
How to solve a Tracer(aslr=False)

Open paintedveil5 opened this issue 1 year ago • 5 comments

I'm testing Driller with Angr on the binaries of the Angr test suite. The following error messages are returned for most of the binaries in the x86_64 directory, such as cat. Could you provide some suggestions to solve them?

#########################
### test_drilling_cgc ###
#########################
DEBUG    | 2024-04-24 22:15:47,586 | driller.driller | [echo] drilling started on Wed Apr 24 22:15:47 2024.
WARNING  | 2024-04-24 22:15:47,587 | driller.driller | Debug directory is not set. Will not log fuzzing bitmap.
Traceback (most recent call last):
  File "/home/lily/Desktop/Driller/driller/test_driller.py", line 74, in <module>
    run_all()
  File "/home/lily/Desktop/Driller/driller/test_driller.py", line 65, in run_all
    all_functions[f]()
  File "/home/lily/Desktop/Driller/driller/test_driller.py", line 26, in test_drilling_cgc
    new_inputs = d.drill()
  File "/home/lily/Desktop/Driller/driller/driller/driller_main.py", line 85, in drill
    list(self._drill_input())
  File "/home/lily/Desktop/Driller/driller/driller/driller_main.py", line 131, in _drill_input
    simgr.use_technique(t)
  File "/home/lily/anaconda3/envs/driller/lib/python3.8/site-packages/angr/sim_manager.py", line 248, in use_technique
    tech.setup(self)
  File "/home/lily/anaconda3/envs/driller/lib/python3.8/site-packages/angr/exploration_techniques/tracer.py", line 303, in setup
    self._identify_aslr_slides()
  File "/home/lily/anaconda3/envs/driller/lib/python3.8/site-packages/angr/exploration_techniques/tracer.py", line 255, in _identify_aslr_slides
    raise AngrTracerError(
angr.errors.AngrTracerError: Trace does not seem to contain object initializers for <ELF Object libc.so.6, maps [0x700000:0xac42bf]>. Do you want to have a Tracer(aslr=False)?

paintedveil5, Apr 25 '24 05:04

Are you making sure that the same libraries are being loaded in angr and qemu? I believe angr will privilege libraries in the current directory, while qemu will need LD_LIBRARY_PATH=. to do the same.

rhelmot, Apr 25 '24 05:04
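A pre-flight check for the library mismatch rhelmot describes, added here as an example and not Driller's or angr's own code: it assumes a simplified search order (angr prefers the binary's own directory, QEMU's guest ld.so prefers LD_LIBRARY_PATH) and the directory layout in demo() is constructed, not a real system.

```python
"""Added example (not Driller's or angr's own code): check that the shared objects
angr's loader would pick up and the ones QEMU's guest ld.so would pick up are the
same files. Simplified search model, an assumption rather than the exact CLE/ld.so
rules: angr looks in the binary's own directory first, then the system library
dirs; qemu-user looks in LD_LIBRARY_PATH first, then the system library dirs."""
import hashlib
import os
import tempfile

def sha256_of(path):
    """Hash the file so 'same name, different build' is caught too."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def resolve(name, search_dirs):
    """First existing path for a library name in search order, or None."""
    for d in search_dirs:
        if os.path.isfile(os.path.join(d, name)):
            return os.path.join(d, name)
    return None

def compare_library_resolution(binary_path, needed, ld_library_path, system_dirs):
    """{lib: (angr_path, qemu_path)} for each library missing on one side or
    resolved to files with different contents; empty dict means environments match."""
    angr_dirs = [os.path.dirname(os.path.abspath(binary_path))] + list(system_dirs)
    qemu_dirs = [d for d in ld_library_path.split(os.pathsep) if d] + list(system_dirs)
    mismatches = {}
    for lib in needed:
        a, q = resolve(lib, angr_dirs), resolve(lib, qemu_dirs)
        if a is None or q is None or sha256_of(a) != sha256_of(q):
            mismatches[lib] = (a, q)
    return mismatches

def demo():
    """Constructed layout: a libc beside the binary (what angr loads) and a different
    system libc (what QEMU loads unless LD_LIBRARY_PATH names the binary's dir)."""
    root = tempfile.mkdtemp()
    bin_dir, sys_dir = os.path.join(root, "bin"), os.path.join(root, "lib64")
    files = {os.path.join(bin_dir, "cat"): b"ELF placeholder",
             os.path.join(bin_dir, "libc.so.6"): b"libc build A",
             os.path.join(sys_dir, "libc.so.6"): b"libc build B"}
    for path, data in files.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    target = os.path.join(bin_dir, "cat")
    before = compare_library_resolution(target, ["libc.so.6"], "", [sys_dir])
    after = compare_library_resolution(target, ["libc.so.6"], bin_dir, [sys_dir])
    return before, after  # before flags libc.so.6; after is {}
```

Run demo() before starting a trace: a non-empty result means the concrete run and the symbolic run would be mapping different objects, which is exactly the situation the AngrTracerError above complains about.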

> Are you making sure that the same libraries are being loaded in angr and qemu? I believe angr will privilege libraries in the current directory, while qemu will need LD_LIBRARY_PATH=. to do the same.

I solved the issue as you suggested. After setting fast_forward_to_entry=False, I'm facing new issues as follows. How do I solve them? I really like your tool and urgently need a working example. Thanks!

DEBUG    | 2024-04-25 01:52:47,380 | driller.driller | Drilling into b'AAAA'.
DEBUG    | 2024-04-25 01:52:47,380 | driller.driller | Input is b'AAAA'.
Traceback (most recent call last):
  File "test_driller.py", line 74, in <module>
    run_all()
  File "test_driller.py", line 65, in run_all
    all_functions[f]()
  File "test_driller.py", line 26, in test_drilling_cgc
    new_inputs = d.drill()
  File "/home/lily/Desktop/Driller/driller/driller/driller_main.py", line 85, in drill
    list(self._drill_input())
  File "/home/lily/Desktop/Driller/driller/driller/driller_main.py", line 141, in _drill_input
    simgr.step()
  File "/home/lily/anaconda3/envs/driller/lib/python3.8/site-packages/angr/misc/hookset.py", line 96, in __call__
    result = current_hook(self.func.__self__, *args, **kwargs)
  File "/home/lily/anaconda3/envs/driller/lib/python3.8/site-packages/angr/exploration_techniques/driller_core.py", line 39, in step
    simgr.step(stash=stash, **kwargs)
  File "/home/lily/anaconda3/envs/driller/lib/python3.8/site-packages/angr/misc/hookset.py", line 96, in __call__
    result = current_hook(self.func.__self__, *args, **kwargs)
  File "/home/lily/anaconda3/envs/driller/lib/python3.8/site-packages/angr/exploration_techniques/tracer.py", line 356, in step
    return simgr.step(stash=stash, syscall_data=self._syscall_data, fd_bytes=self._fd_bytes, **kwargs)
  File "/home/lily/anaconda3/envs/driller/lib/python3.8/site-packages/angr/misc/hookset.py", line 96, in __call__
    result = current_hook(self.func.__self__, *args, **kwargs)
  File "/home/lily/anaconda3/envs/driller/lib/python3.8/site-packages/angr/exploration_techniques/suggestions.py", line 43, in step
    simgr.step(stash=stash, **kwargs)
  File "/home/lily/anaconda3/envs/driller/lib/python3.8/site-packages/angr/misc/hookset.py", line 101, in __call__
    return self.func(*args, **kwargs)
  File "/home/lily/anaconda3/envs/driller/lib/python3.8/site-packages/angr/sim_manager.py", line 469, in step
    successors = self.step_state(state, successor_func=successor_func, error_list=error_list, **run_args)
  File "/home/lily/anaconda3/envs/driller/lib/python3.8/site-packages/angr/misc/hookset.py", line 96, in __call__
    result = current_hook(self.func.__self__, *args, **kwargs)
  File "/home/lily/anaconda3/envs/driller/lib/python3.8/site-packages/angr/exploration_techniques/tracer.py", line 422, in step_state
    self._update_state_tracking(succs[0])
  File "/home/lily/anaconda3/envs/driller/lib/python3.8/site-packages/angr/exploration_techniques/tracer.py", line 569, in _update_state_tracking
    raise TracerDesyncError(
angr.exploration_techniques.tracer.TracerDesyncError: Oops! angr did not follow the trace

paintedveil5, Apr 25 '24 08:04

Trace divergence is a known problem in hybrid fuzzing that is often caused by unmatched environments between concrete execution and symbolic execution. Expecting Driller to "drill" through modern glibc might be a tall order to ask. Note that Driller has test cases on CGC binaries. You may want to run them first.

ltfish, Apr 25 '24 09:04

> Trace divergence is a known problem in hybrid fuzzing that is often caused by unmatched environments between concrete execution and symbolic execution. Expecting Driller to "drill" through modern glibc might be a tall order to ask. Note that Driller has test cases on CGC binaries. You may want to run them first.

Yes, it works on CGC binaries and meets my needs. Also, I know that concolic tracing does not work well on real binaries. Thanks.

paintedveil5, Apr 26 '24 09:04

> I know that concolic tracing does not work well on real binaries.

It does not work well unless some proper engineering effort is spent. For example, we can totally trace after libc's initialization code, which eliminates a lot of headaches for aligning traces inside libc.

ltfish, Apr 26 '24 18:04