shellphish / driller

Driller: augmenting AFL with symbolic execution!
BSD 2-Clause "Simplified" License

Question about the test input of driller #56

Open JsHuang opened 6 years ago

JsHuang commented 6 years ago

When testing a program with AFL, the program must read a file as an input, so AFL can do the mutation job with the input file. But driller's test input was from stdin, see https://github.com/shellphish/driller/issues/48. In the Driller paper, the CGC test program NRFIN_00017 reads an xml file as input, so how can driller test this program, which reads a file as an input?

rhelmot commented 6 years ago

All CGC programs can only read from stdin. The xml file is delivered over stdin.

On Mon, Jan 15, 2018 at 4:39 AM Jin notifications@github.com wrote:

> When testing program with AFL , the program must read a file as an input , thus AFL can do the mutation job with the input file. While driller's test input was from stdin, see ("#48 https://github.com/shellphish/driller/issues/48"). But in the Driller paper, the CGC test program NRFIN_00017, reads an xml file as input, so how can driller test this program reads a file as an input?


JsHuang commented 6 years ago

So you changed AFL to let it test CGC programs that read from stdin? I tried to use the same command shellphuzz (https://github.com/shellphish/fuzzer/blob/master/shellphuzz) uses to start afl with the CGC program CADET_00001. The command I used is:

    /usr/bin/afl-cgc/afl-fuzz -i - -o ./afl-work/CADET_00001/sync -m 8G -Q -M fuzzer-master -x ./afl-work/CADET_00001/CADET_00001.dict -- ./CADET_00001

but it always failed with error:

    handshake with the injected code. There are two probable explanations:

    - The current memory limit (8.00 GB) is too restrictive, causing an OOM
      fault in the dynamic linker. This can be fixed with the -m option. A
      simple way to confirm the diagnosis may be:

      ( ulimit -Sv $[8191 << 10]; /path/to/fuzzed_app )

      Tip: you can use http://jwilk.net/software/recidivm to quickly
      estimate the required amount of virtual memory for the binary.

    - Less likely, there is a horrible bug in the fuzzer. If other options
      fail, poke <lcamtuf@coredump.cx> for troubleshooting tips.

    [-] PROGRAM ABORT : Fork server handshake failed
             Location : init_forkserver(), afl-fuzz.c:208

If I changed the -m option to "-m none", it also failed:

    [*] Spinning up the fork server...

    [-] Hmm, looks like the target binary terminated before we could complete a
        handshake with the injected code. Perhaps there is a horrible bug in the
        fuzzer. Poke <lcamtuf@coredump.cx> for troubleshooting tips.

    [-] PROGRAM ABORT : Fork server handshake failed
             Location : init_forkserver(), afl-fuzz.c:2088

I don't know why. I have looked at your version of driller-afl; it seems you build your own version of afl-qemu-trace. Does this error have anything to do with afl-qemu-trace?
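Two points in this thread can be made concrete with a small harness: rhelmot's note that CGC binaries receive their input (the xml file included) over stdin rather than a file path, and the memory-limit diagnosis that AFL prints when the fork-server handshake fails (running the target under a `ulimit -Sv` equivalent and seeing whether it survives). The following is an added example written for this thread; it is not code from driller, shellphuzz or AFL. It assumes a POSIX system and uses `/bin/cat` as a constructed stand-in target that echoes stdin; the xml test case is made up.

```python
"""Added example (not driller's or AFL's own code): feed a test case to a
target over stdin, optionally under an address-space limit, and classify the
outcome.  Mirrors how CGC inputs reach the binary (stdin, never a file path)
and the memory-limit check AFL suggests on a fork-server handshake failure."""
import resource
import subprocess


def _make_limiter(mem_limit_mb):
    """Return a preexec hook that lowers the soft RLIMIT_AS (like `ulimit -Sv`)."""
    def limit():
        if mem_limit_mb is None:
            return
        wanted = mem_limit_mb * 1024 * 1024
        soft, hard = resource.getrlimit(resource.RLIMIT_AS)
        # Never try to raise the hard limit: an unprivileged process cannot.
        if hard != resource.RLIM_INFINITY:
            wanted = min(wanted, hard)
        resource.setrlimit(resource.RLIMIT_AS, (wanted, hard))
    return limit


def run_stdin_testcase(binary, testcase, mem_limit_mb=None, timeout=5.0):
    """Run `binary` with `testcase` (bytes) delivered on stdin.

    Returns a dict whose "status" is "exit", "crash" or "hang", plus details.
    """
    try:
        proc = subprocess.run(
            [binary],
            input=testcase,
            capture_output=True,
            timeout=timeout,
            preexec_fn=_make_limiter(mem_limit_mb),
        )
    except subprocess.TimeoutExpired:
        return {"status": "hang", "timeout": timeout}
    if proc.returncode < 0:
        # Killed by a signal (e.g. 11 = SIGSEGV): AFL would file this as a crash.
        return {"status": "crash", "signal": -proc.returncode, "stderr": proc.stderr}
    return {
        "status": "exit",
        "code": proc.returncode,
        "stdout": proc.stdout,
        "stderr": proc.stderr,
    }


def diagnose_memory_limit(binary, testcase, mem_limit_mb):
    """Reproduce the check AFL's error text suggests: run the target once under
    the memory limit and once without it, then compare the two outcomes."""
    limited = run_stdin_testcase(binary, testcase, mem_limit_mb)
    if limited["status"] == "exit" and limited["code"] == 0:
        return "ok"
    unlimited = run_stdin_testcase(binary, testcase, None)
    if unlimited["status"] == "exit" and unlimited["code"] == 0:
        return "memory limit too restrictive"
    return "target fails regardless of memory limit"


if __name__ == "__main__":
    # Constructed stand-in target and constructed input: /bin/cat echoes stdin,
    # which is enough to show the "xml over stdin" delivery path.
    sample_xml = b"<root><item>constructed test case</item></root>\n"
    print(run_stdin_testcase("/bin/cat", sample_xml))
    print(diagnose_memory_limit("/bin/cat", sample_xml, 8192))
```

Pointing `run_stdin_testcase` at a real CGC binary (run natively or under the QEMU tracer) with one of AFL's queue entries reproduces exactly what the fuzzer does per test case; `diagnose_memory_limit` with the same `-m` value you pass to afl-fuzz tells you whether the handshake failure is the memory limit or the binary itself.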

zardus commented 6 years ago

Are you doing this in the shellphish/mechaphish docker container? If not, it could be any number of things... Please try it in the container.

JsHuang commented 6 years ago

Thanks, in the container it runs well.