vusec / vuzzer64

This implements a 64-bit version of vusec/vuzzer fuzzing tool.
Apache License 2.0

libdft64 terminates early? #9

Open deekshadangwal opened 5 years ago

deekshadangwal commented 5 years ago

I'm trying to use libdft-dta tool for taint tracking. But, I'm having issues with running it with flags. This is the command I'm using:

$PIN_HOME/pin -follow_execv -t $DFT_HOME/tools/libdft-dta.so -s 1 -- ./hw.o

Here is hw.c:

#include <stdio.h>

int main () {
   char str1[20], str2[30];

   /* Both reads come from stdin, which is the data we want libdft to taint. */
   printf("Enter name: ");
   scanf("%19s", str1);   /* width limit keeps the read inside the buffer */

   printf("Enter your website name: ");
   scanf("%29s", str2);

   printf("Entered Name: %s\n", str1);
   printf("Entered Website:%s", str2);

   return(0);
}

compiled with: gcc hw.c -o hw.o

However, cmp.out and lea.out are empty. pintool.log says "died":

Pin: pin-3.7-97619-0d0c92f4f
Copyright (c) 2003-2018, Intel Corporation. All rights reserved.
 died

It does not even prompt me for stdin as per hw.c.

However, when not using the -s 1 flag, it prompts me for stdin as expected and the pintool.log looks like it ran (?):

Pin: pin-3.7-97619-0d0c92f4f
Copyright (c) 2003-2018, Intel Corporation. All rights reserved.
 In open
 in_dtracker_whitelist /etc/ld.so.cache
 Info ignoring fd 3
 In mmap 3 0
 close 3
 In open
 in_dtracker_whitelist /lib/x86_64-linux-gnu/libc-2.27.so
 Info ignoring fd 3
 In mmap -1 0
 In mmap 3 0
 In mmap 3 1994752
 In mmap -1 0
 close 3

But, pin.log reports "missing application":

Pin: pin-3.7-97619-0d0c92f4f
Copyright (c) 2003-2018, Intel Corporation. All rights reserved.
E:  Missing application name

Also, cmp.out and lea.out are empty.

Any ideas? Thanks in advance!

marekzmyslowski commented 5 years ago

The libdft-dta.so from the vuzzer64 directory doesn't support the -s option - that is why it always dies. The pin.log is created when the PIN generates error. Before you run the application please delete the file. I'm also facing the same problem. Both files are empty and I don't know why.

tosanjay commented 5 years ago

Have a look at run_2.sh to understand how to call it separately.

deekshadangwal commented 5 years ago

@tosanjay Thanks for your response! Is there a description of the -x flag somewhere? Is there some example usage for run_2.sh? I'm not sure what the inputs are here.

Also, if -s 1 is not supported, is there some other way to mark "tainted data" in this version of libdft64?

tosanjay commented 5 years ago

$PIN_ROOT/pin -t libdft-dta.so -filename $2 -x $3 -- $1

If you look at the function execute2 in runfuzzer.py, you can derive that

$2 = name of the file which is input to the program (taint source)
$1 = commandline to invoke your program
$3 = 0 (default, but you can set some other value)
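A small wrapper around that invocation, added here as an example and not taken from vuzzer64 or run_2.sh. It assumes $PIN_ROOT points at the Pin kit, that libdft-dta.so lives under $DFT_HOME/tools, and that the tool writes cmp.out and lea.out to the working directory; it also deletes a stale pin.log before each run, since Pin only writes that file on error and an old copy is misleading, and it reports when the two output files stay empty.

```shell
#!/bin/sh
# Added example (not part of vuzzer64 or this issue): wraps the libdft-dta
# command line derived from execute2() in runfuzzer.py.
# Assumptions: $PIN_ROOT is the Pin kit, libdft-dta.so is in $DFT_HOME/tools,
# and cmp.out / lea.out are written to the current directory.

PIN_ROOT="${PIN_ROOT:-/opt/pin}"
DFT_HOME="${DFT_HOME:-$PWD}"

# dta_cmd PROGRAM_CMDLINE TAINT_FILE [X]
# Prints the command line only. This libdft-dta.so does not accept -s; the
# taint source is the file passed to -filename, and -x defaults to 0.
dta_cmd() {
    prog="$1"; src="$2"; x="${3:-0}"
    [ -r "$src" ] || { echo "taint source $src is not readable" >&2; return 1; }
    printf '%s -t %s -filename %s -x %s -- %s\n' \
        "$PIN_ROOT/pin" "$DFT_HOME/tools/libdft-dta.so" "$src" "$x" "$prog"
}

# check_outputs: returns 0 only if cmp.out and lea.out both exist and are
# non-empty; prints line counts so a silent run is easy to spot.
check_outputs() {
    ok=0
    for f in cmp.out lea.out; do
        if [ -s "$f" ]; then
            echo "$f: $(wc -l < "$f") lines"
        else
            echo "$f: missing or empty" >&2; ok=1
        fi
    done
    return $ok
}

# run_dta PROGRAM_CMDLINE TAINT_FILE [X]
# Removes a stale pin.log (Pin writes it only on error), runs the tool, then
# shows any Pin error and checks the outputs.
run_dta() {
    cmd=$(dta_cmd "$@") || return 1
    rm -f pin.log
    sh -c "$cmd"
    status=$?
    [ -s pin.log ] && { echo "Pin reported an error:" >&2; cat pin.log >&2; }
    check_outputs
    return $status
}
```

Usage with the program from this issue would be `run_dta ./hw.o input.txt`, where input.txt holds the stdin you want treated as tainted; redirecting stdin is the caller's choice (`run_dta "./hw.o < input.txt" input.txt`), and `dta_cmd` alone prints the command for inspection.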

deekshadangwal commented 5 years ago

Thanks @tosanjay, this works! I am trying to also print out the instruction trace with a tainted/not tainted tag alongside it. Is there a function I could use/expand to do that? If not, did you have some idea as to what part of the API I should start looking at first?

Thanks again!