Giters

ercoppa / debug-ce

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Testing Concolic Execution Through Consistency Checks

Fetch this repository

git clone https://github.com/ercoppa/debug-ce.git

Fetch our forks of the three concolic executors

  • SymCC:
git clone -b debug-ce https://github.com/ercoppa/symcc-debug-ce.git
cd symcc && git submodule init && git submodule update && cd ..
  • SymQEMU
git clone -b debug-ce https://github.com/ercoppa/debug-ce-symqemu.git
  • Fuzzolic:
git clone -b debug-ce https://github.com/season-lab/fuzzolic.git
cd fuzzolic && git submodule init && git submodule update && cd ..

Enable/disable our fixes

Edit config.h to enable or disable a fix.

Build a container

To build the container:

cd runner && docker build -t ercoppa/debug-ce -f ./Dockerfile ../

Runner script

We devised a script run.py in tests/ for launching the experiments. The script has the following syntax:

$ ./run.py --help
usage: run.py [-h] [-n] [-e] [-f] [-o {eval,smt}] [-p {eval,smt}] [-i] [-c] [-w WORKDIR] [-b] [-g] -t {symcc,symqemu,fuzzolic} -s {simple,real} <program>

Run benchmarks for debug-ce

positional arguments:
  <program>             Program to run during the experiment

optional arguments:
  -h, --help            show this help message and exit
  -n, --count           Count checks and inconsistencies
  -e, --expr            Check expression consistency
  -f, --fuzz            Fuzz expressions
  -o {eval,smt}, --opt {eval,smt}
                        Check optimizations
  -p {eval,smt}, --path {eval,smt}
                        Check path constraints
  -i, --input           Check generated inputs
  -c, --cont            Do not abort on inconsistency
  -w WORKDIR, --workdir WORKDIR
                        Workir
  -b, --build           (Re)Build tool
  -g, --gdb             Run under GDB
  -t {symcc,symqemu,fuzzolic}, --tool {symcc,symqemu,fuzzolic}
                        Concolic executor to use during the experiment
  -s {simple,real}, --scenario {simple,real}
                        Simpliefied programs or real-world programs

The strategies can selected by following this mapping:

  • C1A: -e
  • C1B: -f
  • C2A: -p eval (or -p smt to use the variant based on the SMT solver)
  • C2B: -i
  • C3A: -o eval
  • C3B: -o smt

Replay simplified scenario

$ docker run -ti --cap-add SYS_ADMIN --rm -w /debug-ce --name debug-ce-run-`date "+%y%m%d-%H%M"` bash
$ cd tests
$ ./run.py -t <tool> -s simple <check strategy> <program>

where:

  • <tool> is one of {symcc, fuzzolic, symqemu}
  • <check strategy> is one of the option described in the previous section
  • <program> is one of {S1A, S1B, S2A, S2B, S3, S4, S4A, S4B, S5, S6, S7}

Replay real-world scenario

$ docker run -ti --cap-add SYS_ADMIN --rm -w /debug-ce --name debug-ce-run-`date "+%y%m%d-%H%M"` bash
$ cd tests/benchmarks
$ ./rebuild.sh # build programs
$ ./run.py -t <tool> -s real <check strategy> <program>

where:

  • <tool> is one of {symcc, fuzzolic, symqemu}
  • <check strategy> is one of the option described in the previous section
  • <program> is one of {01-objdump, 02-readelf, 03-tcpdump, 04-bsdtar, 05-libpng, 06-libtiff}

About

Languages

Language:C 80.8%Language:Python 8.1%Language:Shell 6.3%Language:Dockerfile 3.0%Language:Makefile 1.8%