Seeding fuzzers with symbolic execution
http://bit.ly/download_kleefl_box
sudo apt-get install vagrant
vagrant box add kleefl package.box
vagrant init kleefl
vagrant up
vagrant ssh
mkdir project_xyz
cd project_xyz
python /vagrant/tools/kleefl_init
This sets up two directories called 'klee' and 'fuzz' in your root project directory.
cp -r /vagrant/example source
cd source
/vagrant/tools/kleefl_build_make make
./kleefl_pick target_binary_name
The previous script will add a file called app.bc within the klee directory.
Change into the klee folder and run:
./run_klee.sh
python /vagrant/tools/kleefl_prepare_afl
../fuzz/run_afl.sh
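The step above that turns KLEE output into an AFL corpus is the core of the approach: every .ktest file KLEE wrote is a concrete input that reached a distinct path, and the bytes of the symbolic object are exactly what AFL needs as a seed. The following is an added example, not kleefl's kleefl_prepare_afl script. It parses the ktest layout of format version 3 as I understand it (assumption: magic "KTEST", then big-endian uint32 fields for version, argument count, the arguments, symArgvs, symArgvLen, object count, and then name/payload pairs), picks one named object (the "A-data" name and the three sample test cases are constructed here), drops duplicate payloads, and writes the rest into an AFL input directory.

```python
"""Convert KLEE .ktest files into AFL seed inputs (added example, not kleefl's code)."""
import hashlib
import os
import struct
import tempfile
from typing import Dict, List

# Assumption: ktest format version 3, magic "KTEST", big-endian uint32 fields.
KTEST_MAGIC = b"KTEST"
KTEST_VERSION = 3


def _u32(data: bytes, off: int):
    if off + 4 > len(data):
        raise ValueError("truncated ktest: expected uint32 at offset %d" % off)
    return struct.unpack_from(">I", data, off)[0], off + 4


def _blob(data: bytes, off: int):
    """Length-prefixed byte string; refuses to read past the end of the buffer."""
    n, off = _u32(data, off)
    if off + n > len(data):
        raise ValueError("truncated ktest: blob of %d bytes at offset %d" % (n, off))
    return data[off:off + n], off + n


def parse_ktest(data: bytes) -> Dict[str, bytes]:
    """Return {object_name: bytes} for every symbolic object in one ktest blob."""
    if not data.startswith(KTEST_MAGIC):
        raise ValueError("not a KTEST file")
    off = len(KTEST_MAGIC)
    version, off = _u32(data, off)
    if version != KTEST_VERSION:
        raise ValueError("unsupported ktest version %d" % version)
    num_args, off = _u32(data, off)
    for _ in range(num_args):
        _, off = _blob(data, off)          # argv entries are not needed for seeding
    _sym_argvs, off = _u32(data, off)
    _sym_argv_len, off = _u32(data, off)
    num_objects, off = _u32(data, off)
    objects = {}
    for _ in range(num_objects):
        name, off = _blob(data, off)
        payload, off = _blob(data, off)
        objects[name.decode()] = payload
    return objects


def build_ktest(args: List[bytes], objects: Dict[str, bytes]) -> bytes:
    """Serialise a ktest blob; used only to construct the sample input below."""
    out = bytearray(KTEST_MAGIC)
    out += struct.pack(">II", KTEST_VERSION, len(args))
    for a in args:
        out += struct.pack(">I", len(a)) + a
    out += struct.pack(">III", 0, 0, len(objects))      # symArgvs, symArgvLen, numObjects
    for name, payload in objects.items():
        n = name.encode()
        out += struct.pack(">I", len(n)) + n
        out += struct.pack(">I", len(payload)) + payload
    return bytes(out)


def ktests_to_seeds(ktests: Dict[str, bytes], object_name: str, seed_dir: str) -> List[str]:
    """Write the chosen symbolic object of each ktest as one AFL seed file.
    Identical payloads are written once so the starting corpus stays minimal."""
    os.makedirs(seed_dir, exist_ok=True)
    seen = set()
    written = []
    for ktest_name, blob in sorted(ktests.items()):
        payload = parse_ktest(blob).get(object_name)
        if payload is None:
            continue                                   # this path never touched the object
        digest = hashlib.sha1(payload).hexdigest()[:12]
        if digest in seen:
            continue
        seen.add(digest)
        path = os.path.join(seed_dir, "%s_%s" % (os.path.splitext(ktest_name)[0], digest))
        with open(path, "wb") as f:
            f.write(payload)
        written.append(path)
    return written


# Constructed sample: three KLEE test cases, two of which produced the same file content.
SAMPLE_KTESTS = {
    "test000001.ktest": build_ktest([b"./app", b"A"], {"A-data": b"GIF89a\x00\x00", "A-data-stat": b"\x00" * 8}),
    "test000002.ktest": build_ktest([b"./app", b"A"], {"A-data": b"\xff\xd8\xff\xe0", "A-data-stat": b"\x00" * 8}),
    "test000003.ktest": build_ktest([b"./app", b"A"], {"A-data": b"GIF89a\x00\x00"}),
}


def demo() -> List[bytes]:
    """Convert the sample into a fresh temp seed dir and return the seed contents in order."""
    seed_dir = os.path.join(tempfile.mkdtemp(prefix="kleefl_seeds_"), "in")
    return [open(p, "rb").read() for p in ktests_to_seeds(SAMPLE_KTESTS, "A-data", seed_dir)]


if __name__ == "__main__":
    for seed in demo():
        print(len(seed), seed)
```

On a real run you would point ktests_to_seeds at the .ktest files in the klee output directory and at the object name KLEE used for the symbolic file, and the resulting directory is what afl-fuzz takes as its -i input corpus. The two length checks matter in practice: a truncated or hand-edited ktest should fail loudly rather than silently produce an empty seed.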
./kleefl_crash_inspector fuzz/out
(fuzz/out is the AFL sync dir; the report is saved by default in the Vagrant shared dir /vagrant/crash_report/)
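A crash inspector's first job is to collapse the pile of files AFL leaves behind into something reviewable: the same input often lands in several fuzzer instances of the sync dir, and the signal in the file name is the cheapest first-level grouping. The following is an added example, not kleefl's kleefl_crash_inspector. It relies only on AFL's crashes/ subdirectory layout under each fuzzer instance and on AFL's crash file naming (id:NNNNNN,sig:SS,...); the fuzzer names, crash bytes and the temp directory it builds are constructed for the example.

```python
"""Triage an AFL sync directory by signal, de-duplicating identical crash inputs
(added example, not kleefl's crash inspector)."""
import hashlib
import os
import re
import tempfile
from collections import defaultdict
from typing import Dict, Iterator, Tuple

# AFL names crash files "id:000000,sig:11,src:...,op:...,..."; README.txt is skipped by this pattern.
CRASH_NAME = re.compile(r"^id:(\d+),sig:(\d+)")


def find_crashes(sync_dir: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (fuzzer_instance, file_name, path) for every crash file in the sync dir."""
    for fuzzer in sorted(os.listdir(sync_dir)):
        crash_dir = os.path.join(sync_dir, fuzzer, "crashes")
        if not os.path.isdir(crash_dir):
            continue
        for name in sorted(os.listdir(crash_dir)):
            if CRASH_NAME.match(name):
                yield fuzzer, name, os.path.join(crash_dir, name)


def triage(sync_dir: str) -> Dict[int, dict]:
    """Group crash inputs by signal number; count totals and content-unique inputs."""
    report = defaultdict(lambda: {"total": 0, "unique": 0, "inputs": []})
    seen = {}                                  # sha256 -> first path with that content
    for _fuzzer, name, path in find_crashes(sync_dir):
        sig = int(CRASH_NAME.match(name).group(2))
        with open(path, "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
        entry = report[sig]
        entry["total"] += 1
        if digest not in seen:                 # same bytes found by another instance: not a new crash
            seen[digest] = path
            entry["unique"] += 1
            entry["inputs"].append(path)
    return dict(report)


def build_sample_sync_dir() -> str:
    """Constructed sync dir: two fuzzer instances, one SIGSEGV input found by both."""
    root = tempfile.mkdtemp(prefix="afl_sync_")
    crashes = {
        "fuzzer01": {
            "id:000000,sig:11,src:000003,op:havoc,rep:4": b"A" * 300,
            "id:000001,sig:06,src:000007,op:flip1,pos:12": b"\x00\xff" * 8,
            "README.txt": b"not a crash input",
        },
        "fuzzer02": {
            "id:000000,sig:11,src:000001,op:havoc,rep:2": b"A" * 300,
            "id:000001,sig:11,src:000002,op:arith8,pos:3,val:+1": b"B" * 12,
        },
    }
    for fuzzer, files in crashes.items():
        crash_dir = os.path.join(root, fuzzer, "crashes")
        os.makedirs(crash_dir)
        for name, data in files.items():
            with open(os.path.join(crash_dir, name), "wb") as f:
                f.write(data)
    return root


def demo() -> Dict[int, dict]:
    """Build the sample sync dir and triage it."""
    return triage(build_sample_sync_dir())


if __name__ == "__main__":
    for sig, entry in sorted(demo().items()):
        print("signal %d: %d crash files, %d unique inputs" % (sig, entry["total"], entry["unique"]))
        for path in entry["inputs"]:
            print("   ", path)
```

Content hashing is only the first filter; two different inputs can still hit the same bug, so the next step on a real sync dir is to re-run each unique input under the instrumented binary and bucket by the faulting location before anyone spends time reading crashes.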
python kleefl_cov_inspector {make, binary fuzz/sync_dir}
zcov genhtml coverage.zcov cov_report