Basic Tutorial
A basic tutorial of testing a real-world DeepState harness with fuzzing and symbolic execution.
From deepstate-test-suite, let's check out the tweetnacl test case. This harness exposes a carry mis-propagation bug from an earlier version of the library, specifically in the pack25519 function. Since tweetnacl is especially portable, we integrate the functionality we need from the library directly into the test case, without having to compile the whole separate library alongside it.
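As an added illustration (not the deepstate-test-suite harness itself), here is the pack25519 under test, transcribed with its carry and select helpers from the current public-domain tweetnacl source, followed by the kind of oracle a harness can assert on it: the packed bytes must encode a value strictly below the field prime p = 2^255-19, so limb vectors holding p, p+1 and 2p must freeze to the same canonical bytes as 0, 1 and 0. The oracle function names and the unreduced limb inputs are constructed for this example and are assumptions, not values from the test case.

```cpp
#include <cstdint>
#include <cstring>
typedef int64_t gf[16];  // tweetnacl field element: 16 limbs, radix 2^16
// Carry propagation across limbs; the top carry wraps around as 38 = 2*19.
static void car25519(gf o) {
  for (int i = 0; i < 16; i++) {
    o[i] += (1LL << 16);
    int64_t c = o[i] >> 16;
    o[(i + 1) * (i < 15)] += c - 1 + 37 * (c - 1) * (i == 15);
    o[i] -= c << 16;
  }
}
// Constant-time swap of p and q when b == 1 (no data-dependent branch).
static void sel25519(gf p, gf q, int b) {
  int64_t c = ~(int64_t)(b - 1);
  for (int i = 0; i < 16; i++) {
    int64_t t = c & (p[i] ^ q[i]);
    p[i] ^= t; q[i] ^= t;
  }
}
// Freeze n to canonical bytes: two rounds of "subtract p, keep it if no borrow".
static void pack25519(unsigned char *o, const gf n) {
  gf m, t;
  memcpy(t, n, sizeof(gf));
  car25519(t); car25519(t); car25519(t);
  for (int j = 0; j < 2; j++) {
    m[0] = t[0] - 0xffed;
    for (int i = 1; i < 15; i++) {
      m[i] = t[i] - 0xffff - ((m[i - 1] >> 16) & 1);
      m[i - 1] &= 0xffff;  // clear the borrow bit once it has been consumed
    }
    m[15] = t[15] - 0x7fff - ((m[14] >> 16) & 1);
    int b = (m[15] >> 16) & 1;  // borrow set means t < p: keep t
    m[14] &= 0xffff;
    sel25519(t, m, 1 - b);
  }
  for (int i = 0; i < 16; i++) {
    o[2 * i] = (unsigned char)(t[i] & 0xff);
    o[2 * i + 1] = (unsigned char)(t[i] >> 8);
  }
}
// Oracle (constructed name): a packed value must be strictly below 2^255 - 19.
bool encodes_below_p(const unsigned char o[32]) {
  unsigned char p[32]; memset(p, 0xff, 32); p[0] = 0xed; p[31] = 0x7f;
  for (int i = 31; i >= 0; i--) if (o[i] != p[i]) return o[i] < p[i];
  return false;  // equal to p is not canonical either
}
// What a DeepState TEST body would do with a symbolic limb vector (constructed).
bool check_pack(const gf n, unsigned char out[32]) { pack25519(out, n); return encodes_below_p(out); }
```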
Let's start by compiling the harness normally, linking it with an uninstrumented DeepState static library:
$ clang++ test_tweetnacl_bug.cpp -ldeepstate -o test
With test built, we can now run it under our supported symbolic executors:
$ deepstate-angr ./test
$ deepstate-manticore ./test
TODO: crash deduplication
Symbolic execution may not be the optimal technique even for seemingly small test cases like this one, so let's try a different strategy: fuzzing.
With DeepState and its executor frontends installed, let's compile the harness through one of them:
# compile with AFL instrumentation
$ deepstate-afl --compile_test test_tweetnacl_bug.cpp
With little effort, we have created an instrumented binary ready for fuzzing:
# initialize seeds
$ mkdir seeds/
$ echo 000000000000000000000000 > seeds/seed
# start fuzzing
$ deepstate-afl -i seeds ./out.afl
Hmmm, fuzzing with AFL seems like the usual modus operandi, so what about using a smarter fuzzer? Let's try fuzzing again, but this time with Angora:
# compile our instrumented binaries
$ deepstate-angora --compile_test test_tweetnacl_bug.cpp
# start fuzzing
$ deepstate-angora -i seeds ./out.taint ./out.fast
The Angora frontend executor is a great example of how much we can simplify our fuzzing workflow, as it does a lot of the heavy lifting for configuring taint tracking (i.e., generating a list of black-boxed ABI calls).
TODO