CompDiff

CompDiff is the tool behind the research paper Finding Unstable Code via Compiler-Driven Differential Testing, published at ASPLOS 2023. It builds a target with several compiler configurations, fuzzes all of the resulting binaries on the same inputs, and reports inputs on which their outputs disagree.

Building CompDiff

Clone this repository and cd to its root directory, then run preinstall.sh to install the necessary packages.

To build:

$ ./diff-build.sh

By default, this script builds 10 compiler configurations: clang at -O0, -O1, -O2, -O3 and -Os, and gcc at -O0, -O1, -O2, -O3 and -Os. Edit ./compilers/config to choose your own compiler configurations. For example,

    {
        "CC": "/usr/bin/clang", // CC path
        "CXX": "/usr/bin/clang++",  // CXX path
        "configs": [
            "-O0",  // compiler flags
            "-O1"
        ]
    },

After the build, you will find 10 C/C++ compiler instances (diff-cc-* / diff-cxx-*) in ./compilers/, one per configuration. Next, use them to instrument your target.

Instrumenting Binaries

We provide diff-instrument.sh for instrumenting a target with each of the compiler configurations built in the previous step. It takes the target's build script as its parameter.

We provide two example scripts in examples/xpdf and examples/libtiff. For example, to build pdftotext, run

$ ./diff-instrument.sh ./examples/xpdf/build.sh

After instrumenting, you will find 10 binaries in examples/xpdf/bin/, where pdftotext is the normal AFL-instrumented binary and pdftotext-* are the CompDiff-instrumented binaries. Please refer to these example build scripts for a detailed explanation. It is important that all of these binaries are located in the same directory and follow this naming scheme, because afl-fuzz locates the variants relative to the main binary.

Fuzzing

To fuzz xpdf with CompDiff, run

$ ./aflpp/afl-fuzz -y 10 -i examples/xpdf/seeds -o examples/xpdf/findings -- ./examples/xpdf/bin/pdftotext @@ -

-y specifies the number of compiler configurations to use. All bug-triggering inputs found are saved to examples/xpdf/findings/default/diffs. Since pdftotext writes its output to stdout, CompDiff captures it automatically. For targets that write their output to a file, use -Y to specify the output file name.

For example, to fuzz libtiff, run

$ ./aflpp/afl-fuzz -y 10 -i examples/libtiff/seeds -o examples/libtiff/findings -Y "out.file" -- ./examples/libtiff/bin/tiffcp -M -i @@ out.file

where -Y "out.file" tells CompDiff that the target will use "out.file" as the output file.

Post-processing

Many of the saved inputs may be false positives caused by short timeouts or by randomness in the program's output. We provide a Python script that re-runs each input and filters out these cases. For example, the following command filters the inputs found for xpdf

$ python3 diff-post.py --bin ./examples/xpdf/bin/pdftotext --args "@@ -" -y 10 -r 1 -i examples/xpdf/findings/diffs -o ./out

and this command filters the inputs found for libtiff

$ python3 diff-post.py --bin ./examples/libtiff/bin/tiffcp --args "-M -i @@ out.file" --out_file "out.file" -y 10 -r 1 -i examples/libtiff/findings/diffs -o ./out

The inputs that really trigger bugs are saved to ./out/diffs/ and their outputs to ./out/outputs/. Inputs that time out are saved to ./out/timeouts. Run python3 diff-post.py -h for help.
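The fuzzing and post-processing steps above both rest on one check: run every compiler configuration's binary on the same input, compare what each one produced (stdout, or the file named with -Y / --out_file), and report the input only if the configurations disagree with each other but agree with themselves across repeated runs. The following script, added here for this page and not the project's diff-post.py, shows that check in working form. It assumes the per-configuration binaries are given as explicit argv templates using AFL's @@ placeholder; the shell commands that stand in for compiled binaries in demo() are constructed for the example only.

```python
"""Re-execution differential check, illustrative code written for this page.

Each "configuration" is an argv template in which "@@" is replaced by the
input path (the AFL convention). An input is reported as a real discrepancy
only when the configurations disagree consistently: any timeout, or any
configuration that disagrees with itself across repeated runs, disqualifies it.
"""

import hashlib
import os
import shutil
import subprocess
import tempfile

PLACEHOLDER = "@@"


def run_once(argv, input_path, timeout, out_file=None, cwd=None):
    """Run one configuration once and return a digest of its output, or None
    on timeout. If out_file is given, that file (relative to cwd) is hashed
    instead of stdout, mirroring afl-fuzz -Y and diff-post.py --out_file."""
    cmd = [input_path if a == PLACEHOLDER else a for a in argv]
    target = os.path.join(cwd or ".", out_file) if out_file else None
    if target and os.path.exists(target):
        os.remove(target)  # never compare a stale file left by a previous run
    try:
        proc = subprocess.run(cmd, cwd=cwd, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return None
    if target:
        data = open(target, "rb").read() if os.path.exists(target) else b""
    else:
        data = proc.stdout
    # Fold the exit status into the digest: a crash under one optimization
    # level but not another is a discrepancy too, even if the output matches.
    return hashlib.sha256(str(proc.returncode).encode() + b"\0" + data).hexdigest()


def classify(input_path, configs, runs=1, timeout=5.0, out_file=None, cwd=None):
    """Return 'timeout', 'flaky', 'diff' or 'same' for one input."""
    per_config = []
    for argv in configs:
        digests = set()
        for _ in range(runs):
            digest = run_once(argv, input_path, timeout, out_file, cwd)
            if digest is None:
                return "timeout"
            digests.add(digest)
        if len(digests) > 1:
            return "flaky"  # nondeterministic program, not a compiler-visible bug
        per_config.append(digests.pop())
    return "diff" if len(set(per_config)) > 1 else "same"


def triage(input_dir, configs, out_dir, **kw):
    """Sort every file in input_dir into out_dir/{diffs,timeouts,flakys}.
    Returns (counts per verdict, verdict per file name)."""
    counts = {"diff": 0, "timeout": 0, "flaky": 0, "same": 0}
    verdicts = {}
    for name in sorted(os.listdir(input_dir)):
        path = os.path.join(input_dir, name)
        if not os.path.isfile(path):
            continue
        verdict = classify(path, configs, **kw)
        counts[verdict] += 1
        verdicts[name] = verdict
        if verdict != "same":
            dest = os.path.join(out_dir, verdict + "s")
            os.makedirs(dest, exist_ok=True)
            shutil.copy(path, os.path.join(dest, name))
    return counts, verdicts


def demo():
    """Constructed sample corpus. Two shell commands stand in for the -O0 and
    -O2 builds of a target; the second upper-cases its input, playing the role
    of a build whose output diverges on some inputs. Returns the verdicts for
    the stdout-comparing run and for the output-file (-Y style) run."""
    work = tempfile.mkdtemp(prefix="compdiff-demo-")
    inputs = os.path.join(work, "findings")
    os.makedirs(inputs)
    for name, data in {"digits": b"12345\n", "letters": b"hello\n", "empty": b""}.items():
        with open(os.path.join(inputs, name), "wb") as f:
            f.write(data)
    stdout_configs = [["cat", PLACEHOLDER],
                      ["sh", "-c", 'tr a-z A-Z < "$1"', "sh", PLACEHOLDER]]
    file_configs = [["sh", "-c", 'cat "$1" > out.file', "sh", PLACEHOLDER],
                    ["sh", "-c", 'tr a-z A-Z < "$1" > out.file', "sh", PLACEHOLDER]]
    _, by_stdout = triage(inputs, stdout_configs, os.path.join(work, "out"), runs=2)
    _, by_file = triage(inputs, file_configs, os.path.join(work, "out-file"),
                        runs=2, out_file="out.file", cwd=work)
    return {"stdout": by_stdout, "out_file": by_file}


if __name__ == "__main__":
    print(demo())
```

Only "letters" is reported as a diff in both modes: "digits" and "empty" produce identical output under both stand-in builds, and a configuration that times out or produces different output on repeated runs never reaches the diffs directory. The exit status is hashed together with the output so that a crash in one configuration is not masked by identical partial output.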

compdiff's Issues

fails to build with XCode 15

With macOS 14 and XCode 15, I get the following compiler errors when attempting to build with ./diff-build.sh:

$ CompDiff git:(main) ✗ ./diff-build.sh
[*] Compiling afl++ for OS Darwin on ARCH arm64
[!] Note: skipping x86 compilation checks (AFL_NO_X86 set).
[+] shmat seems to be working.
[-] You seem to need to install the package python3-dev, python2-dev or python-dev (and perhaps python[23]-apt), but it is optional so we continue
[+] Everything seems to be working, ready to compile.
clang -O3 -funroll-loops  -g -Wno-pointer-sign -Wno-variadic-macros -Wall -Wextra -Wpointer-arith -I include/ -DAFL_PATH=\"/usr/local/lib/afl\" -DBIN_PATH=\"/usr/local/bin\" -DDOC_PATH=\"/usr/local/share/doc/afl\"  -flto=full src/afl-fuzz-bitmap.c src/afl-fuzz-cmplog.c src/afl-fuzz-extras.c src/afl-fuzz-init.c src/afl-fuzz-mutators.c src/afl-fuzz-one.c src/afl-fuzz-python.c src/afl-fuzz-queue.c src/afl-fuzz-redqueen.c src/afl-fuzz-run.c src/afl-fuzz-state.c src/afl-fuzz-stats.c src/afl-fuzz-statsd.c src/afl-fuzz.c src/diff-afl-forkserver.c src/diff-afl-fuzz-init.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o -o afl-fuzz  -L/opt/homebrew/opt/qt@5/lib -lcrypto -lssl -lm
src/afl-fuzz-init.c:2634:19: warning: expression which evaluates to zero treated as a null pointer constant of type 'u8 *' (aka 'unsigned char *') [-Wnon-literal-null-conversion]
        laf_loc = '\0';
                  ^~~~
1 warning generated.
src/afl-fuzz-redqueen.c:1563:20: warning: variable 'cons_0' set but not used [-Wunused-but-set-variable]
  u8  cons_ff = 0, cons_0 = 0;
                   ^
1 warning generated.
src/afl-fuzz.c:1534:7: error: call to undeclared function 'pthread_set_qos_class_self_np'; ISO C99 and later do not support implicit function declarations [-Wimplicit-function-declaration]
  if (pthread_set_qos_class_self_np(QOS_CLASS_USER_INTERACTIVE, 0) != 0) {
      ^
1 error generated.
src/diff-afl-forkserver.c:54:10: fatal error: 'openssl/md5.h' file not found
#include <openssl/md5.h>
         ^~~~~~~~~~~~~~~
1 error generated.
src/diff-afl-fuzz-init.c:54:31: warning: comparison of integers of different signs: 'int' and 'u32' (aka 'unsigned int') [-Wsign-compare]
  for (int idx_com=0; idx_com < afl->diff_num; idx_com++) {
                      ~~~~~~~ ^ ~~~~~~~~~~~~~
src/diff-afl-fuzz-init.c:66:31: warning: comparison of integers of different signs: 'int' and 'u32' (aka 'unsigned int') [-Wsign-compare]
  for (int idx_com=0; idx_com < afl->diff_num; idx_com++) {
                      ~~~~~~~ ^ ~~~~~~~~~~~~~
2 warnings generated.
make: *** [afl-fuzz] Error 1
