Merge pull request #14 from SoftSec-KAIST/dev
Update Eclipser to v2.0
jchoi2022 authored Oct 24, 2020
2 parents 59cb9c0 + ca070ce commit 3102206
Showing 149 changed files with 3,831 additions and 7,887 deletions.
13 changes: 5 additions & 8 deletions .gitignore
Expand Up @@ -12,14 +12,11 @@ obj/
.vscode/

#etc
Instrumentor/sparsehash/sparsehash-2.0.3
Instrumentor/sparsehash/sparsehash-2.0.3.tar.gz
Instrumentor/sparsehash/.compiled
Instrumentor/qemu/.prepared
Instrumentor/qemu/qemu-2.3.0*
Instrumentor/qemu/.compiled_x86
Instrumentor/qemu/.compiled_x64
Instrumentor/qemu/.compiled
Instrumentor/.prepared
Instrumentor/qemu-2.10.0*
Instrumentor/.compiled_x86
Instrumentor/.compiled_x64
Instrumentor/.compiled
*.swp
*.bin
box
17 changes: 17 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,22 @@
# Eclipser Change Log

## v2.0

* Simplify architecture by removing multiple input source fuzzing. This feature
has been supported for the comparison against KLEE.
* Remove our own random fuzzing module, and support integration with AFL.
* Fix QEMU instrumentation code (update to QEMU-2.10.0, fix bugs, optimize).
* Add a feature to decide execution timeout automatically.
* Clean up codes.
* Update command line interface.
* Update test examples.

## v1.1

* Fix initial seed set handling.
* Use edge coverage instead of node coverage.
* Fix the default parameters for maximum file/stdin length.

## v1.0

* Stop polluting '/tmp/' directory and keep the intermediate files internally.
Expand Up @@ -16,13 +16,15 @@
#
# http://www.apache.org/licenses/LICENSE-2.0

VERSION="2.10.0"

build_qemu () {
echo "[*] Configuring QEMU for x86_64..."

cd qemu-2.3.0-$1-x64 || exit 1
cd qemu-${VERSION}-$1-x64 || exit 1

CFLAGS="-O3" ./configure --disable-system --enable-linux-user \
--python=python2 --enable-guest-base --disable-gtk --disable-sdl --disable-vnc \
--python=python2 --disable-gtk --disable-sdl --disable-vnc \
--target-list="x86_64-linux-user" || exit 1

echo "[+] Configuration complete."
Expand All @@ -38,22 +40,16 @@ build_qemu () {
cd ..
}

### Build QEMU tracers

build_qemu pathcov
mv "./qemu-trace" "../../build/qemu-trace-pathcov-x64" || exit 1
echo "[+] Successfully created 'qemu-trace-pathcov-x64'."

build_qemu syscall
mv "./qemu-trace" "../../build/qemu-trace-syscall-x64" || exit 1
echo "[+] Successfully created 'qemu-trace-syscall-x64'."
build_qemu coverage
mv "./qemu-trace" "../build/qemu-trace-coverage-x64" || exit 1
echo "[+] Successfully created 'qemu-trace-coverage-x64'."

build_qemu feedback
mv "./qemu-trace" "../../build/qemu-trace-feedback-x64" || exit 1
echo "[+] Successfully created 'qemu-trace-feedback-x64'."
build_qemu branch
mv "./qemu-trace" "../build/qemu-trace-branch-x64" || exit 1
echo "[+] Successfully created 'qemu-trace-branch-x64'."

build_qemu bbcount
mv "./qemu-trace" "../../build/qemu-trace-bbcount-x64" || exit 1
mv "./qemu-trace" "../build/qemu-trace-bbcount-x64" || exit 1
echo "[+] Successfully created 'qemu-trace-bbcount-x64'."

exit 0
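Review bot: `cd qemu-${VERSION}-$1-x64 || exit 1` in build_qemu expands `$1` unquoted, so an argument containing whitespace or glob characters is word-split or globbed before cd sees it; quote the operand, `cd "qemu-${VERSION}-$1-x64" || exit 1`. The i386 script has the identical line, `cd qemu-${VERSION}-$1-x86 || exit 1`. Separately, `VERSION="2.10.0"` is now defined independently here, in the i386 script and in each of the four generate_*_patch.sh scripts, so a future QEMU bump must be repeated in six places; sourcing one shared version file would keep them in step. The middle of build_qemu is collapsed between the two hunks, so its remaining body is not visible here.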
Expand Up @@ -16,13 +16,15 @@
#
# http://www.apache.org/licenses/LICENSE-2.0

VERSION="2.10.0"

build_qemu () {
echo "[*] Configuring QEMU for i386..."

cd qemu-2.3.0-$1-x86 || exit 1
cd qemu-${VERSION}-$1-x86 || exit 1

CFLAGS="-O3" ./configure --disable-system --enable-linux-user \
--python=python2 --enable-guest-base --disable-gtk --disable-sdl --disable-vnc \
--python=python2 --disable-gtk --disable-sdl --disable-vnc \
--target-list="i386-linux-user" || exit 1

echo "[+] Configuration complete."
Expand All @@ -38,22 +40,16 @@ build_qemu () {
cd ..
}

### Build QEMU tracers

build_qemu pathcov
mv "./qemu-trace" "../../build/qemu-trace-pathcov-x86" || exit 1
echo "[+] Successfully created 'qemu-trace-pathcov-x86'."

build_qemu syscall
mv "./qemu-trace" "../../build/qemu-trace-syscall-x86" || exit 1
echo "[+] Successfully created 'qemu-trace-syscall-x86'."
build_qemu coverage
mv "./qemu-trace" "../build/qemu-trace-coverage-x86" || exit 1
echo "[+] Successfully created 'qemu-trace-coverage-x86'."

build_qemu feedback
mv "./qemu-trace" "../../build/qemu-trace-feedback-x86" || exit 1
echo "[+] Successfully created 'qemu-trace-feedback-x86'."
build_qemu branch
mv "./qemu-trace" "../build/qemu-trace-branch-x86" || exit 1
echo "[+] Successfully created 'qemu-trace-branch-x86'."

build_qemu bbcount
mv "./qemu-trace" "../../build/qemu-trace-bbcount-x86" || exit 1
mv "./qemu-trace" "../build/qemu-trace-bbcount-x86" || exit 1
echo "[+] Successfully created 'qemu-trace-bbcount-x86'."

exit 0
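--- a/Instrumentor/generate_bbcount_patch.sh
+++ b/Instrumentor/generate_bbcount_patch.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+VERSION="2.10.0"
+
+cp -r qemu-${VERSION}-bbcount-x64 qemu-${VERSION}-bbcount
+
+cp qemu-${VERSION}-bbcount/eclipser.cc ./patches-bbcount/
+
+cp qemu-${VERSION}/accel/tcg/cpu-exec.c \
+qemu-${VERSION}-bbcount/accel/tcg/cpu-exec.c.orig
+diff -Naur qemu-${VERSION}-bbcount/accel/tcg/cpu-exec.c.orig \
+qemu-${VERSION}-bbcount/accel/tcg/cpu-exec.c \
+> patches-bbcount/cpu-exec.diff
+
+cp qemu-${VERSION}/Makefile.target \
+qemu-${VERSION}-bbcount/Makefile.target.orig
+diff -Naur qemu-${VERSION}-bbcount/Makefile.target.orig \
+qemu-${VERSION}-bbcount/Makefile.target \
+> patches-bbcount/makefile-target.diff
+
+cp qemu-${VERSION}/linux-user/syscall.c \
+qemu-${VERSION}-bbcount/linux-user/syscall.c.orig
+diff -Naur qemu-${VERSION}-bbcount/linux-user/syscall.c.orig \
+qemu-${VERSION}-bbcount/linux-user/syscall.c \
+> patches-bbcount/syscall.diff
+
+rm -rf qemu-${VERSION}-bbcount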
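Review bot: None of the `cp` steps is checked and every `diff` uses `-N`, so if `cp -r qemu-${VERSION}-bbcount-x64 qemu-${VERSION}-bbcount` or one of the `.orig` copies fails (tree missing, wrong working directory), diff treats the absent `.orig` as an empty file and silently writes a patch that adds the whole file, after which the trailing `rm -rf` removes the evidence. Because `diff` exits 1 whenever the inputs differ, `set -e` would abort the script on every successful run; append `|| exit 1` to each `cp` line instead, e.g. `cp -r qemu-${VERSION}-bbcount-x64 qemu-${VERSION}-bbcount || exit 1`, and only reach the `rm -rf` once all patches were written. generate_branch_patch.sh and generate_coverage_patch.sh have the same unchecked copies, and generate_common_patch.sh relies on the same `-N` behaviour for `.orig` files it never verifies exist.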
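--- a/Instrumentor/generate_branch_patch.sh
+++ b/Instrumentor/generate_branch_patch.sh
@@ -0,0 +1,65 @@
+#!/bin/bash
+
+VERSION="2.10.0"
+
+cp -r qemu-${VERSION}-branch-x64 qemu-${VERSION}-branch
+
+cp qemu-${VERSION}-branch/afl-qemu-cpu-inl.h ./patches-branch/afl-qemu-cpu-inl.h
+
+cp qemu-${VERSION}-branch/tcg/eclipser.c ./patches-branch/eclipser.c
+
+cp qemu-${VERSION}/accel/tcg/cpu-exec.c \
+qemu-${VERSION}-branch/accel/tcg/cpu-exec.c.orig
+diff -Naur qemu-${VERSION}-branch/accel/tcg/cpu-exec.c.orig \
+qemu-${VERSION}-branch/accel/tcg/cpu-exec.c \
+> patches-branch/cpu-exec.diff
+
+cp qemu-${VERSION}/Makefile.target \
+qemu-${VERSION}-branch/Makefile.target.orig
+diff -Naur qemu-${VERSION}-branch/Makefile.target.orig \
+qemu-${VERSION}-branch/Makefile.target \
+> patches-branch/makefile-target.diff
+
+cp qemu-${VERSION}/linux-user/syscall.c \
+qemu-${VERSION}-branch/linux-user/syscall.c.orig
+diff -Naur qemu-${VERSION}-branch/linux-user/syscall.c.orig \
+qemu-${VERSION}-branch/linux-user/syscall.c \
+> patches-branch/syscall.diff
+
+cp qemu-${VERSION}/tcg/optimize.c \
+qemu-${VERSION}-branch/tcg/optimize.c.orig
+diff -Naur qemu-${VERSION}-branch/tcg/optimize.c.orig \
+qemu-${VERSION}-branch/tcg/optimize.c \
+> patches-branch/optimize.diff
+
+cp qemu-${VERSION}/tcg/tcg-op.h \
+qemu-${VERSION}-branch/tcg/tcg-op.h.orig
+diff -Naur qemu-${VERSION}-branch/tcg/tcg-op.h.orig \
+qemu-${VERSION}-branch/tcg/tcg-op.h \
+> patches-branch/tcg-op.diff
+
+cp qemu-${VERSION}/tcg/tcg-opc.h \
+qemu-${VERSION}-branch/tcg/tcg-opc.h.orig
+diff -Naur qemu-${VERSION}-branch/tcg/tcg-opc.h.orig \
+qemu-${VERSION}-branch/tcg/tcg-opc.h \
+> patches-branch/tcg-opc.diff
+
+cp qemu-${VERSION}/tcg/i386/tcg-target.inc.c \
+qemu-${VERSION}-branch/tcg/i386/tcg-target.inc.c.orig
+diff -Naur qemu-${VERSION}-branch/tcg/i386/tcg-target.inc.c.orig \
+qemu-${VERSION}-branch/tcg/i386/tcg-target.inc.c \
+> patches-branch/tcg-target.diff
+
+cp qemu-${VERSION}/target/i386/helper.h \
+qemu-${VERSION}-branch/target/i386/helper.h.orig
+diff -Naur qemu-${VERSION}-branch/target/i386/helper.h.orig \
+qemu-${VERSION}-branch/target/i386/helper.h \
+> patches-branch/target-helper.diff
+
+cp qemu-${VERSION}/target/i386/translate.c \
+qemu-${VERSION}-branch/target/i386/translate.c.orig
+diff -Naur qemu-${VERSION}-branch/target/i386/translate.c.orig \
+qemu-${VERSION}-branch/target/i386/translate.c \
+> patches-branch/target-translate.diff
+
+rm -rf qemu-${VERSION}-branch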
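--- a/Instrumentor/generate_common_patch.sh
+++ b/Instrumentor/generate_common_patch.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+VERSION="2.10.0"
+
+diff -Naur qemu-${VERSION}/configure.orig \
+qemu-${VERSION}/configure \
+> patches-common/configure.diff
+
+diff -Naur qemu-${VERSION}/linux-user/elfload.c.orig \
+qemu-${VERSION}/linux-user/elfload.c \
+> patches-common/elfload.diff
+
+diff -Naur qemu-${VERSION}/util/memfd.c.orig \
+qemu-${VERSION}/util/memfd.c \
+> patches-common/memfd.diff
+
+diff -Naur qemu-${VERSION}/linux-user/signal.c.orig \
+qemu-${VERSION}/linux-user/signal.c \
+> patches-common/signal.diff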
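--- a/Instrumentor/generate_coverage_patch.sh
+++ b/Instrumentor/generate_coverage_patch.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+VERSION="2.10.0"
+
+cp -r qemu-${VERSION}-coverage-x64 qemu-${VERSION}-coverage
+
+cp qemu-${VERSION}-coverage/accel/tcg/afl-qemu-cpu-inl.h ./patches-coverage/
+
+cp qemu-${VERSION}-coverage/accel/tcg/eclipser.c ./patches-coverage/
+
+cp qemu-${VERSION}/accel/tcg/cpu-exec.c \
+qemu-${VERSION}-coverage/accel/tcg/cpu-exec.c.orig
+diff -Naur qemu-${VERSION}-coverage/accel/tcg/cpu-exec.c.orig \
+qemu-${VERSION}-coverage/accel/tcg/cpu-exec.c \
+> patches-coverage/cpu-exec.diff
+
+cp qemu-${VERSION}/accel/tcg/Makefile.objs \
+qemu-${VERSION}-coverage/accel/tcg/Makefile.objs.orig
+diff -Naur qemu-${VERSION}-coverage/accel/tcg/Makefile.objs.orig \
+qemu-${VERSION}-coverage/accel/tcg/Makefile.objs \
+> patches-coverage/makefile-objs.diff
+
+cp qemu-${VERSION}/linux-user/syscall.c \
+qemu-${VERSION}-coverage/linux-user/syscall.c.orig
+diff -Naur qemu-${VERSION}-coverage/linux-user/syscall.c.orig \
+qemu-${VERSION}-coverage/linux-user/syscall.c \
+> patches-coverage/syscall.diff
+
+cp qemu-${VERSION}/target/i386/helper.h \
+qemu-${VERSION}-coverage/target/i386/helper.h.orig
+diff -Naur qemu-${VERSION}-coverage/target/i386/helper.h.orig \
+qemu-${VERSION}-coverage/target/i386/helper.h \
+> patches-coverage/target-helper.diff
+
+cp qemu-${VERSION}/target/i386/translate.c \
+qemu-${VERSION}-coverage/target/i386/translate.c.orig
+diff -Naur qemu-${VERSION}-coverage/target/i386/translate.c.orig \
+qemu-${VERSION}-coverage/target/i386/translate.c \
+> patches-coverage/target-translate.diff
+
+rm -rf qemu-${VERSION}-coverage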
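--- a/Instrumentor/patches-bbcount/cpu-exec.diff
+++ b/Instrumentor/patches-bbcount/cpu-exec.diff
@@ -0,0 +1,25 @@
+--- qemu-2.10.0-bbcount/accel/tcg/cpu-exec.c.orig 2020-09-29 08:25:21.151543920 -0700
++++ qemu-2.10.0-bbcount/accel/tcg/cpu-exec.c 2020-09-29 08:23:51.822938454 -0700
+@@ -36,6 +36,10 @@
+#include "sysemu/cpus.h"
+#include "sysemu/replay.h"
+
++extern abi_ulong eclipser_entry_point;
++extern void eclipser_setup(void);
++extern void eclipser_log_bb(abi_ulong addr);
++
+/* -icount align implementation. */
+
+typedef struct SyncClocks {
+@@ -144,6 +148,11 @@
+int tb_exit;
+uint8_t *tb_ptr = itb->tc_ptr;
+
++ if(itb->pc == eclipser_entry_point) {
++ eclipser_setup();
++ }
++ eclipser_log_bb(itb->pc);
++
+qemu_log_mask_and_addr(CPU_LOG_EXEC, itb->pc,
+"Trace %p [%d: " TARGET_FMT_lx "] %s\n",
+itb->tc_ptr, cpu->cpu_index, itb->pc,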
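Review bot: The three prototypes `extern abi_ulong eclipser_entry_point;`, `extern void eclipser_setup(void);` and `extern void eclipser_log_bb(abi_ulong addr);` are declared ad hoc inside cpu-exec.c instead of in a header shared with their definitions, so nothing checks them against the implementation; since generate_bbcount_patch.sh copies that implementation from `eclipser.cc`, the definitions presumably need C linkage for these declarations to resolve — confirm they are wrapped in `extern "C"` and move the declarations into a small header included by both files. In the second hunk, `if(itb->pc == eclipser_entry_point) {` drops the space QEMU's style requires, `if (itb->pc == eclipser_entry_point) {`. `eclipser_log_bb(itb->pc)` is also called for every translation block, including any that run before the entry-point block triggers `eclipser_setup()`, which is only safe if eclipser_log_bb tolerates being called before setup; that is not visible here. The function containing the second hunk begins and ends outside it.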