KleeFL - Seeding Fuzzers With Symbolic Execution
Prepare the dependencies yourself, or simply grab the provisioned Vagrant box:
http://bit.ly/download_kleefl_box
Set up a project structure like this:
mkdir project_xyz
cd project_xyz
python /vagrant/tools/kleefl_init
Select your source code, e.g.:
cp -r /vagrant/example source
Build source using wllvm & afl-clang
cd source
python /vagrant/tools/kleefl_build make
Run klee symbolic execution, using the default setup
Prepare klee's findings for afl-fuzz
python /vagrant/tools/kleefl_prepare_fuzzing
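The preparation step above turns the test cases KLEE emitted (one .ktest file per explored path) into plain input files that afl-fuzz can use as seeds. The following is an added example of that conversion, not the project's own kleefl_prepare_fuzzing script. It assumes KLEE's KTest v3 binary layout (big-endian uint32 lengths, as written by KLEE's KTest.cc), and that the symbolic input to seed with is the object KLEE's POSIX runtime names "A-data" (the first symbolic file); the object name, the size cap and the sample test cases built in `demo()` are constructed for the example.

```python
"""Convert KLEE .ktest files into deduplicated AFL seed inputs.

Added example (not KleeFL's own code). Assumes the KTest v3 file layout:
  magic "KTEST" | u32 version | u32 numArgs | {u32 len, bytes}*numArgs
  | u32 symArgvs | u32 symArgvLen | u32 numObjects
  | {u32 nameLen, name, u32 dataLen, data}*numObjects   (all u32 big-endian)
"""
import hashlib
import os
import struct

KTEST_MAGIC = b"KTEST"
BOUT_MAGIC = b"BOUT\n"   # pre-v3 magic; same layout, handled for completeness
SEED_OBJECT = "A-data"   # assumption: KLEE POSIX runtime name of the first symbolic file
MAX_SEED_BYTES = 1024 * 1024  # constructed cap: AFL gets slow on very large seeds


def _u32(buf, off):
    return struct.unpack(">I", buf[off:off + 4])[0], off + 4


def _blob(buf, off):
    n, off = _u32(buf, off)
    return buf[off:off + n], off + n


def parse_ktest(data):
    """Return (args, objects); objects is a list of (name, bytes)."""
    if data[:5] not in (KTEST_MAGIC, BOUT_MAGIC):
        raise ValueError("not a KTEST file")
    off = 5
    version, off = _u32(data, off)
    if version > 3:
        raise ValueError("unsupported KTEST version %d" % version)
    num_args, off = _u32(data, off)
    args = []
    for _ in range(num_args):
        a, off = _blob(data, off)
        args.append(a.decode("utf-8", "replace"))
    if version >= 2:               # symArgvs / symArgvLen only exist from v2 on
        _sym_argvs, off = _u32(data, off)
        _sym_argv_len, off = _u32(data, off)
    num_objects, off = _u32(data, off)
    objects = []
    for _ in range(num_objects):
        name, off = _blob(data, off)
        body, off = _blob(data, off)
        objects.append((name.decode("utf-8", "replace"), body))
    return args, objects


def build_ktest(args, objects, version=3):
    """Serialize a KTest v3 file; used here only to construct sample input."""
    out = [KTEST_MAGIC, struct.pack(">I", version), struct.pack(">I", len(args))]
    for a in args:
        b = a.encode()
        out += [struct.pack(">I", len(b)), b]
    out += [struct.pack(">I", 0), struct.pack(">I", 0)]  # symArgvs, symArgvLen
    out.append(struct.pack(">I", len(objects)))
    for name, body in objects:
        n = name.encode()
        out += [struct.pack(">I", len(n)), n, struct.pack(">I", len(body)), body]
    return b"".join(out)


def extract_seeds(ktests, object_name=SEED_OBJECT, max_size=MAX_SEED_BYTES):
    """ktests: iterable of (label, raw_bytes). Returns {label: seed_bytes}.

    KLEE frequently reaches different paths with byte-identical inputs, so
    seeds are deduplicated by content hash; oversized inputs are dropped.
    """
    seeds, seen = {}, set()
    for label, raw in ktests:
        _, objects = parse_ktest(raw)
        for name, body in objects:
            if name != object_name or len(body) > max_size:
                continue
            digest = hashlib.sha256(body).hexdigest()
            if digest in seen:
                continue
            seen.add(digest)
            seeds[label] = body
    return seeds


def write_seed_dir(klee_out_dir, afl_in_dir):
    """Read every *.ktest under klee_out_dir and write unique seeds to afl_in_dir."""
    files = sorted(f for f in os.listdir(klee_out_dir) if f.endswith(".ktest"))
    ktests = []
    for f in files:
        with open(os.path.join(klee_out_dir, f), "rb") as fh:
            ktests.append((f, fh.read()))
    os.makedirs(afl_in_dir, exist_ok=True)
    seeds = extract_seeds(ktests)
    for label, body in seeds.items():
        with open(os.path.join(afl_in_dir, label[:-len(".ktest")] + ".seed"), "wb") as fh:
            fh.write(body)
    return len(seeds)


def demo():
    """Constructed sample: three KLEE tests, two of them with identical input."""
    k1 = build_ktest(["./prog"], [("model_version", b"\x01\x00\x00\x00"), ("A-data", b"GET /")])
    k2 = build_ktest(["./prog"], [("A-data", b"GET /")])        # duplicate of k1's input
    k3 = build_ktest(["./prog"], [("A-data", b"POST /x")])
    return extract_seeds([("test000001.ktest", k1), ("test000002.ktest", k2), ("test000003.ktest", k3)])


if __name__ == "__main__":
    for label, body in demo().items():
        print(label, body)
```

Usage against a real run would be `write_seed_dir("klee-last", "fuzz/in")`; the returned count tells you how many distinct seeds survived deduplication, which is usually far fewer than the number of .ktest files KLEE produced.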
Finally: Fuzz, fuzz, fuzz!
./kleefl_crash_inspector fuzz/out
(fuzz/out is the AFL sync directory; the report is saved by default in the Vagrant shared directory /vagrant/crash_report/)
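A first pass over an AFL sync directory usually groups the crash files by the signal that killed the target and by the queue entry they were mutated from, so that hundreds of files collapse into a handful of candidates to debug. The block below is an added example of that triage, not KleeFL's kleefl_crash_inspector. It assumes afl-fuzz's standard crash-file naming (`id:NNNNNN,sig:SS,src:NNNNNN[+NNNNNN],op:...`) and the `<sync_dir>/<fuzzer>/crashes/` layout; the sample file names in `demo()` are constructed.

```python
"""Group AFL crash files by signal and originating queue entry.

Added example (not KleeFL's own code). Assumes afl-fuzz's crash file naming,
e.g. "id:000003,sig:11,src:000012,op:havoc,rep:4", and the directory layout
<sync_dir>/<fuzzer_name>/crashes/.
"""
import os
import re
from collections import defaultdict

# src may be a single queue id or "a+b" for a splice of two queue entries
_CRASH_RE = re.compile(r"^id:(?P<id>\d+),sig:(?P<sig>\d+),src:(?P<src>\d+(?:\+\d+)?)")


def parse_crash_name(name):
    """Return {'id': int, 'sig': int, 'src': (int, ...)} or None for non-crash files."""
    m = _CRASH_RE.match(name)
    if not m:
        return None               # e.g. AFL's README.txt inside crashes/
    return {
        "id": int(m.group("id")),
        "sig": int(m.group("sig")),
        "src": tuple(int(s) for s in m.group("src").split("+")),
    }


def group_crashes(names):
    """Map (signal, src) -> sorted crash ids. Keys with many ids are likely one bug."""
    groups = defaultdict(list)
    for n in names:
        info = parse_crash_name(n)
        if info is None:
            continue
        groups[(info["sig"], info["src"])].append(info["id"])
    return {k: sorted(v) for k, v in groups.items()}


def summarize_sync_dir(sync_dir):
    """Walk every fuzzer instance's crashes/ directory and group all names."""
    names = []
    for fuzzer in sorted(os.listdir(sync_dir)):
        crash_dir = os.path.join(sync_dir, fuzzer, "crashes")
        if os.path.isdir(crash_dir):
            names.extend(os.listdir(crash_dir))
    return group_crashes(names)


def report(groups):
    """Render the grouping as text lines, most populous group first."""
    lines = []
    for (sig, src), ids in sorted(groups.items(), key=lambda kv: -len(kv[1])):
        src_txt = "+".join("%06d" % s for s in src)
        lines.append("sig %2d  src %s  %3d crash(es), first id %06d" % (sig, src_txt, len(ids), ids[0]))
    return lines


def demo():
    """Constructed sample of a crashes/ listing as afl-fuzz would name the files."""
    sample = [
        "README.txt",
        "id:000000,sig:11,src:000012,op:flip1,pos:0",
        "id:000001,sig:11,src:000012,op:havoc,rep:8",
        "id:000002,sig:06,src:000034,op:arith8,pos:3,val:+7",
        "id:000003,sig:11,src:000012+000034,op:splice,rep:2",
    ]
    return group_crashes(sample)


if __name__ == "__main__":
    for line in report(demo()):
        print(line)
```

Grouping by (signal, source entry) is only a coarse proxy for "same bug"; confirming that two crashes share a root cause still needs a run under a debugger or sanitizer, which is what a crash report step like the one above feeds into.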
Analyze coverage & generate report
python kleefl_cov_inspector {make, binary fuzz/sync_dir}
zcov genhtml coverage.zcov cov_report