[klee-dev] Prevent klee from terminating a state upon facing an error

Cristian Cadar c.cadar at imperial.ac.uk
Fri Aug 19 14:47:12 BST 2016


Hi Randolph,

If a path exposes an error only for some values, KLEE reports the error, 
and then continues execution on that path for the other values that 
don't expose this error.

If a buffer overflow always occurs on a certain path, as in your 
example, what would you like the semantics of the continued execution to 
be? There is research on continued execution in face of memory errors, 
but combining it with the kind of bug finding performed by KLEE would 
require a lot of care.

Best,
Cristian
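An added example (not code from the thread or from KLEE) that restructures the toy program quoted below so the first memory error is input-dependent rather than unconditional: with `idx` symbolic, KLEE reports the out-of-bounds read for `idx >= 10` and continues on the in-bounds values, so the later `strcpy` stays reachable. The `KLEE_HARNESS` macro, `read_at` and `read_at_checked` are this example's own names.

```c
#include <stdio.h>
#include <string.h>

/* When built for KLEE, compile with -DKLEE_HARNESS (a macro chosen for this
 * example, not one KLEE defines) so that idx becomes symbolic. */
#ifdef KLEE_HARNESS
#include <klee/klee.h>
#endif

#define BUF_LEN 10

/* Unchecked read: the memory error exists only for idx >= BUF_LEN, so KLEE
 * reports it on that sub-path and keeps exploring the in-bounds values. */
static char read_at(const char *a, unsigned idx)
{
    return a[idx];
}

/* One concrete answer to "what should continued execution mean": a read
 * that reports the violation to the caller and yields a defined value. */
static int read_at_checked(const char *a, size_t len, unsigned idx, char *out)
{
    if (idx >= len) {
        *out = '\0';
        return -1;           /* violation reported, execution can go on */
    }
    *out = a[idx];
    return 0;
}

int main(int argc, char **argv)
{
    char a[BUF_LEN] = "abcdefghi";  /* 9 chars + NUL fits exactly */
    unsigned idx = 3;                /* concrete default for a native run */
#ifdef KLEE_HARNESS
    klee_make_symbolic(&idx, sizeof(idx), "idx");
#endif
    /* Reported for idx >= 10, continues for idx < 10 (unlike a[10]). */
    fputc(read_at(a, idx), stderr);

    /* Still reachable on the in-bounds paths; run KLEE with --sym-arg to
     * make argv[1] symbolic and expose the overflow here. */
    if (argc > 1)
        strcpy(a, argv[1]);
    return 0;
}
```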

On 18/08/16 10:40, Randolph Wong wrote:
> Hello,
>
> I'm wondering if there is an option to prevent klee from terminating a state
> upon facing an error. Here's a toy example to motivate my question:
>
> #include <stdio.h>
> #include <string.h>
>
> int main(int argc, char **argv)
> {
>     char a[10];
>
>     /* An illegal memory read. Klee will terminate here. */
>     fputc(a[10], stderr);
>
>     /*
>      * Since klee terminated due to the illegal memory read, we don't get
>      * to find this exploitable bug.
>      */
>     strcpy(a, argv[1]);
>     return 0;
> }
>
> If there isn't an option for it, is there a simple/straightforward way
> to implement this?
>
> My hacky attempt at implementing was to make a copy of
> Executor::terminateStateOnError and just remove the line that does
> terminateState(state). When a memory error happens, I'll just make it
> call my new function. I thought that this would help to at least produce
> a test case when the first error happens. However, I'm sure this isn't
> the right way. Indeed, running the modified klee on the above code
> caused a seg fault.
>
> Would appreciate if someone could give me some directions or feedback on
> this. Thanks.
>
> Randolph
>
>