LTL-Fuzzer is a greybox fuzzer to find violations of arbitrary Linear-time Temporal Logic(LTL) properties. It is built on top of the AFL fuzzer and involves additional program instrumentation to check if a particular execution trace is accepted by the Büchi automaton representing the negation of the given LTL property. Our framework takes as input a sequential program written in C/C++, and an LTL property. It finds violations, or counterexample traces, of the LTL property in stateful software systems.
LTL-Fuzzer substantially extends directed greybox fuzzing to witness arbitrarily complex event orderings. We note that existing directed greybox fuzzing approaches are limited to witnessing reaching a location or witnessing simple event orderings such as crashes or use-after-free. This is the main contribution of our work: algorithms and an implementation of our ideas in a tool that is able to validate any LTL property, thereby covering a much more expressive class of properties than crashes or use-after-free. Our work adapts directed greybox fuzzing (which directs the search towards specific program locations) to find violations of temporal logic formulae.
The paper PDF can be found at https://arxiv.org/abs/2109.02312.
@InProceedings{ltlfuzzer,
title={Linear-time Temporal Logic guided Greybox Fuzzing},
author={Meng, Ruijie and Dong, Zhen and Li, Jialin and Beschastnikh, Ivan and Roychoudhury, Abhik},
booktitle={proceedings of the 37th IEEE International Conference on Software Engineering (ICSE 2022)},
year={2022},
publisher={ACM}
}Install basic dependencies:
sudo apt install -y build-essential make cmake ninja-build git binutils-gold binutils-dev curl wgetInstall Boost 1.71:
sudo apt install libboost-all-dev libboost-devInstall LLVM 11.0.0 with Gold-plugin(can refer to this building script. After that, please copy the following libraries into the specified location:
sudo cp /usr/lib/llvm-11/lib/libLTO.so /usr/lib/bfd-plugins/
sudo cp /usr/lib/llvm-11/lib/LLVMgold.so /usr/lib/bfd-plugins/ Install spot 2.9.7. You could also follow thses instructions.
wget -q -O - https://www.lrde.epita.fr/repo/debian.gpg | sudo apt-key add -
sudo echo 'deb http://www.lrde.epita.fr/repo/debian/ stable/' >> /etc/apt/sources.list
sudo apt update
sudo apt install -y spot libspot-dev libgtest-dev sudo install python3 python3-dev python3-pip
sudo pip3 install --upgrade pip
sudo pip3 install networkx pydot pydotpluscd LTL-Fuzzer
mkdir build
cd build
cmake ../
make
cd ../AFLGo
make
cd llvm-mode
make
cd ../distance_calculator
cmake -G Ninja ./
cmake --build ./LTL-Fuzzer/experiment/Problem1/srcLTL-Fuzzer/experiment/Problem1/all_event_dir/all_events.txtLTL-Fuzzer/experiment/Problem1/target/targets.txtLTL-Fuzzer/experiment/Problem1/build_dirLTL-Fuzzer/experiment/Problem1/ltl_dirLTL-Fuzzer/experiment/Problem1/input_folder
LTL-Fuzzer/experiment/Problem1/output_folderexport LTLFuzzer=~/LTL-Fuzzer/export SUBJECT=$LTLFuzzer/experiment/Problem1/
export EXECName=Problem1export LTL="!(! (true U oU) | (! oU U ((oZ & ! oU) & X (! oU U oP))))"cd $LTLFuzzer/scripts/
./instrument-problem1.sh $SUBJECT/target/targets.txt $SUBJECT/src $SUBJECT/build_dir cd LTL-Fuzzer/build/src
./ltlfuzz 0LTL-Fuzzer/experiment/testTelnet/telnet.dictexport LTLFuzzer=~/LTL-Fuzzer/export SUBJECT=$LTLFuzzer/experiment/testTelnet/
export EXECName=telnet-server.minimal-netexport LTL="!(G((WILL_DISABLED)->(X(G((DO)|(DONT))))))"cd $LTLFuzzer/scripts/
./instrument-telnet.sh $SUBJECT/targets/targets.txt $SUBJECT/contiki $SUBJECT/build_dir cd LTL-Fuzzer/build/src
./ltlfuzz 1We use AFLGo as one component to direct fuzzing towards a particular program location. Thanks to AFLGo's developers. We also welcome other contributors to improve and extend LTL-Fuzzer.
This project is licensed under the Apache License 2.0 - see the LICENSE file for details.