panda-re / lava

LAVA: Large-scale Automated Vulnerability Addition

Trying to get a new target working with LAVA #55

Open esaurimentocronico opened 3 years ago

esaurimentocronico commented 3 years ago

Hi everyone, I have been trying to get a new target working with LAVA, but I get the same error posted here: https://github.com/panda-re/lava/issues/52. I also tried a simple Hello World in C to understand how LAVA works, and I followed the 'how-to-lava' documentation step by step; however, I got this error:

/usr/bin/python /home/ubuntu/lava/scripts/inject.py -t ptr_add,rel_write,malloc_off_by_one -m 50 -e 0 /home/ubuntu/lava/host.json hello_world
allowed bug types: [0, 2, 4]
Getting locked bugs directory...
Using dir /home/ubuntu/lava/target_injections/hello_world/bugs/0
Picking bugs to inject.
Selecting 50 bugs for injection of 0 available
Traceback (most recent call last):
  File "/home/ubuntu/lava/scripts/inject.py", line 163, in <module>
    (update_db, bug_list) = get_bug_list(args, db, allowed_bugtypes)
  File "/home/ubuntu/lava/scripts/inject.py", line 52, in get_bug_list
    assert available >= num_bugs_to_inject
AssertionError

That is the output of the /lava/target_injections/hello_world/logs/inject-1.log file.

The JSON file I created for the project is:

{
    "name": "hello_world",
    "db": "hello_world",
    "preprocessed": true,
    "dataflow": true,

    "tarfile": "hello_world-pre.tar.gz",

    "qcow": "wheezy_panda2.qcow2",
    "snapshot": "root",
    "expect_prompt": "root@debian-i386:~#",

    "make": "make",
    "clean": "make clean",
    "install": "make install",
    "command": "{install_dir}/bin/hello_world",

    "main_file": [ "src/hello_world.c" ]
}

And the Makefile, modeled on /lava/target_injections/file/file-5.22/src/Makefile, is:

all: hello_world

CFLAGS += -m32 -g -DHAVE_CONFIG_H -I. -I.. -gdwarf-2

LIBOBJ = \
	hello_world-pre.o

# LAVA operates on a preprocessed (-E) translation unit: build foo-pre.c
# from foo.c and strip the '#' line markers so the tool sees plain C.
.SECONDARY:
%-pre.c :
	$(CC) $(CFLAGS) -include stdio.h -DHAVE_CONFIG_H -I. -I.. -E $<  -o $@ $(shell echo "$@" | sed -e "s/-pre//")
	sed -i '/^#/ d' $@

%.o : %.c
	$(CC) $(CFLAGS) -c $<  -fPIC -DPIC -o $@

hello_world : $(LIBOBJ)
	$(CC) -g $(CFLAGS) -o $@ $^ -lz

# The JSON's "install": "make install" needs this target; lava.sh does
# 'rm -rf lava-install' before 'make install', so lava-install is assumed
# to be the {install_dir} that "command" refers to.
install : hello_world
	mkdir -p lava-install/bin
	cp hello_world lava-install/bin/

preclean :
	rm -f *-pre.c
	rm -f *-pre.h

# One rm per line: with trailing backslashes these lines were joined into
# a single 'rm -f *.o rm -f *.so ...' command.
clean :
	rm -f *.o
	rm -f *.so
	rm -f *.Tpo
	rm -f hello_world

Can you help me fix this and understand how to carry it out, please? I need some help, thank you.

HighW4y2H3ll commented 3 years ago

can you attach your bug-mining-*.log?

moyix commented 3 years ago

What does your hello world program look like? Does it read input from a file?

esaurimentocronico commented 3 years ago

can you attach your bug-mining-*.log?

There is no bug-mining-*.log file. I see add_queries.log, dbwipe.log, make.log and inject-1.log within /lava/target_injections/hello_world/logs.

esaurimentocronico commented 3 years ago

What does your hello world program look like? Does it read input from a file?

No, it does not; it is a simple printf("Hello world!"). Is it required that the program read some input?

moyix commented 3 years ago

Yep, LAVA creates bugs that are triggered by some particular input to the program, so if the program doesn't use any input it won't find any opportunities to inject bugs.
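To make the point concrete, here is a minimal input-consuming target of the kind LAVA can work with. This is an added example written for this thread, not code from LAVA or from the original poster's project. It takes the input path as argv[1] (which is where {input_file} is substituted in the JSON "command"), reads the whole file, and parses a small record format that is entirely made up for this example (the "TGT1" magic, the record layout and MAX_RECORDS are assumptions). The point is that control flow, loop bounds, array indices and the final result all depend on input bytes, so taint analysis has data to follow from the file into program variables; a program that prints a constant has none of that.

```c
/* Added example: a minimal file-parsing target for LAVA (not LAVA's own
 * code). Format (constructed for this example): 4-byte magic "TGT1", a
 * one-byte record count, then records of [tag][len][len data bytes].
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define MAX_RECORDS 16          /* assumed upper bound for this toy format */

struct record {
    uint8_t tag;
    uint8_t len;                /* <= 255, so data[] always fits */
    uint8_t data[255];
};

/* Parse n bytes of buf. Returns the record count, or -1 on malformed
 * input. If sum is non-NULL it receives the sum of all record data bytes,
 * so the program's output depends on the input contents. */
int parse_buffer(const uint8_t *buf, size_t n, unsigned *sum)
{
    if (n < 5 || memcmp(buf, "TGT1", 4) != 0)
        return -1;
    unsigned count = buf[4];
    if (count > MAX_RECORDS)
        return -1;

    struct record recs[MAX_RECORDS];
    size_t off = 5;
    unsigned total = 0;
    for (unsigned i = 0; i < count; i++) {
        if (off + 2 > n)                 /* header of record i truncated */
            return -1;
        recs[i].tag = buf[off];
        recs[i].len = buf[off + 1];
        off += 2;
        if (off + recs[i].len > n)       /* data of record i truncated */
            return -1;
        memcpy(recs[i].data, buf + off, recs[i].len);
        off += recs[i].len;
        for (unsigned j = 0; j < recs[i].len; j++)
            total += recs[i].data[j];
    }
    if (sum)
        *sum = total;
    return (int)count;
}

/* Read an entire file into a heap buffer; caller frees. NULL on error. */
static uint8_t *read_file(const char *path, size_t *len)
{
    FILE *f = fopen(path, "rb");
    if (!f)
        return NULL;
    uint8_t *buf = NULL, chunk[4096];
    size_t cap = 0, n = 0, got;
    while ((got = fread(chunk, 1, sizeof chunk, f)) > 0) {
        if (n + got > cap) {
            cap = cap ? cap * 2 : 8192;
            while (cap < n + got)
                cap *= 2;
            uint8_t *nb = realloc(buf, cap);
            if (!nb) { free(buf); fclose(f); return NULL; }
            buf = nb;
        }
        memcpy(buf + n, chunk, got);
        n += got;
    }
    fclose(f);
    *len = n;
    return buf;
}

/* Constructed sample inputs for a stand-alone check (not LAVA-generated):
 * SAMPLE_GOOD has two records, {10,20,30} and {5}; SAMPLE_TRUNC claims a
 * 5-byte record but only carries 2 bytes. */
static const uint8_t SAMPLE_GOOD[]  = { 'T','G','T','1', 2, 0x01, 3, 10, 20, 30, 0x02, 1, 5 };
static const uint8_t SAMPLE_TRUNC[] = { 'T','G','T','1', 1, 0x01, 5, 1, 2 };

int sample_good_count(void)  { return parse_buffer(SAMPLE_GOOD, sizeof SAMPLE_GOOD, NULL); }
unsigned sample_good_sum(void) { unsigned s = 0; parse_buffer(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &s); return s; }
int sample_trunc_count(void) { return parse_buffer(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC, NULL); }

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <input_file>\n", argv[0]);
        return 2;
    }
    size_t n;
    uint8_t *buf = read_file(argv[1], &n);
    if (!buf) { perror(argv[1]); return 1; }
    unsigned sum = 0;
    int count = parse_buffer(buf, n, &sum);
    free(buf);
    if (count < 0) { fprintf(stderr, "malformed input\n"); return 1; }
    printf("%d records, data sum %u\n", count, sum);
    return 0;
}
```

A seed file in this format (for example the 13 bytes of SAMPLE_GOOD written to inputs/input-vuln) is what the JSON "inputs" entry would point at; LAVA needs at least one well-formed input that exercises the parsing path.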

esaurimentocronico commented 3 years ago

Yep, LAVA creates bugs that are triggered by some particular input to the program, so if the program doesn't use any input it won't find any opportunities to inject bugs.

OK, thank you, I am going to run the program using some input.

esaurimentocronico commented 3 years ago

Hi, I made the changes to the code and now the lava -ak name_project command seems to complete. However, I have a question: I can see the following line in the output of the command, so the question is, is that a permission error or a syntax error? Below you can see the entire output of the command lava -ak name_project and the .JSON file.

[everything] JSON file is /home/osboxes/Desktop/lava/target_configs/vuln/vuln.json 
tar: write error

Output of the command lava -ak name_project:

[everything] Parsing args
[everything] All steps will be executed
[everything] --force: Forcing through deletes

[everything] JSON file is /home/osboxes/Desktop/lava/target_configs/vuln/vuln.json
tar: write error
[lava] Deleting /home/osboxes/Desktop/lava/target_injections/vuln/vuln.
...deleting
[lava] Deleting /home/osboxes/Desktop/lava/target_injections/vuln/bugs.
...deleting
[lava] Deleting /home/osboxes/Desktop/lava/target_injections/vuln/inputs.
...deleting
[lava] Deleting /home/osboxes/Desktop/lava/target_injections/vuln/*rr-*.
...deleting
[lava] Deleting /home/osboxes/Desktop/lava/target_injections/vuln/*.plog.
...deleting
[everything] Truncating logs...

[everything] Resetting lava db -- logging to /home/osboxes/Desktop/lava/target_injections/vuln/logs/dbwipe.log
dropdb --if-exists -U postgres vuln_fasano
createdb -U postgres vuln_fasano || true
psql -d vuln_fasano -f /home/osboxes/Desktop/lava/tools/lavaODB/generated/lava.sql -U postgres
echo dbwipe complete
reset complete 1.15 seconds

[everything] Add queries step -- btrace lavatool and fixups

[everything] Adding queries to source -- logging to /home/osboxes/Desktop/lava/target_injections/vuln/logs/add_queries.log
docker run lava32 sh -c /home/osboxes/Desktop/lava/scripts/add_queries.sh  vuln

[everything] No fixups
add queries complete 2.32 seconds

[everything] Make step -- making 32-bit version with queries
docker run lava32 sh -c cd /home/osboxes/Desktop/lava/target_injections/vuln/vuln && make
docker run lava32 sh -c cd /home/osboxes/Desktop/lava/target_injections/vuln/vuln && rm -rf lava-install
docker run lava32 sh -c cd /home/osboxes/Desktop/lava/target_injections/vuln/vuln && make install
make complete 1.82 seconds

[everything] Resetting lava db -- logging to /home/osboxes/Desktop/lava/target_injections/vuln/logs/dbwipe.log
dropdb --if-exists -U postgres vuln_fasano
createdb -U postgres vuln_fasano || true
psql -d vuln_fasano -f /home/osboxes/Desktop/lava/tools/lavaODB/generated/lava.sql -U postgres
echo dbwipe complete

[everything] Taint step -- running panda and fbi

[everything] PANDA taint analysis prospective bug mining -- input inputs/input-vuln -- logging to /home/osboxes/Desktop/lava/target_injections/vuln/logs/bug_mining-inputs-input-vuln.log
/usr/bin/python /home/osboxes/Desktop/lava/scripts/bug_mining.py /home/osboxes/Desktop/lava/host.json vuln inputs/input-vuln 0
Num Bugs in db: Found psql -At vuln_fasano -U postgres -c 'select count(*) from bug'
psql -At vuln_fasano -U postgres -c 'select count(*) from bug'
145 bugs

psql vuln_fasano -U postgres -c 'select count(*), type from bug group by type order by type'
psql vuln_fasano -U postgres -c 'select count(*), type from bug group by type order by type'
 count | type 
-------+------
    89 |    0
    56 |    1
(2 rows)

bug_mining complete 34.20 seconds

[everything] Injecting step -- 3 trials

[everything] Trial 1 -- injecting 50 bugs logging to /home/osboxes/Desktop/lava/target_injections/vuln/logs/inject-1.log
docker run lava32 sh -c /usr/bin/python /home/osboxes/Desktop/lava/scripts/inject.py -t ptr_add,rel_write,malloc_off_by_one -m 50 -e 0   /home/osboxes/Desktop/lava/host.json vuln
yield 0.00 (0 out of 50) real bugs (95% CI +/- 0.00) 

[everything] Trial 2 -- injecting 50 bugs logging to /home/osboxes/Desktop/lava/target_injections/vuln/logs/inject-2.log
docker run lava32 sh -c /usr/bin/python /home/osboxes/Desktop/lava/scripts/inject.py -t ptr_add,rel_write,malloc_off_by_one -m 50 -e 0   /home/osboxes/Desktop/lava/host.json vuln
yield 0.00 (0 out of 39) real bugs (95% CI +/- 0.00) 

[everything] Trial 3 -- injecting 50 bugs logging to /home/osboxes/Desktop/lava/target_injections/vuln/logs/inject-3.log
docker run lava32 sh -c /usr/bin/python /home/osboxes/Desktop/lava/scripts/inject.py -t ptr_add,rel_write,malloc_off_by_one -m 50 -e 0   /home/osboxes/Desktop/lava/host.json vuln

.JSON file

{
    "name": "vuln",
    "db": "vuln",
    "preprocessed": true,
    "dataflow": true,

    "tarfile": "vuln-pre.tar.gz",

    "qcow": "wheezy_panda2.qcow2",
    "snapshot": "root",
    "expect_prompt": "root@debian-i386:~#",

    "make": "make",
    "clean": "make clean",
    "install": "make install",
    "command": "{install_dir}/bin/vuln {input_file}",

    "max_tcn": 10,

    "main_file": [ "src/vuln.c" ],

    "inputs": ["inputs/input-vuln"]
}

moyix commented 3 years ago

I think the tar write error is just because we pipe tar to head here to get the source directory:

https://github.com/panda-re/lava/blob/90a2f51c304ed8d18053876c7e831ea022f2e6fa/scripts/lava.sh#L118

Piping it to head means that when head exits it closes the pipe, and so tar then throws an error because it tries to write to a closed pipe. It shouldn't actually hurt anything though.

It looks like LAVA has now found some (potential) bugs to inject, but it is not managing to validate any of them (validation runs the buggy program on the triggering input and checks to see if it actually crashes). So at this point you may want to try to take a look at the bugs it has injected and their triggering inputs and see if there is some obvious reason why they aren't actually crashing the program.
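The validation step described above boils down to one observation per (bug, input) pair: run the injected binary on the triggering input and see whether it died from a signal rather than exiting normally. The script below is an added example for this thread, not LAVA's own validation code, showing that check in plain POSIX sh so the "0 out of 50" yield can be reproduced by hand. It assumes the injected binary and a directory of triggering inputs are passed as arguments; where LAVA stores those files under target_injections is not asserted here.

```sh
#!/bin/sh
# Added example (not LAVA's code): classify how a program terminates on
# a given input, which is the observation crash-based validation uses.

# classify_run CMD [ARGS...]: run CMD with output discarded and print one
# line, "exit N" for a normal exit or "crash N" (N = signal number) when
# the process was terminated by a signal. Always returns 0 so it is safe
# to call under 'set -e'.
classify_run() {
    if "$@" >/dev/null 2>&1; then
        status=0
    else
        status=$?
    fi
    # POSIX shells report 128+signo for a child killed by a signal.
    if [ "$status" -gt 128 ]; then
        echo "crash $((status - 128))"
    else
        echo "exit $status"
    fi
    return 0
}

# validate_inputs BIN DIR: run BIN once per file in DIR (assumed to hold
# the triggering inputs), print one line per input, and finish with a
# "validated X of Y" summary, the same shape as LAVA's yield line.
validate_inputs() {
    bin=$1
    dir=$2
    crashed=0
    total=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        total=$((total + 1))
        result=$(classify_run "$bin" "$f")
        case $result in
            crash*) crashed=$((crashed + 1)) ;;
        esac
        printf '%s: %s\n' "$f" "$result"
    done
    printf 'validated %d of %d\n' "$crashed" "$total"
}

# Usage: sh validate.sh ./path/to/injected-binary ./path/to/inputs
if [ $# -eq 2 ]; then
    validate_inputs "$1" "$2"
fi
```

An input that prints "exit 0" is one whose injected bug did not fire (the trigger bytes never reached the attack point, or the corruption was benign), which is the case to go and inspect in the -pre.c source under bugs/.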

esaurimentocronico commented 3 years ago

Thank you for your reply. Which file should I take a look at? Is it the -pre.c file or the original source file (.c) within the target_injections/my_target/bugs/0/my_target directory?

I ran the latest command /scripts/lava.sh -i 1 name_project and I got the following output:

[everything] Parsing args
[everything] Inject step will be executed: num_trials = 1

[everything] JSON file is /home/osboxes/Desktop/lava/target_configs/vuln/vuln.json
tar: write error

[everything] Injecting step -- 1 trials

[everything] Trial 1 -- injecting 50 bugs logging to /home/osboxes/Desktop/lava/target_injections/vuln/logs/inject-1.log
docker run lava32 sh -c /usr/bin/python /home/osboxes/Desktop/lava/scripts/inject.py -t ptr_add,rel_write,malloc_off_by_one -m 50 -e 0   /home/osboxes/Desktop/lava/host.json vuln

Did it all work out?