Merge pull request #193 from aaron-suarez/dockerize-this

Dockerize the repository

.travis.yml

@@ -3,6 +3,8 @@ sudo: true
 language: python
 python:
   - 3.6.5
+services:
+- docker
 install:
 - sudo apt-get -y update
 - sudo apt-get -y install build-essential gcc-multilib cmake python3-pip python3-setuptools libffi-dev python3-nose
@@ -42,4 +44,6 @@ script:
 - if [ $TASK = PRIMES ]; then nosetests3 tests/test_primes.py ; fi
 #- if [ $TASK = STREAMINGANDFORMATTING ]; then nosetests3 tests/test_streamingandformatting.py ; fi
 - if [ $TASK = TAKEOVER ]; then nosetests3 tests/test_takeover.py ; fi
+after_success:
+- bash push/run.sh
 

README.md

@@ -2,7 +2,7 @@
 
 [![Slack Chat](http://empireslacking.herokuapp.com/badge.svg)](https://empireslacking.herokuapp.com/)
 
-[![Build Status](https://travis-ci.org/trailofbits/deepstate.svg?branch=master)](https://travis-ci.org/trailofbits/deepstate) 
+[![Build Status](https://travis-ci.org/trailofbits/deepstate.svg?branch=master)](https://travis-ci.org/trailofbits/deepstate)
 
 DeepState is a framework that provides C and C++ developers with a common interface to various symbolic execution and fuzzing engines. Users can write one test harness using a Google Test-like API, then execute it using multiple backends without having to learn the complexities of the underlying engines. It supports writing unit tests and API sequence tests, as well as automatic test generation. Read more about the goals and design of DeepState in our [paper](https://agroce.github.io/bar18.pdf).
 
@@ -131,6 +131,22 @@ argument to see all DeepState options.
 
 If you want to use DeepState in C/C++ code, you will likely want to run `sudo make install` from the `$DEEPSTATE/build` directory as well.  The examples mentioned below (file system, databases) assume this has already been done.
 
+### Docker
+
+You can also try out Deepstate with Docker, which is the easiest way
+to get all the fuzzers and tools up and running on any system.
+
+```bash
+$ docker build -t deepstate . -f docker/Dockerfile
+$ docker run -it deepstate bash
+user@0f7cccd70f7b:~/deepstate/build/examples$ cd deepstate/build/examples
+user@0f7cccd70f7b:~/deepstate/build/examples$ deepstate-angr ./Runlen
+user@0f7cccd70f7b:~/deepstate/build/examples$ deepstate-eclipser ./Runlen --timeout 30
+user@0f7cccd70f7b:~/deepstate/build/examples$ ./Runlen_LF -max_total_time=30
+user@0f7cccd70f7b:~/deepstate/build/examples$ mkdir foo; echo foo > foo/foo
+user@0f7cccd70f7b:~/deepstate/build/examples$ afl-fuzz -i foo -o afl_Runlen -- ./Runlen_AFL --input_test_file @@ --no_fork --abort_on_fail
+```
+
 ## Usage
 
 DeepState consists of a static library, used to write test harnesses,
@@ -297,8 +313,8 @@ DeepState where to put the generated tests, and if you want the
 (totally random and unlikely to be high-quality) passing tests, you
 need to add `--fuzz_save_passing`.
 
-Note that while symbolic execution only works on Linux, without a 
-fairly complex cross-compilation process, the brute force fuzzer works 
+Note that while symbolic execution only works on Linux, without a
+fairly complex cross-compilation process, the brute force fuzzer works
 on macOS or (as far as we know) any Unix-like system.
 
 ## A Note on MacOS and Forking
@@ -350,7 +366,7 @@ CC=/usr/local/opt/llvm\@7/bin/clang CXX=/usr/local/opt/llvm\@7/bin/clang++ BUILD
 make install
 ```
 
-Other ways of getting an appropriate LLVM may also work. 
+Other ways of getting an appropriate LLVM may also work.
 
 On macOS, libFuzzer's normal output is not visible.  Because libFuzzer
 does not fork to execute tests, there is no issue with fork speed on
@@ -486,7 +502,7 @@ with some of the advantages of symbolic execution, but with more scalability.  D
 
 After that, you can use Eclipser like this:
 
-`deepstate-eclisper <binary> --timeout <how long to test> --output_test_dir <where to put generated tests>`
+`deepstate-eclipser <binary> --timeout <how long to test> --output_test_dir <where to put generated tests>`
 
 In our experience, Eclipser is quite effective, often better than
 libFuzzer and sometimes better than AFL, despite having a much slower

bin/setup.py.in

@@ -30,7 +30,7 @@ setuptools.setup(
     author_email="peter@trailofbits.com",
     license="Apache-2.0",
     keywords="tdd testing symbolic execution",
-    install_requires=[], #'claripy==7.8.6.16','angr==7.8.7.1', 'manticore'],
+    install_requires=['angr', 'manticore'],
     entry_points={
         'console_scripts': [
             'deepstate = deepstate.main_manticore:main',

docker/.dockerignore

@@ -0,0 +1,11 @@
+.dockerignore
+Dockerfile
+__pycache__
+*.pyc
+*.pyo
+*.pyd
+.Python
+pip-log.txt
+pip-delete-this-directory.txt
+*.log
+.git

docker/Dockerfile

@@ -0,0 +1,82 @@
+FROM ubuntu:18.04
+
+# Set up the non-root user
+RUN apt-get update \
+    &&  apt-get -y install sudo \
+    && useradd -ms /bin/bash user && echo "user:user" | chpasswd && adduser user sudo
+
+ADD /docker/sudoers.txt /etc/sudoers
+
+ENV ECLIPSER_HOME /home/user/Eclipser
+
+WORKDIR /home/user
+
+COPY . /home/user/deepstate
+
+# Eclipser requires deb-src entries
+RUN echo 'deb-src http://archive.ubuntu.com/ubuntu/ bionic main restricted \n\
+deb-src http://archive.ubuntu.com/ubuntu/ bionic-updates main restricted \n\
+deb-src http://archive.ubuntu.com/ubuntu/ bionic universe \n\
+deb-src http://archive.ubuntu.com/ubuntu/ bionic-updates universe \n\
+deb-src http://archive.ubuntu.com/ubuntu/ bionic multiverse \n\
+deb-src http://archive.ubuntu.com/ubuntu/ bionic-updates multiverse \n\
+deb-src http://archive.ubuntu.com/ubuntu/ bionic-backports main restricted universe multiverse \n\
+deb-src http://archive.canonical.com/ubuntu bionic partner \n\
+deb-src http://security.ubuntu.com/ubuntu/ bionic-security main restricted \n\
+deb-src http://security.ubuntu.com/ubuntu/ bionic-security universe \n\
+deb-src http://security.ubuntu.com/ubuntu/ bionic-security multiverse' >> /etc/apt/sources.list
+
+# Install Eclipser dependencies
+RUN apt-get update \
+    && apt-get -y build-dep qemu \
+    && apt-get install -y libtool \
+    libtool-bin wget automake autoconf \
+    bison gdb git \
+    && wget -q https://packages.microsoft.com/config/ubuntu/18.04/packages-microsoft-prod.deb \
+    && dpkg -i packages-microsoft-prod.deb \
+    && apt-get install -y apt-transport-https \
+    && apt-get update \
+    && apt-get install -y dotnet-sdk-2.2
+
+# Install DeepState/AFL/libFuzzer dependencies
+RUN apt-get update \
+    && apt-get install -y build-essential \
+    && apt-get install -y clang \
+    gcc-multilib g++-multilib cmake \
+    python3-setuptools libffi-dev z3 python3-pip \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN chown -R user:user /home/user
+
+USER user
+
+# Install AFL
+RUN wget http://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz \
+    && tar -xzvf afl-latest.tgz \
+    && cd afl-2.52b/ \
+    && make \
+    && sudo make install
+
+# Install Eclipser
+RUN git clone https://github.com/SoftSec-KAIST/Eclipser \
+    && cd Eclipser \
+    && make \
+    && cd ../
+
+# Install DeepState using a few different compilers for AFL/libFuzzer/Eclipser+normal
+RUN cd deepstate \
+    && mkdir build \
+    && cd build \
+    && CXX=clang++ CC=clang BUILD_LIBFUZZER=TRUE cmake ../ \
+    && sudo make install \
+    && rm -rf CMakeFiles CMakeCache.txt \
+    && CXX=afl-clang++ CC=afl-clang BUILD_AFL=TRUE cmake ../ \
+    && sudo make install \
+    && rm -rf CMakeFiles CMakeCache.txt \
+    && cmake ../ \
+    && sudo make install \
+    && cd .. \
+    && sudo pip3 install 'z3-solver==4.5.1.0.post2' angr 'manticore==0.2.5' \
+    && sudo python3 ./build/setup.py install
+
+CMD ["/bin/bash"]

docker/sudoers.txt

@@ -0,0 +1,4 @@
+root ALL=(ALL) ALL
+user ALL=(ALL) NOPASSWD: ALL
+Defaults    env_reset
+Defaults    secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

push/build_image

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+set -eu
+
+IMAGE_NAME="deepstate"
+echo "IMAGE_NAME $IMAGE_NAME"
+
+echo "Building Docker image..."
+docker build -t $IMAGE_NAME -f docker/Dockerfile . || exit $?

push/publish

@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+# Publishes the most recent web container to docker hubs repo.
+# This script assumes docker push works.
+# You must set up docker push on your own.
+
+set -eu
+
+
+DOCKER_REPO="trailofbits/deepstate"
+IMAGE_NAME="deepstate"
+echo "IMAGE_NAME $IMAGE_NAME"
+
+IMAGE_ID=$(docker images $IMAGE_NAME:latest --format "{{.ID}}")
+
+if [ -n "$DOCKER_USERNAME" ]; then echo "Found username"; fi
+if [ -n "$DOCKER_PASSWORD" ]; then echo "Found password"; fi
+
+if [ -n "$DOCKER_USERNAME" ] && [ -n "$DOCKER_PASSWORD" ]; then
+  echo "Logging in using ENV creds"
+  docker login -u="$DOCKER_USERNAME" -p="$DOCKER_PASSWORD"
+fi
+
+echo "Pushing image $IMAGE_NAME:$TRAVIS_BRANCH"
+docker tag $IMAGE_ID $DOCKER_REPO
+docker tag $IMAGE_ID ${DOCKER_REPO}:${TRAVIS_BUILD_NUMBER}
+docker push $DOCKER_REPO
+docker push ${DOCKER_REPO}:${TRAVIS_BUILD_NUMBER}

push/run.sh

@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+set -eu
+
+IMAGE_NAME="deepstate"
+DEPLOY_BRANCHES="master"
+
+# Only process first job in matrix (TRAVIS_JOB_NUMBER ends with ".1")
+if [[ ! $TRAVIS_JOB_NUMBER =~ \.1$ ]]; then
+  echo "Skipping deploy since it's not the first job in matrix"
+  exit 0
+fi
+
+# Don't process pull requests
+# $TRAVIS_PULL_REQUEST will be the PR number or "false" if not a PR
+if [[ -n "$TRAVIS_PULL_REQUEST" ]] && [[ "$TRAVIS_PULL_REQUEST" != "false" ]]; then
+  echo "Skipping deploy because it's a pull request"
+  exit 0
+fi
+
+# Only process branches listed in DEPLOY_BRANCHES
+BRANCHES_TO_DEPLOY=($DEPLOY_BRANCHES)
+if [[ ! " ${BRANCHES_TO_DEPLOY} " =~ " ${TRAVIS_BRANCH} " ]]; then
+  # whatever you want to do when arr contains value
+  echo "Branches to deploy: ${DEPLOY_BRANCHES}"
+  echo "Travis Branch: ${TRAVIS_BRANCH}"
+
+  echo "Skipping deploy, not a branch to be deployed"
+  exit 0
+fi
+
+if [ $? = 0 ]; then
+
+  # Get absolute path of dir where run.sh is located
+  SOURCE="${BASH_SOURCE[0]}"
+  while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink
+    DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )"
+    SOURCE="$(readlink "$SOURCE")"
+    [[ $SOURCE != /* ]] && SOURCE="$DIR/$SOURCE" # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located
+  done
+  export SCRIPTDIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )"
+
+  bash ${SCRIPTDIR}/build_image &&
+  bash ${SCRIPTDIR}/publish
+
+fi