before_script: before_script:
- "source ~gitlab-runner/cicd_support/cicd_support.shinc" |-
source ~gitlab-runner/cicd_support/cicd_support.shinc
after_script: ./cicd_testing/do-clean.sh
- "source ~gitlab-runner/cicd_support/cicd_support.shinc" ./cicd_testing/do-build.sh
stages:
- clean
- build
- test
- install
- deploy
# #
# Cleaning # Testing
# #
.do-nightly-clean: &do-nightly-clean .test: &test
stage: clean
script:
- ./cicd_testing/do-clean.sh
do-nightly-clean-ubuntu20:
<<: *do-nightly-clean
tags:
- ubuntu20
do-nightly-clean-ubuntu18:
<<: *do-nightly-clean
tags:
- ubuntu18
do-nightly-clean-ubuntu16:
<<: *do-nightly-clean
tags:
- ubuntu16
do-nightly-clean-centos76:
<<: *do-nightly-clean
tags:
- centos76
#
# Building
#
.do-build: &do-build
stage: build
script:
- ./cicd_testing/do-build.sh
do-build-ubuntu20:
<<: *do-build
tags:
- ubuntu20
do-build-ubuntu18:
<<: *do-build
tags:
- ubuntu18
do-build-ubuntu16:
<<: *do-build
tags:
- ubuntu16
do-build-centos76:
<<: *do-build
tags:
- centos76
#
# test_cmds.sh zafl
#
.basic-pgms-zafl: &basic-pgms-zafl
stage: test stage: test
script: script:
- ./cicd_testing/basic-pgms-zafl.sh |-
./cicd_testing/basic-pgms-zafl.sh
basic-pgms-zafl-ubuntu20: ./cicd_testing/afl-zafl.sh
<<: *basic-pgms-zafl
tags:
- ubuntu20
basic-pgms-zafl-ubuntu18:
<<: *basic-pgms-zafl
tags:
- ubuntu18
basic-pgms-zafl-ubuntu16: ubuntu22:
<<: *basic-pgms-zafl <<: *test
tags: tags:
- ubuntu16 - ubuntu22
basic-pgms-zafl-centos76: ubuntu20:
<<: *basic-pgms-zafl <<: *test
tags:
- centos76
#
# test zafl with afl
#
.afl-zafl: &afl-zafl
stage: test
script:
- ./cicd_testing/afl-zafl.sh
afl-zafl-ubuntu20:
<<: *afl-zafl
tags: tags:
- ubuntu20 - ubuntu20
afl-zafl-ubuntu18: ubuntu18:
<<: *afl-zafl <<: *test
tags: tags:
- ubuntu18 - ubuntu18
centos76:
afl-zafl-ubuntu16: <<: *test
<<: *afl-zafl
tags:
- ubuntu16
afl-zafl-centos76:
<<: *afl-zafl
tags: tags:
- centos76 - centos76
# #
# Deploy a docker image to gitlab. # Deploy a docker image to gitlab.
# #
.deploy-zafl: &deploy-zafl deploy:
stage: deploy stage: deploy
only: needs: [ "ubuntu22", "ubuntu20", "ubuntu18", "centos76" ]
- master
script: script:
- ./cicd_testing/deploy.sh - ./cicd_testing/deploy.sh
deploy-zafl-ubuntu18:
<<: *deploy-zafl
tags: tags:
- ubuntu18 - ubuntu22
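Review bot: The rewritten `deploy` job on the right side carries `needs: [ "ubuntu22", "ubuntu20", "ubuntu18", "centos76" ]` but, as far as this side-by-side rendering shows, no longer has the `only:` / `- master` restriction the old `.deploy-zafl` anchor had, so the docker-image push would now run for every branch whose four test jobs pass. If per-branch images are intended (the deploy script elsewhere in this compare tags with `$CI_COMMIT_REF_SLUG`), a one-line comment above the job saying so would stop the next reader from "fixing" it; otherwise restore `only: - master` or add `rules: - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH`. The collapsed `before_script` / `after_script` lines at the top of this section are too garbled in this view to judge.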
...@@ -78,6 +78,9 @@ Before continuing, be sure to prepare Zipr's environment by doing the following: ...@@ -78,6 +78,9 @@ Before continuing, be sure to prepare Zipr's environment by doing the following:
```bash ```bash
cd /path/to/zipr && . set_env_vars cd /path/to/zipr && . set_env_vars
``` ```
```bash
cd /path/to/zipr && ./get_packages.sh
```
#### Step 1: Testing Zipr #### Step 1: Testing Zipr
Test the binary rewriting infrastructure by rewriting Linux's `ls` binary: Test the binary rewriting infrastructure by rewriting Linux's `ls` binary:
...@@ -100,7 +103,7 @@ Performing step zipr [dependencies=clone,fill_in_indtargs,fill_in_cfg,pdb_regist ...@@ -100,7 +103,7 @@ Performing step zipr [dependencies=clone,fill_in_indtargs,fill_in_cfg,pdb_regist
``` ```
Invoke the rewritten version and make sure it runs normally: Invoke the rewritten version and make sure it runs normally:
``` ```
./tmp/ls.zipr /tmp/ls.zipr
``` ```
#### Step 2: Download and build ZAFL #### Step 2: Download and build ZAFL
...@@ -112,6 +115,10 @@ Second, prepare ZAFL's environment: ...@@ -112,6 +115,10 @@ Second, prepare ZAFL's environment:
```bash ```bash
cd /path/to/zafl && . set_env_vars cd /path/to/zafl && . set_env_vars
``` ```
```bash
cd /path/to/zafl && ./get-packages.sh
```
Lastly, build ZAFL: Lastly, build ZAFL:
```bash ```bash
scons scons
...@@ -202,4 +209,4 @@ We hope to improve our Windows support in the near future. ...@@ -202,4 +209,4 @@ We hope to improve our Windows support in the near future.
## Supported Transformations ## Supported Transformations
To see the full list of fuzzing-enhancing code transformations that ZAFL currently supports, run `zafl.sh --help` (or for Docker-based installs, `docker run git.zephyr-software.com:4567/opensrc/zafl/zafl:latest`). To see the full list of fuzzing-enhancing code transformations that ZAFL currently supports, run `zafl.sh --help` (or for Docker-based installs, `docker run git.zephyr-software.com:4567/opensrc/zafl/zafl:latest`).
**We welcome any community contributions, and ideas for improvements and new fuzzing transformations!** To open an issue or merge request, please contact one of the developers (`hiser@virginia.edu`, `an7s@virginia.edu`, `jwd@virginia.edu`, or `snagy2@vt.edu`). **Happy fuzzing!** **We welcome any community contributions, and ideas for improvements and new fuzzing transformations!** To open an issue or merge request, please contact one of the developers (`hiser@virginia.edu`, `an7s@virginia.edu`, `jwd@virginia.edu`, or `snagy@cs.utah.edu`). **Happy fuzzing!**
...@@ -406,10 +406,11 @@ find_main() ...@@ -406,10 +406,11 @@ find_main()
log_msg "Detected main at: 0x$main_addr" log_msg "Detected main at: 0x$main_addr"
options=" $options -o zax:'-e 0x$main_addr'" options=" $options -o zax:'-e 0x$main_addr'"
else else
grep -B1 "libc_start_main@" $tmp_objdump >/dev/null 2>&1 readelf --relocs $input_binary | grep " __libc_start_main@" >/dev/null 2>&1
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
grep -B1 start_main $tmp_objdump | grep rdi | grep rip >/dev/null 2>&1 libc_start_main_addr=$(readelf --relocs $input_binary | grep " __libc_start_main@" |cut -f1 -d' '|sed "s/^0*//" )
if [ $? -eq 0 ]; then grep -B1 "# $libc_start_main_addr " $tmp_objdump | grep rdi | grep rip >/dev/null 2>&1
if [ $? -ne 0 ]; then
ep=$(readelf -h $input_binary | grep -i "entry point" | cut -d'x' -f2) ep=$(readelf -h $input_binary | grep -i "entry point" | cut -d'x' -f2)
if [ ! -z $ep ]; then if [ ! -z $ep ]; then
log_msg "main exec is PIE... use entry point address (0x$ep) for fork server" log_msg "main exec is PIE... use entry point address (0x$ep) for fork server"
...@@ -418,14 +419,7 @@ find_main() ...@@ -418,14 +419,7 @@ find_main()
log_error_exit "error finding entry point address" log_error_exit "error finding entry point address"
fi fi
else else
grep "libc_start_main" $tmp_objdump | grep ">:" | grep -v -e "@plt" -e "jmp" >/dev/null 2>&1 main_addr=$( grep -B1 "# $libc_start_main_addr " $tmp_objdump | grep rdi | grep rip | cut -d'#' -f2|cut -d' ' -f2)
if [ $? -eq 0 ]; then
log_msg "Detected libc: no main"
rm $tmp_objdump
return
fi
main_addr=$(grep -B1 libc_start_main@plt $tmp_objdump | grep mov | grep rdi | cut -d':' -f2 | cut -d'm' -f2 | cut -d',' -f1 | cut -d'x' -f2)
if [ "$main_addr" = "" ]; then if [ "$main_addr" = "" ]; then
log_error_exit "error inferring main" log_error_exit "error inferring main"
fi fi
......
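Review bot: `readelf --relocs $input_binary` is run twice in the new code, once for the existence test and once to capture `libc_start_main_addr`, and `$input_binary` is unquoted both times, so a path containing spaces or glob characters is split before readelf sees it. Capture once and test the captured value: `libc_start_main_addr=$(readelf --relocs "$input_binary" | grep " __libc_start_main@" | cut -f1 -d' ' | sed "s/^0*//")` followed by `if [ -n "$libc_start_main_addr" ]; then`; that also covers a grep hit whose `cut` yields an empty string, which would otherwise turn the later `grep -B1 "# $libc_start_main_addr "` into a far looser pattern. The pre-existing `[ ! -z $ep ]` line has the same unquoted expansion. `find_main` starts before the first hunk and its body continues past the second.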
#/bin/bash #/bin/bash
export ZAFL_PATH=git.zephyr-software.com:4567/opensrc/zafl/ export DOCKER_ZAFL=$CI_REGISTRY_IMAGE/zafl:$CI_COMMIT_REF_SLUG
export ZAFL_TAG=zafl:latest
export DOCKER_ZAFL=${ZAFL_PATH}${ZAFL_TAG}
do_docker_clean() do_docker_clean()
{ {
......
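Review bot: The new `DOCKER_ZAFL` value is built only from `$CI_REGISTRY_IMAGE` and `$CI_COMMIT_REF_SLUG`; outside a GitLab runner both are unset and the image name silently degrades to `/zafl:`, whereas the old hard-coded value still worked for a local run. Failing fast is clearer: `export DOCKER_ZAFL=${CI_REGISTRY_IMAGE:?not running under GitLab CI}/zafl:${CI_COMMIT_REF_SLUG:?not running under GitLab CI}`. Unchanged but in view: the first line `#/bin/bash` lacks the `!` of a shebang, so the script runs under whatever shell invokes it rather than bash.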
...@@ -75,7 +75,7 @@ trace_map_address="0x10000" ...@@ -75,7 +75,7 @@ trace_map_address="0x10000"
# build ZAFL version of bc executable with fixed map # build ZAFL version of bc executable with fixed map
zafl.sh `which bc` bc.fixed.zafl -m $trace_map_address --tempdir analysis.bc.fixed.zafl zafl.sh `which bc` bc.fixed.zafl -m $trace_map_address --tempdir analysis.bc.fixed.zafl
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
log_success "build bc.fixed.zafl" log_success "build bc.fixed.zafl"
else else
......
...@@ -66,7 +66,7 @@ mkdir $session ...@@ -66,7 +66,7 @@ mkdir $session
pushd $session pushd $session
# build ZAFL version of strings executable # build ZAFL version of strings executable
zafl.sh `which strings` strings.zafl.d.g.laf --enable-laf -d -g --tempdir analysis.strings.zafl.d.g.laf zafl.sh `which strings` strings.zafl.d.g.laf --enable-laf -d -g --tempdir analysis.strings.zafl.d.g.laf
if [ $? -eq 0 ]; then if [ $? -eq 0 ]; then
log_success "build strings.zafl.d.g.laf" log_success "build strings.zafl.d.g.laf"
else else
......
...@@ -144,8 +144,8 @@ bool Zedge_t::execute() ...@@ -144,8 +144,8 @@ bool Zedge_t::execute()
if(live_flags) if(live_flags)
{ {
flag_save_points += 1; flag_save_points += 1;
(void)insertAssemblyBefore(inc, "pushf"); (void)insertAssemblyBefore(inc, "pushfq");
(void)insertAssemblyBefore(loop_start, "popf") ; (void)insertAssemblyBefore(loop_start, "popfq") ;
} }
} }
......
...@@ -273,7 +273,7 @@ void Zax_t::instrumentBasicBlock(BasicBlock_t *p_bb, bool p_honorRedZone, const ...@@ -273,7 +273,7 @@ void Zax_t::instrumentBasicBlock(BasicBlock_t *p_bb, bool p_honorRedZone, const
if (save_trace_map) do_insert("push rcx"); if (save_trace_map) do_insert("push rcx");
if (save_prev_id) do_insert("push rdx"); if (save_prev_id) do_insert("push rdx");
if (save_context) do_insert("push r8"); if (save_context) do_insert("push r8");
if (live_flags) do_insert("pushf"); if (live_flags) do_insert("pushfq");
const auto live_flags_str = live_flags ? "live" : "dead"; const auto live_flags_str = live_flags ? "live" : "dead";
if (m_verbose) cout << " flags are " << live_flags_str << endl; if (m_verbose) cout << " flags are " << live_flags_str << endl;
...@@ -435,7 +435,7 @@ void Zax_t::instrumentBasicBlock(BasicBlock_t *p_bb, bool p_honorRedZone, const ...@@ -435,7 +435,7 @@ void Zax_t::instrumentBasicBlock(BasicBlock_t *p_bb, bool p_honorRedZone, const
} }
// finally, restore any flags/registers so that the program can execute. // finally, restore any flags/registers so that the program can execute.
if (live_flags) do_insert("popf"); if (live_flags) do_insert("popfq");
if (save_context) do_insert("pop r8"); if (save_context) do_insert("pop r8");
if (save_prev_id) do_insert("pop rdx"); if (save_prev_id) do_insert("pop rdx");
if (save_trace_map) do_insert("pop rcx"); if (save_trace_map) do_insert("pop rcx");
......
...@@ -442,8 +442,9 @@ void ZaxBase_t::insertForkServer(Instruction_t* p_entry) ...@@ -442,8 +442,9 @@ void ZaxBase_t::insertForkServer(Instruction_t* p_entry)
// red zone // red zone
(void)insertAssemblyBefore(tmp, "lea rsp, [rsp-0x80]"); (void)insertAssemblyBefore(tmp, "lea rsp, [rsp-0x80]");
// save flags and registrers // save flags and registrers. Safe flags twice to keep stack aligned properly.
tmp = insertAssemblyAfter(tmp, "pushf ") ; tmp = insertAssemblyAfter(tmp, "pushfq") ;
tmp = insertAssemblyAfter(tmp, "pushfq") ;
for (vector<string>::const_iterator rit = regs.begin(); rit != regs.end(); ++rit) for (vector<string>::const_iterator rit = regs.begin(); rit != regs.end(); ++rit)
tmp = insertAssemblyAfter(tmp, " push " + *rit); tmp = insertAssemblyAfter(tmp, " push " + *rit);
// call fork server initialization routine (in external library) // call fork server initialization routine (in external library)
...@@ -451,8 +452,10 @@ void ZaxBase_t::insertForkServer(Instruction_t* p_entry) ...@@ -451,8 +452,10 @@ void ZaxBase_t::insertForkServer(Instruction_t* p_entry)
// restore registers and flags // restore registers and flags
for (vector<string>::const_reverse_iterator rit = regs.rbegin(); rit != regs.rend(); ++rit) for (vector<string>::const_reverse_iterator rit = regs.rbegin(); rit != regs.rend(); ++rit)
tmp = insertAssemblyAfter(tmp, " pop " + *rit) ; tmp = insertAssemblyAfter(tmp, " pop " + *rit) ;
tmp = insertAssemblyAfter(tmp, "popf ") ; // Pop flags twice to keep stack aligned properly.
// red zome tmp = insertAssemblyAfter(tmp, "popfq") ;
tmp = insertAssemblyAfter(tmp, "popfq") ;
// red zone
tmp = insertAssemblyAfter(tmp, "lea rsp, [rsp+0x80]"); tmp = insertAssemblyAfter(tmp, "lea rsp, [rsp+0x80]");
} }
...@@ -1154,13 +1157,13 @@ void ZaxBase_t::addContextSensitivity_Function(const ControlFlowGraph_t& cfg) ...@@ -1154,13 +1157,13 @@ void ZaxBase_t::addContextSensitivity_Function(const ControlFlowGraph_t& cfg)
i = do_insert(i, "push " + reg_temp); i = do_insert(i, "push " + reg_temp);
if (live_flags) if (live_flags)
i = do_insert(i, "pushf"); i = do_insert(i, "pushfq");
// compute new hash chain value // compute new hash chain value
i = compute_hash_chain(contextid, i, reg_context, reg_temp); i = compute_hash_chain(contextid, i, reg_context, reg_temp);
if (live_flags) if (live_flags)
i = do_insert(i, "popf"); i = do_insert(i, "popfq");
if (save_temp) if (save_temp)
i = do_insert(i, "pop " + reg_temp); i = do_insert(i, "pop " + reg_temp);
...@@ -1283,25 +1286,29 @@ int ZaxBase_t::execute() ...@@ -1283,25 +1286,29 @@ int ZaxBase_t::execute()
continue; continue;
} }
const auto dom_graphp=DominatorGraph_t::factory(cfgp.get());
const auto has_domgraph_warnings = dom_graphp -> hasWarnings();
const auto entry_block = cfg.getEntry(); const auto entry_block = cfg.getEntry();
auto keepers = getBlocksToInstrument(cfg); auto keepers = getBlocksToInstrument(cfg);
if (m_verbose) if(m_domgraph_optimize)
cout << "num blocks to keep (baseline): " << keepers.size() << endl;
if(has_domgraph_warnings)
{ {
if(m_verbose) const auto dom_graphp=DominatorGraph_t::factory(cfgp.get());
const auto has_domgraph_warnings = dom_graphp -> hasWarnings();
if (m_verbose)
cout << "num blocks to keep (baseline): " << keepers.size() << endl;
if(has_domgraph_warnings)
{ {
cout << " Domgraph has warnings, eliding domgraph filter" << endl; if(m_verbose)
cout << " And the domgraph is: " << endl; {
cout << *dom_graphp << endl; cout << " Domgraph has warnings, eliding domgraph filter" << endl;
cout << " And the domgraph is: " << endl;
cout << *dom_graphp << endl;
}
} }
filterBlocksByDomgraph(keepers,dom_graphp.get());
} }
filterBlocksByDomgraph(keepers,dom_graphp.get());
if (m_verbose) if (m_verbose)
cout << "num blocks to keep (after filter dom): " << keepers.size() << " / " << cfgp->getBlocks().size() << endl; cout << "num blocks to keep (after filter dom): " << keepers.size() << " / " << cfgp->getBlocks().size() << endl;
......
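Review bot: The second `pushfq`/`popfq` pair added in `insertForkServer` fixes stack alignment only for the current parity of `regs.size()`, and the comment should record that dependency so a later change to the saved-register list does not silently break the 16-byte alignment the fork-server call relies on, e.g. `// pushfq twice: with the current number of saved registers this keeps rsp 16-byte aligned at the call — revisit if regs changes`. The same comment has typos, `Safe flags twice` → `Save flags twice` and `registrers` → `registers`. In the `execute()` hunk, the `num blocks to keep (baseline)` line now prints only when `m_domgraph_optimize` is set while `num blocks to keep (after filter dom)` still prints unconditionally; moving the baseline line back above `if(m_domgraph_optimize)` keeps the verbose output consistent when the filter is off. Both functions start before and continue past their hunks.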