shellphish / driller

Driller: augmenting AFL with symbolic execution!
BSD 2-Clause "Simplified" License

How to solve a Tracer(aslr=False) #97

Open paintedveil5 opened 2 months ago

paintedveil5 commented 2 months ago

I'm testing Driller with angr on the binaries of the angr test suite. The following error messages are returned for most of the binaries in the x86_64 directory, such as cat. Could you provide some suggestions to solve them?

```
#########################
### test_drilling_cgc ###
#########################
DEBUG    | 2024-04-24 22:15:47,586 | driller.driller | [echo] drilling started on Wed Apr 24 22:15:47 2024.
WARNING  | 2024-04-24 22:15:47,587 | driller.driller | Debug directory is not set. Will not log fuzzing bitmap.
Traceback (most recent call last):
  File "/home/lily/Desktop/Driller/driller/test_driller.py", line 74, in <module>
    run_all()
  File "/home/lily/Desktop/Driller/driller/test_driller.py", line 65, in run_all
    all_functions[f]()
  File "/home/lily/Desktop/Driller/driller/test_driller.py", line 26, in test_drilling_cgc
    new_inputs = d.drill()
  File "/home/lily/Desktop/Driller/driller/driller/driller_main.py", line 85, in drill
    list(self._drill_input())
  File "/home/lily/Desktop/Driller/driller/driller/driller_main.py", line 131, in _drill_input
    simgr.use_technique(t)
  File "/home/lily/anaconda3/envs/driller/lib/python3.8/site-packages/angr/sim_manager.py", line 248, in use_technique
    tech.setup(self)
  File "/home/lily/anaconda3/envs/driller/lib/python3.8/site-packages/angr/exploration_techniques/tracer.py", line 303, in setup
    self._identify_aslr_slides()
  File "/home/lily/anaconda3/envs/driller/lib/python3.8/site-packages/angr/exploration_techniques/tracer.py", line 255, in _identify_aslr_slides
    raise AngrTracerError(
angr.errors.AngrTracerError: Trace does not seem to contain object initializers for <ELF Object libc.so.6, maps [0x700000:0xac42bf]>. Do you want to have a Tracer(aslr=False)?
```

rhelmot commented 2 months ago

Are you making sure that the same libraries are being loaded in angr and qemu? I believe angr will privilege libraries in the current directory, while qemu will need LD_LIBRARY_PATH=. to do the same.

paintedveil5 commented 2 months ago

> Are you making sure that the same libraries are being loaded in angr and qemu? I believe angr will privilege libraries in the current directory, while qemu will need LD_LIBRARY_PATH=. to do the same.

I solved the issue as you suggested. After setting fast_forward_to_entry=False, I'm facing new issues as follows. How do I solve them? I really like your tool and urgently need a working example. Thanks!

```
DEBUG    | 2024-04-25 01:52:47,380 | driller.driller | Drilling into b'AAAA'.
DEBUG    | 2024-04-25 01:52:47,380 | driller.driller | Input is b'AAAA'.
Traceback (most recent call last):
  File "test_driller.py", line 74, in <module>
    run_all()
  File "test_driller.py", line 65, in run_all
    all_functions[f]()
  File "test_driller.py", line 26, in test_drilling_cgc
    new_inputs = d.drill()
  File "/home/lily/Desktop/Driller/driller/driller/driller_main.py", line 85, in drill
    list(self._drill_input())
  File "/home/lily/Desktop/Driller/driller/driller/driller_main.py", line 141, in _drill_input
    simgr.step()
  File "/home/lily/anaconda3/envs/driller/lib/python3.8/site-packages/angr/misc/hookset.py", line 96, in __call__
    result = current_hook(self.func.__self__, *args, **kwargs)
  File "/home/lily/anaconda3/envs/driller/lib/python3.8/site-packages/angr/exploration_techniques/driller_core.py", line 39, in step
    simgr.step(stash=stash, **kwargs)
  File "/home/lily/anaconda3/envs/driller/lib/python3.8/site-packages/angr/misc/hookset.py", line 96, in __call__
    result = current_hook(self.func.__self__, *args, **kwargs)
  File "/home/lily/anaconda3/envs/driller/lib/python3.8/site-packages/angr/exploration_techniques/tracer.py", line 356, in step
    return simgr.step(stash=stash, syscall_data=self._syscall_data, fd_bytes=self._fd_bytes, **kwargs)
  File "/home/lily/anaconda3/envs/driller/lib/python3.8/site-packages/angr/misc/hookset.py", line 96, in __call__
    result = current_hook(self.func.__self__, *args, **kwargs)
  File "/home/lily/anaconda3/envs/driller/lib/python3.8/site-packages/angr/exploration_techniques/suggestions.py", line 43, in step
    simgr.step(stash=stash, **kwargs)
  File "/home/lily/anaconda3/envs/driller/lib/python3.8/site-packages/angr/misc/hookset.py", line 101, in __call__
    return self.func(*args, **kwargs)
  File "/home/lily/anaconda3/envs/driller/lib/python3.8/site-packages/angr/sim_manager.py", line 469, in step
    successors = self.step_state(state, successor_func=successor_func, error_list=error_list, **run_args)
  File "/home/lily/anaconda3/envs/driller/lib/python3.8/site-packages/angr/misc/hookset.py", line 96, in __call__
    result = current_hook(self.func.__self__, *args, **kwargs)
  File "/home/lily/anaconda3/envs/driller/lib/python3.8/site-packages/angr/exploration_techniques/tracer.py", line 422, in step_state
    self._update_state_tracking(succs[0])
  File "/home/lily/anaconda3/envs/driller/lib/python3.8/site-packages/angr/exploration_techniques/tracer.py", line 569, in _update_state_tracking
    raise TracerDesyncError(
angr.exploration_techniques.tracer.TracerDesyncError: Oops! angr did not follow the trace
```

ltfish commented 2 months ago

Trace divergence is a known problem in hybrid fuzzing that is often caused by unmatched environments between concrete execution and symbolic execution. Expecting Driller to "drill" through modern glibc might be a tall order to ask. Note that Driller has test cases on CGC binaries. You may want to run them first.

paintedveil5 commented 2 months ago

> Trace divergence is a known problem in hybrid fuzzing that is often caused by unmatched environments between concrete execution and symbolic execution. Expecting Driller to "drill" through modern glibc might be a tall order to ask. Note that Driller has test cases on CGC binaries. You may want to run them first.

Yes, it works on CGC binaries and meets my needs. Also, I know that concolic tracing does not work well on real binaries. Thanks.

ltfish commented 2 months ago

> I know that concolic tracing does not work well on real binaries.

It does not work well unless some proper engineering effort is spent. For example, we can totally trace after libc's initialization code, which eliminates a lot of headaches for aligning traces inside libc.