vuzzer64's Introduction

VUzzer(64) Version 1.0

About

This VUzzer is essentially a 64-bit port of the original VUzzer (https://github.com/vusec/vuzzer). We have made several changes to make it work on 64-bit. The main effort, lifting LibDFT to 64-bit, was made by Vivek (githubID: vivek425ster). This part is still in the testing/development phase, which means the taint analysis may have bugs! Functionality-wise, this version of VUzzer is the same as the original 32-bit VUzzer (with a few bugs fixed!).

This project depends heavily on a modified version of DataTracker, which in turn depends on the LibDFT pintool; some extra tags have been added in libdft. The original DataTracker repo is https://github.com/m000/dtracker. The modified code is included with this distribution.

Running the VUzzer:

Please see wikiHOWTO.md for a step-by-step procedure to run VUzzer. That file also explains most of the options. Also read "datatemp/REDME-dataSet.md" for more information about the datasets and configurations we used in the original VUzzer paper. Seed inputs for several applications are provided in the "datatemp" folder.

NOTE: VUzzer's taint-flow analysis does not work on binaries compiled with a sanitizer pass (e.g. AddressSanitizer). Therefore, do not use VUzzer in an experiment where sanitizer-enabled binaries are used.

Requirements


The requirements for running VUzzer64 are:

  • A C++11 compiler and Unix build utilities (e.g. GNU Make).
  • Version 3.20 of Intel Pin.
  • EWAHBoolArray 0.4.0: https://github.com/lemire/EWAHBoolArray/releases/tag/0.4.0 - To install it on your system, copy the header files (/path/to/EWAHBoolArray-0.4.0/headers) into the /usr/include folder.
  • BitMagic: http://bmagic.sourceforge.net/ - To install it on your system, run sudo apt-get install bmagic
  • The BitVector module for Python.
  • The Ghidra RE tool -OR- the IDA disassembler, to run the static analysis part of VUzzer. Alternatively, Ashley (an MS student from Grenoble who visited VUSec as an intern) developed an angr (http://angr.io/) based static analysis module; the code can be found at https://github.com/ash09/angr-static-analysis-for-vuzzer64 (yet to be populated!). Note that we have not tested this script much, so expect some glitches, especially on large, complex applications. If you have questions about this script, please direct them to Ashley.

We have tested VUzzer on Ubuntu 18.04 LTS with a Linux 4.15.0 kernel.

Installation

Follow these steps to install VUzzer64:

0. cd vuzzer64
1. export PIN_HOME=path_to_pin_directory
2. export PIN_ROOT=path_to_pin_directory
3. export DFT_HOME=$(pwd)/libdft64
4. cd fuzzer-code
5. make
6. cd ../libdft64
7. make
8. cd ..

Follow wikiHOWTO.md to run VUzzer.
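Several of the issues further down this page (missing bbc.out, "Exec format error", undefined symbols in bbcounts2.so) trace back to an environment that does not match what the steps above set up. The following preflight check is an added example, not part of VUzzer: it verifies the three environment variables from the installation steps, that $PIN_HOME/pin is executable, that the two pintools named elsewhere on this page (fuzzer-code/obj-intel64/bbcounts2.so and libdft64/tools/libdft-dta.so) were built, and that ASLR is off, which one of the issue reports disables via /proc/sys/kernel/randomize_va_space. The artifact paths and the ASLR requirement are assumptions drawn from those reports rather than from the project's documentation.

```python
import os

# Build outputs the README's make steps are expected to produce. Relative paths
# are taken from the issue logs on this page; treat them as assumptions.
EXPECTED_ARTIFACTS = (
    os.path.join("fuzzer-code", "obj-intel64", "bbcounts2.so"),
    os.path.join("libdft64", "tools", "libdft-dta.so"),
)


def aslr_setting(proc_path="/proc/sys/kernel/randomize_va_space"):
    """Return the kernel ASLR setting as an int, or None when unreadable
    (non-Linux host, restricted container)."""
    try:
        with open(proc_path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def preflight(env, vuzzer_root):
    """Return a list of human-readable problems; an empty list means the
    environment matches what the installation steps set up.

    env          -- mapping to inspect (pass os.environ for a real check)
    vuzzer_root  -- the vuzzer64 checkout that the steps run `make` inside
    """
    problems = []
    for var in ("PIN_HOME", "PIN_ROOT", "DFT_HOME"):
        if not env.get(var):
            problems.append("%s is not set" % var)

    pin_home = env.get("PIN_HOME")
    if pin_home:
        pin_bin = os.path.join(pin_home, "pin")
        if not os.access(pin_bin, os.X_OK):
            problems.append("%s is missing or not executable" % pin_bin)

    dft_home = env.get("DFT_HOME")
    expected_dft = os.path.join(vuzzer_root, "libdft64")
    if dft_home and os.path.realpath(dft_home) != os.path.realpath(expected_dft):
        problems.append("DFT_HOME does not point at %s" % expected_dft)

    for rel in EXPECTED_ARTIFACTS:
        path = os.path.join(vuzzer_root, rel)
        if not os.path.isfile(path):
            problems.append("%s not built" % path)

    aslr = aslr_setting()
    if aslr not in (None, 0):
        problems.append("ASLR is enabled (randomize_va_space=%d); "
                        "disable it before fuzzing" % aslr)
    return problems


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else os.getcwd()
    found = preflight(os.environ, root)
    for p in found:
        print("[!]", p)
    print("ok" if not found else "%d problem(s)" % len(found))
```

Run it from the vuzzer64 directory after step 8; each reported line maps to one of the installation steps or to one of the issue reports below.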

vuzzer64's Issues

vuzzer64 cannot detect crash

Hi, I really appreciate your work on VUzzer and VUzzer64. However, when I use VUzzer64 to fuzz some programs such as mp3gain, exiv2 and LAVA-M on Ubuntu 16.04, 64-bit, I haven't found any crash in them. I think the code which determines whether an input causes a crash may be wrong in VUzzer64.
In runfuzzer.py,
the code:
if retc < 0 and retc != -2:
should perhaps be changed to:
if retc < 0 or (retc > 128 and retc < (128+64))
Thanks.
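The two conditions in this issue describe two different encodings of the same event. As an added example (not VUzzer's code), the block below recovers the terminating signal from either encoding and then decides whether it is a crash worth keeping: Popen.returncode is -N when the direct child died from signal N, while a wrapper script such as run_bb.sh reports a grandchild killed by signal N as exit status 128+N. The set of crash signals is a constructed choice for this example; the demo function uses a shell that kills itself to produce both encodings.

```python
import signal
import subprocess

# Signals whose delivery points at a fault in the target (memory error,
# abort, illegal instruction ...). Constructed for this example; SIGKILL and
# SIGTERM are deliberately absent because a timeout harness sends those.
CRASH_SIGNALS = {
    int(signal.SIGSEGV), int(signal.SIGABRT), int(signal.SIGBUS),
    int(signal.SIGILL), int(signal.SIGFPE), int(signal.SIGTRAP),
}


def signal_from_returncode(retc):
    """Recover the terminating signal number from a return code, or None.

    * Popen.returncode is -N when the spawned child itself died from
      signal N (so -2 is SIGINT, which the original condition excludes).
    * When the target runs under a wrapper script, the shell is the child;
      it reports a grandchild killed by signal N as exit status 128+N,
      which is the 129..191 window the proposed condition adds.
    """
    if retc < 0:
        return -retc
    if 128 < retc < 128 + 64:
        return retc - 128
    return None


def is_crash(retc):
    """True when the return code encodes one of the crash signals."""
    sig = signal_from_returncode(retc)
    return sig is not None and sig in CRASH_SIGNALS


def demo():
    """Produce both encodings with a shell that kills itself with SIGSEGV.

    The second command ends with `; exit $?` so the outer shell cannot
    exec() the inner one and has to report 128+11 itself."""
    direct = subprocess.run(["sh", "-c", "kill -SEGV $$"]).returncode
    wrapped = subprocess.run(
        ["sh", "-c", "sh -c 'kill -SEGV $$'; exit $?"]).returncode
    return direct, wrapped


if __name__ == "__main__":
    for code in demo():
        print("%5d -> signal %s, %s" % (
            code, signal_from_returncode(code),
            "crash" if is_crash(code) else "not a crash"))
```

One caveat the 128+N convention carries: a program that calls exit(139) on its own is indistinguishable from one killed by SIGSEGV under a wrapper, so when the wrapper can be avoided, running the target directly and reading the negative code is the less ambiguous path. Filtering on the signal set also keeps a timeout kill (137 or -9) from being counted as a finding.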

Installation / Running Problems (+ Dockerfile maybe?)

Hey there,
I have to get this fuzzer running for a university project group where we are trying to compare different fuzzers under the same conditions.

So far I have had great problems while installing it, even though I believe I have managed to make it work by copying files from all over the place manually and commenting some stuff out.

Now when I try to run it on the 'who' example it gave me some errors that directories are missing. I copied them from the 32-bit version and didn't get the errors again. Until now, where it is looking for /fuzzer-code/outd/bbc.out. There is no such file, and there is no such file in the 32-bit version either. Can you tell me how to fix that problem?

Also: It would be great if there was a way for you to provide a Dockerfile for the fuzzer for us to play around with.

Best regards

EDIT: I am using pin 2.14 since I couldn't find 2.13 anywhere on the internet. Hopefully that is not causing the problems.

libdft cannot generate cmp.out on certain input

Leads to an early crash when fuzzing who (LAVA-M)

[*] Just about to run  ['./run_2.sh', '"/d/p/normal/13.who /vuzzer64/fuzzer-code/vutemp/special/ex-211."', 'ex-211.', '1200']
[*] Run complete..

Empty cmp.out file! Perhaps taint analysis did not run...
========================================
431503:55:03.089 - End Program
Elapsed time: 0:15:11.845
========================================

Pin Version: pin-3.7-97619-0d0c92f4f

Kernel: 4.15.0-46-generic

files:

files.zip

vuzzer generate a huge bbc.out file when fuzzing ffmpeg

fuzzing command:

python runfuzzer.py -s '/d/p/normal/15.ffmpeg -y -i %s -c:v mpeg4 -c:a copy -f mp4 /dev/null' -i /d/seed/avi/ -w /d/p/vbin/pkl/15.ffmpeg.pkl -n /d/p/vbin/names/15.ffmpeg.names -o '0x00000000'

Running 30 instances in parallel for about 6 days, I found that some of the bbc.out files are very big:

# ls -alh */bbc.out
-rw-r--r-- 1 root root 136K May 30 23:51 vuzzer15_10/bbc.out
-rw-r--r-- 1 root root 136K May 31 04:47 vuzzer15_11/bbc.out
-rw-r--r-- 1 root root 136K May 31 01:44 vuzzer15_12/bbc.out
-rw-r--r-- 1 root root  36K Jun  1 00:32 vuzzer15_13/bbc.out
-rw-r--r-- 1 root root 136K May 31 20:53 vuzzer15_14/bbc.out
-rw-r--r-- 1 root root 136K May 31 00:19 vuzzer15_15/bbc.out
-rw-r--r-- 1 root root 136K May 31 23:06 vuzzer15_16/bbc.out
-rw-r--r-- 1 root root 136K Jun  1 00:17 vuzzer15_17/bbc.out
-rw-r--r-- 1 root root  34G Jun  1 00:19 vuzzer15_18/bbc.out
-rw-r--r-- 1 root root    0 Jun  1 00:32 vuzzer15_19/bbc.out
-rw-r--r-- 1 root root 136K Jun  1 00:28 vuzzer15_1/bbc.out
-rw-r--r-- 1 root root  44G May 31 07:54 vuzzer15_20/bbc.out
-rw-r--r-- 1 root root 136K May 30 19:05 vuzzer15_21/bbc.out
-rw-r--r-- 1 root root 136K May 31 16:39 vuzzer15_22/bbc.out
-rw-r--r-- 1 root root 136K May 31 14:41 vuzzer15_23/bbc.out
-rw-r--r-- 1 root root    0 Jun  1 00:32 vuzzer15_24/bbc.out
-rw-r--r-- 1 root root 136K May 31 14:10 vuzzer15_25/bbc.out
-rw-r--r-- 1 root root 136K May 30 22:59 vuzzer15_26/bbc.out
-rw-r--r-- 1 root root 136K May 31 23:10 vuzzer15_27/bbc.out
-rw-r--r-- 1 root root  67G May 29 17:55 vuzzer15_28/bbc.out
-rw-r--r-- 1 root root 136K May 30 05:59 vuzzer15_29/bbc.out
-rw-r--r-- 1 root root 136K May 30 22:41 vuzzer15_2/bbc.out
-rw-r--r-- 1 root root 136K May 30 06:22 vuzzer15_30/bbc.out
-rw-r--r-- 1 root root    0 May 26 16:01 vuzzer15_3/bbc.out
-rw-r--r-- 1 root root 136K May 31 14:55 vuzzer15_4/bbc.out
-rw-r--r-- 1 root root 136K May 31 23:35 vuzzer15_5/bbc.out
-rw-r--r-- 1 root root  42G May 26 18:36 vuzzer15_6/bbc.out
-rw-r--r-- 1 root root 136K May 31 00:38 vuzzer15_7/bbc.out
-rw-r--r-- 1 root root 136K May 31 02:17 vuzzer15_8/bbc.out
-rw-r--r-- 1 root root 136K May 31 23:55 vuzzer15_9/bbc.out

Is this expected? Looking at the file, I found that some addresses occur periodically, like:

# grep '0x9a322d' bbc.out |wc -l
68287706

Maybe the program is stuck in a dead loop?

Error when running Vuzzer using example command

I have setup Vuzzer on a VirtualBox following all the instructions as mentioned in the README. I tried running runfuzzer.py as mentioned in the wikiHOWTO.md file but received the following error:

$ python runfuzzer.py -s '/home/osboxes/vuzzer/vuzzer64/bin/who %s' -i 'datatemp/utmp/' -w 'idafiles/who.pkl' -n idafiles/who.names -o '0x00000000'

[*] Starting dry run now...
[*] Just about to run  ['BBOUT=/home/osboxes/vuzzer/vuzzer64/fuzzer-code/outd/bbc.out ./run_bb.sh', '/home/osboxes/vuzzer/vuzzer64/bin/who', '/home/osboxes/vuzzer/vuzzer64/fuzzer-code/datatemp/utmp/f1.utmp']
[*] Run complete..

Exception in thread Thread-1:
Traceback (most recent call last):
  File "/usr/lib/python2.7/threading.py", line 810, in __bootstrap_inner
    self.run()
  File "/usr/lib/python2.7/threading.py", line 763, in run
    self.__target(*self.__args, **self.__kwargs)
  File "runfuzzer.py", line 716, in main
    gbb,bbb=dry_run()
  File "runfuzzer.py", line 545, in dry_run
    (bbs,retc)=execute(tfl)
  File "runfuzzer.py", line 186, in execute
    bbs = bbdict(config.BBOUT)
  File "runfuzzer.py", line 83, in bbdict
    with open(config.BBOUT,"r") as bbFD:
IOError: [Errno 2] No such file or directory: '/home/osboxes/vuzzer/vuzzer64/fuzzer-code/outd/bbc.out'

Any idea why this might be happening?

OSError: [Errno 8] Exec format error

Hello,
I am trying to use VUzzer and ran into an error that I don't know how to fix myself. I also did not find an existing issue addressing the same problem:

I start VUzzer with this command: python2 runfuzzer.py -s '/home/kali/SUT/mjs/build/mjs %s' -i 'tests/01/seeds/' -w 'tests/01/mjs.pkl' -n 'tests/01/mjs.names' -o '0x00000000'

Then I get the following error:

Traceback (most recent call last):
File "/usr/lib/python2.7/threading.py", line 801, in __bootstrap_inner
self.run()
File "/usr/lib/python2.7/threading.py", line 754, in run
self.__target(*self.__args, **self.__kwargs)
File "runfuzzer.py", line 721, in main
(ibbs,iretc)=execute(tfl)
File "runfuzzer.py", line 176, in execute
retc = run(runcmd)
File "runfuzzer.py", line 74, in run
proc = subprocess.Popen(cmd, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=False)
File "/usr/lib/python2.7/subprocess.py", line 394, in __init__
errread, errwrite)
File "/usr/lib/python2.7/subprocess.py", line 1047, in _execute_child
raise child_exception
OSError: [Errno 8] Exec format error

I then printed out what the variable cmd on line 74 contains, and it is the following:
['/home/kali/tools/vuzzer/pin/pin', '-t', '/home/kali/tools/vuzzer/vuzzer64/fuzzer-code/obj-intel64/bbcounts2.so', '-o', '/home/kali/tools/vuzzer/vuzzer64/fuzzer-code/vutemp/bbc.out', '-x', '0', '-libc', '0', '-l', '', '--', '/home/kali/SUT/mjs/build/mjs', '/home/kali/tools/vuzzer/vuzzer64/fuzzer-code/tests/01/seeds/test_1.js']

I am really not sure how to continue from this and would appreciate help a lot.

Can vuzzer fuzz a binary whose input is given on the command line?

Suppose I have a binary BIN and an input file IP1, and the command to run BIN is:
./BIN IP1
I follow the command given by wikiHOWTO.md:
python runfuzzer.py -s '/PATH_TO_vuzzer-code/bin/BIN %s IP1' -i 'datatemp/IPs/' -w 'idafiles/BIN.pkl' -n 'idafiles/BIN.names' -o '0x00000000'
It seems vuzzer keeps using IP1 as the input all the time. So, can vuzzer fuzz a binary whose input is given on the command line? If vuzzer can, how do I do that?

Where is the module simplept defined

I found that Vuzzer may support Intel PT, and uses simplept.simplept(). However, I can't find any definition of the module simplept, or of any related Python package. What is it?

Error: fuzzer-code/obj-intel64/bbcounts2.so: undefined symbol

I compiled this project.
And this error happened when I started the fuzzer:

E:Unable to load fuzzer-code/obj-intel64/bbcounts2.so:

fuzzer-code/obj-intel64/bbcounts2.so: undefined symbol: _ZN10LEVEL_BASE9StringDecB5cxx11Emjc

cmd is:

python fuzzer-code/runfuzzer.py -s "lava_corpus/LAVA-M/base64/coreutils-8.24-lava-safe/bin/base64 -d %s" -i datatemp/base/ -w fuzzer-code/idafiles/base64.pkl -n fuzzer-code/idafiles/base64.names -l 1 -o "0x0000000000000000"

Anyone know about this?
Thanks

libdft64 terminates early?

I'm trying to use the libdft-dta tool for taint tracking, but I'm having issues running it with flags. This is the command I'm using:

$PIN_HOME/pin -follow_execv -t $DFT_HOME/tools/libdft-dta.so -s 1 -- ./hw.o

Here is hw.c:

#include <stdio.h>

int main(void) {
   char str1[20], str2[30];

   /* width limits keep scanf from overrunning the fixed-size buffers */
   printf("Enter name: ");
   if (scanf("%19s", str1) != 1)
      return 1;

   printf("Enter your website name: ");
   if (scanf("%29s", str2) != 1)
      return 1;

   printf("Entered Name: %s\n", str1);
   printf("Entered Website: %s\n", str2);

   return 0;
}

compiled with:
gcc hw.c -o hw.o

However, cmp.out and lea.out are empty. pintool.log says "died":

Pin: pin-3.7-97619-0d0c92f4f
Copyright (c) 2003-2018, Intel Corporation. All rights reserved.
 died

It does not even prompt me for stdin as hw.c should.

However, when not using the -s 1 flag, it prompts me for stdin as expected and pintool.log looks like it ran (?):

Pin: pin-3.7-97619-0d0c92f4f
Copyright (c) 2003-2018, Intel Corporation. All rights reserved.
 In open
 in_dtracker_whitelist /etc/ld.so.cache
 Info ignoring fd 3
 In mmap 3 0
 close 3
 In open
 in_dtracker_whitelist /lib/x86_64-linux-gnu/libc-2.27.so
 Info ignoring fd 3
 In mmap -1 0
 In mmap 3 0
 In mmap 3 1994752
 In mmap -1 0
 close 3

But, pin.log reports "missing application":

Pin: pin-3.7-97619-0d0c92f4f
Copyright (c) 2003-2018, Intel Corporation. All rights reserved.
E:  Missing application name

Also, cmp.out and lea.out are empty.

Any ideas? Thanks in advance!

Source Code for 64-bit

I am looking for the 64-bit version of vuzzer but only found the code for the 32-bit one. Any idea when the 64-bit version will be available?
Thanks!

VUzzer64 couldn't generate bbc.out

Hi! When I start VUzzer64 to test base64 from LAVA-M, runfuzzer.py crashes and reports that bbc.out is not found.

The version of PIN is 3.7. The initial three seeds are the ones provided with vuzzer32. All dependencies have been built as README.md says. The output is shown below:

root@moonlight:~/vuzzer64/fuzzer-code# python vuzzer_control.py 5 base64 vuzzer 1 1
fuzz will exec 5.0 hours.
fuzz target base64.
fuzz tool base64.
begin exec python runfuzzer.py -s '/root/target_of_lava/LAVA-M/base64 -d %s' -i '/root/vuzzer64/fuzzer-code/datatemp/b64' -w '/root/vuzzer64/fuzzer-code/idafiles_new/base64.pkl' -n '/root/vuzzer64/fuzzer-code/idafiles_new/base64.names'
[*] Starting dry run now...
[*] Just about to run  ['BBOUT=/root/vuzzer64/fuzzer-code/outd/bbc.out', 'LIBS=#', './run_bb.sh', '/root/target_of_lava/LAVA-M/base64', '-d', '/root/vuzzer64/fuzzer-code/datatemp/b64/f2.b64']
[*] Run complete..

Exception in thread Thread-1:
Traceback (most recent call last):
  File "/usr/lib/python2.7/threading.py", line 801, in __bootstrap_inner
    self.run()
  File "/usr/lib/python2.7/threading.py", line 754, in run
    self.__target(*self.__args, **self.__kwargs)
  File "runfuzzer.py", line 717, in main
    gbb,bbb=dry_run()
  File "runfuzzer.py", line 545, in dry_run
    (bbs,retc)=execute(tfl)
  File "runfuzzer.py", line 186, in execute
    bbs = bbdict(config.BBOUT)
  File "runfuzzer.py", line 83, in bbdict
    with open(config.BBOUT,"r") as bbFD:
IOError: [Errno 2] No such file or directory: '/root/vuzzer64/fuzzer-code/outd/bbc.out'

init error and end exec

There was an error when VUzzer reads the *.names and *.pkl files.

When I start VUzzer to fuzz base64 from LAVA-M, it shows that:

root@moonlight:~/vuzzer64/fuzzer-code# python runfuzzer.py -s '/root/target_of_lava/LAVA-M/base64 -d %s' -i '/root/vuzzer64/fuzzer-code/datatemp/b64' -w '/root/idafiles/base64.pkl' -n '/root/idafiles/base64.names'
Exception in thread Thread-1:
Traceback (most recent call last):
  File "/usr/lib/python2.7/threading.py", line 801, in __bootstrap_inner
    self.run()
  File "/usr/lib/python2.7/threading.py", line 754, in run
    self.__target(*self.__args, **self.__kwargs)
  File "runfuzzer.py", line 704, in main
    gau.prepareBBOffsets()
  File "/root/vuzzer64/fuzzer-code/gautils.py", line 394, in prepareBBOffsets
    tdata=pickle.load(tFD)
  File "/usr/lib/python2.7/pickle.py", line 1384, in load
    return Unpickler(file).load()
  File "/usr/lib/python2.7/pickle.py", line 864, in load
    dispatch[key](self)
  File "/usr/lib/python2.7/pickle.py", line 1096, in load_global
    klass = self.find_class(module, name)
  File "/usr/lib/python2.7/pickle.py", line 1130, in find_class
    __import__(module)
ImportError: No module named __builtin__

After my analysis, the reason is that base64.names and base64.pkl were generated by IDA using text mode on Windows. In this mode on Windows, \n is translated to \r\n.

According to https://stackoverflow.com/questions/46350566/pickle-importerror-no-module-named-builtin, we just need to convert the \r\n into \n in the *.names and *.pkl files.
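The "No module named __builtin__" message hides the actual culprit: the module name the unpickler read was `__builtin__\r`, the trailing carriage return being invisible in the traceback. The block below is an added example, not part of VUzzer or of IDA's export script; it builds a small protocol-0 pickle of the kind a Python 2 script writes (constructed contents, with a set so that a `c__builtin__` global line appears), reproduces the text-mode damage, shows the load failing, and repairs it. It runs under Python 3, where the repaired pickle still loads because `__builtin__` is mapped to `builtins` for old protocols.

```python
import pickle


def make_sample_pkl():
    """Constructed stand-in for an IDA-generated *.pkl: a BB-address -> weight
    dict plus a set, dumped with protocol 0, the text protocol Python 2's
    pickle uses by default and the one that emits c__builtin__ lines."""
    data = {"bb_weights": {0x401000: 3, 0x401020: 1}, "seen": {0x401000}}
    return pickle.dumps(data, protocol=0)


def corrupt_like_windows_text_mode(raw):
    """Simulate writing the bytes through a text-mode handle on Windows,
    which turns every LF into CR LF."""
    return raw.replace(b"\n", b"\r\n")


def repair_crlf(raw):
    """Undo that translation.

    Safe for protocol-0 pickles and for the plain-text *.names file, because
    protocol 0 escapes CR and LF inside string payloads instead of writing
    them raw. NOT safe for binary (protocol >= 1) pickles, where a 0x0d 0x0a
    pair can be genuine data; those cannot be repaired this way at all."""
    return raw.replace(b"\r\n", b"\n")


def is_crlf_damaged(raw):
    """Cheap check to run before loading: a protocol-0 pickle or a .names
    file written on Unix never contains a CR LF pair."""
    return b"\r\n" in raw


def load_error(raw):
    """Try to unpickle `raw`; return None on success, else the exception name."""
    try:
        pickle.loads(raw)
        return None
    except Exception as exc:  # pickle raises several unrelated types here
        return type(exc).__name__


if __name__ == "__main__":
    good = make_sample_pkl()
    bad = corrupt_like_windows_text_mode(good)
    print("original loads        :", load_error(good))
    print("CRLF version damaged? :", is_crlf_damaged(bad))
    print("CRLF version loads    :", load_error(bad))
    print("repaired == original  :", repair_crlf(bad) == good)
```

Running is_crlf_damaged on the .pkl and .names files before prepareBBOffsets reads them turns the cryptic ImportError into a one-line diagnosis.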

Vuzzer does not consider programs reading stdin

When the command does not contain %s, vuzzer cannot run.

We need to write code to introduce is_stdin, and use a subprocess pipe to send the input to the program.

Ideally, in is_stdin mode not every file would need to be written to disk, reducing I/O overhead.
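A minimal version of what this issue asks for, as an added example rather than VUzzer's own runner: the `%s` placeholder decides the mode, file mode materialises the test case in a temporary file and substitutes its path, and stdin mode pipes the bytes straight into the target without touching disk. The timeout handling is included because a hang is the third outcome a fuzzing loop has to account for, separate from a clean exit and a crash. Command names used in the smoke test (cat, sh, sleep) are ordinary coreutils; the function names are this example's own.

```python
import os
import subprocess
import tempfile


def wants_stdin(cmd_template):
    """The issue's rule: a command line without a %s placeholder has no
    file argument to substitute, so the input must go to stdin."""
    return "%s" not in cmd_template


def run_target(argv_template, data, is_stdin, timeout=5.0):
    """Run one test case; return the target's return code, or None on timeout.

    argv_template -- argv list; in file mode every "%s" is replaced by the
                     path of a temporary file holding `data`.
    is_stdin      -- pipe `data` to the target's stdin instead and write
                     nothing to disk (the I/O saving the issue asks for).
    A None result is a hang and must be tracked separately from a crash.
    """
    common = dict(stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                  timeout=timeout)
    try:
        if is_stdin:
            return subprocess.run(argv_template, input=data, **common).returncode

        tmp = tempfile.NamedTemporaryFile(prefix="vu-", delete=False)
        try:
            tmp.write(data)
            tmp.close()
            argv = [a.replace("%s", tmp.name) for a in argv_template]
            return subprocess.run(argv, stdin=subprocess.DEVNULL,
                                  **common).returncode
        finally:
            os.unlink(tmp.name)   # never leave test cases behind, even on timeout
    except subprocess.TimeoutExpired:
        return None


if __name__ == "__main__":
    # Constructed smoke test with coreutils; real use substitutes the target.
    print("stdin mode :", run_target(["cat"], b"hello\n", True))
    print("file mode  :", run_target(["cat", "%s"], b"hello\n", False))
    print("hang       :", run_target(["sleep", "3"], b"", True, timeout=0.3))
```

In stdin mode the target must actually consume its standard input; a program that ignores it will simply run with no input, which shows up as every test case taking the same path.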

vuzzer report 'Empty cmp.out file! Perhaps taint analysis did not run...'

I followed the instructions in the README and wikiHOWTO to run vuzzer, using the following commands:

cd vuzzer64-master
export PIN_HOME=/home/lzy/pin-3.20/pin-3.20-98437-gf02b61307-gcc-linux
export PIN_ROOT=/home/lzy/pin-3.20/pin-3.20-98437-gf02b61307-gcc-linux
export DFT_HOME=/home/lzy/vuzzer/vuzzer64-master/libdft64
cd fuzzer-code
echo 0 |sudo tee /proc/sys/kernel/randomize_va_space
echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope
python runfuzzer.py -s '/home/lzy/vuzzer/vuzzer64-master/fuzzer-code/lava-m-binaries/who %s' -i 'datatemp/utmp/' -w 'lava-m-binaries/who.pkl' -n 'lava-m-binaries/who.names' -o '0x00000000'

and I got:

0
0
[*] Starting dry run now...
[*] Finished good inputs (3605)
[*] Starting bad inputs..
[*] finished common BB. TOtal such BB: 0
========================================
463091:47:57.819 - Start Program
========================================

[*] taintflow finished.
[**] Gen: 0. Executed 10 of 100.**
[**] Gen: 0. Executed 20 of 100.**
[**] Gen: 0. Executed 30 of 100.**
[**] Gen: 0. Executed 40 of 100.**
[**] Gen: 0. Executed 50 of 100.**
[**] Gen: 0. Executed 60 of 100.**
[**] Gen: 0. Executed 70 of 100.**
[**] Gen: 0. Executed 80 of 100.**
[**] Gen: 0. Executed 90 of 100.**
[**] Gen: 0. Executed 100 of 100.**
[*] Done with all input in Gen, starting SPECIAL. 

[*] Wrote to stat.log

Empty cmp.out file! Perhaps taint analysis did not run...
========================================
463091:49:35.877 - End Program
Elapsed time: 0:01:38.057
========================================

cmp.out is not empty while vuzzer is running, but when vuzzer stops, cmp.out becomes empty. I'd like to know whether I used Vuzzer correctly. If not, what should I do to correct it?
Thank you!

vuzzer early exit due to exception in function bbdict

[*] Just about to run  ['BBOUT=/vuzzer64/fuzzer-code/outd/bbc.out', 'LIBS=#', './run_bb.sh', '/d/p/normal/15.ffmpeg', '-y', '-i', '/vuzzer64/fuzzer-code/vutemp/data/avi-textinfo.avi', '-c:v', 'mpeg4', '-c:a', 'copy', '-f', 'mp4', '/dev/null']
[*] Run complete..

Exception in thread Thread-1:
Traceback (most recent call last):
  File "/usr/lib/python2.7/threading.py", line 801, in __bootstrap_inner
    self.run()
  File "/usr/lib/python2.7/threading.py", line 754, in run
    self.__target(*self.__args, **self.__kwargs)
  File "runfuzzer.py", line 805, in main
    (bbs,retc)=execute(tfl)
  File "runfuzzer.py", line 186, in execute
    bbs = bbdict(config.BBOUT)
  File "runfuzzer.py", line 88, in bbdict
    bbfr=int(tLine[1],0)
IndexError: list index out of range

this may be related to issue #13 , where bbc.out is 35GB
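The multi-gigabyte bbc.out from the ffmpeg report and this IndexError in bbdict share a root cause: the trace is read on the assumption that every line is complete and the file is small. The following is an added example, not VUzzer's bbdict. It assumes a record layout (whitespace-separated fields with the basic-block address in the second field, parsed with int(x, 0) as the traceback's `int(tLine[1],0)` does); that layout is an assumption, as are the sample lines, which are constructed. It streams the file, skips truncated or unparsable lines instead of dying on them, refuses files above a size cap, and reports addresses that repeat far more often than the rest, which is the periodic-address symptom the ffmpeg issue describes.

```python
import os
from collections import Counter


def parse_bb_lines(lines, addr_field=1):
    """Count basic-block records per address from an iterable of lines.

    Assumed layout: whitespace-separated fields, BB address at index
    `addr_field` as a literal int(x, 0) accepts (0x... hex or decimal).
    Returns (counts, malformed): counts maps address -> occurrences,
    malformed is the number of lines skipped.
    """
    counts = Counter()
    malformed = 0
    for line in lines:
        fields = line.split()
        if len(fields) <= addr_field:
            malformed += 1          # truncated or empty line: the IndexError case
            continue
        try:
            addr = int(fields[addr_field], 0)
        except ValueError:
            malformed += 1          # garbage where an address should be
            continue
        counts[addr] += 1
    return counts, malformed


def hot_blocks(counts, threshold):
    """Addresses hit more than `threshold` times, most frequent first: a
    handful of blocks dominating a huge trace points at a loop that never
    terminates rather than at new coverage."""
    return [(addr, n) for addr, n in counts.most_common() if n > threshold]


def parse_bb_file(path, max_bytes=256 * 1024 * 1024, **kw):
    """Stream a bbc.out from disk, refusing files above max_bytes so a
    runaway trace aborts this test case early instead of being read whole."""
    size = os.path.getsize(path)
    if size > max_bytes:
        raise ValueError("%s is %d bytes, over the %d-byte cap"
                         % (path, size, max_bytes))
    with open(path, "r", errors="replace") as fh:
        return parse_bb_lines(fh, **kw)


# Constructed sample trace: well-formed records, a truncated line (as left by
# a tool that died mid-write), a garbage address and an empty line.
SAMPLE_BBC = """\
bb 0x9a322d 1
bb 0x9a3241 1
bb 0x9a322d 1
bb 0x9a322d 1
bb
bb zz 1

bb 0x9a3260 1
"""


if __name__ == "__main__":
    counts, bad = parse_bb_lines(SAMPLE_BBC.splitlines())
    print("blocks:", {hex(a): n for a, n in counts.items()}, "skipped:", bad)
    print("hot   :", [(hex(a), n) for a, n in hot_blocks(counts, 2)])
```

A size cap like this turns the 34 GB and 67 GB files in the ffmpeg report into an immediate "this input loops" verdict for that test case, instead of a stalled fuzzer and a full disk.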

libdft64 is following taint not correctly

I compiled libdft with pin-3.7 and EWAHBoolArray-0.4.0.

As the command line options to watch file descriptors etc. have been removed, I added just this to the code:

diff --git a/libdft64/syscall_desc.cpp b/libdft64/syscall_desc.cpp
index 22bcc7f..16949b5 100644
--- a/libdft64/syscall_desc.cpp
+++ b/libdft64/syscall_desc.cpp
@@ -951,12 +951,12 @@ post_open_hook(THREADID tid, syscall_ctx_t *ctx)
        LOG("In open\n");
        const std::string fdn = fdname(fd);
 
-       if( !in_dtracker_whitelist(fdn) && !path_isdir(fdn)){
+       if(fdn.find("/tmp/", 0) == 0 || ( !in_dtracker_whitelist(fdn) && !path_isdir(fdn))){
                fdset.insert(fd);
                flag = 1;
                LOG("Inserted " + fdn + " " + decstr(fd) + ".\n");
        }else{
-               LOG("Info ignoring fd " + decstr(fd) + "\n");
+               LOG("Info ignoring fd " + decstr(fd) + " " + fdn + "\n");
        }
 }
 
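Review bot: the new `fdn.find("/tmp/", 0) == 0 ||` branch short-circuits past the `!path_isdir(fdn)` test that still guards the other side of the condition, so a directory opened under /tmp (for example by a directory listing) is inserted into `fdset` and tainted too; keep the directory test on both sides, e.g. `if((fdn.find("/tmp/", 0) == 0 || !in_dtracker_whitelist(fdn)) && !path_isdir(fdn)){`. The hard-coded `/tmp/` prefix is also worth noting as a local debugging hack rather than a configurable watch list, since it replaces the removed options only for that one path.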

Some output excerpts of "pin -follow_execv -t ./obj-intel64/libdft-dta.so -- unrar x /tmp/test.rar ":

It taints stuff it should not:

 In open
 in_dtracker_whitelist /lib/x86_64-linux-gnu/libm-2.28.so
 Info ignoring fd 3 /lib/x86_64-linux-gnu/libm-2.28.so
 Setting taint 3 832 bytes

It specifically says "ignoring fd" but still sets taint. This happens all over the place.

however it also taints correctly:

 In open
 Inserted /tmp/test.rar 3.
 Setting taint 3 7 bytes
 Setting taint 3 7 bytes
 Setting taint 3 6 bytes
 Setting taint 3 7 bytes
 Setting taint 3 35 bytes

this looks good

but then never follows the taint:

 In open
 in_dtracker_whitelist /prg/tmp/vuzzer64/libdft64/test.txt
 Info ignoring fd 4 /prg/tmp/vuzzer64/libdft64/test.txt
 In mmap -1 0 bytes
 Setting taint 3 14 bytes
 close 4
 Setting taint 3 7 bytes
 close 3
(end of pintool.log)

That fd 4 should have had tainted bytes written to it is not reported.

The same happens if "md5sum /tmp/test.rar" is run; it should show tainted writes to stdout.

Some mutator exceptions, like a wrong randint

[*] Just about to run  ['./run_2.sh', '"/d/p/normal/5.pdftotext /d/seed/pdf/120.pdf /dev/null"', '120.pdf', '0']
[*] Run complete..

[*] Just about to run  ['./run_2.sh', '"/d/p/normal/5.pdftotext /d/seed/pdf/138.pdf /dev/null"', '138.pdf', '0']
[*] Run complete..

Exception in thread Thread-1:
Traceback (most recent call last):
  File "/usr/lib/python2.7/threading.py", line 801, in __bootstrap_inner
    self.run()
  File "/usr/lib/python2.7/threading.py", line 754, in run
    self.__target(*self.__args, **self.__kwargs)
  File "runfuzzer.py", line 753, in main
    gau.create_files(config.POPSIZE - filenum)
  File "/vuzzer64/fuzzer-code/gautils.py", line 230, in create_files
    ch1= ga.mutate(p1,fl)
  File "/vuzzer64/fuzzer-code/operators.py", line 296, in mutate
    result=self.r.choice(self.mutators)(self, original,fl)
  File "/vuzzer64/fuzzer-code/operators.py", line 258, in double_fuzz
    return self.r.choice(self.mutators)(self, result,fl)
  File "/vuzzer64/fuzzer-code/operators.py", line 170, in change_random_full
    cut_pos = self.r.randint(0, size - add_size)
  File "/usr/lib/python2.7/random.py", line 242, in randint
    return self.randrange(a, b+1)
  File "/usr/lib/python2.7/random.py", line 218, in randrange
    raise ValueError, "empty range for randrange() (%d,%d, %d)" % (istart, istop, width)
ValueError: empty range for randrange() (0,0, 0)

[*] Just about to run  ['./run_2.sh', '"/d/p/normal/5.pdftotext /d/seed/pdf/193.pdf /dev/null"', '193.pdf', '0']
[*] Run complete..

[*] Just about to run  ['./run_2.sh', '"/d/p/normal/5.pdftotext /d/seed/pdf/192.pdf /dev/null"', '192.pdf', '0']
[*] Run complete..

[*] Just about to run  ['./run_2.sh', '"/d/p/normal/5.pdftotext /d/seed/pdf/108.pdf /dev/null"', '108.pdf', '0']
[*] Run complete..

[*] Just about to run  ['./run_2.sh', '"/d/p/normal/5.pdftotext /d/seed/pdf/125.pdf /dev/null"', '125.pdf', '0']
[*] Run complete..

[*] Just about to run  ['./run_2.sh', '"/d/p/normal/5.pdftotext /d/seed/pdf/114.pdf /dev/null"', '114.pdf', '0']
[*] Run complete..

[*] Just about to run  ['./run_2.sh', '"/d/p/normal/5.pdftotext /d/seed/pdf/184.pdf /dev/null"', '184.pdf', '0']
[*] Run complete..

[*] Just about to run  ['./run_2.sh', '"/d/p/normal/5.pdftotext /d/seed/pdf/158.pdf /dev/null"', '158.pdf', '0']
[*] Run complete..

[*] Just about to run  ['./run_2.sh', '"/d/p/normal/5.pdftotext /d/seed/pdf/104.pdf /dev/null"', '104.pdf', '0']
[*] Run complete..

[*] Just about to run  ['./run_2.sh', '"/d/p/normal/5.pdftotext /d/seed/pdf/180.pdf /dev/null"', '180.pdf', '0']
[*] Run complete..

[*] Just about to run  ['./run_2.sh', '"/d/p/normal/5.pdftotext /d/seed/pdf/119.pdf /dev/null"', '119.pdf', '0']
[*] Run complete..

[*] Just about to run  ['./run_2.sh', '"/d/p/normal/5.pdftotext /d/seed/pdf/134.pdf /dev/null"', '134.pdf', '0']
[*] Run complete..

[*] Just about to run  ['./run_2.sh', '"/d/p/normal/5.pdftotext /d/seed/pdf/148.pdf /dev/null"', '148.pdf', '0']
[*] Run complete..

[*] Just about to run  ['./run_2.sh', '"/d/p/normal/5.pdftotext /d/seed/pdf/179.pdf /dev/null"', '179.pdf', '0']
[*] Run complete..

[*] Just about to run  ['./run_2.sh', '"/d/p/normal/5.pdftotext /d/seed/pdf/127.pdf /dev/null"', '127.pdf', '0']
[*] Run complete..

[*] Just about to run  ['./run_2.sh', '"/d/p/normal/5.pdftotext /d/seed/pdf/199.pdf /dev/null"', '199.pdf', '0']
[*] Run complete..

[*] Just about to run  ['./run_2.sh', '"/d/p/normal/5.pdftotext /d/seed/pdf/128.pdf /dev/null"', '128.pdf', '0']
[*] Run complete..

[*] Just about to run  ['./run_2.sh', '"/d/p/normal/5.pdftotext /d/seed/pdf/183.pdf /dev/null"', '183.pdf', '0']
[*] Run complete..

computing MOSTCOM calculation...
[*] taintflow finished.
[*] 0 offset set
[*] 0 offset set
[*] 0 offset set
[*] 0 offset set
[*] 0 offset set
[*] 0 offset set
[*] 0 offset set
[*] 0 offset set
[*] 0 offset set
[*] 0 offset set
[*] 0 offset set
[*] 0 offset set
[*] 0 offset set
[*] 0 offset set
[*] 0 offset set
[*] 0 offset set
[*] 0 offset set
[*] 0 offset set
[*] 0 offset set
[*] 0 offset set
[*] 0 offset set
[*] 0 offset set
[*] 0 offset set
[*] 0 offset set
[*] 0 offset set
[*] 0 offset set
[*] 0 offset set
[*] 0 offset set
[*] 0 offset set
[*] 0 offset set
[*] 0 offset set
[*] 0 offset set
[*] 0 offset set
[*] 0 offset set
[*] 0 offset set
[*] 0 offset set
[*] 0 offset set
[*] 0 offset set
[*] 0 offset set
[*] 0 offset set
[*] 0 offset set
[*] 0 offset set
========================================
433099:17:48.174 - End Program
Elapsed time: 1:16:38.147
========================================
