Merge pull request #14 from SoftSec-KAIST/dev

Update Eclipser to v2.0

Author: jchoi2022

.gitignore

@@ -12,14 +12,11 @@ obj/
 .vscode/
 
 #etc
-Instrumentor/sparsehash/sparsehash-2.0.3
-Instrumentor/sparsehash/sparsehash-2.0.3.tar.gz
-Instrumentor/sparsehash/.compiled
-Instrumentor/qemu/.prepared
-Instrumentor/qemu/qemu-2.3.0*
-Instrumentor/qemu/.compiled_x86
-Instrumentor/qemu/.compiled_x64
-Instrumentor/qemu/.compiled
+Instrumentor/.prepared
+Instrumentor/qemu-2.10.0*
+Instrumentor/.compiled_x86
+Instrumentor/.compiled_x64
+Instrumentor/.compiled
 *.swp
 *.bin
 box

CHANGELOG.md

@@ -1,5 +1,22 @@
 # Eclipser Change Log
 
+## v2.0
+
+* Simplify architecture by removing multiple input source fuzzing. This feature
+  has been supported for the comparison against KLEE.
+* Remove our own random fuzzing module, and support integration with AFL.
+* Fix QEMU instrumentation code (update to QEMU-2.10.0, fix bugs, optimize).
+* Add a feature to decide execution timeout automatically.
+* Clean up codes.
+* Update command line interface.
+* Update test examples.
+
+## v1.1
+
+* Fix initial seed set handling.
+* Use edge coverage instead of node coverage.
+* Fix the default parameters for maximum file/stdin length.
+
 ## v1.0
 
 * Stop polluting '/tmp/' directory and keep the intermediate files internally.

Instrumentor/qemu/build_qemu_x64.sh Instrumentor/build_qemu_x64.sh

@@ -16,13 +16,15 @@
 #
 #   http://www.apache.org/licenses/LICENSE-2.0
 
+VERSION="2.10.0"
+
 build_qemu () {
     echo "[*] Configuring QEMU for x86_64..."
 
-    cd qemu-2.3.0-$1-x64 || exit 1
+    cd qemu-${VERSION}-$1-x64 || exit 1
 
     CFLAGS="-O3" ./configure --disable-system --enable-linux-user \
-      --python=python2 --enable-guest-base --disable-gtk --disable-sdl --disable-vnc \
+      --python=python2 --disable-gtk --disable-sdl --disable-vnc \
       --target-list="x86_64-linux-user" || exit 1
 
     echo "[+] Configuration complete."
@@ -38,22 +40,16 @@ build_qemu () {
     cd ..
 }
 
-### Build QEMU tracers
-
-build_qemu pathcov
-mv "./qemu-trace" "../../build/qemu-trace-pathcov-x64" || exit 1
-echo "[+] Successfully created 'qemu-trace-pathcov-x64'."
-
-build_qemu syscall
-mv "./qemu-trace" "../../build/qemu-trace-syscall-x64" || exit 1
-echo "[+] Successfully created 'qemu-trace-syscall-x64'."
+build_qemu coverage
+mv "./qemu-trace" "../build/qemu-trace-coverage-x64" || exit 1
+echo "[+] Successfully created 'qemu-trace-coverage-x64'."
 
-build_qemu feedback
-mv "./qemu-trace" "../../build/qemu-trace-feedback-x64" || exit 1
-echo "[+] Successfully created 'qemu-trace-feedback-x64'."
+build_qemu branch
+mv "./qemu-trace" "../build/qemu-trace-branch-x64" || exit 1
+echo "[+] Successfully created 'qemu-trace-branch-x64'."
 
 build_qemu bbcount
-mv "./qemu-trace" "../../build/qemu-trace-bbcount-x64" || exit 1
+mv "./qemu-trace" "../build/qemu-trace-bbcount-x64" || exit 1
 echo "[+] Successfully created 'qemu-trace-bbcount-x64'."
 
 exit 0

Instrumentor/qemu/build_qemu_x86.sh Instrumentor/build_qemu_x86.sh

@@ -16,13 +16,15 @@
 #
 #   http://www.apache.org/licenses/LICENSE-2.0
 
+VERSION="2.10.0"
+
 build_qemu () {
     echo "[*] Configuring QEMU for i386..."
 
-    cd qemu-2.3.0-$1-x86 || exit 1
+    cd qemu-${VERSION}-$1-x86 || exit 1
 
     CFLAGS="-O3" ./configure --disable-system --enable-linux-user \
-      --python=python2 --enable-guest-base --disable-gtk --disable-sdl --disable-vnc \
+      --python=python2 --disable-gtk --disable-sdl --disable-vnc \
       --target-list="i386-linux-user" || exit 1
 
     echo "[+] Configuration complete."
@@ -38,22 +40,16 @@ build_qemu () {
     cd ..
 }
 
-### Build QEMU tracers
-
-build_qemu pathcov
-mv "./qemu-trace" "../../build/qemu-trace-pathcov-x86" || exit 1
-echo "[+] Successfully created 'qemu-trace-pathcov-x86'."
-
-build_qemu syscall
-mv "./qemu-trace" "../../build/qemu-trace-syscall-x86" || exit 1
-echo "[+] Successfully created 'qemu-trace-syscall-x86'."
+build_qemu coverage
+mv "./qemu-trace" "../build/qemu-trace-coverage-x86" || exit 1
+echo "[+] Successfully created 'qemu-trace-coverage-x86'."
 
-build_qemu feedback
-mv "./qemu-trace" "../../build/qemu-trace-feedback-x86" || exit 1
-echo "[+] Successfully created 'qemu-trace-feedback-x86'."
+build_qemu branch
+mv "./qemu-trace" "../build/qemu-trace-branch-x86" || exit 1
+echo "[+] Successfully created 'qemu-trace-branch-x86'."
 
 build_qemu bbcount
-mv "./qemu-trace" "../../build/qemu-trace-bbcount-x86" || exit 1
+mv "./qemu-trace" "../build/qemu-trace-bbcount-x86" || exit 1
 echo "[+] Successfully created 'qemu-trace-bbcount-x86'."
 
 exit 0

Instrumentor/generate_bbcount_patch.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+VERSION="2.10.0"
+
+cp -r qemu-${VERSION}-bbcount-x64 qemu-${VERSION}-bbcount
+
+cp qemu-${VERSION}-bbcount/eclipser.cc ./patches-bbcount/
+
+cp qemu-${VERSION}/accel/tcg/cpu-exec.c \
+   qemu-${VERSION}-bbcount/accel/tcg/cpu-exec.c.orig
+diff -Naur qemu-${VERSION}-bbcount/accel/tcg/cpu-exec.c.orig \
+           qemu-${VERSION}-bbcount/accel/tcg/cpu-exec.c \
+           > patches-bbcount/cpu-exec.diff
+
+cp qemu-${VERSION}/Makefile.target \
+   qemu-${VERSION}-bbcount/Makefile.target.orig
+diff -Naur qemu-${VERSION}-bbcount/Makefile.target.orig \
+           qemu-${VERSION}-bbcount/Makefile.target \
+           > patches-bbcount/makefile-target.diff
+
+cp qemu-${VERSION}/linux-user/syscall.c \
+   qemu-${VERSION}-bbcount/linux-user/syscall.c.orig
+diff -Naur qemu-${VERSION}-bbcount/linux-user/syscall.c.orig \
+           qemu-${VERSION}-bbcount/linux-user/syscall.c \
+           > patches-bbcount/syscall.diff
+
+rm -rf qemu-${VERSION}-bbcount

Instrumentor/generate_branch_patch.sh

@@ -0,0 +1,65 @@
+#!/bin/bash
+
+VERSION="2.10.0"
+
+cp -r qemu-${VERSION}-branch-x64 qemu-${VERSION}-branch
+
+cp qemu-${VERSION}-branch/afl-qemu-cpu-inl.h ./patches-branch/afl-qemu-cpu-inl.h
+
+cp qemu-${VERSION}-branch/tcg/eclipser.c ./patches-branch/eclipser.c
+
+cp qemu-${VERSION}/accel/tcg/cpu-exec.c \
+   qemu-${VERSION}-branch/accel/tcg/cpu-exec.c.orig
+diff -Naur qemu-${VERSION}-branch/accel/tcg/cpu-exec.c.orig \
+           qemu-${VERSION}-branch/accel/tcg/cpu-exec.c \
+           > patches-branch/cpu-exec.diff
+
+cp qemu-${VERSION}/Makefile.target \
+   qemu-${VERSION}-branch/Makefile.target.orig
+diff -Naur qemu-${VERSION}-branch/Makefile.target.orig \
+           qemu-${VERSION}-branch/Makefile.target \
+           > patches-branch/makefile-target.diff
+
+cp qemu-${VERSION}/linux-user/syscall.c \
+   qemu-${VERSION}-branch/linux-user/syscall.c.orig
+diff -Naur qemu-${VERSION}-branch/linux-user/syscall.c.orig \
+           qemu-${VERSION}-branch/linux-user/syscall.c \
+           > patches-branch/syscall.diff
+
+cp qemu-${VERSION}/tcg/optimize.c \
+   qemu-${VERSION}-branch/tcg/optimize.c.orig
+diff -Naur qemu-${VERSION}-branch/tcg/optimize.c.orig \
+           qemu-${VERSION}-branch/tcg/optimize.c \
+           > patches-branch/optimize.diff
+
+cp qemu-${VERSION}/tcg/tcg-op.h \
+   qemu-${VERSION}-branch/tcg/tcg-op.h.orig
+diff -Naur qemu-${VERSION}-branch/tcg/tcg-op.h.orig \
+           qemu-${VERSION}-branch/tcg/tcg-op.h \
+           > patches-branch/tcg-op.diff
+
+cp qemu-${VERSION}/tcg/tcg-opc.h \
+   qemu-${VERSION}-branch/tcg/tcg-opc.h.orig
+diff -Naur qemu-${VERSION}-branch/tcg/tcg-opc.h.orig \
+           qemu-${VERSION}-branch/tcg/tcg-opc.h \
+           > patches-branch/tcg-opc.diff
+
+cp qemu-${VERSION}/tcg/i386/tcg-target.inc.c \
+   qemu-${VERSION}-branch/tcg/i386/tcg-target.inc.c.orig
+diff -Naur qemu-${VERSION}-branch/tcg/i386/tcg-target.inc.c.orig \
+           qemu-${VERSION}-branch/tcg/i386/tcg-target.inc.c \
+           > patches-branch/tcg-target.diff
+
+cp qemu-${VERSION}/target/i386/helper.h \
+   qemu-${VERSION}-branch/target/i386/helper.h.orig
+diff -Naur qemu-${VERSION}-branch/target/i386/helper.h.orig \
+           qemu-${VERSION}-branch/target/i386/helper.h \
+           > patches-branch/target-helper.diff
+
+cp qemu-${VERSION}/target/i386/translate.c \
+   qemu-${VERSION}-branch/target/i386/translate.c.orig
+diff -Naur qemu-${VERSION}-branch/target/i386/translate.c.orig \
+           qemu-${VERSION}-branch/target/i386/translate.c \
+           > patches-branch/target-translate.diff
+
+rm -rf qemu-${VERSION}-branch

Instrumentor/generate_common_patch.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+VERSION="2.10.0"
+
+diff -Naur qemu-${VERSION}/configure.orig \
+           qemu-${VERSION}/configure \
+           > patches-common/configure.diff
+
+diff -Naur qemu-${VERSION}/linux-user/elfload.c.orig \
+           qemu-${VERSION}/linux-user/elfload.c \
+           > patches-common/elfload.diff
+
+diff -Naur qemu-${VERSION}/util/memfd.c.orig \
+           qemu-${VERSION}/util/memfd.c \
+           > patches-common/memfd.diff
+
+diff -Naur qemu-${VERSION}/linux-user/signal.c.orig \
+           qemu-${VERSION}/linux-user/signal.c \
+           > patches-common/signal.diff

Instrumentor/generate_coverage_patch.sh

@@ -0,0 +1,41 @@
+#!/bin/bash
+
+VERSION="2.10.0"
+
+cp -r qemu-${VERSION}-coverage-x64 qemu-${VERSION}-coverage
+
+cp qemu-${VERSION}-coverage/accel/tcg/afl-qemu-cpu-inl.h ./patches-coverage/
+
+cp qemu-${VERSION}-coverage/accel/tcg/eclipser.c ./patches-coverage/
+
+cp qemu-${VERSION}/accel/tcg/cpu-exec.c \
+   qemu-${VERSION}-coverage/accel/tcg/cpu-exec.c.orig
+diff -Naur qemu-${VERSION}-coverage/accel/tcg/cpu-exec.c.orig \
+           qemu-${VERSION}-coverage/accel/tcg/cpu-exec.c \
+           > patches-coverage/cpu-exec.diff
+
+cp qemu-${VERSION}/accel/tcg/Makefile.objs \
+   qemu-${VERSION}-coverage/accel/tcg/Makefile.objs.orig
+diff -Naur qemu-${VERSION}-coverage/accel/tcg/Makefile.objs.orig \
+           qemu-${VERSION}-coverage/accel/tcg/Makefile.objs \
+           > patches-coverage/makefile-objs.diff
+
+cp qemu-${VERSION}/linux-user/syscall.c \
+   qemu-${VERSION}-coverage/linux-user/syscall.c.orig
+diff -Naur qemu-${VERSION}-coverage/linux-user/syscall.c.orig \
+           qemu-${VERSION}-coverage/linux-user/syscall.c \
+           > patches-coverage/syscall.diff
+
+cp qemu-${VERSION}/target/i386/helper.h \
+   qemu-${VERSION}-coverage/target/i386/helper.h.orig
+diff -Naur qemu-${VERSION}-coverage/target/i386/helper.h.orig \
+           qemu-${VERSION}-coverage/target/i386/helper.h \
+           > patches-coverage/target-helper.diff
+
+cp qemu-${VERSION}/target/i386/translate.c \
+   qemu-${VERSION}-coverage/target/i386/translate.c.orig
+diff -Naur qemu-${VERSION}-coverage/target/i386/translate.c.orig \
+           qemu-${VERSION}-coverage/target/i386/translate.c \
+           > patches-coverage/target-translate.diff
+
+rm -rf qemu-${VERSION}-coverage

Instrumentor/patches-bbcount/cpu-exec.diff

@@ -0,0 +1,25 @@
+--- qemu-2.10.0-bbcount/accel/tcg/cpu-exec.c.orig	2020-09-29 08:25:21.151543920 -0700
++++ qemu-2.10.0-bbcount/accel/tcg/cpu-exec.c	2020-09-29 08:23:51.822938454 -0700
+@@ -36,6 +36,10 @@
+ #include "sysemu/cpus.h"
+ #include "sysemu/replay.h"
+ 
++extern abi_ulong eclipser_entry_point;
++extern void eclipser_setup(void);
++extern void eclipser_log_bb(abi_ulong addr);
++
+ /* -icount align implementation. */
+ 
+ typedef struct SyncClocks {
+@@ -144,6 +148,11 @@
+     int tb_exit;
+     uint8_t *tb_ptr = itb->tc_ptr;
+ 
++    if(itb->pc == eclipser_entry_point) {
++      eclipser_setup();
++    }
++    eclipser_log_bb(itb->pc);
++
+     qemu_log_mask_and_addr(CPU_LOG_EXEC, itb->pc,
+                            "Trace %p [%d: " TARGET_FMT_lx "] %s\n",
+                            itb->tc_ptr, cpu->cpu_index, itb->pc,