vusec / vuzzer
License: Apache License 2.0
I compiled libdft with Pin 2.13, Linux kernel 3.13.0 and 32-bit 14.04 ubuntu. When I tried the nullpin.so with "../../../../pin -follow_execv -t nullpin.so -- ls". I got an error:
E: Unable to load ./nullpin.so: ./nullpin.so: undefined symbol: _Z27FindColumnLineInfoByAddressSsjPjS_PPKc
Is there any issue with my environment or setting?
Thanks!
Hi,
I cannot successfully run the command python runfuzzer.py -s '/PATH_TO_vuzzer-code/bin/who %s' -i 'datatemp/utmp/' -w 'idafiles/who.pkl' -n idafiles/who.names -o '0x00000000', which is provided in wikiHOWTO.md.
The error is
Traceback (most recent call last):
File "/usr/lib/python2.7/threading.py", line 810, in __bootstrap_inner
self.run()
File "/usr/lib/python2.7/threading.py", line 763, in run
self.__target(*self.__args, **self.__kwargs)
File "runfuzzer.py", line 631, in main
gbb,bbb=dry_run()
File "runfuzzer.py", line 475, in dry_run
(bbs,retc)=execute(tfl)
File "runfuzzer.py", line 155, in execute
bbs = bbdict(config.BBOUT)
File "runfuzzer.py", line 77, in bbdict
with open(config.BBOUT,"r") as bbFD:
IOError: [Errno 2] No such file or directory: '/xxx/vuzzer/outd/bbc.out'
I think bbc.out should be an output file, so any hint on how this happens and how to fix it?
Thanks.
When I run this,
make support-libdft
I got an error:
/vuzzer/pin/source/include/pin/foundation.PLH:52:26: fatal error: types_marker.h: No such file or directory
#include "types_marker.h"
but I found "types_marker.h" in the path /vuzzer/pin/extras/crt/include
Hi,
I've run the example "who" on vuzzer and it works out fine.
However, I picked out the original 'who' on the system (which is 8.21) and generated the .pkl and .names files with IDA 6.6 as requested.
Then I used these two and the seed file provided in vuzzer/datatemp (I assume 8.24's seed can work for 8.21) and tried to vuzz the original who (8.21) with the command:
-----@ubuntu ----/vuzzer$ python runfuzzer.py -s '/usr/bin/who %s' -i 'datatemp/utmp/' -w '../generated/who.pkl' -n ../generated/who.names -o '0x00000000'
vuzzer stops at once with
File "runfuzzer.py", line 626, in main gau.prepareBBOffsets() ImportError: No module named __builtin__
After checking the code, the error occurred while opening who.names.
Is there something wrong in my generating .names with IDA?
If so, what should I focus on while generating them?
After I generated .pkl and .names for "who" 8.24 (the one provided in vuzzer/bin), replaced the .pkl and .names in vuzzer/idafiles and ran the same command as in wikiHOWTO, the same problem occurred again.
After using Linux diff
to compare my .pkl with the provided .pkl, they vary a lot....
Therefore there must be something wrong with my generating.
Thanks for any reply!
The following is my walkthrough; do you know the reason for the problem?
xupeng@ubuntu:~/vuzzerdir/vuzzer$ python runfuzzer.py -s '/home/xupeng/vuzzerdir/vuzzer/bin/who %s' -i 'datatemp/utmp/' -w 'idafiles/who.pkl' -n idafiles/who.names -o '0x00000000'
[*] Starting dry run now...
[*] Just about to run ['/home/xupeng/vuzzerdir/pin2.14//pin', '-tool_exit_timeout', '1', '-t', '/home/xupeng/vuzzerdir/vuzzer/obj-ia32/bbcounts2.so', '-o', '/home/xupeng/vuzzerdir/vuzzer/outd/bbc.out', '-x', '0', '-libc', '0', '-l', '', '--', '/home/xupeng/vuzzerdir/vuzzer/bin/who', '/home/xupeng/vuzzerdir/vuzzer/datatemp/utmp/f2.utmp']
[*] Run complete..
Exception in thread Thread-1:
Traceback (most recent call last):
File "/usr/lib/python2.7/threading.py", line 810, in __bootstrap_inner
self.run()
File "/usr/lib/python2.7/threading.py", line 763, in run
self.__target(*self.__args, **self.__kwargs)
File "runfuzzer.py", line 631, in main
gbb,bbb=dry_run()
File "runfuzzer.py", line 475, in dry_run
(bbs,retc)=execute(tfl)
File "runfuzzer.py", line 155, in execute
bbs = bbdict(config.BBOUT)
File "runfuzzer.py", line 77, in bbdict
with open(config.BBOUT,"r") as bbFD:
IOError: [Errno 2] No such file or directory: '/home/xupeng/vuzzerdir/vuzzer/outd/bbc.out'
xupeng@ubuntu:~/vuzzerdir/vuzzer$
I am trying to generate the names and pkl files of the binary with BB-weight4.py.
I got this error:
Traceback (most recent call last):
File "fuzzer-code/BB-weight4.py", line 10, in <module>
import idaapi
ImportError: No module named idaapi
Anyone know how to do this?
I am new to IDA. Thanks
Hi,
(1) Some types of instructions, for example movdqu, which would influence the taint analysis result, are ignored by libdft, so how can you get the right taint result?
(2) For the XADD instruction, could the source operand be a memory operand? (xadd_m2r)
Thanks for your reply!
It seems that the required component, the modified libdft, is inaccessible. I cannot get it for compiling Vuzzer.
Hi, great work the Vuzzer.
When I read the paper published at NDSS'17, figure 2, which is a high-level CFG of the code shown in Listing 3, makes me a little confused. In the code you have given, the statement 'if (buf[1]==0xEF && buf[0]==0xFD)' is shown in the same block, but the statement 'if (buf[10]=='%' && buf[11]=='@')' is shown in different blocks, block E and F. And from block E, one side goes to check the character '@'. Does it mean that the check of the character '%' has passed? The other side goes to block H. What does 'some task' mean? I couldn't find it in the code. And why can blocks F and G go to the same error-handling block? I couldn't match the figure with the code.
Thank you so much for reading that.
Hi,
I installed Vuzzer following the guide. I am using Ubuntu 14.04.1 so the kernel version is compatible with pin 2.14.
I have tried the /bin/who example, and it works perfectly.
I used gcc 4.8 to compile a simple .c program (it only contains printf, if-else and gets), and I used IDA Pro 6.8 with the Python script to generate the .names and .pkl files. I put four txt files under datatemp/fuzzme_32bit/.
But I get the following errors:
rd@ubuntu:~/Desktop/vuzzer$ python runfuzzer.py -s '/home/rd/Desktop/vuzzer/bin/fuzzme_32bit' -i 'datatemp/fuzzme_32bit/' -w 'idafiles/fuzzme_32bit.pkl' -n idafiles/fuzzme_32bit.names
[*] Starting dry run now...
Exception in thread Thread-1:
Traceback (most recent call last):
File "/usr/lib/python2.7/threading.py", line 810, in __bootstrap_inner
self.run()
File "/usr/lib/python2.7/threading.py", line 763, in run
self.__target(*self.__args, **self.__kwargs)
File "runfuzzer.py", line 631, in main
gbb,bbb=dry_run()
File "runfuzzer.py", line 475, in dry_run
(bbs,retc)=execute(tfl)
File "runfuzzer.py", line 136, in execute
args=config.SUT % tfl
TypeError: not all arguments converted during string formatting
Can anyone help?
Thank you!
computing MORECOM calculation...
[*] taintflow finished.
[*] Going for new generation creation.
in get_cut
offset 677
in get_cut
offset 51
[*] 0 offset set
in get_cut
offset 402
in get_cut
random offset 0
[*] 0 offset set
in get_cut
random offset 279
in get_cut
Exception in thread Thread-1:
Traceback (most recent call last):
File "/usr/lib/python2.7/threading.py", line 810, in __bootstrap_inner
self.run()
File "/usr/lib/python2.7/threading.py", line 763, in run
self.__target(*self.__args, **self.__kwargs)
File "runfuzzer.py", line 818, in main
gau.createNextGeneration3(fitnes,genran)
File "/vuzzer/gautils.py", line 455, in createNextGeneration3
mch1= ga.mutate(ch1,sin1)
File "/vuzzer/operators.py", line 294, in mutate
result=self.r.choice(self.mutators)(self, original,fl)
File "/vuzzer/operators.py", line 256, in double_fuzz
return self.r.choice(self.mutators)(self, result,fl)
File "/vuzzer/operators.py", line 256, in double_fuzz
return self.r.choice(self.mutators)(self, result,fl)
File "/vuzzer/operators.py", line 228, in eliminate_double_null
cut_pos = original.find('\0\0', self.r.randint(0, size))
File "/usr/lib/python2.7/random.py", line 240, in randint
return self.randrange(a, b+1)
File "/usr/lib/python2.7/random.py", line 216, in randrange
raise ValueError, "empty range for randrange() (%d,%d, %d)" % (istart, istop, width)
ValueError: empty range for randrange() (0,0, 0)
The function eliminate_double_null
is:

```python
def eliminate_double_null(self, original, fl, replacement='AA'):
    size = len(original) - 1
    cut_pos = original.find('\0\0', self.r.randint(0, size))
    if (cut_pos != -1):
        result = ''.join([original[:cut_pos], replacement, original[cut_pos + 2:]])
    else:
        return original
    #assert len(original) == len(result), "size changed on a null elmination change %d %d" % (len(original), len(result))
    return result
```

Maybe we should add a line:

```python
    if size <= 0:
        return original
```
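As an added example (not the project's code), the mutator quoted above beside a guarded version. The `(0,0, 0)` in the error means `randint(0, -1)`, i.e. `len(original) == 0`: the chained `double_fuzz` calls handed this mutator an empty buffer. Bytes are used instead of Python 2 str so it runs under Python 3; `LowestOffset` is a stand-in RNG for deterministic checks.

```python
import random

class LowestOffset:
    """Stand-in RNG for deterministic checks: always returns the lowest
    offset allowed, i.e. scan from the start of the buffer."""
    def randint(self, a, b):
        return a

def eliminate_double_null_unguarded(r, original, replacement=b"AA"):
    """Behaviour of operators.py as quoted in the post (bytes instead of
    Python 2 str). With an empty buffer size is -1, and randint(0, -1)
    raises ValueError: empty range for randrange()."""
    size = len(original) - 1
    cut_pos = original.find(b"\0\0", r.randint(0, size))
    if cut_pos == -1:
        return original
    return original[:cut_pos] + replacement + original[cut_pos + 2:]

def eliminate_double_null(r, original, replacement=b"AA"):
    """Same mutator with the guard the post proposes: buffers of length
    0 or 1 cannot contain two consecutive NULs, so hand them back as-is
    instead of asking the RNG for an offset in an empty range."""
    size = len(original) - 1
    if size <= 0:
        return original
    cut_pos = original.find(b"\0\0", r.randint(0, size))
    if cut_pos == -1:
        return original
    result = original[:cut_pos] + replacement + original[cut_pos + 2:]
    # Two NUL bytes are replaced by two bytes, so the length is preserved.
    assert len(result) == len(original), "size changed on a null elimination"
    return result

def unguarded_crashes_on_empty():
    """True if the unguarded mutator raises on an empty buffer, which is
    exactly what the traceback on the page shows."""
    try:
        eliminate_double_null_unguarded(random.Random(1), b"")
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print(eliminate_double_null(LowestOffset(), b"ab\0\0cd"))  # b'abAAcd'
    print(eliminate_double_null(LowestOffset(), b""))          # b''
    print(unguarded_crashes_on_empty())                         # True
```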
Hi,
I met a problem when running with multiple libs. I followed wikiHOWTO.md and used the command
python runfuzzer.py -s "~/libxml2/bin/xmllint --noout --valid %s" -i "input" -w "../wn/xmllint.pkl,../wn/libc.pkl" -n "../wn/xmllint.names,../wn/libc.names" -l 2 -o "0x0,0x0" -b "libc"
The terminal shows
load address changed..run again!
but there is only the Main func in imageOffset.txt.
So I added a line in runfuzzer.py, print(hex(liboffsetcur)),
before gau.die("load address changed..run again!").
The terminal shows
0xb6553000L
But when I change the command to python runfuzzer.py -s "~/libxml2/bin/xmllint --noout --valid %s" -i "input" -w "../wn/xmllint.pkl,../wn/libxml2.pkl" -n "../wn/xmllint.names,../wn/libxml2.names" -l 2 -o "0x0,0x0" -b "libxml2"
to grab the addr of libxml2,
the terminal shows the same addr as above.
Thanks for replying.
I get an error like this, but it's OK when I run the sample bin "who".
The files were generated by BB-weightv4.py.
rg@rg-virtual-machine:~/vuzzer$ python runfuzzer.py -s '/home/rg/vuzzer/bin/vlc %s' -i 'datatemp/vlc/' -w 'idafiles/vlc.pkl' -n idafiles/vlc.names -o '0x00000000'
Exception in thread Thread-1:
Traceback (most recent call last):
File "/usr/lib/python2.7/threading.py", line 810, in __bootstrap_inner
self.run()
File "/usr/lib/python2.7/threading.py", line 763, in run
self.__target(*self.__args, **self.__kwargs)
File "runfuzzer.py", line 623, in main
gau.prepareBBOffsets()
File "/home/rg/vuzzer/gautils.py", line 523, in prepareBBOffsets
tdata=pickle.load(tFD)
File "/usr/lib/python2.7/pickle.py", line 1378, in load
return Unpickler(file).load()
File "/usr/lib/python2.7/pickle.py", line 858, in load
dispatch[key](self)
File "/usr/lib/python2.7/pickle.py", line 1090, in load_global
klass = self.find_class(module, name)
File "/usr/lib/python2.7/pickle.py", line 1124, in find_class
__import__(module)
ImportError: No module named __builtin__
and I can "import __builtin__" in the Python command line.
Hi, all.
For testing, I created a simple Dockerfile to build vuzzer.
If you are interested, please include this in your repo.
Thanks.
Dockerfile

```dockerfile
FROM i386/ubuntu:trusty
ENTRYPOINT ["linux32", "--"]
COPY build.sh /build.sh
RUN /build.sh
```

build.sh

```bash
#!/bin/bash
apt-get update
apt-get install -y build-essential bmagic git python python-pip wget
# Install BitVector module
pip install BitVector
# Install vuzzer
git clone https://github.com/vusec/vuzzer.git /vuzzer
cd /vuzzer
# Install EWAHBoolArray
git clone https://github.com/lemire/EWAHBoolArray.git
ln -s $(pwd)/EWAHBoolArray/headers/* /usr/include
# Download pin
wget http://software.intel.com/sites/landingpage/pintool/downloads/pin-2.14-71313-gcc.4.4.7-linux.tar.gz
tar -zxvf pin-2.14-71313-gcc.4.4.7-linux.tar.gz
ln -s $(pwd)/pin-2.14-71313-gcc.4.4.7-linux $(pwd)/pin
# Build vuzzer
export HOST_ARCH=ia32
export PIN_ROOT=$(pwd)/pin
make support-libdft
make
make -f mymakefile
```
hi, everyone,
I set up the env for vuzzer and successfully tested it with the bin/who binary,
but when I use vuzzer to fuzz a new binary, cb, I get the errors as follows:
$ python runfuzzer.py -s "../cb %s " -i "../input/" -w idafiles/cb.pkl -n idafiles/cb.names
Exception in thread Thread-1:
Traceback (most recent call last):
File "/usr/lib/python2.7/threading.py", line 810, in __bootstrap_inner
self.run()
File "/usr/lib/python2.7/threading.py", line 763, in run
self.__target(*self.__args, **self.__kwargs)
File "runfuzzer.py", line 625, in main
gau.prepareBBOffsets()
File "/home/windhl/vuzzer/vuzzer/gautils.py", line 523, in prepareBBOffsets
tdata=pickle.load(tFD)
File "/usr/lib/python2.7/pickle.py", line 1378, in load
return Unpickler(file).load()
File "/usr/lib/python2.7/pickle.py", line 858, in load
dispatch[key](self)
File "/usr/lib/python2.7/pickle.py", line 1090, in load_global
klass = self.find_class(module, name)
File "/usr/lib/python2.7/pickle.py", line 1124, in find_class
__import__(module)
ImportError: No module named __builtin__
While using Vuzzer fuzzing tcpdump using the command
python runfuzzer.py -s './bin/tcpdump -r %s' \
-i './datatemp/tcpdump/' \
-w './idafiles/tcpdump.pkl' \
-n './idafiles/tcpdump.names'
I got exceptions as below:
Exception in thread Thread-1:
Traceback (most recent call last):
File "/usr/lib/python2.7/threading.py", line 810, in __bootstrap_inner
self.run()
File "/usr/lib/python2.7/threading.py", line 763, in run
self.__target(*self.__args, **self.__kwargs)
File "runfuzzer.py", line 628, in main
gau.prepareBBOffsets()
File "/home/jshuang/vuzzer/gautils.py", line 523, in prepareBBOffsets
tdata=pickle.load(tFD)
File "/usr/lib/python2.7/pickle.py", line 1378, in load
return Unpickler(file).load()
File "/usr/lib/python2.7/pickle.py", line 858, in load
dispatch[key](self)
File "/usr/lib/python2.7/pickle.py", line 1090, in load_global
klass = self.find_class(module, name)
File "/usr/lib/python2.7/pickle.py", line 1124, in find_class
__import__(module)
ImportError: No module named __builtin__
How can I fix this? I did not encounter this problem with other test programs.
The tcpdump version is 4.5.1.
Has anyone encountered this situation?
[*] Run complete..
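Four posts above (who 8.21, vlc, cb and tcpdump) hit `ImportError: No module named __builtin__` from `pickle.load` under Python 2.7, where the `__builtin__` module always exists. A cause consistent with that symptom, assumed here and not stated on the page, is a .pkl written in text mode on Windows (for example by the IDA script run there): every pickle line then ends in CRLF, the GLOBAL opcode yields the module name `__builtin__\r`, and the trailing `\r` is invisible in a terminal. The following added example (not the project's code; sample data constructed) reproduces that failure under Python 3, where the same protocol-0 opcode is used, and repairs the file.

```python
import pickle

# Constructed sample with the shape of data the IDA script pickles
# (basic-block address -> set of related addresses); values are made up.
SAMPLE = {0x8048400: {0x8048420, 0x8048440}, 0x8048460: set()}

def dump_protocol0(obj):
    """Python 2's default protocol: text opcodes, and the set type is
    written as the GLOBAL opcode 'c__builtin__\\nset\\n'."""
    return pickle.dumps(obj, protocol=0)

def mangle_crlf(data):
    """Simulate a text-mode write on Windows: every LF becomes CRLF."""
    return data.replace(b"\n", b"\r\n")

def failing_module_name(data):
    """Unpickle and, if a GLOBAL opcode names a module that cannot be
    imported, return that name (repr() it to see the stray '\\r').
    Returns None when loading succeeds."""
    try:
        pickle.loads(data)
        return None
    except ImportError as exc:        # ModuleNotFoundError in Python 3
        return exc.name

def normalize_crlf(data):
    """Undo the mangling. Safe only for protocol-0 pickles, which are
    7-bit text with escaped strings; binary protocols start with the
    PROTO opcode 0x80 and may contain 0x0d 0x0a as real data."""
    if data[:1] == b"\x80":
        raise ValueError("binary pickle protocol: refusing to rewrite CRLF")
    return data.replace(b"\r\n", b"\n")

def load_repaired(data):
    """Repair a CRLF-mangled protocol-0 pickle and unpickle it."""
    return pickle.loads(normalize_crlf(data))

if __name__ == "__main__":
    good = dump_protocol0(SAMPLE)
    bad = mangle_crlf(good)
    print("clean file fails on:", failing_module_name(good))        # None
    print("CRLF file fails on:", repr(failing_module_name(bad)))    # '__builtin__\r'
    print("repaired file round-trips:", load_repaired(bad) == SAMPLE)  # True
```

From the shell, running dos2unix over the generated .pkl and .names files is the equivalent repair.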
Hey, great work on Vuzzer!
With regards to tags, perhaps it would be beneficial to add a sentence describing each tag type in the ReadMe file?
libdft_tag_set_fdoff
libdft_tag_bitset
libdft_tag_ewah
libdft_tag_bvector