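#!/usr/bin/env bash
#
# build_jpeg.sh - prepare the IJG jpeg-9c djpeg target for MUSE fuzzing.
#
# Steps (each mirrors one stage of the original recipe):
#   1. download and unpack the jpeg-9c source tarball
#   2. build it with wllvm/clang (UBSan, static) and extract djpeg.bc
#   3. in jpeg-9c/obj-muse, build the AFL target (afl-djpeg) and the
#      DynInstr replay binary (dyninst-djpeg) from that bitcode
#   4. run the SVF analyzer (llvm-4.0) on the instrumented bitcode
#   5. drop in the coordinator config template and AFL jpeg seeds
#
# Environment (all optional):
#   MUSE_ROOT        muse checkout; default ~/work/muse
#   JPEG_SRC_SHA256  expected SHA-256 of jpegsrc.v9c.tar.gz. When set, the
#                    download is verified before it is extracted; when
#                    unset a warning is printed and the tarball is used
#                    unverified (the original behaviour).
#
# Every stage aborts on failure instead of running the next command in
# whatever directory happens to be current.
set -euo pipefail

readonly MUSE_ROOT="${MUSE_ROOT:-$HOME/work/muse}"
readonly JPEG_SRC_URL="https://www.ijg.org/files/jpegsrc.v9c.tar.gz"
readonly JPEG_TARBALL="jpegsrc.v9c.tar.gz"
readonly JPEG_SRC_DIR="jpeg-9c"
readonly WORK_DIR="obj-muse"
readonly PROG="djpeg"

#######################################
# Print a message to stderr and exit 1.
# Arguments: message words
#######################################
die() {
  printf 'build_jpeg: %s\n' "$*" >&2
  exit 1
}

#######################################
# Download the source tarball, verify it when a digest is supplied, unpack.
# Globals:  JPEG_SRC_URL, JPEG_TARBALL, JPEG_SRC_DIR (read),
#           JPEG_SRC_SHA256 (read, optional)
# Outputs:  creates ./jpeg-9c
#######################################
fetch_source() {
  # -O pins the output name; without it a re-run saves jpegsrc.v9c.tar.gz.1
  # and tar silently extracts the stale copy from the previous run.
  wget -O "$JPEG_TARBALL" "$JPEG_SRC_URL" || die "download of $JPEG_SRC_URL failed"

  if [[ -n "${JPEG_SRC_SHA256:-}" ]]; then
    # Integrity check on the fetched source: the whole fuzzing target is
    # built from this archive, so refuse anything that does not match the
    # digest the maintainer recorded (e.g. JPEG_SRC_SHA256=<sha256 of the
    # release tarball, taken from a trusted copy>).
    printf '%s  %s\n' "$JPEG_SRC_SHA256" "$JPEG_TARBALL" \
      | sha256sum -c --quiet - \
      || die "checksum mismatch for $JPEG_TARBALL"
  else
    printf 'build_jpeg: JPEG_SRC_SHA256 not set, using %s unverified\n' \
      "$JPEG_TARBALL" >&2
  fi

  tar zxf "$JPEG_TARBALL" || die "cannot extract $JPEG_TARBALL"
  [[ -d "$JPEG_SRC_DIR" ]] || die "$JPEG_TARBALL did not unpack to $JPEG_SRC_DIR"
}

#######################################
# Configure and build with wllvm so the whole-program bitcode can be
# extracted afterwards; must be run inside the source directory.
# Globals:  PROG (read)
# Outputs:  ./djpeg and ./djpeg.bc
#######################################
build_bitcode() {
  # generate whole program bc: static-only build so extract-bc sees one
  # program, UBSan instrumentation is carried into the bitcode via CFLAGS.
  CC=wllvm LLVM_COMPILER=clang CFLAGS="-fsanitize=undefined -g" \
    ./configure --enable-shared=no --enable-static=yes
  LLVM_COMPILER=clang make -j"$(nproc)"
  # extract bc
  extract-bc "$PROG"
  [[ -f "$PROG.bc" ]] || die "extract-bc did not produce $PROG.bc"
}

#######################################
# Build the two instrumented binaries from djpeg.bc; run inside obj-muse.
# Globals:  MUSE_ROOT, PROG (read)
# Outputs:  ./afl-djpeg (binary to be fuzzed)
#           ./dyninst-djpeg (instrumented binary replayed by the coordinator)
#######################################
instrument() {
  "$MUSE_ROOT/AFL/afl-clang-fast" "$PROG.bc" -o "afl-$PROG" \
    -fsanitize=undefined -lm
  "$MUSE_ROOT/DynInstr/dyn-instr-clang" "$PROG.bc" -o "dyninst-$PROG" \
    -fsanitize=undefined -lm
}

#######################################
# Run the SVF analyzer (llvm-4.0) on the instrumented bitcode.
# Globals:  MUSE_ROOT, PROG (read)
# Outputs:  PROG.edge       - each basic block and its outgoing edge IDs
#           PROG.reach.cov  - each BB ID and how many basic blocks it can reach
#           PROG.reach.bug  - each BB ID and how many Sanitizer Labels it can reach
#######################################
run_svf() {
  # NOTE(review): dyninst-djpeg.bc is not produced by any visible step; it is
  # presumably emitted next to dyninst-djpeg by dyn-instr-clang — confirm.
  python "$MUSE_ROOT/svf/SVF/dma_wrapper.py" -fspta "dyninst-$PROG.bc" \
    -o "$PROG.reach" -edge "$PROG.edge"
}

#######################################
# Install the coordinator config template and the AFL jpeg seed corpus;
# run inside obj-muse.
# Globals:  MUSE_ROOT, PROG (read)
# Outputs:  ./fuzz.cfg and ./in/
#######################################
prepare_workdir() {
  local afl_dir
  afl_dir=$(realpath -- "$MUSE_ROOT/AFL") || die "cannot resolve $MUSE_ROOT/AFL"

  cp "$MUSE_ROOT/coordinator/configs/fuzz.$PROG.cfg" fuzz.cfg
  # The template refers to AFL by the literal "~/work/muse/AFL/"; rewrite
  # that to the resolved absolute path. '#' is the sed delimiter, so an
  # AFL path containing '#' or '&' would need escaping first.
  sed -i -- "s#~/work/muse/AFL/#${afl_dir}/#g" fuzz.cfg

  cp -a "$MUSE_ROOT/AFL/testcases/images/jpeg/" in
}

main() {
  [[ -d "$MUSE_ROOT" ]] || die "MUSE_ROOT=$MUSE_ROOT is not a directory"

  fetch_source
  cd -- "$JPEG_SRC_DIR" || die "cannot cd to $JPEG_SRC_DIR"
  build_bitcode

  # set up fuzzing work dir; a leftover obj-muse from an earlier run is an
  # error rather than something to silently build into.
  mkdir "$WORK_DIR" || die "$WORK_DIR already exists in $JPEG_SRC_DIR"
  cd -- "$WORK_DIR" || die "cannot cd to $WORK_DIR"
  cp "../$PROG.bc" .
  # get binary for qsym
  cp "../$PROG" .

  instrument
  run_svf

  printf '%s\n' "Preparation done, please edit the config file and prepare the seeding inputs for fuzzing"
  prepare_workdir
  printf '%s\n' "target direction: jpeg-9c/obj-muse"
  printf '%s\n' "config template: jpeg-9c/obj-muse/fuzz.cfg"
}

main "$@"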