From e3fdc25ce5d03ab400c83b752336ea416e69febc Mon Sep 17 00:00:00 2001
From: Aaron Suarez
Date: Sun, 26 May 2019 00:12:02 -0500
Subject: [PATCH 01/15] Dockerize the repository
---
.dockerignore | 11 +++++++++++
Dockerfile | 20 ++++++++++++++++++++
README.md | 31 ++++++++++++++++++++++++++-----
bin/setup.py.in | 2 +-
push/publish | 28 ++++++++++++++++++++++++++++
push/run.sh | 46 ++++++++++++++++++++++++++++++++++++++++++++++
6 files changed, 132 insertions(+), 6 deletions(-)
create mode 100644 .dockerignore
create mode 100644 Dockerfile
create mode 100644 push/publish
create mode 100644 push/run.sh
diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..f740282
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,11 @@
+.dockerignore
+Dockerfile
+__pycache__
+*.pyc
+*.pyo
+*.pyd
+.Python
+pip-log.txt
+pip-delete-this-directory.txt
+*.log
+.git
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..7eaa488
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,20 @@
+FROM python:3.7-slim
+
+WORKDIR /deepstate
+
+COPY . /deepstate
+
+RUN apt-get update \
+ && apt-get install -y build-essential \
+ gcc-multilib g++-multilib cmake \
+ python3-setuptools libffi-dev z3 \
+ && rm -rf /var/lib/apt/lists/* \
+ && mkdir build \
+ && cd build \
+ && cmake ../ \
+ && make \
+ && cd .. \
+ && pip install claripy angr manticore \
+ && python ./build/setup.py install
+
+CMD ["/bin/bash"]
diff --git a/README.md b/README.md
index d00e719..2aba31a 100644
--- a/README.md
+++ b/README.md
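Review bot: The new Dockerfile never switches away from root, so the `CMD ["/bin/bash"]` shell and everything started from it runs as uid 0 inside the container; add an unprivileged account after the build steps, e.g. `RUN useradd -m deepstate` followed by `USER deepstate` before `CMD`. `pip install claripy angr manticore` pulls unpinned packages at build time, so two builds of the same commit can yield different images — pin them (the `angr==7.8.7.1`/`claripy==7.8.6.16` pins that this same commit strips out of bin/setup.py.in are a starting point) and add `--no-cache-dir`, and give `apt-get install -y` a `--no-install-recommends`. `COPY . /deepstate` sits before the single apt/cmake/pip `RUN`, so any source edit invalidates the whole dependency install; splitting the OS-package install into its own layer ahead of the `COPY` keeps it cached. PATCH 07/15 re-adds this exact Dockerfile.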
@@ -2,7 +2,7 @@ [![Slack Chat](http://empireslacking.herokuapp.com/badge.svg)](https://empireslacking.herokuapp.com/) -[![Build Status](https://travis-ci.org/trailofbits/deepstate.svg?branch=master)](https://travis-ci.org/trailofbits/deepstate) +[![Build Status](https://travis-ci.org/trailofbits/deepstate.svg?branch=master)](https://travis-ci.org/trailofbits/deepstate) DeepState is a framework that provides C and C++ developers with a common interface to various symbolic execution and fuzzing engines. Users can write one test harness using a Google Test-like API, then execute it using multiple backends without having to learn the complexities of the underlying engines. It supports writing unit tests and API sequence tests, as well as automatic test generation. Read more about the goals and design of DeepState in our [paper](https://agroce.github.io/bar18.pdf). @@ -131,6 +131,27 @@ argument to see all DeepState options. If you want to use DeepState in C/C++ code, you will likely want to run `sudo make install` from the `$DEEPSTATE/build` directory as well. The examples mentioned below (file system, databases) assume this has already been done. +### Docker + +You can also try out Deepstate with Docker. + +```bash +# Run container with a shared examples/ directory +# Note that `--rm` will make the container be deleted if you exit it +# (if you want to persist data from the container, use docker volumes) +# (we need to increase maximum stack size, so we use ulimit for that) +$ docker run --rm -it --ulimit stack=100000000:100000000 trailofbits/deepstate bash + +# Change to examples directory +root@b7e7bffce292:/deepstate# cd build/examples + +# Fuzz the Runlen example +root@b7e7bffce292:/deepstate/build/examples# deepstate-angr ./Runlen + +# Alternative Runlen example +root@b7e7bffce292:/deepstate/build/examples# ./Runlen --fuzz --exit_on_fail +``` + ## Usage DeepState consists of a static library, used to write test harnesses, 
@@ -297,8 +318,8 @@ DeepState where to put the generated tests, and if you want the (totally random and unlikely to be high-quality) passing tests, you need to add `--fuzz_save_passing`. -Note that while symbolic execution only works on Linux, without a -fairly complex cross-compilation process, the brute force fuzzer works +Note that while symbolic execution only works on Linux, without a +fairly complex cross-compilation process, the brute force fuzzer works on macOS or (as far as we know) any Unix-like system. ## A Note on MacOS and Forking @@ -350,7 +371,7 @@ CC=/usr/local/opt/llvm\@7/bin/clang CXX=/usr/local/opt/llvm\@7/bin/clang++ BUILD make install ``` -Other ways of getting an appropriate LLVM may also work. +Other ways of getting an appropriate LLVM may also work. On macOS, libFuzzer's normal output is not visible. Because libFuzzer does not fork to execute tests, there is no issue with fork speed on @@ -486,7 +507,7 @@ with some of the advantages of symbolic execution, but with more scalability. D After that, you can use Eclipser like this: -`deepstate-eclisper --timeout --output_test_dir ` +`deepstate-eclipser --timeout --output_test_dir ` In our experience, Eclipser is quite effective, often better than libFuzzer and sometimes better than AFL, despite having a much slower diff --git a/bin/setup.py.in b/bin/setup.py.in index 3bf0a14..e375d51 100644 --- a/bin/setup.py.in +++ b/bin/setup.py.in @@ -30,7 +30,7 @@ setuptools.setup( author_email="peter@trailofbits.com", license="Apache-2.0", keywords="tdd testing symbolic execution", - install_requires=[], #'claripy==7.8.6.16','angr==7.8.7.1', 'manticore'], + install_requires=['claripy', 'angr', 'manticore'], entry_points={ 'console_scripts': [ 'deepstate = deepstate.main_manticore:main', diff --git a/push/publish b/push/publish new file mode 100644 index 0000000..c29c7d3 --- /dev/null +++ b/push/publish 
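Review bot: `install_requires=['claripy', 'angr', 'manticore']` discards the version pins the removed comment carried (`claripy==7.8.6.16`, `angr==7.8.7.1`), so `setup.py install` resolves whatever is newest on the day it runs and the image the new Dockerfile builds from it is not reproducible. Pin at least the versions the project is tested against, e.g. `install_requires=['angr==<pinned-version>', 'manticore==<pinned-version>']` (placeholders here; PATCH 06/15 later settles on `manticore==0.2.5` in the Dockerfile but leaves `angr` open). PATCH 03/15 drops `claripy` from this list but keeps the remaining entries unpinned, and PATCH 07/15 and 09/15 repeat both hunks.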
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+# Publishes the most recent web container to docker hubs repo.
+# This script assumes docker push works.
+# You must set up docker push on your own.
+
+set -eu
+
+
+DOCKER_REPO="trailofbits/deepstate"
+IMAGE_NAME="deepstate"
+echo "IMAGE_NAME $IMAGE_NAME"
+
+IMAGE_ID=$(docker images $IMAGE_NAME:latest --format "{{.ID}}")
+
+if [ -n "$DOCKER_USERNAME" ]; then echo "Found username"; fi
+if [ -n "$DOCKER_PASSWORD" ]; then echo "Found password"; fi
+
+if [ -n "$DOCKER_USERNAME" ] && [ -n "$DOCKER_PASSWORD" ]; then
+ echo "Logging in using ENV creds"
+ docker login -u="$DOCKER_USERNAME" -p="$DOCKER_PASSWORD"
+fi
+
+echo "Pushing image $IMAGE_NAME:$TRAVIS_BRANCH"
+docker tag $IMAGE_ID $DOCKER_REPO
+docker tag $IMAGE_ID ${DOCKER_REPO}:${TRAVIS_BUILD_NUMBER}
+docker push $DOCKER_REPO
+docker push ${DOCKER_REPO}:${TRAVIS_BUILD_NUMBER}
diff --git a/push/run.sh b/push/run.sh
new file mode 100644
index 0000000..e0c7c78
--- /dev/null
+++ b/push/run.sh
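Review bot: With `set -eu` active, `[ -n "$DOCKER_USERNAME" ]` aborts the script with an unbound-variable error whenever the credential is not exported (fork and pull-request builds), before the "Found username" branch is ever evaluated; write the `-n` tests as `[ -n "${DOCKER_USERNAME:-}" ]` and `[ -n "${DOCKER_PASSWORD:-}" ]`. `docker login -u="$DOCKER_USERNAME" -p="$DOCKER_PASSWORD"` also puts the password in the process argument list and in any CI command echo; `echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin` keeps it out of both. `docker tag $IMAGE_ID $DOCKER_REPO` quietly publishes `:latest` while the preceding echo announces `$TRAVIS_BRANCH`, so the log and the pushed tags disagree; either tag with the branch name as well or fix the message. `$IMAGE_ID` is empty if no `deepstate:latest` image exists and the unquoted expansion then produces a confusing `docker tag` usage error rather than a clear failure. PATCH 07/15 re-adds this script unchanged.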
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+set -eu
+
+IMAGE_NAME="deepstate"
+DEPLOY_BRANCHES="master"
+
+# Only process first job in matrix (TRAVIS_JOB_NUMBER ends with ".1")
+if [[ ! $TRAVIS_JOB_NUMBER =~ \.1$ ]]; then
+ echo "Skipping deploy since it's not the first job in matrix"
+ exit 0
+fi
+
+# Don't process pull requests
+# $TRAVIS_PULL_REQUEST will be the PR number or "false" if not a PR
+if [[ -n "$TRAVIS_PULL_REQUEST" ]] && [[ "$TRAVIS_PULL_REQUEST" != "false" ]]; then
+ echo "Skipping deploy because it's a pull request"
+ exit 0
+fi
+
+# Only process branches listed in DEPLOY_BRANCHES
+BRANCHES_TO_DEPLOY=($DEPLOY_BRANCHES)
+if [[ ! " ${BRANCHES_TO_DEPLOY} " =~ " ${TRAVIS_BRANCH} " ]]; then
+ # whatever you want to do when arr contains value
+ echo "Branches to deploy: ${DEPLOY_BRANCHES}"
+ echo "Travis Branch: ${TRAVIS_BRANCH}"
+
+ echo "Skipping deploy, not a branch to be deployed"
+ exit 0
+fi
+
+if [ $? = 0 ]; then
+
+ # Get absolute path of dir where run.sh is located
+ SOURCE="${BASH_SOURCE[0]}"
+ while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink
+ DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )"
+ SOURCE="$(readlink "$SOURCE")"
+ [[ $SOURCE != /* ]] && SOURCE="$DIR/$SOURCE" # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located
+ done
+ export SCRIPTDIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )"
+
+ bash ${SCRIPTDIR}/build &&
+ bash ${SCRIPTDIR}/publish
+
+fi
From 729409328afbeae4176b0e65d8a9fe58de0a60df Mon Sep 17 00:00:00 2001
From: Aaron Suarez
Date: Sun, 26 May 2019 00:49:34 -0500
Subject: [PATCH 02/15] Add docker build file
---
push/build_image | 9 +++++++++
push/run.sh | 2 +-
2 files changed, 10 insertions(+), 1 deletion(-)
create mode 100644 push/build_image
diff --git a/push/build_image b/push/build_image
new file mode 100644
index 0000000..0e51a4c
--- /dev/null
+++ b/push/build_image
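Review bot: `if [ $? = 0 ]; then` tests the exit status of the `if ... fi` compound just above it, which is always zero once control falls through, so the guard is dead code that only hides the fact that the build/publish chain runs unconditionally; remove it and run the two `bash` lines at top level. The branch filter `" ${BRANCHES_TO_DEPLOY} "` expands only the first element of the array, so a second entry in `DEPLOY_BRANCHES` would never match; use `" ${BRANCHES_TO_DEPLOY[*]} "`. `bash ${SCRIPTDIR}/build` names a script that does not exist at this commit (PATCH 02/15 changes the call to `build_image`), and `${SCRIPTDIR}` is unquoted in both invocations. PATCH 07/15 re-adds this file unchanged.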
@@ -0,0 +1,9 @@ +#!/usr/bin/env bash + +set -eu + +IMAGE_NAME="deepstate" +echo "IMAGE_NAME $IMAGE_NAME" + +echo "Building Docker image..." +docker build -t $IMAGE_NAME -f Dockerfile . || exit $? diff --git a/push/run.sh b/push/run.sh index e0c7c78..7710c1e 100644 --- a/push/run.sh +++ b/push/run.sh @@ -40,7 +40,7 @@ if [ $? = 0 ]; then done export SCRIPTDIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )" - bash ${SCRIPTDIR}/build && + bash ${SCRIPTDIR}/build_image && bash ${SCRIPTDIR}/publish fi From 9b28c98dca9f6819fcbbc0200e095396628ab10c Mon Sep 17 00:00:00 2001 From: Aaron Suarez Date: Sun, 26 May 2019 00:52:16 -0500 Subject: [PATCH 03/15] Add travis changes --- .travis.yml | 4 ++++ bin/setup.py.in | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 7c79441..160f387 100644 --- a/.travis.yml +++ b/.travis.yml @@ -3,6 +3,8 @@ sudo: true language: python python: - 3.6.5 +services: +- docker install: - sudo apt-get -y update - sudo apt-get -y install build-essential gcc-multilib cmake python3-pip python3-setuptools libffi-dev python3-nose @@ -42,4 +44,6 @@ script: - if [ $TASK = PRIMES ]; then nosetests3 tests/test_primes.py ; fi #- if [ $TASK = STREAMINGANDFORMATTING ]; then nosetests3 tests/test_streamingandformatting.py ; fi - if [ $TASK = TAKEOVER ]; then nosetests3 tests/test_takeover.py ; fi +after_success: +- bash push/run.sh diff --git a/bin/setup.py.in b/bin/setup.py.in index e375d51..1bcb41f 100644 --- a/bin/setup.py.in +++ b/bin/setup.py.in @@ -30,7 +30,7 @@ setuptools.setup( author_email="peter@trailofbits.com", license="Apache-2.0", keywords="tdd testing symbolic execution", - install_requires=['claripy', 'angr', 'manticore'], + install_requires=['angr', 'manticore'], entry_points={ 'console_scripts': [ 'deepstate = deepstate.main_manticore:main', From d3fa5911f1fd6cf98512b7a2bd9c306d627b2b87 Mon Sep 17 00:00:00 2001 
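Review bot: `docker build -t $IMAGE_NAME -f Dockerfile . || exit $?` is redundant under `set -eu` — a failing `docker build` already terminates the script with its own status — and the trailing `|| exit $?` suggests a deliberate error path that does not exist. The build context `.` is whatever directory the caller is in: run.sh invokes this script by absolute `${SCRIPTDIR}` path without changing directory, so `-f Dockerfile` and the context only resolve when the working directory happens to be the repository root. A `cd "$(dirname "${BASH_SOURCE[0]}")/.."` at the top would make the script self-contained. PATCH 08/15 re-adds the same script.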
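Review bot: `after_success: - bash push/run.sh` runs in a phase whose failures do not fail the build, so a broken image build or a rejected `docker push` is reported as a green job with the error visible only in the log; if publication is meant to be a release step, move it to a `deploy:` provider or a dedicated stage where a non-zero exit is fatal. It also executes in every matrix job with the Docker Hub credentials present in the environment, relying solely on the `.1` job-number check inside run.sh to avoid duplicate pushes. PATCH 09/15 repeats this hunk.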
From: Aaron Suarez Date: Mon, 27 May 2019 21:47:07 -0500 Subject: [PATCH 04/15] Add support for Eclipser --- Dockerfile | 62 +++++++++++++++++++++++++++++++++++++++++++++++------ sudoers.txt | 4 ++++ 2 files changed, 59 insertions(+), 7 deletions(-) create mode 100644 sudoers.txt diff --git a/Dockerfile b/Dockerfile index 7eaa488..01ae2c8 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,20 +1,68 @@ -FROM python:3.7-slim +FROM ubuntu:18.04 -WORKDIR /deepstate +# Set up the non-root user +RUN apt-get update \ + && apt-get -y install sudo \ + && useradd -ms /bin/bash user && echo "user:user" | chpasswd && adduser user sudo -COPY . /deepstate +ADD /sudoers.txt /etc/sudoers +ENV ECLIPSER_HOME /home/user/Eclipser + +WORKDIR /home/user + +COPY . /home/user/deepstate + +# Eclipser requires deb-src entries +RUN echo 'deb-src http://archive.ubuntu.com/ubuntu/ bionic main restricted \n\ +deb-src http://archive.ubuntu.com/ubuntu/ bionic-updates main restricted \n\ +deb-src http://archive.ubuntu.com/ubuntu/ bionic universe \n\ +deb-src http://archive.ubuntu.com/ubuntu/ bionic-updates universe \n\ +deb-src http://archive.ubuntu.com/ubuntu/ bionic multiverse \n\ +deb-src http://archive.ubuntu.com/ubuntu/ bionic-updates multiverse \n\ +deb-src http://archive.ubuntu.com/ubuntu/ bionic-backports main restricted universe multiverse \n\ +deb-src http://archive.canonical.com/ubuntu bionic partner \n\ +deb-src http://security.ubuntu.com/ubuntu/ bionic-security main restricted \n\ +deb-src http://security.ubuntu.com/ubuntu/ bionic-security universe \n\ +deb-src http://security.ubuntu.com/ubuntu/ bionic-security multiverse' >> /etc/apt/sources.list + +# # Install Eclipser dependencies +RUN apt-get update \ + && apt-get -y build-dep qemu \ + && apt-get install -y libtool \ + libtool-bin wget automake autoconf \ + bison gdb git \ + && wget -q https://packages.microsoft.com/config/ubuntu/18.04/packages-microsoft-prod.deb \ + && dpkg -i packages-microsoft-prod.deb \ + && apt-get install -y apt-transport-https \ + && apt-get update \ + && apt-get install -y dotnet-sdk-2.2 + +# Install DeepState dependencies RUN apt-get update \ && apt-get install -y build-essential \ gcc-multilib g++-multilib cmake \ - python3-setuptools libffi-dev z3 \ - && rm -rf /var/lib/apt/lists/* \ + python3-setuptools libffi-dev z3 python3-pip \ + && rm -rf /var/lib/apt/lists/* + +RUN chown -R 
user:user /home/user + +USER user + +# Install Eclipser +RUN git clone https://github.com/SoftSec-KAIST/Eclipser \ + && cd Eclipser \ + && make \ + && cd ../ + +# Install DeepState +RUN cd deepstate \ && mkdir build \ && cd build \ && cmake ../ \ && make \ && cd .. \ - && pip install claripy angr manticore \ - && python ./build/setup.py install + && pip3 install 'z3-solver==4.5.1.0.post2' angr manticore \ + && sudo python3 ./build/setup.py install CMD ["/bin/bash"] diff --git a/sudoers.txt b/sudoers.txt new file mode 100644 index 0000000..c478710 --- /dev/null +++ b/sudoers.txt @@ -0,0 +1,4 @@ +root ALL=(ALL) ALL +user ALL=(ALL) NOPASSWD: ALL +Defaults env_reset +Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" From ccc75d49b0ab4cdbb6515abfd10d93c772759fae Mon Sep 17 00:00:00 2001 From: agroce Date: Thu, 30 May 2019 09:20:09 -0700 Subject: [PATCH 05/15] Dockerfile now builds DeepState with libFuzzer and AFL support --- Dockerfile | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index 01ae2c8..609e4a5 100644 --- a/Dockerfile +++ b/Dockerfile @@ -26,7 +26,7 @@ deb-src http://security.ubuntu.com/ubuntu/ bionic-security main restricted \n\ deb-src http://security.ubuntu.com/ubuntu/ bionic-security universe \n\ deb-src http://security.ubuntu.com/ubuntu/ bionic-security multiverse' >> /etc/apt/sources.list -# # Install Eclipser dependencies +# Install Eclipser dependencies RUN apt-get update \ && apt-get -y build-dep qemu \ && apt-get install -y libtool \ @@ -38,9 +38,11 @@ RUN apt-get update \ && apt-get update \ && apt-get install -y dotnet-sdk-2.2 -# Install DeepState dependencies +# Install DeepState/AFL/libFuzzer dependencies RUN apt-get update \ && apt-get install -y build-essential \ + && apt-get install -y wget \ + && apt-get install -y clang \ gcc-multilib g++-multilib cmake \ python3-setuptools libffi-dev z3 python3-pip \ && rm -rf /var/lib/apt/lists/* 
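Review bot: `USER user` buys no privilege separation here, because the same stage sets a known password with `echo "user:user" | chpasswd` and installs a sudoers file containing `user ALL=(ALL) NOPASSWD: ALL`, so every later `sudo` step and any process in the running container is root-equivalent; run the one root-only step (`python3 ./build/setup.py install`) before `USER user` or install with `--user`, and drop `sudo`, the password and the sudoers file. If the sudoers file is kept, `ADD /sudoers.txt /etc/sudoers` should become `COPY --chmod=0440 sudoers.txt /etc/sudoers` — `ADD` is meant for archives and URLs, and sudo validates the ownership and mode of /etc/sudoers (a 0644 copy is rejected or warned about depending on the sudo version). `git clone https://github.com/SoftSec-KAIST/Eclipser` with no tag or commit, `wget -q ... packages-microsoft-prod.deb && dpkg -i` with no checksum, and `pip3 install ... angr manticore` without pins all make the image depend on whatever those sources serve on build day; pin each one. `RUN chown -R user:user /home/user` after `COPY . /home/user/deepstate` duplicates the whole source tree in a new layer (`COPY --chown=user:user . /home/user/deepstate` avoids it), and `ENV ECLIPSER_HOME /home/user/Eclipser` should use the `ENV key=value` form. PATCH 10/15 repeats this hunk verbatim, and the sudoers.txt hunk that follows carries the NOPASSWD rule.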
@@ -49,20 +51,31 @@ RUN chown -R user:user /home/user USER user -# Install Eclipser +# Install AFL +RUN wget http://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz \ + && tar -xzvf afl-latest.tgz \ + && cd afl-2.52b/ \ + && make \ + && sudo make install + + Install Eclipser RUN git clone https://github.com/SoftSec-KAIST/Eclipser \ && cd Eclipser \ && make \ && cd ../ -# Install DeepState +# Install DeepState using a few different compilers for AFL/libFuzzer/Eclipser+normal RUN cd deepstate \ && mkdir build \ && cd build \ + && CXX=clang++ CC=clang BUILD_LIBFUZZER=TRUE cmake ../ \ + && sudo make install \ + && CXX=afl-clang++ CC=afl-clang BUILD_AFL=TRUE cmake ../ \ + && sudo make install \ && cmake ../ \ - && make \ + && sudo make install \ && cd .. \ - && pip3 install 'z3-solver==4.5.1.0.post2' angr manticore \ + && sudo pip3 install 'z3-solver==4.5.1.0.post2' angr manticore \ && sudo python3 ./build/setup.py install CMD ["/bin/bash"] From 15d93d6ab719ef47acaae25a82c73d9eef007dcb Mon Sep 17 00:00:00 2001 From: Aaron Suarez Date: Thu, 30 May 2019 12:20:35 -0500 Subject: [PATCH 06/15] Put docker related files in docker/ directory --- .dockerignore => docker/.dockerignore | 0 Dockerfile => docker/Dockerfile | 7 +++---- sudoers.txt => docker/sudoers.txt | 0 push/build_image | 2 +- 4 files changed, 4 insertions(+), 5 deletions(-) rename .dockerignore => docker/.dockerignore (100%) rename Dockerfile => docker/Dockerfile (94%) rename sudoers.txt => docker/sudoers.txt (100%) diff --git a/.dockerignore b/docker/.dockerignore similarity index 100% rename from .dockerignore rename to docker/.dockerignore diff --git a/Dockerfile b/docker/Dockerfile similarity index 94% rename from Dockerfile rename to docker/Dockerfile index 609e4a5..6659c1c 100644 --- a/Dockerfile +++ b/docker/Dockerfile 
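Review bot: ` Install Eclipser` lost its leading `#`, so Docker parses it as an instruction and `docker build` fails at this commit (PATCH 06/15 restores the comment). The three `cmake ../` configures share one build directory: CMake honours `CC`/`CXX` only on the first configure and keeps the compiler in `CMakeCache.txt`, so the `afl-clang` and default configures most likely reuse `clang` and the install labelled AFL is probably not AFL-instrumented — use one directory per variant (`build_libfuzzer`, `build_afl`, `build`) or remove the cache between runs; whether `BUILD_AFL`/`BUILD_LIBFUZZER` are read from the environment or need `-D` cannot be told from this hunk. `wget http://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz` fetches an unversioned tarball over plain HTTP and hands it straight to `sudo make install` with no integrity check; fetch the versioned archive the next line already assumes (`afl-2.52b`) and verify a recorded `sha256sum` before building. `sudo pip3 install ... angr manticore` still leaves `angr` unpinned. PATCH 11/15 repeats this hunk.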
@@ -5,7 +5,7 @@ RUN apt-get update \ && apt-get -y install sudo \ && useradd -ms /bin/bash user && echo "user:user" | chpasswd && adduser user sudo -ADD /sudoers.txt /etc/sudoers +ADD /docker/sudoers.txt /etc/sudoers ENV ECLIPSER_HOME /home/user/Eclipser @@ -41,7 +41,6 @@ RUN apt-get update \ # Install DeepState/AFL/libFuzzer dependencies RUN apt-get update \ && apt-get install -y build-essential \ - && apt-get install -y wget \ && apt-get install -y clang \ gcc-multilib g++-multilib cmake \ python3-setuptools libffi-dev z3 python3-pip \ @@ -58,7 +57,7 @@ RUN wget http://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz \ && make \ && sudo make install - Install Eclipser +# Install Eclipser RUN git clone https://github.com/SoftSec-KAIST/Eclipser \ && cd Eclipser \ && make \ @@ -75,7 +74,7 @@ RUN cd deepstate \ && cmake ../ \ && sudo make install \ && cd .. \ - && sudo pip3 install 'z3-solver==4.5.1.0.post2' angr manticore \ + && sudo pip3 install 'z3-solver==4.5.1.0.post2' angr 'manticore==0.2.5' \ && sudo python3 ./build/setup.py install CMD ["/bin/bash"] diff --git a/sudoers.txt b/docker/sudoers.txt similarity index 100% rename from sudoers.txt rename to docker/sudoers.txt diff --git a/push/build_image b/push/build_image index 0e51a4c..9e3b745 100644 --- a/push/build_image +++ b/push/build_image @@ -6,4 +6,4 @@ IMAGE_NAME="deepstate" echo "IMAGE_NAME $IMAGE_NAME" echo "Building Docker image..." -docker build -t $IMAGE_NAME -f Dockerfile . || exit $? +docker build -t $IMAGE_NAME -f docker/Dockerfile . || exit $? From 890e8b21369801875097e934bae1cacbe2df5c80 Mon Sep 17 00:00:00 2001 
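Review bot: Moving `.dockerignore` to `docker/.dockerignore` while the build context stays `.` (`docker build -t $IMAGE_NAME -f docker/Dockerfile .`) means Docker no longer finds an ignore file — it is read only from the context root, or under BuildKit from `docker/Dockerfile.dockerignore` beside the Dockerfile — so `.git`, `*.pyc` and the rest are now sent to the daemon and copied into the image by `COPY . /home/user/deepstate`. Either keep `.dockerignore` at the repository root or rename it to `docker/Dockerfile.dockerignore`. The `ADD /docker/sudoers.txt` path change in the same commit confirms the context root is still the repository root. PATCH 12/15 repeats this commit.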
From: Aaron Suarez Date: Sun, 26 May 2019 00:12:02 -0500 Subject: [PATCH 07/15] Dockerize the repository --- .dockerignore | 11 +++++++++++ Dockerfile | 20 ++++++++++++++++++++ README.md | 31 ++++++++++++++++++++++++++----- bin/setup.py.in | 2 +- push/publish | 28 ++++++++++++++++++++++++++++ push/run.sh | 46 ++++++++++++++++++++++++++++++++++++++++++++++ 6 files changed, 132 insertions(+), 6 deletions(-) create mode 100644 .dockerignore create mode 100644 Dockerfile create mode 100644 push/publish create mode 100644 push/run.sh diff --git a/.dockerignore b/.dockerignore new file mode 100644 index 0000000..f740282 --- /dev/null +++ b/.dockerignore @@ -0,0 +1,11 @@ +.dockerignore +Dockerfile +__pycache__ +*.pyc +*.pyo +*.pyd +.Python +pip-log.txt +pip-delete-this-directory.txt +*.log +.git diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..7eaa488 --- /dev/null +++ b/Dockerfile @@ -0,0 +1,20 @@ +FROM python:3.7-slim + +WORKDIR /deepstate + +COPY . /deepstate + +RUN apt-get update \ + && apt-get install -y build-essential \ + gcc-multilib g++-multilib cmake \ + python3-setuptools libffi-dev z3 \ + && rm -rf /var/lib/apt/lists/* \ + && mkdir build \ + && cd build \ + && cmake ../ \ + && make \ + && cd .. \ + && pip install claripy angr manticore \ + && python ./build/setup.py install + +CMD ["/bin/bash"] diff --git a/README.md b/README.md index d00e719..2aba31a 100644 --- a/README.md +++ b/README.md 
@@ -2,7 +2,7 @@ [![Slack Chat](http://empireslacking.herokuapp.com/badge.svg)](https://empireslacking.herokuapp.com/) -[![Build Status](https://travis-ci.org/trailofbits/deepstate.svg?branch=master)](https://travis-ci.org/trailofbits/deepstate) +[![Build Status](https://travis-ci.org/trailofbits/deepstate.svg?branch=master)](https://travis-ci.org/trailofbits/deepstate) DeepState is a framework that provides C and C++ developers with a common interface to various symbolic execution and fuzzing engines. Users can write one test harness using a Google Test-like API, then execute it using multiple backends without having to learn the complexities of the underlying engines. It supports writing unit tests and API sequence tests, as well as automatic test generation. Read more about the goals and design of DeepState in our [paper](https://agroce.github.io/bar18.pdf). @@ -131,6 +131,27 @@ argument to see all DeepState options. If you want to use DeepState in C/C++ code, you will likely want to run `sudo make install` from the `$DEEPSTATE/build` directory as well. The examples mentioned below (file system, databases) assume this has already been done. +### Docker + +You can also try out Deepstate with Docker. + +```bash +# Run container with a shared examples/ directory +# Note that `--rm` will make the container be deleted if you exit it +# (if you want to persist data from the container, use docker volumes) +# (we need to increase maximum stack size, so we use ulimit for that) +$ docker run --rm -it --ulimit stack=100000000:100000000 trailofbits/deepstate bash + +# Change to examples directory +root@b7e7bffce292:/deepstate# cd build/examples + +# Fuzz the Runlen example +root@b7e7bffce292:/deepstate/build/examples# deepstate-angr ./Runlen + +# Alternative Runlen example +root@b7e7bffce292:/deepstate/build/examples# ./Runlen --fuzz --exit_on_fail +``` + ## Usage DeepState consists of a static library, used to write test harnesses, 
@@ -297,8 +318,8 @@ DeepState where to put the generated tests, and if you want the (totally random and unlikely to be high-quality) passing tests, you need to add `--fuzz_save_passing`. -Note that while symbolic execution only works on Linux, without a -fairly complex cross-compilation process, the brute force fuzzer works +Note that while symbolic execution only works on Linux, without a +fairly complex cross-compilation process, the brute force fuzzer works on macOS or (as far as we know) any Unix-like system. ## A Note on MacOS and Forking @@ -350,7 +371,7 @@ CC=/usr/local/opt/llvm\@7/bin/clang CXX=/usr/local/opt/llvm\@7/bin/clang++ BUILD make install ``` -Other ways of getting an appropriate LLVM may also work. +Other ways of getting an appropriate LLVM may also work. On macOS, libFuzzer's normal output is not visible. Because libFuzzer does not fork to execute tests, there is no issue with fork speed on @@ -486,7 +507,7 @@ with some of the advantages of symbolic execution, but with more scalability. D After that, you can use Eclipser like this: -`deepstate-eclisper --timeout --output_test_dir ` +`deepstate-eclipser --timeout --output_test_dir ` In our experience, Eclipser is quite effective, often better than libFuzzer and sometimes better than AFL, despite having a much slower diff --git a/bin/setup.py.in b/bin/setup.py.in index 3bf0a14..e375d51 100644 --- a/bin/setup.py.in +++ b/bin/setup.py.in @@ -30,7 +30,7 @@ setuptools.setup( author_email="peter@trailofbits.com", license="Apache-2.0", keywords="tdd testing symbolic execution", - install_requires=[], #'claripy==7.8.6.16','angr==7.8.7.1', 'manticore'], + install_requires=['claripy', 'angr', 'manticore'], entry_points={ 'console_scripts': [ 'deepstate = deepstate.main_manticore:main', diff --git a/push/publish b/push/publish new file mode 100644 index 0000000..c29c7d3 --- /dev/null +++ b/push/publish 
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+
+# Publishes the most recent web container to docker hubs repo.
+# This script assumes docker push works.
+# You must set up docker push on your own.
+
+set -eu
+
+
+DOCKER_REPO="trailofbits/deepstate"
+IMAGE_NAME="deepstate"
+echo "IMAGE_NAME $IMAGE_NAME"
+
+IMAGE_ID=$(docker images $IMAGE_NAME:latest --format "{{.ID}}")
+
+if [ -n "$DOCKER_USERNAME" ]; then echo "Found username"; fi
+if [ -n "$DOCKER_PASSWORD" ]; then echo "Found password"; fi
+
+if [ -n "$DOCKER_USERNAME" ] && [ -n "$DOCKER_PASSWORD" ]; then
+ echo "Logging in using ENV creds"
+ docker login -u="$DOCKER_USERNAME" -p="$DOCKER_PASSWORD"
+fi
+
+echo "Pushing image $IMAGE_NAME:$TRAVIS_BRANCH"
+docker tag $IMAGE_ID $DOCKER_REPO
+docker tag $IMAGE_ID ${DOCKER_REPO}:${TRAVIS_BUILD_NUMBER}
+docker push $DOCKER_REPO
+docker push ${DOCKER_REPO}:${TRAVIS_BUILD_NUMBER}
diff --git a/push/run.sh b/push/run.sh
new file mode 100644
index 0000000..e0c7c78
--- /dev/null
+++ b/push/run.sh
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+
+set -eu
+
+IMAGE_NAME="deepstate"
+DEPLOY_BRANCHES="master"
+
+# Only process first job in matrix (TRAVIS_JOB_NUMBER ends with ".1")
+if [[ ! $TRAVIS_JOB_NUMBER =~ \.1$ ]]; then
+ echo "Skipping deploy since it's not the first job in matrix"
+ exit 0
+fi
+
+# Don't process pull requests
+# $TRAVIS_PULL_REQUEST will be the PR number or "false" if not a PR
+if [[ -n "$TRAVIS_PULL_REQUEST" ]] && [[ "$TRAVIS_PULL_REQUEST" != "false" ]]; then
+ echo "Skipping deploy because it's a pull request"
+ exit 0
+fi
+
+# Only process branches listed in DEPLOY_BRANCHES
+BRANCHES_TO_DEPLOY=($DEPLOY_BRANCHES)
+if [[ ! " ${BRANCHES_TO_DEPLOY} " =~ " ${TRAVIS_BRANCH} " ]]; then
+ # whatever you want to do when arr contains value
+ echo "Branches to deploy: ${DEPLOY_BRANCHES}"
+ echo "Travis Branch: ${TRAVIS_BRANCH}"
+
+ echo "Skipping deploy, not a branch to be deployed"
+ exit 0
+fi
+
+if [ $? = 0 ]; then
+
+ # Get absolute path of dir where run.sh is located
+ SOURCE="${BASH_SOURCE[0]}"
+ while [ -h "$SOURCE" ]; do # resolve $SOURCE until the file is no longer a symlink
+ DIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )"
+ SOURCE="$(readlink "$SOURCE")"
+ [[ $SOURCE != /* ]] && SOURCE="$DIR/$SOURCE" # if $SOURCE was a relative symlink, we need to resolve it relative to the path where the symlink file was located
+ done
+ export SCRIPTDIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )"
+
+ bash ${SCRIPTDIR}/build &&
+ bash ${SCRIPTDIR}/publish
+
+fi
From 7a786f3a72a3aa128db13ffb7e47789d9e9cec51 Mon Sep 17 00:00:00 2001
From: Aaron Suarez
Date: Sun, 26 May 2019 00:49:34 -0500
Subject: [PATCH 08/15] Add docker build file
---
push/build_image | 9 +++++++++
push/run.sh | 2 +-
2 files changed, 10 insertions(+), 1 deletion(-)
create mode 100644 push/build_image
diff --git a/push/build_image b/push/build_image
new file mode 100644
index 0000000..0e51a4c
--- /dev/null
+++ b/push/build_image
@@ -0,0 +1,9 @@ +#!/usr/bin/env bash + +set -eu + +IMAGE_NAME="deepstate" +echo "IMAGE_NAME $IMAGE_NAME" + +echo "Building Docker image..." +docker build -t $IMAGE_NAME -f Dockerfile . || exit $? diff --git a/push/run.sh b/push/run.sh index e0c7c78..7710c1e 100644 --- a/push/run.sh +++ b/push/run.sh @@ -40,7 +40,7 @@ if [ $? = 0 ]; then done export SCRIPTDIR="$( cd -P "$( dirname "$SOURCE" )" && pwd )" - bash ${SCRIPTDIR}/build && + bash ${SCRIPTDIR}/build_image && bash ${SCRIPTDIR}/publish fi From e520f80499cac3fab8c329e6bb91a7fd4053cde6 Mon Sep 17 00:00:00 2001 From: Aaron Suarez Date: Sun, 26 May 2019 00:52:16 -0500 Subject: [PATCH 09/15] Add travis changes --- .travis.yml | 4 ++++ bin/setup.py.in | 2 +- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 7c79441..160f387 100644 --- a/.travis.yml +++ b/.travis.yml @@ -3,6 +3,8 @@ sudo: true language: python python: - 3.6.5 +services: +- docker install: - sudo apt-get -y update - sudo apt-get -y install build-essential gcc-multilib cmake python3-pip python3-setuptools libffi-dev python3-nose @@ -42,4 +44,6 @@ script: - if [ $TASK = PRIMES ]; then nosetests3 tests/test_primes.py ; fi #- if [ $TASK = STREAMINGANDFORMATTING ]; then nosetests3 tests/test_streamingandformatting.py ; fi - if [ $TASK = TAKEOVER ]; then nosetests3 tests/test_takeover.py ; fi +after_success: +- bash push/run.sh diff --git a/bin/setup.py.in b/bin/setup.py.in index e375d51..1bcb41f 100644 --- a/bin/setup.py.in +++ b/bin/setup.py.in @@ -30,7 +30,7 @@ setuptools.setup( author_email="peter@trailofbits.com", license="Apache-2.0", keywords="tdd testing symbolic execution", - install_requires=['claripy', 'angr', 'manticore'], + install_requires=['angr', 'manticore'], entry_points={ 'console_scripts': [ 'deepstate = deepstate.main_manticore:main', From e40088a7ea943b2c27857bf7c941a56834b91b35 Mon Sep 17 00:00:00 2001 
From: Aaron Suarez Date: Mon, 27 May 2019 21:47:07 -0500 Subject: [PATCH 10/15] Add support for Eclipser --- Dockerfile | 62 +++++++++++++++++++++++++++++++++++++++++++++++------ sudoers.txt | 4 ++++ 2 files changed, 59 insertions(+), 7 deletions(-) create mode 100644 sudoers.txt diff --git a/Dockerfile b/Dockerfile index 7eaa488..01ae2c8 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,20 +1,68 @@ -FROM python:3.7-slim +FROM ubuntu:18.04 -WORKDIR /deepstate +# Set up the non-root user +RUN apt-get update \ + && apt-get -y install sudo \ + && useradd -ms /bin/bash user && echo "user:user" | chpasswd && adduser user sudo -COPY . /deepstate +ADD /sudoers.txt /etc/sudoers +ENV ECLIPSER_HOME /home/user/Eclipser + +WORKDIR /home/user + +COPY . /home/user/deepstate + +# Eclipser requires deb-src entries +RUN echo 'deb-src http://archive.ubuntu.com/ubuntu/ bionic main restricted \n\ +deb-src http://archive.ubuntu.com/ubuntu/ bionic-updates main restricted \n\ +deb-src http://archive.ubuntu.com/ubuntu/ bionic universe \n\ +deb-src http://archive.ubuntu.com/ubuntu/ bionic-updates universe \n\ +deb-src http://archive.ubuntu.com/ubuntu/ bionic multiverse \n\ +deb-src http://archive.ubuntu.com/ubuntu/ bionic-updates multiverse \n\ +deb-src http://archive.ubuntu.com/ubuntu/ bionic-backports main restricted universe multiverse \n\ +deb-src http://archive.canonical.com/ubuntu bionic partner \n\ +deb-src http://security.ubuntu.com/ubuntu/ bionic-security main restricted \n\ +deb-src http://security.ubuntu.com/ubuntu/ bionic-security universe \n\ +deb-src http://security.ubuntu.com/ubuntu/ bionic-security multiverse' >> /etc/apt/sources.list + +# # Install Eclipser dependencies +RUN apt-get update \ + && apt-get -y build-dep qemu \ + && apt-get install -y libtool \ + libtool-bin wget automake autoconf \ + bison gdb git \ + && wget -q https://packages.microsoft.com/config/ubuntu/18.04/packages-microsoft-prod.deb \ + && dpkg -i packages-microsoft-prod.deb \ + && apt-get install -y apt-transport-https \ + && apt-get update \ + && apt-get install -y dotnet-sdk-2.2 + +# Install DeepState dependencies RUN apt-get update \ && apt-get install -y build-essential \ gcc-multilib g++-multilib cmake \ - python3-setuptools libffi-dev z3 \ - && rm -rf /var/lib/apt/lists/* \ + python3-setuptools libffi-dev z3 python3-pip \ + && rm -rf /var/lib/apt/lists/* + +RUN chown -R 
user:user /home/user + +USER user + +# Install Eclipser +RUN git clone https://github.com/SoftSec-KAIST/Eclipser \ + && cd Eclipser \ + && make \ + && cd ../ + +# Install DeepState +RUN cd deepstate \ && mkdir build \ && cd build \ && cmake ../ \ && make \ && cd .. \ - && pip install claripy angr manticore \ - && python ./build/setup.py install + && pip3 install 'z3-solver==4.5.1.0.post2' angr manticore \ + && sudo python3 ./build/setup.py install CMD ["/bin/bash"] diff --git a/sudoers.txt b/sudoers.txt new file mode 100644 index 0000000..c478710 --- /dev/null +++ b/sudoers.txt @@ -0,0 +1,4 @@ +root ALL=(ALL) ALL +user ALL=(ALL) NOPASSWD: ALL +Defaults env_reset +Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" From 38bed6386426eff8a7b9a7d8223ef601548931a8 Mon Sep 17 00:00:00 2001 From: agroce Date: Thu, 30 May 2019 09:20:09 -0700 Subject: [PATCH 11/15] Dockerfile now builds DeepState with libFuzzer and AFL support --- Dockerfile | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index 01ae2c8..609e4a5 100644 --- a/Dockerfile +++ b/Dockerfile @@ -26,7 +26,7 @@ deb-src http://security.ubuntu.com/ubuntu/ bionic-security main restricted \n\ deb-src http://security.ubuntu.com/ubuntu/ bionic-security universe \n\ deb-src http://security.ubuntu.com/ubuntu/ bionic-security multiverse' >> /etc/apt/sources.list -# # Install Eclipser dependencies +# Install Eclipser dependencies RUN apt-get update \ && apt-get -y build-dep qemu \ && apt-get install -y libtool \ @@ -38,9 +38,11 @@ RUN apt-get update \ && apt-get update \ && apt-get install -y dotnet-sdk-2.2 -# Install DeepState dependencies +# Install DeepState/AFL/libFuzzer dependencies RUN apt-get update \ && apt-get install -y build-essential \ + && apt-get install -y wget \ + && apt-get install -y clang \ gcc-multilib g++-multilib cmake \ python3-setuptools libffi-dev z3 python3-pip \ && rm -rf /var/lib/apt/lists/* 
@@ -49,20 +51,31 @@ RUN chown -R user:user /home/user
 USER user
-# Install Eclipser
+# Install AFL
+RUN wget http://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz \
+ && tar -xzvf afl-latest.tgz \
+ && cd afl-2.52b/ \
+ && make \
+ && sudo make install
+
+ Install Eclipser
 RUN git clone https://github.com/SoftSec-KAIST/Eclipser \
 && cd Eclipser \
 && make \
 && cd ../
-# Install DeepState
+# Install DeepState using a few different compilers for AFL/libFuzzer/Eclipser+normal
 RUN cd deepstate \
 && mkdir build \
 && cd build \
+ && CXX=clang++ CC=clang BUILD_LIBFUZZER=TRUE cmake ../ \
+ && sudo make install \
+ && CXX=afl-clang++ CC=afl-clang BUILD_AFL=TRUE cmake ../ \
+ && sudo make install \
 && cmake ../ \
- && make \
+ && sudo make install \
 && cd .. \
- && pip3 install 'z3-solver==4.5.1.0.post2' angr manticore \
+ && sudo pip3 install 'z3-solver==4.5.1.0.post2' angr manticore \
 && sudo python3 ./build/setup.py install
 CMD ["/bin/bash"]
From 183b4b7ee31c7d029e96add1e4c03ac7ebd9e739 Mon Sep 17 00:00:00 2001
From: Aaron Suarez
Date: Thu, 30 May 2019 12:20:35 -0500
Subject: [PATCH 12/15] Put docker related files in docker/ directory
---
 .dockerignore => docker/.dockerignore | 0
 Dockerfile => docker/Dockerfile | 7 +++----
 sudoers.txt => docker/sudoers.txt | 0
 push/build_image | 2 +-
 4 files changed, 4 insertions(+), 5 deletions(-)
 rename .dockerignore => docker/.dockerignore (100%)
 rename Dockerfile => docker/Dockerfile (94%)
 rename sudoers.txt => docker/sudoers.txt (100%)
diff --git a/.dockerignore b/docker/.dockerignore
similarity index 100%
rename from .dockerignore
rename to docker/.dockerignore
diff --git a/Dockerfile b/docker/Dockerfile
similarity index 94%
rename from Dockerfile
rename to docker/Dockerfile
index 609e4a5..6659c1c 100644
--- a/Dockerfile
+++ b/docker/Dockerfile
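Review bot: The new AFL step fetches `afl-latest.tgz` over plain HTTP with no checksum and then builds and `sudo make install`s whatever arrived, while the hard-coded `cd afl-2.52b/` breaks the build as soon as "latest" points at a newer release; fetch a versioned tarball matching the `afl-2.52b` directory the recipe expects, verify it against a known digest with `sha256sum -c` before `tar -xzvf`, and remove the archive in the same RUN so it does not stay in the layer. In the same hunk the comment ` Install Eclipser` has lost its `#`, which Docker rejects as an unknown instruction (patch 12/15 restores it). `sudo pip3 install 'z3-solver==4.5.1.0.post2' angr manticore` installs into the system site-packages as root and still leaves `angr` unpinned, so the image is not reproducible across rebuilds.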
@@ -5,7 +5,7 @@ RUN apt-get update \
 && apt-get -y install sudo \
 && useradd -ms /bin/bash user && echo "user:user" | chpasswd && adduser user sudo
-ADD /sudoers.txt /etc/sudoers
+ADD /docker/sudoers.txt /etc/sudoers
 ENV ECLIPSER_HOME /home/user/Eclipser
@@ -41,7 +41,6 @@ RUN apt-get update \
 # Install DeepState/AFL/libFuzzer dependencies
 RUN apt-get update \
 && apt-get install -y build-essential \
- && apt-get install -y wget \
 && apt-get install -y clang \
 gcc-multilib g++-multilib cmake \
 python3-setuptools libffi-dev z3 python3-pip \
@@ -58,7 +57,7 @@ RUN wget http://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz \
 && make \
 && sudo make install
- Install Eclipser
+# Install Eclipser
 RUN git clone https://github.com/SoftSec-KAIST/Eclipser \
 && cd Eclipser \
 && make \
@@ -75,7 +74,7 @@ RUN cd deepstate \
 && cmake ../ \
 && sudo make install \
 && cd .. \
- && sudo pip3 install 'z3-solver==4.5.1.0.post2' angr manticore \
+ && sudo pip3 install 'z3-solver==4.5.1.0.post2' angr 'manticore==0.2.5' \
 && sudo python3 ./build/setup.py install
 CMD ["/bin/bash"]
diff --git a/sudoers.txt b/docker/sudoers.txt
similarity index 100%
rename from sudoers.txt
rename to docker/sudoers.txt
diff --git a/push/build_image b/push/build_image
index 0e51a4c..9e3b745 100644
--- a/push/build_image
+++ b/push/build_image
@@ -6,4 +6,4 @@ IMAGE_NAME="deepstate"
 echo "IMAGE_NAME $IMAGE_NAME"
 echo "Building Docker image..."
-docker build -t $IMAGE_NAME -f Dockerfile . || exit $?
+docker build -t $IMAGE_NAME -f docker/Dockerfile . || exit $?
From d63db6bc4aa07fd199d4b2e67b3214a36748f7cb Mon Sep 17 00:00:00 2001
From: agroce
Date: Thu, 30 May 2019 11:57:07 -0700
Subject: [PATCH 13/15] fix dockerfile and readme
---
 README.md | 23 ++++++++---------------
 1 file changed, 8 insertions(+), 15 deletions(-)
diff --git a/README.md b/README.md
index 2aba31a..a03c80f 100644
--- a/README.md
+++ b/README.md
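Review bot: In the `@@ -75,7 +74,7 @@` hunk, `angr` is still unpinned on the changed `sudo pip3 install` line while `z3-solver` and now `manticore` are, so a rebuild can pull a different angr and silently change what the image ships; pin it the same way, `&& sudo pip3 install 'z3-solver==4.5.1.0.post2' 'angr==<tested version>' 'manticore==0.2.5' \` with the version this image was validated against. The RUN this line belongs to starts above the hunk (`RUN cd deepstate \`), so the pin is the only change needed here.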
@@ -133,23 +133,16 @@ If you want to use DeepState in C/C++ code, you will likely want to run `sudo ma
 ### Docker
-You can also try out Deepstate with Docker.
+You can also try out Deepstate with Docker, which is the easiest way
+to get all the fuzzers and tools up and running on any system.
 ```bash
-# Run container with a shared examples/ directory
-# Note that `--rm` will make the container be deleted if you exit it
-# (if you want to persist data from the container, use docker volumes)
-# (we need to increase maximum stack size, so we use ulimit for that)
-$ docker run --rm -it --ulimit stack=100000000:100000000 trailofbits/deepstate bash
-
-# Change to examples directory
-root@b7e7bffce292:/deepstate# cd build/examples
-
-# Fuzz the Runlen example
-root@b7e7bffce292:/deepstate/build/examples# deepstate-angr ./Runlen
-
-# Alternative Runlen example
-root@b7e7bffce292:/deepstate/build/examples# ./Runlen --fuzz --exit_on_fail
+$ docker build -t deepstate . -f docker/Dockerfile
+$ docker run -it deepstate bash
+user@0f7cccd70f7b$ cd deepstate/build/examples
+user@0f7cccd70f7b$ deepstate-angr ./Runlen
+user@0f7cccd70f7b:$ deepstate-eclipser ./Runlen --timeout 30
+user@0f7cccd70f7b:$ ./Runlen_LF -max_total_time=30
 ```
 ## Usage
From e389aa316ce0a49a4c02cfac73bef12780e5a13c Mon Sep 17 00:00:00 2001
From: agroce
Date: Thu, 30 May 2019 11:58:16 -0700
Subject: [PATCH 14/15] actually fix the Dockerfile to blow away the cmake cache
---
 docker/Dockerfile | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 6659c1c..a2de23a 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -69,8 +69,10 @@ RUN cd deepstate \
 && cd build \
 && CXX=clang++ CC=clang BUILD_LIBFUZZER=TRUE cmake ../ \
 && sudo make install \
+ && rm -rf CMakeFiles CMakeCache.txt \
 && CXX=afl-clang++ CC=afl-clang BUILD_AFL=TRUE cmake ../ \
 && sudo make install \
+ && rm -rf CMakeFiles CMakeCache.txt \
 && cmake ../ \
 && sudo make install \
 && cd .. \
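Review bot: The two added `&& rm -rf CMakeFiles CMakeCache.txt \` lines in the `docker/Dockerfile` hunk need a why-comment, because nothing on the line tells a reader why a freshly configured tree is being wiped between installs; the commit subject gives the reason, so put it next to the code, e.g. `# wipe the CMake cache between passes so the next cmake honours the new CC/CXX instead of the cached compiler` on the comment line that introduces this RUN. That RUN starts above the hunk (`RUN cd deepstate \`) and continues past `&& cd .. \`, so only its middle is visible here.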
From 32531c0749f27a20112c1b56a0e6f85b451fd9e7 Mon Sep 17 00:00:00 2001
From: agroce
Date: Thu, 30 May 2019 12:15:30 -0700
Subject: [PATCH 15/15] README change
---
 README.md | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index a03c80f..8afe402 100644
--- a/README.md
+++ b/README.md
@@ -139,10 +139,12 @@ to get all the fuzzers and tools up and running on any system.
 ```bash
 $ docker build -t deepstate . -f docker/Dockerfile
 $ docker run -it deepstate bash
-user@0f7cccd70f7b$ cd deepstate/build/examples
-user@0f7cccd70f7b$ deepstate-angr ./Runlen
-user@0f7cccd70f7b:$ deepstate-eclipser ./Runlen --timeout 30
-user@0f7cccd70f7b:$ ./Runlen_LF -max_total_time=30
+user@0f7cccd70f7b:~/deepstate/build/examples$ cd deepstate/build/examples
+user@0f7cccd70f7b:~/deepstate/build/examples$ deepstate-angr ./Runlen
+user@0f7cccd70f7b:~/deepstate/build/examples$ deepstate-eclipser ./Runlen --timeout 30
+user@0f7cccd70f7b:~/deepstate/build/examples$ ./Runlen_LF -max_total_time=30
+user@0f7cccd70f7b:~/deepstate/build/examples$ mkdir foo; echo foo > foo/foo
+user@0f7cccd70f7b:~/deepstate/build/examples$ afl-fuzz -i foo -o afl_Runlen -- ./Runlen_AFL --input_test_file @@ --no_fork --abort_on_fail
 ```
 ## Usage