Fix bugs on subprocesses killing

hxuhack · Nov 17, 2017 · c2ceb29 · c2ceb29
2 parents ab1745d + c4079db
commit c2ceb29
Show file tree

Hide file tree

Showing 41 changed files with 174 additions and 83 deletions.
diff --git a/.gitignore b/.gitignore
@@ -36,3 +36,4 @@ tmp/
 
 .vscode/
 .idea/
+sick/
diff --git a/README.md b/README.md
@@ -60,10 +60,14 @@ Below we list these programs and the conditions to trigger each bomb.
 | Buffer Overflow 		| stack_bo_l1.c | expected stdin: \`python -c 'print "AAAAAAAA\x01\x00\x00\x00"'\`|
 | 		 		| stack_bo_l2.c | expected stdin: TO FIGURE OUT |
 | 		 		| heap_bo_l1.c | expected stdin: TO FIGURE OUT|
-| External Function Call  	| rand_ef.c | rand()%100 == 7 |
-| 			  	| pow_ef.c | pow(i, 2) == 49 |
-| 			  	| sin_ef.c | sin(i * PI / 180) == 0.5 |
-| 			  	| ln_ef.c | 1.94 < log(i) && log(i) < 1.95 |
+| External Function Call  	| printint_ef_l1.c | expected stdin: 196 |
+| 			  	| printfloat_ef_l1.c | expected stdin: 196 |
+| 			  	| atoi_ef_l2.c | expected stdin: 199 |
+| 			  	| atof_ef_l2.c | expected stdin: 199 |
+|  				| rand_ef_l2.c | rand()%100 == 7 |
+| 			  	| pow_ef_l2.c | pow(i, 2) == 49 |
+| 			  	| sin_ef_l2.c | sin(i * PI / 180) == 0.5 |
+| 			  	| ln_ef_l2.c | 1.94 < log(i) && log(i) < 1.95 |
 | Crypto Function 		| sha_cf.c | if sha1(i) equals to a predefined value |
 | 		 		| aes_cf.c | if aes(i, plaintext) equals to a ciphertext |
 | Loop 				| collaz_lo_l1.c  | if it loops 25 times (example stdin:101) |

diff --git a/config/test_settings.py b/config/test_settings.py
@@ -2,22 +2,23 @@
 FUNC_NAME = 'logic_bomb'
 
 src_dirs = [
-    'src/buffer_overflow',
+    # 'src/buffer_overflow',
     'src/contextual_symbolic_value',
-    'src/covert_propogation',
-    'src/crypto_functions',
-    'src/data_overflow',
-    'src/external_functions',
-    'src/floating_point',
-    'src/loop',
-    'src/parallel_program',
-    'src/symbolic_jump',
-    'src/symbolic_memory',
+    # 'src/covert_propogation',
+    # 'src/crypto_functions',
+    # 'src/data_overflow',
+    # 'src/external_functions',
+    # 'src/floating_point',
+    # 'src/loop',
+    # 'src/parallel_program',
+    # 'src/symbolic_jump',
+    # 'src/symbolic_memory',
 
     # 'src_cpp/covert_propagation',
     # 'src_cpp/symbolic_jump',
     # 'src_cpp/symbolic_memory',
 
+    # 'sick/'
     # 'src/symbolic_variable_declaration',
 ]
 
@@ -49,8 +50,8 @@
     "python script/triton_caller.py -l%d -m%d -f%s -i%s -p triton/%s.out"
 ]
 
-angr_tp_path = 'templates/default.c'
-triton_tp_path = 'templates/default.c'
+angr_tp_path = 'templates/default_no_printf.c'
+triton_tp_path = 'templates/default_no_printf.c'
 klee_tp_path = 'templates/klee.c'
 
 switches = {

diff --git a/run_tests.py b/run_tests.py
@@ -5,10 +5,18 @@
 import script_runner as sr
 import shutil
 import json
+import psutil
 
 from config.test_settings import TRITON_INSTALLATION_PATH, FUNC_NAME
 
 
+def kill_all(process):
+    parent = psutil.Process(process.pid)
+    for child in parent.children(recursive=True):
+        child.kill()
+    parent.kill()
+
+
 def ATKrun(target , src_dirs, func_name='logic_bomb', default_stdin_len=10):
     def params_list_parser(params):
         if len(params.strip()) == 0:
@@ -41,7 +49,7 @@ def params_list_parser(params):
     TLE = 4
     RUNTIME_ERROR = 255
 
-    MAX_TIME = 1800
+    MAX_TIME = 60
     test_results = {}
 
     func_pattern = re.compile(r'int[ \t\n]+%s\(([^)]*)\);*' % func_name)
@@ -101,12 +109,13 @@ def params_list_parser(params):
                         continue
                     # Run test
                     p = subprocess.Popen(cmds[1].split(' '))
+                    print(p.pid)
                     try:
                         rt_vale = p.wait(timeout=MAX_TIME)
                         test_results[fp] = rt_vale
                     except subprocess.TimeoutExpired:
                         test_results[fp] = TLE
-                        p.kill()
+                        kill_all(p)
 
                 elif prefix == 'klee':
                     if not os.path.exists('klee'):
@@ -137,7 +146,7 @@ def params_list_parser(params):
                         rt_vale = p.wait(timeout=MAX_TIME)
                     except subprocess.TimeoutExpired:
                         test_results[fp] = TLE
-                        p.kill()
+                        kill_all(p)
                         continue
 
                     p = subprocess.Popen(cmds[2].split(' '))
@@ -146,7 +155,7 @@ def params_list_parser(params):
                         test_results[fp] = rt_vale
                     except subprocess.TimeoutExpired:
                         test_results[fp] = TLE
-                        p.kill()
+                        kill_all(p)
                     shutil.rmtree('klee')
                 elif prefix == 'triton':
                     cmds.append(cmds_tp[0] % outname)
@@ -163,6 +172,7 @@ def params_list_parser(params):
                         continue
 
                     # Run test
+                    print("=== Run test!", outname, "===")
                     p = subprocess.Popen(cmds[1].split(' '))
                     rt_vale = p.wait()
                     test_results[fp] = rt_vale

diff --git a/script/triton_caller.py b/script/triton_caller.py
@@ -4,6 +4,10 @@
 import re
 import sys
 import time
+import signal
+import psutil
+
+from threading import Timer
 
 
 parser = argparse.ArgumentParser()
@@ -32,7 +36,8 @@
 
 print(' '.join([TRITON_INSTALLATION_PATH, 'triton/triton_run.py', prog]))
 
-p = subprocess.Popen([TRITON_INSTALLATION_PATH, 'triton/triton_run.py', prog, '0' * args.length], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+p = subprocess.Popen([TRITON_INSTALLATION_PATH, 'triton/triton_run.py', prog, '0' * args.length], stdout=subprocess.PIPE, stderr=subprocess.PIPE, preexec_fn=os.setsid)
+print(p.pid)
 start = time.time()
 while time.time() - start < args.max_time:
     rt_value = p.poll()
@@ -42,7 +47,11 @@
     time.sleep(0.1)
 print(time.time() - start)
 if time.time() - start > args.max_time:
-    print(p.kill())
+    # p.kill()
+    parent = psutil.Process(p.pid)
+    for child in parent.children(recursive=True):
+        child.kill()
+    parent.kill()
     print('timeout!!!!')
     exit(4)
 
@@ -56,28 +65,34 @@
 for testcase in pt.finditer(out):
     tmp = case_pt.findall(out)
     tmp = ''.join(list(map(chr, map(int, tmp))))
-    print(repr(list(tmp)))
+    print("New test case:", repr(list(tmp)))
     tmp = tmp.replace('\x00', '')
     reses.append(tmp)
 
-print(reses)
+print "%d test case(s) generated" % len(reses)
 
 tests = set()
 for res in reses:
-    p = subprocess.Popen([prog, res])
+    p = subprocess.Popen([prog, res], preexec_fn=os.setsid)
     start = time.time()
     while time.time() - start < args.max_time:
         rt_value = p.poll()
         if rt_value is not None:
-            print(rt_value)
+            print("Return Value:", rt_value)
             break
         time.sleep(0.1)
     if time.time() - start > args.max_time:
         tests.add(0)
-        p.kill()
+        print(p.pid)
+        # p.kill()
+        parent = psutil.Process(p.pid)
+        for child in parent.children(recursive=True):
+            child.kill()
+        parent.kill()
+
         print('\nTest case timeout!!!!\n')
     else:
-        tests.add(0)
+        tests.add(rt_value)
 
 if args.expected is None:
     standard = {0, 1}

diff --git a/src/contextual_symbolic_value/pid_csv.c b/src/contextual_symbolic_value/pid_csv.c
@@ -7,7 +7,6 @@
 
 int logic_bomb(int symvar) {
    int pid = (int) getpid();
-   printf ("current pid is %d\n%", pid);
    if(pid == symvar)
     return BOMB_ENDING;
    else

diff --git a/src/contextual_symbolic_value/ping_csv.c b/src/contextual_symbolic_value/ping_csv.c
@@ -65,14 +65,14 @@ int ping_it(struct in_addr *dst)
     if (rc <= 0) {
         perror("recvfrom");
     } else if (rc < sizeof rcv_hdr) {
-        printf("Error, got short ICMP packet, %d bytes\n", rc);
+        //printf("Error, got short ICMP packet, %d bytes\n", rc);
     }
     memcpy(&rcv_hdr, data, sizeof rcv_hdr);
     if (rcv_hdr.type == ICMP_ECHOREPLY) {
-        printf("ICMP Reply, id=0x%x, sequence =  0x%x\n",
-                        icmp_hdr.un.echo.id, icmp_hdr.un.echo.sequence);
+        //printf("ICMP Reply, id=0x%x, sequence =  0x%x\n",
+                        //icmp_hdr.un.echo.id, icmp_hdr.un.echo.sequence);
     } else {
-        printf("Got ICMP packet with type 0x%x ?!?\n", rcv_hdr.type);
+        //printf("Got ICMP packet with type 0x%x ?!?\n", rcv_hdr.type);
     }
     return 1;
 }
@@ -85,7 +85,7 @@ int logic_bomb(char* s) {
 
     if (inet_aton(s, &dst) == 0) {
         perror("inet_aton");
-        printf("%s isn't a valid IP address\n", s);
+        //printf("%s isn't a valid IP address\n", s);
         return NORMAL_ENDING;
     }
 

diff --git a/src/contextual_symbolic_value/syscall_csv.c b/src/contextual_symbolic_value/syscall_csv.c
@@ -8,7 +8,11 @@
 
 // {"s":{"length": 16}}
 int logic_bomb(char* s) {
-    int trigger = 0;
+    if(s == NULL)
+	return NORMAL_ENDING;
+    if(s[0]=='\0')
+	return NORMAL_ENDING;
+    int trigger = -1;
     trigger = system(s);
     if(trigger == 0) {
         return BOMB_ENDING;

diff --git a/src/covert_propogation/file_cp.c b/src/covert_propogation/file_cp.c
@@ -14,15 +14,14 @@ int logic_bomb(int i) {
     FILE *fp = fopen(file, "ab+");
     if(fp == NULL)
     {
-        printf("Error!");   
+        //printf("Error!");   
         exit(1);             
     }
     fprintf(fp,"%d",i);
     fclose(fp);
 
     fp = fopen("tmp.covpro", "r");
     fscanf(fp,"%d",&j);
-    printf("i = %d, j = %d\n", i,j);   
     fclose(fp);
     remove(file);
     if(j == 7){

diff --git a/src/covert_propogation/socket_cp.c b/src/covert_propogation/socket_cp.c
@@ -23,7 +23,7 @@ int server(){
     bind(server_sockfd,(struct sockaddr *)&server_address,server_len);  
 
     listen(server_sockfd,5);  
-    printf("server waiting for connect\n");  
+    //printf("server waiting for connect\n");  
 
     client_len = sizeof(client_address);  
     client_sockfd = accept(server_sockfd,(struct sockaddr *)&client_address,(socklen_t *)&client_len);  
@@ -33,7 +33,7 @@ int server(){
         perror("recv");  
         exit(EXIT_FAILURE);  
     }  
-    printf("receive from client is %c\n",char_recv);  
+    //printf("receive from client is %c\n",char_recv);  
 
     char_send = char_recv;  
     if(btye = send(client_sockfd,&char_send,1,0) == -1)  
@@ -47,7 +47,7 @@ int server(){
 }
 
 int client_send(char char_send){
-    printf("client start\n");  
+    //printf("client start\n");  
     int sockfd;  
     int len;  
     struct sockaddr_in address;  
@@ -79,7 +79,7 @@ int client_send(char char_send){
         perror("recv");  
         exit(EXIT_FAILURE);  
     }  
-    printf("receive from server %c\n",char_recv);  
+    //printf("receive from server %c\n",char_recv);  
     close(sockfd);  
     return atoi(char_recv);
 }
@@ -97,7 +97,7 @@ int logic_bomb(char* s) {
         if(pid2 == 0){
             sleep(1);
             i=client_send(s[0]); 
-            printf("i=%d\n",i);
+            //printf("i=%d\n",i);
     	    if(i==7){
                 return BOMB_ENDING;
     	    }else{

diff --git a/src/covert_propogation/stack_cp.c b/src/covert_propogation/stack_cp.c
@@ -6,7 +6,6 @@ int logic_bomb(int i) {
     int j;
     __asm__ __volatile__("push %0" :: "m"(i));
     __asm__ __volatile__("pop %0" :: "m"(j));
-    printf("%d\n", j);
     if(j == 7){
         return BOMB_ENDING;
     } else{

diff --git a/src/crypto_functions/aes_cf.c b/src/crypto_functions/aes_cf.c
@@ -18,7 +18,7 @@ void aes_print(uint8_t* str) {
 // {"s":{"length": 32}}
 int logic_bomb(char* s) {
     if(strlen(s) != 32){
-        printf("please input the 128-bit keys\n");
+        //printf("please input the 128-bit keys\n");
 	return NORMAL_ENDING;
     }
 
@@ -42,15 +42,15 @@ int logic_bomb(char* s) {
     	&key[12],&key[13],
     	&key[14],&key[15]);
 
-    aes_print(key);
+    //aes_print(key);
 
     uint8_t decodetext[16];
     uint8_t ciphertext[] = {0x3a, 0xd7, 0x7b, 0xb4, 0x0d, 0x7a, 0x36, 0x60, 0xa8, 0x9e, 0xca, 0xf3, 0x24, 0x66, 0xef, 0x97};
     uint8_t plaintext[] = {0x6b, 0xc1, 0xbe, 0xe2, 0x2e, 0x40, 0x9f, 0x96, 0xe9, 0x3d, 0x7e, 0x11, 0x73, 0x93, 0x17, 0x2a};
 
     AES128_ECB_decrypt(ciphertext, key, decodetext);
 
-    aes_print(decodetext);
+    //aes_print(decodetext);
     if(0 == memcmp((char*) plaintext, (char*) decodetext, 16)){
         return BOMB_ENDING;
     }else{

diff --git a/src/external_functions/atof_ef_l2.c b/src/external_functions/atof_ef_l2.c
@@ -0,0 +1,17 @@
+/*
+TOY:
+*/
+#include <string.h> 
+#include <math.h>
+#include "utils.h"
+#include "a_tester.h"
+
+// {"s":{"length": 3}}
+int logic_bomb(char* symvar) {
+    float i = atof(symvar);
+    if(i - 199 == 0){
+        return BOMB_ENDING;
+    }else{
+        return NORMAL_ENDING;
+    }
+}
diff --git a/src/external_functions/atoi_ef_l2.c b/src/external_functions/atoi_ef_l2.c
@@ -0,0 +1,17 @@
+/*
+TOY:
+*/
+#include <string.h> 
+#include <math.h>
+#include "utils.h"
+#include "a_tester.h"
+
+// {"s":{"length": 3}}
+int logic_bomb(char* symvar) {
+    int i = atoi(symvar);
+    if(i==199){
+        return BOMB_ENDING;
+    }else{
+        return NORMAL_ENDING;
+    }
+}