Skip to content
Collection of LLVM passes and triage tools for use with the KRF fuzzer
LLVM Other
  1. LLVM 99.8%
  2. Other 0.2%
Branch: master
Clone or download
Latest commit 8c6f7b6 Aug 6, 2019
Type Name Latest commit message Commit time
Failed to load latest commit information.
KRFAnalysisPass TOC/TOU (#11) Jul 11, 2019
binja binja: Better instruction detection logic, removes bad workaround for… Aug 1, 2019
test-bc test-bc: Replace .bc files with .ll files Jul 1, 2019
tests TOC/TOU (#11) Jul 11, 2019
triage Taint analysis (#8) Jul 8, 2019
.clang-format KRFAnalysisPass: add output opt and consts Jun 27, 2019
.gitignore Update .gitignore Jul 1, 2019
.travis.yml binja: Add taint analysis binja plugin Jul 30, 2019
Dockerfile Add functional dockerfile Jul 1, 2019
pyproject.toml triage: Add black and reformat Jun 27, 2019


Build Status

KRFAnalysis contains an LLVM pass and related scipts that test potential vulnerability to the tool KRF by checking whether the result of a syscall is checked for errors.

It runs through opt on LLVM IR files (.bc)


An LLVM Pass runs on the LLVM IR and can do analysis, transformations, and optimizations. In our case, we attempt to analyze when the results of syscalls are used.

LLVM Passes have several benefits:

  • Works on any platform (since IR is platform agnostic)
  • Works with Go, C, C++, and Rust
  • Extremely rich capability for static analysis

But also some downsides:

  • Need to have the IR bytecode, which effectively means you must have the source code
  • Only works with Go, C, C++, and Rust
  • LLVM has a somewhat steep learning curve



Docker is recommended, since it makes the setup and build process easier.

git clone && cd KRFAnalysis
docker build . -t krf
docker run -it krf

Not docker

First, you needs to install the dependencies including cmake, llvm, llvm-dev, and python3.7
Then, run the following commands to clone and build the repository, which will generate a file.

git clone && cd KRFAnalysis
mkdir build && cd build
cmake ../
cmake --build .


The LLVM pass runs through opt (which may be opt-6.0 or whatever version of llvm you have).

To analyze the file file.bc and output human readable text into the file output.txt, you would run:

opt -load path/to/ -KRF -disable-output -krf-output output.txt file.bc

To analyze the file file.bc and output JSON into the file pass_output.json, you would run:

opt -load path/to/ -KRF -disable-output -krf-output pass_output.json -krf-json file.bc

If -krf-output is not specified, the output will default to krfpass.out

After creating JSON output, it can be further analyzed and triaged by the triage script:

python3 triage/ pass_output.json # Outputs human readable triaged information
python3 triage/ -json pass_output.json # Outputs JSON
You can’t perform that action at this time.