QSYM: A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing

Last update: Dec 30, 2022

Overview

QSYM: A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing

Environment

Tested on Ubuntu 14.04 64bit and 16.04 64bit

Installation

# disable ptrace_scope for PIN
$ echo 0|sudo tee /proc/sys/kernel/yama/ptrace_scope

# install z3 and system deps
$ ./setup.sh

# install using virtual env
$ virtualenv venv
$ source venv/bin/activate
$ pip install .

Installation using Docker

# disable ptrace_scope for PIN
$ echo 0|sudo tee /proc/sys/kernel/yama/ptrace_scope

# build docker image
$ docker build -t qsym ./

# run docker image
$ docker run --cap-add=SYS_PTRACE -it qsym /bin/bash

Installation using vagrant

Since QSYM is dependent on underlying kernel because of its old PIN, we decided to provide a convenient way to install QSYM with VM. Please take a look our vagrant directory.

Run hybrid fuzzing with AFL

# require to set the following environment variables
#   AFL_ROOT: afl directory (http://lcamtuf.coredump.cx/afl/)
#   INPUT: input seed files
#   OUTPUT: output directory
#   AFL_CMDLINE: command line for a testing program for AFL (ASAN + instrumented)
#   QSYM_CMDLINE: command line for a testing program for QSYM (Non-instrumented)

# run AFL master
$ $AFL_ROOT/afl-fuzz -M afl-master -i $INPUT -o $OUTPUT -- $AFL_CMDLINE
# run AFL slave
$ $AFL_ROOT/afl-fuzz -S afl-slave -i $INPUT -o $OUTPUT -- $AFL_CMDLINE
# run QSYM
$ bin/run_qsym_afl.py -a afl-slave -o $OUTPUT -n qsym -- $QSYM_CMDLINE

Run for testing

$ cd tests
$ python build.py
$ python -m pytest -n $(nproc)

Troubleshooting

If you find that you can't get QSYM to work and you get the undefined symbol: Z3_is_seq_sort error in pin.log file, please make sure that you compile and make the target when you're in the virtualenv (env) environment. When you're out of this environment and you compile the target, QSYM can't work with the target binary and issues the mentioned error in pin.log file. This will save your time a lot to compile and make the target from env and then run QSYM on the target, then QSYM will work like a charm!

Authors

Insu Yun [email protected]
Sangho Lee [email protected]
Meng Xu [email protected]
Yeongjin Jang [email protected]
Taesoo Kim [email protected]

Publications

QSYM: A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing

@inproceedings{yun:qsym,
  title        = {{QSYM: A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing}},
  author       = {Insu Yun and Sangho Lee and Meng Xu and Yeongjin Jang and Taesoo Kim},
  booktitle    = {Proceedings of the 27th USENIX Security Symposium (Security)},
  month        = aug,
  year         = 2018,
  address      = {Baltimore, MD},
}

Comments

`DEBUG:qsym.afl:Total=0 s, Emulation=0 s, Solver=0 s, Return=255`the return value of output is invalid.

Tested in docker . The output is below. Is the qsym seem not work ? the return value is 255 and -9. What should I do to solve the error? Thanks!

DEBUG:qsym.afl:Run qsym: input=output/afl-slave/queue/id:000214,src:000096+000063,op:splice,rep:32,+cov
DEBUG:qsym.Executor:Executing timeout -k 5 90 /usr/local/lib/python2.7/dist-packages/qsym/../../../../third_party/pin-2.14-71313-gcc.4.4.7-linux/pin.sh -ifeellucky -t /usr/local/lib/python2.7/dist-packages/qsym/pintool/obj-intel64/libqsym.so -logfile /tmp/tmpDVwaLZ/qsym-out-214/pin.log -i /workdir/K-Scheduler/qsym_integration/test_programs/libarchive/qsym_vanilla/output/qsym/.cur_input -f 1 -o /tmp/tmpDVwaLZ/qsym-out-214 -l 1 -b output/qsym/bitmap -- ./bsdtar_vanilla -tf /workdir/K-Scheduler/qsym_integration/test_programs/libarchive/qsym_vanilla/output/qsym/.cur_input
DEBUG:qsym.afl:Total=0 s, Emulation=0 s, Solver=0 s, Return=255
DEBUG:qsym.afl:Generate 0 testcases
DEBUG:qsym.afl:0 testcases are new
DEBUG:qsym.afl:Run qsym: input=output/afl-slave/queue/id:000215,src:000096+000183,op:splice,rep:4
DEBUG:qsym.Executor:Executing timeout -k 5 90 /usr/local/lib/python2.7/dist-packages/qsym/../../../../third_party/pin-2.14-71313-gcc.4.4.7-linux/pin.sh -ifeellucky -t /usr/local/lib/python2.7/dist-packages/qsym/pintool/obj-intel64/libqsym.so -logfile /tmp/tmpDVwaLZ/qsym-out-215/pin.log -i /workdir/K-Scheduler/qsym_integration/test_programs/libarchive/qsym_vanilla/output/qsym/.cur_input -f 1 -o /tmp/tmpDVwaLZ/qsym-out-215 -l 1 -b output/qsym/bitmap -- ./bsdtar_vanilla -tf /workdir/K-Scheduler/qsym_integration/test_programs/libarchive/qsym_vanilla/output/qsym/.cur_input
DEBUG:qsym.afl:Total=0 s, Emulation=0 s, Solver=0 s, Return=255
DEBUG:qsym.afl:Generate 0 testcases
DEBUG:qsym.afl:0 testcases are new
DEBUG:qsym.afl:Sleep for getting files

opened by Ricardo-609 19

QSYM-AFL queue directory structure

Hello,

I've been testing QSYM + 1xAFL (slave) and noticed that the QSYM-generated inputs are being written to $OUTDIR/qsym/queue (and not our_dir/afl-slave/queue). Is this the intended output?

Thanks, -Stefan

opened by stevenagy 14
Interpreting QSYM output
Hello,

I've successfully got QSYM running with 1 AFL instance (slave). Can you please explain the meaning of the output information below?

DEBUG:qsym.afl:Total=8 s, Emulation=8 s, Solver=0 s, Return=1 DEBUG:qsym.afl:Generate 44 testcases DEBUG:qsym.afl:0 testcases are new

Thanks, -Stefan
opened by stevenagy 14
Can qsym run the instrumented program by afl-clang-fast？

Hi, I notice the usage tells to use the non-instrumented binary for qsym. I wonder if I can run it on the instrumented binary? if so, will it cause any problems? Thank you.

opened by 92wyunchao 9
Setup questions
Hello, I am currently trying to get QSYM to work and am facing a few questions regarding the setup, with which you can maybe help me out:

Do the inputs AFL_CMDLINE and QSYM_CMDLINE have to be paths to a binary (QEMU mode AFL) or just the source code of the target program I want to fuzz?

I guess AFL_CMDLINE and QSYM_CMDLINE have to point to the same program for it to make any sense, right? So AFL_CMDLINE would point to an instrumented target (compiled with afl-cc) and QSYM_CMDLINE to the same program but compiled normally? (or completely uncompiled? does qsym compile it itself?)

How exactly would I go about running it via Docker? When builiding a container via the provided Dockerfile, there is no AFL installed inside this container and I cannot access an AFL installation outside of the container from within. Would I have to add to the Dockerfile to also install AFL inside the container, so I can follow the instructions under "Run hybrid fuzzing with AFL" in your ReadMe?

What exactly do the commands listed under your point "Run for testing" in your ReadMe do? Is that just to test if QSYM was installed correctly or is this actually another way of fuzzing a target without the hybrid method with AFL master+slave explained in the chapter above that in your ReadMe?

I am trying to understand how everything works, so I apologize for all the questions, but I would be very glad if you could help me.

Thanks a lot and best wishes!
opened by Elothis 8
Question about enabling optimistic solving

Thanks for releasing qsym. This project is really awesome.

We recently tried to run qsym on LAVA but we do not know how to turn on/off the optimistic solving. When running qsym with the default options, we obtained results that are more like those without optimistic solving (Fig. 11 in the paper of USENIX Security).

Our settings: Ubuntu 16.04, 64bit, Intel(R) Core(TM) i7-7700 CPU @ 3.60GHz, 16 GB memory afl 2.52b, one master and one slave.

opened by tianxiaogu 8
Question about #AFL_CMDLINE

Hello,

I noticed this line in the environment variables: # AFL_CMDLINE: command line for a testing program for AFL (ASAN + instrumented)

Is using an ASAN explicitly required?

Also, what instrumentation is required? I'm guessing by this you mean afl-cc, but I'm also wondering if AFL-Dyninst and AFL-QEMU are supported?

Thanks, -Stefan

opened by stevenagy 8

All test cases failed and simple cases also failed

I strictly follow the instructions in README, and successfully installed qsym in ubuntu(16.04.06/16.04.07), however all test cases (python -m pytest -n 4) failed. the scenario is as follow. And I also test a simple case, qsym always return 255. I doubt that the current installation instructions and source code is not suitable and need update.

The installation steps:

$ echo 0|sudo tee /proc/sys/kernel/yama/ptrace_scope

# install z3 and system deps
$ ./setup.sh

# install using virtual env
$ virtualenv venv
$ source venv/bin/activate
$ pip install .

The partial output of unit test:

test_avx2.py:25: AssertionError
------------------------------ Captured log call -------------------------------
DEBUG    qsym.Executor:executor.py:109 Executing timeout -k 5 30 /home/sentosa/qsym/venv/lib/python2.7/site-packages/qsym/../../../../third_party/pin-2.14-71313-gcc.4.4.7-linux/pin.sh -ifeellucky -t /home/sentosa/qsym/venv/lib/python2.7/site-packages/qsym/pintool/obj-intel64/libqsym.so -logfile /tmp/qsym-0OVJz7/qsym-out-0/pin.log -i /home/sentosa/qsym/tests/avx2/vpmulld/input.bin -s 1 -o /tmp/qsym-0OVJz7/qsym-out-0 -- /home/sentosa/qsym/tests/avx2/vpmulld/main
____________ test_functions[/home/sentosa/qsym/tests/avx2/vpshufb] _____________
[gw2] linux2 -- Python 2.7.12 /home/sentosa/qsym/venv/bin/python

target = '/home/sentosa/qsym/tests/avx2/vpshufb'

    def test_functions(target):
        logging.getLogger('qsym.Executor').setLevel(logging.DEBUG)
        # if cpu does not support avx2, then return
        if not 'avx2' in open("/proc/cpuinfo").read():
            return
    
>       assert run_single_test(target)
E       AssertionError: assert False
E        +  where False = run_single_test('/home/sentosa/qsym/tests/avx2/vpshufb')

test_avx2.py:25: AssertionError
------------------------------ Captured log call -------------------------------
DEBUG    qsym.Executor:executor.py:109 Executing timeout -k 5 30 /home/sentosa/qsym/venv/lib/python2.7/site-packages/qsym/../../../../third_party/pin-2.14-71313-gcc.4.4.7-linux/pin.sh -ifeellucky -t /home/sentosa/qsym/venv/lib/python2.7/site-packages/qsym/pintool/obj-intel64/libqsym.so -logfile /tmp/qsym-smZde8/qsym-out-0/pin.log -i /home/sentosa/qsym/tests/avx2/vpshufb/input.bin -s 1 -o /tmp/qsym-smZde8/qsym-out-0 -- /home/sentosa/qsym/tests/avx2/vpshufb/main
______________ test_functions[/home/sentosa/qsym/tests/avx2/vpor] ______________
[gw1] linux2 -- Python 2.7.12 /home/sentosa/qsym/venv/bin/python

target = '/home/sentosa/qsym/tests/avx2/vpor'

    def test_functions(target):
        logging.getLogger('qsym.Executor').setLevel(logging.DEBUG)
        # if cpu does not support avx2, then return
        if not 'avx2' in open("/proc/cpuinfo").read():
            return
    
>       assert run_single_test(target)
E       AssertionError: assert False
E        +  where False = run_single_test('/home/sentosa/qsym/tests/avx2/vpor')

test_avx2.py:25: AssertionError
------------------------------ Captured log call -------------------------------
DEBUG    qsym.Executor:executor.py:109 Executing timeout -k 5 30 /home/sentosa/qsym/venv/lib/python2.7/site-packages/qsym/../../../../third_party/pin-2.14-71313-gcc.4.4.7-linux/pin.sh -ifeellucky -t /home/sentosa/qsym/venv/lib/python2.7/site-packages/qsym/pintool/obj-intel64/libqsym.so -logfile /tmp/qsym-e_55p7/qsym-out-0/pin.log -i /home/sentosa/qsym/tests/avx2/vpor/input.bin -s 1 -o /tmp/qsym-e_55p7/qsym-out-0 -- /home/sentosa/qsym/tests/avx2/vpor/main
____________ test_functions[/home/sentosa/qsym/tests/avx2/vpshufhw] ____________
[gw3] linux2 -- Python 2.7.12 /home/sentosa/qsym/venv/bin/python

target = '/home/sentosa/qsym/tests/avx2/vpshufhw'

    def test_functions(target):
        logging.getLogger('qsym.Executor').setLevel(logging.DEBUG)
        # if cpu does not support avx2, then return
        if not 'avx2' in open("/proc/cpuinfo").read():
            return
    
>       assert run_single_test(target)
E       AssertionError: assert False
E        +  where False = run_single_test('/home/sentosa/qsym/tests/avx2/vpshufhw')

test_avx2.py:25: AssertionError
------------------------------ Captured log call -------------------------------
DEBUG    qsym.Executor:executor.py:109 Executing timeout -k 5 30 /home/sentosa/qsym/venv/lib/python2.7/site-packages/qsym/../../../../third_party/pin-2.14-71313-gcc.4.4.7-linux/pin.sh -ifeellucky -t /home/sentosa/qsym/venv/lib/python2.7/site-packages/qsym/pintool/obj-intel64/libqsym.so -logfile /tmp/qsym-MH8HJ2/qsym-out-0/pin.log -i /home/sentosa/qsym/tests/avx2/vpshufhw/input.bin -s 1 -o /tmp/qsym-MH8HJ2/qsym-out-0 -- /home/sentosa/qsym/tests/avx2/vpshufhw/main
____________ test_functions[/home/sentosa/qsym/tests/avx2/vpshuflw] ____________
[gw0] linux2 -- Python 2.7.12 /home/sentosa/qsym/venv/bin/python

target = '/home/sentosa/qsym/tests/avx2/vpshuflw'

    def test_functions(target):
        logging.getLogger('qsym.Executor').setLevel(logging.DEBUG)
        # if cpu does not support avx2, then return
        if not 'avx2' in open("/proc/cpuinfo").read():
            return
    
>       assert run_single_test(target)
E       AssertionError: assert False
E        +  where False = run_single_test('/home/sentosa/qsym/tests/avx2/vpshuflw')

test_avx2.py:25: AssertionError
------------------------------ Captured log call -------------------------------
DEBUG    qsym.Executor:executor.py:109 Executing timeout -k 5 30 /home/sentosa/qsym/venv/lib/python2.7/site-packages/qsym/../../../../third_party/pin-2.14-71313-gcc.4.4.7-linux/pin.sh -ifeellucky -t /home/sentosa/qsym/venv/lib/python2.7/site-packages/qsym/pintool/obj-intel64/libqsym.so -logfile /tmp/qsym-hdhP_U/qsym-out-0/pin.log -i /home/sentosa/qsym/tests/avx2/vpshuflw/input.bin -s 1 -o /tmp/qsym-hdhP_U/qsym-out-0 -- /home/sentosa/qsym/tests/avx2/vpshuflw/main
_____________ test_functions[/home/sentosa/qsym/tests/avx2/vpxor] ______________
[gw2] linux2 -- Python 2.7.12 /home/sentosa/qsym/venv/bin/python

target = '/home/sentosa/qsym/tests/avx2/vpxor'

    def test_functions(target):
        logging.getLogger('qsym.Executor').setLevel(logging.DEBUG)
        # if cpu does not support avx2, then return
        if not 'avx2' in open("/proc/cpuinfo").read():
            return
    
>       assert run_single_test(target)
E       AssertionError: assert False
E        +  where False = run_single_test('/home/sentosa/qsym/tests/avx2/vpxor')

test_avx2.py:25: AssertionError
------------------------------ Captured log call -------------------------------
DEBUG    qsym.Executor:executor.py:109 Executing timeout -k 5 30 /home/sentosa/qsym/venv/lib/python2.7/site-packages/qsym/../../../../third_party/pin-2.14-71313-gcc.4.4.7-linux/pin.sh -ifeellucky -t /home/sentosa/qsym/venv/lib/python2.7/site-packages/qsym/pintool/obj-intel64/libqsym.so -logfile /tmp/qsym-cj4pU4/qsym-out-0/pin.log -i /home/sentosa/qsym/tests/avx2/vpxor/input.bin -s 1 -o /tmp/qsym-cj4pU4/qsym-out-0 -- /home/sentosa/qsym/tests/avx2/vpxor/main
_____________ test_functions[/home/sentosa/qsym/tests/avx2/vpsrad] _____________
[gw1] linux2 -- Python 2.7.12 /home/sentosa/qsym/venv/bin/python

target = '/home/sentosa/qsym/tests/avx2/vpsrad'

    def test_functions(target):
        logging.getLogger('qsym.Executor').setLevel(logging.DEBUG)
        # if cpu does not support avx2, then return
        if not 'avx2' in open("/proc/cpuinfo").read():
            return
    
>       assert run_single_test(target)
E       AssertionError: assert False
E        +  where False = run_single_test('/home/sentosa/qsym/tests/avx2/vpsrad')

test_avx2.py:25: AssertionError
------------------------------ Captured log call -------------------------------
DEBUG    qsym.Executor:executor.py:109 Executing timeout -k 5 30 /home/sentosa/qsym/venv/lib/python2.7/site-packages/qsym/../../../../third_party/pin-2.14-71313-gcc.4.4.7-linux/pin.sh -ifeellucky -t /home/sentosa/qsym/venv/lib/python2.7/site-packages/qsym/pintool/obj-intel64/libqsym.so -logfile /tmp/qsym-e37AII/qsym-out-0/pin.log -i /home/sentosa/qsym/tests/avx2/vpsrad/input.bin -s 1 -o /tmp/qsym-e37AII/qsym-out-0 -- /home/sentosa/qsym/tests/avx2/vpsrad/main
___________________ test_null_deref_DependencyForest_addNode ___________________
[gw3] linux2 -- Python 2.7.12 /home/sentosa/qsym/venv/bin/python

    def test_null_deref_DependencyForest_addNode():
        target = os.path.join(TESTS_DIR, "regress/null-deref-DependencyForest-addNode")
        assert os.path.exists(target)
    
        output_dir = tempfile.mkdtemp(prefix="qsym-")
        try:
            exe = os.path.join(target, MAIN)
            assert os.path.exists(exe)
    
            q = qsym.Executor([exe], os.path.join(target, "input.bin"), output_dir,
                    argv=["-l", "1"])
            res = q.run(30) # 30 seconds for timeout
>           assert res.returncode == 0
E           assert 255 == 0
E            +  where 255 = <qsym.executor.ExecutorResult object at 0x7fd690bc8cd0>.returncode

test_regress.py:28: AssertionError
------------------------------ Captured log call -------------------------------
DEBUG    qsym.Executor:executor.py:109 Executing timeout -k 5 30 /home/sentosa/qsym/venv/lib/python2.7/site-packages/qsym/../../../../third_party/pin-2.14-71313-gcc.4.4.7-linux/pin.sh -ifeellucky -t /home/sentosa/qsym/venv/lib/python2.7/site-packages/qsym/pintool/obj-intel64/libqsym.so -logfile /tmp/qsym-P4M41w/qsym-out-0/pin.log -i /home/sentosa/qsym/tests/regress/null-deref-DependencyForest-addNode/input.bin -s 1 -o /tmp/qsym-P4M41w/qsym-out-0 -l 1 -- /home/sentosa/qsym/tests/regress/null-deref-DependencyForest-addNode/main
___________________________________ test_dup ___________________________________
[gw0] linux2 -- Python 2.7.12 /home/sentosa/qsym/venv/bin/python

    def test_dup():
        testcases = get_all_testcases("dup")
        # default + 0xdeadbeef
>       assert len(testcases) == 2
E       AssertionError: assert 1 == 2
E        +  where 1 = len(['\x00\x00\x00\x00\n'])

test_schedule.py:79: AssertionError
------------------------------ Captured log call -------------------------------
DEBUG    qsym.Executor:executor.py:109 Executing /home/sentosa/qsym/venv/lib/python2.7/site-packages/qsym/../../../../third_party/pin-2.14-71313-gcc.4.4.7-linux/pin.sh -ifeellucky -t /home/sentosa/qsym/venv/lib/python2.7/site-packages/qsym/pintool/obj-intel64/libqsym.so -logfile /tmp/qsym-zEa2Sq/qsym-out-0/pin.log -i /tmp/qsym-inw2JS -s 1 -o /tmp/qsym-zEa2Sq/qsym-out-0 -b /tmp/qsym-gAvKEU -- /home/sentosa/qsym/tests/schedule/dup/main
____________ test_syscall[/home/sentosa/qsym/tests/syscall/mremap] _____________
[gw2] linux2 -- Python 2.7.12 /home/sentosa/qsym/venv/bin/python

target = '/home/sentosa/qsym/tests/syscall/mremap'

    def test_syscall(target):
        logging.getLogger('qsym.Executor').setLevel(logging.DEBUG)
>       assert run_single_test(target)
E       AssertionError: assert False
E        +  where False = run_single_test('/home/sentosa/qsym/tests/syscall/mremap')

test_syscall.py:21: AssertionError
------------------------------ Captured log call -------------------------------
DEBUG    qsym.Executor:executor.py:109 Executing timeout -k 5 30 /home/sentosa/qsym/venv/lib/python2.7/site-packages/qsym/../../../../third_party/pin-2.14-71313-gcc.4.4.7-linux/pin.sh -ifeellucky -t /home/sentosa/qsym/venv/lib/python2.7/site-packages/qsym/pintool/obj-intel64/libqsym.so -logfile /tmp/qsym-bSH5pH/qsym-out-0/pin.log -i /home/sentosa/qsym/tests/syscall/mremap/input.bin -s 1 -o /tmp/qsym-bSH5pH/qsym-out-0 -- /home/sentosa/qsym/tests/syscall/mremap/main
========================= 250 failed in 34.64 seconds ==========================

opened by xupeng1231 7

Crash when running LAVA-M binaries

A: Source/pin/vm_ia32_l/jit_region_ia32_linux.cpp: XlateSysCall: 33: Sysenter is supported on IA32 only and the expected location is inside Linux Gate

################################################################################
## STACK TRACE
################################################################################
addr2line -C -f -e "/home/ju/tmp/qsym/venv/lib/python2.7/site-packages/qsym/../../../../third_party/pin-2.14-71313-gcc.4.4.7-linux/ia32/bin/pinbin" 0x114128b 0x11420f6 0x11423e1 0x1384a63 0x1322b10 0x1323801 0x12642dd 0x126498f 0x126a190 0x1219cd6 0x121b2f0 0x121c280 0x12bd4ff 0x12a330f 0x12a3356 0x133584a 0xffcbc4a8
LEVEL_BASE::MESSAGE_TYPE::DumpTrace()
??:?
LEVEL_BASE::MESSAGE_TYPE::MessageInternal(std::string const&, bool, PIN_ERRTYPE, char*, int)
??:?
LEVEL_BASE::MESSAGE_TYPE::MessageNoReturn(std::string const&, bool, PIN_ERRTYPE, int, ...)
??:?
LEVEL_VM::REGION::XlateSysCall(LEVEL_CORE::INDEX<3>, LEVEL_CORE::INDEX<4>, LEVEL_CORE::INDEX<6>)
??:?
LEVEL_VM::REGION::XlateControlFlow(LEVEL_CORE::INDEX<4>, LEVEL_CORE::INDEX<6>)
??:?
LEVEL_VM::REGION::XlateBbl(LEVEL_CORE::INDEX<4>)
??:?
LEVEL_VM::REGION::Xlate()
??:?
LEVEL_VM::REGION::XlateAndInstrument()
??:?
LEVEL_VM::REGION::MakeApplication(LEVEL_VM::SVT_FACTORY const&)
??:?
LEVEL_VM::JIT::Initialize()
??:?
LEVEL_VM::JIT::CompileInternal(LEVEL_CORE::ADDR<1>, LEVEL_VM::SCT_ATTRIBUTES const*, LEVEL_BASE::EXCEPTION_INFO*, unsigned int)
??:?
LEVEL_VM::JIT::Compile(LEVEL_CORE::ADDR<1>, LEVEL_VM::SCT_ATTRIBUTES const*, LEVEL_BASE::EXCEPTION_INFO*)
??:?
LEVEL_VM::IBRANCH_DISPATCHER::HandleIndirectXfer(LEVEL_VM::SCT_ATTRIBUTES const*, LEVEL_VM::PCTXT*, LEVEL_VM::XFER_INDIRECT_ARGS const*)
??:?
LEVEL_VM::VM::Dispatch(LEVEL_VM::VMSVC_ARGS const*, LEVEL_VM::PCTXT*)
??:?
VmDispatch
??:?
VmEnter
??:?
??
??:0
Detach Service Count: 14710
Pin 2.14
Copyright (c) 2003-2015, Intel Corporation. All rights reserved.
@CHARM-VERSION: $Rev: 71293 $
@CHARM-BUILDER: BUILDER
@CHARM-COMPILER: gcc 4.4.7
@CHARM-TARGET: ia32
@CHARM-CFLAGS:  __OPTIMIZE__=1  __NO_INLINE__=__NO_INLINE__
Aborted (core dumped)

opened by chenju2k6 7

Trouble in using QSYM to find test inputs on some simple toy example

Hi, thank you for the great work and making it open source.

I'm having a trouble while testing QSYM on some simple toy program.

I wrote a simple toy program that reads in 8 byte input from file and compare it to magic value. Running it with input "DCBAabcd" will raise a segfault as follow.

jason@debian-8:~/example$ cat test.c 
#include <unistd.h>
#include <fcntl.h>
#include <stdint.h>

int main(int argc, char** argv)
{
  char buf[9];
  int fd;

  fd = open(argv[1], O_RDONLY);
  read(fd, buf, sizeof(buf) - 1);
  buf[8] = 0;

  if (*(int32_t*) &buf[0] == 0x41424344) {
    if(buf[4] == 'a') {
        *(int*) NULL = 0;
    }
  }
  return 0;
}
jason@debian-8:~/example$ gcc test.c  -o test.bin
jason@debian-8:~/example$ echo "DCBAabcd" > file
jason@debian-8:~/example$ ./test.bin file
Segmentation fault

When I tested QSYM on this program, it seems to fail in finding a test input that penetrates the branch condition. I followed the instructions in README to run one AFL master, one AFL slave and one QSYM. I provided 8 bytes of "A" as initial dummy seed of AFL. The standard output of QSYM looks as follow.

...
(venv)jason@debian-8:~/example$ export QSYM_CMDLINE="/home/jason/example/test.bin /home/jason/example/file_qsym"
(venv)jason@debian-8:~/example$ /home/jason/qsym/bin/run_qsym_afl.py -f /home/jason/example/file_qsym -a afl-slave -o $OUTPUT -n qsym -- $QSYM_CMDLINE
DEBUG:qsym.afl:Temp directory=/tmp/tmpluyS8E
DEBUG:qsym.afl:Run qsym: input=/home/jason/example/output/afl-slave/queue/id:000000,orig:empty
DEBUG:qsym.Executor:Executing timeout -k 5 90 /home/jason/qsym/venv/lib/python2.7/site-packages/qsym/../../../../third_party/pin-2.14-71313-gcc.4.4.7-linux/pin.sh -ifeellucky -t /home/jason/qsym/venv/lib/python2.7/site-packages/qsym/pintool/obj-intel64/libqsym.so -logfile /tmp/tmpluyS8E/qsym-out-0/pin.log -i /home/jason/example/file_qsym -s 1 -o /tmp/tmpluyS8E/qsym-out-0 -l 1 -b /home/jason/example/output/qsym/bitmap -- /home/jason/example/test.bin /home/jason/example/file_qsym
DEBUG:qsym.afl:Total=4 s, Emulation=4 s, Solver=0 s, Return=0
DEBUG:qsym.afl:Generate 0 testcases
DEBUG:qsym.afl:0 testcases are new
DEBUG:qsym.afl:Sleep for getting files
DEBUG:qsym.afl:Sleep for getting files
...

The content of input file to QSYM was 4 bytes of 'A', and I think concolic execution should be able to find a new test input "DCBA" that can flip the first if branch.

jason@debian-8:~/example$ xxd output/afl-master/queue/id\:000000\,orig\:empty 
0000000: 4141 4141                                AAAA

Could you take a look at this problem, or point out my mistakes if I'm making some?

I am using debian 8.11 OS, but its kernel version is same to Ubuntu 14.04, and the build succeeded without any error.

Thank you.

opened by jchoi2022 7

Incorrect parsing of SMT solving time
qsym always says that solving time is 0sec.

DEBUG:qsym.afl:Total=90 s, Emulation=90 s, Solver=0 s, Return=124

I found that qsym tries to find log lines starting with SMT: in pin.log, but the pintool saves SMT time logs with a prefix [STAT].

https://github.com/sslab-gatech/qsym/blob/014cefb3357d4d2587a12d7853621c911a371bea/qsym/executor.py#L32

[STAT] SMT: { "solving_time": 456074, "total_time": 256521223 } [STAT] SMT: { "solving_time": 456386 } [STAT] SMT: { "solving_time": 456386, "total_time": 256521872 } [STAT] SMT: { "solving_time": 456560 }

and, one more really minor thing I want to point out is that I think this variable name MS_TO_S should be US_TO_S(microsecond). https://github.com/sslab-gatech/qsym/blob/014cefb3357d4d2587a12d7853621c911a371bea/qsym/executor.py#L13
opened by tunz 7

Qsym package not found for python

Running the below command to install qsym gives an error:

$ pip install qsym
DEPRECATION: Python 2.7 reached the end of its life on January 1st, 2020. Please upgrade your Python as Python 2.7 is no longer maintained. pip 21.0 will drop support for Python 2.7 in January 2021. More details about Python 2 support in pip can be found at https://pip.pypa.io/en/latest/development/release-process/#python-2-support pip 21.0 will remove support for this functionality.
Defaulting to user installation because normal site-packages is not writeable
ERROR: Could not find a version that satisfies the requirement qsym (from versions: none)
ERROR: No matching distribution found for qsym

I tried to find qsym on pypi but I didn't find it. Perhaps the repository is no longer available since Python 2.7 is now deprecated?

I ran into this problem when trying to run the example in the vagrant/ folder. The file vagrant/qsym/bin/run_qsym.py imports qsym and that's when I ran into this problem.

$ ./qsym/bin/run_qsym.py 
Traceback (most recent call last):
  File "./qsym/bin/run_qsym.py", line 4, in <module>
    from qsym import Executor, utils
ImportError: No module named qsym

opened by Zaxeli 1

get error with tests/build.py

CPU:Intel(R) Pentium(R) CPU G2030 @ 3.00GHZ

ERROR is following:

INFO:qsym.tests.build:dir=/home/grz/Downloads/qsym-master/tests/assembly/movhpd INFO:qsym.tests.build:stderr=main.c: In function ‘main’: main.c:9:11: warning: SSE vector return without SSE enabled changes the ABI [-Wpsabi] __m128d a = _mm_setzero_pd(); ^ In file included from /usr/lib/gcc/i686-linux-gnu/5/include/xmmintrin.h:1249:0, from main.c:4: /usr/lib/gcc/i686-linux-gnu/5/include/emmintrin.h:192:1: error: inlining failed in call to always_inline ‘_mm_storeh_pd’: target specific option mismatch _mm_storeh_pd (double *__P, __m128d __A) ^ main.c:16:3: error: called from here _mm_storeh_pd(&c, a); ^ In file included from /usr/lib/gcc/i686-linux-gnu/5/include/xmmintrin.h:1249:0, from main.c:4: /usr/lib/gcc/i686-linux-gnu/5/include/emmintrin.h:103:1: error: inlining failed in call to always_inline ‘_mm_setzero_pd’: target specific option mismatch _mm_setzero_pd (void) ^ main.c:9:15: error: called from here __m128d a = _mm_setzero_pd(); ^ make: *** [main.o] Error 1

INFO:qsym.tests.build:dir=/home/grz/Downloads/qsym-master/tests/assembly/movlpd INFO:qsym.tests.build:stderr=main.c: In function ‘main’: main.c:9:11: warning: SSE vector return without SSE enabled changes the ABI [-Wpsabi] __m128d a = _mm_setzero_pd(); ^ In file included from /usr/lib/gcc/i686-linux-gnu/5/include/xmmintrin.h:1249:0, from main.c:4: /usr/lib/gcc/i686-linux-gnu/5/include/emmintrin.h:185:1: error: inlining failed in call to always_inline ‘_mm_storel_pd’: target specific option mismatch _mm_storel_pd (double *__P, __m128d __A) ^ main.c:16:3: error: called from here _mm_storel_pd(&c, a); ^ In file included from /usr/lib/gcc/i686-linux-gnu/5/include/xmmintrin.h:1249:0, from main.c:4: /usr/lib/gcc/i686-linux-gnu/5/include/emmintrin.h:103:1: error: inlining failed in call to always_inline ‘_mm_setzero_pd’: target specific option mismatch _mm_setzero_pd (void) ^ main.c:9:15: error: called from here __m128d a = _mm_setzero_pd(); ^ make: *** [main.o] Error 1

INFO:qsym.tests.build:dir=/home/grz/Downloads/qsym-master/tests/assembly/movlps INFO:qsym.tests.build:stderr=main.c: In function ‘main’: main.c:9:10: warning: SSE vector return without SSE enabled changes the ABI [-Wpsabi] __m128 a = _mm_setzero_ps(); ^ main.c:11:9: warning: MMX vector return without MMX enabled changes the ABI [-Wpsabi] __m64 c = _mm_setzero_si64(); ^ In file included from main.c:4:0: /usr/lib/gcc/i686-linux-gnu/5/include/xmmintrin.h:804:1: error: inlining failed in call to always_inline ‘_mm_storel_pi’: target specific option mismatch _mm_storel_pi (__m64 *__P, __m128 __A) ^ main.c:16:3: error: called from here _mm_storel_pi(&c, a); ^ In file included from /usr/lib/gcc/i686-linux-gnu/5/include/xmmintrin.h:31:0, from main.c:4: /usr/lib/gcc/i686-linux-gnu/5/include/mmintrin.h:869:1: error: inlining failed in call to always_inline ‘_mm_setzero_si64’: target specific option mismatch _mm_setzero_si64 (void) ^ main.c:11:13: error: called from here __m64 c = _mm_setzero_si64(); ^ In file included from main.c:4:0: /usr/lib/gcc/i686-linux-gnu/5/include/xmmintrin.h:115:1: error: inlining failed in call to always_inline ‘_mm_setzero_ps’: target specific option mismatch _mm_setzero_ps (void) ^ main.c:9:14: error: called from here __m128 a = _mm_setzero_ps(); ^ make: *** [main.o] Error 1

INFO:qsym.tests.build:dir=/home/grz/Downloads/qsym-master/tests/assembly/pmovmskb INFO:qsym.tests.build:stderr=main.c: In function ‘main’: main.c:8:11: warning: SSE vector return without SSE enabled changes the ABI [-Wpsabi] __m128i a = _mm_setzero_si128(); ^ In file included from /usr/lib/gcc/i686-linux-gnu/5/include/xmmintrin.h:1249:0, from main.c:4: /usr/lib/gcc/i686-linux-gnu/5/include/emmintrin.h:1390:1: error: inlining failed in call to always_inline ‘_mm_movemask_epi8’: target specific option mismatch _mm_movemask_epi8 (__m128i __A) ^ main.c:10:7: error: called from here int b = _mm_movemask_epi8(a); ^ In file included from /usr/lib/gcc/i686-linux-gnu/5/include/xmmintrin.h:1249:0, from main.c:4: /usr/lib/gcc/i686-linux-gnu/5/include/emmintrin.h:753:1: error: inlining failed in call to always_inline ‘_mm_setzero_si128’: target specific option mismatch _mm_setzero_si128 (void) ^ main.c:8:15: error: called from here __m128i a = _mm_setzero_si128(); ^ make: *** [main.o] Error 1

INFO:qsym.tests.build:dir=/home/grz/Downloads/qsym-master/tests/assembly/pminub INFO:qsym.tests.build:stderr=main.c: In function ‘main’: main.c:8:11: warning: SSE vector return without SSE enabled changes the ABI [-Wpsabi] __m128i a = _mm_setzero_si128(); ^ In file included from /usr/lib/gcc/i686-linux-gnu/5/include/xmmintrin.h:1249:0, from main.c:4: /usr/lib/gcc/i686-linux-gnu/5/include/emmintrin.h:1384:1: error: inlining failed in call to always_inline ‘_mm_min_epu8’: target specific option mismatch _mm_min_epu8 (__m128i __A, __m128i __B) ^ main.c:13:15: error: called from here __m128i c = _mm_min_epu8(a, b); ^ In file included from /usr/lib/gcc/i686-linux-gnu/5/include/xmmintrin.h:1249:0, from main.c:4: /usr/lib/gcc/i686-linux-gnu/5/include/emmintrin.h:753:1: error: inlining failed in call to always_inline ‘_mm_setzero_si128’: target specific option mismatch _mm_setzero_si128 (void) ^ main.c:9:15: error: called from here __m128i b = _mm_setzero_si128(); ^ In file included from /usr/lib/gcc/i686-linux-gnu/5/include/xmmintrin.h:1249:0, from main.c:4: /usr/lib/gcc/i686-linux-gnu/5/include/emmintrin.h:753:1: error: inlining failed in call to always_inline ‘_mm_setzero_si128’: target specific option mismatch _mm_setzero_si128 (void) ^ main.c:8:15: error: called from here __m128i a = _mm_setzero_si128(); ^ make: *** [main.o] Error 1

INFO:qsym.tests.build:dir=/home/grz/Downloads/qsym-master/tests/assembly/psub/psubb INFO:qsym.tests.build:stderr=In file included from main.c:1:0: main.c: In function ‘main’: ../psub.h:9:11: warning: SSE vector return without SSE enabled changes the ABI [-Wpsabi] __m128i a = _mm_setzero_si128();
^ main.c:3:1: note: in expansion of macro ‘TEST_PUSB’ TEST_PUSB(psubb) ^ In file included from /usr/lib/gcc/i686-linux-gnu/5/include/xmmintrin.h:1249:0, from ../psub.h:4, from main.c:1: /usr/lib/gcc/i686-linux-gnu/5/include/emmintrin.h:1059:1: error: inlining failed in call to always_inline ‘_mm_sub_epi8’: target specific option mismatch _mm_sub_epi8 (__m128i __A, __m128i __B) ^ In file included from main.c:1:0: ../psub.h:15:15: error: called from here __m128i c = _mm_sub_epi8(a, b);
^ main.c:3:1: note: in expansion of macro ‘TEST_PUSB’ TEST_PUSB(psubb) ^ In file included from /usr/lib/gcc/i686-linux-gnu/5/include/xmmintrin.h:1249:0, from ../psub.h:4, from main.c:1: /usr/lib/gcc/i686-linux-gnu/5/include/emmintrin.h:753:1: error: inlining failed in call to always_inline ‘_mm_setzero_si128’: target specific option mismatch _mm_setzero_si128 (void) ^ In file included from main.c:1:0: ../psub.h:10:15: error: called from here __m128i b = _mm_setzero_si128();
^ main.c:3:1: note: in expansion of macro ‘TEST_PUSB’ TEST_PUSB(psubb) ^ In file included from /usr/lib/gcc/i686-linux-gnu/5/include/xmmintrin.h:1249:0, from ../psub.h:4, from main.c:1: /usr/lib/gcc/i686-linux-gnu/5/include/emmintrin.h:753:1: error: inlining failed in call to always_inline ‘_mm_setzero_si128’: target specific option mismatch _mm_setzero_si128 (void) ^ In file included from main.c:1:0: ../psub.h:9:15: error: called from here __m128i a = _mm_setzero_si128();
^ main.c:3:1: note: in expansion of macro ‘TEST_PUSB’ TEST_PUSB(psubb) ^ make: *** [main.o] Error 1

INFO:qsym.tests.build:dir=/home/grz/Downloads/qsym-master/tests/assembly/psub/psubw INFO:qsym.tests.build:stderr=In file included from main.c:1:0: main.c: In function ‘main’: ../psub.h:9:11: warning: SSE vector return without SSE enabled changes the ABI [-Wpsabi] __m128i a = _mm_setzero_si128();
^ main.c:3:1: note: in expansion of macro ‘TEST_PUSB’ TEST_PUSB(psubw) ^ In file included from /usr/lib/gcc/i686-linux-gnu/5/include/xmmintrin.h:1249:0, from ../psub.h:4, from main.c:1: /usr/lib/gcc/i686-linux-gnu/5/include/emmintrin.h:1059:1: error: inlining failed in call to always_inline ‘_mm_sub_epi8’: target specific option mismatch _mm_sub_epi8 (__m128i __A, __m128i __B) ^ In file included from main.c:1:0: ../psub.h:15:15: error: called from here __m128i c = _mm_sub_epi8(a, b);
^ main.c:3:1: note: in expansion of macro ‘TEST_PUSB’ TEST_PUSB(psubw) ^ In file included from /usr/lib/gcc/i686-linux-gnu/5/include/xmmintrin.h:1249:0, from ../psub.h:4, from main.c:1: /usr/lib/gcc/i686-linux-gnu/5/include/emmintrin.h:753:1: error: inlining failed in call to always_inline ‘_mm_setzero_si128’: target specific option mismatch _mm_setzero_si128 (void) ^ In file included from main.c:1:0: ../psub.h:10:15: error: called from here __m128i b = _mm_setzero_si128();
^ main.c:3:1: note: in expansion of macro ‘TEST_PUSB’ TEST_PUSB(psubw) ^ In file included from /usr/lib/gcc/i686-linux-gnu/5/include/xmmintrin.h:1249:0, from ../psub.h:4, from main.c:1: /usr/lib/gcc/i686-linux-gnu/5/include/emmintrin.h:753:1: error: inlining failed in call to always_inline ‘_mm_setzero_si128’: ...

seems that '_mm_sub_epi8' '_mm_setzero_si128' '_mm_min_epu8' '_mm_setzero_ps' '_mm_setzero_pd' '_mm_setzero_pi' don't support

opened by uucool 1
Floating point support

Hi, I'm working on a project about floating-point exceptions, so I wonder if Qsym can work on this job. I noticed that it is a limitation addressed in the qsym paper, but I still want to know if it still in progress. Thanks!
enhancement

opened by Han0nly 1

Vagrant Cloud Box & local Vagrantfile failed to run

I got the same error as in #57 when running the vagrant box pulled from https://app.vagrantup.com/jakkdu/boxes/qsym.

zhangys@xx:/mnt/zhangys/vagrant-qsym$ vagrant up
Bringing machine 'default' up with 'virtualbox' provider...
==> default: Box 'jakkdu/qsym' could not be found. Attempting to find and install...
    default: Box Provider: virtualbox
    default: Box Version: >= 0
==> default: Loading metadata for box 'jakkdu/qsym'
    default: URL: https://vagrantcloud.com/jakkdu/qsym
==> default: Adding box 'jakkdu/qsym' (v20191212) for provider: virtualbox
    default: Downloading: https://vagrantcloud.com/jakkdu/boxes/qsym/versions/20191212/providers/virtualbox.box
==> default: Successfully added box 'jakkdu/qsym' (v20191212) for 'virtualbox'!
==> default: Importing base box 'jakkdu/qsym'...
==> default: Matching MAC address for NAT networking...
==> default: Checking if box 'jakkdu/qsym' is up to date...
==> default: Setting the name of the VM: vagrant-qsym_default_1578118897156_8489
==> default: Clearing any previously set network interfaces...
==> default: Preparing network interfaces based on configuration...
    default: Adapter 1: nat
==> default: Forwarding ports...
    default: 22 (guest) => 2222 (host) (adapter 1)
==> default: Booting VM...
#<Thread:0x00005607f68d2990@/usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/batch_action.rb:71 run> terminated with exception (report_on_exception is true):

Exception details:

#<Thread:0x00005607f68d2990@/usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/batch_action.rb:71 run> terminated with exception (report_on_exception is true):
Traceback (most recent call last):
        125: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/batch_action.rb:82:in `block (2 levels) in run'
        124: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/machine.rb:188:in `action'
        123: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/machine.rb:188:in `call'
        122: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/environment.rb:592:in `lock'
        121: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/machine.rb:202:in `block in action'
        120: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/machine.rb:227:in `action_raw'
        119: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/runner.rb:66:in `run'
        118: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/util/busy.rb:19:in `busy'
        117: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/runner.rb:66:in `block in run'
        116: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/builder.rb:116:in `call'
        115: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:34:in `call'
        114: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/plugins/providers/virtualbox/action/check_virtualbox.rb:17:in `call'
        113: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:34:in `call'
        112: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/builtin/call.rb:53:in `call'
        111: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/runner.rb:66:in `run'
        110: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/util/busy.rb:19:in `busy'
        109: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/runner.rb:66:in `block in run'
        108: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/builder.rb:116:in `call'
        107: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:34:in `call'
        106: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:95:in `block in finalize_action'
        105: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:34:in `call'
        104: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/builtin/handle_box.rb:56:in `call'
        103: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:34:in `call'
        102: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:95:in `block in finalize_action'
        101: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:34:in `call'
        100: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/builtin/config_validate.rb:25:in `call'
         99: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:34:in `call'
         98: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/builtin/call.rb:53:in `call'
         97: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/runner.rb:66:in `run'
         96: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/util/busy.rb:19:in `busy'
         95: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/runner.rb:66:in `block in run'
         94: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/builder.rb:116:in `call'
         93: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:34:in `call'
         92: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:95:in `block in finalize_action'
         91: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:34:in `call'
         90: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/plugins/providers/virtualbox/action/check_accessible.rb:18:in `call'
         89: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:34:in `call'
         88: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/plugins/providers/virtualbox/action/customize.rb:40:in `call'
         87: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:34:in `call'
         86: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/builtin/prepare_clone.rb:15:in `call'
         85: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:34:in `call'
         84: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/plugins/providers/virtualbox/action/prepare_clone_snapshot.rb:17:in `call'
         83: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:34:in `call'
         82: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/plugins/providers/virtualbox/action/import.rb:13:in `call'
         81: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/plugins/providers/virtualbox/action/import.rb:74:in `import'
         80: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:34:in `call'
         79: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/plugins/providers/virtualbox/action/discard_state.rb:15:in `call'
         78: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:34:in `call'
         77: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/plugins/providers/virtualbox/action/match_mac_address.rb:19:in `call'
         76: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:34:in `call'
         75: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:95:in `block in finalize_action'
         74: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:34:in `call'
         73: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/plugins/providers/virtualbox/action/check_virtualbox.rb:17:in `call'
         72: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:34:in `call'
         71: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/builtin/config_validate.rb:25:in `call'
         70: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:34:in `call'
         69: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/builtin/box_check_outdated.rb:79:in `call'
         68: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:34:in `call'
         67: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/builtin/call.rb:53:in `call'
         66: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/runner.rb:66:in `run'
         65: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/util/busy.rb:19:in `busy'
         64: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/runner.rb:66:in `block in run'
         63: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/builder.rb:116:in `call'
         62: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:34:in `call'
         61: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:95:in `block in finalize_action'
         60: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:34:in `call'
         59: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/builtin/call.rb:53:in `call'
         58: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/runner.rb:66:in `run'
         57: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/util/busy.rb:19:in `busy'
         56: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/runner.rb:66:in `block in run'
         55: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/builder.rb:116:in `call'
         54: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:34:in `call'
         53: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:95:in `block in finalize_action'
         52: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:34:in `call'
         51: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/builtin/call.rb:53:in `call'
         50: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/runner.rb:66:in `run'
         49: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/util/busy.rb:19:in `busy'
         48: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/runner.rb:66:in `block in run'
         47: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/builder.rb:116:in `call'
         46: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:34:in `call'
         45: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:95:in `block in finalize_action'
         44: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:34:in `call'
         43: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/plugins/providers/virtualbox/action/check_accessible.rb:18:in `call'
         42: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:34:in `call'
         41: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/plugins/providers/virtualbox/action/clean_machine_folder.rb:17:in `call'
         40: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:34:in `call'
         39: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/plugins/providers/virtualbox/action/set_name.rb:50:in `call'
         38: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:34:in `call'
         37: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/plugins/providers/virtualbox/action/clear_forwarded_ports.rb:15:in `call'
         36: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:34:in `call'
         35: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/builtin/provision.rb:80:in `call'
         34: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:34:in `call'
         33: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/builtin/env_set.rb:19:in `call'
         32: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:34:in `call'
         31: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/plugins/providers/virtualbox/action/prepare_forwarded_port_collision_params.rb:30:in `call'
         30: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:34:in `call'
         29: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/builtin/handle_forwarded_port_collisions.rb:49:in `call'
         28: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:34:in `call'
         27: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/plugins/providers/virtualbox/action/prepare_nfs_valid_ids.rb:12:in `call'
         26: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:34:in `call'
         25: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/plugins/synced_folders/nfs/action_cleanup.rb:25:in `call'
         24: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:34:in `call'
         23: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/builtin/synced_folder_cleanup.rb:28:in `call'
         22: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:34:in `call'
         21: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/builtin/synced_folders.rb:87:in `call'
         20: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:34:in `call'
         19: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/plugins/providers/virtualbox/action/prepare_nfs_settings.rb:19:in `call'
         18: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:34:in `call'
         17: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/plugins/providers/virtualbox/action/clear_network_interfaces.rb:26:in `call'
         16: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:34:in `call'
         15: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/plugins/providers/virtualbox/action/network.rb:123:in `call'
         14: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:34:in `call'
         13: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/plugins/providers/virtualbox/action/network_fix_ipv6.rb:41:in `call'
         12: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:34:in `call'
         11: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/plugins/providers/virtualbox/action/forward_ports.rb:31:in `call'
         10: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:34:in `call'
          9: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/builtin/set_hostname.rb:16:in `call'
          8: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:34:in `call'
          7: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/plugins/providers/virtualbox/action/sane_defaults.rb:38:in `call'
          6: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:34:in `call'
          5: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/plugins/providers/virtualbox/action/customize.rb:40:in `call'
          4: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/action/warden.rb:34:in `call'
          3: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/plugins/providers/virtualbox/action/boot.rb:16:in `call'
          2: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/plugins/providers/virtualbox/driver/version_5_0.rb:704:in `start'
          1: from /usr/share/rubygems-integration/all/gems/vagrant-2.0.2/lib/vagrant/util/retryable.rb:17:in `retryable'
/usr/share/rubygems-integration/all/gems/vagrant-2.0.2/plugins/providers/virtualbox/driver/version_5_0.rb:714:in `block in start': There was an error while executing `VBoxManage`, a CLI used by Vagrant (Vagrant::Errors::VBoxManageError)
for controlling VirtualBox. The command and stderr is shown below.

Command: ["startvm", "2557df91-ac03-44dc-9d4e-227949dfbdd9", "--type", "headless"]

Stderr: VBoxManage: error: RawFile#0 failed to create the raw output file /home/insu/projects/qsym/vagrant/ubuntu-xenial-16.04-cloudimg-console.log (VERR_FILE_NOT_FOUND)
VBoxManage: error: Details: code NS_ERROR_FAILURE (0x80004005), component ConsoleWrap, interface IConsole
There was an error while executing `VBoxManage`, a CLI used by Vagrant
for controlling VirtualBox. The command and stderr is shown below.

Command: ["startvm", "2557df91-ac03-44dc-9d4e-227949dfbdd9", "--type", "headless"]

Stderr: VBoxManage: error: RawFile#0 failed to create the raw output file /home/insu/projects/qsym/vagrant/ubuntu-xenial-16.04-cloudimg-console.log (VERR_FILE_NOT_FOUND)
VBoxManage: error: Details: code NS_ERROR_FAILURE (0x80004005), component ConsoleWrap, interface IConsole

However, this time it shows in verbose:

/version_5_0.rb:714:in `block in start': There was an error while executing `VBoxManage`, a CLI used by Vagrant (Vagrant::Errors::VBoxManageError)
for controlling VirtualBox. The command and stderr is shown below.

Command: ["startvm", "2557df91-ac03-44dc-9d4e-227949dfbdd9", "--type", "headless"]

Stderr: VBoxManage: error: RawFile#0 failed to create the raw output file /home/insu/projects/qsym/vagrant/ubuntu-xenial-16.04-cloudimg-console.log (VERR_FILE_NOT_FOUND)
VBoxManage: error: Details: code NS_ERROR_FAILURE (0x80004005), component ConsoleWrap, interface IConsole
There was an error while executing `VBoxManage`, a CLI used by Vagrant
for controlling VirtualBox. The command and stderr is shown below.

Command: ["startvm", "2557df91-ac03-44dc-9d4e-227949dfbdd9", "--type", "headless"]

Stderr: VBoxManage: error: RawFile#0 failed to create the raw output file /home/insu/projects/qsym/vagrant/ubuntu-xenial-16.04-cloudimg-console.log (VERR_FILE_NOT_FOUND)
VBoxManage: error: Details: code NS_ERROR_FAILURE (0x80004005), component ConsoleWrap, interface IConsole

It seems some information is missing in the box.

bug

opened by zhangysh1995 4

Function wrappers for multi-byte comparison

QSYM can solve multi-byte comparisons such as strcmp or memcmp gradually. But unfortunately, these functions are usually. not instrumented by AFL. Even though they are instrumented, AFL will consider intermediate results as uninteresting due to its loop bucketization.

This is not a big issue in fuzzing binary-formatted binaries that are main targets for AFL and QSYM. But we can still partially solve these cases by wrapping functions like angr did. For example, we can make strcmp wrapper and tries to generate a testcase that pass strcmp in one shot instead of intermediate results.
enhancement

opened by insuyun 2