the binary to find the actual string). Verify this yourself.
While you, as a human, can easily determine that this function is equivalent
to simply comparing the strings, the computer cannot. Instead the computer
would need to branch every time the if statement in the loop was called (16
times), resulting in 2^16 = 65,536 branches, which will take too long of a
time to evaluate for our needs.

We do not know how the `complex_function` works, but we want to find an input
that, when modified by `complex_function`, will produce the string exactly identical to `to_check`.



In this step, you need to dissemble the binary to find out:

1.   The expected target string **after** processing the correct input through `complex_function`
2.   The address of the variable used to store the input
3.   The address of the instruction to push the processed input before calling check_equals_[some reference string]



Your answer:

In [None]:
import angr
import re

project = angr.Project('test_password2', auto_load_libs = False)
cfg = project.analyses.CFGFast(normalize=True)
for func in cfg.functions.values():
    dec = project.analyses.Decompiler(func, cfg=cfg.model)
    print("Function %s<0x%x>:" % (func.name, func.addr))
    if dec.codegen:
        print(dec.codegen.text)

In [None]:
for node in sorted(cfg.model.nodes(), key=lambda n: n.addr):
    if not node.is_simprocedure:
        node.block.pp()

#### Step 2.2.3: Adding constraint to symbolic execution

In this step, your goal will be to stop the program before the checking function (**check_equals_[some reference string]**) is
called and manually constrain the variable storing the processed input to be equal to the reference string you identified by decompiling the binary. Since, you, as a human, know
that if the strings are equal, the program will print "Good Job.", you can
be assured that if the program can solve for an input that makes them equal,
the input will be the correct password.

Here, we need to set the password as a **Symbolic** and ask the Z3 solver to solve the puzzle that `complex_function(password) == [reference string]`. To define a symbolic, we will use the **Claripy** API, a set of Python API introduced by Angr to specify symbolics and constraints. We will define `password` as a **Bit Vector Symbol (BVS)**. The syntax for defining a Claripy BVS is as follows:

```
claripy.BVS([symbolic name], [bit vector size (in number of bits)])
```

Once you have defined the BVS, you can add a constraint to the state right before the process input is about to be compared. The Z3 solver will then solve the constraint and identify an input to be equal to the injected reference string after being processed by `complex_function()`.

In [None]:
import angr
import claripy

project = angr.Project('test_password2')

# In this challenge, we hardcode the start address with a blank initial state.
start_address = 0x804863c
initial_state = project.factory.blank_state(
    addr=start_address,
    add_options = { angr.options.SYMBOL_FILL_UNCONSTRAINED_MEMORY,
                    angr.options.SYMBOL_FILL_UNCONSTRAINED_REGISTERS}
)

password = # TODO: Define this as a claripy BVS

password_address = # TODO: Add the address where the input is stored
initial_state.memory.store(password_address, password)

simulation = project.factory.simgr(initial_state)

# Angr will not be able to reach the point at which the binary prints out
# 'Good Job.'. We cannot use that as the target anymore. Therefore, we need to
# set an earlier address, the one right before we are about to check the
# injected constraint
#
# TODO: Update this part to add the address to find before solving the constraint
address_to_check_constraint = # To be updated
simulation.explore(find=address_to_check_constraint)

if simulation.found:
    solution_state = simulation.found[0]

    # Recall that we need to constrain the to_check parameter (see top) of the
    # check_equals_ function. Determine the address that is being passed as the
    # parameter and load it into a bitvector so that we can constrain it.
    # (!)
    constrained_parameter_address = # TODO: Address of the string to be checked
    constrained_parameter_size_bytes = 16
    constrained_parameter_bitvector = solution_state.memory.load(
      constrained_parameter_address,
      constrained_parameter_size_bytes
    )

    # We want to constrain the system to find an input that will make
    # constrained_parameter_bitvector equal the desired value.
    constrained_parameter_desired_value = ''.encode() # TODO: Update the reference string

    # Specify a claripy expression (using Pythonic syntax) that tests whether
    # constrained_parameter_bitvector == constrained_parameter_desired_value.
    # Add the constraint to the state to let z3 attempt to find an input that
    # will make this expression true.
    solution_state.add_constraints(constrained_parameter_bitvector == constrained_parameter_desired_value)

    # Solve for the constrained_parameter_bitvector.
    solution = solution_state.solver.eval(password, cast_to=bytes).decode()

    print(solution)
else:
    raise Exception('Could not find the solution')

Now, send the solution into the program to check if it passed the check:

In [None]:
# Update the following command with the password you found
!echo "" | ./test_password2

## Submission

Once you have finished this notebook, click "File > Download > Download as .ipynb" and upload the file to **Assignment 4** on MS Teams.

## Reference

Please cite all the sources if there's any.