Hello! I used your instructions in install.md to create a Dockerfile that makes it easy to test Fuzzification. I had to add some packages and requirements which are not included in the ubuntu:16.04 image. I used python -m pip freeze as soon as I got it running.

You can use the dockerfile with

• docker build -t fuzzification:latest .
• docker run --rm -it fuzzification:latest

The dockerfile was successfully tested against your readelf tutorial. Here is the docker.log. The python antifuzz_all.py command creates the expected five versions of readelf.

...
root@2335149a53ec:/home/fuzzification# ls ../antifuzz-tutorial/test/output/readelf/
  readelf_all  readelf_anti  readelf_bump  readelf_coverage  readelf_ori

Hi，I use the parameters in the evaluation section of the paper compile readelf. Why does the CPU overhead in SpeedBump reach 80%. In addition, if the program after BranchTrap is used, the segment fault is displayed.

I have run the following commands to test the functionality. It seems the error handling codes are modified. A segmentation fault will be produced if I feed the readelf_all with a file that does not exist.

$ gdb ./readelf_all
pwndbg> run -a ./nofile
Starting program: /home/xposimon/Desktop/works/fuzzification/antifuzz-tutorial/test/output/readelf/readelf_all -a ./nofile
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
__GI__IO_fread (buf=0x91e010, size=101, count=1, fp=0x0) at iofread.c:37
37	iofread.c: No such file or directory.

The transformation performed in anti-taint.py will create invalid c code in some cases. This is due to a missing check for the existence of variables named newvar_X. A minimal example of where this will be a problem is:

int newvar_1 = 1;
char str1[20];
strcpy(str1, "hello");
if(strcmp(str1, "hello")) {
    printf("True");
} else {
    printf("False");
}

which will be transformed to:

int newvar_1 = 1;
char str1[20];
strcpy(str1, "hello");
//////////////// ANTI-TAINT-STR //////////////////
char newvar_1[strlen(str1)];
if (strlen(str1) < 30){    
    for (int i=0;i<strlen(str1);i++){
        int ch=0;
        int temp = 0;
        int temp2 = 0;
        for (int j=0; j<8;j++){
            temp = str1[i];
            temp2 = temp & (1<<j);
            if (temp2 !=0){
                ch |= 1<<j;
            }
        }
        newvar_1[i] = ch;
    }
}
else{    
    strncpy(newvar_1, str1, strlen(str1));
}
//////////////////////////////////////////////////
   if(strcmp(newvar_1, "hello")) {
      printf("True");
   } else {
      printf("False");
   }

where newvar_1 is already in use.

Further i would like to ask you where you apply the crc checksum replacements of the form:

// original code: if (value == 12345)
if (CRC_LOOP(value) == OUTPUT_CRC) { ... }

that you write about in your paper.

My system is Virtual Box Ubuntu 16.04, installed all the dependencies, but when use this command: $ make -j 4 It always said there's no file "plugin-api.h" in the directory. Actually, I tried to go to the folder, the file is in that folder, but when installed, the error message always show up.

As you see, the antifuzz-tutorial contains a compile tutorial of binutils-2.23 , the binary readelf,objdump,objcpy,nm-new has the source code -> ir code command line , e.g.

COMMAND["objdump.o"] = 'afl-clang-fast -DHAVE_CONFIG_H -I. -I. -I. -I../bfd -I./../bfd -I./../include -DLOCALEDIR="\\"/usr/local/share/locale\\"" -Dbin_dummy_emulation=bin_vanilla_emulation -W -Wall -Wstrict-prototypes -Wmissing-prototypes -Wshadow -O0 -flto -std=c11 -lpthread -MT objdump.o -MD -MP -MF .deps/objdump.Tpo -c -o objdump.o -DOBJDUMP_PRIVATE_VECTORS="" ./{SRC} 2> /tmp/makeout'

but if I want to compile the binary with speedbump, it will lead to :(See antifuzz-tutorial/temp/binutils/build-objdump.sh, this is generated by src/compile.py)

elif [ "$3" == "slow" ]
  then
    #afl-clang-fast -DHAVE_CONFIG_H -I.  -I. -I. -I../bfd -I./../bfd -I./../include -DLOCALEDIR="\"/usr/local/share/locale\"" -Dbin_dummy_emulation=bin_vanilla_emulation  -W -Wall -Wstrict-prototypes -Wmissing-prototypes -Wshadow -O0 -flto -std=c11 -lpthread -MT objdump.o -MD -MP -MF .deps/objdump.Tpo -c -o objdump.o -DOBJDUMP_PRIVATE_VECTORS="" ./objdump.c  1> /dev/null 2> /tmp/makeout
    cp /home/lawyer61/AIFuzz/fuzzification/src/llvm_pass/bump/delaysrc/delay_$2.o ./delay.o
    /bin/bash ./libtool --tag=CC   --mode=link afl-clang-fast -W -Wall -Wstrict-prototypes -Wmissing-prototypes -Wshadow -O0 -flto -std=c11 -lpthread  -flto  -o $1 delay.o huge_dummy.o objdump_bump.o dwarf_bump.o prdbg_bump.o rddbg_bump.o debug_bump.o stabs_bump.o ieee_bump.o rdcoff_bump.o bucomm_bump.o version_bump.o filemode_bump.o elfcomm_bump.o  ../opcodes/libopcodes.la ../bfd/libbfd.la ../libiberty/libiberty.a  -lz 1> /dev/null 

The question is, all the *_bump.o file (except the objdump_bump.o) will fail in src/.work3/make_bump.sh:

opt -load ./libSkeletonPass_bump.so -SkeletonPass <$1.o> $1_bump.o ...

opt: <stdin>:1:1: error: expected top-level entity
(Garbled below)

So we will fail in the antifuzz-all.py when opening objdump_d30_r4_o3(for example)

Traceback (most recent call last):
  File "antifuzz_all.py", line 587, in <module>
    bump_depay, bump_ratio, fname, c_overhead, s_overhead = speedbump()
  File "antifuzz_all.py", line 415, in speedbump
    c_overhead, s_overhead = _ret_overhead(gen_pn)
  File "antifuzz_all.py", line 508, in _ret_overhead
    newfile_size = os.path.getsize(gen_pn)
  File "/usr/lib/python2.7/genericpath.py", line 57, in getsize
    return os.stat(filename).st_size
OSError: [Errno 2] No such file or directory: '../antifuzz-tutorial/temp/binutils/objdump_d50_r17_o3'