How to solve a Tracer(aslr=False) #97
Comments
|
Are you making sure that the same libraries are being loaded in angr and qemu? I believe angr will privilege libraries in the current directory, while qemu will need LD_LIBRARY_PATH=. to do the same. |
I solved the issue as you suggested. After setting fast_forward_to_entry=False, I'm facing new issues as follows. How do I solve them? I really like your tool and urgently need a working example. Thanks! DEBUG | 2024-04-25 01:52:47,380 | driller.driller | Drilling into b'AAAA'.
DEBUG | 2024-04-25 01:52:47,380 | driller.driller | Input is b'AAAA'.
Traceback (most recent call last):
File "test_driller.py", line 74, in <module>
run_all()
File "test_driller.py", line 65, in run_all
all_functions[f]()
File "test_driller.py", line 26, in test_drilling_cgc
new_inputs = d.drill()
File "/home/lily/Desktop/Driller/driller/driller/driller_main.py", line 85, in drill
list(self._drill_input())
File "/home/lily/Desktop/Driller/driller/driller/driller_main.py", line 141, in _drill_input
simgr.step()
File "/home/lily/anaconda3/envs/driller/lib/python3.8/site-packages/angr/misc/hookset.py", line 96, in __call__
result = current_hook(self.func.__self__, *args, **kwargs)
File "/home/lily/anaconda3/envs/driller/lib/python3.8/site-packages/angr/exploration_techniques/driller_core.py", line 39, in step
simgr.step(stash=stash, **kwargs)
File "/home/lily/anaconda3/envs/driller/lib/python3.8/site-packages/angr/misc/hookset.py", line 96, in __call__
result = current_hook(self.func.__self__, *args, **kwargs)
File "/home/lily/anaconda3/envs/driller/lib/python3.8/site-packages/angr/exploration_techniques/tracer.py", line 356, in step
return simgr.step(stash=stash, syscall_data=self._syscall_data, fd_bytes=self._fd_bytes, **kwargs)
File "/home/lily/anaconda3/envs/driller/lib/python3.8/site-packages/angr/misc/hookset.py", line 96, in __call__
result = current_hook(self.func.__self__, *args, **kwargs)
File "/home/lily/anaconda3/envs/driller/lib/python3.8/site-packages/angr/exploration_techniques/suggestions.py", line 43, in step
simgr.step(stash=stash, **kwargs)
File "/home/lily/anaconda3/envs/driller/lib/python3.8/site-packages/angr/misc/hookset.py", line 101, in __call__
return self.func(*args, **kwargs)
File "/home/lily/anaconda3/envs/driller/lib/python3.8/site-packages/angr/sim_manager.py", line 469, in step
successors = self.step_state(state, successor_func=successor_func, error_list=error_list, **run_args)
File "/home/lily/anaconda3/envs/driller/lib/python3.8/site-packages/angr/misc/hookset.py", line 96, in __call__
result = current_hook(self.func.__self__, *args, **kwargs)
File "/home/lily/anaconda3/envs/driller/lib/python3.8/site-packages/angr/exploration_techniques/tracer.py", line 422, in step_state
self._update_state_tracking(succs[0])
File "/home/lily/anaconda3/envs/driller/lib/python3.8/site-packages/angr/exploration_techniques/tracer.py", line 569, in _update_state_tracking
raise TracerDesyncError(
angr.exploration_techniques.tracer.TracerDesyncError: Oops! angr did not follow the trace
|
|
Trace divergence is a known problem in hybrid fuzzing that is often caused by unmatched environments between concrete execution and symbolic execution. Expecting Driller to "drill" through modern glibc might be a tall order to ask. Note that Driller has test cases on CGC binaries. You may want to run them first. |
Yes, it works on CGC binaries and meets my needs. Also, I know that concolic tracing does not work well on real binaries. Thanks. |
It does not work well unless some proper engineering effort is spent. For example, we can totally trace after libc's initialization code, which eliminates a lot of headaches for aligning traces inside libc. |
I'm testing Driller with Angr on the binaries of the Angr testsuit. The following error messages are returned for most of the binaries in the x86_64 directory, such as cat. Could you provide some suggestions to solve them?
The text was updated successfully, but these errors were encountered: