Compare revisions

Jason Hiser · Jason Hiser · Jason Hiser · Jason Hiser · Jason Hiser · Jason Hiser
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
 before_script:
-  - "source ~gitlab-runner/cicd_support/cicd_support.shinc" 
-
-after_script:
-  - "source ~gitlab-runner/cicd_support/cicd_support.shinc" 
-
-stages:
-  - clean
-  - build
-  - test
-  - install
-  - deploy
-
+  |-
+    source ~gitlab-runner/cicd_support/cicd_support.shinc
+    ./cicd_testing/do-clean.sh 
+    ./cicd_testing/do-build.sh 

 #
-# Cleaning
+# Testing
 #
-.do-nightly-clean: &do-nightly-clean
-  stage: clean
-  script:
-    - ./cicd_testing/do-clean.sh 
-
-do-nightly-clean-ubuntu20:
-  <<: *do-nightly-clean
-  tags:
-    - ubuntu20
-
-do-nightly-clean-ubuntu18:
-  <<: *do-nightly-clean
-  tags:
-    - ubuntu18
-
-do-nightly-clean-ubuntu16:
-  <<: *do-nightly-clean
-  tags:
-    - ubuntu16
-
-do-nightly-clean-centos76:
-  <<: *do-nightly-clean
-  tags:
-    - centos76
-
-
-#
-# Building
-#
-
-.do-build: &do-build
-  stage: build
-  script:
-    - ./cicd_testing/do-build.sh 
-
-do-build-ubuntu20:
-  <<: *do-build
-  tags:
-    - ubuntu20
-
-do-build-ubuntu18:
-  <<: *do-build
-  tags:
-    - ubuntu18
-
-do-build-ubuntu16:
-  <<: *do-build
-  tags:
-    - ubuntu16
-
-do-build-centos76:
-  <<: *do-build
-  tags:
-    - centos76
-
-
-#
-# test_cmds.sh zafl
-#
-.basic-pgms-zafl: &basic-pgms-zafl
+.test: &test
  stage: test
  script:
-    - ./cicd_testing/basic-pgms-zafl.sh
-
-basic-pgms-zafl-ubuntu20:
-  <<: *basic-pgms-zafl
-  tags:
-    - ubuntu20
-
-basic-pgms-zafl-ubuntu18:
-  <<: *basic-pgms-zafl
-  tags:
-    - ubuntu18
-
+    |-
+      ./cicd_testing/basic-pgms-zafl.sh
+      ./cicd_testing/afl-zafl.sh

-basic-pgms-zafl-ubuntu16:
-  <<: *basic-pgms-zafl
+ubuntu22:
+  <<: *test
  tags:
-    - ubuntu16
+    - ubuntu22

-basic-pgms-zafl-centos76:
-  <<: *basic-pgms-zafl
-  tags:
-    - centos76
-
-#
-# test zafl with afl
-#
-.afl-zafl: &afl-zafl
-  stage: test
-  script:
-    - ./cicd_testing/afl-zafl.sh
-
-afl-zafl-ubuntu20:
-  <<: *afl-zafl
+ubuntu20:
+  <<: *test
  tags:
    - ubuntu20

-afl-zafl-ubuntu18:
-  <<: *afl-zafl
+ubuntu18:
+  <<: *test
  tags:
    - ubuntu18

-
-afl-zafl-ubuntu16:
-  <<: *afl-zafl
-  tags:
-    - ubuntu16
-
-afl-zafl-centos76:
-  <<: *afl-zafl
+centos76:
+  <<: *test
  tags:
    - centos76

+
 #
 # Deploy a docker image to gitlab.
 #
-.deploy-zafl: &deploy-zafl
+deploy: 
  stage: deploy
-  only:
-    - master
+  needs: [ "ubuntu22", "ubuntu20", "ubuntu18", "centos76" ]
  script:
    - ./cicd_testing/deploy.sh
-
-deploy-zafl-ubuntu18:
-  <<: *deploy-zafl
  tags:
-    - ubuntu18
+    - ubuntu22
--- a/README.md
+++ b/README.md
@@ -78,6 +78,9 @@ Before continuing, be sure to prepare Zipr's environment by doing the following:
 ```bash
 cd /path/to/zipr && . set_env_vars
 ```
+```bash
+cd /path/to/zipr && ./get_packages.sh
+```

 #### Step 1: Testing Zipr
 Test the binary rewriting infrastructure by rewriting Linux's `ls` binary:
@@ -100,7 +103,7 @@ Performing step zipr [dependencies=clone,fill_in_indtargs,fill_in_cfg,pdb_regist
 ```
 Invoke the rewritten version and make sure it runs normally: 
 ```
-./tmp/ls.zipr
+/tmp/ls.zipr
 ``` 

 #### Step 2: Download and build ZAFL
@@ -112,6 +115,10 @@ Second, prepare ZAFL's environment:
 ```bash
 cd /path/to/zafl && . set_env_vars
 ```
+```bash
+cd /path/to/zafl && ./get-packages.sh
+```
+
 Lastly, build ZAFL:
 ```bash
 scons 
@@ -202,4 +209,4 @@ We hope to improve our Windows support in the near future.
 ## Supported Transformations
 To see the full list of fuzzing-enhancing code transformations that ZAFL currently supports, run `zafl.sh --help` (or for Docker-based installs, `docker run git.zephyr-software.com:4567/opensrc/zafl/zafl:latest`).

-**We welcome any community contributions, and ideas for improvements and new fuzzing transformations!** To open an issue or merge request, please contact one of the developers (`hiser@virginia.edu`, `an7s@virginia.edu`, `jwd@virginia.edu`, or `snagy2@vt.edu`).  **Happy fuzzing!**
+**We welcome any community contributions, and ideas for improvements and new fuzzing transformations!** To open an issue or merge request, please contact one of the developers (`hiser@virginia.edu`, `an7s@virginia.edu`, `jwd@virginia.edu`, or `snagy@cs.utah.edu`).  **Happy fuzzing!**
--- a/bin/zafl.sh
+++ b/bin/zafl.sh
@@ -406,10 +406,11 @@ find_main()
 		log_msg "Detected main at: 0x$main_addr"
 		options=" $options -o zax:'-e 0x$main_addr'"
 	else
-		grep -B1 "libc_start_main@" $tmp_objdump >/dev/null 2>&1
+		readelf --relocs $input_binary | grep " __libc_start_main@" >/dev/null 2>&1
 		if [ $? -eq 0 ]; then
-			grep -B1 start_main $tmp_objdump | grep rdi | grep rip >/dev/null 2>&1
-			if [ $? -eq 0 ]; then
+			libc_start_main_addr=$(readelf --relocs $input_binary | grep " __libc_start_main@" |cut -f1 -d' '|sed "s/^0*//" )
+			grep -B1 "# $libc_start_main_addr " $tmp_objdump | grep rdi | grep rip >/dev/null 2>&1
+			if [ $? -ne 0 ]; then
 				ep=$(readelf -h $input_binary | grep -i "entry point" | cut -d'x' -f2)
 				if [ ! -z $ep ]; then
 					log_msg "main exec is PIE... use entry point address (0x$ep) for fork server"
@@ -418,14 +419,7 @@ find_main()
 					log_error_exit "error finding entry point address"
 				fi
 			else
-				grep "libc_start_main" $tmp_objdump | grep ">:" | grep -v -e "@plt" -e "jmp" >/dev/null 2>&1
-				if [ $? -eq 0 ]; then
-					log_msg "Detected libc: no main"
-					rm $tmp_objdump
-					return
-				fi
-
-				main_addr=$(grep -B1 libc_start_main@plt $tmp_objdump | grep mov | grep rdi | cut -d':' -f2 | cut -d'm' -f2 | cut -d',' -f1 | cut -d'x' -f2)
+				main_addr=$( grep -B1 "# $libc_start_main_addr " $tmp_objdump | grep rdi | grep rip | cut -d'#' -f2|cut -d' ' -f2)
 				if [ "$main_addr" = "" ]; then 
 					log_error_exit "error inferring main"
 				fi

--- a/cicd_testing/deploy.sh
+++ b/cicd_testing/deploy.sh
 #/bin/bash

-export ZAFL_PATH=git.zephyr-software.com:4567/opensrc/zafl/
-export ZAFL_TAG=zafl:latest
-export DOCKER_ZAFL=${ZAFL_PATH}${ZAFL_TAG}
+export DOCKER_ZAFL=$CI_REGISTRY_IMAGE/zafl:$CI_COMMIT_REF_SLUG

 do_docker_clean()
 {

--- a/test/bc.fixed_map/test_bc.sh
+++ b/test/bc.fixed_map/test_bc.sh
@@ -75,7 +75,7 @@ trace_map_address="0x10000"

 # build ZAFL version of bc executable with fixed map

-zafl.sh `which bc` bc.fixed.zafl -m $trace_map_address --tempdir analysis.bc.fixed.zafl
+zafl.sh `which bc` bc.fixed.zafl -m $trace_map_address --tempdir analysis.bc.fixed.zafl 
 if [ $? -eq 0 ]; then
 	log_success "build bc.fixed.zafl"
 else

--- a/test/strings/test_strings.sh
+++ b/test/strings/test_strings.sh
@@ -66,7 +66,7 @@ mkdir $session
 pushd $session

 # build ZAFL version of strings executable
-zafl.sh `which strings` strings.zafl.d.g.laf --enable-laf -d -g --tempdir analysis.strings.zafl.d.g.laf
+zafl.sh `which strings` strings.zafl.d.g.laf --enable-laf -d -g --tempdir analysis.strings.zafl.d.g.laf 
 if [ $? -eq 0 ]; then
 	log_success "build strings.zafl.d.g.laf"
 else

--- a/tools/zax/loop_count.cpp
+++ b/tools/zax/loop_count.cpp
@@ -144,8 +144,8 @@ bool Zedge_t::execute()
 			if(live_flags)
 			{
 				flag_save_points += 1;
-				(void)insertAssemblyBefore(inc,        "pushf");
-				(void)insertAssemblyBefore(loop_start, "popf") ;
+				(void)insertAssemblyBefore(inc,        "pushfq");
+				(void)insertAssemblyBefore(loop_start, "popfq") ;
 			}

 		}

--- a/tools/zax/zax.cpp
+++ b/tools/zax/zax.cpp
@@ -273,7 +273,7 @@ void Zax_t::instrumentBasicBlock(BasicBlock_t *p_bb, bool p_honorRedZone, const
 	if (save_trace_map)  do_insert("push rcx");
 	if (save_prev_id)    do_insert("push rdx");
 	if (save_context)    do_insert("push r8");
-	if (live_flags)      do_insert("pushf");
+	if (live_flags)      do_insert("pushfq");

 	const auto live_flags_str = live_flags ? "live" : "dead"; 
 	if (m_verbose) cout << "   flags are "  << live_flags_str << endl;
@@ -435,7 +435,7 @@ void Zax_t::instrumentBasicBlock(BasicBlock_t *p_bb, bool p_honorRedZone, const
 	}

 	// finally, restore any flags/registers so that the program can execute.
-	if (live_flags)       do_insert("popf");
+	if (live_flags)       do_insert("popfq");
 	if (save_context)     do_insert("pop r8");
 	if (save_prev_id)     do_insert("pop rdx");
 	if (save_trace_map)   do_insert("pop rcx");

--- a/tools/zax/zax_base.cpp
+++ b/tools/zax/zax_base.cpp
@@ -442,8 +442,9 @@ void ZaxBase_t::insertForkServer(Instruction_t* p_entry)

 	// red zone
 	(void)insertAssemblyBefore(tmp, "lea rsp, [rsp-0x80]");
-	// save flags and registrers
-	tmp = insertAssemblyAfter(tmp,  "pushf ") ;
+	// save flags and registrers.  Safe flags twice to keep stack aligned properly.
+	tmp = insertAssemblyAfter(tmp,  "pushfq") ;
+	tmp = insertAssemblyAfter(tmp,  "pushfq") ;
 	for (vector<string>::const_iterator rit = regs.begin(); rit != regs.end(); ++rit)
 		tmp = insertAssemblyAfter(tmp, " push " + *rit);
 	// call fork server initialization routine (in external library)
@@ -451,8 +452,10 @@ void ZaxBase_t::insertForkServer(Instruction_t* p_entry)
 	// restore registers and flags
 	for (vector<string>::const_reverse_iterator rit = regs.rbegin(); rit != regs.rend(); ++rit)
    		tmp = insertAssemblyAfter(tmp, " pop " + *rit) ;
-	tmp = insertAssemblyAfter(tmp,  "popf ") ;
-	// red zome
+	// Pop flags twice to keep stack aligned properly.
+	tmp = insertAssemblyAfter(tmp,  "popfq") ;
+	tmp = insertAssemblyAfter(tmp,  "popfq") ;
+	// red zone
 	tmp = insertAssemblyAfter(tmp,  "lea rsp, [rsp+0x80]");
 }

@@ -1154,13 +1157,13 @@ void ZaxBase_t::addContextSensitivity_Function(const ControlFlowGraph_t& cfg)
 				i = do_insert(i, "push " + reg_temp);

 			if (live_flags)
-				i = do_insert(i, "pushf");
+				i = do_insert(i, "pushfq");

 			// compute new hash chain value
 			i = compute_hash_chain(contextid, i, reg_context, reg_temp);

 			if (live_flags)
-				i = do_insert(i, "popf");
+				i = do_insert(i, "popfq");

 			if (save_temp)
 				i = do_insert(i, "pop " + reg_temp);
@@ -1283,25 +1286,29 @@ int ZaxBase_t::execute()
 			continue;
 		}

-		const auto dom_graphp=DominatorGraph_t::factory(cfgp.get());
-		const auto has_domgraph_warnings = dom_graphp -> hasWarnings();  
-
 		const auto entry_block = cfg.getEntry();
 		auto keepers = getBlocksToInstrument(cfg);

-		if (m_verbose)
-			cout << "num blocks to keep (baseline): " << keepers.size() << endl;
-
-		if(has_domgraph_warnings)
+		if(m_domgraph_optimize)
 		{
-			if(m_verbose)
+			const auto dom_graphp=DominatorGraph_t::factory(cfgp.get());
+			const auto has_domgraph_warnings = dom_graphp -> hasWarnings();  
+
+
+			if (m_verbose)
+				cout << "num blocks to keep (baseline): " << keepers.size() << endl;
+
+			if(has_domgraph_warnings)
 			{
-				cout << " Domgraph has warnings, eliding domgraph filter" << endl;
-				cout << " And the domgraph is: " << endl;
-				cout << *dom_graphp << endl;
+				if(m_verbose)
+				{
+					cout << " Domgraph has warnings, eliding domgraph filter" << endl;
+					cout << " And the domgraph is: " << endl;
+					cout << *dom_graphp << endl;
+				}
 			}
+			filterBlocksByDomgraph(keepers,dom_graphp.get());
 		}
-		filterBlocksByDomgraph(keepers,dom_graphp.get());

 		if (m_verbose)
 			cout << "num blocks to keep (after filter dom): " << keepers.size() << " / " << cfgp->getBlocks().size() << endl;
No results found