Fastgen (forked from Angora) is a continous concolic exection driver with a FIFO seed queue. In the front-end, it uses SymSan to collect the constraints. In the backend, it uses Z3 or JIGSAW as its solver.
cd usenix
docker build -t usenix .
Run docker image interactively and disable SymCC solving
docker run -it --ulimit core=0 usenix /bin/bash
cd /symcc
patch -p1 < /src/symcc_nosolve.patch
cd build
rm -rf libSymbolize.so
ninja
- Run Native
cd /src/nbench_native
./nbench
- Run SymSan
cd /src/nbench_symsan
./nbench
- Run SymCC
cd /src/nbench_symcc
SYMCC_NO_SYMBOLIC_INPUT=1 ./nbench
- Run SymQEMU
cd /src/nbench_native
SYMCC_NO_SYMBOLIC_INPUT=1 /symqemu/build/x86_64-linux-user/symqemu-x86_64 ./nbench
- Run Native
cd /src/cgc_programs/build
./run_native.sh
2.1 Run SymSan (No solve)
cd /src/cgc_programs/build_symsannosolve
./run_symsan.sh
2.2 Run SymSan (Pure Taint) - Apply the pure taint patch, and rebuild symsan
cd /symsan
git reset --hard
patch -p1 < /src/ablation_symsan.patch
./build/build.sh
cd /src/
rm -rf build_symsannosolve
./build_symsannosolve.sh
cd /src/cgc_programs/build_symsannosolve
./run_symsan.sh
3.1 Run SymCC (No solve)
cd /src/cgc_programs/build_symcc
./run_symcc.sh
3.2 Run SymCC (Pure Taint) - Apply the pure taint patch, and rerun
cd /symcc
git reset --hard
patch -p1 < /src/ablation.patch
cd build
ninja
cd /src/cgc_programs/build_symcc
./run_symcc.sh
- Run SymQEMU
cd /src/cgc_programs/build
/src/cgc_programs/build/run_symqemu.sh
- Run Native (objdump)
cd /src/build-programs-native
./run_native_time.sh /out/real_seeds/objdump_reduced objdump -D
- Run SymSan (objdump)
cd /src/build-programs-symsannosolve
./run_symsan_time.sh /out/real_seeds/objdump_reduced objdump -D
2.2 Run SymSan - Pure Taint, apply the patch and rebuild
cd /symsan
git reset --hard
patch -p1 < /src/ablation_symsan.patch
./build/build.sh
git clone https://github.com/chenju2k6/build-programs.git /src/build-programs-symsanpuretaint
cd /src/build-programs-symsanpuretaint && ./build_symsan.sh
./run_symsan_time.sh /out/real_seeds/objdump_reduced objdump -D
3.1 Run SymCC (objdump)
cd /src/build-programs-symcc
./run_symcc_time.sh /out/real_seeds/objdump_reduced objdump -D
3.2 Run SymCC (Pure Taint) - Apply the pure taint patch, and rerun
cd /symcc
git reset --hard
patch -p1 < /src/ablation.patch
cd build
ninja
cd /src/cgc_programs/build_symcc
./run_symcc.sh
cd /src/build-programs-symcc
./run_symcc_time.sh /out/real_seeds/objdump_reduced objdump -D
- Run SymQEMU (objdump)
cd /src/build-programs-native
./run_symqemu_time.sh /out/real_seeds/objdump_reduced objdump -D
- Run Native
cd /src/build-programs-native
./run_native_mem.sh /out/real_seeds/objdump_reduced objdump -D
2.1 Run SymSan
cd /src/build-programs-symsannosolve
./run_symsan_mem.sh /out/real_seeds/objdump_reduced objdump -D
2.2 Run SymSan - with QSYM backend (rebuild)
cd /symsan
git reset --hard
patch -p1 < /src/qsym.patch
./build/build.sh
git clone https://github.com/chenju2k6/build-programs.git /src/build-programs-symsanqsym
cd /src/build-programs-symsanqsym && ./build_symsan.sh
./run_symsan_mem.sh /out/real_seeds/objdump_reduced objdump -D
- Run SymCC
Don't forget to re-apply symcc_nosolve.patch
cd /symcc
git reset --hard
patch -p1 < /src/symcc_nosolve.patch
cd build
ninja
cd /src/build-programs-symcc
./run_symcc_mem.sh /out/real_seeds/objdump_reduced objdump -D
Re-enable SymCC's solving
cd /symcc
git reset --hard
cd build
rm -rf libSymbolize.so
ninja
- Run SymSan
cd /src/cgc_programs/build_symsan
./run_symsan.sh
- Run SymCC
cd /src/cgc_programs/build_symcc
./run_symcc.sh
- Run SymCC (objdump)
cd /src/build-programs-symcc
./run_symcc_time.sh /out/real_seeds/objdump_reduced objdump -D
- Run SymSan
Patch SymSan
cd /symsan && git reset && patch -p1 < /src/symsan_cov.patch
./build/build.sh
cp target/release/fastgen /src/build-programs
Run objdump (560 is the number of inputs, see paper's Table 3 for all other programs)
cd /src/build-programs
./fuzzer.sh 560 objdump -D &> objdump.log
Other programs
./fuzzer.sh 604 readelf -a &> readelf.log
./fuzzer.sh 249 nm -C &> nm.log
./fuzzer.sh 207 size &> size.log
./fuzzer.sh 1952 xml &> xml.log
./fuzzer.sh 770 proj &> proj.log
./fuzzer.sh 526 vorbis &> vorbis.log
./fuzzer.sh 1073 re2 &> re2.log
./fuzzer.sh 548 woff2 &> woff2.log
./fuzzer.sh 218 libpng &> libpng.log
./fuzzer.sh 846 libjpeg &> libjpeg.log
./fuzzer.sh 157 lcms &> lcms.log
./fuzzer.sh 4789 freetype &> freetype.log
./fuzzer.sh 2955 harfbuzz &> harfbuzz.log
./fuzzer.sh 450 json &> json.log
./fuzzer.sh 268 openthread &> openthread.log
./fuzzer.sh 1577 openssl &> openssl.log
./fuzzer.sh 491 dtls &> dtls.log
./fuzzer.sh 5253 sqlite &> sqlite.log
./fuzzer.sh 1343 curl &> curl.log
Run the forked magma with SymSan added
https://github.com/chenju2k6/magma
The below link contains the SymSan patch we sent to Google's Fuzzbench team
https://drive.google.com/file/d/1fQTCzWJJkzc6QK1q-m7aIfyQWGtp85bJ/view?usp=sharing