{"id":19927252,"url":"https://github.com/hexhive/evocatio","last_synced_at":"2025-05-03T09:32:11.602Z","repository":{"id":63954073,"uuid":"533355473","full_name":"HexHive/Evocatio","owner":"HexHive","description":null,"archived":false,"fork":false,"pushed_at":"2023-07-21T07:04:23.000Z","size":3008,"stargazers_count":57,"open_issues_count":0,"forks_count":6,"subscribers_count":11,"default_branch":"main","last_synced_at":"2025-04-12T09:18:40.900Z","etag":null,"topics":["bug-capability","exploit","fuzzing","patch-testing","program-analysis","sanitizer","security","severity"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/HexHive.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":"CITATION.cff","codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2022-09-06T14:12:09.000Z","updated_at":"2025-01-16T14:55:21.000Z","dependencies_parsed_at":"2024-11-19T20:48:17.242Z","dependency_job_id":null,"html_url":"https://github.com/HexHive/Evocatio","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HexHive%2FEvocatio","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HexHive%2FEvocatio/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HexHive%2FEvocatio/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/HexHive%2FEvocatio/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/HexHive","downloa
d_url":"https://codeload.github.com/HexHive/Evocatio/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252169030,"owners_count":21705368,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bug-capability","exploit","fuzzing","patch-testing","program-analysis","sanitizer","security","severity"],"created_at":"2024-11-12T22:32:54.068Z","updated_at":"2025-05-03T09:32:07.729Z","avatar_url":"https://github.com/HexHive.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Evocatio\n\n## Overview\n\nEvocatio is a bug analyzer built on top of AFL++ and AddressSanitizer. It automatically discovers a bug’s capabilities: analyzing a crashing test case (i.e., an input exposing a bug) to understand the full extent of how an attacker can exploit a bug. Evocatio leverages a capability-guided fuzzer to efficiently uncover new bug capabilities (rather than only generating a single crashing test case for a given bug, as a traditional greybox fuzzer does).\n\nIn this repo, we present five function modules of Evocatio:\n\n- **POC Minimization**: to get a smaller poc, like afl-tmin does.\n- **Critical Bytes Inference**: to infer which bytes of the poc are critical, so that they are mutated first.\n- **CapFuzz**: to explore new capabilities of a bug. 
In this module, each new poc found by CapFuzz represents a new capability.\n- **Bug Capability Scanning**: to summarize all capabilities found by CapFuzz.\n- **Severity Score**: to calculate the severity score of the bug from its bug capabilities.\n\nYou can use these modules either sequentially or separately.\n\nWe also present CapSan, built on AddressSanitizer, to detect bug capabilities.\n\nMore details about the project can be found in the [paper](https://hexhive.epfl.ch/publications/files/22CCS.pdf). Our presentation about Evocatio can be found in the [slides](https://hexhive.epfl.ch/publications/files/22CCS-presentation.pdf).\n\n## Components\n\nThis repository is structured as follows:\n\n- bug-severity-AFLplusplus (POC Minimization, Critical Bytes Inference, CapFuzz, CapSan)\n- scripts (Bug Capability Scanning, SeverityScore)\n\nWe developed *bug-severity-AFLplusplus* based on [AFLplusplus](https://github.com/AFLplusplus/AFLplusplus). In addition, our *CapSan* was developed on top of the [`__asan_*` public interface](https://github.com/llvm/llvm-project/blob/b5c862e15caf4d8aa34bbc6ee25af8da9a9405a4/compiler-rt/include/sanitizer/asan_interface.h#L263) provided by [AddressSanitizer](https://github.com/google/sanitizers/wiki/AddressSanitizer).\n\n## Dependencies\n\n### For *scripts*\n\nRequires *Python 3.x* (the standard library is enough).\n\n### For *bug-severity-AFLplusplus*\n\nIn general, the requirements of *bug-severity-AFLplusplus* are the same as those of [AFLplusplus](https://github.com/AFLplusplus/AFLplusplus).\n\nHowever, pay particular attention to the availability of *asan_interface.h*. AddressSanitizer is implemented by your compiler suite (such as *gcc* or *clang*), [which works by](https://github.com/google/sanitizers/wiki/AddressSanitizerAlgorithm) instrumenting the code during compilation and linking its run-time library into the final binary. 
The *`__asan_*` public interface* is provided by that run-time library and declared in *asan_interface.h*, so make sure that your compiler suite ships this header.\n\n## Building\n\nThe two Python scripts in `./scripts` work out of the box. Build *bug-severity-AFLplusplus* just as you would *afl++*:\n\n```bash\ncd ./bug-severity-AFLplusplus\nmake source-only NO_SPLICING=1\n```\n\n:warning: Warning:\n\n - Always build with `NO_SPLICING=1`.\n\n - Never use `ASAN_BUILD=1`. Otherwise our *bug-severity run-time dependency* may confuse your compiler and linker, as well as AddressSanitizer.\n\n - Since *afl++ 3.0*, *afl-cc* is the only compiler wrapper that instruments your target; all previous compiler names are now symlinks to it. We have modified it so that our *bug-severity run-time dependency* can be linked into the target binary. If *afl-cc* cannot be built and run properly, nothing else will work.\n\n## Usage Example\n\nFor a quick start with *Evocatio*, you can follow these steps to start from scratch:\n\n1. Download *Evocatio*, install its dependencies, and build it.\n\n2. Get your target program and POC.\n\n3. Compile and instrument your target program with *AddressSanitizer* enabled, just as when using *afl++*.\n\n   :warning: Ensure that *AddressSanitizer* is applied to your target. It is strongly recommended to set the environment variable `AFL_USE_ASAN=1` so that *afl-cc* does everything for you. Manually passing the compiler flag `-fsanitize=address`, as [the doc says](https://github.com/google/sanitizers/wiki/AddressSanitizer), is also an option. \n\n4. **Evocatio Function Module** :one: : **POC Minimization**\n\n    ```bash\n    ./bug-severity-AFLplusplus/afl-tmin-lazy -m none -i /path/to/original/poc -o /path/to/minimized/poc -- /path/to/target/program @@\n    ```\n\n    \"@@\" is a placeholder, as in AFL++. If there are any command-line arguments surrounding \"@@\", keep them.\n\n5. 
**Evocatio Function Module** :two: : **Critical Bytes Inference**\n\n    ```bash\n    mkdir \u003cyour_path\u003e/seeds\n    ./bug-severity-AFLplusplus/cd-bytes-identifier -m none -i /path/to/poc -o /tmp/foo -g -c /tmp/constraints.res -k \u003cyour_path\u003e/seeds -- /path/to/target/program @@\n    ```\n\n    The output will be written to `\u003cyour_path\u003e/seeds/`. If you want to use another fuzzer later, you may use the seeds in `\u003cyour_path\u003e/seeds/` as that fuzzer's initial seeds.\n\n6. **Evocatio Function Module** :three: : **CapFuzz**\n\n    Start CapFuzz:\n\n    ```bash\n    ./bug-severity-AFLplusplus/afl-fuzz -m none -C -i /path/to/input/seeds/ -o /path/to/output/ -k /path/to/original/poc -- /path/to/target/program @@\n    ```\n\n7. **Evocatio Function Module** :four: : **Bug Capability Scanning**\n\n    Scan the capabilities of the pocs:\n\n    ```bash\n    python3 ./scripts/gen_raw_data_for_cve.py -i /path/to/new/crashes -o /path/to/bug/capability/json -b /path/to/target/program -a /path/to/commands/file\n    ```\n\n    - `-i`: path to the new pocs found by CapFuzz;\n    - `-o`: output path of the bug capability json file;\n    - `-b`: path to the target program (binary);\n    - `-a`: path to the commands file (write the command-line arguments surrounding \"@@\" to a file first).\n\n8.  **Evocatio Function Module** :five: : **Severity Score**\n\n    ```bash\n    python3 ./scripts/calculate_severity_score.py -i /path/to/bug/capability/json\n    ```\n\n    This calculates the bug severity score from the bug capability json file. The severity score consists of a reading score and a writing score.\n\nFor detailed examples, please refer to the README in each subdirectory.\n\n## Development\n\nEvocatio provides a flexible framework that allows developers to adjust CapSan, CapFuzz and the scoring system according to their own needs. 
For everyone who wants to contribute (and send pull requests), please read our [contributing guidelines](https://github.com/HexHive/Evocatio/blob/main/CONTRIBUTING.md) before you submit.\n\n## Contact\n\nQuestions? Concerns? Feel free to ping me via [E-mail](supermolejzy@gmail.com) for general questions and academic discussion.\n\nFor recent updates and new feature implementations:\n- CapSan related issues/usage/features: ping Sonic via [E-mail](observer000@qq.com)\n- Next generation of Evocatio: ping Zhao via [E-mail](zhaowei_1999@qq.com)\n- Installation, environment or other Evocatio questions: ping Mao via [E-mail](maolc93@126.com).\n\n## Cite\n\nIf you use Evocatio in scientific work, consider citing our [paper](https://doi.org/10.1145/3548606.3560575) presented at ACM CCS.\n\n\u003cdetails\u003e\n\n\u003csummary\u003eBibTeX\u003c/summary\u003e\n\n```bibtex\n@inproceedings{10.1145/3548606.3560575,\nauthor = {Jiang, Zhiyuan and Gan, Shuitao and Herrera, Adrian and Toffalini, Flavio and Romerio, Lucio and Tang, Chaojing and Egele, Manuel and Zhang, Chao and Payer, Mathias},\ntitle = {Evocatio: Conjuring Bug Capabilities from a Single PoC},\nyear = {2022},\nisbn = {9781450394505},\npublisher = {Association for Computing Machinery},\naddress = {New York, NY, USA},\nurl = {https://doi.org/10.1145/3548606.3560575},\ndoi = {10.1145/3548606.3560575},\nbooktitle = {Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security},\npages = {1599–1613},\nnumpages = {15},\nkeywords = {bug triaging, fuzzing, bug capability},\nlocation = {Los Angeles, CA, USA},\nseries = {CCS '22}\n}\n```\n\u003c/details\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhexhive%2Fevocatio","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhexhive%2Fevocatio","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhexhive%2Fevocatio/lists"}