I am trying to understand how CoFuzz's concolic execution works by running the `readelf` target. The main loop in `HybridExecutor.run()` (https://github.com/Tricker-z/CoFuzz/blob/main/src/fuzz/executor.py#L130-L154) keeps calling `__crack_seed`, but I found this function did not work at all because `constraint_info = self.concolic.crack(seed_input, crack_addr)` doesn't contain valid patterns for `dump_constraint` to parse constraints. So `constraint_dict` is always empty and no seeds are generated by 'crack' (https://github.com/Tricker-z/CoFuzz/blob/main/src/fuzz/executor.py#L101-L102).

I followed the setup in run_target.md, here is the script I used to build the `readelf` target:

```sh
# start in top folder
cd binutils-2.37
export LLVM_CC_NAME=clang-10 LLVM_CXX_NAME=clang++-10
CC=wllvm LLVM_COMPILER=clang ./configure --disable-shared
LLVM_COMPILER=clang make -j$(nproc)
cd binutils
extract-bc readelf
cp readelf.bc ../../
# back in top folder
cd ../..
# The random seed can be set with $AFL_RAND_SEED
BB_IDENT_FILE=/tmp/bb_ident_file Trace_CC=clang-10 Trace_CXX=clang++-10 trace/build/clang-trace readelf.bc -o readelf_trace
AFL_CC=clang-10 AFL_CXX=clang++-10 fuzzer/afl-clang-fast readelf.bc -o readelf_afl
third_party/concolic/qsym/symcc readelf.bc -o readelf_cofuzz
mkdir test
cp readelf* test/
```

Create `readelf.cfg` under `test/`:

```ini
[put]
# Program under test
cohuzz_bin=readelf_cofuzz
trace_bin=readelf_trace
argument=-a @@
```

Run the two commands concurrently under `test/` to execute afl and cofuzz:
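When debugging a report like this one, the first thing to check is what the concolic binary actually emits for a single seed, since that raw output is what `crack` hands to `dump_constraint`. The following added Python helper (my own code, not part of CoFuzz) reads a `readelf.cfg` with the `[put]` layout shown above, expands the `@@` placeholder to a concrete input path following the AFL convention (file argument when `@@` is present, stdin otherwise; CoFuzz is assumed to follow the same convention), and runs the selected binary so its stdout/stderr can be inspected by hand. The key names `cohuzz_bin`, `trace_bin` and `argument` come from the report; the function names, the `workdir`/`timeout` parameters and the sample config text are assumptions for this example.

```python
"""Added example (not CoFuzz code): parse a CoFuzz-style readelf.cfg, expand the
AFL-style "@@" placeholder and run the chosen program-under-test binary so the raw
output consumed by crack()/dump_constraint can be inspected for one seed."""
import configparser
import shlex
import subprocess
from pathlib import Path

# Constructed config text mirroring the readelf.cfg from the report.
SAMPLE_CFG = """[put]
# Program under test
cohuzz_bin=readelf_cofuzz
trace_bin=readelf_trace
argument=-a @@
"""


def parse_put(cfg_text):
    """Return the [put] section as a plain dict (keys are lower-cased by configparser)."""
    cp = configparser.ConfigParser()
    cp.read_string(cfg_text)
    return dict(cp["put"])


def build_argv(put, binary_key, input_path, workdir="."):
    """Build argv for one PUT invocation.

    '@@' is replaced by the input path (AFL convention). If no '@@' appears in the
    argument string, the input is expected on stdin instead, which the second
    return value signals to the caller.
    """
    binary = str(Path(workdir) / put[binary_key])
    args = shlex.split(put.get("argument", ""))
    uses_file = "@@" in args
    argv = [binary] + [str(input_path) if a == "@@" else a for a in args]
    return argv, uses_file


def run_put(put, binary_key, input_path, workdir=".", timeout=10):
    """Run the selected binary on one seed and return (returncode, stdout, stderr).

    Assumed helper for manual inspection; it does not reproduce CoFuzz's own
    executor, only the command-line shape the config describes.
    """
    argv, uses_file = build_argv(put, binary_key, input_path, workdir)
    stdin = None if uses_file else open(input_path, "rb")
    try:
        proc = subprocess.run(argv, stdin=stdin, capture_output=True, timeout=timeout)
    finally:
        if stdin is not None:
            stdin.close()
    return proc.returncode, proc.stdout, proc.stderr


if __name__ == "__main__":
    put = parse_put(SAMPLE_CFG)
    # Example: run the concolic build on a seed under test/ and print what it emits.
    rc, out, err = run_put(put, "cohuzz_bin", "seeds/sample.elf", workdir="test")
    print(rc, out.decode(errors="replace"), err.decode(errors="replace"))
```

Running `run_put(put, "cohuzz_bin", <seed>)` from the top folder shows exactly the text `crack` receives for that seed; if it contains none of the constraint patterns `dump_constraint` expects, the empty `constraint_dict` is explained at the binary level rather than in the Python parser.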