Merge branch '34-better-parsing-of-zafl-sh-parameters' into 'master'

Resolve "Better parsing of zafl.sh parameters" Closes #34 See merge request allzp/zfuzz!4

Merge branch '34-better-parsing-of-zafl-sh-parameters' into 'master'
821e33a4 · Anh Nguyen-Tuong · ef506e02 · fba13677 · 821e33a4 · 821e33a4
Commit 821e33a4 authored 6 years ago by Anh Nguyen-Tuong
--- a/afl_transforms/tools/zafl/zafl.cpp
+++ b/afl_transforms/tools/zafl/zafl.cpp
@@ -1105,6 +1105,7 @@ int Zafl_t::execute()
 	cout << "#ATTRIBUTE num_bb_keep_exit_block=" << num_bb_keep_exit_block << endl;
 	cout << "#ATTRIBUTE num_style_afl=" << num_style_afl << endl;
 	cout << "#ATTRIBUTE num_style_collafl=" << num_style_collafl << endl;
+	cout << "#ATTRIBUTE graph_optimize=" << boolalpha << m_bb_graph_optimize << endl;

 	return 1;
 }
--- a/bin/zafl.sh
+++ b/bin/zafl.sh
 #!/bin/bash
+
 #
-# Pass-through to underlying zipr toolchain command
-#
-# @todo: make it more user-friendly and have zafl-specific options
+# Invoke underlying Zipr toolchain with Zafl step and parameters
 #
+
+RED=`tput setaf 1`
+GREEN=`tput setaf 2`
+YELLOW=`tput setaf 3`
+ORANGE=`tput setaf 214`
+MAGENTA=`tput setaf 5`
+NC=`tput sgr0`
+
 usage()
 {
 	echo
 	echo "zafl.sh <input_binary> <output_zafl_binary> [options]"
 	echo 
 	echo "options:"
-	echo "     --ida                      Use IDAPro (default)"
-	echo "     --rida                     Do not use IDAPro"
-	echo "     --stars                    Use STARS (default)"
-	echo "     --no-stars                 Do not use STARS"
-	echo "     --graph-optimization       Use basic block graph optimizations"
-	echo "     --no-graph-optimization    Do not use basic block graph optimizations (default)"
+	echo "     --ida                          Use IDAPro (default)"
+	echo "     --rida                         Do not use IDAPro"
+	echo "     -s, --stars                    Use STARS (default)"
+	echo "     -S, --no-stars                 Do not use STARS"
+	echo "     -g, --graph-optimization       Use basic block graph optimizations"
+	echo "     -G, --no-graph-optimization    Do not use basic block graph optimizations (default)"
+	echo "     -t, --tempdir                  Specify location of analysis directory"
 }

-if [ "$1" = "-h" -o "$1" = "--help" ];
-then
-	usage
-	exit 0
-fi
+ida_or_rida_opt=" -s meds_static=off -s rida=on "
+stars_opt=" -o zafl:--stars "
+graph_opt=" "
+other_args=""
+
+me=$(whoami)
+tmp_dir=/tmp/${me}/$$
+mkdir -p $tmp_dir
+
+cleanup()
+{
+	if [ ! -z "$tmp_dir" ]; then
+		rm -fr $tmp_dir
+	fi
+}
+
+log_msg()
+{
+	echo -e "${GREEN}Zafl: $1 ${NC}"
+}

-if [ "$#" -lt 2 ]; then
-	usage
+log_warning()
+{
+	echo -e "${ORANGE}Zafl: $1 ${NC}"
+}
+
+log_error()
+{
+	echo -e "${RED}Zafl: $1 ${NC}"
+}
+
+log_error_exit()
+{
+	log_error "$1"
+	cleanup
 	exit 1
-fi
+}

-input_binary=$(realpath $1)
-output_zafl_binary=$2
+parse_args()
+{
+	PARAMS=""
+	while (( "$#" )); do
+		key="$1"

-shift
-shift
+		case $key in
+			-h|--help)
+				usage
+				exit 0
+				;;
+			--ida)
+				ida_or_rida_opt=" "
+				shift
+				;;
+			--rida)
+				ida_or_rida_opt=" -s meds_static=off -s rida=on "
+				shift
+				;;
+			-s | --stars)
+				stars_opt=" -o zafl:--stars "
+				shift
+				;;
+			-S | --no-stars)
+				stars_opt=" "
+				shift
+				;;
+			-g | --graph-optimization)
+				graph_opt=" -o zafl:-g "
+				shift
+				;;
+			-G | --no-graph-optimization)
+				graph_opt=" "
+				shift
+				;;
+			-v | --verbose)
+				verbose_opt=" -o zafl:-v "
+				shift
+				;;
+			-t | --tempdir)
+				shift
+				other_args=" --tempdir $1"
+				shift
+				;;
+			-*|--*=) # unsupported flags
+				echo "Error: Unsupported flag $1" >&2
+				exit 1
+				;;
+    			*) # preserve positional arguments
+				PARAMS="$PARAMS $1"
+				shift
+				;;
+		esac
+	done

-#ida_or_rida_opt=" "
-ida_or_rida_opt=" -s meds_static=off -s rida=on "
-stars_opt=" -o zafl:--stars "
-graph_opt=" "
+	eval set -- "$PARAMS"
+	positional=($PARAMS)
+	input_binary=$(realpath ${positional[0]})
+	output_zafl_binary=${positional[1]}

-other_args=""
-# parse args
-while [[ $# -gt 0 ]]
-do
-	key="$1"
-
-	case $key in
-		-h|--help)
-			usage
-			exit 0
-			;;
-		--ida)
-			ida_or_rida_opt=" "
-			shift
-			;;
-		--rida)
-			ida_or_rida_opt=" -s meds_static=off -s rida=on "
-			shift
-			;;
-		-s | --stars)
-			stars_opt=" -o zafl:--stars "
-			shift
-			;;
-		-S | --no-stars)
-			stars_opt=" "
-			shift
-			;;
-		-g | --graph-optimization)
-			graph_opt=" -o zafl:-g "
-			shift
-			;;
-		-G | --no-graph-optimization)
-			graph_opt=" "
-			shift
-			;;
-		-v | --verbose)
-			verbose_opt=" -o zafl:-v "
-			shift
-			;;
-    		*)    # unknown option
-			other_args="$other_args $1"         
-			shift # past argument
-			;;
-esac
-done
-
-# find main
-main_addr=""
-tmp_objdump=/tmp/$$.objdump
-objdump -d $input_binary > $tmp_objdump
-grep "<main>:" $tmp_objdump >/dev/null 2>&1
-if [  $? -eq 0 ]; then
-	echo Zafl: Detected main program in $input_binary
-else
-	grep -B1 "libc_start_main@" $tmp_objdump >/dev/null 2>&1
-	if [ $? -eq 0 ]; then
-		grep -B1 start_main $tmp_objdump | grep rdi | grep rip >/dev/null 2>&1
+	if [ -z $input_binary ]; then
+		usage
+		log_error_exit "You must specify an input binary to be protected"
+	fi
+
+	if [ -z $output_zafl_binary ]; then
+		usage
+		log_error_exit "You must specify the name of the output binary"
+	fi
+}
+
+find_main()
+{
+	main_addr=""
+	tmp_objdump=$tmp_dir/tmp.objdump
+	tmp_main=$tmp_dir/tmp.main
+
+	objdump -d $input_binary > $tmp_objdump
+
+	grep "<main>:" $tmp_objdump > $tmp_main
+
+	if [  $? -eq 0 ]; then
+		main_addr=$(cut -d' ' -f1 $tmp_main)
+		log_msg "detected main at: 0x$main_addr"
+		options=" $options -o zafl:'-e 0x$main_addr'"
+	else
+		grep -B1 "libc_start_main@" $tmp_objdump >/dev/null 2>&1
 		if [ $? -eq 0 ]; then
-			ep=$(readelf -h $input_binary | grep -i "entry point" | cut -d'x' -f2)
-			if [ ! -z $ep ]; then
-				echo "Zafl: Main exec is PIE... use entry point address (0x$ep) for fork server"
-				options=" $options -o zafl:'-e 0x$ep'"
+			grep -B1 start_main $tmp_objdump | grep rdi | grep rip >/dev/null 2>&1
+			if [ $? -eq 0 ]; then
+				ep=$(readelf -h $input_binary | grep -i "entry point" | cut -d'x' -f2)
+				if [ ! -z $ep ]; then
+					log_msg "main exec is PIE... use entry point address (0x$ep) for fork server"
+					options=" $options -o zafl:'-e 0x$ep'"
+				else
+					log_error_exit "error finding entry point address"
+				fi
 			else
-				echo "Zafl: error finding entry point address"
-				exit 1
+				main_addr=$(grep -B1 libc_start_main@plt $tmp_objdump | grep mov | grep rdi | cut -d':' -f2 | cut -d'm' -f2 | cut -d',' -f1 | cut -d'x' -f2)
+				if [ "$main_addr" = "" ]; then 
+					log_error_exit "error inferring main"
+				fi
+
+				log_msg "inferring main to be at: 0x$main_addr"
+				options=" $options -o zafl:'-e 0x$main_addr'"
 			fi
 		else
-			main_addr=$(grep -B1 libc_start_main@plt $tmp_objdump | grep mov | grep rdi | cut -d':' -f2 | cut -d'm' -f2 | cut -d',' -f1 | cut -d'x' -f2)
-			if [ "$main_addr" = "" ]; then 
-				echo "Zafl: Error inferring main"
-				exit 1
-			fi
-
-			echo "Zafl: Inferring main to be at: 0x$main_addr"
-			options=" $options -o zafl:'-e 0x$main_addr'"
+			log_warning "no main() detected, probably a library ==> no fork server"
 		fi
-	else
-		echo "Zafl: no main() detected, probably a library ==> no fork server"
 	fi
-fi
-rm $tmp_objdump
+	rm $tmp_objdump >/dev/null 2>&1
+}

-echo "Zafl: Transforming input binary $input_binary into $output_zafl_binary"
-cmd="$PSZ $input_binary $output_zafl_binary $ida_or_rida_opt -c move_globals=on -c zafl=on -o move_globals:--elftables-only -o zipr:--traceplacement:on $stars_opt $graph_opt $verbose_opt $options $other_args"
-echo "Zafl: Issuing command: $cmd"
-eval $cmd
-if [ $? -eq 0 ]; then
-	ldd $output_zafl_binary | grep -e libzafl -e libautozafl >/dev/null 2>&1
+verify_zafl_symbols()
+{
+	# verify library dependency set
+	ldd $1 | grep -e libzafl -e libautozafl >/dev/null 2>&1
 	if [ $? -eq 0 ]; then
-		echo
-		echo Zafl: success. Output file is: $output_zafl_binary
-		echo
+		log_msg "success. Output file is: $1"
 	else
-		ldd $output_zafl_binary
-		echo
-		echo Zafl: error: output binary does not show a dependence on the Zafl support library
-		exit 1
+		ldd $1
+		log_error_exit "output binary does not show a dependence on the Zafl support library"
 	fi

-	ldd -d $output_zafl_binary | grep symbol | grep 'not defined' >/dev/null 2>&1
+	# sanity check symbols in zafl library resolve
+	ldd -d $1 | grep symbol | grep 'not defined' >/dev/null 2>&1
 	if [ $? -eq 0 ]; then
-		echo Zafl: error: something went wrong in resolving Zafl symnbols
-		exit 1
+		log_error_exit "something went wrong in resolving Zafl symbols"
 	fi
+}
+
+parse_args $*
+find_main
+
+#
+# Execute Zipr toolchain with Zafl options
+#
+log_msg "Transforming input binary $input_binary into $output_zafl_binary"
+
+cmd="$PSZ $input_binary $output_zafl_binary $ida_or_rida_opt -c move_globals=on -c zafl=on -o move_globals:--elftables-only -o zipr:--traceplacement:on $stars_opt $graph_opt $verbose_opt $options $other_args"
+
+log_msg "Issuing command: $cmd"
+eval $cmd
+if [ $? -eq 0 ]; then
+	verify_zafl_symbols $output_zafl_binary
 else
-	echo Zafl: error transforming input program
-	exit 1
+	log_error_exit "error transforming input program"
 fi

--- a/test/bc/test_bc.sh
+++ b/test/bc/test_bc.sh
 export AFL_TIMEOUT=15
 export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$SECURITY_TRANSFORMS_HOME/lib/:. 

-session=/tmp/tmp.bc.$$
+user=$(whoami)
+session=/tmp/${user}/tmp.bc.$$

 cleanup()
 {
-	rm -fr /tmp/gzip.tmp* gzip*.zafl peasoup_exec*.gzip* zafl_in zafl_out $session
+	rm -fr $session
 }

 log_error()
@@ -52,11 +53,10 @@ fuzz_with_zafl()

 }

-mkdir $session
+mkdir -p $session
 pushd $session

 # build ZAFL version of bc executable
-#$PSZ `which bc` bc.stars.zafl -c move_globals=on -c zafl=on -o move_globals:--elftables -o zipr:--traceplacement:on -o zipr:true -o zafl:--stars  
 zafl.sh `which bc` bc.stars.zafl --tempdir analysis.bc.stars.zafl
 if [ $? -eq 0 ]; then
 	log_success "build bc.stars.zafl"
@@ -64,10 +64,19 @@ else
 	log_error "build bc.stars.zafl"
 fi
 grep ATTR analysis.bc.stars.zafl/logs/zafl.log
-
 log_message "Fuzz for $AFL_TIMEOUT secs"
 fuzz_with_zafl $(realpath ./bc.stars.zafl)

+# build with graph optimization
+zafl.sh `which bc` bc.stars.zafl.g -g --tempdir analysis.bc.stars.zafl.g
+if [ $? -eq 0 ]; then
+	log_success "build bc.stars.zafl.g"
+else
+	log_error "build bc.stars.zafl.g"
+fi
+log_message "Fuzz for $AFL_TIMEOUT secs"
+fuzz_with_zafl $(realpath ./bc.stars.zafl.g)
+
 # build ZAFL version of readline shared library
 readline=$( ldd `which bc` | grep libreadline | cut -d'>' -f2 | cut -d'(' -f1 )
 readline_basename=$( basename $readline )
@@ -81,12 +90,28 @@ else
 	log_error "build zafl version of $readline_basename at $readline_realpath"
 fi

-ls -lt
-
 ldd bc.stars.zafl

 log_message "Fuzz for $AFL_TIMEOUT secs (with readline library zafl'ed)"
 fuzz_with_zafl $(realpath ./bc.stars.zafl)
+
+# test functionality
+echo "2+3" | `which bc` > out.bc.orig
+echo "2+3" | ./bc.stars.zafl > out.bc.stars.zafl
+echo "2+3" | ./bc.stars.zafl.g > out.bc.stars.zafl.g
+diff out.bc.orig out.bc.stars.zafl >/dev/null 2>&1
+if [ $? -eq 0 ]; then
+	log_success "bc.stars.zafl basic functionality"
+else
+	log_error "bc.stars.zafl basic functionality"
+fi
+diff out.bc.orig out.bc.stars.zafl.g >/dev/null 2>&1
+if [ $? -eq 0 ]; then
+	log_success "bc.stars.zafl.g basic functionality"
+else
+	log_error "bc.stars.zafl.g basic functionality"
+fi
+
 popd

 cleanup