sqlab / craxplusplus Goto Github PK

The exploit generator CRAX++ is CRAX with a plugin system, s2e 2.0 upgrade, dynamic ROP, code selection, and I/O states (HITCON 2022)

License: Other

C++ 74.37% Makefile 0.22% C 3.42% Shell 6.68% Lua 15.31%

aeg exploit symbolic-execution s2e crax concolic-execution

craxplusplus's Introduction

CRAXplusplus (CRAX++)

current version: 0.2.1

Being inspired by AFL++, the exploit generator CRAX++ is CRAX with x86_64 ROP techniques, s2e 2.0 upgrade, code selection, I/O states, dynamic ROP, and more. Given a x86_64 binary program and a PoC input, our system leverages dynamic symbolic execution (i.e. concolic execution) to collect the path constraints determined by the PoC input, add exploit constraints to the crashing states, and query the constraint solver for exploit script generation. Our system supports custom exploitation techniques and modules with the aim of maximizing its extensibility. We implement several binary exploitation techniques in our system, and design two ROP payload chaining algorithms to build ROP payload from multiple techniques.

Conference Talk

HITCON 2022 [YouTube] [Slides]

System Architecture

Evaluation

Experimental Environment

Binaries are compiled as 64-bit x86_64 ELF with gcc 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)
Binaries are concolically executed in S2E guest (Debian 9.2.1 x86_64, 4.9.3-s2e) using libc/ld 2.24
All generated exploit scripts are verified in host (Ubuntu 20.04.1 x86_64, 5.11.0-46-generic) using libc/ld 2.24

Quick Start [WIP]

Introduction

Building CRAX++
Usage
Reproducing experiments from the examples directory
What is a Module?
What is a Technique?

Extending CRAX++

Register API
Memory API
Virtual Memory Map API
Disassembler API
Logging API
Instruction hooks
Syscall hooks
How to add a Module
How to add a Technique

Special Thanks (Listed Lexicographically)

This project is impossible without:

Balsn CTF Team and Network Security Lab, NTU
S2E: Vitaly Chipounov and all the S2E authors/contributors
Software Quality Lab, NYCU

Reference

[1] Vitaly Chipounov, Volodymyr Kuznetsov, and George Candea. “S2E: A platform for in-vivo multi-path analysis of software systems”. Acm Sigplan Notices 46.3 (2011), pp. 265–278. [Paper] [Repo] [Docs]

[2] Shih-Kun Huang et al. “Crax: Software crash analysis for automatic exploit generation by modeling attacks as symbolic continuations”. In: 2012 IEEE Sixth International Conference on Software Security and Reliability. IEEE. 2012, pp. 78–87. [Paper] [Repo] [Article]

[3] W.-L. Mow, S.-K. Huang, H.-C. Hsiao. "LAEG: Leak-based AEG using Dynamic Binary Analysis to Defeat ASLR". In The 6th International Workshop on Privacy, data Assurance, Security Solutions for Internet of Things, June 2022. [Paper]

[4] Wang Guan-Zhong and Huang Shih-Kun. "CRAXplusplus: Modular Exploit Generator using Symbolic Execution" (2022). [Thesis] [Slides]

License

craxplusplus's People

Contributors

Stargazers

Watchers

Forkers

craxplusplus's Issues

5 [State 0] HostFiles: could not open /home/fuzz/s2e/projects/sym_stdin/guest-tools64/s2eget(errno 2)

This time I encountered this problem.

$ ./launch-crax.sh

Starting libs2e...
Opening /dev/kvm
Initializing qemu64-s2e cpu
Using module /home/fuzz/s2e/install/share/libs2e/op_helper.bc.x86_64
S2E: output directory = "./s2e-out-1"
Revision: 96dc4d88d7661d7a415ddcb67cd378ff15e74c40
Config date: Mon 29 Aug 2022 12:44:14 AM PDT

Current data layout: e-m:e-p270:32:32-p271:32:32-p272:64:64-i64:64-f80:128-n8:16:32:64-S128
Current target triple: x86_64-unknown-linux-gnu
KLEE: WARNING: unsupported intrinsic llvm.rint.f64
KLEE: WARNING: unsupported intrinsic llvm.fmuladd.f64
Using log level override 'info'
Setting console level to 'info'
Creating plugin CorePlugin
Creating plugin BaseInstructions
Creating plugin HostFiles
Creating plugin Vmi
Creating plugin MemUtils
Creating plugin WebServiceInterface
Creating plugin ExecutionTracer
Creating plugin ModuleTracer
Creating plugin KeyValueStore
Creating plugin TranslationBlockCoverage
Creating plugin ModuleExecutionDetector
Creating plugin ForkLimiter
Creating plugin ProcessExecutionDetector
Creating plugin ModuleMap
Creating plugin MemoryMap
Creating plugin MultiSearcher
Creating plugin CUPASearcher
Creating plugin FunctionModels
Creating plugin LinuxMonitor
Creating plugin LuaBindings
Creating plugin LuaCoreEvents
Creating plugin CRAX
Initializing LuaBindings
Initializing LuaCoreEvents
LuaCoreEvents: Registering instrumentation for core signals
Initializing MultiSearcher
Initializing ForkLimiter
Initializing KeyValueStore
Initializing ExecutionTracer
Initializing WebServiceInterface
WebServiceInterface: SeedSearcher not present, seed statistics will not be available
WebServiceInterface: Recipe plugin not present, recipe statistics will not be available
Initializing Vmi
Initializing HostFiles
Initializing BaseInstructions
Initializing LinuxMonitor
Initializing ModuleMap
Initializing ProcessExecutionDetector
Initializing MemoryMap
Initializing CRAX
CRAX: Creating module: GuestOutput
CRAX: Creating module: IOStates
CRAX: Creating module: DynamicRop
CRAX: Creating technique: Ret2csu
CRAX: Creating technique: BasicStackPivoting
CRAX: Creating technique: Ret2syscall
Initializing MemUtils
Initializing FunctionModels
Initializing ModuleExecutionDetector
Initializing CUPASearcher
CUPASearcher: CUPASearcher is now active
Initializing TranslationBlockCoverage
Initializing ModuleTracer
Initializing CorePlugin
[Z3] Initializing
1 [State 0] Created initial state
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvm-nopiodelay [bit 1]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvmclock [bit 3]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvm-asyncpf [bit 4]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvm-steal-time [bit 5]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvm-pv-eoi [bit 6]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvmclock-stable-bit [bit 24]
Adding CPU (addr = 0x7fb26800a750, size = 0x36ea0)
qemu-system-x86_64: warning: hub 0 is not connected to host network
s2e-block: dirty sectors on close:0
s2e-block: dirty after restore: 336 (ro=1)
s2e-block: wasted sectors: 0
5 [State 0] HostFiles: could not open /home/fuzz/s2e/projects/sym_stdin/guest-tools64/s2eget(errno 2)
5 [State 0] BaseInstructions: Killing state 0
5 [State 0] Terminating state: State was terminated by opcode
            message: "Could not get s2eget from the host. Make sure that guest tools are installed properly."
            status: 0x0
All states were terminated
qemu-system-x86_64: terminating on signal 15 from pid 11081 (/home/fuzz/s2e/install/bin/qemu-system-x86_64)
s2e-block: dirty sectors on close:336
Terminating node id 0 (instance slot 0)

Missing s2eget in /home/fuzz/s2e/projects/sym_stdin/guest-tools64

CRAX++ exits immediately after executing aslr-nx sample binary without generating an exploit

Description

CRAX++ exits immediately after executing aslr-nx sample binary that is introduced in BUILD.md, without producing an exploit for aslr-nx sample binary.

Any clues to working properly?

./launch-crax.sh

Starting libs2e...
Opening /dev/kvm
Initializing qemu64-s2e cpu
Using module /home/keis/s2e/install/share/libs2e/op_helper.bc.x86_64
S2E: output directory = "./s2e-out-0"
KLEE: WARNING: unsupported intrinsic llvm.rint.f64
KLEE: WARNING: unsupported intrinsic llvm.fmuladd.f64
Using log level override 'info'
Setting console level to 'info'
Creating plugin CorePlugin
Creating plugin BaseInstructions
Creating plugin HostFiles
Creating plugin Vmi
Creating plugin MemUtils
Creating plugin WebServiceInterface
Creating plugin ExecutionTracer
Creating plugin ModuleTracer
Creating plugin KeyValueStore
Creating plugin TranslationBlockCoverage
Creating plugin ModuleExecutionDetector
Creating plugin ForkLimiter
Creating plugin ProcessExecutionDetector
Creating plugin ModuleMap
Creating plugin MemoryMap
Creating plugin MultiSearcher
Creating plugin CUPASearcher
Creating plugin FunctionModels
Creating plugin LinuxMonitor
Creating plugin LuaBindings
Creating plugin LuaCoreEvents
Creating plugin CRAX
Initializing LuaBindings
Initializing LuaCoreEvents
LuaCoreEvents: Registering instrumentation for core signals
Initializing MultiSearcher
Initializing ForkLimiter
Initializing KeyValueStore
Initializing ExecutionTracer
Initializing WebServiceInterface
WebServiceInterface: SeedSearcher not present, seed statistics will not be available
WebServiceInterface: Recipe plugin not present, recipe statistics will not be available
Initializing Vmi
Initializing HostFiles
Initializing BaseInstructions
Initializing LinuxMonitor
Initializing ModuleMap
Initializing ProcessExecutionDetector
Initializing MemoryMap
Initializing CRAX
CRAX: Creating module: GuestOutput
CRAX: Creating module: IOStates
CRAX: Creating module: DynamicRop
CRAX: Creating technique: Ret2csu
CRAX: Creating technique: BasicStackPivoting
CRAX: Creating technique: Ret2syscall
Initializing MemUtils
Initializing FunctionModels
Initializing ModuleExecutionDetector
Initializing CUPASearcher
CUPASearcher: CUPASearcher is now active
Initializing TranslationBlockCoverage
Initializing ModuleTracer
Initializing CorePlugin
[Z3] Initializing
2 [State 0] Created initial state
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvm-nopiodelay [bit 1]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvmclock [bit 3]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvm-asyncpf [bit 4]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvm-steal-time [bit 5]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvm-pv-eoi [bit 6]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvmclock-stable-bit [bit 24]
Adding CPU (addr = 0x7f420400a750, size = 0x36ea0)
qemu-system-x86_64: warning: hub 0 is not connected to host network
s2e-block: dirty sectors on close:0
s2e-block: dirty after restore: 3984 (ro=1)
s2e-block: wasted sectors: 0
CRAX: Cannot resolve gadget: pop rax ; ret
11 [State 0] CRAX: onProcessLoad: s2ecmd
11 [State 0] CRAX: onProcessLoad: s2ecmd
11 [State 0] CRAX: onProcessLoad: s2ecmd
11 [State 0] CRAX: onProcessLoad: chmod
11 [State 0] BaseInstructions: Message from guest (0xffffc90000477a18): elf_interpreter=/lib64/ld-linux-x86-64.so.2 interp_map_addr=7f93c1f3a000 elf_entry=0x7f93c1f3a000 interp_load_addr=0x7f93c1f3a000
11 [State 0] CRAX: onProcessLoad: sym_stdin
11 [State 0] BaseInstructions: Message from guest (0xffffc90000477a18): elf_interpreter=/lib64/ld-linux-x86-64.so.2 interp_map_addr=7f4a47ae7000 elf_entry=0x7f4a47ae7000 interp_load_addr=0x7f4a47ae7000
11 [State 0] BaseInstructions: Inserted symbolic data @0x55cb5f982040 of size 0x400: CRAX='AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' pc=0x55cb5f97f280
12 [State 0] BaseInstructions: Killing state 0
12 [State 0] Terminating state: State was terminated by opcode
            message: "program terminated"
            status: 0x0
All states were terminated
qemu-system-x86_64: terminating on signal 15 from pid 612401 (/home/keis/s2e/install/bin/qemu-system-x86_64)
s2e-block: dirty sectors on close:3984
Terminating node id 0 (instance slot 0)

How To Reproduce

Follow BUILD.md instructions and apply some workarounds.

Use s2ecmd get and s2ecmd put instead of s2eget and s2eput in bootstrap.sh

Fix libs2eplugins.patch to make it applicable to the latest S2E/s2e

diff --git a/patches/libs2eplugins.patch b/patches/libs2eplugins.patch
index 637874c..6a869c6 100644
--- a/patches/libs2eplugins.patch
+++ b/patches/libs2eplugins.patch
@@ -68,10 +68,8 @@ index e3b2d37..973c267 100644
      # Core plugins
      s2e/Plugins/Core/BaseInstructions.cpp
      s2e/Plugins/Core/HostFiles.cpp
-@@ -163,7 +196,7 @@ set(WERROR_FLAGS "-Werror -Wno-zero-length-array -Wno-c99-extensions          \
-                   -Wno-zero-length-array")
-
- set(COMMON_FLAGS "-D__STDC_FORMAT_MACROS -D_GNU_SOURCE -DNEED_CPU_H  -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -DTARGET_PHYS_ADDR_BITS=64")
+@@ -165,5 +198,5 @@ set(COMMON_FLAGS "-D__STDC_FORMAT_MACROS -D_GNU_SOURCE -DNEED_CPU_H  -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -DTARGET_PHYS_ADDR_BITS=64")
+ set(COMMON_FLAGS "${COMMON_FLAGS} -DLIBS2E_PLUGINS")
 -set(COMMON_FLAGS "${COMMON_FLAGS} -Wall -fPIC -fno-strict-aliasing -fexceptions -std=c++17")
 +set(COMMON_FLAGS "${COMMON_FLAGS} -Wall -fPIC -fno-strict-aliasing -fexceptions -fsized-deallocation -std=c++17")

Use debian-11.3-x86_64 image instead of debian-9.2.1-x86_64
- fix baseDirs in proxies/sym_stdin/s2e-config.template.lua accordingly
Build sym_stdin in debian:11.3 container image

Environment

host OS: Ubuntu 20.04.05

each technique should contain an assessment method to check whether it is viable

偷跑 bad

繼續跑 good !!!

s2e-linux-kernel: mm/util.c:vm_mmap_pgoff(): pass image pathname to s2e

https://github.com/S2E/s2e-linux-kernel/blob/aafc80621960891b36021aac1f512c33a227d8ad/linux-4.9.3/mm/util.c#L297-L323

Decouple pwnlib and pybind11 from CRAX

Currently CRAX relies on pwnlib (and thus on pybind11) for ELF parsing, so some changes are made to S2E's makefiles. Maybe we could decouple pwnlib (and thus pybind11) from CRAXplusplus, so that this repo doesn't have to hold the entire s2e.

Missing debian-9.2.1-x86 image.

Hello,
After entering command s2e image_build linux,the terminal display:
INFO: [image_build] The following images will be built: INFO: [image_build] * ubuntu-22.04-x86_64 INFO: [image_build] * debian-11.3-i386 INFO: [image_build] * cgc_debian-9.2.1-i386 INFO: [image_build] * debian-11.3-x86_64
Missing the debian-9.2.1-x86 image,how do i download this image to complete the next steps?

Thanks!

pybind11-dev was not found

sudo apt-get install pybind11-dev=2.4.3-2build2
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Version '2.4.3-2build2' for 'pybind11-dev' was not found.

Why does this happen and how should I solve it

./launch-crax.sh

Does this require a qemu version change? Am I just one step away from successDoes this require a qemu version change? Am I just one step away from success?
please !thk!

ting module: DynamicRop
CRAX: Creating technique: Ret2csu
CRAX: Creating technique: BasicStackPivoting
CRAX: Creating technique: Ret2syscall
Initializing MemUtils
Initializing FunctionModels
Initializing ModuleExecutionDetector
Initializing CUPASearcher
CUPASearcher: CUPASearcher is now active
Initializing TranslationBlockCoverage
Initializing ModuleTracer
Initializing CorePlugin
[Z3] Initializing
2 [State 0] Created initial state
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvm-nopiodelay [bit 1]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvmclock [bit 3]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvm-asyncpf [bit 4]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvm-steal-time [bit 5]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvm-pv-eoi [bit 6]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvmclock-stable-bit [bit 24]
Adding CPU (addr = 0x7fa65c00a760, size = 0x36ea0)
qemu-system-x86_64: warning: hub 0 is not connected to host network
Modification timestamp of 'json:{"driver": "s2e"}' changed since the creation of the snapshot 'ready' (st_mtime 1669361554 != 1658661755).
Please recreate a new snapshot.
qemu-system-x86_64: Could not load snapshot 'ready' on 'ide0-hd0': Failed to load snapshot: Operation not permitted
Does this require a qemu version change? Am I just one step away from success?

Can not build CRAXplusplus in ubuntu20.04

I tried to build this project following the documentation but got the following error (This is just part of the log):

...

make -C libs2e
make[3]: Entering directory '/home/pt/s2e/build/libs2e-release/i386-softmmu/libs2e'                                                                         make[3]: *** No targets specified and no makefile found.  Stop.
make[3]: Leaving directory '/home/pt/s2e/build/libs2e-release/i386-softmmu/libs2e'                                                                          make[2]: *** [Makefile:59: libs2e/src/libs2e.so] Error 2
make[2]: Leaving directory '/home/pt/s2e/build/libs2e-release/i386-softmmu'
make[1]: *** [Makefile:27: i386-softmmu] Error 2

...

make -C libs2e
make[3]: Entering directory '/home/pt/s2e/build/libs2e-release/x86_64-softmmu/libs2e'
make[3]: *** No targets specified and no makefile found.  Stop.
make[3]: Leaving directory '/home/pt/s2e/build/libs2e-release/x86_64-softmmu/libs2e'
make[2]: *** [Makefile:59: libs2e/src/libs2e.so] Error 2
make[2]: Leaving directory '/home/pt/s2e/build/libs2e-release/x86_64-softmmu' make[1]: *** [Makefile:27: x86_64-softmmu] Error 2

...

make -C libs2eplugins
make[3]: Entering directory '/home/pt/s2e/build/libs2e-release/x86_64-s2e-softmmu/libs2eplugins'                                                            make[3]: *** No targets specified and no makefile found.  Stop.
make[3]: Leaving directory '/home/pt/s2e/build/libs2e-release/x86_64-s2e-softmmu/libs2eplugins'
make[2]: *** [Makefile:51: libs2eplugins/src/libs2eplugins.a] Error 2
make[2]: Leaving directory '/home/pt/s2e/build/libs2e-release/x86_64-s2e-softmmu'
make[1]: *** [Makefile:27: x86_64-s2e-softmmu] Error 2

...

make -C libs2eplugins
make[3]: Entering directory '/home/pt/s2e/build/libs2e-release/i386-s2e_sp-softmmu/libs2eplugins'
make[3]: *** No targets specified and no makefile found.  Stop.
make[3]: Leaving directory '/home/pt/s2e/build/libs2e-release/i386-s2e_sp-softmmu/libs2eplugins'                                                            make[2]: *** [Makefile:51: libs2eplugins/src/libs2eplugins.a] Error 2
make[2]: Leaving directory '/home/pt/s2e/build/libs2e-release/i386-s2e_sp-softmmu'
make[1]: *** [Makefile:27: i386-s2e_sp-softmmu] Error 2

...

make -C libs2eplugins
make[3]: Entering directory '/home/pt/s2e/build/libs2e-release/x86_64-s2e_sp-softmmu/libs2eplugins'
make[3]: *** No targets specified and no makefile found.  Stop.
make[3]: Leaving directory '/home/pt/s2e/build/libs2e-release/x86_64-s2e_sp-softmmu/libs2eplugins'
make[2]: *** [Makefile:51: libs2eplugins/src/libs2eplugins.a] Error 2
make[2]: Leaving directory '/home/pt/s2e/build/libs2e-release/x86_64-s2e_sp-softmmu'
make[1]: *** [Makefile:27: x86_64-s2e_sp-softmmu] Error 2
make[1]: Leaving directory '/home/pt/s2e/build/libs2e-release'
make: *** [/home/pt/s2e/source/scripts//..//s2e/Makefile:210: stamps/libs2e-release-make] Error 2
make: Leaving directory '/home/pt/s2e/build'
ERROR: [build]

  RAN: /usr/bin/make --directory=/home/pt/s2e/build --file=/home/pt/s2e/source/Makefile install

  STDOUT:


  STDERR:

I think the problem is that cmake is not working properly. The following log appears before the above error log:

CMake Error at CMakeLists.txt:92 (find_package):
  By not providing "Findpybind11.cmake" in CMAKE_MODULE_PATH this project has
  asked CMake to find a package configuration file provided by "pybind11",
  but CMake did not find one.

  Could not find a package configuration file provided by "pybind11" with any
  of the following names:                                                     
    pybind11Config.cmake
    pybind11-config.cmake

  Add the installation prefix of "pybind11" to CMAKE_PREFIX_PATH or set
  "pybind11_DIR" to a directory containing one of the above files.  If
  "pybind11" provides a separate development package or SDK, be sure it has
  been installed.


Failed to configure libs2e
CMake Error at CMakeLists.txt:92 (find_package):
  By not providing "Findpybind11.cmake" in CMAKE_MODULE_PATH this project has
  asked CMake to find a package configuration file provided by "pybind11",
  but CMake did not find one.

  Could not find a package configuration file provided by "pybind11" with any
  of the following names:

    pybind11Config.cmake
    pybind11-config.cmake

  Add the installation prefix of "pybind11" to CMAKE_PREFIX_PATH or set
  "pybind11_DIR" to a directory containing one of the above files.  If
  "pybind11" provides a separate development package or SDK, be sure it has
  been installed.


Failed to configure libs2e
CMake Error at CMakeLists.txt:106 (find_package):
  By not providing "Findpybind11.cmake" in CMAKE_MODULE_PATH this project has
  asked CMake to find a package configuration file provided by "pybind11",
  but CMake did not find one.

  Could not find a package configuration file provided by "pybind11" with any
  of the following names:

    pybind11Config.cmake
    pybind11-config.cmake

  Add the installation prefix of "pybind11" to CMAKE_PREFIX_PATH or set
  "pybind11_DIR" to a directory containing one of the above files.  If
  "pybind11" provides a separate development package or SDK, be sure it has
  been installed.


Failed to configure libs2eplugins
CMake Error at CMakeLists.txt:106 (find_package):
  By not providing "Findpybind11.cmake" in CMAKE_MODULE_PATH this project has
  asked CMake to find a package configuration file provided by "pybind11",
  but CMake did not find one.

  Could not find a package configuration file provided by "pybind11" with any
  of the following names:

    pybind11Config.cmake
    pybind11-config.cmake

  Add the installation prefix of "pybind11" to CMAKE_PREFIX_PATH or set
  "pybind11_DIR" to a directory containing one of the above files.  If
  "pybind11" provides a separate development package or SDK, be sure it has
  been installed.


Failed to configure libs2eplugins
CMake Error at CMakeLists.txt:106 (find_package):
  By not providing "Findpybind11.cmake" in CMAKE_MODULE_PATH this project has
  asked CMake to find a package configuration file provided by "pybind11",
  but CMake did not find one.

  Could not find a package configuration file provided by "pybind11" with any
  of the following names:

    pybind11Config.cmake
    pybind11-config.cmake

  Add the installation prefix of "pybind11" to CMAKE_PREFIX_PATH or set
  "pybind11_DIR" to a directory containing one of the above files.  If
  "pybind11" provides a separate development package or SDK, be sure it has
  been installed.


Failed to configure libs2eplugins
CMake Error at CMakeLists.txt:106 (find_package):
  By not providing "Findpybind11.cmake" in CMAKE_MODULE_PATH this project has
  asked CMake to find a package configuration file provided by "pybind11",
  but CMake did not find one.

  Could not find a package configuration file provided by "pybind11" with any
  of the following names:

    pybind11Config.cmake
    pybind11-config.cmake

  Add the installation prefix of "pybind11" to CMAKE_PREFIX_PATH or set
  "pybind11_DIR" to a directory containing one of the above files.  If
  "pybind11" provides a separate development package or SDK, be sure it has
  been installed.


Failed to configure libs2eplugins

The first time I build this project isn't in home directory. But this time I build this in home directory and the error message is the same as before.

CRAX/API: make Memory/Register API stateful

e.g., reg(state).readSymbolic(xxx) instead of reg().readSymbolic(xxx)

For now, this doesn't seem necessary, but maybe it will become helpful in the future?

crax

How much capacity crax++ requires，I had a problem after I implemented build

CRAX: Add support for symbolic pointer and symbolic array index

See master thesis: Exploiting Symbolic Locations for Abnormal Execution Paths

CRAX: properly handle plugin dependency

See libs2ecore/include/s2e/Plugin.h for S2E_DEFINE_PLUGIN()

How to obtain Thesis

I cannot access the links for "Mow Wei-Loon and Hsiao Hsu-Chun. “Bypassing ASLR with Dynamic Binary Analysis for Automated Exploit Generation” (2021). " and "Wang Guan-Zhong and Huang Shih-Kun. "CRAXplusplus: Modular Exploit Generator using Symbolic Execution" (2022)."
Can I get these two thesis from other sources?
Thanks

Assertion `guestDataSize == m_commandSize' failed in state 0: Invalid command size 60 != 84 from pagedir=0xf3c2000 pc=0xffffffffa00020eb

I built CRAX++ on a VMware Ubuntu 20.04 environment following the BUILD.md instructions. I used debian-9.2.1-x86_64. I made the following modifications to ~/s2e/projects/sym_stdin/bootstrap.sh
（我在VMware Ubuntu20.04环境下按照BUILD.md构建CRAX++，使用debian-9.2.1-x86_64，对~/s2e/projects/sym_stdin/bootstrap.sh做了如下修改）：

- COMMON_TOOLS="s2ecmd s2eget s2eput"
+ COMMON_TOOLS="s2ecmd"

I encounted the error blow when running launch-cran.sh（在运行launch-crax.sh的时候遇到了如下错误）：
/home/alter/s2e/source/s2e/libs2eplugins/src/s2e/Plugins/OSMonitors/Linux/BaseLinuxMonitor.cpp:37: bool s2e::plugins::BaseLinuxMonitor::verifyLinuxCommand(s2e::S2EExecutionState *, uint64_t, uint64_t, uint8_t *): Assertion `guestDataSize == m_commandSize' failed in state 0: Invalid command size 60 != 84 from pagedir=0xf3c2000 pc=0xffffffffa00020eb。

What should I do to solve the problem（我应该如何解决这个问题，具体错误信息如下）：

./launch-crax.sh 
Starting libs2e...
Opening /dev/kvm
Initializing qemu64-s2e cpu
Using module /home/alter/s2e/install/share/libs2e/op_helper.bc.x86_64
S2E: output directory = "./s2e-out-2"
Revision: 571ac0e4be7f8253e115a338a4d3c9cfcfff0a3b
Config date: Wed 04 Oct 2023 08:26:50 PM PDT

Current data layout: e-m:e-p270:32:32-p271:32:32-p272:64:64-i64:64-f80:128-n8:16:32:64-S128
Current target triple: x86_64-unknown-linux-gnu
KLEE: WARNING: unsupported intrinsic llvm.rint.f64
KLEE: WARNING: unsupported intrinsic llvm.fmuladd.f64
Using log level override 'info'
Setting console level to 'info'
Creating plugin CorePlugin
Creating plugin BaseInstructions
Creating plugin HostFiles
Creating plugin Vmi
Creating plugin MemUtils
Creating plugin WebServiceInterface
Creating plugin ExecutionTracer
Creating plugin ModuleTracer
Creating plugin KeyValueStore
Creating plugin TranslationBlockCoverage
Creating plugin ModuleExecutionDetector
Creating plugin ForkLimiter
Creating plugin ProcessExecutionDetector
Creating plugin ModuleMap
Creating plugin MemoryMap
Creating plugin MultiSearcher
Creating plugin CUPASearcher
Creating plugin FunctionModels
Creating plugin LinuxMonitor
Creating plugin LuaBindings
Creating plugin LuaCoreEvents
Creating plugin CRAX
Initializing LuaBindings
Initializing LuaCoreEvents
LuaCoreEvents: Registering instrumentation for core signals
Initializing MultiSearcher
Initializing ForkLimiter
Initializing KeyValueStore
Initializing ExecutionTracer
Initializing WebServiceInterface
WebServiceInterface: SeedSearcher not present, seed statistics will not be available
WebServiceInterface: Recipe plugin not present, recipe statistics will not be available
Initializing Vmi
Initializing HostFiles
Initializing BaseInstructions
Initializing LinuxMonitor
Initializing ModuleMap
Initializing ProcessExecutionDetector
Initializing MemoryMap
Initializing CRAX
CRAX: Creating module: GuestOutput
CRAX: Creating module: IOStates
CRAX: Creating module: DynamicRop
CRAX: Creating technique: Ret2csu
CRAX: Creating technique: BasicStackPivoting
CRAX: Creating technique: Ret2syscall
Initializing MemUtils
Initializing FunctionModels
Initializing ModuleExecutionDetector
Initializing CUPASearcher
CUPASearcher: CUPASearcher is now active
Initializing TranslationBlockCoverage
Initializing ModuleTracer
Initializing CorePlugin
[Z3] Initializing
4 [State 0] Created initial state
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvm-nopiodelay [bit 1]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvmclock [bit 3]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvm-asyncpf [bit 4]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvm-steal-time [bit 5]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvm-pv-eoi [bit 6]
qemu-system-x86_64: warning: host doesn't support requested feature: CPUID.40000001H:EAX.kvmclock-stable-bit [bit 24]
Adding CPU (addr = 0x7f006c00a750, size = 0x36ea0)
qemu-system-x86_64: warning: hub 0 is not connected to host network
s2e-block: dirty sectors on close:0
s2e-block: dirty after restore: 336 (ro=1)
s2e-block: wasted sectors: 0
/home/alter/s2e/source/s2e/libs2eplugins/src/s2e/Plugins/OSMonitors/Linux/BaseLinuxMonitor.cpp:37: bool s2e::plugins::BaseLinuxMonitor::verifyLinuxCommand(s2e::S2EExecutionState *, uint64_t, uint64_t, uint8_t *): Assertion `guestDataSize == m_commandSize' failed in state 0: Invalid command size 60 != 84 from pagedir=0xf3c2000 pc=0xffffffffa00020eb

Printing stack trace (state assertion failed)
  [0x7f009dec7be8] /home/alter/s2e/install/share/libs2e/libs2e-x86_64-s2e.so : ???()+0x386be8
  [0x7f009deca16c] /home/alter/s2e/install/share/libs2e/libs2e-x86_64-s2e.so : ???()+0x38916c
  [0x7f009de906af] /home/alter/s2e/install/share/libs2e/libs2e-x86_64-s2e.so : ???()+0x34f6af
  [0x7f009e085086] /home/alter/s2e/install/share/libs2e/libs2e-x86_64-s2e.so : ???()+0x544086
  [0x7f007a375c79]
26 [State 0] Terminating state: state assertion failed
All states were terminated
qemu-system-x86_64: terminating on signal 15 from pid 2702 (/home/alter/s2e/install/bin/qemu-system-x86_64)
s2e-block: dirty sectors on close:336
Terminating node id 0 (instance slot 0)

顺便一提，我按照BUILD.md构建CRAX++时，CRAX++插件并没有参与编译，项目中没有对应的CMakeList.txt，需要自己添加

libs2eplugins: MemoryMap: stack mapping not tracked

Perhaps the stack is not mapped via sys_mmap?

A workaround is to perform binary search on [0x7f524a14afff + 1, RSP - 1] which gives us the "Start" address of [stack], and then linear search (+= TARGET_PAGE_SIZE) until the "End" address of [stack].

To test whether a virtual address v is mapped, we can use state->mem()->getHostAddress(v).

---------- [REGISTERS] ----------
RAX     0xb
RCX     0x7f5249c62970
RDX     0x7f5249f22760
RBX     0x0
RSP     0x7fff09907970
RBP     (symbolic)
RSI     0x7f5249f21683
RDI     0x0
R8      0x7f524a140440
R9      0x2
R10     0x37b
R11     0x246
R12     0x4005b0
R13     0x7fff09907a50
R14     0x0
R15     0x0
RIP     (symbolic)
--------------- [VMMAP] ---------------
Start           End             Perm
0x400000        0x400fff        R-X
0x600000        0x600fff        R--
0x601000        0x601fff        RW-
0x7f5249b87000  0x7f5249d1bfff  R-X
0x7f5249d1c000  0x7f5249f1bfff  ---
0x7f5249f1c000  0x7f5249f1ffff  R--
0x7f5249f20000  0x7f5249f25fff  RW-
0x7f5249f26000  0x7f5249f48fff  R-X
0x7f524a13f000  0x7f524a140fff  RW-
0x7f524a149000  0x7f524a149fff  R--
0x7f524a14a000  0x7f524a14afff  RW-