diff --git a/scripts/bug_mining.py b/scripts/bug_mining.py
index 2b1d0e9..89f63d6 100644
--- a/scripts/bug_mining.py
+++ b/scripts/bug_mining.py
@@ -117,8 +117,6 @@ def progress(msg):
 # global curtail
 curtail = int(sys.argv[4])
-panda_os_string = project.get('panda_os_string', 'linux-32-debian:3.2.0-4-686-pae')
-
 lavadir = dirname(dirname(abspath(sys.argv[0])))
 progress("Entering {}".format(project['output_dir']))
@@ -190,7 +188,7 @@ def progress(msg):
 'g_debugpath': installdir,
 'h_debugpath': installdir
 })
-
+# pri_taint is almost same as Zhenghao's hypercall
 # Chaffx64 branch says these are needed?
 # if panda.arch != 'i386':
 # panda.load_plugin('hypercall')
@@ -209,7 +207,8 @@ def progress(msg):
 'pos': True,
 'cache_process_details_on_basic_block': True,
 'first_instr' : 1,
- 'use_stdin' : proc_name
+ 'use_stdin' : proc_name,
+ 'verbose' : True
 })
 else:
 panda.load_plugin("file_taint",
@@ -217,8 +216,10 @@ def progress(msg):
 'filename' : input_file_guest,
 'pos': True,
 'cache_process_details_on_basic_block': True,
- 'enable_taint_on_open': True
- })
+ 'enable_taint_on_open': True,
+ 'verbose' : True
+ })
+panda.load_plugin("pri_taint")
 # Default name is 'recording'
 # https://github.com/panda-re/panda/blob/dev/panda/python/core/pandare/panda.py#L2595
@@ -259,6 +260,8 @@ def progress(msg):
 dprint("fbi invocation: [%s]" % (subprocess.list2cmdline(fbi_args)))
 sys.stdout.flush()
+import sys
+sys.exit(0)
 try:
 subprocess.check_call(fbi_args, stdout=sys.stdout, stderr=sys.stderr)
 except subprocess.CalledProcessError as e:
diff --git a/scripts/competition.sh b/scripts/competition.sh
index 0a8756b..f5f4df7 100755
--- a/scripts/competition.sh
+++ b/scripts/competition.sh
@@ -4,7 +4,6 @@
 # Json file required params
 #
 # lava: directory of lava repository
-# pandahost: what remote host to run panda on
 trap '' PIPE
 set -e # Exit on error
diff --git a/scripts/docker-shell.sh b/scripts/docker-shell.sh
index ffef8ca..91ba3c1 100755
--- a/scripts/docker-shell.sh
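Review bot: `'verbose' : True` is hard-coded into both `file_taint` branches (this hunk and the `@@ -217` hunk after it), which turns the plugin's verbose output on for every run rather than only for debugging sessions; tie it to a configuration value instead, e.g. `'verbose' : project.get('verbose', False)` (the key name is a placeholder, `project` is the dict the file already reads). The `@@ -217` hunk also appends `panda.load_plugin("pri_taint")` after the if/else, while the comment explaining it, `# pri_taint is almost same as Zhenghao's hypercall`, lands about twenty lines earlier in the `@@ -190` hunk above the commented-out hypercall block; move the comment next to the load so the two read together. The code runs at module level and the surrounding statements start outside the hunk.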
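Review bot: `sys.exit(0)` inserted right before the `try:` terminates the script before `subprocess.check_call(fbi_args, ...)` ever runs, so with this change bug_mining.py never invokes fbi and exits successfully having done nothing; this reads as a debugging stop that should not be merged (the `exit 0` added to lava.sh after the bug_mining.py call has the same effect one level up). The accompanying `import sys` is redundant as well, since `sys.argv` and `sys.stdout.flush()` are already used earlier in the file, and a mid-module re-import only obscures the dependency list. If an early stop is wanted for experiments, gate it on an explicit setting, e.g. `if project.get('stop_after_panda'): sys.exit(0)` (key name is a placeholder), so a normal run still reaches fbi.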
+++ b/scripts/docker-shell.sh
@@ -1,17 +1,22 @@
 #!/bin/bash
-# Single argument of project name will get container name
+# Single argument of project name will get Docker name
 # from project config. Then 2nd optional argument is command to run
 # With no arguments, just give us a shell
 lava="$(dirname $(dirname $(readlink -f $0)))"
-if [ "$#" -eq 0 ]; then
- container="lava32"
-else
+# This project_name is a dummy value, we just want shell access
+project_name="toy"
+. `dirname $0`/vars.sh
+
+echo "You are connecting to the Docker container: ${dockername}"
+
+if [ "$#" -ne 0 ]; then
 project_name=$1
+ echo "using project ${project_name}"
 cmd="${@:2}"
-#Container name (lava32 or lava32debug) comes from config
+ # Docker name (lava32 or lava32debug) comes from config
 . `dirname $0`/vars.sh
 docker_map_args="-v $tarfiledir:$tarfiledir"
@@ -19,13 +24,14 @@ else
 docker_map_args="$docker_map_args -v $directory:$directory"
 fi
- if ! ( docker images ${container} | grep -q ${container} ); then
- docker build -t ${container} "$(dirname $(dirname $(readlink -f $0)))/docker/debug"
+ if ! ( docker images ${dockername} | grep -q ${dockername} ); then
+ docker build -t ${dockername} "$(dirname $(dirname $(readlink -f $0)))/docker/debug"
 fi
-
- [ "$extradockerargs" = "null" ] && extradockerargs="";
+else
+ echo "No extra args"
 fi
+[ "$extradockerargs" = "null" ] && extradockerargs="";
 whoami="$(whoami)"
 path=""
 cmd="sudo -u $whoami bash -c -- \"$cmd\""
@@ -57,4 +63,4 @@ docker run --rm -it \
 --cap-add=SYS_PTRACE \
 $docker_map_args \
 $extradockerargs \
- ${container} sh -c "trap '' PIPE; $cmd"
+ ${dockername} sh -c "trap '' PIPE; $cmd"
diff --git a/scripts/inject.sh b/scripts/inject.sh
index ae50e1e..365fef0 100755
--- a/scripts/inject.sh
+++ b/scripts/inject.sh
@@ -4,7 +4,7 @@
 # Json file required params
 #
 # lava: directory of lava repository
-# pandahost: what remote host to run panda on
+
 trap '' PIPE
 set -e # Exit on error
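Review bot: `echo "You are connecting to the Docker container: ${dockername}"` runs after the first sourcing of vars.sh with `project_name="toy"` but before the second sourcing inside `if [ "$#" -ne 0 ]`, so when a project is named the message reports the toy config's container while the `docker run` at the end of the script uses whatever the real project's config resolves `dockername` to; move the echo below the `fi` that closes this block (that `fi` is in the next hunk). Sourcing vars.sh for `toy` first also means the no-argument "just give us a shell" path now depends on a toy project config existing: vars.sh's `if [ ! -f $json ]` check is visible in its own hunk but its body is not, so if it aborts on a missing `${config_dir}/toy.json` this script fails on any host without one. The `if` block opened here closes outside the hunk.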
diff --git a/scripts/lava.py b/scripts/lava.py
index cd3b3cf..970f07c 100644
--- a/scripts/lava.py
+++ b/scripts/lava.py
@@ -576,7 +576,7 @@ def __init__(self, project):
 tar_files = subprocess.check_output(['tar', 'tf', project['tarfile']], stderr=sys.stderr)
- self.source_root = tar_files.splitlines()[0].split(os.path.sep)[0]
+ self.source_root = tar_files.decode().splitlines()[0].split(os.path.sep)[0]
 self.queries_build = join(self.top_dir, self.source_root)
 self.bugs_top_dir = join(self.top_dir, 'bugs')
diff --git a/scripts/lava.sh b/scripts/lava.sh
index 583b9c4..cd684ec 100755
--- a/scripts/lava.sh
+++ b/scripts/lava.sh
@@ -27,7 +27,6 @@
 # name: a name for this project (used to create directories)
 # inputs: a list of inputs that will be used to find potential bugs (think coverage)
 # buildhost: what remote host to build source on
-# pandahost: what remote host to run panda and postgres on
 # testinghost: what host to test injected bugs on
 # fixupscript: script to run after add_query to fix up src before make
 #
@@ -132,9 +131,9 @@ RESET_DB() {
 lf="$logs/dbwipe.log"
 truncate "$lf"
 progress "everything" 1 "Resetting lava db -- logging to $lf"
- run_remote "$buildhost" "dropdb -U postgres -h $dbhost $db || true" "$lf"
- run_remote "$buildhost" "createdb -U postgres -h $dbhost $db || true" "$lf"
- run_remote "$buildhost" "psql -d $db -h $dbhost -f $lava/tools/lavaODB/generated/lava.sql -U postgres" "$lf"
+ run_remote "$buildhost" "dropdb -U $pguser -h $dbhost $db || true" "$lf"
+ run_remote "$buildhost" "createdb -U $pguser -h $dbhost $db || true" "$lf"
+ run_remote "$buildhost" "psql -d $db -h $dbhost -f $lava/tools/lavaODB/generated/lava.sql -U $pguser" "$lf"
 run_remote "$buildhost" "echo dbwipe complete" "$lf"
 }
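Review bot: `tar_files.decode()` uses the default strict UTF-8 codec, so a single non-UTF-8 byte in any entry name of the tarball makes `__init__` raise `UnicodeDecodeError`, even though only the first path component is needed; ask for text output at the call site instead, `subprocess.check_output(['tar', 'tf', project['tarfile']], stderr=sys.stderr, universal_newlines=True)`, or decode with `errors='surrogateescape'` so undecodable names survive. Splitting on `os.path.sep` is pre-existing but worth a look while here: `tar tf` prints `/`-separated names regardless of host, so `split('/')` is the portable form. The `__init__` this sits in begins and ends outside the hunk.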
@@ -146,6 +145,7 @@ if [ $reset -eq 1 ]; then
 deldir "$directory/$name/"'*rr-*'
 # remove all plog files in the directory
 deldir "$directory/$name/*.plog"
+ deldir "$directory/$name/*.json"
 progress "everything" 0 "Truncating logs..."
 for i in $(ls "$logs" | grep '.log$'); do
 truncate "$logs/$i"
@@ -155,9 +155,6 @@ if [ $reset -eq 1 ]; then
 echo "reset complete $time_diff seconds"
 fi
-
-
-
 if [ $add_queries -eq 1 ]; then
 tick
 progress "everything" 1 "Add queries step -- btrace lavatool and fixups"
@@ -212,7 +209,7 @@ if [ $taint -eq 1 ]; then
 # If we didn't just reset the DB, we need clear out any existing taint labels before running FBI
 progress "everything" 1 "Clearing taint data from DB"
 lf="$logs/dbwipe_taint.log"
- run_remote "$buildhost" "psql -U postgres -h $dbhost -c \"delete from dua_viable_bytes; delete from labelset;\" $db" "$lf"
+ run_remote "$buildhost" "psql -U $pguser -h $dbhost -c \"delete from dua_viable_bytes; delete from labelset;\" $db" "$lf"
 fi
 progress "everything" 1 "Taint step -- running panda and fbi"
 for input in $inputs
@@ -221,16 +218,17 @@ if [ $taint -eq 1 ]; then
 lf="$logs/bug_mining-$i.log"
 truncate "$lf"
 progress "everything" 1 "PANDA taint analysis prospective bug mining -- input $input -- logging to $lf"
- run_remote "$buildhost" "$python $scripts/bug_mining.py $hostjson $project_name $input $curtail" "$lf"
+ run_remote "$buildhost" "$python $scripts/bug_mining.py $hostjson $project_name $input $curtail" "$lf"
+ exit 0
 echo -n "Num Bugs in db: "
- bug_count=$(run_remote "$buildhost" "psql -At $db -U postgres -h $dbhost -c 'select count(*) from bug'")
+ bug_count=$(run_remote "$buildhost" "psql -At $db -U $pguser -h $dbhost -c 'select count(*) from bug'")
 if [ "$bug_count" = "0" ]; then
 echo "FATAL ERROR: no bugs found"
 exit 1
 fi
 echo "Found $bug_count bugs"
 echo
- run_remote "$buildhost" "psql $db -U postgres -h $dbhost -c 'select count(*), type from bug group by type order by type'"
+ run_remote "$buildhost" "psql $db -U $pguser -h $dbhost -c 'select count(*), type from bug group by type order by type'"
 done
 tock
 echo "bug_mining complete $time_diff seconds"
diff --git a/scripts/reset_db.sh b/scripts/reset_db.sh
new file mode 100644
index 0000000..1048dda
--- /dev/null
+++ b/scripts/reset_db.sh
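Review bot: The `exit 0` added directly after the `run_remote ... bug_mining.py ...` line ends lava.sh on the first input, so the `bug_count` query, the "FATAL ERROR: no bugs found" check, `tock` and every stage after the taint step are now unreachable; this reads as a debugging stop left in, matching the `sys.exit(0)` added to bug_mining.py in the same commit. Remove it, or make it conditional on an explicit opt-in variable so a normal run still reaches the bug-count check. The removed and re-added `run_remote` line above it look identical apart from whitespace, so the hunk can shrink to the one `exit 0` line and keep the history readable. The enclosing `for input in $inputs` loop begins outside the hunk.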
@@ -0,0 +1,43 @@
+
+# Load lava-functions
+. `dirname $0`/funcs.sh
+lava=$(dirname $(dirname $(readlink -f "$0")))
+
+# defaults
+ok=0
+reset=0
+reset_db=0
+add_queries=0
+make=0
+taint=0
+inject=0
+num_trials=0
+kt=""
+demo=0
+curtail=0
+ATP_TYPE=""
+# default bugtypes
+bugtypes="ptr_add,rel_write,malloc_off_by_one"
+# default # of bugs to be injected at a time
+many=50
+
+# This is just a dummy values
+project_name="toy"
+
+. `dirname $0`/vars.sh
+
+sourcedir="$directory/$name/$source"
+bugsdir="$directory/$name/bugs"
+logs="$directory/$name/logs"
+
+RESET_DB() {
+ lf="$logs/dbwipe.log"
+ truncate "$lf"
+ progress "everything" 1 "Resetting lava db -- logging to $lf"
+ run_remote "$buildhost" "dropdb -U $pguser -h $dbhost $db || true" "$lf"
+ run_remote "$buildhost" "createdb -U $pguser -h $dbhost $db || true" "$lf"
+ run_remote "$buildhost" "psql -d $db -h $dbhost -f $lava/tools/lavaODB/generated/lava.sql -U $pguser" "$lf"
+ run_remote "$buildhost" "echo dbwipe complete" "$lf"
+}
+
+RESET_DB
diff --git a/scripts/setup_postgres.sh b/scripts/setup_postgres.sh
index 745dedb..e5be039 100755
--- a/scripts/setup_postgres.sh
+++ b/scripts/setup_postgres.sh
@@ -8,12 +8,10 @@ if [ $EUID -ne 0 ]; then
 fi
 PGPASS="${HOME}/.pgpass"
+PG_VERSION=$(psql --version | awk '{print $3}' | cut -d '.' -f 1)
 if [ ! -f "${PGPASS}" ]; then
- postgres_depends=$(dpkg-query -W -f='${depends}' 'postgresql')
- postgres_pkg=$(echo "${postgres_depends}" | grep -oP 'postgresql-[0-9]+.?[0-9]+')
- postgres_version=${postgres_pkg/postgresql-/}
- pg_hba="/etc/postgresql/${postgres_version}/main/pg_hba.conf"
+ pg_hba="/etc/postgresql/${PG_VERSION}/main/pg_hba.conf"
 postgres_password='postgrespostgres'
 $SUDO sed -i.bak -E 's/^(local\s+all\s+postgres\s+)md5$/\1peer/' "${pg_hba}"
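Review bot: The new script has no `#!` line and is added with mode 100644, so which shell runs it depends entirely on the caller, while the sourced funcs.sh/vars.sh use bash features such as `${var/x/y}`; start the file with `#!/bin/bash` and mark it executable like the sibling scripts (lava.sh and setup_postgres.sh are 100755). `RESET_DB()` is copied verbatim from lava.sh (its `@@ -132` hunk), so the two copies will drift; define it once in funcs.sh and call it from both. `project_name="toy"` is described as a dummy value, but if `$db` is derived from the project name in vars.sh (not visible here) this drops and recreates the toy project's database rather than the one the operator intends — take the project name from `$1` as lava.sh does and refuse to run without it. The `ok=0` … `many=50` defaults are never read in this file and can be dropped.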
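Review bot: `PG_VERSION` is now taken from `psql --version`, i.e. the client binary, and truncated to the major number, whereas the removed lines derived the server version from the `postgresql` package's dependencies; the two differ when a newer client is installed alongside the server, and for pre-10 servers the Debian config directory carries the minor too (`/etc/postgresql/9.6/main`), so `cut -d '.' -f 1` yields `9` and `pg_hba` points at a non-existent file. Prefer the server's own view, e.g. the version column of `pg_lsclusters`, and in any case check the path before `sed -i.bak` edits it: `[ -f "${pg_hba}" ] || { echo "pg_hba.conf not found at ${pg_hba}" >&2; exit 1; }`. The hard-coded `postgres_password='postgrespostgres'` on the context line is pre-existing, but this commit also makes it the default in vars.sh; a comment stating that this relaxed `pg_hba.conf`/known-password setup is for throwaway lab hosts only would help the next reader.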
@@ -30,7 +28,7 @@ if [ ! -f "${PGPASS}" ]; then
 fi
 # Define the PostgreSQL version
-PG_VERSION=$(psql --version | awk '{print $3}' | cut -d '.' -f 1)
+
 # Define the configuration file paths
 PG_CONF="/etc/postgresql/${PG_VERSION}/main/postgresql.conf"
diff --git a/scripts/vars.sh b/scripts/vars.sh
index a8eebb9..5182f57 100644
--- a/scripts/vars.sh
+++ b/scripts/vars.sh
@@ -25,6 +25,16 @@ output_dir="$(jq -r '.output_dir // ""' $hostjson)"
 config_dir="$(jq -r '.config_dir // ""' $hostjson)/$project_name"
 tar_dir="$(jq -r '.tar_dir // ""' $hostjson)"
 db_suffix="$(jq -r '.db_suffix // ""' $hostjson)"
+buildhost="$(jq -r '.buildhost // "localhost"' $hostjson)"
+testinghost="$(jq -r '.testinghost // "localhost"' $hostjson)"
+dockername="$(jq -r '.docker // "lava32"' $hostjson)"
+pguser="$(jq -r '.pguser // "postgres"' $hostjson)"
+pgpass="$(jq -r '.pgpass // "postgrespostgres"' $hostjson)"
+dbhost="$(jq -r '.host // "database"' $hostjson)"
+
+export PGUSER=$pguser
+export PGPASS=$pgpass
+
 json="${config_dir}/$project_name.json"
 if [ ! -f $json ]; then
@@ -66,10 +76,6 @@ if [ "$(jq -r .injfixupsscript $json)" != "null" ]; then
 injfixupsscript="${injfixupsscript/\{bug_build\}/$bug_build}"
 fi
-buildhost="$(jq -r '.buildhost // "docker"' $json)"
-# buildhost="localhost"
-pandahost="$(jq -r '.pandahost // "docker"' $json)"
-testinghost="$(jq -r '.testinghost // "docker"' $json)"
 logs="$output_dir/$name/logs"
 makecmd="$(jq -r .make $json)"
@@ -78,15 +84,8 @@ install="${install/\{config_dir\}/$config_dir}" # Format string replacement for
 post_install="$(jq -r .post_install $json)"
 install_simple=$(jq -r .install_simple $json)
 configure_cmd=$(jq -r '.configure // "/bin/true"' $json)
-container="$(jq -r '.docker // "lava32"' $json)"
 # Constants
 scripts="$lava/scripts"
-python="/usr/bin/python3"
-pdb="/usr/bin/python3 -m pdb "
-dockername="lava32"
-
-dbhost="database"
-if [ "$buildhost" = "localhost" ]; then
- dbhost="localhost"
-fi
+python="python3"
+pdb="python3 -m pdb "
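Review bot: `export PGPASS=$pgpass` has no effect on psql, dropdb or createdb: libpq reads `PGPASSWORD` for an inline password and `PGPASSFILE` for the path to a `.pgpass` file, and `PGPASS` is neither, so the value from hostjson is never used and the remote calls still depend on whatever setup_postgres.sh wrote to `${HOME}/.pgpass`. If the intent is to supply the password, write it into a pgpass file (mode 0600) rather than exporting it — an exported `PGPASSWORD` is inherited by every child process on the build host and is readable from the process environment. Defaulting `pgpass` to `'postgrespostgres'` also bakes a well-known credential into the configuration layer; leave the default empty and fail loudly when neither the key nor a pgpass file is present. `$hostjson` is unquoted in every `jq` call here, so a path containing spaces breaks; `"$hostjson"` costs nothing.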
diff --git a/tools/fbi/src/find_bug_inj.cpp b/tools/fbi/src/find_bug_inj.cpp
index c483844..135151d 100644
--- a/tools/fbi/src/find_bug_inj.cpp
+++ b/tools/fbi/src/find_bug_inj.cpp
@@ -1092,9 +1092,9 @@ int main (int argc, char **argv) {
 update_liveness(ple);
 } else if (ple.isMember("attackPoint")) {
 attack_point_lval_usage(ple);
- } else if (ple.isMember("dwarfCall")) {
+ } else if (ple.isMember("dwarf2Call")) {
 record_call(ple);
- } else if (ple.isMember("dwarfRet")) {
+ } else if (ple.isMember("dwarf2Ret")) {
 record_ret(ple);
 }
 // pandalog_free_entry(ple);
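Review bot: Renaming the keys to `dwarf2Call`/`dwarf2Ret` leaves the if/else-if chain with no final branch, so a pandalog produced by the older plugin that still emits `dwarfCall`/`dwarfRet` now passes through this loop silently and fbi ends up with no recorded calls or returns instead of an error. Add a trailing `else` that logs the unrecognised member names (or counts them and warns once after the loop), and if both plugin generations must be read, accept both spellings: `} else if (ple.isMember("dwarf2Call") || ple.isMember("dwarfCall")) {`. `main` begins and ends outside the hunk.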