QSYM: A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing

Overview

QSYM: A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing

Environment

  • Tested on Ubuntu 14.04 64bit and 16.04 64bit

Installation

# disable ptrace_scope for PIN
$ echo 0|sudo tee /proc/sys/kernel/yama/ptrace_scope

# install z3 and system deps
$ ./setup.sh

# install using virtual env
$ virtualenv venv
$ source venv/bin/activate
$ pip install .

Installation using Docker

# disable ptrace_scope for PIN
$ echo 0|sudo tee /proc/sys/kernel/yama/ptrace_scope

# build docker image
$ docker build -t qsym ./

# run docker image
$ docker run --cap-add=SYS_PTRACE -it qsym /bin/bash

Installation using vagrant

Because QSYM depends on the underlying kernel version (its bundled PIN release is old), we provide a convenient way to install QSYM inside a VM. Please take a look at our vagrant directory.

Run hybrid fuzzing with AFL

# require to set the following environment variables
#   AFL_ROOT: afl directory (http://lcamtuf.coredump.cx/afl/)
#   INPUT: input seed files
#   OUTPUT: output directory
#   AFL_CMDLINE: command line for a testing program for AFL (ASAN + instrumented)
#   QSYM_CMDLINE: command line for a testing program for QSYM (Non-instrumented)

# run AFL master
$ $AFL_ROOT/afl-fuzz -M afl-master -i $INPUT -o $OUTPUT -- $AFL_CMDLINE
# run AFL slave
$ $AFL_ROOT/afl-fuzz -S afl-slave -i $INPUT -o $OUTPUT -- $AFL_CMDLINE
# run QSYM
$ bin/run_qsym_afl.py -a afl-slave -o $OUTPUT -n qsym -- $QSYM_CMDLINE
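The three commands above, wrapped in a pre-flight check, as an added example (this is not a QSYM script and not part of the project). It checks the things the README asks for before anything is launched: ptrace must be usable by PIN, the AFL target must carry AFL instrumentation, and the QSYM target must not. The instrumentation test relies on the "__AFL_SHM_ID" marker that every afl-gcc/afl-clang-fast-built binary references at runtime (afl-fuzz itself looks for it); the AFL_NO_UI variable, the log file names and running from the QSYM checkout so that bin/run_qsym_afl.py resolves are this example's own choices.

```shell
#!/bin/sh
# Added pre-flight wrapper for the hybrid-fuzzing procedure above. It is not
# part of QSYM; it only checks what the README asks for before launching the
# three processes: ptrace must be usable by PIN, the AFL target must carry
# AFL instrumentation, and the QSYM target must not. The marker used is
# "__AFL_SHM_ID", the environment-variable name that every binary built with
# afl-gcc/afl-clang-fast references at runtime (afl-fuzz itself looks for it
# to decide whether a target is instrumented).

# 0 if FILE references the AFL shared-memory variable, 1 otherwise.
afl_instrumented() {
    grep -q '__AFL_SHM_ID' "$1" 2>/dev/null
}

# 0 when Yama allows PIN to attach (ptrace_scope == 0, or no Yama at all).
ptrace_scope_ok() {
    f=/proc/sys/kernel/yama/ptrace_scope
    [ ! -e "$f" ] || [ "$(cat "$f")" = "0" ]
}

# Check the two target binaries; print one line per problem and return the
# number of problems, so 0 means "ready".
check_targets() {
    afl_bin=$1; qsym_bin=$2; problems=0
    if ! afl_instrumented "$afl_bin"; then
        echo "AFL target $afl_bin has no AFL instrumentation (build it with afl-gcc/afl-clang-fast)"
        problems=$((problems + 1))
    fi
    if afl_instrumented "$qsym_bin"; then
        echo "QSYM target $qsym_bin is AFL-instrumented; QSYM expects a plain, non-instrumented build"
        problems=$((problems + 1))
    fi
    return $problems
}

# Run the checks, then start master, slave and QSYM exactly as the README
# does. Expects the README's variables: AFL_ROOT, INPUT, OUTPUT, AFL_CMDLINE,
# QSYM_CMDLINE. Run it from the QSYM checkout so bin/run_qsym_afl.py resolves.
run_hybrid() {
    for v in AFL_ROOT INPUT OUTPUT AFL_CMDLINE QSYM_CMDLINE; do
        eval "val=\${$v:-}"
        [ -n "$val" ] || { echo "$v is not set"; return 1; }
    done
    ptrace_scope_ok || { echo "run: echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope (PIN needs it)"; return 1; }
    set -- $AFL_CMDLINE;  afl_bin=$1
    set -- $QSYM_CMDLINE; qsym_bin=$1
    check_targets "$afl_bin" "$qsym_bin" || return 1
    mkdir -p "$OUTPUT"
    # AFL_NO_UI keeps afl-fuzz's status screen out of the log files.
    AFL_NO_UI=1 "$AFL_ROOT/afl-fuzz" -M afl-master -i "$INPUT" -o "$OUTPUT" -- $AFL_CMDLINE >"$OUTPUT/afl-master.log" 2>&1 &
    AFL_NO_UI=1 "$AFL_ROOT/afl-fuzz" -S afl-slave  -i "$INPUT" -o "$OUTPUT" -- $AFL_CMDLINE >"$OUTPUT/afl-slave.log" 2>&1 &
    # run_qsym_afl.py polls $OUTPUT/afl-slave/queue itself ("Sleep for getting
    # files" in its log), so it can start right away; it stays in the foreground.
    bin/run_qsym_afl.py -a afl-slave -o "$OUTPUT" -n qsym -- $QSYM_CMDLINE
}
```

Source the file and call run_hybrid with the five variables exported; check_targets can also be run on its own against two binaries to confirm which one is the instrumented build before spending a fuzzing run on the wrong pairing.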

Run for testing

$ cd tests
$ python build.py
$ python -m pytest -n $(nproc)

Troubleshooting

If you cannot get QSYM to work and the pin.log file contains the error undefined symbol: Z3_is_seq_sort, make sure that you compile and build the target while inside the virtualenv (venv) environment. If you build the target outside that environment, QSYM cannot work with the resulting binary and reports that error in pin.log. Building the target from inside venv and then running QSYM on it will save you a lot of time, and QSYM will work like a charm!

Authors

Publications

QSYM: A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing

@inproceedings{yun:qsym,
  title        = {{QSYM: A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing}},
  author       = {Insu Yun and Sangho Lee and Meng Xu and Yeongjin Jang and Taesoo Kim},
  booktitle    = {Proceedings of the 27th USENIX Security Symposium (Security)},
  month        = aug,
  year         = 2018,
  address      = {Baltimore, MD},
}
Comments
  • `DEBUG:qsym.afl:Total=0 s, Emulation=0 s, Solver=0 s, Return=255` the return value of output is invalid.

    `DEBUG:qsym.afl:Total=0 s, Emulation=0 s, Solver=0 s, Return=255` the return value of output is invalid.

    Tested in docker. The output is below. Does qsym seem not to work? The return value is 255 and -9. What should I do to solve the error? Thanks!

    DEBUG:qsym.afl:Run qsym: input=output/afl-slave/queue/id:000214,src:000096+000063,op:splice,rep:32,+cov
    DEBUG:qsym.Executor:Executing timeout -k 5 90 /usr/local/lib/python2.7/dist-packages/qsym/../../../../third_party/pin-2.14-71313-gcc.4.4.7-linux/pin.sh -ifeellucky -t /usr/local/lib/python2.7/dist-packages/qsym/pintool/obj-intel64/libqsym.so -logfile /tmp/tmpDVwaLZ/qsym-out-214/pin.log -i /workdir/K-Scheduler/qsym_integration/test_programs/libarchive/qsym_vanilla/output/qsym/.cur_input -f 1 -o /tmp/tmpDVwaLZ/qsym-out-214 -l 1 -b output/qsym/bitmap -- ./bsdtar_vanilla -tf /workdir/K-Scheduler/qsym_integration/test_programs/libarchive/qsym_vanilla/output/qsym/.cur_input
    DEBUG:qsym.afl:Total=0 s, Emulation=0 s, Solver=0 s, Return=255
    DEBUG:qsym.afl:Generate 0 testcases
    DEBUG:qsym.afl:0 testcases are new
    DEBUG:qsym.afl:Run qsym: input=output/afl-slave/queue/id:000215,src:000096+000183,op:splice,rep:4
    DEBUG:qsym.Executor:Executing timeout -k 5 90 /usr/local/lib/python2.7/dist-packages/qsym/../../../../third_party/pin-2.14-71313-gcc.4.4.7-linux/pin.sh -ifeellucky -t /usr/local/lib/python2.7/dist-packages/qsym/pintool/obj-intel64/libqsym.so -logfile /tmp/tmpDVwaLZ/qsym-out-215/pin.log -i /workdir/K-Scheduler/qsym_integration/test_programs/libarchive/qsym_vanilla/output/qsym/.cur_input -f 1 -o /tmp/tmpDVwaLZ/qsym-out-215 -l 1 -b output/qsym/bitmap -- ./bsdtar_vanilla -tf /workdir/K-Scheduler/qsym_integration/test_programs/libarchive/qsym_vanilla/output/qsym/.cur_input
    DEBUG:qsym.afl:Total=0 s, Emulation=0 s, Solver=0 s, Return=255
    DEBUG:qsym.afl:Generate 0 testcases
    DEBUG:qsym.afl:0 testcases are new
    DEBUG:qsym.afl:Sleep for getting files
    
    
    opened by Ricardo-609 19
  • QSYM-AFL queue directory structure

    QSYM-AFL queue directory structure

    Hello,

    I've been testing QSYM + 1xAFL (slave) and noticed that the QSYM-generated inputs are being written to $OUTDIR/qsym/queue (and not $OUTDIR/afl-slave/queue). Is this the intended output?

    Thanks, -Stefan

    opened by stevenagy 14
  • Interpreting QSYM output

    Interpreting QSYM output

    Hello,

    I've successfully got QSYM running with 1 AFL instance (slave). Can you please explain the meaning of the output information below?

    DEBUG:qsym.afl:Total=8 s, Emulation=8 s, Solver=0 s, Return=1
    DEBUG:qsym.afl:Generate 44 testcases
    DEBUG:qsym.afl:0 testcases are new
    

    Thanks, -Stefan

    opened by stevenagy 14
  • Can qsym run the instrumented program by afl-clang-fast?

    Can qsym run the instrumented program by afl-clang-fast?

    Hi, I notice the usage says to use the non-instrumented binary for qsym. I wonder if I can run it on the instrumented binary? If so, will it cause any problems? Thank you.

    opened by 92wyunchao 9
  • Setup questions

    Setup questions

    Hello, I am currently trying to get QSYM to work and am facing a few questions regarding the setup, with which you can maybe help me out:

    1. Do the inputs AFL_CMDLINE and QSYM_CMDLINE have to be paths to a binary (QEMU mode AFL) or just the source code of the target program I want to fuzz?
    2. I guess AFL_CMDLINE and QSYM_CMDLINE have to point to the same program for it to make any sense, right? So AFL_CMDLINE would point to an instrumented target (compiled with afl-cc) and QSYM_CMDLINE to the same program but compiled normally? (or completely uncompiled? does qsym compile it itself?)
    3. How exactly would I go about running it via Docker? When building a container via the provided Dockerfile, there is no AFL installed inside this container and I cannot access an AFL installation outside of the container from within. Would I have to add to the Dockerfile to also install AFL inside the container, so I can follow the instructions under "Run hybrid fuzzing with AFL" in your ReadMe?
    4. What exactly do the commands listed under your point "Run for testing" in your ReadMe do? Is that just to test if QSYM was installed correctly or is this actually another way of fuzzing a target without the hybrid method with AFL master+slave explained in the chapter above that in your ReadMe?

    I am trying to understand how everything works, so I apologize for all the questions, but I would be very glad if you could help me.

    Thanks a lot and best wishes!

    opened by Elothis 8
  • Question about enabling optimistic solving

    Question about enabling optimistic solving

    Thanks for releasing qsym. This project is really awesome.

    We recently tried to run qsym on LAVA but we do not know how to turn on/off the optimistic solving. When running qsym with the default options, we obtained results that are more like those without optimistic solving (Fig. 11 in the paper of USENIX Security).

    Our settings: Ubuntu 16.04, 64bit, Intel(R) Core(TM) i7-7700 CPU @ 3.60GHz, 16 GB memory, afl 2.52b, one master and one slave.

    opened by tianxiaogu 8
  • Question about #AFL_CMDLINE

    Question about #AFL_CMDLINE

    Hello,

    I noticed this line in the environment variables: # AFL_CMDLINE: command line for a testing program for AFL (ASAN + instrumented)

    Is using an ASAN explicitly required?

    Also, what instrumentation is required? I'm guessing by this you mean afl-cc, but I'm also wondering if AFL-Dyninst and AFL-QEMU are supported?

    Thanks, -Stefan

    opened by stevenagy 8
  • All test cases failed and simple cases also failed

    All test cases failed and simple cases also failed

    I strictly followed the instructions in the README and successfully installed qsym on Ubuntu (16.04.06/16.04.07); however, all test cases (python -m pytest -n 4) failed. The scenario is as follows. I also tested a simple case, and qsym always returns 255. I suspect that the current installation instructions and source code are not suitable and need an update.

    The installation steps:

    $ echo 0|sudo tee /proc/sys/kernel/yama/ptrace_scope
    
    # install z3 and system deps
    $ ./setup.sh
    
    # install using virtual env
    $ virtualenv venv
    $ source venv/bin/activate
    $ pip install .
    

    The partial output of unit test:

    test_avx2.py:25: AssertionError
    ------------------------------ Captured log call -------------------------------
    DEBUG    qsym.Executor:executor.py:109 Executing timeout -k 5 30 /home/sentosa/qsym/venv/lib/python2.7/site-packages/qsym/../../../../third_party/pin-2.14-71313-gcc.4.4.7-linux/pin.sh -ifeellucky -t /home/sentosa/qsym/venv/lib/python2.7/site-packages/qsym/pintool/obj-intel64/libqsym.so -logfile /tmp/qsym-0OVJz7/qsym-out-0/pin.log -i /home/sentosa/qsym/tests/avx2/vpmulld/input.bin -s 1 -o /tmp/qsym-0OVJz7/qsym-out-0 -- /home/sentosa/qsym/tests/avx2/vpmulld/main
    ____________ test_functions[/home/sentosa/qsym/tests/avx2/vpshufb] _____________
    [gw2] linux2 -- Python 2.7.12 /home/sentosa/qsym/venv/bin/python
    
    target = '/home/sentosa/qsym/tests/avx2/vpshufb'
    
        def test_functions(target):
            logging.getLogger('qsym.Executor').setLevel(logging.DEBUG)
            # if cpu does not support avx2, then return
            if not 'avx2' in open("/proc/cpuinfo").read():
                return
        
    >       assert run_single_test(target)
    E       AssertionError: assert False
    E        +  where False = run_single_test('/home/sentosa/qsym/tests/avx2/vpshufb')
    
    test_avx2.py:25: AssertionError
    ------------------------------ Captured log call -------------------------------
    DEBUG    qsym.Executor:executor.py:109 Executing timeout -k 5 30 /home/sentosa/qsym/venv/lib/python2.7/site-packages/qsym/../../../../third_party/pin-2.14-71313-gcc.4.4.7-linux/pin.sh -ifeellucky -t /home/sentosa/qsym/venv/lib/python2.7/site-packages/qsym/pintool/obj-intel64/libqsym.so -logfile /tmp/qsym-smZde8/qsym-out-0/pin.log -i /home/sentosa/qsym/tests/avx2/vpshufb/input.bin -s 1 -o /tmp/qsym-smZde8/qsym-out-0 -- /home/sentosa/qsym/tests/avx2/vpshufb/main
    ______________ test_functions[/home/sentosa/qsym/tests/avx2/vpor] ______________
    [gw1] linux2 -- Python 2.7.12 /home/sentosa/qsym/venv/bin/python
    
    target = '/home/sentosa/qsym/tests/avx2/vpor'
    
        def test_functions(target):
            logging.getLogger('qsym.Executor').setLevel(logging.DEBUG)
            # if cpu does not support avx2, then return
            if not 'avx2' in open("/proc/cpuinfo").read():
                return
        
    >       assert run_single_test(target)
    E       AssertionError: assert False
    E        +  where False = run_single_test('/home/sentosa/qsym/tests/avx2/vpor')
    
    test_avx2.py:25: AssertionError
    ------------------------------ Captured log call -------------------------------
    DEBUG    qsym.Executor:executor.py:109 Executing timeout -k 5 30 /home/sentosa/qsym/venv/lib/python2.7/site-packages/qsym/../../../../third_party/pin-2.14-71313-gcc.4.4.7-linux/pin.sh -ifeellucky -t /home/sentosa/qsym/venv/lib/python2.7/site-packages/qsym/pintool/obj-intel64/libqsym.so -logfile /tmp/qsym-e_55p7/qsym-out-0/pin.log -i /home/sentosa/qsym/tests/avx2/vpor/input.bin -s 1 -o /tmp/qsym-e_55p7/qsym-out-0 -- /home/sentosa/qsym/tests/avx2/vpor/main
    ____________ test_functions[/home/sentosa/qsym/tests/avx2/vpshufhw] ____________
    [gw3] linux2 -- Python 2.7.12 /home/sentosa/qsym/venv/bin/python
    
    target = '/home/sentosa/qsym/tests/avx2/vpshufhw'
    
        def test_functions(target):
            logging.getLogger('qsym.Executor').setLevel(logging.DEBUG)
            # if cpu does not support avx2, then return
            if not 'avx2' in open("/proc/cpuinfo").read():
                return
        
    >       assert run_single_test(target)
    E       AssertionError: assert False
    E        +  where False = run_single_test('/home/sentosa/qsym/tests/avx2/vpshufhw')
    
    test_avx2.py:25: AssertionError
    ------------------------------ Captured log call -------------------------------
    DEBUG    qsym.Executor:executor.py:109 Executing timeout -k 5 30 /home/sentosa/qsym/venv/lib/python2.7/site-packages/qsym/../../../../third_party/pin-2.14-71313-gcc.4.4.7-linux/pin.sh -ifeellucky -t /home/sentosa/qsym/venv/lib/python2.7/site-packages/qsym/pintool/obj-intel64/libqsym.so -logfile /tmp/qsym-MH8HJ2/qsym-out-0/pin.log -i /home/sentosa/qsym/tests/avx2/vpshufhw/input.bin -s 1 -o /tmp/qsym-MH8HJ2/qsym-out-0 -- /home/sentosa/qsym/tests/avx2/vpshufhw/main
    ____________ test_functions[/home/sentosa/qsym/tests/avx2/vpshuflw] ____________
    [gw0] linux2 -- Python 2.7.12 /home/sentosa/qsym/venv/bin/python
    
    target = '/home/sentosa/qsym/tests/avx2/vpshuflw'
    
        def test_functions(target):
            logging.getLogger('qsym.Executor').setLevel(logging.DEBUG)
            # if cpu does not support avx2, then return
            if not 'avx2' in open("/proc/cpuinfo").read():
                return
        
    >       assert run_single_test(target)
    E       AssertionError: assert False
    E        +  where False = run_single_test('/home/sentosa/qsym/tests/avx2/vpshuflw')
    
    test_avx2.py:25: AssertionError
    ------------------------------ Captured log call -------------------------------
    DEBUG    qsym.Executor:executor.py:109 Executing timeout -k 5 30 /home/sentosa/qsym/venv/lib/python2.7/site-packages/qsym/../../../../third_party/pin-2.14-71313-gcc.4.4.7-linux/pin.sh -ifeellucky -t /home/sentosa/qsym/venv/lib/python2.7/site-packages/qsym/pintool/obj-intel64/libqsym.so -logfile /tmp/qsym-hdhP_U/qsym-out-0/pin.log -i /home/sentosa/qsym/tests/avx2/vpshuflw/input.bin -s 1 -o /tmp/qsym-hdhP_U/qsym-out-0 -- /home/sentosa/qsym/tests/avx2/vpshuflw/main
    _____________ test_functions[/home/sentosa/qsym/tests/avx2/vpxor] ______________
    [gw2] linux2 -- Python 2.7.12 /home/sentosa/qsym/venv/bin/python
    
    target = '/home/sentosa/qsym/tests/avx2/vpxor'
    
        def test_functions(target):
            logging.getLogger('qsym.Executor').setLevel(logging.DEBUG)
            # if cpu does not support avx2, then return
            if not 'avx2' in open("/proc/cpuinfo").read():
                return
        
    >       assert run_single_test(target)
    E       AssertionError: assert False
    E        +  where False = run_single_test('/home/sentosa/qsym/tests/avx2/vpxor')
    
    test_avx2.py:25: AssertionError
    ------------------------------ Captured log call -------------------------------
    DEBUG    qsym.Executor:executor.py:109 Executing timeout -k 5 30 /home/sentosa/qsym/venv/lib/python2.7/site-packages/qsym/../../../../third_party/pin-2.14-71313-gcc.4.4.7-linux/pin.sh -ifeellucky -t /home/sentosa/qsym/venv/lib/python2.7/site-packages/qsym/pintool/obj-intel64/libqsym.so -logfile /tmp/qsym-cj4pU4/qsym-out-0/pin.log -i /home/sentosa/qsym/tests/avx2/vpxor/input.bin -s 1 -o /tmp/qsym-cj4pU4/qsym-out-0 -- /home/sentosa/qsym/tests/avx2/vpxor/main
    _____________ test_functions[/home/sentosa/qsym/tests/avx2/vpsrad] _____________
    [gw1] linux2 -- Python 2.7.12 /home/sentosa/qsym/venv/bin/python
    
    target = '/home/sentosa/qsym/tests/avx2/vpsrad'
    
        def test_functions(target):
            logging.getLogger('qsym.Executor').setLevel(logging.DEBUG)
            # if cpu does not support avx2, then return
            if not 'avx2' in open("/proc/cpuinfo").read():
                return
        
    >       assert run_single_test(target)
    E       AssertionError: assert False
    E        +  where False = run_single_test('/home/sentosa/qsym/tests/avx2/vpsrad')
    
    test_avx2.py:25: AssertionError
    ------------------------------ Captured log call -------------------------------
    DEBUG    qsym.Executor:executor.py:109 Executing timeout -k 5 30 /home/sentosa/qsym/venv/lib/python2.7/site-packages/qsym/../../../../third_party/pin-2.14-71313-gcc.4.4.7-linux/pin.sh -ifeellucky -t /home/sentosa/qsym/venv/lib/python2.7/site-packages/qsym/pintool/obj-intel64/libqsym.so -logfile /tmp/qsym-e37AII/qsym-out-0/pin.log -i /home/sentosa/qsym/tests/avx2/vpsrad/input.bin -s 1 -o /tmp/qsym-e37AII/qsym-out-0 -- /home/sentosa/qsym/tests/avx2/vpsrad/main
    ___________________ test_null_deref_DependencyForest_addNode ___________________
    [gw3] linux2 -- Python 2.7.12 /home/sentosa/qsym/venv/bin/python
    
        def test_null_deref_DependencyForest_addNode():
            target = os.path.join(TESTS_DIR, "regress/null-deref-DependencyForest-addNode")
            assert os.path.exists(target)
        
            output_dir = tempfile.mkdtemp(prefix="qsym-")
            try:
                exe = os.path.join(target, MAIN)
                assert os.path.exists(exe)
        
                q = qsym.Executor([exe], os.path.join(target, "input.bin"), output_dir,
                        argv=["-l", "1"])
                res = q.run(30) # 30 seconds for timeout
    >           assert res.returncode == 0
    E           assert 255 == 0
    E            +  where 255 = <qsym.executor.ExecutorResult object at 0x7fd690bc8cd0>.returncode
    
    test_regress.py:28: AssertionError
    ------------------------------ Captured log call -------------------------------
    DEBUG    qsym.Executor:executor.py:109 Executing timeout -k 5 30 /home/sentosa/qsym/venv/lib/python2.7/site-packages/qsym/../../../../third_party/pin-2.14-71313-gcc.4.4.7-linux/pin.sh -ifeellucky -t /home/sentosa/qsym/venv/lib/python2.7/site-packages/qsym/pintool/obj-intel64/libqsym.so -logfile /tmp/qsym-P4M41w/qsym-out-0/pin.log -i /home/sentosa/qsym/tests/regress/null-deref-DependencyForest-addNode/input.bin -s 1 -o /tmp/qsym-P4M41w/qsym-out-0 -l 1 -- /home/sentosa/qsym/tests/regress/null-deref-DependencyForest-addNode/main
    ___________________________________ test_dup ___________________________________
    [gw0] linux2 -- Python 2.7.12 /home/sentosa/qsym/venv/bin/python
    
        def test_dup():
            testcases = get_all_testcases("dup")
            # default + 0xdeadbeef
    >       assert len(testcases) == 2
    E       AssertionError: assert 1 == 2
    E        +  where 1 = len(['\x00\x00\x00\x00\n'])
    
    test_schedule.py:79: AssertionError
    ------------------------------ Captured log call -------------------------------
    DEBUG    qsym.Executor:executor.py:109 Executing /home/sentosa/qsym/venv/lib/python2.7/site-packages/qsym/../../../../third_party/pin-2.14-71313-gcc.4.4.7-linux/pin.sh -ifeellucky -t /home/sentosa/qsym/venv/lib/python2.7/site-packages/qsym/pintool/obj-intel64/libqsym.so -logfile /tmp/qsym-zEa2Sq/qsym-out-0/pin.log -i /tmp/qsym-inw2JS -s 1 -o /tmp/qsym-zEa2Sq/qsym-out-0 -b /tmp/qsym-gAvKEU -- /home/sentosa/qsym/tests/schedule/dup/main
    ____________ test_syscall[/home/sentosa/qsym/tests/syscall/mremap] _____________
    [gw2] linux2 -- Python 2.7.12 /home/sentosa/qsym/venv/bin/python
    
    target = '/home/sentosa/qsym/tests/syscall/mremap'
    
        def test_syscall(target):
            logging.getLogger('qsym.Executor').setLevel(logging.DEBUG)
    >       assert run_single_test(target)
    E       AssertionError: assert False
    E        +  where False = run_single_test('/home/sentosa/qsym/tests/syscall/mremap')
    
    test_syscall.py:21: AssertionError
    ------------------------------ Captured log call -------------------------------
    DEBUG    qsym.Executor:executor.py:109 Executing timeout -k 5 30 /home/sentosa/qsym/venv/lib/python2.7/site-packages/qsym/../../../../third_party/pin-2.14-71313-gcc.4.4.7-linux/pin.sh -ifeellucky -t /home/sentosa/qsym/venv/lib/python2.7/site-packages/qsym/pintool/obj-intel64/libqsym.so -logfile /tmp/qsym-bSH5pH/qsym-out-0/pin.log -i /home/sentosa/qsym/tests/syscall/mremap/input.bin -s 1 -o /tmp/qsym-bSH5pH/qsym-out-0 -- /home/sentosa/qsym/tests/syscall/mremap/main
    ========================= 250 failed in 34.64 seconds ==========================
    
    
    opened by xupeng1231 7
  • Crash when running LAVA-M binaries

    Crash when running LAVA-M binaries

    A: Source/pin/vm_ia32_l/jit_region_ia32_linux.cpp: XlateSysCall: 33: Sysenter is supported on IA32 only and the expected location is inside Linux Gate
    
    ################################################################################
    ## STACK TRACE
    ################################################################################
    addr2line -C -f -e "/home/ju/tmp/qsym/venv/lib/python2.7/site-packages/qsym/../../../../third_party/pin-2.14-71313-gcc.4.4.7-linux/ia32/bin/pinbin" 0x114128b 0x11420f6 0x11423e1 0x1384a63 0x1322b10 0x1323801 0x12642dd 0x126498f 0x126a190 0x1219cd6 0x121b2f0 0x121c280 0x12bd4ff 0x12a330f 0x12a3356 0x133584a 0xffcbc4a8
    LEVEL_BASE::MESSAGE_TYPE::DumpTrace()
    ??:?
    LEVEL_BASE::MESSAGE_TYPE::MessageInternal(std::string const&, bool, PIN_ERRTYPE, char*, int)
    ??:?
    LEVEL_BASE::MESSAGE_TYPE::MessageNoReturn(std::string const&, bool, PIN_ERRTYPE, int, ...)
    ??:?
    LEVEL_VM::REGION::XlateSysCall(LEVEL_CORE::INDEX<3>, LEVEL_CORE::INDEX<4>, LEVEL_CORE::INDEX<6>)
    ??:?
    LEVEL_VM::REGION::XlateControlFlow(LEVEL_CORE::INDEX<4>, LEVEL_CORE::INDEX<6>)
    ??:?
    LEVEL_VM::REGION::XlateBbl(LEVEL_CORE::INDEX<4>)
    ??:?
    LEVEL_VM::REGION::Xlate()
    ??:?
    LEVEL_VM::REGION::XlateAndInstrument()
    ??:?
    LEVEL_VM::REGION::MakeApplication(LEVEL_VM::SVT_FACTORY const&)
    ??:?
    LEVEL_VM::JIT::Initialize()
    ??:?
    LEVEL_VM::JIT::CompileInternal(LEVEL_CORE::ADDR<1>, LEVEL_VM::SCT_ATTRIBUTES const*, LEVEL_BASE::EXCEPTION_INFO*, unsigned int)
    ??:?
    LEVEL_VM::JIT::Compile(LEVEL_CORE::ADDR<1>, LEVEL_VM::SCT_ATTRIBUTES const*, LEVEL_BASE::EXCEPTION_INFO*)
    ??:?
    LEVEL_VM::IBRANCH_DISPATCHER::HandleIndirectXfer(LEVEL_VM::SCT_ATTRIBUTES const*, LEVEL_VM::PCTXT*, LEVEL_VM::XFER_INDIRECT_ARGS const*)
    ??:?
    LEVEL_VM::VM::Dispatch(LEVEL_VM::VMSVC_ARGS const*, LEVEL_VM::PCTXT*)
    ??:?
    VmDispatch
    ??:?
    VmEnter
    ??:?
    ??
    ??:0
    Detach Service Count: 14710
    Pin 2.14
    Copyright (c) 2003-2015, Intel Corporation. All rights reserved.
    @CHARM-VERSION: $Rev: 71293 $
    @CHARM-BUILDER: BUILDER
    @CHARM-COMPILER: gcc 4.4.7
    @CHARM-TARGET: ia32
    @CHARM-CFLAGS:  __OPTIMIZE__=1  __NO_INLINE__=__NO_INLINE__
    Aborted (core dumped)
    
    opened by chenju2k6 7
  • Trouble in using QSYM to find test inputs on some simple toy example

    Trouble in using QSYM to find test inputs on some simple toy example

    Hi, thank you for the great work and making it open source.

    I'm having a trouble while testing QSYM on some simple toy program.

    I wrote a simple toy program that reads an 8-byte input from a file and compares it to a magic value. Running it with the input "DCBAabcd" will raise a segfault as follows.

    jason@debian-8:~/example$ cat test.c 
    #include <unistd.h>
    #include <fcntl.h>
    #include <stdint.h>
    #include <string.h>
    
    int main(int argc, char** argv)
    {
      char buf[9];
      int fd;
    
      if (argc < 2)
        return 1;
      fd = open(argv[1], O_RDONLY);
      if (fd < 0)
        return 1;
    
      /* read up to 8 bytes; unread bytes stay zero and buf[8] is the terminator */
      memset(buf, 0, sizeof(buf));
      read(fd, buf, sizeof(buf) - 1);
      buf[8] = 0;
    
      /* first branch: 4-byte magic value, "DCBA" in file order (little-endian) */
      if (*(int32_t*) &buf[0] == 0x41424344) {
        /* second branch: deliberate NULL write so the reached path is visible as a crash */
        if(buf[4] == 'a') {
            *(int*) NULL = 0;
        }
      }
      return 0;
    }
    jason@debian-8:~/example$ gcc test.c  -o test.bin
    jason@debian-8:~/example$ echo "DCBAabcd" > file
    jason@debian-8:~/example$ ./test.bin file
    Segmentation fault
    

    When I tested QSYM on this program, it seemed to fail to find a test input that penetrates the branch condition. I followed the instructions in the README to run one AFL master, one AFL slave and one QSYM. I provided 8 bytes of "A" as the initial dummy seed for AFL. The standard output of QSYM looks as follows.

    ...
    (venv)jason@debian-8:~/example$ export QSYM_CMDLINE="/home/jason/example/test.bin /home/jason/example/file_qsym"
    (venv)jason@debian-8:~/example$ /home/jason/qsym/bin/run_qsym_afl.py -f /home/jason/example/file_qsym -a afl-slave -o $OUTPUT -n qsym -- $QSYM_CMDLINE
    DEBUG:qsym.afl:Temp directory=/tmp/tmpluyS8E
    DEBUG:qsym.afl:Run qsym: input=/home/jason/example/output/afl-slave/queue/id:000000,orig:empty
    DEBUG:qsym.Executor:Executing timeout -k 5 90 /home/jason/qsym/venv/lib/python2.7/site-packages/qsym/../../../../third_party/pin-2.14-71313-gcc.4.4.7-linux/pin.sh -ifeellucky -t /home/jason/qsym/venv/lib/python2.7/site-packages/qsym/pintool/obj-intel64/libqsym.so -logfile /tmp/tmpluyS8E/qsym-out-0/pin.log -i /home/jason/example/file_qsym -s 1 -o /tmp/tmpluyS8E/qsym-out-0 -l 1 -b /home/jason/example/output/qsym/bitmap -- /home/jason/example/test.bin /home/jason/example/file_qsym
    DEBUG:qsym.afl:Total=4 s, Emulation=4 s, Solver=0 s, Return=0
    DEBUG:qsym.afl:Generate 0 testcases
    DEBUG:qsym.afl:0 testcases are new
    DEBUG:qsym.afl:Sleep for getting files
    DEBUG:qsym.afl:Sleep for getting files
    ...
    

    The content of input file to QSYM was 4 bytes of 'A', and I think concolic execution should be able to find a new test input "DCBA" that can flip the first if branch.

    jason@debian-8:~/example$ xxd output/afl-master/queue/id\:000000\,orig\:empty 
    0000000: 4141 4141                                AAAA
    

    Could you take a look at this problem, or point out my mistakes if I'm making some?

    I am using the Debian 8.11 OS, but its kernel version is the same as Ubuntu 14.04, and the build succeeded without any error.

    Thank you.

    opened by jchoi2022 7
  • Incorrect parsing of SMT solving time

    Incorrect parsing of SMT solving time

    qsym always says that solving time is 0sec.

    DEBUG:qsym.afl:Total=90 s, Emulation=90 s, Solver=0 s, Return=124
    

    I found that qsym tries to find log lines starting with SMT: in pin.log, but the pintool saves SMT time logs with a prefix [STAT].

    https://github.com/sslab-gatech/qsym/blob/014cefb3357d4d2587a12d7853621c911a371bea/qsym/executor.py#L32

     [STAT] SMT: { "solving_time": 456074, "total_time": 256521223 }
     [STAT] SMT: { "solving_time": 456386 }
     [STAT] SMT: { "solving_time": 456386, "total_time": 256521872 }
     [STAT] SMT: { "solving_time": 456560 }
    

    and, one more really minor thing I want to point out is that I think this variable name MS_TO_S should be US_TO_S(microsecond). https://github.com/sslab-gatech/qsym/blob/014cefb3357d4d2587a12d7853621c911a371bea/qsym/executor.py#L13

    opened by tunz 7
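Two of the questions above concern the same numbers: what `Total=…, Emulation=…, Solver=…, Return=…` means ("Interpreting QSYM output"), and why Solver is always 0 when the pintool writes `[STAT] SMT: {...}` records that executor.py's `SMT:` prefix match never sees (this issue). The reader below is an added example, not QSYM's own code: it parses the `[STAT] SMT:` records in the format quoted in this issue, with or without the prefix, and decodes the Return value of the `timeout -k 5 90 … pin.sh` command that run_qsym_afl.py executes. Its assumptions are labelled in the code: the pintool's times are microseconds (the `MS_TO_S` remark above), `solving_time` is cumulative (it only grows across the quoted records), `Emulation` is the total time spent outside the solver, and the sample log is constructed from the quoted lines plus one malformed record.

```python
"""
Added example (not part of the QSYM code base): a reader for the statistics
that QSYM's pintool appends to pin.log, written against the record format
quoted in the issue above, plus a decoder for the Return= value printed by
run_qsym_afl.py. Assumptions are marked below.
"""
import json
import re

US_TO_S = 1000000.0  # assumption: the pintool reports timings in microseconds

# Match the record with or without the "[STAT] " prefix, so both the format
# the pintool actually writes and the bare "SMT:" form are accepted.
SMT_RE = re.compile(r'^\s*(?:\[STAT\]\s*)?SMT:\s*(\{.*\})\s*$')

# Constructed sample pin.log: the four records quoted in the issue, an
# unrelated line, and a cut-off record such as a killed process could leave.
SAMPLE_PIN_LOG = """\
Pin 2.14
[STAT] SMT: { "solving_time": 456074, "total_time": 256521223 }
[STAT] SMT: { "solving_time": 456386 }
[STAT] SMT: { "solving_time": 456386, "total_time": 256521872 }
[STAT] SMT: { "solving_time": 456560 }
[STAT] SMT: { "solving_time": 4565
"""


def parse_smt_stats(log_text):
    """Return every well-formed SMT stat record in pin.log, in file order."""
    stats = []
    for line in log_text.splitlines():
        m = SMT_RE.match(line)
        if not m:
            continue  # not a stat record (or cut off before the closing brace)
        try:
            stats.append(json.loads(m.group(1)))
        except ValueError:
            continue  # malformed JSON: skip the record rather than abort the parse
    return stats


def solver_time_s(log_text):
    """Seconds spent in Z3. Assumption: solving_time is cumulative, so the
    last record carries the run's total."""
    stats = parse_smt_stats(log_text)
    return stats[-1].get("solving_time", 0) / US_TO_S if stats else 0.0


def describe_return(rc):
    """Explain Return=: run_qsym_afl.py runs pin under `timeout -k 5 90`, and
    the executor reports the status the way Python's subprocess does."""
    if rc == 0:
        return "clean exit"
    if rc < 0:
        return "killed by signal %d" % -rc      # subprocess convention: -SIGNUM
    if rc == 124:
        return "timeout: pin was still running when the time limit expired"
    return "pin or target exited with status %d (see pin.log)" % rc


def summarize_run(log_text, rc, total_s):
    """Build the Total/Emulation/Solver/Return summary that qsym.afl logs.
    Assumption: Emulation is everything outside the solver, which is how the
    figures quoted in the issues above add up."""
    solver = solver_time_s(log_text)
    return {
        "total_s": total_s,
        "solver_s": solver,
        "emulation_s": max(total_s - solver, 0.0),
        "return": rc,
        "verdict": describe_return(rc),
    }


if __name__ == "__main__":
    print(summarize_run(SAMPLE_PIN_LOG, 124, 90.0))
```

With the quoted records, solver_time_s gives about 0.46 s rather than the 0 s the executor prints, which is the mismatch the issue describes; a Return of 124 paired with a Total equal to the 90 s limit, as in the log line above, is the `timeout` wrapper firing, not a solver result.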
  • Qsym package not found for python

    Qsym package not found for python

    Running the below command to install qsym gives an error:

    $ pip install qsym
    DEPRECATION: Python 2.7 reached the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 is no longer maintained. pip 21.0 will drop support for Python 2.7 in January 2021. More details about Python 2 support in pip can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support pip 21.0 will remove support for this functionality.
    Defaulting to user installation because normal site-packages is not writeable
    ERROR: Could not find a version that satisfies the requirement qsym (from versions: none)
    ERROR: No matching distribution found for qsym
    

    I tried to find qsym on pypi but I didn't find it. Perhaps the repository is no longer available since Python 2.7 is now deprecated?

    I ran into this problem when trying to run the example in the vagrant/ folder. The file vagrant/qsym/bin/run_qsym.py imports qsym and that's when I ran into this problem.

    $ ./qsym/bin/run_qsym.py 
    Traceback (most recent call last):
      File "./qsym/bin/run_qsym.py", line 4, in <module>
        from qsym import Executor, utils
    ImportError: No module named qsym
    
    opened by Zaxeli 1
  • get error with  tests/build.py

    get error with tests/build.py

    CPU: Intel(R) Pentium(R) CPU G2030 @ 3.00GHz

    The error is the following:

    INFO:qsym.tests.build:dir=/home/grz/Downloads/qsym-master/tests/assembly/movhpd
    INFO:qsym.tests.build:stderr=main.c: In function ‘main’:
    main.c:9:11: warning: SSE vector return without SSE enabled changes the ABI [-Wpsabi]
       __m128d a = _mm_setzero_pd();
               ^
    In file included from /usr/lib/gcc/i686-linux-gnu/5/include/xmmintrin.h:1249:0,
                     from main.c:4:
    /usr/lib/gcc/i686-linux-gnu/5/include/emmintrin.h:192:1: error: inlining failed in call to always_inline ‘_mm_storeh_pd’: target specific option mismatch
     _mm_storeh_pd (double *__P, __m128d __A)
     ^
    main.c:16:3: error: called from here
       _mm_storeh_pd(&c, a);
       ^
    In file included from /usr/lib/gcc/i686-linux-gnu/5/include/xmmintrin.h:1249:0,
                     from main.c:4:
    /usr/lib/gcc/i686-linux-gnu/5/include/emmintrin.h:103:1: error: inlining failed in call to always_inline ‘_mm_setzero_pd’: target specific option mismatch
     _mm_setzero_pd (void)
     ^
    main.c:9:15: error: called from here
       __m128d a = _mm_setzero_pd();
                   ^
    make: *** [main.o] Error 1

    INFO:qsym.tests.build:dir=/home/grz/Downloads/qsym-master/tests/assembly/movlpd
    INFO:qsym.tests.build:stderr=main.c: In function ‘main’:
    main.c:9:11: warning: SSE vector return without SSE enabled changes the ABI [-Wpsabi]
       __m128d a = _mm_setzero_pd();
               ^
    In file included from /usr/lib/gcc/i686-linux-gnu/5/include/xmmintrin.h:1249:0,
                     from main.c:4:
    /usr/lib/gcc/i686-linux-gnu/5/include/emmintrin.h:185:1: error: inlining failed in call to always_inline ‘_mm_storel_pd’: target specific option mismatch
     _mm_storel_pd (double *__P, __m128d __A)
     ^
    main.c:16:3: error: called from here
       _mm_storel_pd(&c, a);
       ^
    In file included from /usr/lib/gcc/i686-linux-gnu/5/include/xmmintrin.h:1249:0,
                     from main.c:4:
    /usr/lib/gcc/i686-linux-gnu/5/include/emmintrin.h:103:1: error: inlining failed in call to always_inline ‘_mm_setzero_pd’: target specific option mismatch
     _mm_setzero_pd (void)
     ^
    main.c:9:15: error: called from here
       __m128d a = _mm_setzero_pd();
                   ^
    make: *** [main.o] Error 1

    INFO:qsym.tests.build:dir=/home/grz/Downloads/qsym-master/tests/assembly/movlps
    INFO:qsym.tests.build:stderr=main.c: In function ‘main’:
    main.c:9:10: warning: SSE vector return without SSE enabled changes the ABI [-Wpsabi]
       __m128 a = _mm_setzero_ps();
              ^
    main.c:11:9: warning: MMX vector return without MMX enabled changes the ABI [-Wpsabi]
       __m64 c = _mm_setzero_si64();
             ^
    In file included from main.c:4:0:
    /usr/lib/gcc/i686-linux-gnu/5/include/xmmintrin.h:804:1: error: inlining failed in call to always_inline ‘_mm_storel_pi’: target specific option mismatch
     _mm_storel_pi (__m64 *__P, __m128 __A)
     ^
    main.c:16:3: error: called from here
       _mm_storel_pi(&c, a);
       ^
    In file included from /usr/lib/gcc/i686-linux-gnu/5/include/xmmintrin.h:31:0,
                     from main.c:4:
    /usr/lib/gcc/i686-linux-gnu/5/include/mmintrin.h:869:1: error: inlining failed in call to always_inline ‘_mm_setzero_si64’: target specific option mismatch
     _mm_setzero_si64 (void)
     ^
    main.c:11:13: error: called from here
       __m64 c = _mm_setzero_si64();
                 ^
    In file included from main.c:4:0:
    /usr/lib/gcc/i686-linux-gnu/5/include/xmmintrin.h:115:1: error: inlining failed in call to always_inline ‘_mm_setzero_ps’: target specific option mismatch
     _mm_setzero_ps (void)
     ^
    main.c:9:14: error: called from here
       __m128 a = _mm_setzero_ps();
                  ^
    make: *** [main.o] Error 1

    INFO:qsym.tests.build:dir=/home/grz/Downloads/qsym-master/tests/assembly/pmovmskb
    INFO:qsym.tests.build:stderr=main.c: In function ‘main’:
    main.c:8:11: warning: SSE vector return without SSE enabled changes the ABI [-Wpsabi]
       __m128i a = _mm_setzero_si128();
               ^
    In file included from /usr/lib/gcc/i686-linux-gnu/5/include/xmmintrin.h:1249:0,
                     from main.c:4:
    /usr/lib/gcc/i686-linux-gnu/5/include/emmintrin.h:1390:1: error: inlining failed in call to always_inline ‘_mm_movemask_epi8’: target specific option mismatch
     _mm_movemask_epi8 (__m128i __A)
     ^
    main.c:10:7: error: called from here
       int b = _mm_movemask_epi8(a);
           ^
    In file included from /usr/lib/gcc/i686-linux-gnu/5/include/xmmintrin.h:1249:0,
                     from main.c:4:
    /usr/lib/gcc/i686-linux-gnu/5/include/emmintrin.h:753:1: error: inlining failed in call to always_inline ‘_mm_setzero_si128’: target specific option mismatch
     _mm_setzero_si128 (void)
     ^
    main.c:8:15: error: called from here
       __m128i a = _mm_setzero_si128();
                   ^
    make: *** [main.o] Error 1

    INFO:qsym.tests.build:dir=/home/grz/Downloads/qsym-master/tests/assembly/pminub
    INFO:qsym.tests.build:stderr=main.c: In function ‘main’:
    main.c:8:11: warning: SSE vector return without SSE enabled changes the ABI [-Wpsabi]
       __m128i a = _mm_setzero_si128();
               ^
    In file included from /usr/lib/gcc/i686-linux-gnu/5/include/xmmintrin.h:1249:0,
                     from main.c:4:
    /usr/lib/gcc/i686-linux-gnu/5/include/emmintrin.h:1384:1: error: inlining failed in call to always_inline ‘_mm_min_epu8’: target specific option mismatch
     _mm_min_epu8 (__m128i __A, __m128i __B)
     ^
    main.c:13:15: error: called from here
       __m128i c = _mm_min_epu8(a, b);
                   ^
    In file included from /usr/lib/gcc/i686-linux-gnu/5/include/xmmintrin.h:1249:0,
                     from main.c:4:
    /usr/lib/gcc/i686-linux-gnu/5/include/emmintrin.h:753:1: error: inlining failed in call to always_inline ‘_mm_setzero_si128’: target specific option mismatch
     _mm_setzero_si128 (void)
     ^
    main.c:9:15: error: called from here
       __m128i b = _mm_setzero_si128();
                   ^
    In file included from /usr/lib/gcc/i686-linux-gnu/5/include/xmmintrin.h:1249:0,
                     from main.c:4:
    /usr/lib/gcc/i686-linux-gnu/5/include/emmintrin.h:753:1: error: inlining failed in call to always_inline ‘_mm_setzero_si128’: target specific option mismatch
     _mm_setzero_si128 (void)
     ^
    main.c:8:15: error: called from here
       __m128i a = _mm_setzero_si128();
                   ^
    make: *** [main.o] Error 1

    INFO:qsym.tests.build:dir=/home/grz/Downloads/qsym-master/tests/assembly/psub/psubb INFO:qsym.tests.build:stderr=In file included from main.c:1:0: main.c: In function ‘main’: ../psub.h:9:11: warning: SSE vector return without SSE enabled changes the ABI [-Wpsabi] __m128i a = _mm_setzero_si128();
    ^ main.c:3:1: note: in expansion of macro ‘TEST_PUSB’ TEST_PUSB(psubb) ^ In file included from /usr/lib/gcc/i686-linux-gnu/5/include/xmmintrin.h:1249:0, from ../psub.h:4, from main.c:1: /usr/lib/gcc/i686-linux-gnu/5/include/emmintrin.h:1059:1: error: inlining failed in call to always_inline ‘_mm_sub_epi8’: target specific option mismatch _mm_sub_epi8 (__m128i __A, __m128i __B) ^ In file included from main.c:1:0: ../psub.h:15:15: error: called from here __m128i c = _mm_sub_epi8(a, b);
    ^ main.c:3:1: note: in expansion of macro ‘TEST_PUSB’ TEST_PUSB(psubb) ^ In file included from /usr/lib/gcc/i686-linux-gnu/5/include/xmmintrin.h:1249:0, from ../psub.h:4, from main.c:1: /usr/lib/gcc/i686-linux-gnu/5/include/emmintrin.h:753:1: error: inlining failed in call to always_inline ‘_mm_setzero_si128’: target specific option mismatch _mm_setzero_si128 (void) ^ In file included from main.c:1:0: ../psub.h:10:15: error: called from here __m128i b = _mm_setzero_si128();
    ^ main.c:3:1: note: in expansion of macro ‘TEST_PUSB’ TEST_PUSB(psubb) ^ In file included from /usr/lib/gcc/i686-linux-gnu/5/include/xmmintrin.h:1249:0, from ../psub.h:4, from main.c:1: /usr/lib/gcc/i686-linux-gnu/5/include/emmintrin.h:753:1: error: inlining failed in call to always_inline ‘_mm_setzero_si128’: target specific option mismatch _mm_setzero_si128 (void) ^ In file included from main.c:1:0: ../psub.h:9:15: error: called from here __m128i a = _mm_setzero_si128();
    ^ main.c:3:1: note: in expansion of macro ‘TEST_PUSB’ TEST_PUSB(psubb) ^ make: *** [main.o] Error 1

    INFO:qsym.tests.build:dir=/home/grz/Downloads/qsym-master/tests/assembly/psub/psubw INFO:qsym.tests.build:stderr=In file included from main.c:1:0: main.c: In function ‘main’: ../psub.h:9:11: warning: SSE vector return without SSE enabled changes the ABI [-Wpsabi] __m128i a = _mm_setzero_si128();
    ^ main.c:3:1: note: in expansion of macro ‘TEST_PUSB’ TEST_PUSB(psubw) ^ In file included from /usr/lib/gcc/i686-linux-gnu/5/include/xmmintrin.h:1249:0, from ../psub.h:4, from main.c:1: /usr/lib/gcc/i686-linux-gnu/5/include/emmintrin.h:1059:1: error: inlining failed in call to always_inline ‘_mm_sub_epi8’: target specific option mismatch _mm_sub_epi8 (__m128i __A, __m128i __B) ^ In file included from main.c:1:0: ../psub.h:15:15: error: called from here __m128i c = _mm_sub_epi8(a, b);
    ^ main.c:3:1: note: in expansion of macro ‘TEST_PUSB’ TEST_PUSB(psubw) ^ In file included from /usr/lib/gcc/i686-linux-gnu/5/include/xmmintrin.h:1249:0, from ../psub.h:4, from main.c:1: /usr/lib/gcc/i686-linux-gnu/5/include/emmintrin.h:753:1: error: inlining failed in call to always_inline ‘_mm_setzero_si128’: target specific option mismatch _mm_setzero_si128 (void) ^ In file included from main.c:1:0: ../psub.h:10:15: error: called from here __m128i b = _mm_setzero_si128();
    ^ main.c:3:1: note: in expansion of macro ‘TEST_PUSB’ TEST_PUSB(psubw) ^ In file included from /usr/lib/gcc/i686-linux-gnu/5/include/xmmintrin.h:1249:0, from ../psub.h:4, from main.c:1: /usr/lib/gcc/i686-linux-gnu/5/include/emmintrin.h:753:1: error: inlining failed in call to always_inline ‘_mm_setzero_si128’: ...

    It seems that '_mm_sub_epi8' '_mm_setzero_si128' '_mm_min_epu8' '_mm_setzero_ps' '_mm_setzero_pd' '_mm_setzero_pi' aren't supported.

    opened by uucool 1
  • Floating point support

    Hi, I'm working on a project about floating-point exceptions, so I wonder if Qsym can work on this job. I noticed that it is a limitation addressed in the qsym paper, but I still want to know if it is still in progress. Thanks!

    enhancement 
    opened by Han0nly 1
  • Vagrant Cloud Box & local Vagrantfile failed to run

    I got the same error as in #57 when running the vagrant box pulled from https://app.vagrantup.com/jakkdu/boxes/qsym.

    zhangys@xx:/mnt/zhangys/vagrant-qsym$ vagrant up
    Bringing machine 'default' up with 'virtualbox' provider...
    ==> default: Box 'jakkdu/qsym' could not be found. Attempting to find and install...
        default: Box Provider: virtualbox
        default: Box Version: >= 0
    ==> default: Loading metadata for box 'jakkdu/qsym'
        default: URL: https://vagrantcloud.com/jakkdu/qsym
    ==> default: Adding box 'jakkdu/qsym' (v20191212) for provider: virtualbox
        default: Downloading: https://vagrantcloud.com/jakkdu/boxes/qsym/versions/20191212/providers/virtualbox.box
    ==> default: Successfully added box 'jakkdu/qsym' (v20191212) for 'virtualbox'!
    ==> default: Importing base box 'jakkdu/qsym'...
    ==> default: Matching MAC address for NAT networking...
    ==> default: Checking if box 'jakkdu/qsym' is up to date...
    ==> default: Setting the name of the VM: vagrant-qsym_default_1578118897156_8489
    ==> default: Clearing any previously set network interfaces...
    ==> default: Preparing network interfaces based on configuration...
        default: Adapter 1: nat
    ==> default: Forwarding ports...
        default: 22 (guest) => 2222 (host) (adapter 1)
    ==> default: Booting VM...
    #<Thread:0x00005607f68d2990@/usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/batch_action.rb:71 run> terminated with exception (report_on_exception is true):
    
    

    Exception details:

    #<Thread:0x00005607f68d2990@/usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/batch_action.rb:71 run> terminated with exception (report_on_exception is true):
    Traceback (most recent call last):
    /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/plugins/providers/virtualbox/driver/version_5_0.rb:714:in `block in start': There was an error while executing `VBoxManage`, a CLI used by Vagrant (Vagrant::Errors::VBoxManageError)
    for controlling VirtualBox. The command and stderr is shown below.
    
    Command: ["startvm", "2557df91-ac03-44dc-9d4e-227949dfbdd9", "--type", "headless"]
    
    Stderr: VBoxManage: error: RawFile#0 failed to create the raw output file /home/insu/projects/qsym/vagrant/ubuntu-xenial-16.04-cloudimg-console.log (VERR_FILE_NOT_FOUND)
    VBoxManage: error: Details: code NS_ERROR_FAILURE (0x80004005), component ConsoleWrap, interface IConsole
    There was an error while executing `VBoxManage`, a CLI used by Vagrant
    for controlling VirtualBox. The command and stderr is shown below.
    
    Command: ["startvm", "2557df91-ac03-44dc-9d4e-227949dfbdd9", "--type", "headless"]
    
    Stderr: VBoxManage: error: RawFile#0 failed to create the raw output file /home/insu/projects/qsym/vagrant/ubuntu-xenial-16.04-cloudimg-console.log (VERR_FILE_NOT_FOUND)
    VBoxManage: error: Details: code NS_ERROR_FAILURE (0x80004005), component ConsoleWrap, interface IConsole
    
    

    However, this time it shows in verbose:

    /version_5_0.rb:714:in `block in start': There was an error while executing `VBoxManage`, a CLI used by Vagrant (Vagrant::Errors::VBoxManageError)
    for controlling VirtualBox. The command and stderr is shown below.
    
    Command: ["startvm", "2557df91-ac03-44dc-9d4e-227949dfbdd9", "--type", "headless"]
    
    Stderr: VBoxManage: error: RawFile#0 failed to create the raw output file /home/insu/projects/qsym/vagrant/ubuntu-xenial-16.04-cloudimg-console.log (VERR_FILE_NOT_FOUND)
    VBoxManage: error: Details: code NS_ERROR_FAILURE (0x80004005), component ConsoleWrap, interface IConsole
    There was an error while executing `VBoxManage`, a CLI used by Vagrant
    for controlling VirtualBox. The command and stderr is shown below.
    
    Command: ["startvm", "2557df91-ac03-44dc-9d4e-227949dfbdd9", "--type", "headless"]
    
    Stderr: VBoxManage: error: RawFile#0 failed to create the raw output file /home/insu/projects/qsym/vagrant/ubuntu-xenial-16.04-cloudimg-console.log (VERR_FILE_NOT_FOUND)
    VBoxManage: error: Details: code NS_ERROR_FAILURE (0x80004005), component ConsoleWrap, interface IConsole
    

    It seems some information is missing in the box.

    bug 
    opened by zhangysh1995 4
  • Function wrappers for multi-byte comparison

    QSYM can solve multi-byte comparisons such as strcmp or memcmp gradually. But unfortunately, these functions are usually not instrumented by AFL. Even though they are instrumented, AFL will consider intermediate results as uninteresting due to its loop bucketization.

    This is not a big issue in fuzzing binary-formatted binaries that are main targets for AFL and QSYM. But we can still partially solve these cases by wrapping functions like angr did. For example, we can make a strcmp wrapper and try to generate a testcase that passes strcmp in one shot instead of intermediate results.

    enhancement 
    opened by insuyun 2
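    The bucketization problem described in this issue, as an added example in Python (not QSYM's or AFL's code): a small model of the AFL/concolic loop that shows per-byte strcmp progress stalling once AFL's hit-count buckets stop distinguishing the intermediate inputs, while a one-shot strcmp wrapper solves the comparison in a single round. It assumes AFL's 1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+ hit-count buckets and that the concolic side only receives seeds AFL kept as interesting; the target string and seed are constructed.

```python
# Added example (not QSYM's or AFL's code): why the byte-at-a-time progress
# concolic execution makes through strcmp is invisible to AFL, and what a
# one-shot strcmp wrapper changes.
# Assumptions: loop-hit buckets follow AFL's count_class_lookup8 table
# (1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+); in the hybrid loop the concolic
# side only gets inputs that AFL kept as "interesting".

TARGET = b"SECRET42"       # constructed: the constant strcmp compares against
SEED = b"x" * len(TARGET)  # constructed: initial fuzzing seed (no byte matches)


def afl_bucket(hits):
    """Collapse a hit count into AFL's coarse buckets (lower bound returned)."""
    for lower in (128, 32, 16, 8, 4, 3, 2, 1):
        if hits >= lower:
            return lower
    return 0


def matching_prefix(data, target):
    """Number of leading bytes of `data` that equal `target`."""
    n = 0
    while n < len(target) and n < len(data) and data[n] == target[n]:
        n += 1
    return n


def afl_coverage(data, target):
    """What AFL observes for one run of `strcmp(data, target) == 0`:
    the bucketed hit count of the comparison-loop edge, plus whether the
    post-strcmp success block was reached."""
    m = matching_prefix(data, target)
    # The loop runs once per matching byte, plus once for the byte that
    # ends the comparison (the first mismatch or the terminator).
    iterations = m + 1
    matched = (m == len(target) and len(data) == len(target))
    return (afl_bucket(iterations), matched)


def concolic_strcmp_bytewise(data, target):
    """One concolic run without a wrapper: the loop exits at the first
    mismatch, so the only negatable branch constraint is
    `data[i] == target[i]` for that byte.  Solving it fixes one more byte."""
    i = matching_prefix(data, target)
    if i >= len(target):
        return None  # already passes; nothing left to negate
    return data[:i] + target[i:i + 1] + data[i + 1:]


def concolic_strcmp_wrapped(data, target):
    """With a strcmp wrapper the whole string equality is emitted as one
    constraint, so a single solve yields the passing input."""
    return bytes(target) if matching_prefix(data, target) < len(target) else None


def hybrid_loop(seed, target, strategy, max_rounds=64):
    """Simulate the AFL<->concolic loop.  Returns (solved, rounds, kept).
    A generated test case is fed back to the concolic side only if AFL
    saw new coverage for it."""
    seen = {afl_coverage(seed, target)}
    cur, kept = seed, 0
    for rounds in range(1, max_rounds + 1):
        nxt = strategy(cur, target)
        if nxt is None:
            return True, rounds - 1, kept
        cov = afl_coverage(nxt, target)
        if cov in seen:
            # AFL discards it: same bucket, no new edge.  The concolic side
            # never receives this input, so progress stalls here.
            return False, rounds, kept
        seen.add(cov)
        kept += 1
        cur = nxt
    return False, max_rounds, kept


if __name__ == "__main__":
    # byte-wise: (False, 4, 3) -- stalls after 3 bytes, 4th lands in the 4-7 bucket
    print("byte-wise:", hybrid_loop(SEED, TARGET, concolic_strcmp_bytewise))
    # wrapped: (True, 1, 1) -- one test case, strcmp passed
    print("wrapped:  ", hybrid_loop(SEED, TARGET, concolic_strcmp_wrapped))
```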
Owner
gts3.org (SSLab@Gatech)
https://gts3.org