tum-i4/macke tum-i4/macke

  • Stars
    star
    113
  • Rank 310,115 (Top 7 %)
  • Language
    Python
  • License
    Apache License 2.0
  • Created about 9 years ago
  • Updated almost 5 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
tum-i4/macke
github

tum-i4

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Modular And Compositional analysis with KLEE Engine

MACKE - Modular and Compositional Analysis with KLEE (and AFL) Engine

MACKE is a wrapper around AFL and KLEE, that decomposes the analyzed programs into several smaller units, analyze these seperately and finally merge all found errors to one interactive report. Please read the MACKE-paper for more details.

Installation guide

Requirements

Step 1: LLVM and KLEE with targeted search

Building KLEE can be a complicated task and there are multiple strategies for it. We suggest the setup described in our Step-by-Step manual. But whatever way you choose, MACKE needs a special search mode, that is not part of the official KLEE code, yet. We aim to merge it into KLEE someday, but till then, you need to use our fork of KLEE.

For our step-by-step manual, this means, that you have to adapt one command. Instead of:

git clone --depth 1 --branch v1.3.0 https://github.com/klee/klee.git

in Step 6, you must use:

git clone --depth 1 https://github.com/tum-i22/klee22.git

In addition to the above, you also need to install LLVM 6.0 if you want the ability to fuzz in phase 1 of Macke.

For our step-by-step manual, this means that you must repeat Step 1 for LLVM 6.0, i.e. replace RELEASE_342 with RELEASE_600 in all links.

Step 2: Building the macke-llvm-opt passes

MACKE performs several modifications on LLVM bitcode level. Doing this inside python requires a lot more effort, than directly writing the operations in C++ - especially if you are forced to use the same, old version of LLVM as KLEE uses. Therefore, we decide to seperate all low level operations into two other repositories - one for LLVM 3.4 for KLEE-related stuff and another one for LLVM 6.0 for AFL-related stuff.

If you choose a different directory structure than suggested in our Step-by-Step manual, please adapt the pathes to match your needs.

git clone --depth 1 https://github.com/tum-i22/macke-opt-llvm 
cd macke-opt-llvm
make LLVM_SRC_PATH=~/build/llvm3.4/ KLEE_BUILDDIR=~/build/klee/Release+Asserts KLEE_INCLUDES=~/build/klee/include/

Now repeat the above step for macke-fuzzer-opt-llvm

git clone --depth 1 https://github.com/tum-i22/macke-fuzzer-opt-llvm 
cd macke-fuzzer-opt-llvm
make LLVM_SRC_PATH=~/build/llvm6.0/ KLEE_BUILDDIR=~/build/klee/Release+Asserts KLEE_INCLUDES=~/build/klee/include/

Step 3: Building MACKE

We are done with the dependencies - now to the main project.

# You might have to change the branch in repository below, depending on the version you want to build
git clone --depth 1 https://github.com/tum-i22/macke
cd macke
make dev

Step 4: Running MACKE

Before you can actually start using MACKE, you have to modify the ./config.ini with your favorite text editor. Please adapt the pathes there to the directories, you have created earlier in this guide.

First switch your virtual environment to Macke

source .venv/bin/activate # Note: just needed once per open shell

If you want to analyze the isolated functions with symbolic execution then run the following:

macke 2beAnalyzed.bc

Otherwise if you want to analyze the isolated functions with fuzzing (AFL) then run the following:

macke --use-fuzzer=1 --fuzz-bc=2beAnalyzedCompiledWithClang6.0.bc 2beAnalyzed.bc

Finally, if you want to analyze the isolated functions with flipper (switch between KLEE and AFL, whenever one of them saturates) then run the following:

macke --flipper=1 --fuzz-bc=2beAnalyzedCompiledWithClang6.0.bc 2beAnalyzed.bc

We wish you happy testing! If you have problems converting existing source code bases to bitcode files, you should have a look at this tool for improving make.

Troubleshooting

Getting around the issue of cgroups

Linux control groups, or Cgroups in short, are a kernel feature that allows user space processes to have limited (and exclusive) access to certain system resources, such as CPU. We leverage cgroups to isolate parallel fuzzing processes so that they don't interfere.

Therefore, before using Macke, you need to create these cgroups partitions. There are two alternative ways to do this.

Alternative 1: Using Macke

  1. Change as root
sudo -s
  1. Load macke (with source command) virtual environment and create cgroups
macke --initialize-cgroups --cgroup-name=<user>:<group>

If the warning about limiting swap memory shows up, then run the following

macke --initialize-cgroups --cgroup-name=<user>:<group> --ignore-swap

and in all subsequent macke commands, also add --ignore-swap

Alternative 2: Manually on command-line:

  1. Run cgroups command. If your CPU has x cores, then run the following command x times replacing the index i with the CPU number, i.e. mackefuzzer_1, mackefuzzer_2... mackefuzzer_x.
cgcreate -s 775 -d 775 -f 775 -a <usergroup> -t <usergroup> -g memory: mackefuzzer_<i>

You almost certainly might need to run this command as root or with sudo.

Then, in all subsequent macke commands, also add --ignore-swap, if your operating system does not allow partitioning swap memory resource.

Author's note

For current issues, suggestions, datasets and gratitude please email me. Big thanks to HuTo and Fabian Kilger for much of the development effort.

Saahil Ognawala

More Repositories

1

obfuscation-benchmarks

A set of programs used for benchmarking the strength of obfuscation
C
83
star
2

indistinguishability-obfuscation

Implementation of indistinguishability obfuscation constructions from scientific literature
Python
43
star
3

vot4cs

A Virtualization Obfuscation Tool for C# programs
C#
38
star
4

munch

Greybox fuzzer for optimizing function coverage and finding low-level vulnerabilities in C programs
Makefile
37
star
5

attack-graph-generator

Python
30
star
6

klee-install

Step by step manual for building KLEE
Shell
18
star
7

dta-vs-osc

Dynamic Taint Analysis versus Obfuscated Self-Checking
16
star
8

Repackman

A Tool for the Automatic Repackaging of Android Apps
13
star
9

deadlines

Deadline countdowns for academic conferences relevant to the SSE chair.
JavaScript
11
star
10

Oedipus

A Python framework that uses machine learning algorithms to implement the metadata recovery attack against obfuscated programs.
Python
10
star
11

self-checksumming

C++
10
star
12

sip-toolchain

A toolchain for software integrity protection including self-checksumming, control flow integrity, result checking, oblivious hashing and a sample program protected using Intel SGX
8
star
13

sip-oblivious-hashing

LLVM
7
star
14

JTeC

JTeC: Java Testwise Coverage
Java
7
star
15

input-dependency-analyzer

C++
7
star
16

dirts

DIRTS: Dependency Injection Aware Regression Test Selection
Java
7
star
17

Maat

Maat is a framework that mines VirusTotal scan reports to extract various information about the correctness, completeness, and consistency of scanners. It can also be used to train threshold-based and ML-based labeling strategies to label (Android) apps according to their VirusTotal scan reports and much more. Maat also refers to the ancient Egyptian concepts of truth, balance, order, harmony.
Python
7
star
18

Pairika

C++
6
star
19

nequivack

Non-equivalence checker for C programs
C
6
star
20

binary-rts

BinaryRTS is a research tool for regression test selection of C++ binaries based on dynamic binary instrumentation
Python
5
star
21

Aletheia

HTML
4
star
22

macke-opt-llvm

Passes for LLVM operations inside MACKE
C++
4
star
23

CIS-Benchmark-Evaluation

This repository is part of the paper Automated Implementation of Windows-related Security-Configuration Guides presented at the 35th IEEE/ACM International Conference on Automated Software Engineering.
HTML
3
star
24

inverse-transparency

Connected infrastructure to automatically log and display accesses to employees' data
Python
3
star
25

macke-fuzzer-opt-llvm

C++
3
star
26

green-fuzzing-artifacts

Artifacts for the paper: "Green Fuzzing: A Saturation-Based Stopping Criterion using Vulnerability Prediction"
Jupyter Notebook
3
star
27

what-the-func

A simple C++ function parser/tagger based on tree-sitter
TypeScript
2
star
28

rritbed

Real-Time Remote Intrusion Detection Testbed
Python
2
star
29

localizing-android-malicious-behaviors

Initial implementation of a method to localize malicious behaviors from API call traces of Android apps
Python
2
star
30

SACPS-evaluation-framework

Python
2
star
31

disa-windows-server-2016

This repository is part of the paper Automated Implementation of Windows-related Security-Configuration Guides presented at the 35th IEEE/ACM International Conference on Automated Software Engineering.
2
star
32

ssacps_packages

Contains ROS packages to run the use cases in the ssacps_simulation repository.
C++
2
star
33

troutcatchers

A framework for the extraction of malicious behaviors from Android (repackaged) malware
Python
1
star
34

kovacs

Go
1
star
35

sipvsml

Software Integrity Protection Versus Machine Learning
Jupyter Notebook
1
star
36

CodeMapExtractor

Python
1
star
37

survey-tools

A bunch of text and pdf analysis tools that may be useful for literature surveys and mapping studies
Python
1
star
38

MakeAdditions

Add magic to your make command
Python
1
star
39

disa-windows-server-2019

This repository is part of the paper Automated Implementation of Windows-related Security-Configuration Guides presented at the 35th IEEE/ACM International Conference on Automated Software Engineering.
1
star
40

Better-Safe-Than-Sorry

This repository is part of the paper "Better Safe Than Sorry! Automated Identification of Breaking Security-Configuration Rules" accepted at the "4th ACM/IEEE International Conference on Automation of Software Test (AST)". https://conf.researchr.org/home/ast-2023
Python
1
star
41

CODASPY2022

This repository is part of the paper "Hardening with Scapolite: a DevOps-based Approach for Improved Authoring and Testing of Security-Configuration Guides in Large-Scale Organizations" presented at the 12th ACM Conference on Data and Application Security and Privacy (CODASPY). http://www.codaspy.org/2022/
1
star
42

Automated-Identification-of-Security-Relevant-Configuration-Settings-Using-NLP

This repository is part of the paper "Automated Identification of Security-Relevant Configuration Settings Using NLP" accepted at the Industry Showcase track at the 37th IEEE/ACM International Conference on Automated Software Engineering (ASE). https://conf.researchr.org/track/ase-2022/ase-2022-industry-showcase.
Jupyter Notebook
1
star