Diffstat (limited to 'fix.m4')
| -rw-r--r-- | fix.m4 | 93 |
1 files changed, 63 insertions, 30 deletions
diff --git a/fix.m4 b/fix.m4
index 065f91e..3425e53 100644
--- a/fix.m4
+++ b/fix.m4
@@ -20,30 +20,40 @@ set -eux -o pipefail
 save_exit_code() {
 set +e
-# TODO: make timeout configurable
-timeout -k 1 5 $@ 2>&1 1>/dev/null
+timeout -k 1 $1 ${@:2} 1>/dev/null 2>&1
 exit_code=$?
 set -e
 }
 
-if test $# -lt 3
+bad() {
+save_exit_code $@
+test $exit_code -gt 128 ||
+test $exit_code -ge 124 -a $exit_code -le 127 # timeout
+}
+
+if test $# -lt 4
 then
-echo Usage: taosc-fix WORKDIR EXECUTABLE OPTION...
+echo Usage: taosc-fix WORKDIR TIMEOUT EXECUTABLE PROOFS-OF-CONCEPT [OPTION]...
 exit 1
 fi
 
 wd="$(realpath $1)"
 test -d "$wd"
-bin="$wd/$(basename $2)"
-binary="$(realpath $2)"
+timeout=$2
+bin="$wd/$(basename $3)"
+binary="$(realpath $3)"
 test -x "$binary"
-opts="${@:3}" # TODO: interpolation
+poc="$(realpath $4)"
+test -d "$poc"
+test "$(ls -A "$poc")"
+options="${@:5}" # TODO: interpolation
 
-test -d "$wd/exploits"
-test -n "$(ls -A "$wd/exploits")"
-for exploit in "$wd/exploits"/*
+mkdir -p "$wd"
+rm -fr "$wd/poc"
+cp -r "$poc" "$wd/poc"
+for exploit in "$wd"/poc/*
 do
 gdb --batch --ex run --ex backtrace --args\
-"$binary" "$opts" "$exploit" 2>/dev/null |
+"$binary" $options "$exploit" 2>/dev/null |
 grep '^#[0-9]\+ \+0x[0-9a-f]\+' |
 awk '!$7 || $7 == bin {print $1, $2}' "bin=$binary" |
 sed 's/^#//'
@@ -58,8 +68,8 @@ grep -v '^0 0x[0-9a-f]\+$' "$wd/stack-trace" |
 taosc-trace-call "$binary" >> "$wd/call-trace"
 
 rm -f "$wd/patch-location"
-pushd DATA_DIR > /dev/null
-trap 'popd > /dev/null' EXIT
+pushd DATA_DIR 1>/dev/null
+trap 'popd 1>/dev/null' EXIT
 taosc-scout "$binary" < "$wd/call-trace" |
 while read loc destinations && test ! -f "$wd/patch-location"
 do
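Review bot: `bad()` forwards its arguments with an unquoted `$@`, and `save_exit_code` runs `timeout -k 1 $1 ${@:2}` unquoted as well, so every argument is re-split on whitespace and glob-expanded before it reaches the target; the `"$exploit"` quoting at the call sites in the later hunks (the `if bad $timeout env …` line and the `save_exit_code $timeout\` line) is undone here, and a PoC filename containing a space or `*` silently becomes several arguments. Change the two lines to `save_exit_code "$@"` and `timeout -k 1 "$1" "${@:2}" 1>/dev/null 2>&1`; `$options` stays unquoted by design, as its TODO says. Separately, `bad` treats exit status 125–127 as a crash, but under `timeout` those mean it could not start the command (125) or the command was not executable or not found (126/127), so a missing `$bin.jump` would be counted as crashing rather than as a setup error; consider `test $exit_code -gt 128 || test $exit_code -eq 124 # timeout` and letting 125–127 fail loudly.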
@@ -67,11 +77,12 @@ taosc-scout "$binary" < "$wd/call-trace" |
 rm -f "$wd/destinations"
 for dest in $destinations
 do
-for exploit in "$wd/exploits"/*
+# In case $wd/poc got poluted
+rm -fr "$wd/poc"
+cp -r "$poc" "$wd/poc"
+for exploit in "$wd/poc"/*
 do
-save_exit_code env TAOSC_DEST=0x$dest "$bin.jump" "$opts" "$exploit"
-if test $exit_code -gt 128 ||
-test $exit_code -ge 124 -a $exit_code -le 127 # timeout
+if bad $timeout env TAOSC_DEST=0x$dest "$bin.jump" $options "$exploit"
 then
 continue 2 # next destination
 fi
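Review bot: The new comment `# In case $wd/poc got poluted` has a typo and does not say what pollutes the directory or why a full `rm -fr` plus `cp -r` is needed on every destination rather than once per `read`; something like `# Re-seed $wd/poc from $poc for each destination; presumably $bin.jump can modify or delete its inputs — confirm` would tell the next reader what this guards against. The `while read loc destinations` loop that encloses this hunk begins and ends outside it, so the cost of the per-destination copy depends on how many destinations taosc-scout emits, which is not visible here.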
@@ -79,27 +90,49 @@ taosc-scout "$binary" < "$wd/call-trace" |
 echo $loc > "$wd/patch-location"
 echo $dest >> "$wd/destinations"
 done
-done 2>&1 1>/dev/null
+done 1>/dev/null 2>&1
 test -s "$wd/patch-location"
 test -s "$wd/destinations"
+stack_size=$(taosc-measure-stack "$binary" < "$wd/patch-location")
 
 patch_loc=0x$(< "$wd/patch-location")
 e9tool -100 -M addr=$patch_loc -P 'report()@cover' -o "$bin.covered" "$binary"
 e9tool -100 -M addr=$patch_loc -P 'log(state)@collect'\
 -o "$bin.collect" "$binary"
 e9tool -100 -M addr=$patch_loc -P 'if dest(state)@patch goto'\
 -o "$bin.patched" "$binary"
-exit
-stack_size=$(taosc-measure-stack "$binary" < "$wd/patch-location")
-afl-dyninst -x "$binary" "$bin.fuzzee"
-install -Dm 644 DATA_DIR/collection "$wd/vars/list"
-# TODO: augment number of executions
-afl-dyninst-env afl-fuzz -i "$wd/fuzz/exploits" -o "$wd/fuzz/crashes"\
--CE 10000 -- "$bin.fuzzee" $opts @@
-install -d "$wd/vars/neg"
-find "$wd/fuzz/crashes/default/crashes" -name id:* | parallel\
-TAOSC_OUTPUT="$wd/vars/neg/"'$(basename {})' "$bin.collect" $opts {} || true
-taosc-synth "$wd/vars" > "$wd/predicates"
-taosc-scout "$binary" "$address" > "$wd/destinations"
+# TODO: FUZZOLIC's options
+fuzzolic -kmprst 90000 -i "$poc" -o "$wd/fuzzolic" -- "$binary" $option @@
+rm -fr "$wd/input"
+mkdir -p "$wd/input/benign"
+cp -r "$poc" "$wd/input/malicious"
+# TODO: use parallel
+for dat in "$wd"/fuzzolic/fuzzolic-*/test_case_*.dat
+do
+if taosc-reach $timeout "$bin.covered" $options "$dat" 1>/dev/null 2>&1
+then
+if bad $timeout "$binary" $options "$dat"
+then
+cp $dat "$wd/input/malicious"
+else
+cp $dat "$wd/input/benign"
+fi
+fi
+done
+
+rm -fr "$wd/values"
+for input_dir in "$wd"/input/*
+do
+output_dir="$wd/values/$(basename "$input_dir")"
+mkdir -p "$output_dir"
+# TODO: use parallel
+for input in "$input_dir"/*
+do
+output="$output_dir/$(basename "$input")"
+save_exit_code $timeout\
+env TAOSC_STACK_SIZE=$stack_size TAOSC_OUTPUT=$output\
+"$bin.collect" $options "$input"
+done
+done
 
 # vim: filetype=sh.m4
