
VulnFix

License: GPL v3

VulnFix - An automated program repair technique for fixing security vulnerabilities via inductive inference.

VulnFix targets security vulnerabilities in C/C++ programs, such as buffer overflows, integer overflows, and NULL dereferences. It works by first exploring the states at the patch location with a combination of input-level fuzzing and state-level mutations, and then generalizing a patch invariant from the observed states. A patch invariant is a formula that evaluates to true for the benign states and false for the vulnerable states, which can be used to generate a patch later on.
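To make the notion of a patch invariant concrete, here is an added Python sketch of the inference step; it is not VulnFix's own code (VulnFix runs Daikon over a much larger invariant grammar). It enumerates a handful of templates over constructed snapshots of a hypothetical bounded copy, keeps the formulas that are true on every benign state and false on every vulnerable one, and renders the survivor as a C guard. The variable names n, off and cap, the snapshot values, the template grammar and the guard text are all assumptions made for the example. It also shows the failure mode that matters in practice: with no benign (or no vulnerable) snapshot there is nothing to separate, so no invariant comes out.

```python
from itertools import permutations

# Constructed snapshots (not real VulnFix output) of the variables visible at a
# hypothetical fix location in a bounded copy: 'n' bytes are written into a
# buffer of size 'cap' starting at offset 'off'. The label is True for a benign
# state and False for a vulnerable one (the write runs past the buffer).
SNAPSHOTS = [
    ({"n": 4,  "off": 0,  "cap": 16}, True),
    ({"n": 16, "off": 0,  "cap": 16}, True),
    ({"n": 8,  "off": 8,  "cap": 16}, True),
    ({"n": 1,  "off": 15, "cap": 16}, True),
    ({"n": 17, "off": 0,  "cap": 16}, False),
    ({"n": 9,  "off": 8,  "cap": 16}, False),
    ({"n": 2,  "off": 15, "cap": 16}, False),
    ({"n": 32, "off": 4,  "cap": 16}, False),
]


def candidate_templates(names):
    """Enumerate a small, fixed grammar of candidate invariants over the
    variable names: unary (x != 0, x >= 0), binary comparisons (x < y,
    x <= y) and additive bounds (x + y < z, x + y <= z). Each entry maps the
    formula's C-style text to a predicate over one snapshot."""
    cands = {}
    for x in names:
        cands[f"{x} != 0"] = lambda s, x=x: s[x] != 0
        cands[f"{x} >= 0"] = lambda s, x=x: s[x] >= 0
    for x, y in permutations(names, 2):
        cands[f"{x} < {y}"] = lambda s, x=x, y=y: s[x] < s[y]
        cands[f"{x} <= {y}"] = lambda s, x=x, y=y: s[x] <= s[y]
    for x, y, z in permutations(names, 3):
        if x < y:  # x + y and y + x are the same formula; keep one spelling
            cands[f"{x} + {y} < {z}"] = lambda s, x=x, y=y, z=z: s[x] + s[y] < s[z]
            cands[f"{x} + {y} <= {z}"] = lambda s, x=x, y=y, z=z: s[x] + s[y] <= s[z]
    return cands


def infer_patch_invariants(snapshots):
    """Keep every candidate that holds on all benign snapshots and fails on
    all vulnerable ones. Inference is inductive: it only generalises from
    what was observed, so with no benign (or no vulnerable) snapshot there is
    nothing to separate and the result is empty."""
    benign = [s for s, ok in snapshots if ok]
    vulnerable = [s for s, ok in snapshots if not ok]
    if not benign or not vulnerable:
        return []
    names = sorted(benign[0])
    return [
        text
        for text, holds in candidate_templates(names).items()
        if all(holds(s) for s in benign) and not any(holds(s) for s in vulnerable)
    ]


def render_patch(invariant, fix_location, on_violation="return -1;"):
    """Turn an invariant into a C guard inserted at the fix location: when the
    invariant would be violated, bail out instead of reaching the vulnerable
    operation. Illustrative only; how VulnFix itself emits patches is described
    in its doc/ folder."""
    return (
        f"/* {fix_location}: patch invariant: {invariant} */\n"
        f"if (!({invariant})) {{ {on_violation} }}"
    )


if __name__ == "__main__":
    for inv in infer_patch_invariants(SNAPSHOTS):
        print(render_patch(inv, "copy.c:42"))
```

On the constructed snapshots only n + off <= cap survives: every weaker bound such as n <= cap is also true on some vulnerable state, and the strict form n + off < cap is false on the benign state that fills the buffer exactly. Dropping all benign snapshots (or all vulnerable ones) yields an empty list, which is the situation behind a "0 patch invariants" result.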

Getting started

New changes have been added to VulnFix since the ISSTA22 publication. To get the version from the ISSTA22 period and the steps for using it, please refer to ISSTA22.md.

TODO: Add getting started instruction for the new tool version.

Firstly, certain OS settings are required by VulnFix and its dependencies (e.g. AFL). They are written to the host kernel through /proc and /sys, so they take effect host-wide even though VulnFix itself runs in a container; disabling ASLR in particular weakens every process on the machine, so do this on a dedicated test machine or VM and revert it afterwards (the Linux default for randomize_va_space is 2). To set them, run:

# AFL refuses to start when core dumps are piped to an external handler
echo core | sudo tee /proc/sys/kernel/core_pattern
# use the performance governor so fuzzing throughput is stable
cd /sys/devices/system/cpu
echo performance | sudo tee cpu*/cpufreq/scaling_governor
# disable ASLR system-wide
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
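Because these settings are easy to forget or to lose after a reboot, the following added shell script (not part of VulnFix) checks the three of them before the container is started and prints what still needs fixing. The file name vulnfix_host_check.sh, the --run flag and the one-word verdicts are assumptions for this example; the paths checked are the ones from the commands above.

```bash
#!/bin/sh
# Added example, not part of VulnFix: verify the host settings the README
# asks for before launching the container. Each check is a pure function
# (name, expected, observed) so it can be exercised without root.

# Compare an observed value with the expected one; print a verdict line and
# return 0 on match, 1 otherwise.
check_setting() {
    name="$1"; expected="$2"; observed="$3"
    if [ "$observed" = "$expected" ]; then
        printf 'ok   %-20s %s\n' "$name" "$observed"
        return 0
    fi
    printf 'FIX  %-20s is "%s", want "%s"\n' "$name" "$observed" "$expected"
    return 1
}

# Read one /proc or /sys file; an unreadable file yields a sentinel instead of
# aborting the whole check.
read_setting() {
    if [ -r "$1" ]; then cat "$1"; else printf '<unreadable>'; fi
}

# Summarise all CPUs' frequency governors into one word: "performance" when
# every cpuN/cpufreq/scaling_governor says so, "mixed" when some do not, and
# "no-cpufreq" on hosts (VMs, most containers) that expose no governor at all.
governor_summary() {
    seen=0; bad=0
    for f in /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor; do
        [ -e "$f" ] || continue
        seen=1
        [ "$(cat "$f")" = performance ] || bad=1
    done
    if [ "$seen" -eq 0 ]; then printf 'no-cpufreq'
    elif [ "$bad" -eq 0 ]; then printf 'performance'
    else printf 'mixed'
    fi
}

# Run the three checks from the README; exit status 1 if any needs fixing.
vulnfix_host_check() {
    rc=0
    check_setting core_pattern core "$(read_setting /proc/sys/kernel/core_pattern)" || rc=1
    check_setting randomize_va_space 0 "$(read_setting /proc/sys/kernel/randomize_va_space)" || rc=1
    check_setting scaling_governor performance "$(governor_summary)" || rc=1
    return "$rc"
}

# "sh vulnfix_host_check.sh --run" performs the checks; sourcing the file only
# defines the functions.
if [ "${1:-}" = "--run" ]; then
    vulnfix_host_check
fi
```

On a host with no cpufreq interface the governor check reports no-cpufreq; there is nothing to set there, and the tee command above would fail for the same reason. Re-run the check after each reboot, since none of these settings persists unless you make them so.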

The VulnFix tool and its dependencies are available as a Docker container. (Please refer to doc/INSTALL.md for instructions on building it from source.)

To start:

docker pull yuntongzhang/vulnfix:latest-manual
docker run -it --memory=30g --name vulnfix yuntongzhang/vulnfix:latest-manual

Once inside the container, invoke it on one example (e.g. CVE-2012-5134) with:

# clone and build the target project
cd /home/yuntong/vulnfix/data/libxml2/cve_2012_5134
./setup.sh
# run vulnfix to repair
cd /home/yuntong/vulnfix
vulnfix data/libxml2/cve_2012_5134/config

After VulnFix finishes, the results (generated invariants and patches) can be found in /home/yuntong/vulnfix/data/libxml2/cve_2012_5134/runtime/result/.

Documentation

More details can be found in the documentation in the doc folder. MANUAL.md describes how to use VulnFix in more detail; DEVELOP.md contains useful information for hacking and extending VulnFix.

Bugs

VulnFix should be considered alpha-quality software. Bugs can be reported here.


Issues

Allow Vulnfix to take in Multiple Fault Locations

Maybe this should be done in the Cerberus driver. But it would be nice if we could feed the tool multiple locations to conform to other repair tool APIs.

It could even just cycle through them each sequentially or in parallel with the current approach.

Previous snapshot/mutate run did not produce snapshot file

Dear authors,

I would like to express my appreciation for your valuable work and contributions to the academic community. I am currently facing challenges experimenting with your artifact and would appreciate your assistance in resolving them.

I attempted to integrate a custom benchmark set into your tool; however, most of the runs encountered failures due to the following errors:

==============================first case==============================

[run_bin_snapshot] Return code from the run: 54
[cleanup_snapshot_file] Previous snapshot/mutate run did not produce snapshot file

The following error is reproducible with setup.sh:

#!/bin/bash
git clone https://github.com/mdadams/jasper.git source
cd source/
git checkout e5463624837d08d404dc64bba74eca8ce0ded9a3

autoreconf -i
CC=clang CXX=clang++ CFLAGS="-fsanitize=address,integer,unsigned-integer-overflow -g" CXXFLAGS="-fsanitize=address,integer,unsigned-integer-overflow -g" ./configure --disable-shared
make -j10

cp src/appl/imginfo ../

and this config file:

binary=.../imginfo
cmd=-f <exploit>
exploit=.../exploit
fix-location=jpc_dec.c:1244
crash-location=jpc_dec.c:1244
runtime-dir=.../runtime
source-dir=.../source
fix-file-path=src/libjasper/jpc/jpc_dec.c
fix-line=1244
build-cmd=make clean && make 
# CFLAGS="-static -fsanitize=address -g" CXXFLAGS="-static -fsanitize=address -g" -j10

The target program terminates with the following log output:

jpc_dec.c:1244:19: runtime error: unsigned integer overflow: 1 - 2147483647 cannot be represented in type 'unsigned long'
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior jpc_dec.c:1244:19 in 
error: cannot decode code stream
cannot load image

==============================second case==============================
While analyzing the logs, I suspect that the tool failed to generate invariants, as indicated by the following log entries:

[DEBUG] [post_process_of_initial_snapshots] Final vars in each snapshot : {'p_manager->m_info_data', 'l_cp->tx0', ...}
[DEBUG] [generate_input_from_snapshots] BEFORE BACKEND: # passing: 0; # failing: 100
[INFO] [run] Running Daikon for inference. This make take a while ...
[DEBUG] [run] Raw daikon output is: 
[INFO] [main] --- Initial patch invariants - #(0) : [] ---
[INFO] [main] --- Final patch invariants - #(0) : [] ---
[INFO] [main] Could not infer a patch invariant with the current invariant templates/grammar.
[INFO] [main] Attempting to generate patches from 0 patch invariant(s) ...
[INFO] [main] No patches generated.
[INFO] [main] VulnFix finished. Please find results at  .../runtime/result.

The following message is found in vulnfix.log.debug.

I suspect that these issues might be due to incorrect configuration settings. Could you kindly provide guidance on how to resolve these issues? Additionally, if further details regarding the setup are required for a more thorough diagnosis, please let me know.

Thank you.
