- docker pull klee/klee
- docker run -ti --name=<container_name> klee/klee
- git clone https://github.com/sufuf3/ST2017-hw2-coverage.git ST2017-hw4-Symbolic_and_Fuzz
- cd ST2017-hw4-Symbolic_and_Fuzz/[hw]
- modify *.cpp
- clang -I /home/klee/klee_src/include/ -emit-llvm -c -g triangle.cpp
#Compile to LLVM bitcode - klee triangle.bc
#Run KLEE
KLEE: output directory is "/home/klee/ST2017-hw4-Symbolic_and_Fuzz/triangle/klee-out-0"
KLEE: Using STP solver backend
KLEE: done: total instructions = 135
KLEE: done: completed paths = 9
KLEE: done: generated tests = 9
- ktest-tool --write-ints klee-last/<test_id.ktest>
#KLEE-generated test cases
ktest file : 'klee-last/test000001.ktest'
args : ['triangle.bc']
num objects: 3
object 0: name: b'a'
object 0: size: 4
object 0: data: 0
object 1: name: b'b'
object 1: size: 4
object 1: data: 0
object 2: name: b'c'
object 2: size: 4
object 2: data: 0
- clang -I /home/klee/klee_src/include/ -emit-llvm -c -g nextdate.cpp .
- klee nextdate.bc .
KLEE: output directory is "/home/klee/ST2017-hw4-Symbolic_and_Fuzz/nextdate/klee-out-0"
KLEE: Using STP solver backend
KLEE: done: total instructions = 392
KLEE: done: completed paths = 18
KLEE: done: generated tests = 18
- ktest-tool --write-ints test000001.ktest .
ktest file : 'test000001.ktest'
args : ['nextdate.bc']
num objects: 3
object 0: name: b'yy'
object 0: size: 4
object 0: data: 0
object 1: name: b'mm'
object 1: size: 4
object 1: data: 0
object 2: name: b'dd'
object 2: size: 4
object 2: data: 0
- clang -I /home/klee/klee_src/include/ -emit-llvm -c -g commission.cpp .
- klee commission.bc .
KLEE: output directory is "/home/klee/ST2017-hw4-Symbolic_and_Fuzz/commission/klee-out-0"
KLEE: Using STP solver backend
KLEE: WARNING ONCE: silently concretizing (reason: floating point) expression (Add w32 (Add w32 (Mul w32 45
(ReadLSB w32 0 lock))
(Mul w32 30
(ReadLSB w32 0 stock)))
(Mul w32 25
(ReadLSB w32 0 barrel))) to value 100 (/home/klee/ST2017-hw4-Symbolic_and_Fuzz/commission/commission.cpp:16)
KLEE: done: total instructions = 70
KLEE: done: completed paths = 2
KLEE: done: generated tests = 2
- ktest-tool --write-ints klee-last/test000001.ktest .
ktest file : 'klee-last/test000001.ktest'
args : ['commission.bc']
num objects: 3
object 0: name: b'lock'
object 0: size: 4
object 0: data: 0
object 1: name: b'stock'
object 1: size: 4
object 1: data: 0
object 2: name: b'barrel'
object 2: size: 4
object 2: data: 0
- wget http://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz
- tar zxvf afl-latest.tgz
- cd afl-2.42b/
- make
- sudo make install
- echo core > sudo /proc/sys/kernel/core_pattern
#root
- cd ~/ST2017-hw4-Symbolic_and_Fuzz/triangle
- afl-gcc triangle.cpp -o triangle_fuzz
afl-cc 2.42b by <lcamtuf@google.com>
afl-as 2.42b by <lcamtuf@google.com>
[+] Instrumented 13 locations (64-bit, non-hardened mode, ratio 100%).
- mkdir afl_in afl_out
- echo "22" > ./afl_in/1
- afl-fuzz -i afl_in -o afl_out ./triangle_fuzz
- cd ~/ST2017-hw4-Symbolic_and_Fuzz/nextdate
- afl-gcc nextdate.cpp -o nextdate_fuzz
afl-cc 2.42b by <lcamtuf@google.com>
afl-as 2.42b by <lcamtuf@google.com>
[+] Instrumented 34 locations (64-bit, non-hardened mode, ratio 100%).
- mkdir afl_in afl_out
- echo "22" > ./afl_in/1
- afl-fuzz -i afl_in -o afl_out ./nextdate_fuzz
- cd ~/ST2017-hw4-Symbolic_and_Fuzz/commission
- afl-gcc commission.cpp -o commission_fuzz
afl-cc 2.42b by <lcamtuf@google.com>
afl-as 2.42b by <lcamtuf@google.com>
[+] Instrumented 34 locations (64-bit, non-hardened mode, ratio 100%).
- mkdir afl_in afl_out
- echo "22" > ./afl_in/1
- afl-fuzz -i afl_in -o afl_out ./commission_fuzz
Triangle problems
- symbolic testing: klee
- fuzz testing: AFL
NextDate problems
- symbolic testing: klee
- fuzz testing: AFL
Commission problems
- symbolic testing: klee
- fuzz testing: AFL