
igor's Issues

A broken link

The link to the benchmark in README.md is empty.

Here are the links to our ground-truth benchmark:
benchmark

Looking forward to a more complete tutorial

I tried to test my own program following the provided tutorial. However, there are inconsistencies between the program parameters and the description in the README. Besides, I also have some questions. Therefore, I am looking forward to a more complete tutorial as soon as possible.

For example, the trace_pruner.py run sample given in the README pointed out that the -a parameter is a hexadecimal number indicating the address of "the breakpoint in the ASAN enabled environment" here in an ASAN disabled environment.

You can prune redundant trace entries(those recorded after the binary's crashing address) by using:

$ python3 trace_pruner.py -i /path/to/trace/files -c /breakpoint/hit/count/dir -o /path/to/result/dir -a $breakpoint_addr
Hint:

The /breakpoint/hit/count/dir is produced by breakpoint_hit_counter.py in an ASAN enabled environment.
The -a parameter is a hexadecimal number indicating the address of "the breakpoint in the ASAN enabled environment" here in an ASAN disabled environment.

But the help text of trace_pruner.py points out that -a points to the argument file path.

usage: trace_pruner.py [-h] [-i I] [-c C] [-o O] [-b B] [-a A]

Prune trace files according to a designated address and its breakpoint hit
count

optional arguments:
  -h, --help  show this help message and exit
  -i I        trace file dir
  -c C        breakpoint hit count file
  -o O        result output dir (auto create if not exists)
  -b B        target binary
  -a A        the path of argument file

According to my rough understanding, find_crashing_addr.py runs the PoC to get the crash and analyzes the crash point. breakpoint_hit_counter.py parses the call stack recovered from the error dump and counts the hit count of each address in the call stack. So, I want to know where the step "Debug the binary under test, find the last function the binary calls before crashing, take down its caller's address (usually, the call instruction's address)." mentioned in the README has been executed. Do I have to do this step manually? Where should I store the results for use in the subsequent processes?

trace_pruner.py finds the address of the next call instruction through self._find_call_ins_addrs(breakpoint_addrs), and then writes trace_file_lines[:stop_idx] to output_file, which does not seem to reduce the trace.

I'm not sure if I have correctly interpreted the tutorial and documents, so I am looking forward to your help to make this process work.

Cannot run the smart tracer tool

When using the smart tracer tool with the latest IntelPin 3.30 toolkit I get the following error.
dlopen failed: library "libpin3dwarf.so" not found

I also cannot find the mentioned library in the IntelPin 3.30 toolkit.
However, I do find it in IntelPin 3.20.

$ find ./pin-3.20-98437-gf02b61307-gcc-linux | grep -i libpin3dwarf
./pin-3.20-98437-gf02b61307-gcc-linux/intel64/lib-ext/libpin3dwarf.so.sig
./pin-3.20-98437-gf02b61307-gcc-linux/intel64/lib-ext/libpin3dwarf.so
./pin-3.20-98437-gf02b61307-gcc-linux/ia32/lib-ext/libpin3dwarf.so.sig
./pin-3.20-98437-gf02b61307-gcc-linux/ia32/lib-ext/libpin3dwarf.so

Unfortunately, when using IntelPin 3.20, I get another error.
dlopen failed: cannot locate symbol "xed_encoder_request_operands_const" referenced by "/magma/fuzzers/aflplusplus/smart_tracer/pintool/calltrace.so"

What version of IntelPin should I use and is there any additional setup required?

Thanks!

Processing of Constraint Expressions

How did you implement the cleaning of constraint expressions mentioned in your work and ultimately compare their similarity in the form of AST? I couldn't find it in the complex warehouse code, and if possible, I hope you can give me a chance to learn this part of the code. Thanks!
