Solving the evofuzz - Hints
Written on 14.12.2017 19:27 by Rahul Gopinath
Note that in `evofuzz.py` you have this TODO:

```python
# TODO for STUDENTS: Change example.cgi_decode to the given function
import example
# run the function under test once and record branch coverage
ffn.capture_coverage(lambda: example.cgi_decode(term))
# collect the executed (from_line, to_line) arcs; this set still has to be filtered
cov_arcs = {(i, j) for f, i, j, src, l in ffn.cdata_arcs}
```
There are two things to notice here. The first is that you are collecting the coverage only for `cgi_decode` or the corresponding function. However, if you trace how the branch coverage gets called, you will see that the branch coverage includes lines from `evofuzz.py`. Your first job is to filter that out. (This is why the `cov_arcs` assignment is left as a statement there.) Filter `cov_arcs` so that it contains only those lines that belong to `cgi_decode` or whichever function you are using. You can query the CFG (the `cfg` variable), which is a hashmap with lines as keys, to find the lines that belong to a specific function.

Second, you do not need the sentinel node. You will get errors saying node `0` is not present in `branch_cov`. You can safely delete node 0 by

```python
del ffn.branch_cov[0]
```

You will need to do the same while collecting the covered/not-covered nodes. That is, choose only those nodes such that both parent and child are in `cfg` and have function `cgi_decode`.
Here is another piece of the puzzle. You only need to look for uncovered nodes within the functions `cgi_decode` and `check_triangle`. That is, you can safely filter out the nodes from `main` when you look for uncovered nodes. The following fragment will do that for you.

```python
def useful(p):
    # ignore the sentinel (empty function name) and the harness's main
    return ffn.cfg[p]['function'] not in ['', 'main']

def not_covered_nodes(cfg):
    # every (parent, line) edge of the CFG that was not executed
    not_covered = set()
    for l in cfg:
        if not useful(l): continue
        for p in cfg[l]['parents']:
            if not useful(p): continue
            if (p, l) not in cov_arcs:
                not_covered.add((p, l))
    return not_covered

not_covered = not_covered_nodes(ffn.cfg)
```
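As an added, self-contained illustration (not part of `evofuzz.py` or the course harness), here are both filtering steps run on a constructed CFG and arc list. The dict shape of `ffn.cfg` (line keyed, with `'function'` and `'parents'`) and the `(f, i, j, src, l)` tuple shape of `ffn.cdata_arcs` are assumptions taken from the text above, not the harness's real data.

```python
# Added example: filter coverage arcs by function and list uncovered CFG edges.
# The shapes of CFG and CDATA_ARCS are constructed to mimic ffn.cfg and
# ffn.cdata_arcs as described in the hints; they are assumptions, not harness data.

# Constructed CFG: line -> {'function', 'parents'}. Node 0 is the sentinel,
# lines 1-2 belong to the caller ('main'), lines 10-14 to cgi_decode.
CFG = {
    0:  {'function': '', 'parents': []},
    1:  {'function': 'main', 'parents': [0]},
    2:  {'function': 'main', 'parents': [1]},
    10: {'function': 'cgi_decode', 'parents': [2]},
    11: {'function': 'cgi_decode', 'parents': [10]},
    12: {'function': 'cgi_decode', 'parents': [11]},   # taken branch
    13: {'function': 'cgi_decode', 'parents': [11]},   # untaken branch
    14: {'function': 'cgi_decode', 'parents': [12, 13]},
}

# Constructed arcs as (f, i, j, src, l): only i and j (the edge) matter here.
CDATA_ARCS = [
    ('evofuzz.py', 0, 1, '', 0), ('evofuzz.py', 1, 2, '', 1),
    ('evofuzz.py', 2, 10, '', 2), ('example.py', 10, 11, '', 10),
    ('example.py', 11, 12, '', 11), ('example.py', 12, 14, '', 12),
]

def lines_of(cfg, fn):
    """Lines the CFG attributes to function `fn`."""
    return {l for l, node in cfg.items() if node['function'] == fn}

def covered_arcs(cfg, cdata_arcs, fn):
    """Step 1: keep only arcs with both endpoints inside `fn`.
    This drops the harness's own lines and the sentinel node 0."""
    own = lines_of(cfg, fn)
    return {(i, j) for _f, i, j, _src, _l in cdata_arcs if i in own and j in own}

def not_covered_arcs(cfg, cov_arcs, fn):
    """Step 2: CFG edges inside `fn` that no execution took."""
    own = lines_of(cfg, fn)
    return {(p, l) for l in own for p in cfg[l]['parents']
            if p in own and (p, l) not in cov_arcs}

if __name__ == '__main__':
    cov = covered_arcs(CFG, CDATA_ARCS, 'cgi_decode')
    print(sorted(cov))                                       # [(10, 11), (11, 12), (12, 14)]
    print(sorted(not_covered_arcs(CFG, cov, 'cgi_decode')))  # [(11, 13), (13, 14)]
```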
You are welcome to ping me or come to my office if you are completely stuck.