Home

Awesome

LTL-Fuzzer

LTL-Fuzzer is a greybox fuzzer to find violations of arbitrary Linear-time Temporal Logic(LTL) properties. It is built on top of the AFL fuzzer and involves additional program instrumentation to check if a particular execution trace is accepted by the Büchi automaton representing the negation of the given LTL property. Our framework takes as input a sequential program written in C/C++, and an LTL property. It finds violations, or counterexample traces, of the LTL property in stateful software systems.

LTL-Fuzzer substantially extends directed greybox fuzzing to witness arbitrarily complex event orderings. We note that existing directed greybox fuzzing approaches are limited to witnessing reaching a location or witnessing simple event orderings such as crashes or use-after-free. This is the main contribution of our work: algorithms and an implementation of our ideas in a tool that is able to validate any LTL property, thereby covering a much more expressive class of properties than crashes or use-after-free. Our work adapts directed greybox fuzzing (which directs the search towards specific program locations) to find violations of temporal logic formulae.

Publication

The paper PDF can be found at https://arxiv.org/abs/2109.02312.

	@InProceedings{ltlfuzzer,
	 title={Linear-time Temporal Logic guided Greybox Fuzzing},
	 author={Meng, Ruijie and Dong, Zhen and Li, Jialin and Beschastnikh, Ivan and Roychoudhury, Abhik},
	 booktitle={proceedings of the 37th IEEE International Conference on Software Engineering (ICSE 2022)},
	 year={2022},
	 publisher={ACM}
	}

Building

Requirements

Installing dependencies

   sudo apt install -y build-essential make cmake ninja-build git binutils-gold binutils-dev curl wget
   sudo apt install libboost-all-dev libboost-dev
   sudo cp /usr/lib/llvm-11/lib/libLTO.so /usr/lib/bfd-plugins/
   sudo cp /usr/lib/llvm-11/lib/LLVMgold.so /usr/lib/bfd-plugins/ 
   wget -q -O - https://www.lrde.epita.fr/repo/debian.gpg | sudo apt-key add -
   sudo echo 'deb http://www.lrde.epita.fr/repo/debian/ stable/' >> /etc/apt/sources.list
   sudo apt update
   sudo apt install -y spot libspot-dev libgtest-dev
   sudo install python3 python3-dev python3-pip
   sudo pip3 install --upgrade pip
   sudo pip3 install networkx pydot pydotplus

Installing LTL-Fuzzer

  cd LTL-Fuzzer 
  mkdir build
  cd build
  cmake ../
  make
  cd ../AFLGo
  make 
  cd llvm-mode
  make
  cd ../distance_calculator
  cmake -G Ninja ./
  cmake --build ./

Example Usage

RERS Example

Testing Framework Introduction

  LTL-Fuzzer/experiment/Problem1/src
  LTL-Fuzzer/experiment/Problem1/all_event_dir/all_events.txt
  LTL-Fuzzer/experiment/Problem1/target/targets.txt
  LTL-Fuzzer/experiment/Problem1/build_dir
  LTL-Fuzzer/experiment/Problem1/ltl_dir
  LTL-Fuzzer/experiment/Problem1/input_folder
  LTL-Fuzzer/experiment/Problem1/output_folder

Preparing for Instrumentation

  export LTLFuzzer=~/LTL-Fuzzer/
  export SUBJECT=$LTLFuzzer/experiment/Problem1/
  export EXECName=Problem1
  export LTL="!(! (true U oU) | (! oU U ((oZ & ! oU) & X (! oU U oP))))"

Starting Instrumentation

  cd $LTLFuzzer/scripts/
  ./instrument-problem1.sh $SUBJECT/target/targets.txt $SUBJECT/src $SUBJECT/build_dir 

Launching Fuzzing

  cd LTL-Fuzzer/build/src
  ./ltlfuzz 0

Protocol Example

Testing Framework Introduction

  LTL-Fuzzer/experiment/testTelnet/telnet.dict

Preparing for Instrumentation

  export LTLFuzzer=~/LTL-Fuzzer/
  export SUBJECT=$LTLFuzzer/experiment/testTelnet/
  export EXECName=telnet-server.minimal-net
  export LTL="!(G((WILL_DISABLED)->(X(G((DO)|(DONT))))))"

Starting Instrumentation

  cd $LTLFuzzer/scripts/
  ./instrument-telnet.sh $SUBJECT/targets/targets.txt $SUBJECT/contiki $SUBJECT/build_dir 

Launching Fuzzing

  cd LTL-Fuzzer/build/src
  ./ltlfuzz 1

Contributions

Contributors

Other Contributors

We use AFLGo as one component to direct fuzzing towards a particular program location. Thanks to AFLGo's developers. We also welcome other contributors to improve and extend LTL-Fuzzer.

License

This project is licensed under the Apache License 2.0 - see the LICENSE file for details.