KLEE
#需要一条条的执行,shell脚本中会出错
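# Build KLEE from source on Ubuntu x86_64: llvm-gcc 4.2 / LLVM 2.9 -> minisat
# -> STP -> klee-uclibc -> KLEE, then a smoke test on the bundled example.
# Abort on the first failed step instead of cascading into later ones.
set -euo pipefail

sudo apt-get update
sudo apt-get upgrade
# Tools and libraries needed by the builds below.
sudo apt-get install g++ curl python-minimal git bison flex bc libcap-dev build-essential libboost-all-dev ncurses-dev cmake

# Prebuilt llvm-gcc tarball.
# NOTE(review): fetched over plain HTTP with no integrity check; compare the
# archive against a checksum published by a trusted source before unpacking.
wget http://llvm.org/releases/2.9/llvm-gcc4.2-2.9-x86_64-linux.tar.bz2
tar -jxvf llvm-gcc4.2-2.9-x86_64-linux.tar.bz2

# Environment for this session so later builds find the headers and llvm-gcc.
export C_INCLUDE_PATH=/usr/include/x86_64-linux-gnu
export CPLUS_INCLUDE_PATH=/usr/include/x86_64-linux-gnu
export PATH="$PATH:$HOME/llvm-gcc4.2-2.9-x86_64-linux/bin"
# Persist them for future shells. The lines are single-quoted so $PATH and
# $HOME stay unexpanded in the file: .bashrc then extends the login PATH
# instead of freezing today's value. The target is always $HOME/.bashrc,
# not a .bashrc relative to whatever the current directory happens to be.
{
  printf '%s\n' 'export C_INCLUDE_PATH=/usr/include/x86_64-linux-gnu'
  printf '%s\n' 'export CPLUS_INCLUDE_PATH=/usr/include/x86_64-linux-gnu'
  printf '%s\n' 'export PATH=$PATH:$HOME/llvm-gcc4.2-2.9-x86_64-linux/bin'
} >> "$HOME/.bashrc"

# LLVM 2.9 sources.
wget http://llvm.org/releases/2.9/llvm-2.9.tgz
tar -zxvf llvm-2.9.tgz
cd llvm-2.9
# unistd/JIT patch from the klee-dev list; the direct download may need a
# proxy, so a copy dropped into $HOME beforehand is used when present.
# The patch is mandatory - the build fails without it.
# NOTE(review): unsigned patch from a mailing-list archive over plain HTTP;
# read it before applying.
if [[ -f "$HOME/unistd-llvm-2.9-jit.patch" ]]; then
  cp -- "$HOME/unistd-llvm-2.9-jit.patch" .
else
  wget http://www.mail-archive.com/klee-dev@imperial.ac.uk/msg01302/unistd-llvm-2.9-jit.patch
fi
patch -p1 < unistd-llvm-2.9-jit.patch
# Generate the Makefiles, then build ("Make" in the original is not a command).
./configure --enable-optimized --enable-assertions
make
cd "$HOME"

# minisat is a prerequisite of STP that many guides omit; STP fails without it.
git clone https://github.com/stp/minisat.git
cd minisat
mkdir build
cd build
cmake ../
make
sudo make install

# STP solver. Clone from $HOME: the original cloned from inside minisat/build,
# so the source tree ended up at ~/minisat/build/stp and the later
# "cmake $HOME/stp" pointed at a directory that did not exist.
cd "$HOME"
git clone https://github.com/stp/stp.git
cd stp
mkdir build && cd build
cmake -G 'Unix Makefiles' "$HOME/stp"
# Slow build with many warnings; they can be ignored.
make
sudo make install
sudo ldconfig
# Unlimited stack size, as the upstream KLEE/STP build guide recommends.
ulimit -s unlimited
cd "$HOME"

# klee-uclibc, built as an LLVM bitcode library against the LLVM 2.9 above.
git clone --depth 1 --branch klee_0_9_29 https://github.com/klee/klee-uclibc.git
cd klee-uclibc/
./configure --with-llvm-config "$HOME/llvm-2.9/Release+Asserts/bin/llvm-config" --make-llvm-lib
make -j"$(nproc)"
cd "$HOME"

# KLEE itself, compiled with the LLVM built above.
git clone https://github.com/klee/klee.git
cd klee
./configure --enable-posix-runtime --with-stp=/usr/local --with-llvm="$HOME/llvm-2.9/" --with-uclibc="$HOME/klee-uclibc/"
make ENABLE_OPTIMIZED=1
# Two tests are known to fail here; do not let that abort the install.
make check || true
make unittests
sudo make install
cd "$HOME"

# Smoke test on the bundled example: if the install is correct this runs.
cd "$HOME/klee/examples/get_sign"
# Compile to LLVM bitcode, then analyze it with KLEE.
llvm-gcc -I ../../include --emit-llvm -c -g get_sign.c
klee get_sign.o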
使用KLEE分析GNU coreutils工具
#参考官网教程http://klee.github.io/tutorials/testing-coreutils/,官网上没有问题的一些步骤将会省略
# Ubuntu声明环境变量
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/lib/x86_64-linux-gnu
#在ftp://alpha.gnu.org/gnu/coreutils/上下载本示例使用的GNU工具coreutils-6.11
coreutils-6.11$ mkdir obj-gcov
coreutils-6.11$ cd obj-gcov
obj-gcov$ ../configure --disable-nls CFLAGS="-g -fprofile-arcs -ftest-coverage"
#这边configure 就完成了工作应该没有报错
obj-gcov$ make
obj-gcov$ make -C src arch hostname
#这边应该也没有报错
obj-gcov$ cd src
src$ ls -l ls echo cat
-rwxr-xr-x 1 ddunbar ddunbar 164841 2009-07-25 20:58 cat
-rwxr-xr-x 1 ddunbar ddunbar 151051 2009-07-25 20:59 echo
-rwxr-xr-x 1 ddunbar ddunbar 439712 2009-07-25 20:58 ls
src$ ./cat --version
cat (GNU coreutils) 6.11
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Written by Torbjorn Granlund and Richard M. Stallman.
src$ rm -f *.gcda # 清除 gcov 文件
src$ ./echo
src$ ls -l echo.gcda
-rw-r--r-- 1 ddunbar ddunbar 1832 2009-08-04 21:14 echo.gcda
src$ gcov echo
#官网上显示的是如下内容,但在我自己的机器上只有两项,并没有影响
File '../../src/system.h'
Lines executed:0.00% of 47
../../src/system.h:creating 'system.h.gcov'
File '../../lib/timespec.h'
Lines executed:0.00% of 2
../../lib/timespec.h:creating 'timespec.h.gcov'
File '../../lib/gettext.h'
Lines executed:0.00% of 32
../../lib/gettext.h:creating 'gettext.h.gcov'
File '../../lib/openat.h'
Lines executed:0.00% of 8
../../lib/openat.h:creating 'openat.h.gcov'
File '../../src/echo.c'
Lines executed:18.81% of 101
../../src/echo.c:creating 'echo.c.gcov'
coreutils-6.11$ mkdir obj-llvm
coreutils-6.11$ cd obj-llvm
obj-llvm$ ../configure --disable-nls CFLAGS="-g"
obj-llvm$ make CC=/你自己的路径/klee/scripts/klee-gcc
obj-llvm$ make -C src arch hostname CC=/你自己的路径/klee/scripts/klee-gcc
#这边可能还会报错,提示第39行出错、找不到llvm-ld,这时需要把/你自己的路径/llvm-2.9/Release+Asserts/bin这个目录添加到PATH环境变量里面;
#另外还可能提示找不到'crypt'库,报错llvm-ld: error: Cannot find library 'crypt',这时需要声明以下环境变量:
export C_INCLUDE_PATH=/usr/include/x86_64-linux-gnu
export CPLUS_INCLUDE_PATH=/usr/include/x86_64-linux-gnu
obj-llvm$ cd src
src$ ls -l ls echo cat
-rwxr-xr-x 1 ddunbar ddunbar 65 2009-07-25 23:40 cat
-rwxr-xr-x 1 ddunbar ddunbar 66 2009-07-25 23:43 echo
-rwxr-xr-x 1 ddunbar ddunbar 94 2009-07-25 23:38 ls
src$ ./cat --version
cat (GNU coreutils) 6.11
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
LLVM ERROR: JIT does not support inline asm!
src$ cat ls
#!/bin/sh
lli=${LLVMINTERP-lli}
exec $lli \
-load=/usr/lib/librt.so \
ls.bc ${1+"$@"}
src$ ls -l ls.bc
-rwxr-xr-x 1 ddunbar ddunbar 643640 2009-07-25 23:38 ls.bc
src$ klee --libc=uclibc --posix-runtime ./cat.bc --version
KLEE: NOTE: Using model: /home/ddunbar/public/klee/Release/lib/libkleeRuntimePOSIX.bca
KLEE: output directory = "klee-out-3"
KLEE: WARNING: undefined reference to function: __signbitl
KLEE: WARNING: executable has module level assembly (ignoring)
KLEE: WARNING: calling external: syscall(54, 0, 21505, 177325672)
KLEE: WARNING: calling __user_main with extra arguments.
KLEE: WARNING: calling external: getpagesize()
KLEE: WARNING: calling external: vprintf(177640072, 183340048)
cat (GNU coreutils) 6.11
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Written by Torbjorn Granlund and Richard M. Stallman.
KLEE: WARNING: calling close_stdout with extra arguments.
Copyright (C) 2008 Free Software Foundation, Inc.
KLEE: done: total instructions = 259357
KLEE: done: completed paths = 1
KLEE: done: generated tests = 1
src$ klee --libc=uclibc --posix-runtime ./echo.bc --help
...
usage: (klee_init_env) [options] [program arguments]
-sym-arg - Replace by a symbolic argument with length N
-sym-args - Replace by at least MIN arguments and at most
MAX arguments, each with maximum length N
-sym-files - Make stdin and up to NUM symbolic files, each
with maximum size N.
-sym-stdout - Make stdout symbolic.
-max-fail - Allow up to injected failures
-fd-fail - Shortcut for '-max-fail 1'
...
#以下跳过官网上没有问题的若干步骤,后面还会报错:Error: Package "tabulate" required for table
#这时需要安装tabulate包:先用apt安装pip包管理器,然后执行pip install tabulate