Error when Running Concolic Executor Over Test Binaries

[cganas]

When running the concolic executor over the test binaries a and b I'm receiving this error.

*** program is /home/cganas/con-qira/tracers/bap_concolic/a with hash 479726b160060246823186cce67d363675003aa2
**** using /home/cganas/con-qira/tracers/qemu/qemu-2.1.3/i386-linux-user/qemu-i386 for 0x3
no qira server found, starting it
*** deleting old runs
**** running /home/cganas/con-qira/tracers/bap_concolic/a
****** starting WEB SERVER on 0.0.0.0:3002
 * Running on http://0.0.0.0:3002/
bap failed ValueError Empty memory at 0x804806f
on 0 going from 1 to 54...*** using base 0 for 0
done 0.031000 ms
*** WARNING, changing segment 0x8048000 134512751
getting address 8049093
Exception in thread Thread-3:
Traceback (most recent call last):
  File "/usr/lib64/python2.7/threading.py", line 810, in __bootstrap_inner
    self.run()
  File "/usr/lib64/python2.7/threading.py", line 763, in run
    self.__target(*self.__args, **self.__kwargs)
  File "/home/cganas/con-qira/middleware/qira_program.py", line 397, in analysis_thread
    print satisfy_constraints(self.program, data['start'], data['regs'], data['mem'], data['constraints'])
  File "tracers/bap_concolic/concolic_executor.py", line 452, in satisfy_constraints
    s.add(executor.state.get_mem(int(key, 16), size) == value)
  File "tracers/bap_concolic/concolic_executor.py", line 64, in get_mem
    return self.memory.get_mem(addr, size, little_endian)
  File "tracers/bap_concolic/concolic_executor.py", line 34, in get_mem
    memresult = [self[address] for address in range(addr, addr+size)]
  File "tracers/bap_concolic/concolic_executor.py", line 52, in __getitem__
    raw = ord(self.fetch_mem(addr, 1))
TypeError: ord() expected a character, but string of length 0 found

However, on binary c I'm receiving this:

*** program is /home/cganas/con-qira/tracers/bap_concolic/c with hash b51ee9aa214b04905e978acb819ccea8d5b4b37b
**** using /home/cganas/con-qira/tracers/qemu/qemu-2.1.3/i386-linux-user/qemu-i386 for 0x3
no qira server found, starting it
*** deleting old runs
**** running /home/cganas/con-qira/tracers/bap_concolic/c
****** starting WEB SERVER on 0.0.0.0:3002
 * Running on http://0.0.0.0:3002/
bap failed ValueError Empty memory at 0x8048093
on 0 going from 1 to 47...*** using base 0 for 0
done 0.040000 ms
*** WARNING, changing segment 0x8048000 134512787
getting address 8049093
1801675112
Exception in thread Thread-3:
Traceback (most recent call last):
  File "/usr/lib64/python2.7/threading.py", line 810, in __bootstrap_inner
    self.run()
  File "/usr/lib64/python2.7/threading.py", line 763, in run
    self.__target(*self.__args, **self.__kwargs)
  File "/home/cganas/con-qira/middleware/qira_program.py", line 397, in analysis_thread
    print satisfy_constraints(self.program, data['start'], data['regs'], data['mem'], data['constraints'])
  File "tracers/bap_concolic/concolic_executor.py", line 472, in satisfy_constraints
    for bil_ins in bil_instrs:
TypeError: 'NoneType' object is not iterable

I am running the binaries by ./qira ./tracers/bap_concolic/c

On ff0fe66c9e556caa2aeb5082038c6806f84ad03b

[tim-becker]

The errors on binaries a and b result from trying to read from an address of memory that is not assigned. This is likely due to the memory constraint added in test_data (the data in there is for binary c in particular). That address likely is unmapped in the other binaries.

The NoneType issue seems to suggest that you are not getting the BIL for one of the instructions. Do you have the latest version of BAP / python bindings installed? You may have a version from before the x86 support was added.

EDIT: Also, we'll want to create an actual system for passing the constraint data into QIRA. This test_data file was only a hacky way to quickly test if the code worked.

[nedwill]

Yeah the list of things we need in order of priority are:

• UI
• Robustness over test suite of input binaries
• Cone of influence analysis from decision points

[nedwill]

UI is officially integrated; this is no longer an issue.