├── docs ├── doc │ └── html │ │ ├── bap_wp │ │ └── Bap_wp │ │ │ └── .dummy │ │ └── index.html ├── .gitignore ├── cbat_logo.png ├── exercises │ ├── 01 │ │ └── binary │ │ │ ├── main │ │ │ └── Makefile │ ├── 02 │ │ └── binary │ │ │ ├── main │ │ │ └── Makefile │ ├── 03 │ │ └── binary │ │ │ ├── main_1 │ │ │ ├── main_2 │ │ │ └── Makefile │ └── 04 │ │ └── binary │ │ ├── main_1 │ │ ├── main_2 │ │ └── Makefile └── tutorial │ ├── 01 │ └── binary │ │ ├── main │ │ ├── main.c │ │ └── Makefile │ ├── 02 │ └── binary │ │ ├── main │ │ └── Makefile │ ├── 03 │ └── binary │ │ ├── main │ │ ├── main_fixed │ │ ├── main.c │ │ ├── main_fixed.c │ │ └── Makefile │ ├── 04 │ └── binary │ │ ├── main_1 │ │ ├── main_2 │ │ ├── Makefile │ │ └── main_2.c │ ├── 05 │ └── binary │ │ ├── main_1 │ │ ├── main_2 │ │ └── Makefile │ ├── 06 │ └── binary │ │ ├── main │ │ ├── main.c │ │ └── Makefile │ ├── 07 │ └── binary │ │ ├── main │ │ ├── main.c │ │ └── Makefile │ └── 08 │ └── binary │ ├── main_1 │ ├── main_2 │ ├── Makefile │ └── main_2.c ├── vsa ├── value_set │ ├── .gitignore │ ├── lib │ │ ├── dune-project │ │ ├── src │ │ │ └── dune │ │ └── Makefile │ ├── unit_tests │ │ └── Makefile │ ├── plugin │ │ └── Makefile │ └── Makefile └── explicit_edge │ ├── .merlin │ └── Makefile ├── wp ├── lib │ └── bap_wp │ │ ├── .gitignore │ │ ├── dune-project │ │ ├── tests │ │ ├── unit │ │ │ └── dune │ │ └── performance │ │ │ └── dune │ │ └── src │ │ └── dune ├── resources │ ├── sample_binaries │ │ ├── cbat-multicompiler-samples │ │ │ ├── Makefile │ │ │ ├── csmith │ │ │ │ ├── bin │ │ │ │ │ ├── csmith-10684 │ │ │ │ │ ├── csmith-16812 │ │ │ │ │ ├── csmith-17669 │ │ │ │ │ ├── csmith-5635 │ │ │ │ │ └── csmith-7545 │ │ │ │ ├── run_wp.sh │ │ │ │ └── run_wp_inline.sh │ │ │ ├── equiv_argc │ │ │ │ ├── bin │ │ │ │ │ ├── equiv_argc-15688 │ │ │ │ │ ├── equiv_argc-17506 │ │ │ │ │ ├── equiv_argc-25706 │ │ │ │ │ ├── equiv_argc-6404 │ │ │ │ │ └── equiv_argc-6487 │ │ │ │ ├── src │ │ │ │ │ └── equiv_argc.c │ │ │ │ └── run_wp.sh │ │ │ ├── switch_case_assignments │ │ │ │ ├── bin │ │ │ │ │ ├── switch_case_assignments-8458 │ │ │ │ │ ├── switch_case_assignments-23908 │ │ │ │ │ ├── switch_case_assignments-26471 │ │ │ │ │ ├── switch_case_assignments-27596 │ │ │ │ │ └── switch_case_assignments-28527 │ │ │ │ └── run_wp.sh │ │ │ └── build-helper.sh │ │ ├── loop_invariant │ │ │ ├── non_terminating │ │ │ │ ├── loop_invariant.smt │ │ │ │ ├── bin │ │ │ │ │ └── main │ │ │ │ ├── Makefile │ │ │ │ ├── src │ │ │ │ │ └── main.c │ │ │ │ ├── run_wp_no_invariant.sh │ │ │ │ └── run_wp.sh │ │ │ ├── break │ │ │ │ ├── bin │ │ │ │ │ └── main │ │ │ │ ├── Makefile │ │ │ │ ├── src │ │ │ │ │ └── main.c │ │ │ │ ├── run_wp_unroll.sh │ │ │ │ ├── run_wp_no_invariant.sh │ │ │ │ ├── run_wp.sh │ │ │ │ └── loop_invariant.smt │ │ │ ├── do_while │ │ │ │ ├── bin │ │ │ │ │ └── main │ │ │ │ ├── Makefile │ │ │ │ ├── src │ │ │ │ │ └── main.c │ │ │ │ ├── run_wp.sh │ │ │ │ ├── run_wp_unroll.sh │ │ │ │ └── run_wp_no_invariant.sh │ │ │ ├── on_stack │ │ │ │ ├── bin │ │ │ │ │ └── main │ │ │ │ ├── Makefile │ │ │ │ ├── src │ │ │ │ │ └── main.c │ │ │ │ ├── run_wp.sh │ │ │ │ ├── run_wp_unroll.sh │ │ │ │ └── run_wp_no_invariant.sh │ │ │ ├── in_registers │ │ │ │ ├── bin │ │ │ │ │ └── main │ │ │ │ ├── Makefile │ │ │ │ ├── src │ │ │ │ │ └── main.c │ │ │ │ ├── loop_invariant.smt │ │ │ │ ├── run_wp.sh │ │ │ │ ├── run_wp_unroll.sh │ │ │ │ └── run_wp_no_invariant.sh │ │ │ ├── nondet_iters │ │ │ │ ├── bin │ │ │ │ │ └── main │ │ │ │ ├── Makefile │ │ │ │ ├── src │ │ │ │ │ └── main.c │ │ │ │ ├── loop_invariant.smt │ │ │ │ ├── run_wp.sh │ │ │ │ ├── run_wp_no_invariant.sh │ │ │ │ └── run_wp_unroll.sh │ │ │ └── Makefile │ │ ├── diff_ret_val │ │ │ ├── src │ │ │ │ ├── main_1.c │ │ │ │ └── main_2.c │ │ │ ├── bin │ │ │ │ ├── main_1 │ │ │ │ └── main_2 │ │ │ ├── Makefile │ │ │ └── run_wp.sh │ │ ├── pointer_input │ │ │ ├── src │ │ │ │ ├── main_1.c │ │ │ │ └── main_2.c │ │ │ ├── bin │ │ │ │ ├── main_1 │ │ │ │ └── main_2 │ │ │ ├── Makefile │ │ │ └── run_wp.sh │ │ ├── double_dereference │ │ │ ├── src │ │ │ │ ├── main_1.c │ │ │ │ └── main_2.c │ │ │ ├── bin │ │ │ │ ├── main_1 │ │ │ │ └── main_2 │ │ │ ├── Makefile │ │ │ └── run_wp.sh │ │ ├── equiv_argc │ │ │ ├── src │ │ │ │ ├── main_1.c │ │ │ │ └── main_2.c │ │ │ ├── bin │ │ │ │ ├── main_1 │ │ │ │ └── main_2 │ │ │ ├── Makefile │ │ │ └── run_wp.sh │ │ ├── init_var │ │ │ ├── bin │ │ │ │ └── main │ │ │ ├── src │ │ │ │ └── main.c │ │ │ ├── Makefile │ │ │ ├── run_wp.sh │ │ │ └── run_wp_sat.sh │ │ ├── malloc │ │ │ ├── compare_simple │ │ │ │ ├── src │ │ │ │ │ ├── main_1.c │ │ │ │ │ └── main_2.c │ │ │ │ ├── bin │ │ │ │ │ ├── main_1.o │ │ │ │ │ └── main_2.o │ │ │ │ ├── Makefile │ │ │ │ ├── run_wp_sat.sh │ │ │ │ └── run_wp_unsat.sh │ │ │ └── Makefile │ │ ├── nqueens │ │ │ ├── bin │ │ │ │ ├── main_4 │ │ │ │ ├── main_5 │ │ │ │ ├── main_6 │ │ │ │ ├── main_7 │ │ │ │ ├── main_8 │ │ │ │ ├── main_9 │ │ │ │ ├── main_10 │ │ │ │ ├── main_11 │ │ │ │ ├── main_12 │ │ │ │ ├── main_13 │ │ │ │ ├── main_14 │ │ │ │ ├── main_15 │ │ │ │ ├── main_16 │ │ │ │ ├── main_17 │ │ │ │ ├── main_18 │ │ │ │ └── main_19 │ │ │ ├── run_wp.sh │ │ │ └── Makefile │ │ ├── return_argc │ │ │ ├── src │ │ │ │ └── main.c │ │ │ ├── bin │ │ │ │ └── main │ │ │ ├── Makefile │ │ │ └── run_wp.sh │ │ ├── simple_wp │ │ │ ├── bin │ │ │ │ └── main │ │ │ ├── src │ │ │ │ ├── main.c │ │ │ │ └── main_with_struct.c │ │ │ ├── Makefile │ │ │ ├── run_wp.sh │ │ │ └── run_wp_pre.sh │ │ ├── debruijn │ │ │ ├── bin │ │ │ │ ├── main_1 │ │ │ │ └── main_2 │ │ │ ├── Makefile │ │ │ ├── run_wp_8bit.sh │ │ │ ├── run_wp_16bit.sh │ │ │ └── run_wp_32bit.sh │ │ ├── goto_string │ │ │ ├── bin │ │ │ │ └── main │ │ │ └── Makefile │ │ ├── init_rodata │ │ │ ├── bin │ │ │ │ └── main │ │ │ ├── src │ │ │ │ └── main.c │ │ │ └── Makefile │ │ ├── linked_list │ │ │ ├── bin │ │ │ │ └── main │ │ │ ├── Makefile │ │ │ ├── src │ │ │ │ └── main.c │ │ │ └── run_wp.sh │ │ ├── nested_ifs │ │ │ ├── bin │ │ │ │ └── main │ │ │ ├── Makefile │ │ │ └── run_wp_inline.sh │ │ ├── null_deref │ │ │ ├── bin │ │ │ │ └── main │ │ │ ├── src │ │ │ │ └── main.c │ │ │ ├── Makefile │ │ │ ├── run_wp.sh │ │ │ └── run_wp_null_deref.sh │ │ ├── ogre_files │ │ │ ├── bin │ │ │ │ ├── main_1 │ │ │ │ ├── main_2 │ │ │ │ ├── main_1_stripped │ │ │ │ └── main_2_stripped │ │ │ ├── src │ │ │ │ ├── main_1.c │ │ │ │ └── main_2.c │ │ │ ├── README.md │ │ │ ├── run_wp1.sh │ │ │ ├── run_wp2.sh │ │ │ ├── run_wp3.sh │ │ │ ├── run_wp5.sh │ │ │ ├── run_wp6.sh │ │ │ ├── run_wp4.sh │ │ │ └── Makefile │ │ ├── same_signs │ │ │ ├── bin │ │ │ │ ├── main_1 │ │ │ │ └── main_2 │ │ │ ├── Makefile │ │ │ └── src │ │ │ │ └── main_2.c │ │ ├── function_call │ │ │ ├── bin │ │ │ │ └── main │ │ │ ├── Makefile │ │ │ ├── src │ │ │ │ └── main.c │ │ │ ├── run_wp_inline_all.sh │ │ │ └── run_wp_inline_foo.sh │ │ ├── function_spec │ │ │ ├── bin │ │ │ │ └── main │ │ │ ├── src │ │ │ │ └── main.c │ │ │ ├── Makefile │ │ │ ├── run_wp_inline_all.sh │ │ │ ├── run_wp_inline_garbage.sh │ │ │ └── run_wp_inline_foo.sh │ │ ├── hash_function │ │ │ ├── bin │ │ │ │ └── main │ │ │ ├── Makefile │ │ │ └── run_wp.sh │ │ ├── pointer_flag │ │ │ ├── bin │ │ │ │ ├── main_1 │ │ │ │ └── main_2 │ │ │ ├── src │ │ │ │ ├── main_1.c │ │ │ │ └── main_2.c │ │ │ └── Makefile │ │ ├── sudoku_2_by_2 │ │ │ ├── bin │ │ │ │ └── main │ │ │ ├── Makefile │ │ │ └── run_wp.sh │ │ ├── sudoku_3_by_3 │ │ │ ├── bin │ │ │ │ └── main │ │ │ ├── Makefile │ │ │ └── run_wp.sh │ │ ├── switch_cases │ │ │ ├── bin │ │ │ │ ├── main_1 │ │ │ │ └── main_2 │ │ │ └── Makefile │ │ ├── arm │ │ │ ├── function_spec │ │ │ │ ├── bin │ │ │ │ │ └── main │ │ │ │ ├── src │ │ │ │ │ └── main.c │ │ │ │ ├── Makefile │ │ │ │ └── run_wp_inline.sh │ │ │ ├── mem_comparison │ │ │ │ ├── bin │ │ │ │ │ ├── main_1 │ │ │ │ │ └── main_2 │ │ │ │ ├── src │ │ │ │ │ ├── main_1.c │ │ │ │ │ └── main_2.c │ │ │ │ ├── Makefile │ │ │ │ └── run_wp.sh │ │ │ ├── simple_compare │ │ │ │ ├── bin │ │ │ │ │ └── main.o │ │ │ │ ├── Makefile │ │ │ │ ├── run_wp_r1.sh │ │ │ │ └── run_wp_r2.sh │ │ │ └── Makefile │ │ ├── conditional_call │ │ │ ├── bin │ │ │ │ └── main │ │ │ ├── Makefile │ │ │ ├── run_wp.sh │ │ │ └── src │ │ │ │ └── main.asm │ │ ├── non_null_check │ │ │ ├── bin │ │ │ │ ├── main_1 │ │ │ │ └── main_2 │ │ │ ├── src │ │ │ │ ├── main_1.S │ │ │ │ └── main_2.S │ │ │ └── Makefile │ │ ├── pointer_flag_rsp │ │ │ ├── bin │ │ │ │ └── main │ │ │ ├── src │ │ │ │ └── main.S │ │ │ ├── Makefile │ │ │ └── run_wp.sh │ │ ├── retrowrite_stub │ │ │ ├── bin │ │ │ │ ├── main_1 │ │ │ │ └── main_2 │ │ │ ├── src │ │ │ │ └── main_1.S │ │ │ ├── Makefile │ │ │ └── run_wp_inline_all.sh │ │ ├── same_null_deref │ │ │ ├── bin │ │ │ │ ├── main_1 │ │ │ │ └── main_2 │ │ │ ├── Makefile │ │ │ ├── src │ │ │ │ ├── main_1.c │ │ │ │ └── main_2.c │ │ │ └── run_wp.sh │ │ ├── diff_pointer_val │ │ │ ├── bin │ │ │ │ ├── main_1 │ │ │ │ └── main_2 │ │ │ ├── src │ │ │ │ ├── main_1.c │ │ │ │ └── main_2.c │ │ │ ├── Makefile │ │ │ └── run_wp.sh │ │ ├── equiv_null_check │ │ │ ├── bin │ │ │ │ ├── main_1 │ │ │ │ └── main_2 │ │ │ ├── src │ │ │ │ ├── main_1.c │ │ │ │ └── main_2.c │ │ │ ├── Makefile │ │ │ └── run_wp.sh │ │ ├── init_var_compare │ │ │ ├── bin │ │ │ │ ├── main_1 │ │ │ │ └── main_2 │ │ │ ├── src │ │ │ │ ├── main_1.S │ │ │ │ └── main_2.S │ │ │ └── Makefile │ │ ├── loop │ │ │ ├── loop_depth_two │ │ │ │ ├── bin │ │ │ │ │ └── main │ │ │ │ ├── Makefile │ │ │ │ └── src │ │ │ │ │ └── main.c │ │ │ ├── loop_depth_one │ │ │ │ ├── bin │ │ │ │ │ ├── main_1 │ │ │ │ │ └── main_2 │ │ │ │ ├── src │ │ │ │ │ ├── main_2.c │ │ │ │ │ └── main_1.c │ │ │ │ ├── Makefile │ │ │ │ ├── run_wp_single.sh │ │ │ │ ├── run_wp_compare.sh │ │ │ │ └── run_wp_less_loop.sh │ │ │ ├── loop_with_assert │ │ │ │ ├── bin │ │ │ │ │ └── main │ │ │ │ ├── Makefile │ │ │ │ ├── src │ │ │ │ │ └── main.c │ │ │ │ └── run_wp.sh │ │ │ └── Makefile │ │ ├── pointer_flag_single │ │ │ ├── bin │ │ │ │ └── main │ │ │ ├── src │ │ │ │ └── main.c │ │ │ ├── Makefile │ │ │ ├── run_wp_sat.sh │ │ │ └── run_wp_unsat.sh │ │ ├── unconditional_call │ │ │ ├── bin │ │ │ │ └── main │ │ │ ├── Makefile │ │ │ ├── run_wp.sh │ │ │ └── src │ │ │ │ └── main.asm │ │ ├── floating_point │ │ │ ├── single │ │ │ │ ├── bin │ │ │ │ │ └── main │ │ │ │ ├── src │ │ │ │ │ └── main.c │ │ │ │ ├── Makefile │ │ │ │ ├── run_wp.sh │ │ │ │ └── run_wp_no_init.sh │ │ │ ├── comparison │ │ │ │ ├── sat │ │ │ │ │ ├── bin │ │ │ │ │ │ ├── main_1 │ │ │ │ │ │ └── main_2 │ │ │ │ │ ├── src │ │ │ │ │ │ ├── main_1.c │ │ │ │ │ │ └── main_2.c │ │ │ │ │ ├── Makefile │ │ │ │ │ └── run_wp.sh │ │ │ │ ├── unsat │ │ │ │ │ ├── bin │ │ │ │ │ │ ├── main_1 │ │ │ │ │ │ └── main_2 │ │ │ │ │ ├── src │ │ │ │ │ │ ├── main_1.c │ │ │ │ │ │ └── main_2.c │ │ │ │ │ ├── run_wp.sh │ │ │ │ │ └── Makefile │ │ │ │ └── Makefile │ │ │ └── Makefile │ │ ├── indirect_call_return │ │ │ ├── bin │ │ │ │ ├── main_1 │ │ │ │ └── main_2 │ │ │ ├── src │ │ │ │ ├── main_2.S │ │ │ │ └── main_1.S │ │ │ ├── Makefile │ │ │ └── run_wp.sh │ │ ├── memcpy │ │ │ ├── memcpy_example │ │ │ │ ├── bin │ │ │ │ │ └── main │ │ │ │ ├── Makefile │ │ │ │ └── src │ │ │ │ │ └── main.c │ │ │ ├── memcpy_example_2 │ │ │ │ ├── bin │ │ │ │ │ └── main │ │ │ │ ├── Makefile │ │ │ │ └── src │ │ │ │ │ └── main.c │ │ │ └── Makefile │ │ ├── memory_samples │ │ │ ├── name_matching │ │ │ │ ├── src │ │ │ │ │ ├── main_1.c │ │ │ │ │ └── main_2.c │ │ │ │ ├── bin │ │ │ │ │ ├── main_1 │ │ │ │ │ └── main_2 │ │ │ │ ├── Makefile │ │ │ │ ├── run_wp.sh │ │ │ │ └── run_wp_addr_rewrite.sh │ │ │ ├── arrays │ │ │ │ ├── bin │ │ │ │ │ ├── main_1 │ │ │ │ │ └── main_2 │ │ │ │ ├── src │ │ │ │ │ ├── main_1.c │ │ │ │ │ └── main_2.c │ │ │ │ └── Makefile │ │ │ ├── diff_data │ │ │ │ ├── bin │ │ │ │ │ ├── main_1 │ │ │ │ │ └── main_2 │ │ │ │ ├── Makefile │ │ │ │ └── run_wp.sh │ │ │ ├── diff_stack │ │ │ │ ├── bin │ │ │ │ │ ├── main_1 │ │ │ │ │ └── main_2 │ │ │ │ ├── Makefile │ │ │ │ ├── run_wp.sh │ │ │ │ └── src │ │ │ │ │ ├── main_1.S │ │ │ │ │ └── main_2.S │ │ │ ├── mem_hooks │ │ │ │ ├── bin │ │ │ │ │ ├── main_1 │ │ │ │ │ └── main_2 │ │ │ │ ├── src │ │ │ │ │ ├── main_1.S │ │ │ │ │ └── main_2.S │ │ │ │ └── Makefile │ │ │ ├── data_bss_sections │ │ │ │ ├── bin │ │ │ │ │ ├── main_1 │ │ │ │ │ └── main_2 │ │ │ │ ├── src │ │ │ │ │ ├── main_1.c │ │ │ │ │ └── main_2.c │ │ │ │ └── Makefile │ │ │ ├── diff_data_location │ │ │ │ ├── bin │ │ │ │ │ ├── main_1 │ │ │ │ │ └── main_2 │ │ │ │ └── Makefile │ │ │ └── Makefile │ │ ├── nested_function_calls │ │ │ ├── bin │ │ │ │ └── main │ │ │ ├── Makefile │ │ │ ├── src │ │ │ │ └── main.c │ │ │ ├── run_wp.sh │ │ │ ├── run_wp_inline_regex.sh │ │ │ └── run_wp_inline_all.sh │ │ ├── no_stack_protection │ │ │ ├── bin │ │ │ │ ├── main_1 │ │ │ │ └── main_2 │ │ │ ├── src │ │ │ │ ├── main_1.c │ │ │ │ └── main_2.c │ │ │ ├── run_wp.sh │ │ │ └── Makefile │ │ ├── retrowrite_stub_no_ret │ │ │ ├── bin │ │ │ │ ├── main_1 │ │ │ │ └── main_2 │ │ │ ├── src │ │ │ │ └── main_1.S │ │ │ └── Makefile │ │ ├── switch_cases_diff_ret │ │ │ ├── bin │ │ │ │ ├── main_1 │ │ │ │ └── main_2 │ │ │ └── Makefile │ │ ├── user_func_spec │ │ │ ├── sub_spec_6 │ │ │ │ ├── bin │ │ │ │ │ ├── mod │ │ │ │ │ └── orig │ │ │ │ ├── README.md │ │ │ │ ├── Makefile │ │ │ │ └── run_wp_3.sh │ │ │ ├── sub_spec_1 │ │ │ │ ├── bin │ │ │ │ │ └── main │ │ │ │ ├── run_wp_1.sh │ │ │ │ ├── run_wp_2.sh │ │ │ │ ├── src │ │ │ │ │ └── main.c │ │ │ │ ├── Makefile │ │ │ │ ├── run_wp_3.sh │ │ │ │ ├── README.md │ │ │ │ └── run_wp_4.sh │ │ │ ├── sub_spec_2 │ │ │ │ ├── bin │ │ │ │ │ └── main │ │ │ │ ├── run_wp_2.sh │ │ │ │ ├── run_wp_1.sh │ │ │ │ ├── Makefile │ │ │ │ ├── src │ │ │ │ │ └── main.c │ │ │ │ └── README.md │ │ │ ├── sub_spec_3 │ │ │ │ ├── bin │ │ │ │ │ ├── main_1 │ │ │ │ │ └── main_2 │ │ │ │ ├── run_wp_single_2.sh │ │ │ │ ├── Makefile │ │ │ │ ├── run_wp_single_1.sh │ │ │ │ ├── run_wp_comp.sh │ │ │ │ └── run_wp_single_3.sh │ │ │ ├── sub_spec_4 │ │ │ │ ├── bin │ │ │ │ │ ├── main_1 │ │ │ │ │ └── main_2 │ │ │ │ ├── src │ │ │ │ │ ├── main_2.c │ │ │ │ │ └── main_1.c │ │ │ │ ├── Makefile │ │ │ │ └── run_wp_1.sh │ │ │ ├── sub_spec_5 │ │ │ │ ├── bin │ │ │ │ │ └── main │ │ │ │ ├── Makefile │ │ │ │ ├── run_wp_1.sh │ │ │ │ ├── src │ │ │ │ │ └── main.c │ │ │ │ ├── run_wp_2.sh │ │ │ │ └── README.md │ │ │ └── Makefile │ │ ├── indirect_call_no_return │ │ │ ├── bin │ │ │ │ ├── main_1 │ │ │ │ └── main_2 │ │ │ ├── src │ │ │ │ ├── main_2.S │ │ │ │ └── main_1.S │ │ │ ├── Makefile │ │ │ └── run_wp.sh │ │ ├── position_independent │ │ │ ├── bin │ │ │ │ ├── main_1.so │ │ │ │ └── main_2.so │ │ │ ├── src │ │ │ │ ├── main_1.c │ │ │ │ └── main_2.c │ │ │ ├── Makefile │ │ │ └── run_wp.sh │ │ ├── switch_case_assignments │ │ │ ├── bin │ │ │ │ ├── main_1 │ │ │ │ └── main_2 │ │ │ ├── Makefile │ │ │ └── src │ │ │ │ └── main_2.c │ │ ├── verifier_calls │ │ │ ├── bin │ │ │ │ ├── verifier_nondet │ │ │ │ ├── verifier_assume_sat │ │ │ │ └── verifier_assume_unsat │ │ │ ├── src │ │ │ │ ├── verifier_assume_sat.c │ │ │ │ ├── verifier_nondet.c │ │ │ │ └── verifier_assume_unsat.c │ │ │ ├── run_wp_assume_sat.sh │ │ │ ├── Makefile │ │ │ ├── run_wp_assume_unsat.sh │ │ │ └── run_wp_nondet.sh │ │ ├── func_name_map │ │ │ ├── compare_calls │ │ │ │ ├── bin │ │ │ │ │ ├── main_1 │ │ │ │ │ └── main_2 │ │ │ │ ├── src │ │ │ │ │ ├── main_1.c │ │ │ │ │ └── main_2.c │ │ │ │ └── Makefile │ │ │ ├── nested_calls │ │ │ │ ├── bin │ │ │ │ │ ├── main_1 │ │ │ │ │ └── main_2 │ │ │ │ ├── src │ │ │ │ │ ├── main_1.c │ │ │ │ │ └── main_2.c │ │ │ │ └── Makefile │ │ │ ├── toplevel_func │ │ │ │ ├── bin │ │ │ │ │ ├── main_1 │ │ │ │ │ └── main_2 │ │ │ │ ├── src │ │ │ │ │ ├── main_1.c │ │ │ │ │ └── main_2.c │ │ │ │ └── Makefile │ │ │ └── Makefile │ │ ├── no_position_independent │ │ │ ├── bin │ │ │ │ ├── main_1.so │ │ │ │ └── main_2.so │ │ │ ├── src │ │ │ │ ├── main_1.c │ │ │ │ └── main_2.c │ │ │ ├── Makefile │ │ │ └── run_wp.sh │ │ └── Makefile │ └── images │ │ └── process_status_diff.png └── plugin │ ├── README.md │ ├── .merlin │ └── tests │ ├── unit │ └── dune │ ├── integration │ └── dune │ └── test_libs │ └── dune ├── bildb ├── .gitignore ├── resources │ ├── main.c │ ├── Makefile │ └── README.md ├── init.yml ├── example.yml └── lib │ └── screens │ ├── bildb_architecture.mli │ └── bildb_initialization.mli ├── bap_angr └── README.md └── .gitignore /docs/doc/html/bap_wp/Bap_wp/.dummy: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /vsa/value_set/.gitignore: -------------------------------------------------------------------------------- 1 | .merlin 2 | *.install 3 | _build 4 | -------------------------------------------------------------------------------- /wp/lib/bap_wp/.gitignore: -------------------------------------------------------------------------------- 1 | .merlin 2 | *.install 3 | _build 4 | -------------------------------------------------------------------------------- /docs/.gitignore: -------------------------------------------------------------------------------- 1 | *.bpj 2 | *.o 3 | *.swp 4 | *~ 5 | .DS_Store 6 | -------------------------------------------------------------------------------- /wp/lib/bap_wp/dune-project: -------------------------------------------------------------------------------- 1 | (lang dune 1.7) 2 | (name bap_wp) 3 | -------------------------------------------------------------------------------- /vsa/value_set/lib/dune-project: -------------------------------------------------------------------------------- 1 | (lang dune 1.7) 2 | (name cbat_value_set) 3 | -------------------------------------------------------------------------------- /bildb/.gitignore: -------------------------------------------------------------------------------- 1 | resources/main 2 | resources/*.o 3 | _build 4 | *.plugin 5 | .merlin 6 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/cbat-multicompiler-samples/Makefile: -------------------------------------------------------------------------------- 1 | all: ; 2 | 3 | clean: ; 4 | -------------------------------------------------------------------------------- /wp/lib/bap_wp/tests/unit/dune: -------------------------------------------------------------------------------- 1 | (test 2 | (name test) 3 | (libraries bap z3 ounit2 bap_wp)) 4 | -------------------------------------------------------------------------------- /docs/cbat_logo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/docs/cbat_logo.png -------------------------------------------------------------------------------- /wp/lib/bap_wp/tests/performance/dune: -------------------------------------------------------------------------------- 1 | (test 2 | (name test) 3 | (libraries bap z3 ounit2 bap_wp)) 4 | -------------------------------------------------------------------------------- /bildb/resources/main.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main (int argc, char* argv[]) { 4 | return 1; 5 | } 6 | -------------------------------------------------------------------------------- /docs/exercises/01/binary/main: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/docs/exercises/01/binary/main -------------------------------------------------------------------------------- /docs/exercises/02/binary/main: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/docs/exercises/02/binary/main -------------------------------------------------------------------------------- /docs/tutorial/01/binary/main: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/docs/tutorial/01/binary/main -------------------------------------------------------------------------------- /docs/tutorial/02/binary/main: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/docs/tutorial/02/binary/main -------------------------------------------------------------------------------- /docs/tutorial/03/binary/main: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/docs/tutorial/03/binary/main -------------------------------------------------------------------------------- /docs/tutorial/04/binary/main_1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/docs/tutorial/04/binary/main_1 -------------------------------------------------------------------------------- /docs/tutorial/04/binary/main_2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/docs/tutorial/04/binary/main_2 -------------------------------------------------------------------------------- /docs/tutorial/05/binary/main_1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/docs/tutorial/05/binary/main_1 -------------------------------------------------------------------------------- /docs/tutorial/05/binary/main_2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/docs/tutorial/05/binary/main_2 -------------------------------------------------------------------------------- /docs/tutorial/06/binary/main: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/docs/tutorial/06/binary/main -------------------------------------------------------------------------------- /docs/tutorial/07/binary/main: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/docs/tutorial/07/binary/main -------------------------------------------------------------------------------- /docs/tutorial/08/binary/main_1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/docs/tutorial/08/binary/main_1 -------------------------------------------------------------------------------- /docs/tutorial/08/binary/main_2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/docs/tutorial/08/binary/main_2 -------------------------------------------------------------------------------- /docs/exercises/03/binary/main_1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/docs/exercises/03/binary/main_1 -------------------------------------------------------------------------------- /docs/exercises/03/binary/main_2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/docs/exercises/03/binary/main_2 -------------------------------------------------------------------------------- /docs/exercises/04/binary/main_1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/docs/exercises/04/binary/main_1 -------------------------------------------------------------------------------- /docs/exercises/04/binary/main_2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/docs/exercises/04/binary/main_2 -------------------------------------------------------------------------------- /docs/tutorial/03/binary/main_fixed: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/docs/tutorial/03/binary/main_fixed -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop_invariant/non_terminating/loop_invariant.smt: -------------------------------------------------------------------------------- 1 | (((address 0xb) 2 | (invariant "(assert true)"))) 3 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/diff_ret_val/src/main_1.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(void) { 4 | 5 | return 2; 6 | 7 | } 8 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/diff_ret_val/src/main_2.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(void) { 4 | 5 | return 5; 6 | 7 | } 8 | -------------------------------------------------------------------------------- /bap_angr/README.md: -------------------------------------------------------------------------------- 1 | This directory contains the data pertaining to the paper:"Using Binary 2 | Analysis Frameworks: The Case for BAP and angr" 3 | -------------------------------------------------------------------------------- /wp/resources/images/process_status_diff.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/images/process_status_diff.png -------------------------------------------------------------------------------- /wp/resources/sample_binaries/pointer_input/src/main_1.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(int argc, char *argv[]) { 4 | return *argv; 5 | } 6 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/pointer_input/src/main_2.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(int argc, char *argv[]) { 4 | return *argv; 5 | } 6 | -------------------------------------------------------------------------------- /wp/plugin/README.md: -------------------------------------------------------------------------------- 1 | # WP plugin 2 | 3 | To get started with this plugin, follow the build/install/test instructions in the parent [README](./../README.md). -------------------------------------------------------------------------------- /wp/resources/sample_binaries/double_dereference/src/main_1.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(int argc, char *argv[]) { 4 | return **argv; 5 | } 6 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/double_dereference/src/main_2.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(int argc, char *argv[]) { 4 | return **argv; 5 | } 6 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/equiv_argc/src/main_1.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(int argc, char *argv[]) { 4 | 5 | return argc; 6 | 7 | } 8 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/init_var/bin/main: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/init_var/bin/main -------------------------------------------------------------------------------- /wp/resources/sample_binaries/malloc/compare_simple/src/main_1.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | void* foo(size_t size) { 4 | return malloc(size); 5 | } 6 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/malloc/compare_simple/src/main_2.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | void* foo(size_t size) { 4 | return malloc(size); 5 | } 6 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/nqueens/bin/main_4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/nqueens/bin/main_4 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/nqueens/bin/main_5: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/nqueens/bin/main_5 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/nqueens/bin/main_6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/nqueens/bin/main_6 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/nqueens/bin/main_7: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/nqueens/bin/main_7 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/nqueens/bin/main_8: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/nqueens/bin/main_8 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/nqueens/bin/main_9: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/nqueens/bin/main_9 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/return_argc/src/main.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(int argc, char *argv[]) { 4 | 5 | return argc; 6 | 7 | } 8 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/simple_wp/bin/main: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/simple_wp/bin/main -------------------------------------------------------------------------------- /wp/resources/sample_binaries/debruijn/bin/main_1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/debruijn/bin/main_1 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/debruijn/bin/main_2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/debruijn/bin/main_2 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/equiv_argc/bin/main_1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/equiv_argc/bin/main_1 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/equiv_argc/bin/main_2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/equiv_argc/bin/main_2 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/goto_string/bin/main: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/goto_string/bin/main -------------------------------------------------------------------------------- /wp/resources/sample_binaries/init_rodata/bin/main: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/init_rodata/bin/main -------------------------------------------------------------------------------- /wp/resources/sample_binaries/linked_list/bin/main: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/linked_list/bin/main -------------------------------------------------------------------------------- /wp/resources/sample_binaries/nested_ifs/bin/main: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/nested_ifs/bin/main -------------------------------------------------------------------------------- /wp/resources/sample_binaries/nqueens/bin/main_10: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/nqueens/bin/main_10 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/nqueens/bin/main_11: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/nqueens/bin/main_11 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/nqueens/bin/main_12: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/nqueens/bin/main_12 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/nqueens/bin/main_13: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/nqueens/bin/main_13 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/nqueens/bin/main_14: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/nqueens/bin/main_14 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/nqueens/bin/main_15: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/nqueens/bin/main_15 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/nqueens/bin/main_16: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/nqueens/bin/main_16 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/nqueens/bin/main_17: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/nqueens/bin/main_17 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/nqueens/bin/main_18: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/nqueens/bin/main_18 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/nqueens/bin/main_19: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/nqueens/bin/main_19 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/null_deref/bin/main: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/null_deref/bin/main -------------------------------------------------------------------------------- /wp/resources/sample_binaries/ogre_files/bin/main_1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/ogre_files/bin/main_1 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/ogre_files/bin/main_2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/ogre_files/bin/main_2 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/return_argc/bin/main: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/return_argc/bin/main -------------------------------------------------------------------------------- /wp/resources/sample_binaries/same_signs/bin/main_1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/same_signs/bin/main_1 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/same_signs/bin/main_2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/same_signs/bin/main_2 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/diff_ret_val/bin/main_1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/diff_ret_val/bin/main_1 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/diff_ret_val/bin/main_2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/diff_ret_val/bin/main_2 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/function_call/bin/main: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/function_call/bin/main -------------------------------------------------------------------------------- /wp/resources/sample_binaries/function_spec/bin/main: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/function_spec/bin/main -------------------------------------------------------------------------------- /wp/resources/sample_binaries/hash_function/bin/main: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/hash_function/bin/main -------------------------------------------------------------------------------- /wp/resources/sample_binaries/ogre_files/src/main_1.c: -------------------------------------------------------------------------------- 1 | 2 | int f1() { 3 | return 1; 4 | } 5 | 6 | int main() { 7 | int x = f1(); 8 | return x; 9 | } 10 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/pointer_flag/bin/main_1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/pointer_flag/bin/main_1 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/pointer_flag/bin/main_2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/pointer_flag/bin/main_2 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/sudoku_2_by_2/bin/main: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/sudoku_2_by_2/bin/main -------------------------------------------------------------------------------- /wp/resources/sample_binaries/sudoku_3_by_3/bin/main: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/sudoku_3_by_3/bin/main -------------------------------------------------------------------------------- /wp/resources/sample_binaries/switch_cases/bin/main_1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/switch_cases/bin/main_1 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/switch_cases/bin/main_2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/switch_cases/bin/main_2 -------------------------------------------------------------------------------- /docs/tutorial/06/binary/main.c: -------------------------------------------------------------------------------- 1 | /* The main entry point into the program. */ 2 | int main() { 3 | 4 | // Return my lucky number. 5 | return 7; 6 | 7 | } 8 | 9 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/arm/function_spec/bin/main: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/arm/function_spec/bin/main -------------------------------------------------------------------------------- /wp/resources/sample_binaries/conditional_call/bin/main: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/conditional_call/bin/main -------------------------------------------------------------------------------- /wp/resources/sample_binaries/non_null_check/bin/main_1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/non_null_check/bin/main_1 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/non_null_check/bin/main_2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/non_null_check/bin/main_2 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/pointer_flag_rsp/bin/main: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/pointer_flag_rsp/bin/main -------------------------------------------------------------------------------- /wp/resources/sample_binaries/pointer_input/bin/main_1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/pointer_input/bin/main_1 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/pointer_input/bin/main_2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/pointer_input/bin/main_2 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/retrowrite_stub/bin/main_1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/retrowrite_stub/bin/main_1 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/retrowrite_stub/bin/main_2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/retrowrite_stub/bin/main_2 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/same_null_deref/bin/main_1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/same_null_deref/bin/main_1 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/same_null_deref/bin/main_2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/same_null_deref/bin/main_2 -------------------------------------------------------------------------------- /bildb/resources/Makefile: -------------------------------------------------------------------------------- 1 | exe = main 2 | 3 | all: exe.clean exe.build 4 | 5 | exe.build: 6 | gcc -Wall -g -o $(exe) main.c 7 | 8 | exe.clean: 9 | rm -rf $(exe) 10 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/diff_pointer_val/bin/main_1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/diff_pointer_val/bin/main_1 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/diff_pointer_val/bin/main_2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/diff_pointer_val/bin/main_2 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/equiv_null_check/bin/main_1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/equiv_null_check/bin/main_1 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/equiv_null_check/bin/main_2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/equiv_null_check/bin/main_2 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/init_var_compare/bin/main_1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/init_var_compare/bin/main_1 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/init_var_compare/bin/main_2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/init_var_compare/bin/main_2 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop/loop_depth_two/bin/main: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/loop/loop_depth_two/bin/main -------------------------------------------------------------------------------- /wp/resources/sample_binaries/pointer_flag_single/bin/main: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/pointer_flag_single/bin/main -------------------------------------------------------------------------------- /wp/resources/sample_binaries/unconditional_call/bin/main: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/unconditional_call/bin/main -------------------------------------------------------------------------------- /wp/resources/sample_binaries/arm/mem_comparison/bin/main_1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/arm/mem_comparison/bin/main_1 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/arm/mem_comparison/bin/main_2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/arm/mem_comparison/bin/main_2 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/arm/simple_compare/bin/main.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/arm/simple_compare/bin/main.o -------------------------------------------------------------------------------- /wp/resources/sample_binaries/double_dereference/bin/main_1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/double_dereference/bin/main_1 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/double_dereference/bin/main_2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/double_dereference/bin/main_2 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/floating_point/single/bin/main: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/floating_point/single/bin/main -------------------------------------------------------------------------------- /wp/resources/sample_binaries/indirect_call_return/bin/main_1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/indirect_call_return/bin/main_1 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/indirect_call_return/bin/main_2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/indirect_call_return/bin/main_2 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop/loop_depth_one/bin/main_1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/loop/loop_depth_one/bin/main_1 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop/loop_depth_one/bin/main_2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/loop/loop_depth_one/bin/main_2 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop/loop_with_assert/bin/main: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/loop/loop_with_assert/bin/main -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop_invariant/break/bin/main: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/loop_invariant/break/bin/main -------------------------------------------------------------------------------- /wp/resources/sample_binaries/memcpy/memcpy_example/bin/main: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/memcpy/memcpy_example/bin/main -------------------------------------------------------------------------------- /wp/resources/sample_binaries/memory_samples/name_matching/src/main_1.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int x = 1; 4 | 5 | int main(void) { 6 | 7 | return x; 8 | 9 | } 10 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/nested_function_calls/bin/main: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/nested_function_calls/bin/main -------------------------------------------------------------------------------- /wp/resources/sample_binaries/no_stack_protection/bin/main_1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/no_stack_protection/bin/main_1 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/no_stack_protection/bin/main_2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/no_stack_protection/bin/main_2 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/ogre_files/bin/main_1_stripped: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/ogre_files/bin/main_1_stripped -------------------------------------------------------------------------------- /wp/resources/sample_binaries/ogre_files/bin/main_2_stripped: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/ogre_files/bin/main_2_stripped -------------------------------------------------------------------------------- /wp/resources/sample_binaries/pointer_flag_rsp/src/main.S: -------------------------------------------------------------------------------- 1 | .global _start 2 | 3 | .text 4 | 5 | main: 6 | mov 1(%rdi), %rsi 7 | 8 | _start: 9 | call main 10 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop_invariant/do_while/bin/main: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/loop_invariant/do_while/bin/main -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop_invariant/on_stack/bin/main: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/loop_invariant/on_stack/bin/main -------------------------------------------------------------------------------- /wp/resources/sample_binaries/memcpy/memcpy_example_2/bin/main: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/memcpy/memcpy_example_2/bin/main -------------------------------------------------------------------------------- /wp/resources/sample_binaries/memory_samples/arrays/bin/main_1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/memory_samples/arrays/bin/main_1 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/memory_samples/arrays/bin/main_2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/memory_samples/arrays/bin/main_2 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/retrowrite_stub_no_ret/bin/main_1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/retrowrite_stub_no_ret/bin/main_1 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/retrowrite_stub_no_ret/bin/main_2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/retrowrite_stub_no_ret/bin/main_2 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/switch_cases_diff_ret/bin/main_1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/switch_cases_diff_ret/bin/main_1 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/switch_cases_diff_ret/bin/main_2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/switch_cases_diff_ret/bin/main_2 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/user_func_spec/sub_spec_6/bin/mod: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/user_func_spec/sub_spec_6/bin/mod -------------------------------------------------------------------------------- /wp/resources/sample_binaries/indirect_call_no_return/bin/main_1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/indirect_call_no_return/bin/main_1 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/indirect_call_no_return/bin/main_2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/indirect_call_no_return/bin/main_2 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop_invariant/in_registers/bin/main: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/loop_invariant/in_registers/bin/main -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop_invariant/nondet_iters/bin/main: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/loop_invariant/nondet_iters/bin/main -------------------------------------------------------------------------------- /wp/resources/sample_binaries/malloc/compare_simple/bin/main_1.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/malloc/compare_simple/bin/main_1.o -------------------------------------------------------------------------------- /wp/resources/sample_binaries/malloc/compare_simple/bin/main_2.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/malloc/compare_simple/bin/main_2.o -------------------------------------------------------------------------------- /wp/resources/sample_binaries/memory_samples/diff_data/bin/main_1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/memory_samples/diff_data/bin/main_1 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/memory_samples/diff_data/bin/main_2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/memory_samples/diff_data/bin/main_2 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/memory_samples/diff_stack/bin/main_1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/memory_samples/diff_stack/bin/main_1 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/memory_samples/diff_stack/bin/main_2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/memory_samples/diff_stack/bin/main_2 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/memory_samples/mem_hooks/bin/main_1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/memory_samples/mem_hooks/bin/main_1 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/memory_samples/mem_hooks/bin/main_2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/memory_samples/mem_hooks/bin/main_2 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/position_independent/bin/main_1.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/position_independent/bin/main_1.so -------------------------------------------------------------------------------- /wp/resources/sample_binaries/position_independent/bin/main_2.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/position_independent/bin/main_2.so -------------------------------------------------------------------------------- /wp/resources/sample_binaries/switch_case_assignments/bin/main_1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/switch_case_assignments/bin/main_1 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/switch_case_assignments/bin/main_2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/switch_case_assignments/bin/main_2 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/user_func_spec/sub_spec_1/bin/main: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/user_func_spec/sub_spec_1/bin/main -------------------------------------------------------------------------------- /wp/resources/sample_binaries/user_func_spec/sub_spec_2/bin/main: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/user_func_spec/sub_spec_2/bin/main -------------------------------------------------------------------------------- /wp/resources/sample_binaries/user_func_spec/sub_spec_3/bin/main_1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/user_func_spec/sub_spec_3/bin/main_1 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/user_func_spec/sub_spec_3/bin/main_2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/user_func_spec/sub_spec_3/bin/main_2 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/user_func_spec/sub_spec_4/bin/main_1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/user_func_spec/sub_spec_4/bin/main_1 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/user_func_spec/sub_spec_4/bin/main_2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/user_func_spec/sub_spec_4/bin/main_2 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/user_func_spec/sub_spec_5/bin/main: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/user_func_spec/sub_spec_5/bin/main -------------------------------------------------------------------------------- /wp/resources/sample_binaries/user_func_spec/sub_spec_6/bin/orig: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/user_func_spec/sub_spec_6/bin/orig -------------------------------------------------------------------------------- /wp/resources/sample_binaries/verifier_calls/bin/verifier_nondet: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/verifier_calls/bin/verifier_nondet -------------------------------------------------------------------------------- /wp/resources/sample_binaries/func_name_map/compare_calls/bin/main_1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/func_name_map/compare_calls/bin/main_1 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/func_name_map/compare_calls/bin/main_2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/func_name_map/compare_calls/bin/main_2 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/func_name_map/nested_calls/bin/main_1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/func_name_map/nested_calls/bin/main_1 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/func_name_map/nested_calls/bin/main_2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/func_name_map/nested_calls/bin/main_2 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/func_name_map/toplevel_func/bin/main_1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/func_name_map/toplevel_func/bin/main_1 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/func_name_map/toplevel_func/bin/main_2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/func_name_map/toplevel_func/bin/main_2 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/no_position_independent/bin/main_1.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/no_position_independent/bin/main_1.so -------------------------------------------------------------------------------- /wp/resources/sample_binaries/no_position_independent/bin/main_2.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/no_position_independent/bin/main_2.so -------------------------------------------------------------------------------- /wp/resources/sample_binaries/verifier_calls/bin/verifier_assume_sat: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/verifier_calls/bin/verifier_assume_sat -------------------------------------------------------------------------------- /wp/resources/sample_binaries/floating_point/comparison/sat/bin/main_1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/floating_point/comparison/sat/bin/main_1 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/floating_point/comparison/sat/bin/main_2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/floating_point/comparison/sat/bin/main_2 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop_invariant/non_terminating/bin/main: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/loop_invariant/non_terminating/bin/main -------------------------------------------------------------------------------- /wp/resources/sample_binaries/memory_samples/name_matching/bin/main_1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/memory_samples/name_matching/bin/main_1 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/memory_samples/name_matching/bin/main_2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/memory_samples/name_matching/bin/main_2 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/verifier_calls/bin/verifier_assume_unsat: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/verifier_calls/bin/verifier_assume_unsat -------------------------------------------------------------------------------- /vsa/explicit_edge/.merlin: -------------------------------------------------------------------------------- 1 | PKG core_kernel 2 | PKG bap 3 | PKG ocamlgraph 4 | PKG cbat_value_set 5 | 6 | FLG -short-paths 7 | FLG -w 8 | 9 | B _build 10 | B _build/plugin 11 | 12 | S plugin 13 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/diff_pointer_val/src/main_1.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int *x; 4 | 5 | int main(int argc, char *argv[]) { 6 | 7 | *x = 5; 8 | 9 | return *x; 10 | 11 | } 12 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/diff_pointer_val/src/main_2.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int *x; 4 | 5 | int main(int argc, char *argv[]) { 6 | 7 | *x = 6; 8 | 9 | return *x; 10 | 11 | } 12 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/floating_point/comparison/unsat/bin/main_1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/floating_point/comparison/unsat/bin/main_1 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/floating_point/comparison/unsat/bin/main_2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/floating_point/comparison/unsat/bin/main_2 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/init_rodata/src/main.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(void){ 4 | 5 | char* str = "Hello, world!"; 6 | 7 | assert(str[0] == 'H'); 8 | return 0; 9 | } 10 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/memory_samples/data_bss_sections/bin/main_1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/memory_samples/data_bss_sections/bin/main_1 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/memory_samples/data_bss_sections/bin/main_2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/memory_samples/data_bss_sections/bin/main_2 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/indirect_call_no_return/src/main_2.S: -------------------------------------------------------------------------------- 1 | .global _start 2 | 3 | .text 4 | 5 | indirect_call: 6 | ret 7 | 8 | 9 | main: 10 | ret 11 | 12 | _start: 13 | call main 14 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/memory_samples/diff_data_location/bin/main_1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/memory_samples/diff_data_location/bin/main_1 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/memory_samples/diff_data_location/bin/main_2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/memory_samples/diff_data_location/bin/main_2 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/simple_wp/src/main.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(int argc,char ** argv) { 4 | 5 | 6 | if(argc == 3) 7 | assert(0); 8 | 9 | 10 | return 0; 11 | } 12 | -------------------------------------------------------------------------------- /docs/tutorial/01/binary/main.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(int argc, char** argv) { 4 | 5 | if (argc == 0xdeadbeef) { 6 | assert(0); 7 | } 8 | 9 | return 0; 10 | 11 | } 12 | -------------------------------------------------------------------------------- /wp/plugin/.merlin: -------------------------------------------------------------------------------- 1 | S ./wp.ml 2 | S ./tests/** 3 | S ./lib/** 4 | 5 | PKG bap 6 | PKG core 7 | PKG core_unix 8 | PKG z3 9 | PKG ounit2 10 | PKG bap_wp 11 | PKG re 12 | PKG ppx_jane 13 | 14 | B _build/** 15 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/memory_samples/data_bss_sections/src/main_1.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int x = 1; 4 | int y; 5 | int z = 2; 6 | 7 | int main(void) { 8 | 9 | return x + y; 10 | 11 | } 12 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/ogre_files/src/main_2.c: -------------------------------------------------------------------------------- 1 | 2 | int f2() { 3 | return 7; 4 | } 5 | 6 | int f1() { 7 | return 2; 8 | } 9 | 10 | int main() { 11 | int x = f1(); 12 | return x; 13 | } 14 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/user_func_spec/sub_spec_4/src/main_2.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int main(int argc,char ** argv) { 5 | int x = 0x0000000000000067; 6 | return x; 7 | } 8 | -------------------------------------------------------------------------------- /docs/tutorial/07/binary/main.c: -------------------------------------------------------------------------------- 1 | /* The main entry point into the program. */ 2 | int main(int argc, char **argv) { 3 | if (argc < 10) { 4 | return 7; 5 | } else { 6 | return 254; 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /wp/lib/bap_wp/src/dune: -------------------------------------------------------------------------------- 1 | (library 2 | (name bap_wp) 3 | (public_name bap_wp) 4 | (libraries bap bap-x86-cpu bap-arm z3 ounit2 re str findlib.dynload threads) 5 | (preprocess (pps ppx_sexp_conv ppx_bin_prot))) 6 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/cbat-multicompiler-samples/csmith/bin/csmith-10684: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/cbat-multicompiler-samples/csmith/bin/csmith-10684 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/cbat-multicompiler-samples/csmith/bin/csmith-16812: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/cbat-multicompiler-samples/csmith/bin/csmith-16812 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/cbat-multicompiler-samples/csmith/bin/csmith-17669: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/cbat-multicompiler-samples/csmith/bin/csmith-17669 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/cbat-multicompiler-samples/csmith/bin/csmith-5635: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/cbat-multicompiler-samples/csmith/bin/csmith-5635 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/cbat-multicompiler-samples/csmith/bin/csmith-7545: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/cbat-multicompiler-samples/csmith/bin/csmith-7545 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/equiv_argc/src/main_2.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(int argc, char *argv[]) { 4 | 5 | if(argc == 2) { 6 | return 1; 7 | } 8 | 9 | return argc; 10 | 11 | } 12 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/equiv_null_check/src/main_1.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(void) { 4 | 5 | char * p = malloc(10); 6 | 7 | * (p + 3) = 0; 8 | 9 | return * (p + 3); 10 | 11 | } 12 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/func_name_map/toplevel_func/src/main_1.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int foo(int x) { 5 | return x; 6 | } 7 | 8 | int main(void) { 9 | return foo(3); 10 | } 11 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/memory_samples/name_matching/src/main_2.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int x_1234 = 1; 4 | int x1_1234 = 1; 5 | int y = 1; 6 | 7 | int main(void) { 8 | 9 | return x_1234; 10 | 11 | } 12 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/no_stack_protection/src/main_1.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(int argc, const char **argv) { 4 | 5 | char buffer[10]; 6 | strcpy(buffer, argv[0]); 7 | 8 | return 0; 9 | } 10 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/no_stack_protection/src/main_2.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(int argc, const char **argv) { 4 | 5 | char buffer[10]; 6 | strcpy(buffer, argv[0]); 7 | 8 | return 0; 9 | } 10 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/pointer_flag_single/src/main.c: -------------------------------------------------------------------------------- 1 | int foo(int * x){ 2 | int y = 3; 3 | *x = 0xdeadbeef; 4 | return y; 5 | } 6 | 7 | int main(int argc, char* argv[]) 8 | { 9 | return 0; 10 | } 11 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/cbat-multicompiler-samples/equiv_argc/bin/equiv_argc-15688: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/cbat-multicompiler-samples/equiv_argc/bin/equiv_argc-15688 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/cbat-multicompiler-samples/equiv_argc/bin/equiv_argc-17506: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/cbat-multicompiler-samples/equiv_argc/bin/equiv_argc-17506 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/cbat-multicompiler-samples/equiv_argc/bin/equiv_argc-25706: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/cbat-multicompiler-samples/equiv_argc/bin/equiv_argc-25706 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/cbat-multicompiler-samples/equiv_argc/bin/equiv_argc-6404: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/cbat-multicompiler-samples/equiv_argc/bin/equiv_argc-6404 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/cbat-multicompiler-samples/equiv_argc/bin/equiv_argc-6487: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/cbat-multicompiler-samples/equiv_argc/bin/equiv_argc-6487 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/func_name_map/nested_calls/src/main_1.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int bar(int x) { 5 | return x + 1; 6 | } 7 | 8 | int foo(int x) { 9 | return x + bar(x); 10 | } 11 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/func_name_map/toplevel_func/src/main_2.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int test_foo(int x) { 5 | return x; 6 | } 7 | 8 | int main(void) { 9 | return test_foo(3); 10 | } 11 | -------------------------------------------------------------------------------- /docs/exercises/01/binary/Makefile: -------------------------------------------------------------------------------- 1 | BASE=main 2 | 3 | all: x86-64 4 | 5 | x86-64: $(BASE) 6 | 7 | $(BASE): $(BASE).c 8 | $(CC) -g -Wall -Wpedantic -fno-stack-protector -z execstack -o $@ $< 9 | 10 | clean: 11 | rm -f $(BASE) 12 | -------------------------------------------------------------------------------- /docs/exercises/02/binary/Makefile: -------------------------------------------------------------------------------- 1 | BASE=main 2 | 3 | all: x86-64 4 | 5 | x86-64: $(BASE) 6 | 7 | $(BASE): $(BASE).c 8 | $(CC) -g -Wall -Wpedantic -fno-stack-protector -z execstack -o $@ $< 9 | 10 | clean: 11 | rm -f $(BASE) 12 | -------------------------------------------------------------------------------- /docs/tutorial/01/binary/Makefile: -------------------------------------------------------------------------------- 1 | BASE=main 2 | 3 | all: x86-64 4 | 5 | x86-64: $(BASE) 6 | 7 | $(BASE): $(BASE).c 8 | $(CC) -g -Wall -Wpedantic -fno-stack-protector -z execstack -o $@ $< 9 | 10 | clean: 11 | rm -f $(BASE) 12 | -------------------------------------------------------------------------------- /docs/tutorial/02/binary/Makefile: -------------------------------------------------------------------------------- 1 | BASE=main 2 | 3 | all: x86-64 4 | 5 | x86-64: $(BASE) 6 | 7 | $(BASE): $(BASE).c 8 | $(CC) -g -Wall -Wpedantic -fno-stack-protector -z execstack -o $@ $< 9 | 10 | clean: 11 | rm -f $(BASE) 12 | -------------------------------------------------------------------------------- /docs/tutorial/06/binary/Makefile: -------------------------------------------------------------------------------- 1 | BASE=main 2 | 3 | all: x86-64 4 | 5 | x86-64: $(BASE) 6 | 7 | $(BASE): $(BASE).c 8 | $(CC) -g -Wall -Wpedantic -fno-stack-protector -z execstack -o $@ $< 9 | 10 | clean: 11 | rm -f $(BASE) 12 | -------------------------------------------------------------------------------- /docs/tutorial/07/binary/Makefile: -------------------------------------------------------------------------------- 1 | BASE=main 2 | 3 | all: x86-64 4 | 5 | x86-64: $(BASE) 6 | 7 | $(BASE): $(BASE).c 8 | $(CC) -g -Wall -Wpedantic -fno-stack-protector -z execstack -o $@ $< 9 | 10 | clean: 11 | rm -f $(BASE) 12 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/init_var/src/main.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | uint64_t foo(uint64_t x) { 4 | return x + 1; 5 | } 6 | 7 | int main(int argc,char ** argv) { 8 | 9 | foo(argc); 10 | 11 | return 0; 12 | } 13 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/memory_samples/data_bss_sections/src/main_2.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int y; 4 | int a; 5 | int x = 1; 6 | int b; 7 | int z = 2; 8 | 9 | int main(void) { 10 | 11 | return x + y; 12 | 13 | } 14 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/null_deref/src/main.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(int argc,char ** argv) { 4 | 5 | int x; 6 | 7 | if (argc == 3) { 8 | x = *((int *) NULL); 9 | } 10 | 11 | return x; 12 | } 13 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/verifier_calls/src/verifier_assume_sat.c: -------------------------------------------------------------------------------- 1 | #include "../../../../plugin/api/c/cbat.h" 2 | 3 | void 4 | main(void) 5 | { 6 | int x; 7 | 8 | if(x <= 0) { 9 | __VERIFIER_error(); 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/indirect_call_no_return/src/main_1.S: -------------------------------------------------------------------------------- 1 | .global _start 2 | 3 | .text 4 | 5 | offset: 6 | ret 7 | 8 | indirect_call: 9 | ret 10 | 11 | 12 | main: 13 | ret 14 | 15 | _start: 16 | call main 17 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/indirect_call_return/src/main_2.S: -------------------------------------------------------------------------------- 1 | .global _start 2 | 3 | .text 4 | 5 | indirect_call: 6 | callq *%rdi 7 | mov (%rsp), %rax 8 | ret 9 | 10 | 11 | main: 12 | ret 13 | 14 | _start: 15 | call main 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/position_independent/src/main_1.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int8_t init(){ 5 | return 0; 6 | } 7 | 8 | int8_t example(){ 9 | int8_t err = init(); 10 | return err; 11 | } 12 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/position_independent/src/main_2.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int8_t init(){ 5 | return 1; 6 | } 7 | 8 | int8_t example(){ 9 | int8_t err = init(); 10 | return err; 11 | } 12 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/arm/mem_comparison/src/main_1.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | unsigned int foo[10]; 4 | 5 | unsigned int foo_get(int x) { 6 | return foo[x]; 7 | } 8 | 9 | int main(void) { 10 | 11 | return 0; 12 | 13 | } 14 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/func_name_map/nested_calls/src/main_2.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int test_bar(int x) { 5 | return x + 2; 6 | } 7 | 8 | int test_foo(int x) { 9 | return x + test_bar(x); 10 | } 11 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/arm/mem_comparison/src/main_2.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | unsigned int foo[10]; 4 | 5 | unsigned int foo_get(int x) { 6 | return foo[x + 1]; 7 | } 8 | 9 | int main(void) { 10 | 11 | return 0; 12 | 13 | } 14 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/retrowrite_stub/src/main_1.S: -------------------------------------------------------------------------------- 1 | .global _start 2 | 3 | .text 4 | 5 | main: 6 | nop 7 | ret 8 | 9 | _start: 10 | call main 11 | mov $0x0, %rbx 12 | mov $0x1, %rax 13 | int $0x80 14 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/user_func_spec/sub_spec_6/README.md: -------------------------------------------------------------------------------- 1 | This folder contains six tests that exercise our ability to give user-provided 2 | function summaries that are _different_ in the original and modified binaries 3 | for the same function. 4 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/retrowrite_stub_no_ret/src/main_1.S: -------------------------------------------------------------------------------- 1 | .global _start 2 | 3 | .text 4 | 5 | main: 6 | nop 7 | ret 8 | 9 | _start: 10 | call main 11 | mov $0x0, %rbx 12 | mov $0x1, %rax 13 | int $0x80 14 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | /**/_build 2 | /**/_tags 3 | /**/META 4 | /**/setup.log 5 | /**/setup.data 6 | /**/setup.ml 7 | myocamlbuild.ml 8 | *.mldylib 9 | *.mllib 10 | *.plugin 11 | *.cmi 12 | *.cmo 13 | *.native 14 | *.byte 15 | *.bpj 16 | oUnit-All* 17 | *.DS_Store 18 | -------------------------------------------------------------------------------- /bildb/init.yml: -------------------------------------------------------------------------------- 1 | Variables: 2 | R8: 0x0000000 3 | R9: 0x7fffffff 4 | RAX: 0x00000abc 5 | RCX: 0x00000000 6 | RDI: 0x00000000 7 | RDX: 0x00000000 8 | RSI: 0x00000000 9 | Locations: 10 | 0x3ffffff1: 0x00000123 11 | 0x3ffffff9: 0x00000abc 12 | -------------------------------------------------------------------------------- /docs/exercises/03/binary/Makefile: -------------------------------------------------------------------------------- 1 | BASE=main 2 | PROG1=$(BASE)_1 3 | PROG2=$(BASE)_2 4 | 5 | all: $(PROG1) $(PROG2) 6 | 7 | %: %.c 8 | $(CC) -g -Wall -Wpedantic -fno-stack-protector -z execstack -o $@ $< 9 | 10 | clean: 11 | rm -f $(PROG1) $(PROG2) 12 | -------------------------------------------------------------------------------- /docs/exercises/04/binary/Makefile: -------------------------------------------------------------------------------- 1 | BASE=main 2 | PROG1=$(BASE)_1 3 | PROG2=$(BASE)_2 4 | 5 | all: $(PROG1) $(PROG2) 6 | 7 | %: %.c 8 | $(CC) -g -Wall -Wpedantic -fno-stack-protector -z execstack -o $@ $< 9 | 10 | clean: 11 | rm -f $(PROG1) $(PROG2) 12 | -------------------------------------------------------------------------------- /docs/tutorial/04/binary/Makefile: -------------------------------------------------------------------------------- 1 | BASE=main 2 | PROG1=$(BASE)_1 3 | PROG2=$(BASE)_2 4 | 5 | all: $(PROG1) $(PROG2) 6 | 7 | %: %.c 8 | $(CC) -g -Wall -Wpedantic -fno-stack-protector -z execstack -o $@ $< 9 | 10 | clean: 11 | rm -f $(PROG1) $(PROG2) 12 | -------------------------------------------------------------------------------- /docs/tutorial/05/binary/Makefile: -------------------------------------------------------------------------------- 1 | BASE=main 2 | PROG1=$(BASE)_1 3 | PROG2=$(BASE)_2 4 | 5 | all: $(PROG1) $(PROG2) 6 | 7 | %: %.c 8 | $(CC) -g -Wall -Wpedantic -fno-stack-protector -z execstack -o $@ $< 9 | 10 | clean: 11 | rm -f $(PROG1) $(PROG2) 12 | -------------------------------------------------------------------------------- /docs/tutorial/08/binary/Makefile: -------------------------------------------------------------------------------- 1 | BASE=main 2 | PROG1=$(BASE)_1 3 | PROG2=$(BASE)_2 4 | 5 | all: $(PROG1) $(PROG2) 6 | 7 | %: %.c 8 | $(CC) -g -Wall -Wpedantic -fno-stack-protector -z execstack -o $@ $< 9 | 10 | clean: 11 | rm -f $(PROG1) $(PROG2) 12 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/cbat-multicompiler-samples/equiv_argc/src/equiv_argc.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(int argc, char *argv[]) { 4 | 5 | if(argc == 2) { 6 | return 1; 7 | } 8 | 9 | return argc; 10 | 11 | } 12 | 13 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/function_spec/src/main.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int foo(int x) { 4 | return 3; 5 | } 6 | 7 | int main(int argc, char **argv) { 8 | 9 | if(foo(argc) == 5){ 10 | assert(0); 11 | } 12 | 13 | return 0; 14 | } 15 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/verifier_calls/src/verifier_nondet.c: -------------------------------------------------------------------------------- 1 | #include "../../../../plugin/api/c/cbat.h" 2 | 3 | void 4 | main(void) 5 | { 6 | int x = __VERIFIER_nondet_int(); 7 | 8 | if(x > 0) { 9 | __VERIFIER_error(); 10 | } 11 | } 12 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/arm/function_spec/src/main.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int foo(int x) { 4 | return 3; 5 | } 6 | 7 | int main(int argc, char **argv) { 8 | 9 | if(foo(argc) == 5){ 10 | assert(0); 11 | } 12 | 13 | return 0; 14 | } 15 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/non_null_check/src/main_1.S: -------------------------------------------------------------------------------- 1 | .global _start 2 | 3 | .text 4 | 5 | main: 6 | mov (%rdi), %rsi 7 | ret 8 | 9 | _start: 10 | call main 11 | mov $0x0, %rbx 12 | mov $0x1, %rax 13 | int $0x80 14 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/non_null_check/src/main_2.S: -------------------------------------------------------------------------------- 1 | .global _start 2 | 3 | .text 4 | 5 | main: 6 | mov 1(%rdi), %rsi 7 | ret 8 | 9 | _start: 10 | call main 11 | mov $0x0, %rbx 12 | mov $0x1, %rax 13 | int $0x80 14 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/pointer_flag/src/main_1.c: -------------------------------------------------------------------------------- 1 | int deref(int *num_1) { 2 | int num_2 = 12; 3 | if(*num_1 > num_2){ 4 | return -1; 5 | } 6 | return 0; 7 | } 8 | 9 | int main(int argc, char** argv){ 10 | return 0; 11 | } 12 | -------------------------------------------------------------------------------- /wp/plugin/tests/unit/dune: -------------------------------------------------------------------------------- 1 | (tests 2 | (names test) 3 | (libraries 4 | bap 5 | ounit2 6 | z3 7 | findlib.dynload 8 | threads 9 | re 10 | str 11 | core_unix 12 | wp-plugin-tests) 13 | (flags -w -A-48-44-70) 14 | (ocamlopt_flags -O3)) 15 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/verifier_calls/src/verifier_assume_unsat.c: -------------------------------------------------------------------------------- 1 | #include "../../../../plugin/api/c/cbat.h" 2 | 3 | void 4 | main(void) 5 | { 6 | int x; 7 | __VERIFIER_assume(x > 0); 8 | 9 | if(x <= 0) { 10 | __VERIFIER_error(); 11 | } 12 | } 13 | -------------------------------------------------------------------------------- /docs/tutorial/03/binary/main.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main() { 4 | 5 | // Allocate a byte of memory, at address `addr` 6 | char *addr = malloc(sizeof(char)); 7 | 8 | // Store the character 'z' at that address 9 | *addr = 'z'; 10 | 11 | } 12 | -------------------------------------------------------------------------------- /wp/plugin/tests/integration/dune: -------------------------------------------------------------------------------- 1 | (tests 2 | (names test) 3 | (libraries 4 | bap 5 | ounit2 6 | z3 7 | findlib.dynload 8 | threads 9 | re 10 | str 11 | core_unix 12 | wp-plugin-tests) 13 | (flags -w -A-48-44-70) 14 | (ocamlopt_flags -O3)) 15 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/equiv_null_check/src/main_2.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int main(void) { 5 | 6 | char * p = malloc(10); 7 | 8 | if( p == NULL ) assert(0); 9 | 10 | * (p + 3) = 0; 11 | 12 | return * (p + 3); 13 | 14 | } 15 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/linked_list/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | all: $(BIN_DIR)/main 5 | 6 | $(BIN_DIR): 7 | mkdir -p $@ 8 | 9 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 10 | gcc -Wall -g -o $@ $< 11 | 12 | clean: 13 | rm -rf $(BIN_DIR) 14 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/nested_ifs/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | all: $(BIN_DIR)/main 5 | 6 | $(BIN_DIR): 7 | mkdir -p $@ 8 | 9 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 10 | gcc -Wall -g -o $@ $< 11 | 12 | clean: 13 | rm -rf $(BIN_DIR) 14 | -------------------------------------------------------------------------------- /vsa/value_set/lib/src/dune: -------------------------------------------------------------------------------- 1 | (library 2 | (name cbat_value_set) 3 | (public_name cbat_value_set) 4 | (libraries bap) 5 | (preprocess 6 | (pps 7 | ppx_deriving 8 | ppx_bin_prot 9 | ppx_sexp_conv 10 | ppx_compare 11 | ppx_fields_conv))) 12 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/cbat-multicompiler-samples/switch_case_assignments/bin/switch_case_assignments-8458: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/cbat-multicompiler-samples/switch_case_assignments/bin/switch_case_assignments-8458 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/func_name_map/compare_calls/src/main_1.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int bar(int x) { 5 | return x + 1; 6 | } 7 | 8 | int baz(int x) { 9 | return x + 2; 10 | } 11 | 12 | int foo(int x) { 13 | return bar(x); 14 | } 15 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/function_call/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | all: $(BIN_DIR)/main 5 | 6 | $(BIN_DIR): 7 | mkdir -p $@ 8 | 9 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 10 | gcc -Wall -g -o $@ -c $< 11 | 12 | clean: 13 | rm -rf $(BIN_DIR) 14 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/function_call/src/main.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int foo(int x) { 4 | if(x == 5) { 5 | assert(0); 6 | } 7 | 8 | return 1; 9 | } 10 | 11 | int main(int argc, char **argv) { 12 | 13 | foo(argc); 14 | 15 | return 0; 16 | } 17 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/function_spec/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | all: $(BIN_DIR)/main 5 | 6 | $(BIN_DIR): 7 | mkdir -p $@ 8 | 9 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 10 | gcc -Wall -g -o $@ -c $< 11 | 12 | clean: 13 | rm -rf $(BIN_DIR) 14 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/hash_function/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | all: $(BIN_DIR)/main 5 | 6 | $(BIN_DIR): 7 | mkdir -p $@ 8 | 9 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 10 | gcc -Wall -g -o $@ $< 11 | 12 | clean: 13 | rm -rf $(BIN_DIR) 14 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop/loop_depth_one/src/main_2.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | int foo(uint8_t i){ 7 | return i; 8 | } 9 | 10 | int main(int argc, char** argv) { 11 | return 0; 12 | } 13 | -------------------------------------------------------------------------------- /bildb/resources/README.md: -------------------------------------------------------------------------------- 1 | # Resources 2 | 3 | This folder contains a simple C program one can use to try out BILDB. 4 | 5 | To clean and build: 6 | 7 | make 8 | 9 | To build: 10 | 11 | make exe.build 12 | 13 | To clean: 14 | 15 | make exe.clean 16 | 17 | 18 | -------------------------------------------------------------------------------- /vsa/value_set/unit_tests/Makefile: -------------------------------------------------------------------------------- 1 | .PHONY: test clean 2 | 3 | all: test 4 | 5 | test: 6 | ocamlbuild -r -use-ocamlfind -pkgs 'bap, cbat_value_set,oUnit' -tag 'warn(A-48-44),debug,thread' test.native 7 | ./test.native 8 | 9 | clean: 10 | rm -rf _build 11 | rm -f test.native 12 | -------------------------------------------------------------------------------- /wp/plugin/tests/test_libs/dune: -------------------------------------------------------------------------------- 1 | (library 2 | (name wp_plugin_tests) 3 | (public_name wp-plugin-tests) 4 | (flags -w -A-44-70) 5 | (libraries 6 | bap 7 | z3 8 | bap_wp 9 | ounit2 10 | re 11 | str 12 | core_unix 13 | findlib.dynload 14 | threads)) 15 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/cbat-multicompiler-samples/switch_case_assignments/bin/switch_case_assignments-23908: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/cbat-multicompiler-samples/switch_case_assignments/bin/switch_case_assignments-23908 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/cbat-multicompiler-samples/switch_case_assignments/bin/switch_case_assignments-26471: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/cbat-multicompiler-samples/switch_case_assignments/bin/switch_case_assignments-26471 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/cbat-multicompiler-samples/switch_case_assignments/bin/switch_case_assignments-27596: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/cbat-multicompiler-samples/switch_case_assignments/bin/switch_case_assignments-27596 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/cbat-multicompiler-samples/switch_case_assignments/bin/switch_case_assignments-28527: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/draperlaboratory/cbat_tools/HEAD/wp/resources/sample_binaries/cbat-multicompiler-samples/switch_case_assignments/bin/switch_case_assignments-28527 -------------------------------------------------------------------------------- /wp/resources/sample_binaries/indirect_call_return/src/main_1.S: -------------------------------------------------------------------------------- 1 | .global _start 2 | 3 | .text 4 | 5 | offset: 6 | ret 7 | 8 | indirect_call: 9 | callq *%rdi 10 | mov (%rsp), %rax 11 | ret 12 | 13 | 14 | main: 15 | ret 16 | 17 | _start: 18 | call main 19 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/init_var_compare/src/main_1.S: -------------------------------------------------------------------------------- 1 | .global _start 2 | 3 | .text 4 | 5 | main: 6 | movq %rdi, %rax 7 | inc %rax 8 | ret 9 | 10 | _start: 11 | call main 12 | mov $0x3c, %rax 13 | xor %rdi, %rdi 14 | syscall 15 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/init_var_compare/src/main_2.S: -------------------------------------------------------------------------------- 1 | .global _start 2 | 3 | .text 4 | 5 | main: 6 | inc %rdi 7 | movq %rdi, %rax 8 | ret 9 | 10 | _start: 11 | call main 12 | mov $0x3c, %rax 13 | xor %rdi, %rdi 14 | syscall 15 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/memcpy/memcpy_example/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | all: $(BIN_DIR)/main 5 | 6 | $(BIN_DIR): 7 | mkdir -p $@ 8 | 9 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 10 | clang -O0 -g -o $@ $< 11 | 12 | clean: 13 | rm -rf $(BIN_DIR) 14 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/nested_function_calls/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | all: $(BIN_DIR)/main 5 | 6 | $(BIN_DIR): 7 | mkdir -p $@ 8 | 9 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 10 | gcc -Wall -g -o $@ $< 11 | 12 | clean: 13 | rm -rf $(BIN_DIR) 14 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/user_func_spec/sub_spec_4/src/main_1.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int g() { 5 | return 0x0000000000000067; 6 | } 7 | 8 | int main(int argc,char ** argv) { 9 | argc = g(); 10 | int x = g(); 11 | return x ; 12 | } 13 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/floating_point/single/src/main.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | float foo(void) { 4 | register float x asm ("xmm0") = 1.25; 5 | return x; 6 | } 7 | 8 | int main(int argc,char ** argv) { 9 | 10 | printf("%f\n", foo()); 11 | 12 | return 0; 13 | } 14 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop_invariant/break/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | all: $(BIN_DIR)/main 5 | 6 | $(BIN_DIR): 7 | mkdir -p $@ 8 | 9 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 10 | gcc -Wall -g -o $@ -c $< 11 | 12 | clean: 13 | rm -rf $(BIN_DIR) 14 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop_invariant/do_while/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | all: $(BIN_DIR)/main 5 | 6 | $(BIN_DIR): 7 | mkdir -p $@ 8 | 9 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 10 | clang -Wall -g -o $@ $< 11 | 12 | clean: 13 | rm -rf $(BIN_DIR) 14 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/memcpy/memcpy_example_2/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | all: $(BIN_DIR)/main 5 | 6 | $(BIN_DIR): 7 | mkdir -p $@ 8 | 9 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 10 | clang -O0 -g -o $@ $< 11 | 12 | clean: 13 | rm -rf $(BIN_DIR) 14 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/pointer_flag/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | all: $(BIN_DIR)/main_1 $(BIN_DIR)/main_2 5 | 6 | $(BIN_DIR): 7 | mkdir -p $@ 8 | 9 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 10 | gcc -g -o $@ $< 11 | 12 | clean: 13 | rm -rf $(BIN_DIR) 14 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/pointer_flag/src/main_2.c: -------------------------------------------------------------------------------- 1 | int deref(int *num_1) { 2 | int num_2 = 12; 3 | int local = 42; 4 | if(*num_1 > num_2){ 5 | return -1; 6 | } 7 | return 0; 8 | } 9 | 10 | int main(int argc, char** argv){ 11 | return 0; 12 | } 13 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop_invariant/in_registers/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | all: $(BIN_DIR)/main 5 | 6 | $(BIN_DIR): 7 | mkdir -p $@ 8 | 9 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 10 | gcc -Wall -g -o $@ -c $< 11 | 12 | clean: 13 | rm -rf $(BIN_DIR) 14 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop_invariant/nondet_iters/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | all: $(BIN_DIR)/main 5 | 6 | $(BIN_DIR): 7 | mkdir -p $@ 8 | 9 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 10 | gcc -Wall -g -o $@ -c $< 11 | 12 | clean: 13 | rm -rf $(BIN_DIR) 14 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop_invariant/on_stack/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | all: $(BIN_DIR)/main 5 | 6 | $(BIN_DIR): 7 | mkdir -p $@ 8 | 9 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 10 | clang -Wall -g -o $@ -c $< 11 | 12 | clean: 13 | rm -rf $(BIN_DIR) 14 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/switch_cases/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | all: $(BIN_DIR)/main_1 $(BIN_DIR)/main_2 5 | 6 | $(BIN_DIR): 7 | mkdir -p $@ 8 | 9 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 10 | gcc -Wall -g -o $@ $< 11 | 12 | clean: 13 | rm -rf $(BIN_DIR) 14 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/floating_point/comparison/sat/src/main_1.c: -------------------------------------------------------------------------------- 1 | float foo(void) { 2 | register float x asm ("xmm0") = 1.0; 3 | register float y asm ("xmm1") = 2.0; 4 | return x + y; 5 | } 6 | 7 | int main(int argc,char ** argv) { 8 | 9 | foo(); 10 | 11 | return 0; 12 | } 13 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/floating_point/comparison/sat/src/main_2.c: -------------------------------------------------------------------------------- 1 | float foo(void) { 2 | register float x asm ("xmm0") = 1.0; 3 | register float y asm ("xmm1") = 3.0; 4 | return x + y; 5 | } 6 | 7 | int main(int argc,char ** argv) { 8 | 9 | foo(); 10 | 11 | return 0; 12 | } 13 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/floating_point/comparison/unsat/src/main_1.c: -------------------------------------------------------------------------------- 1 | float foo(void) { 2 | register float x asm ("xmm0") = 1.0; 3 | register float y asm ("xmm1") = 2.0; 4 | return x + y; 5 | } 6 | 7 | int main(int argc,char ** argv) { 8 | 9 | foo(); 10 | 11 | return 0; 12 | } 13 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/floating_point/comparison/unsat/src/main_2.c: -------------------------------------------------------------------------------- 1 | float foo(void) { 2 | register float x asm ("xmm0") = 1.0; 3 | register float y asm ("xmm1") = 2.0; 4 | return x + y; 5 | } 6 | 7 | int main(int argc,char ** argv) { 8 | 9 | foo(); 10 | 11 | return 0; 12 | } 13 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop_invariant/non_terminating/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | all: $(BIN_DIR)/main 5 | 6 | $(BIN_DIR): 7 | mkdir -p $@ 8 | 9 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 10 | clang -Wall -g -o $@ -c $< 11 | 12 | clean: 13 | rm -rf $(BIN_DIR) 14 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop_invariant/non_terminating/src/main.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int loop(void) { 4 | int x = 0; 5 | while (true) { 6 | x++; 7 | } 8 | return x; 9 | } 10 | 11 | int main(int argc, char **argv) { 12 | 13 | loop(); 14 | 15 | return 0; 16 | } 17 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/memory_samples/arrays/src/main_1.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int x = 1; 4 | int y; 5 | int z = 2; 6 | 7 | unsigned int foo[10]; 8 | 9 | unsigned int foo_get(int x) { 10 | return foo[x]; 11 | } 12 | 13 | int main(void) { 14 | 15 | return 0; 16 | 17 | } 18 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/same_null_deref/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | all: $(BIN_DIR)/main_1 $(BIN_DIR)/main_2 5 | 6 | $(BIN_DIR): 7 | mkdir -p $@ 8 | 9 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 10 | gcc -Wall -g -o $@ $< 11 | 12 | clean: 13 | rm -rf $(BIN_DIR) 14 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/arm/function_spec/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | all: $(BIN_DIR)/main 5 | 6 | $(BIN_DIR): 7 | mkdir -p $@ 8 | 9 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 10 | arm-linux-gnueabi-gcc -Wall -g -o $@ -c $< 11 | 12 | clean: 13 | rm -rf $(BIN_DIR) 14 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/arm/simple_compare/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | all: $(BIN_DIR)/main.o 5 | 6 | $(BIN_DIR): 7 | mkdir -p $@ 8 | 9 | $(BIN_DIR)/%.o: $(SRC_DIR)/%.asm $(BIN_DIR) 10 | arm-linux-gnueabi-as -g -o $@ -c $< 11 | 12 | clean: 13 | rm -rf $(BIN_DIR) 14 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop/loop_depth_one/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | all: $(BIN_DIR)/main_1 $(BIN_DIR)/main_2 5 | 6 | $(BIN_DIR): 7 | mkdir -p $@ 8 | 9 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 10 | gcc -Wall -g -o $@ $< 11 | 12 | clean: 13 | rm -rf $(BIN_DIR) 14 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/switch_cases_diff_ret/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | all: $(BIN_DIR)/main_1 $(BIN_DIR)/main_2 5 | 6 | $(BIN_DIR): 7 | mkdir -p $@ 8 | 9 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 10 | gcc -Wall -g -o $@ $< 11 | 12 | clean: 13 | rm -rf $(BIN_DIR) 14 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/sudoku_2_by_2/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | FLAGS = -O2 5 | 6 | all: $(BIN_DIR)/main 7 | 8 | $(BIN_DIR): 9 | mkdir -p $@ 10 | 11 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 12 | gcc $(FLAGS) -Wall -g -o $@ $< 13 | 14 | clean: 15 | rm -rf $(BIN_DIR) 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/sudoku_3_by_3/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | FLAGS = -O3 5 | 6 | all: $(BIN_DIR)/main 7 | 8 | $(BIN_DIR): 9 | mkdir -p $@ 10 | 11 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 12 | clang $(FLAGS) -Wall -g -o $@ $< 13 | 14 | clean: 15 | rm -rf $(BIN_DIR) 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/switch_case_assignments/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | all: $(BIN_DIR)/main_1 $(BIN_DIR)/main_2 5 | 6 | $(BIN_DIR): 7 | mkdir -p $@ 8 | 9 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 10 | gcc -Wall -g -o $@ $< 11 | 12 | clean: 13 | rm -rf $(BIN_DIR) 14 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/func_name_map/compare_calls/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | all: $(BIN_DIR)/main_1 $(BIN_DIR)/main_2 5 | 6 | $(BIN_DIR): 7 | mkdir -p $@ 8 | 9 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 10 | gcc -Wall -g -o $@ -c $< 11 | 12 | clean: 13 | rm -rf $(BIN_DIR) 14 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/func_name_map/compare_calls/src/main_2.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int test_bar(int x) { 5 | return x + 1; 6 | } 7 | 8 | int test_baz(int x) { 9 | return x + 2; 10 | } 11 | 12 | int test_foo(int x) { 13 | return test_bar(x) + test_baz(x); 14 | } 15 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/func_name_map/toplevel_func/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | all: $(BIN_DIR)/main_1 $(BIN_DIR)/main_2 5 | 6 | $(BIN_DIR): 7 | mkdir -p $@ 8 | 9 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 10 | gcc -Wall -g -o $@ -c $< 11 | 12 | clean: 13 | rm -rf $(BIN_DIR) 14 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop/loop_depth_two/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | FLAGS = -O0 5 | 6 | all: $(BIN_DIR)/main 7 | 8 | $(BIN_DIR): 9 | mkdir -p $@ 10 | 11 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 12 | gcc $(FLAGS) -Wall -g -o $@ $< 13 | 14 | clean: 15 | rm -rf $(BIN_DIR) 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/no_position_independent/src/main_1.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int8_t init(){ 5 | return 0; 6 | } 7 | 8 | int8_t example(){ 9 | int8_t err = init(); 10 | return err; 11 | } 12 | 13 | int main(int argc, void * argv[]) { 14 | return 0; 15 | } 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/no_position_independent/src/main_2.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int8_t init(){ 5 | return 1; 6 | } 7 | 8 | int8_t example(){ 9 | int8_t err = init(); 10 | return err; 11 | } 12 | 13 | int main(int argc, void * argv[]) { 14 | return 0; 15 | } 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/pointer_flag_single/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | FLAGS = -O0 5 | 6 | all: $(BIN_DIR)/main 7 | 8 | $(BIN_DIR): 9 | mkdir -p $@ 10 | 11 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 12 | gcc $(FLAGS) -Wall -g -o $@ $< 13 | 14 | clean: 15 | rm -rf $(BIN_DIR) 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop/loop_with_assert/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | FLAGS = -O0 5 | 6 | all: $(BIN_DIR)/main 7 | 8 | $(BIN_DIR): 9 | mkdir -p $@ 10 | 11 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 12 | gcc $(FLAGS) -Wall -g -o $@ $< 13 | 14 | clean: 15 | rm -rf $(BIN_DIR) 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/ogre_files/README.md: -------------------------------------------------------------------------------- 1 | # Ogre file test 2 | 3 | This is intended to test the support for using ogre files to lift only parts of 4 | the binary. 5 | 6 | The `run_wp` scripts test various combinations of single-program and comparative 7 | analysis, along with stripped and unstripped binaries. 8 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/pointer_flag_rsp/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | FLAGS = -nostdlib 5 | 6 | all: $(BIN_DIR)/main 7 | 8 | $(BIN_DIR): 9 | mkdir -p $@ 10 | 11 | $(BIN_DIR)/%: $(SRC_DIR)/%.S $(BIN_DIR) 12 | gcc $(FLAGS) -Wall -g -o $@ $< 13 | 14 | clean: 15 | rm -rf $(BIN_DIR) 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop_invariant/on_stack/src/main.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int loop(void) { 4 | int x = 0; 5 | int y = 5; 6 | while (x < 5) { 7 | x++; 8 | y--; 9 | } 10 | return x; 11 | } 12 | 13 | int main(int argc, char **argv) { 14 | 15 | loop(); 16 | 17 | return 0; 18 | } 19 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/conditional_call/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | all: $(BIN_DIR)/main 5 | 6 | $(BIN_DIR): 7 | mkdir -p $@ 8 | 9 | $(BIN_DIR)/%: $(SRC_DIR)/%.asm $(BIN_DIR) 10 | nasm -f elf64 -o $@.o $< 11 | gcc -Wall -g -o $@ $@.o 12 | rm -rf $@.o 13 | 14 | clean: 15 | rm -rf $(BIN_DIR) 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/init_var/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | FLAGS = -fno-stack-protector -z execstack 5 | 6 | all: $(BIN_DIR)/main 7 | 8 | $(BIN_DIR): 9 | mkdir -p $@ 10 | 11 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 12 | gcc $(FLAGS) -Wall -g -o $@ $< 13 | 14 | clean: 15 | rm -rf $(BIN_DIR) 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/non_null_check/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | FLAGS = -nostdlib 5 | 6 | all: $(BIN_DIR)/main_1 $(BIN_DIR)/main_2 7 | 8 | $(BIN_DIR): 9 | mkdir -p $@ 10 | 11 | $(BIN_DIR)/%: $(SRC_DIR)/%.S $(BIN_DIR) 12 | gcc $(FLAGS) -Wall -g -o $@ $< 13 | 14 | clean: 15 | rm -rf $(BIN_DIR) 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/unconditional_call/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | all: $(BIN_DIR)/main 5 | 6 | $(BIN_DIR): 7 | mkdir -p $@ 8 | 9 | $(BIN_DIR)/%: $(SRC_DIR)/%.asm $(BIN_DIR) 10 | nasm -f elf64 -o $@.o $< 11 | gcc -Wall -g -o $@ $@.o 12 | rm -rf $@.o 13 | 14 | clean: 15 | rm -rf $(BIN_DIR) 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/unconditional_call/run_wp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # A very simple example that tests a function call to __assert_fail. 4 | 5 | # Should return SAT. 6 | 7 | run () { 8 | bap wp \ 9 | --func=main \ 10 | --show=paths,bir \ 11 | --trip-asserts \ 12 | -- ./bin/main 13 | } 14 | 15 | run 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/arm/simple_compare/run_wp_r1.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This tests that a comparison of the same ARM binary. 4 | 5 | # Should return UNSAT. 6 | 7 | run () { 8 | bap wp \ 9 | --func=main \ 10 | --postcond="(assert (= R1_orig R1_mod))" \ 11 | -- ./bin/main.o ./bin/main.o 12 | } 13 | 14 | run 15 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/arm/simple_compare/run_wp_r2.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This tests that a comparison of the same ARM binary. 4 | 5 | # Should return UNSAT. 6 | 7 | run () { 8 | bap wp \ 9 | --func=main \ 10 | --postcond="(assert (= R2_orig R2_mod))" \ 11 | -- ./bin/main.o ./bin/main.o 12 | } 13 | 14 | run 15 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/cbat-multicompiler-samples/build-helper.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | rand_build () 4 | { 5 | local seed=${1} 6 | local target=${2} 7 | clang -frandom-seed=$1 -mllvm -shuffle-stack-frames -mllvm -max-stack-pad-size=64 -mllvm -randomize-machine-registers ${target}.c -o ${target}-${seed} 8 | } 9 | 10 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/goto_string/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | all: $(BIN_DIR)/main 5 | 6 | $(BIN_DIR): 7 | mkdir -p $@ 8 | 9 | $(BIN_DIR)/%.s: $(SRC_DIR)/%.c $(BIN_DIR) 10 | gcc -S -g -o $@ $< 11 | 12 | $(BIN_DIR)/%: $(BIN_DIR)/%.s 13 | gcc -g -o $@ -c $< 14 | 15 | clean: 16 | rm -rf $(BIN_DIR) 17 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/init_rodata/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | all: $(BIN_DIR)/main 5 | 6 | $(BIN_DIR): 7 | mkdir -p $@ 8 | 9 | $(BIN_DIR)/%.s: $(SRC_DIR)/%.c $(BIN_DIR) 10 | gcc -S -g -o $@ $< 11 | 12 | $(BIN_DIR)/%: $(BIN_DIR)/%.s 13 | gcc -g -o $@ -c $< 14 | 15 | clean: 16 | rm -rf $(BIN_DIR) 17 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop/loop_depth_one/src/main_1.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | int foo(uint8_t i){ 7 | int k = 0; 8 | while(k < 3){ 9 | k++; 10 | } 11 | return i; 12 | } 13 | 14 | int main(int argc, char** argv) { 15 | return 0; 16 | } 17 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop_invariant/break/src/main.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int loop(void) { 4 | int i = 0; 5 | int j = 5; 6 | while (i < j) { 7 | if (i == 3) { 8 | break; 9 | } 10 | i++; 11 | } 12 | return i; 13 | } 14 | 15 | int main(int argc, char **argv) { 16 | return loop(); 17 | } 18 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/retrowrite_stub/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | FLAGS = -nostdlib 5 | 6 | all: $(BIN_DIR)/main_1 $(BIN_DIR)/main_2 7 | 8 | $(BIN_DIR): 9 | mkdir -p $@ 10 | 11 | $(BIN_DIR)/%: $(SRC_DIR)/%.S $(BIN_DIR) 12 | $(CC) $(FLAGS) -Wall -g -o $@ $< 13 | 14 | clean: 15 | rm -rf $(BIN_DIR) 16 | -------------------------------------------------------------------------------- /bildb/example.yml: -------------------------------------------------------------------------------- 1 | Variables: 2 | R8: 0x0000000000000000 3 | R9: 0x00007fffffff0000 4 | RAX: 0x0000000000000abc 5 | RCX: 0x0000000000000000 6 | RDI: 0x0000000000000000 7 | RDX: 0x0000000000000000 8 | RSI: 0x0000000000000000 9 | Locations: 10 | 0x000003FFFFFF8: 0x000000000000123 11 | 0x000003FFFFFF1: 0x000000000000abc 12 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/indirect_call_no_return/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | FLAGS = -nostdlib 5 | 6 | all: $(BIN_DIR)/main_1 $(BIN_DIR)/main_2 7 | 8 | $(BIN_DIR): 9 | mkdir -p $@ 10 | 11 | $(BIN_DIR)/%: $(SRC_DIR)/%.S $(BIN_DIR) 12 | gcc $(FLAGS) -Wall -g -o $@ $< 13 | 14 | clean: 15 | rm -rf $(BIN_DIR) 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/indirect_call_return/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | FLAGS = -nostdlib 5 | 6 | all: $(BIN_DIR)/main_1 $(BIN_DIR)/main_2 7 | 8 | $(BIN_DIR): 9 | mkdir -p $@ 10 | 11 | $(BIN_DIR)/%: $(SRC_DIR)/%.S $(BIN_DIR) 12 | gcc $(FLAGS) -Wall -g -o $@ $< 13 | 14 | clean: 15 | rm -rf $(BIN_DIR) 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/init_var_compare/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | FLAGS = -nostdlib -no-pie 5 | 6 | all: $(BIN_DIR)/main_1 $(BIN_DIR)/main_2 7 | 8 | $(BIN_DIR): 9 | mkdir -p $@ 10 | 11 | $(BIN_DIR)/%: $(SRC_DIR)/%.S $(BIN_DIR) 12 | gcc $(FLAGS) -Wall -g -o $@ $< 13 | 14 | clean: 15 | rm -rf $(BIN_DIR) 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop_invariant/do_while/src/main.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int loop(void) { 4 | int x = 0; 5 | int y = 5; 6 | 7 | do { 8 | x++; 9 | y--; 10 | } while (x < 5); 11 | 12 | return x; 13 | } 14 | 15 | int main(int argc, char **argv) { 16 | 17 | loop(); 18 | 19 | return 0; 20 | } 21 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/no_stack_protection/run_wp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This test compiles the same C file with and without stack protection. 4 | 5 | # Should return SAT 6 | 7 | run () { 8 | bap wp \ 9 | --func=main \ 10 | --compare-post-reg-values=RSI,RAX \ 11 | -- ./bin/main_1 ./bin/main_2 12 | } 13 | 14 | run 15 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/retrowrite_stub_no_ret/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | FLAGS = -nostdlib 5 | 6 | all: $(BIN_DIR)/main_1 $(BIN_DIR)/main_2 7 | 8 | $(BIN_DIR): 9 | mkdir -p $@ 10 | 11 | $(BIN_DIR)/%: $(SRC_DIR)/%.S $(BIN_DIR) 12 | $(CC) $(FLAGS) -Wall -g -o $@ $< 13 | 14 | clean: 15 | rm -rf $(BIN_DIR) 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/same_null_deref/src/main_1.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | bool null_deref(int x, int y) { 6 | int * null = 0x0; 7 | if (*null) { 8 | return x + y; 9 | } 10 | return x + y; 11 | } 12 | 13 | int main(int argc, char ** argv) { 14 | return 0; 15 | } 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/same_null_deref/src/main_2.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | bool null_deref(int x, int y) { 6 | int * null = 0x0; 7 | if (*null) { 8 | return x + y; 9 | } 10 | return x + y; 11 | } 12 | 13 | int main(int argc, char ** argv) { 14 | return 0; 15 | } 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/diff_ret_val/Makefile: -------------------------------------------------------------------------------- 1 | include ../optimization_flags.mk 2 | 3 | SRC_DIR = src 4 | BIN_DIR = bin 5 | 6 | all: $(BIN_DIR)/main_1 $(BIN_DIR)/main_2 7 | 8 | $(BIN_DIR): 9 | mkdir -p $@ 10 | 11 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 12 | gcc $(FLAGS) -Wall -g -o $@ $< 13 | 14 | clean: 15 | rm -rf $(BIN_DIR) 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/equiv_argc/Makefile: -------------------------------------------------------------------------------- 1 | include ../optimization_flags.mk 2 | 3 | SRC_DIR = src 4 | BIN_DIR = bin 5 | 6 | all: $(BIN_DIR)/main_1 $(BIN_DIR)/main_2 7 | 8 | $(BIN_DIR): 9 | mkdir -p $@ 10 | 11 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 12 | gcc $(FLAGS) -Wall -g -o $@ $< 13 | 14 | clean: 15 | rm -rf $(BIN_DIR) 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/func_name_map/nested_calls/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | FLAGS = -shared 5 | 6 | all: $(BIN_DIR)/main_1 $(BIN_DIR)/main_2 7 | 8 | $(BIN_DIR): 9 | mkdir -p $@ 10 | 11 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 12 | gcc $(FLAGS) -Wall -g -o $@ -c $< 13 | 14 | clean: 15 | rm -rf $(BIN_DIR) 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/memory_samples/mem_hooks/src/main_1.S: -------------------------------------------------------------------------------- 1 | .global _start 2 | 3 | .text 4 | 5 | main: 6 | mov (val), %rax 7 | ret 8 | 9 | _start: 10 | call main 11 | mov $0x3c, %rax 12 | xor %rdi, %rdi 13 | syscall 14 | 15 | 16 | .data 17 | 18 | val: 19 | .int 1 20 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/pointer_input/Makefile: -------------------------------------------------------------------------------- 1 | include ../optimization_flags.mk 2 | 3 | SRC_DIR = src 4 | BIN_DIR = bin 5 | 6 | all: $(BIN_DIR)/main_1 $(BIN_DIR)/main_2 7 | 8 | $(BIN_DIR): 9 | mkdir -p $@ 10 | 11 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 12 | gcc $(FLAGS) -Wall -g -o $@ $< 13 | 14 | clean: 15 | rm -rf $(BIN_DIR) 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/arm/mem_comparison/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | FLAGS = -o0 5 | 6 | all: $(BIN_DIR)/main_1 $(BIN_DIR)/main_2 7 | 8 | $(BIN_DIR): 9 | mkdir -p $@ 10 | 11 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 12 | arm-linux-gnueabi-gcc $(FLAGS) -Wall -g -o $@ -c $< 13 | 14 | clean: 15 | rm -rf $(BIN_DIR) 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/diff_pointer_val/Makefile: -------------------------------------------------------------------------------- 1 | include ../optimization_flags.mk 2 | 3 | SRC_DIR = src 4 | BIN_DIR = bin 5 | 6 | all: $(BIN_DIR)/main_1 $(BIN_DIR)/main_2 7 | 8 | $(BIN_DIR): 9 | mkdir -p $@ 10 | 11 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 12 | gcc $(FLAGS) -Wall -g -o $@ $< 13 | 14 | clean: 15 | rm -rf $(BIN_DIR) 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/double_dereference/Makefile: -------------------------------------------------------------------------------- 1 | include ../optimization_flags.mk 2 | 3 | SRC_DIR = src 4 | BIN_DIR = bin 5 | 6 | all: $(BIN_DIR)/main_1 $(BIN_DIR)/main_2 7 | 8 | $(BIN_DIR): 9 | mkdir -p $@ 10 | 11 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 12 | gcc $(FLAGS) -Wall -g -o $@ $< 13 | 14 | clean: 15 | rm -rf $(BIN_DIR) 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/equiv_null_check/Makefile: -------------------------------------------------------------------------------- 1 | include ../optimization_flags.mk 2 | 3 | SRC_DIR = src 4 | BIN_DIR = bin 5 | 6 | all: $(BIN_DIR)/main_1 $(BIN_DIR)/main_2 7 | 8 | $(BIN_DIR): 9 | mkdir -p $@ 10 | 11 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 12 | gcc $(FLAGS) -Wall -g -o $@ $< 13 | 14 | clean: 15 | rm -rf $(BIN_DIR) 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop_invariant/non_terminating/run_wp_no_invariant.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This tests a loop without an invariant to check. 4 | 5 | # Should return SAT. 6 | 7 | run () { 8 | bap wp \ 9 | --num-unroll=0 \ 10 | --func=loop \ 11 | --postcond="(assert false)" \ 12 | -- ./bin/main 13 | } 14 | 15 | run 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/memory_samples/diff_data/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | FLAGS = -nostdlib -no-pie 5 | 6 | all: $(BIN_DIR)/main_1 $(BIN_DIR)/main_2 7 | 8 | $(BIN_DIR): 9 | mkdir -p $@ 10 | 11 | $(BIN_DIR)/%: $(SRC_DIR)/%.S $(BIN_DIR) 12 | gcc $(FLAGS) -Wall -g -o $@ $< 13 | 14 | clean: 15 | rm -rf $(BIN_DIR) 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/memory_samples/diff_stack/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | FLAGS = -nostdlib -no-pie 5 | 6 | all: $(BIN_DIR)/main_1 $(BIN_DIR)/main_2 7 | 8 | $(BIN_DIR): 9 | mkdir -p $@ 10 | 11 | $(BIN_DIR)/%: $(SRC_DIR)/%.S $(BIN_DIR) 12 | gcc $(FLAGS) -Wall -g -o $@ $< 13 | 14 | clean: 15 | rm -rf $(BIN_DIR) 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/memory_samples/mem_hooks/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | FLAGS = -nostdlib -no-pie 5 | 6 | all: $(BIN_DIR)/main_1 $(BIN_DIR)/main_2 7 | 8 | $(BIN_DIR): 9 | mkdir -p $@ 10 | 11 | $(BIN_DIR)/%: $(SRC_DIR)/%.S $(BIN_DIR) 12 | gcc $(FLAGS) -Wall -g -o $@ $< 13 | 14 | clean: 15 | rm -rf $(BIN_DIR) 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/Makefile: -------------------------------------------------------------------------------- 1 | SAMPLE_DIRS = $(wildcard */) 2 | BUILD_DIRS = $(SAMPLE_DIRS:%=build-%) 3 | CLEAN_DIRS = $(SAMPLE_DIRS:%=clean-%) 4 | MAKEFLAGS += -j$(shell nproc) 5 | 6 | all: $(BUILD_DIRS) 7 | $(BUILD_DIRS): 8 | $(MAKE) -C $(@:build-%=%) 9 | 10 | clean: $(CLEAN_DIRS) 11 | $(CLEAN_DIRS): 12 | $(MAKE) -C $(@:clean-%=%) clean 13 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/debruijn/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | FLAGS = -O1 -funroll-loops -fno-stack-protector 5 | 6 | all: $(BIN_DIR)/main_1 $(BIN_DIR)/main_2 7 | 8 | $(BIN_DIR): 9 | mkdir -p $@ 10 | 11 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 12 | gcc $(FLAGS) -Wall -g -o $@ $< 13 | 14 | clean: 15 | rm -rf $(BIN_DIR) 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop/loop_with_assert/src/main.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | int main(int argc, char** argv) { 6 | int counter = 0; 7 | for (int i = 0; i < 2; i++) { 8 | counter += 1; 9 | } 10 | 11 | if (counter == 2) { 12 | assert(0); 13 | } 14 | return counter; 15 | } 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop_invariant/break/run_wp_unroll.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This tests WP's ability to unroll a simple loop. 4 | 5 | # Should return UNSAT. 6 | 7 | run () { 8 | bap wp \ 9 | --num-unroll=5 \ 10 | --func=loop \ 11 | --postcond="(assert (= RAX #x0000000000000003))" \ 12 | -- ./bin/main 13 | } 14 | 15 | run 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop_invariant/in_registers/src/main.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int loop(void) { 4 | register int x asm ("rdi") = 0; 5 | register int y asm ("rsi") = 5; 6 | while (x < 5) { 7 | x++; 8 | y--; 9 | } 10 | return x; 11 | } 12 | 13 | int main(int argc, char **argv) { 14 | loop(); 15 | return 0; 16 | } 17 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/memory_samples/arrays/Makefile: -------------------------------------------------------------------------------- 1 | include ../../optimization_flags.mk 2 | 3 | SRC_DIR = src 4 | BIN_DIR = bin 5 | 6 | all: $(BIN_DIR)/main_1 $(BIN_DIR)/main_2 7 | 8 | $(BIN_DIR): 9 | mkdir -p $@ 10 | 11 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 12 | gcc $(FLAGS) -Wall -g -o $@ $< 13 | 14 | clean: 15 | rm -rf $(BIN_DIR) 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/arm/Makefile: -------------------------------------------------------------------------------- 1 | SAMPLE_DIRS = $(wildcard */) 2 | BUILD_DIRS = $(SAMPLE_DIRS:%=build-%) 3 | CLEAN_DIRS = $(SAMPLE_DIRS:%=clean-%) 4 | MAKEFLAGS += -j$(shell nproc) 5 | 6 | all: $(BUILD_DIRS) 7 | $(BUILD_DIRS): 8 | $(MAKE) -C $(@:build-%=%) 9 | 10 | clean: $(CLEAN_DIRS) 11 | $(CLEAN_DIRS): 12 | $(MAKE) -C $(@:clean-%=%) clean 13 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop/Makefile: -------------------------------------------------------------------------------- 1 | SAMPLE_DIRS = $(wildcard */) 2 | BUILD_DIRS = $(SAMPLE_DIRS:%=build-%) 3 | CLEAN_DIRS = $(SAMPLE_DIRS:%=clean-%) 4 | MAKEFLAGS += -j$(shell nproc) 5 | 6 | all: $(BUILD_DIRS) 7 | $(BUILD_DIRS): 8 | $(MAKE) -C $(@:build-%=%) 9 | 10 | clean: $(CLEAN_DIRS) 11 | $(CLEAN_DIRS): 12 | $(MAKE) -C $(@:clean-%=%) clean 13 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop_invariant/break/run_wp_no_invariant.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This tests a loop without an invariant to check. 4 | 5 | # Should return SAT. 6 | 7 | run () { 8 | bap wp \ 9 | --num-unroll=0 \ 10 | --func=loop \ 11 | --postcond="(assert (= RAX #x0000000000000003))" \ 12 | -- ./bin/main 13 | } 14 | 15 | run 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/malloc/Makefile: -------------------------------------------------------------------------------- 1 | SAMPLE_DIRS = $(wildcard */) 2 | BUILD_DIRS = $(SAMPLE_DIRS:%=build-%) 3 | CLEAN_DIRS = $(SAMPLE_DIRS:%=clean-%) 4 | MAKEFLAGS += -j$(shell nproc) 5 | 6 | all: $(BUILD_DIRS) 7 | $(BUILD_DIRS): 8 | $(MAKE) -C $(@:build-%=%) 9 | 10 | clean: $(CLEAN_DIRS) 11 | $(CLEAN_DIRS): 12 | $(MAKE) -C $(@:clean-%=%) clean 13 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/memory_samples/diff_data_location/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | FLAGS = -nostdlib -no-pie 5 | 6 | all: $(BIN_DIR)/main_1 $(BIN_DIR)/main_2 7 | 8 | $(BIN_DIR): 9 | mkdir -p $@ 10 | 11 | $(BIN_DIR)/%: $(SRC_DIR)/%.S $(BIN_DIR) 12 | gcc $(FLAGS) -Wall -g -o $@ $< 13 | 14 | clean: 15 | rm -rf $(BIN_DIR) 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/no_position_independent/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | FLAGS = -fno-stack-protector 5 | 6 | all: $(BIN_DIR)/main_1.so $(BIN_DIR)/main_2.so 7 | 8 | $(BIN_DIR): 9 | mkdir -p $@ 10 | 11 | $(BIN_DIR)/%.so: $(SRC_DIR)/%.c $(BIN_DIR) 12 | gcc $(FLAGS) -Wall -g -o $@ $< 13 | 14 | clean: 15 | rm -rf $(BIN_DIR) 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/memory_samples/name_matching/Makefile: -------------------------------------------------------------------------------- 1 | include ../../optimization_flags.mk 2 | 3 | SRC_DIR = src 4 | BIN_DIR = bin 5 | 6 | all: $(BIN_DIR)/main_1 $(BIN_DIR)/main_2 7 | 8 | $(BIN_DIR): 9 | mkdir -p $@ 10 | 11 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 12 | gcc $(FLAGS) -Wall -g -o $@ $< 13 | 14 | clean: 15 | rm -rf $(BIN_DIR) 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/same_signs/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | FLAGS = -Wpedantic -fno-stack-protector -z execstack 5 | 6 | all: $(BIN_DIR)/main_1 $(BIN_DIR)/main_2 7 | 8 | $(BIN_DIR): 9 | mkdir -p $@ 10 | 11 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 12 | gcc $(FLAGS) -Wall -g -o $@ $< 13 | 14 | clean: 15 | rm -rf $(BIN_DIR) 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/verifier_calls/run_wp_assume_sat.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This tests the function spec for __VERIFIER_error, which should result in a 4 | # precondition of false. 5 | 6 | # Should return SAT 7 | 8 | run () { 9 | bap wp \ 10 | --func=main \ 11 | --trip-asserts \ 12 | -- ./bin/verifier_assume_sat 13 | } 14 | 15 | run 16 | -------------------------------------------------------------------------------- /docs/tutorial/03/binary/main_fixed.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main() { 4 | 5 | // Allocate a byte of memory, at address `addr` 6 | char *addr = malloc(sizeof(char)); 7 | 8 | // Don't proceed if we got no address 9 | if (addr == NULL) { return 0; } 10 | 11 | // Store the character 'z' at that address 12 | *addr = 'z'; 13 | 14 | } 15 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/hash_function/run_wp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # Trips an assert if a password hashes to the "special" value in a hashtable. 3 | 4 | # Should return SAT 5 | 6 | run() { 7 | bap wp \ 8 | --func=perform_hash \ 9 | --inline=bad_hash \ 10 | --trip-asserts \ 11 | --show=diagnostics \ 12 | -- ./bin/main 13 | } 14 | 15 | run 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/memory_samples/data_bss_sections/Makefile: -------------------------------------------------------------------------------- 1 | include ../../optimization_flags.mk 2 | 3 | SRC_DIR = src 4 | BIN_DIR = bin 5 | 6 | all: $(BIN_DIR)/main_1 $(BIN_DIR)/main_2 7 | 8 | $(BIN_DIR): 9 | mkdir -p $@ 10 | 11 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 12 | gcc $(FLAGS) -Wall -g -o $@ $< 13 | 14 | clean: 15 | rm -rf $(BIN_DIR) 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/nested_function_calls/src/main.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int bar(int x) { 4 | if(x < 5) { 5 | assert(0); 6 | } 7 | return 2; 8 | } 9 | 10 | int foo(int x) { 11 | if(x > 3) { 12 | bar(x); 13 | } 14 | return 1; 15 | } 16 | 17 | int main(int argc, char **argv) { 18 | 19 | foo(argc); 20 | 21 | return 0; 22 | } 23 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/position_independent/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | FLAGS = -fPIC -fno-stack-protector -shared 5 | 6 | all: $(BIN_DIR)/main_1.so $(BIN_DIR)/main_2.so 7 | 8 | $(BIN_DIR): 9 | mkdir -p $@ 10 | 11 | $(BIN_DIR)/%.so: $(SRC_DIR)/%.c $(BIN_DIR) 12 | gcc $(FLAGS) -Wall -g -o $@ $< 13 | 14 | clean: 15 | rm -rf $(BIN_DIR) 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/user_func_spec/sub_spec_2/run_wp_2.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Should return UNSAT: since when RAX is not 0x67, we can't trigger assert(0) 4 | 5 | run () { 6 | bap wp \ 7 | --func=main \ 8 | --user-func-specs="g,(assert true),(assert (= RAX #x0000000000000061))" \ 9 | --trip-assert \ 10 | -- ./bin/main 11 | } 12 | 13 | run 14 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/null_deref/Makefile: -------------------------------------------------------------------------------- 1 | include ../optimization_flags.mk 2 | 3 | SRC_DIR = src 4 | BIN_DIR = bin 5 | 6 | FLAGS += -fno-stack-protector -z execstack 7 | 8 | all: $(BIN_DIR)/main 9 | 10 | $(BIN_DIR): 11 | mkdir -p $@ 12 | 13 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 14 | gcc $(FLAGS) -Wall -g -o $@ $< 15 | 16 | clean: 17 | rm -rf $(BIN_DIR) 18 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/user_func_spec/sub_spec_1/run_wp_1.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Should return UNSAT, since (true /\ (false => false)) is true, which is UNSAT 4 | 5 | run () { 6 | bap wp \ 7 | --func=main \ 8 | --postcond="(assert false)" \ 9 | --user-func-specs="g,(assert true),(assert false)" \ 10 | -- ./bin/main 11 | } 12 | 13 | run 14 | 15 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/user_func_spec/sub_spec_2/run_wp_1.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Should return SAT: Since when RAX is 0x67, RDI will then trigger the assert(0) 4 | 5 | run () { 6 | bap wp \ 7 | --func=main \ 8 | --user-func-specs="g,(assert true),(assert (= RAX #x0000000000000067))" \ 9 | --trip-assert \ 10 | -- ./bin/main 11 | } 12 | 13 | run 14 | -------------------------------------------------------------------------------- /docs/tutorial/04/binary/main_2.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | bool same_signs(int x, int y) { 6 | return !((x ^ y) < 0); 7 | } 8 | 9 | int main() { 10 | 11 | // Try it out 12 | int x = 10; 13 | int y = -10; 14 | fputs(same_signs(x, y) ? "true\n" : "false\n", stdout); 15 | 16 | return 0; 17 | 18 | } 19 | -------------------------------------------------------------------------------- /docs/tutorial/08/binary/main_2.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | bool same_signs(int x, int y) { 6 | return !((x ^ y) < 0); 7 | } 8 | 9 | int main() { 10 | 11 | // Try it out 12 | int x = 10; 13 | int y = -10; 14 | fputs(same_signs(x, y) ? "true\n" : "false\n", stdout); 15 | 16 | return 0; 17 | 18 | } 19 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop_invariant/non_terminating/run_wp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Tests a simple loop invariant checker. 4 | 5 | # Should return UNSAT. 6 | 7 | run () { 8 | bap wp \ 9 | --show=bir \ 10 | --func=loop \ 11 | --postcond="(assert false)" \ 12 | --loop-invariant="$(cat loop_invariant.smt)" \ 13 | -- ./bin/main 14 | } 15 | 16 | run 17 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/same_signs/src/main_2.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | bool same_signs(int x, int y) { 6 | return !((x ^ y) < 0); 7 | } 8 | 9 | int main() { 10 | // Try it out 11 | int x = 10; 12 | int y = -10; 13 | fputs(same_signs(x, y) ? "true\n" : "false\n", stdout); 14 | return 0; 15 | } 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/unconditional_call/src/main.asm: -------------------------------------------------------------------------------- 1 | global __assert_fail:function (__assert_fail.end - __assert_fail) 2 | global main:function (main.end - main) 3 | 4 | fmt: db `- %s\n` 5 | 6 | __assert_fail: 7 | mov rax, 60 8 | mov rdi, 3 9 | syscall 10 | ret 11 | .end: 12 | 13 | main: 14 | jmp __assert_fail 15 | ret 16 | .end: 17 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/conditional_call/run_wp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This tests a conditional function call to __assert_fail. It is impossible to 4 | # reach __assert_fail in this case. 5 | 6 | # Should return UNSAT. 7 | 8 | run () { 9 | bap wp \ 10 | --func=main \ 11 | --show=paths,bir \ 12 | --trip-asserts \ 13 | -- ./bin/main 14 | } 15 | 16 | run 17 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/memory_samples/arrays/src/main_2.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int y; 4 | int a; 5 | int x = 1; 6 | int b; 7 | int z = 2; 8 | 9 | unsigned int bar[10] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}; 10 | 11 | unsigned int foo[10]; 12 | 13 | unsigned int foo_get(int x) { 14 | return foo[x]; 15 | } 16 | 17 | int main(void) { 18 | 19 | return 0; 20 | 21 | } 22 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/simple_wp/Makefile: -------------------------------------------------------------------------------- 1 | include ../optimization_flags.mk 2 | 3 | SRC_DIR = src 4 | BIN_DIR = bin 5 | 6 | FLAGS += -Wpedantic -fno-stack-protector -z execstack 7 | 8 | all: $(BIN_DIR)/main 9 | 10 | $(BIN_DIR): 11 | mkdir -p $@ 12 | 13 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 14 | gcc $(FLAGS) -Wall -g -o $@ $< 15 | 16 | clean: 17 | rm -rf $(BIN_DIR) 18 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/cbat-multicompiler-samples/csmith/run_wp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This test compares csmith.c compiled with different compilers 4 | 5 | # Should return UNSAT 6 | 7 | run () { 8 | bap wp \ 9 | --func=main \ 10 | --compare-post-reg-values=RAX \ 11 | --use-fun-input-regs \ 12 | -- ./bin/csmith-10684 ./bin/csmith-16812 13 | } 14 | 15 | run 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/double_dereference/run_wp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This binary returns a double dereference to argv. This test 4 | # compares the binary with itself. 5 | 6 | # Should return UNSAT 7 | 8 | run () { 9 | bap wp \ 10 | --func=main \ 11 | --compare-post-reg-values=RAX \ 12 | --mem-offset \ 13 | -- ./bin/main_1 ./bin/main_2 14 | } 15 | 16 | run 17 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop_invariant/in_registers/loop_invariant.smt: -------------------------------------------------------------------------------- 1 | (((address 0x1E) 2 | (invariant 3 | "(assert 4 | (let ((x ((_ zero_extend 32) ((_ extract 31 0) RDI))) 5 | (y ((_ zero_extend 32) ((_ extract 31 0) RSI)))) 6 | (and (= (bvadd x y) #x0000000000000005) 7 | (bvule x #x0000000000000005) 8 | (bvuge y #x0000000000000000))))"))) 9 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/memory_samples/mem_hooks/src/main_2.S: -------------------------------------------------------------------------------- 1 | .global _start 2 | 3 | .text 4 | 5 | main: 6 | mov (val), %rax 7 | nop 8 | ret 9 | 10 | _start: 11 | call main 12 | mov $0x3c, %rax 13 | xor %rdi, %rdi 14 | syscall 15 | 16 | 17 | .data 18 | 19 | foo: 20 | .int 2 21 | 22 | val: 23 | .int 1 24 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/return_argc/Makefile: -------------------------------------------------------------------------------- 1 | include ../optimization_flags.mk 2 | 3 | SRC_DIR = src 4 | BIN_DIR = bin 5 | 6 | FLAGS += -Wpedantic -fno-stack-protector -z execstack 7 | 8 | all: $(BIN_DIR)/main 9 | 10 | $(BIN_DIR): 11 | mkdir -p $@ 12 | 13 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 14 | gcc $(FLAGS) -Wall -g -o $@ $< 15 | 16 | clean: 17 | rm -rf $(BIN_DIR) 18 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop_invariant/do_while/run_wp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Tests a simple loop invariant checker. 4 | 5 | # Should return UNSAT. 6 | 7 | run () { 8 | bap wp \ 9 | --show=bir \ 10 | --func=loop \ 11 | --postcond="(assert (= RAX #x0000000000000005))" \ 12 | --loop-invariant="$(cat loop_invariant.smt)" \ 13 | -- ./bin/main 14 | } 15 | 16 | run 17 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop_invariant/nondet_iters/src/main.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int loop(void) { 4 | register int z asm ("rdx"); 5 | register int x asm ("rdi") = 0; 6 | register int y asm ("rsi") = z; 7 | 8 | while (x < z) { 9 | x++; 10 | y--; 11 | } 12 | return x; 13 | } 14 | 15 | int main(int argc, char **argv) { 16 | loop(); 17 | return 0; 18 | } 19 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop_invariant/on_stack/run_wp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Tests a simple loop invariant checker. 4 | 5 | # Should return UNSAT. 6 | 7 | run () { 8 | bap wp \ 9 | --show=bir \ 10 | --func=loop \ 11 | --postcond="(assert (= RAX #x0000000000000005))" \ 12 | --loop-invariant="$(cat loop_invariant.smt)" \ 13 | -- ./bin/main 14 | } 15 | 16 | run 17 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/ogre_files/run_wp1.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Checks return value of f1 in unstripped main_1. 4 | # Uses ogre file to lift only relevant function. 5 | # 6 | # Should be UNSAT 7 | 8 | run () { 9 | bap wp \ 10 | --func=f1 \ 11 | --ogre=main1.ogre \ 12 | --postcond="(assert (= R0 (_ bv1 32)))" \ 13 | -- ./bin/main_1 14 | } 15 | 16 | run 17 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/user_func_spec/sub_spec_1/run_wp_2.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Should return SAT, since (true /\ (true => false)) is false, which is SAT 4 | 5 | run () { 6 | bap wp \ 7 | --func=main \ 8 | --show=precond-smtlib \ 9 | --postcond="(assert false)" \ 10 | --user-func-specs="g,(assert true),(assert true)" \ 11 | -- ./bin/main 12 | } 13 | 14 | run 15 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/user_func_spec/sub_spec_1/src/main.c: -------------------------------------------------------------------------------- 1 | //Idea: 2 | // Tests that our code sees and uses g's pre and post-conditions. 3 | // Should return UNSAT 4 | 5 | #include 6 | 7 | // pre : (true) 8 | int g() { 9 | return 4; 10 | } 11 | // post : (RAX = 4) 12 | 13 | 14 | int main(int argc, char ** argv) { 15 | return g(); 16 | } 17 | // post : (RAX = 3) 18 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop_invariant/in_registers/run_wp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Tests a simple loop invariant checker. 4 | 5 | # Should return UNSAT. 6 | 7 | run () { 8 | bap wp \ 9 | --show=bir \ 10 | --func=loop \ 11 | --postcond="(assert (= RAX #x0000000000000005))" \ 12 | --loop-invariant="$(cat loop_invariant.smt)" \ 13 | -- ./bin/main 14 | } 15 | 16 | run 17 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/pointer_input/run_wp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This binary returns a pointer that was passed in as an argument. This test 4 | # compares the binary with itself. 5 | 6 | # Should return UNSAT 7 | 8 | run () { 9 | bap wp \ 10 | --func=main \ 11 | --compare-post-reg-values=RAX \ 12 | --mem-offset \ 13 | -- ./bin/main_1 ./bin/main_2 14 | } 15 | 16 | run 17 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/verifier_calls/Makefile: -------------------------------------------------------------------------------- 1 | include ../optimization_flags.mk 2 | 3 | SRC_DIR = src 4 | BIN_DIR = bin 5 | 6 | all: $(BIN_DIR)/verifier_assume_unsat $(BIN_DIR)/verifier_assume_sat $(BIN_DIR)/verifier_nondet 7 | 8 | $(BIN_DIR): 9 | mkdir -p $@ 10 | 11 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 12 | gcc $(FLAGS) -Wall -g -o $@ $< 13 | 14 | clean: 15 | rm -rf $(BIN_DIR) 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/floating_point/single/Makefile: -------------------------------------------------------------------------------- 1 | include ../../optimization_flags.mk 2 | 3 | SRC_DIR = src 4 | BIN_DIR = bin 5 | 6 | FLAGS += -O0 -Wpedantic -fno-stack-protector -z execstack 7 | 8 | all: $(BIN_DIR)/main 9 | 10 | $(BIN_DIR): 11 | mkdir -p $@ 12 | 13 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 14 | gcc $(FLAGS) -Wall -g -o $@ $< 15 | 16 | clean: 17 | rm -rf $(BIN_DIR) 18 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/linked_list/src/main.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | typedef struct ll_node { 5 | int content; 6 | struct ll_node *next; 7 | } node; 8 | 9 | node* create_linked_list(){ 10 | node* tail = NULL; 11 | tail->content = 1; 12 | return tail; 13 | } 14 | 15 | int main(int argc, char **argv) { 16 | create_linked_list(1); 17 | return 0; 18 | } 19 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/user_func_spec/sub_spec_1/Makefile: -------------------------------------------------------------------------------- 1 | include ../../optimization_flags.mk 2 | 3 | SRC_DIR = src 4 | BIN_DIR = bin 5 | 6 | FLAGS += -Wpedantic -fno-stack-protector -z execstack 7 | 8 | all: $(BIN_DIR)/main 9 | 10 | $(BIN_DIR): 11 | mkdir -p $@ 12 | 13 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 14 | gcc $(FLAGS) -Wall -g -o $@ $< 15 | 16 | clean: 17 | rm -rf $(BIN_DIR) 18 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/user_func_spec/sub_spec_1/run_wp_3.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Should return SAT, since (false /\ (RAX = 4 => RAX = 4)) is always false 4 | 5 | run () { 6 | bap wp \ 7 | --func=main \ 8 | --postcond="(assert (= RAX #x0000000000000004))" \ 9 | --user-func-specs="g,(assert false),(assert (= RAX #x0000000000000004))" \ 10 | -- ./bin/main 11 | } 12 | 13 | run 14 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/user_func_spec/sub_spec_2/Makefile: -------------------------------------------------------------------------------- 1 | include ../../optimization_flags.mk 2 | 3 | SRC_DIR = src 4 | BIN_DIR = bin 5 | 6 | FLAGS += -Wpedantic -fno-stack-protector -z execstack 7 | 8 | all: $(BIN_DIR)/main 9 | 10 | $(BIN_DIR): 11 | mkdir -p $@ 12 | 13 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 14 | gcc $(FLAGS) -Wall -g -o $@ $< 15 | 16 | clean: 17 | rm -rf $(BIN_DIR) 18 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/user_func_spec/sub_spec_3/run_wp_single_2.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Should return SAT since RAX would need to be 0x61 instead of 0x67 to be UNSAT 4 | 5 | run () { 6 | bap wp \ 7 | --func=main \ 8 | --show=paths \ 9 | --user-func-specs="g,(assert true),(assert (= RAX #x0000000000000067))" \ 10 | --trip-assert \ 11 | -- ./bin/main_1 12 | } 13 | 14 | run 15 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/user_func_spec/sub_spec_5/Makefile: -------------------------------------------------------------------------------- 1 | include ../../optimization_flags.mk 2 | 3 | SRC_DIR = src 4 | BIN_DIR = bin 5 | 6 | FLAGS += -Wpedantic -fno-stack-protector -z execstack 7 | 8 | all: $(BIN_DIR)/main 9 | 10 | $(BIN_DIR): 11 | mkdir -p $@ 12 | 13 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 14 | gcc $(FLAGS) -Wall -g -o $@ $< 15 | 16 | clean: 17 | rm -rf $(BIN_DIR) 18 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/cbat-multicompiler-samples/equiv_argc/run_wp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This test compares equiv_argc that has been compiled with different compilers. 4 | 5 | # Should return UNSAT 6 | 7 | run () { 8 | bap wp \ 9 | --func=main \ 10 | --compare-post-reg-values=RAX \ 11 | --no-byteweight \ 12 | -- ./bin/equiv_argc-6404 ./bin/equiv_argc-6487 13 | } 14 | 15 | run 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/debruijn/run_wp_8bit.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # an example that compares the debruijn method of finding the LSB instead 4 | # to that of using a for loop 5 | 6 | # Should return UNSAT 7 | 8 | run () { 9 | bap wp \ 10 | --func=rightmost_index_8 \ 11 | --compare-post-reg-values=RAX \ 12 | --no-byteweight \ 13 | -- ./bin/main_1 ./bin/main_2 14 | } 15 | 16 | run 17 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/pointer_flag_rsp/run_wp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This checks that in an subroutine that does not use RSP 4 | # that RSP is still included in the generated pointer constraints 5 | # and that there are no errors 6 | 7 | # Should return UNSAT 8 | 9 | run () { 10 | bap wp \ 11 | --func=main \ 12 | --pointer-reg-list=RDI,RSI \ 13 | -- ./bin/main 14 | } 15 | 16 | run 17 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/user_func_spec/sub_spec_5/run_wp_1.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Should return SAT: we provide a spec only for g, which means f can still return 0x67 and we can trip the assert 4 | 5 | run () { 6 | bap wp \ 7 | --func=main \ 8 | --user-func-specs="g,(assert true),(assert (= RAX #x0000000000000061))" \ 9 | --trip-assert \ 10 | -- ./bin/main 11 | } 12 | 13 | run 14 | -------------------------------------------------------------------------------- /docs/tutorial/03/binary/Makefile: -------------------------------------------------------------------------------- 1 | BASE=main 2 | BASE_FIXED=main_fixed 3 | 4 | all: x86-64 5 | 6 | x86-64: $(BASE) $(BASE_FIXED) 7 | 8 | $(BASE): $(BASE).c 9 | $(CC) -g -Wall -Wpedantic -fno-stack-protector -z execstack -o $@ $< 10 | 11 | $(BASE_FIXED): $(BASE_FIXED).c 12 | $(CC) -g -Wall -Wpedantic -fno-stack-protector -z execstack -o $@ $< 13 | 14 | clean: 15 | rm -f $(BASE) 16 | rm -f $(BASE_FIXED) 17 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/debruijn/run_wp_16bit.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # an example that compares the debruijn method of finding the LSB instead 4 | # to that of using a for loop 5 | 6 | # Should return UNSAT 7 | 8 | run () { 9 | bap wp \ 10 | --func=rightmost_index_16 \ 11 | --compare-post-reg-values=RAX \ 12 | --no-byteweight \ 13 | -- ./bin/main_1 ./bin/main_2 14 | } 15 | 16 | run 17 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/debruijn/run_wp_32bit.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # an example that compares the debruijn method of finding the LSB instead 4 | # to that of using a for loop 5 | 6 | # Should return UNSAT 7 | 8 | run () { 9 | bap wp \ 10 | --func=rightmost_index_32 \ 11 | --compare-post-reg-values=RAX \ 12 | --no-byteweight \ 13 | -- ./bin/main_1 ./bin/main_2 14 | } 15 | 16 | run 17 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/floating_point/Makefile: -------------------------------------------------------------------------------- 1 | SAMPLE_DIRS = $(wildcard */) 2 | BUILD_DIRS = $(SAMPLE_DIRS:%=build-%) 3 | CLEAN_DIRS = $(SAMPLE_DIRS:%=clean-%) 4 | 5 | .PHONY: all subdirs $(BUILD_DIRS) 6 | all: $(BUILD_DIRS) 7 | $(BUILD_DIRS): 8 | $(MAKE) -C $(@:build-%=%) 9 | 10 | .PHONY: clean subdirs $(CLEAN_DIRS) 11 | clean: $(CLEAN_DIRS) 12 | $(CLEAN_DIRS): 13 | $(MAKE) -C $(@:clean-%=%) clean 14 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/func_name_map/Makefile: -------------------------------------------------------------------------------- 1 | SAMPLE_DIRS = $(wildcard */) 2 | BUILD_DIRS = $(SAMPLE_DIRS:%=build-%) 3 | CLEAN_DIRS = $(SAMPLE_DIRS:%=clean-%) 4 | 5 | .PHONY: all subdirs $(BUILD_DIRS) 6 | all: $(BUILD_DIRS) 7 | $(BUILD_DIRS): 8 | $(MAKE) -C $(@:build-%=%) 9 | 10 | .PHONY: clean subdirs $(CLEAN_DIRS) 11 | clean: $(CLEAN_DIRS) 12 | $(CLEAN_DIRS): 13 | $(MAKE) -C $(@:clean-%=%) clean 14 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop_invariant/Makefile: -------------------------------------------------------------------------------- 1 | SAMPLE_DIRS = $(wildcard */) 2 | BUILD_DIRS = $(SAMPLE_DIRS:%=build-%) 3 | CLEAN_DIRS = $(SAMPLE_DIRS:%=clean-%) 4 | 5 | .PHONY: all subdirs $(BUILD_DIRS) 6 | all: $(BUILD_DIRS) 7 | $(BUILD_DIRS): 8 | $(MAKE) -C $(@:build-%=%) 9 | 10 | .PHONY: clean subdirs $(CLEAN_DIRS) 11 | clean: $(CLEAN_DIRS) 12 | $(CLEAN_DIRS): 13 | $(MAKE) -C $(@:clean-%=%) clean 14 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/memory_samples/Makefile: -------------------------------------------------------------------------------- 1 | SAMPLE_DIRS = $(wildcard */) 2 | BUILD_DIRS = $(SAMPLE_DIRS:%=build-%) 3 | CLEAN_DIRS = $(SAMPLE_DIRS:%=clean-%) 4 | 5 | .PHONY: all subdirs $(BUILD_DIRS) 6 | all: $(BUILD_DIRS) 7 | $(BUILD_DIRS): 8 | $(MAKE) -C $(@:build-%=%) 9 | 10 | .PHONY: clean subdirs $(CLEAN_DIRS) 11 | clean: $(CLEAN_DIRS) 12 | $(CLEAN_DIRS): 13 | $(MAKE) -C $(@:clean-%=%) clean 14 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/floating_point/comparison/unsat/run_wp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # A test that compares two binaries that perform an addition operation on the 4 | # same two floating point numbers. 5 | 6 | # Should return UNSAT 7 | 8 | run () { 9 | bap wp \ 10 | --func=foo \ 11 | --init-mem \ 12 | --compare-post-reg-values=YMM0 \ 13 | -- ./bin/main_1 ./bin/main_2 14 | } 15 | 16 | run 17 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop_invariant/break/run_wp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Tests a simple loop invariant checker. 4 | 5 | # Should return UNSAT. 6 | 7 | run () { 8 | bap wp \ 9 | --show=bir \ 10 | --num-unroll=0 \ 11 | --func=loop \ 12 | --postcond="(assert (= RAX #x0000000000000003))" \ 13 | --loop-invariant="$(cat loop_invariant.smt)" \ 14 | -- ./bin/main 15 | } 16 | 17 | run 18 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/ogre_files/run_wp2.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Checks return value of f1 in stripped main_1 4 | # Uses ogre file to lift only relevant function, and give it a name 5 | # 6 | # Should be UNSAT 7 | 8 | run () { 9 | bap wp \ 10 | --func=f1 \ 11 | --ogre=main1.ogre \ 12 | --postcond="(assert (= R0 (_ bv1 32)))" \ 13 | -- ./bin/main_1_stripped 14 | } 15 | 16 | run 17 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/simple_wp/run_wp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # A simple example that assert_fails when argc = 3. 4 | 5 | # WP finds the input value to main which will result in 6 | # reaching assert_fail during execution. 7 | 8 | # Should return SAT 9 | 10 | run () { 11 | bap wp \ 12 | --func=main \ 13 | --trip-asserts \ 14 | --show=diagnostics \ 15 | -- ./bin/main 16 | } 17 | 18 | run 19 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/user_func_spec/sub_spec_6/Makefile: -------------------------------------------------------------------------------- 1 | include ../../optimization_flags.mk 2 | 3 | SRC_DIR = src 4 | BIN_DIR = bin 5 | 6 | FLAGS += -Wpedantic -fno-stack-protector -z execstack 7 | 8 | all: $(BIN_DIR)/orig $(BIN_DIR)/mod 9 | 10 | $(BIN_DIR): 11 | mkdir -p $@ 12 | 13 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 14 | gcc $(FLAGS) -Wall -g -o $@ $< 15 | 16 | clean: 17 | rm -rf $(BIN_DIR) 18 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/floating_point/comparison/Makefile: -------------------------------------------------------------------------------- 1 | SAMPLE_DIRS = $(wildcard */) 2 | BUILD_DIRS = $(SAMPLE_DIRS:%=build-%) 3 | CLEAN_DIRS = $(SAMPLE_DIRS:%=clean-%) 4 | 5 | .PHONY: all subdirs $(BUILD_DIRS) 6 | all: $(BUILD_DIRS) 7 | $(BUILD_DIRS): 8 | $(MAKE) -C $(@:build-%=%) 9 | 10 | .PHONY: clean subdirs $(CLEAN_DIRS) 11 | clean: $(CLEAN_DIRS) 12 | $(CLEAN_DIRS): 13 | $(MAKE) -C $(@:clean-%=%) clean 14 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/memcpy/Makefile: -------------------------------------------------------------------------------- 1 | SAMPLE_DIRS = $(wildcard */) 2 | BUILD_DIRS = $(SAMPLE_DIRS:%=build-%) 3 | CLEAN_DIRS = $(SAMPLE_DIRS:%=clean-%) 4 | 5 | .PHONY: all subdirs $(BUILD_DIRS) 6 | all: $(BUILD_DIRS) 7 | $(BUILD_DIRS): 8 | $(MAKE) -C $(@:build-%=%) 9 | 10 | .PHONY: clean subdirs $(CLEAN_DIRS) 11 | clean: $(CLEAN_DIRS) 12 | $(CLEAN_DIRS): 13 | $(MAKE) -C $(@:clean-%=%) clean 14 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/verifier_calls/run_wp_assume_unsat.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This tests the function spec to __VERIFIER_assume. If the assumption that 4 | # x > 0 holds, it is impossible to hit the case where there is a __VERIFIER_error. 5 | 6 | # Should return UNSAT 7 | 8 | run () { 9 | bap wp \ 10 | --func=main \ 11 | --trip-asserts \ 12 | -- ./bin/verifier_assume_unsat 13 | } 14 | 15 | run 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop_invariant/nondet_iters/loop_invariant.smt: -------------------------------------------------------------------------------- 1 | (((address 0x1D) 2 | (invariant 3 | "(assert 4 | (let ((x ((_ zero_extend 32) ((_ extract 31 0) RDI))) 5 | (y ((_ zero_extend 32) ((_ extract 31 0) RSI))) 6 | (z ((_ zero_extend 32) ((_ extract 31 0) RDX)))) 7 | (and (= (bvadd x y) z) 8 | (bvule x z) 9 | (bvuge y #x0000000000000000))))"))) 10 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop_invariant/on_stack/run_wp_unroll.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This tests WP's ability to unroll a simple loop 5 times. It should be 4 | # able to tell that x is being incremented. 5 | 6 | # Should return UNSAT. 7 | 8 | run () { 9 | bap wp \ 10 | --num-unroll=5 \ 11 | --func=loop \ 12 | --postcond="(assert (= RAX #x0000000000000005))" \ 13 | -- ./bin/main 14 | } 15 | 16 | run 17 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/memcpy/memcpy_example/src/main.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | struct Account { 6 | int balance; 7 | } account, account_copy; 8 | 9 | 10 | int main(int argc,char ** argv) { 11 | account.balance = 2048; 12 | memcpy(&account_copy, &account, argc); 13 | if (account_copy.balance) 14 | return 0; 15 | else 16 | return 1; 17 | } 18 | 19 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/memcpy/memcpy_example_2/src/main.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | struct Account { 6 | int balance; 7 | } account, account_copy; 8 | 9 | 10 | int main(int argc,char ** argv) { 11 | account.balance = 2048; 12 | memcpy(&account_copy, &account, argc); 13 | if (account_copy.balance) 14 | return 0; 15 | else 16 | return 1; 17 | } 18 | 19 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/nested_ifs/run_wp_inline.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This test analyzes both the gotoExample and nestedIfExample. 4 | 5 | # This test inlines all the calls to calloc rather than running the calloc 6 | # function spec. 7 | 8 | # Should return UNSAT 9 | 10 | run () { 11 | bap wp \ 12 | --func=main \ 13 | --inline=.* \ 14 | --trip-asserts \ 15 | -- ./bin/main 16 | } 17 | 18 | run 19 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/user_func_spec/sub_spec_4/Makefile: -------------------------------------------------------------------------------- 1 | # include ../../optimization_flags.mk 2 | 3 | SRC_DIR = src 4 | BIN_DIR = bin 5 | 6 | FLAGS += -Wpedantic -fno-stack-protector -z execstack 7 | 8 | all: $(BIN_DIR)/main_1 $(BIN_DIR)/main_2 9 | 10 | $(BIN_DIR): 11 | mkdir -p $@ 12 | 13 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 14 | gcc $(FLAGS) -Wall -g -o $@ $< 15 | 16 | clean: 17 | rm -rf $(BIN_DIR) 18 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/user_func_spec/sub_spec_5/src/main.c: -------------------------------------------------------------------------------- 1 | // Tests that our code sees and uses f and g's specs 2 | #include 3 | 4 | int g() { 5 | return 0x0000000000000067; 6 | } 7 | int f() { 8 | return 0x0000000000000067; 9 | } 10 | 11 | int main(int argc, char ** argv) { 12 | if (f() == 0x0000000000000067) assert(0); 13 | if (g() == 0x0000000000000067) assert(0); 14 | return argc; 15 | } 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/conditional_call/src/main.asm: -------------------------------------------------------------------------------- 1 | global __assert_fail:function (__assert_fail.end - __assert_fail) 2 | global main:function (main.end - main) 3 | 4 | fmt: db `- %s\n` 5 | 6 | __assert_fail: 7 | mov rax, 60 8 | mov rdi, 3 9 | syscall 10 | ret 11 | .end: 12 | 13 | main: 14 | mov rdi, 0x61 15 | cmp rdi, 0x67 16 | je __assert_fail 17 | ret 18 | .end: 19 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/floating_point/comparison/sat/Makefile: -------------------------------------------------------------------------------- 1 | include ../../../optimization_flags.mk 2 | 3 | SRC_DIR = src 4 | BIN_DIR = bin 5 | 6 | FLAGS += -O0 -Wpedantic -fno-stack-protector -z execstack 7 | 8 | all: $(BIN_DIR)/main_1 $(BIN_DIR)/main_2 9 | 10 | $(BIN_DIR): 11 | mkdir -p $@ 12 | 13 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 14 | gcc $(FLAGS) -Wall -g -o $@ $< 15 | 16 | clean: 17 | rm -rf $(BIN_DIR) 18 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/floating_point/single/run_wp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This test checks that the init-mem flag is able to read the floating point 4 | # number into YMM0. 5 | 6 | # Should return UNSAT. 7 | 8 | run () { 9 | bap wp \ 10 | --func=foo \ 11 | --init-mem \ 12 | --postcond="(assert (= ((_ extract 127 0) YMM0) #x0000000000000000000000003fa00000))" \ 13 | -- ./bin/main 14 | } 15 | 16 | run 17 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/floating_point/single/run_wp_no_init.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This test does not call the init-mem flag. WP would not know the value stored 4 | # into YMM0. 5 | 6 | # Should return SAT. 7 | 8 | run () { 9 | bap wp \ 10 | --func=foo \ 11 | --show=bir \ 12 | --postcond="(assert (= ((_ extract 127 0) YMM0) #x0000000000000000000000003fa00000))" \ 13 | -- ./bin/main 14 | } 15 | 16 | run 17 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop/loop_depth_two/src/main.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | int foo(uint8_t i){ 7 | int j = 0; 8 | while(j < 3){ 9 | j++; 10 | while(j < 3){ 11 | j++; 12 | } 13 | } 14 | printf("\nVALUE: %x\n", j); 15 | return j ; 16 | } 17 | 18 | int main(int argc, char** argv) { 19 | foo(5); 20 | return 0; 21 | } 22 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop_invariant/in_registers/run_wp_unroll.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This tests WP's ability to unroll a simple loop 5 times. It should be 4 | # able to tell that x is being incremented. 5 | 6 | # Should return UNSAT. 7 | 8 | run () { 9 | bap wp \ 10 | --num-unroll=5 \ 11 | --func=loop \ 12 | --postcond="(assert (= RAX #x0000000000000005))" \ 13 | -- ./bin/main 14 | } 15 | 16 | run 17 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/malloc/compare_simple/Makefile: -------------------------------------------------------------------------------- 1 | include ../../optimization_flags.mk 2 | 3 | SRC_DIR = src 4 | BIN_DIR = bin 5 | 6 | FLAGS += -Wpedantic -fno-stack-protector -z execstack 7 | 8 | all: $(BIN_DIR)/main_1.o $(BIN_DIR)/main_2.o 9 | 10 | $(BIN_DIR): 11 | mkdir -p $@ 12 | 13 | $(BIN_DIR)/%.o: $(SRC_DIR)/%.c $(BIN_DIR) 14 | gcc $(FLAGS) -Wall -O0 -g -c -o $@ $< 15 | 16 | clean: 17 | rm -rf $(BIN_DIR) 18 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/no_stack_protection/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | all: $(BIN_DIR)/main_1 $(BIN_DIR)/main_2 5 | 6 | $(BIN_DIR): 7 | mkdir -p $@ 8 | 9 | $(BIN_DIR)/main_1: $(SRC_DIR)/main_1.c $(BIN_DIR) 10 | gcc -fstack-protector -Wall -g -o $@ $< 11 | 12 | $(BIN_DIR)/main_2: $(SRC_DIR)/main_2.c $(BIN_DIR) 13 | gcc -fno-stack-protector -Wall -g -o $@ $< 14 | 15 | clean: 16 | rm -rf $(BIN_DIR) 17 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/user_func_spec/Makefile: -------------------------------------------------------------------------------- 1 | SAMPLE_DIRS = $(wildcard */) 2 | BUILD_DIRS = $(SAMPLE_DIRS:%=build-%) 3 | CLEAN_DIRS = $(SAMPLE_DIRS:%=clean-%) 4 | 5 | .PHONY: all subdirs $(BUILD_DIRS) 6 | all: $(BUILD_DIRS) 7 | $(BUILD_DIRS): 8 | $(MAKE) -C $(@:build-%=%) 9 | 10 | .PHONY: clean subdirs $(CLEAN_DIRS) 11 | clean: $(CLEAN_DIRS) 12 | $(CLEAN_DIRS): 13 | $(MAKE) -C $(@:clean-%=%) clean 14 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/floating_point/comparison/unsat/Makefile: -------------------------------------------------------------------------------- 1 | include ../../../optimization_flags.mk 2 | 3 | SRC_DIR = src 4 | BIN_DIR = bin 5 | 6 | FLAGS += -O0 -Wpedantic -fno-stack-protector -z execstack 7 | 8 | all: $(BIN_DIR)/main_1 $(BIN_DIR)/main_2 9 | 10 | $(BIN_DIR): 11 | mkdir -p $@ 12 | 13 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 14 | gcc $(FLAGS) -Wall -g -o $@ $< 15 | 16 | clean: 17 | rm -rf $(BIN_DIR) 18 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop/loop_depth_one/run_wp_single.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # test that an unrolled loop does not effect resulting values 4 | 5 | # Should return SAT with RDI=5 6 | 7 | run() { 8 | bap wp \ 9 | --func=foo \ 10 | --num-unroll=3 \ 11 | --postcond="(assert (not (= RAX #x0000000000000005)))" \ 12 | --no-byteweight \ 13 | --show=diagnostics \ 14 | -- ./bin/main_1 15 | } 16 | 17 | run 18 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/malloc/compare_simple/run_wp_sat.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This test contains a single call to malloc. This tests uses the 4 | # nondeterministic chaos spec for malloc. 5 | 6 | # Should return SAT 7 | 8 | run () { 9 | bap wp \ 10 | --func=foo \ 11 | --show=bir,paths \ 12 | --compare-post-reg-values=RAX \ 13 | --inline=sub_* \ 14 | -- ./bin/main_1.o ./bin/main_2.o 15 | } 16 | 17 | run 18 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/nqueens/run_wp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # A program which trips an assert when the bit encoding 4 | # of the nqueens problem is solved for n=$1. 5 | 6 | # Should return SAT 7 | 8 | run_net () { 9 | bap wp \ 10 | --func=encode_nqueens \ 11 | --trip-asserts \ 12 | --num-unroll=0 \ 13 | --inline="sub*" \ 14 | --show=diagnostics \ 15 | -- bin/main_$1 16 | } 17 | 18 | run_net $1 19 | 20 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/equiv_null_check/run_wp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # The modified binary adds a null check after the call to malloc. In the case 4 | # that malloc returns NULL, the modified binary will hit an assert_fail. 5 | 6 | # Should return SAT. 7 | 8 | run () { 9 | bap wp \ 10 | --func=main \ 11 | --trip-asserts \ 12 | --compare-post-reg-values=RAX \ 13 | -- ./bin/main_1 ./bin/main_2 14 | } 15 | 16 | run 17 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop/loop_depth_one/run_wp_compare.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # test that an unrolled loop does not effect results in the comparative case 4 | 5 | # Should return UNSAT 6 | 7 | run() { 8 | bap wp \ 9 | --func=foo \ 10 | --num-unroll=3 \ 11 | --postcond="(assert (= RAX_orig RAX_mod))" \ 12 | --no-byteweight \ 13 | --show=diagnostics \ 14 | -- ./bin/main_1 ./bin/main_2 15 | } 16 | 17 | run 18 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/memory_samples/diff_stack/run_wp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This test accumulates the values on the stack into RAX. THe two binaries have 4 | # different values on the stack, giving different outputs. 5 | 6 | # Should return SAT. 7 | 8 | run () { 9 | bap wp \ 10 | --func=main \ 11 | --compare-post-reg-values=RAX \ 12 | --no-glibc-runtime \ 13 | -- ./bin/main_1 ./bin/main_2 14 | } 15 | 16 | run 17 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/ogre_files/run_wp3.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Checks that return value of f1 is identical if we lift the same 4 | # binary twice. Uses the same ogre file for both. 5 | # 6 | # Should be UNSAT 7 | 8 | run () { 9 | bap wp \ 10 | --func=f1 \ 11 | --ogre=main1.ogre \ 12 | --postcond="(assert (= R0_orig R0_mod))" \ 13 | -- ./bin/main_1_stripped ./bin/main_1_stripped 14 | } 15 | 16 | run 17 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/user_func_spec/sub_spec_5/run_wp_2.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Should return UNSAT: we can trip neither assert because both f and g have postcondition RAX=61 4 | 5 | run () { 6 | bap wp \ 7 | --func=main \ 8 | --user-func-specs="f,(assert true),(assert (= RAX #x0000000000000061));g,(assert true),(assert (= RAX #x0000000000000061))" \ 9 | --trip-assert \ 10 | -- ./bin/main 11 | } 12 | 13 | run 14 | -------------------------------------------------------------------------------- /vsa/value_set/lib/Makefile: -------------------------------------------------------------------------------- 1 | project = cbat_value_set 2 | 3 | all: build 4 | 5 | clean.local: 6 | opam pin remove -y . 7 | dune uninstall 8 | dune clean 9 | 10 | build: 11 | dune build -p $(project) 12 | 13 | install.local: build 14 | dune install 15 | opam pin add -y . 16 | 17 | doc: 18 | dune build @doc 19 | 20 | check.installed.findlib: 21 | ocamlfind query $(project) 22 | 23 | check.installed.opam: 24 | opam show $(project) 25 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop_invariant/nondet_iters/run_wp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Tests a simple loop invariant checker. 4 | 5 | # Should return UNSAT. 6 | 7 | run () { 8 | bap wp \ 9 | --show=bir \ 10 | --func=loop \ 11 | --precond="(assert (bvule RDX #x000000007fffffff))" \ 12 | --postcond="(assert (= RAX init_RDX))" \ 13 | --loop-invariant="$(cat loop_invariant.smt)" \ 14 | -- ./bin/main 15 | } 16 | 17 | run 18 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/diff_ret_val/run_wp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # A simple test that shows an instance where WP catches a function that has 4 | # different return values between the two binaries. In this case, main_1 returns 5 | # a 2 and main_2 returns a 5. 6 | 7 | # Should return SAT 8 | 9 | run () { 10 | bap wp \ 11 | --func=main \ 12 | --compare-post-reg-values=RAX \ 13 | -- ./bin/main_1 ./bin/main_2 14 | } 15 | 16 | run 17 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/floating_point/comparison/sat/run_wp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # A test that compares two binaries that perform an addition operation on two 4 | # floating point numbers. The values added differ between the two binaries. 5 | 6 | # Should return SAT 7 | 8 | run () { 9 | bap wp \ 10 | --func=foo \ 11 | --init-mem \ 12 | --compare-post-reg-values=YMM0 \ 13 | -- ./bin/main_1 ./bin/main_2 14 | } 15 | 16 | run 17 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/simple_wp/run_wp_pre.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # A simple example that assert_fails when argc = 3. 4 | 5 | # Tests a user defined precondition that argc/RDI = 2. In this case, it is 6 | # impossible to hit assert_fail during execution. 7 | 8 | # Should return UNSAT 9 | 10 | run () { 11 | bap wp \ 12 | --func=main \ 13 | --precond="(assert (= RDI #x0000000000000000))" \ 14 | -- ./bin/main 15 | } 16 | 17 | run 18 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/verifier_calls/run_wp_nondet.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This tests the function spec for __VERIFIER_nondet, which chaoses the output 4 | # variable. In the case that __VERIFIER_nondet_int() returns a value greater 5 | # than 0, we hit the __VERIFIER_error. 6 | 7 | # Should return SAT 8 | 9 | run () { 10 | bap wp \ 11 | --func=main \ 12 | --trip-asserts \ 13 | -- ./bin/verifier_nondet 14 | } 15 | 16 | run 17 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop_invariant/do_while/run_wp_unroll.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This tests a loop without an invariant to check. Without the invariant, WP 4 | # wouldn't be able to determine that x is 5 at the end of the function. 5 | 6 | # Should return SAT. 7 | 8 | run () { 9 | bap wp \ 10 | --num-unroll=5 \ 11 | --func=loop \ 12 | --postcond="(assert (= RAX #x0000000000000005))" \ 13 | -- ./bin/main 14 | } 15 | 16 | run 17 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/return_argc/run_wp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This example returns the first argument to main. 4 | 5 | # This tests a user defined postcondition. In this case, the postcondition of 6 | # RAX = 0 will not always be fulfilled in the binary. 7 | 8 | # Should return SAT 9 | 10 | run () { 11 | bap wp \ 12 | --func=main \ 13 | --postcond="(assert (= RAX #x0000000000000000))" \ 14 | -- ./bin/main 15 | } 16 | 17 | run 18 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/cbat-multicompiler-samples/switch_case_assignments/run_wp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This test compares our switch_case_assignment example that has been 4 | # compiled with multiple compilers 5 | 6 | # Should return UNSAT 7 | 8 | run () { 9 | bap wp \ 10 | --compare-post-reg-values=RAX \ 11 | --func=process_status \ 12 | -- ./bin/switch_case_assignments-23908 ./bin/switch_case_assignments-26471 13 | } 14 | 15 | run 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop_invariant/do_while/run_wp_no_invariant.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This tests a loop without an invariant to check. Without the invariant, WP 4 | # wouldn't be able to determine that x is 5 at the end of the function. 5 | 6 | # Should return SAT. 7 | 8 | run () { 9 | bap wp \ 10 | --num-unroll=0 \ 11 | --func=loop \ 12 | --postcond="(assert (= RAX #x0000000000000005))" \ 13 | -- ./bin/main 14 | } 15 | 16 | run 17 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop_invariant/on_stack/run_wp_no_invariant.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This tests a loop without an invariant to check. Without the invariant, WP 4 | # wouldn't be able to determine that x is 5 at the end of the function. 5 | 6 | # Should return SAT. 7 | 8 | run () { 9 | bap wp \ 10 | --num-unroll=0 \ 11 | --func=loop \ 12 | --postcond="(assert (= RAX #x0000000000000005))" \ 13 | -- ./bin/main 14 | } 15 | 16 | run 17 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/null_deref/run_wp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # A simple example that contains a dereferences a NULL value. 4 | 5 | # In this case, the verification condition that checks if memory dereferences 6 | # are non-null is turned off, and WP is unable to determine which input causes 7 | # the null dereference. 8 | 9 | # Should return UNSAT 10 | 11 | run () { 12 | bap wp \ 13 | --func=main \ 14 | -- ./bin/main 15 | } 16 | 17 | run 18 | -------------------------------------------------------------------------------- /bildb/lib/screens/bildb_architecture.mli: -------------------------------------------------------------------------------- 1 | (** Generates the UI screen that displays architecture information. *) 2 | 3 | open Bap_primus.Std 4 | 5 | module Ui = Bildb_ui 6 | 7 | module Make : functor (Machine : Primus.Machine.S) -> sig 8 | type event = Ui.Event (Machine).t 9 | 10 | (** [about ()] generates a screen that displays info about 11 | the machine architecture (e.g., x86_64, etc). *) 12 | val about : unit -> event Machine.t 13 | 14 | end 15 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/equiv_argc/run_wp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # The modified version of this test adds a check to argc and returns a 4 | # different value if true. WP is able to determine that this is the case when 5 | # argc is 2. (RDI = 2) 6 | 7 | # Should return SAT 8 | 9 | run () { 10 | bap wp \ 11 | --func=main \ 12 | --compare-post-reg-values=RAX \ 13 | --show=diagnostics \ 14 | -- ./bin/main_1 ./bin/main_2 15 | } 16 | 17 | run 18 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop_invariant/in_registers/run_wp_no_invariant.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This tests a loop without an invariant to check. Without the invariant, WP 4 | # wouldn't be able to determine that x is 5 at the end of the function. 5 | 6 | # Should return SAT. 7 | 8 | run () { 9 | bap wp \ 10 | --num-unroll=0 \ 11 | --func=loop \ 12 | --postcond="(assert (= RAX #x0000000000000005))" \ 13 | -- ./bin/main 14 | } 15 | 16 | run 17 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/user_func_spec/sub_spec_3/Makefile: -------------------------------------------------------------------------------- 1 | include ../../optimization_flags.mk 2 | 3 | SRC_DIR = src 4 | BIN_DIR = bin 5 | 6 | FLAGS += -Wpedantic -fno-stack-protector -z execstack 7 | 8 | all: $(BIN_DIR)/main_1 $(BIN_DIR)/main_2 9 | 10 | $(BIN_DIR): 11 | mkdir -p $@ 12 | 13 | $(BIN_DIR)/%: $(SRC_DIR)/%.asm $(BIN_DIR) 14 | nasm -f elf64 -o $@.o $< 15 | gcc -Wall -g -o $@ $@.o 16 | rm -rf $@.o 17 | 18 | clean: 19 | rm -rf $(BIN_DIR) 20 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/sudoku_2_by_2/run_wp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # solves a 4 by 4 sudoku puzzle encoded into a 32 bit integer. If the correct 4 | # solution is provided as input to sudoku_solver, a null dereference is 5 | # performed 6 | 7 | # Should return SAT 8 | 9 | run () { 10 | bap wp \ 11 | --func=sudoku_solver \ 12 | --check-null-derefs \ 13 | --no-byteweight \ 14 | --show=diagnostics \ 15 | -- ./bin/main 16 | } 17 | 18 | run 19 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/position_independent/run_wp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This tests inlining a function that has been compiled with fPIC. 4 | # init() returns different values, and if inlined properly, WP should be able 5 | # to capture this. 6 | 7 | # Should return SAT. 8 | 9 | run () { 10 | bap wp \ 11 | --func=example \ 12 | --inline="init|sub_*" \ 13 | --compare-post-reg-values=RAX \ 14 | -- ./bin/main_1.so ./bin/main_2.so 15 | } 16 | 17 | run 18 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/sudoku_3_by_3/run_wp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # solves a 9 by 9 sudoku puzzle encoded into a a series of 64 bit integers. If 4 | # the correct solution is provided as input to sudoku_solver, an assert is 5 | # tripped is performed 6 | 7 | # Should return SAT 8 | 9 | run () { 10 | bap wp \ 11 | --func=sudoku_solver \ 12 | --check-null-derefs \ 13 | --no-byteweight \ 14 | --inline="sub*" \ 15 | -- ./bin/main 16 | } 17 | 18 | run 19 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/user_func_spec/sub_spec_3/run_wp_single_1.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This example returns SAT when no --user-func-specs flag is included. 4 | # This example returns UNSAT when the following --user-func-specs flag is added. 5 | 6 | run () { 7 | bap wp \ 8 | --func=main \ 9 | --show=paths \ 10 | --user-func-specs="g,(assert true),(assert (= RAX #x0000000000000061))" \ 11 | --trip-assert \ 12 | -- ./bin/main_1 13 | } 14 | 15 | run 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/init_var/run_wp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # A simple test that adds 1 to the input. 4 | 5 | # Runs WP on the function foo with a postcondition that states that the foo's 6 | # output (RAX) should be equal to the its input (the initial value of RDI) + 1. 7 | 8 | # Should return UNSAT 9 | 10 | run () { 11 | bap wp \ 12 | --func=foo \ 13 | --postcond="(assert (= RAX (bvadd init_RDI #x0000000000000001)))" \ 14 | -- ./bin/main 15 | } 16 | 17 | run 18 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/no_position_independent/run_wp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This tests inlining a function that has been compiled without the fPIC flag. 4 | # init() returns different values, and if inlined properly, WP should be able 5 | # to capture this. 6 | 7 | # Should return SAT. 8 | 9 | run () { 10 | bap wp \ 11 | --func=example \ 12 | --inline=init \ 13 | --compare-post-reg-values=RAX \ 14 | -- ./bin/main_1.so ./bin/main_2.so 15 | } 16 | 17 | run 18 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/diff_pointer_val/run_wp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # A simple test where the output of a function is a pointer that contains 4 | # different values. WP is able to catch that the output varies between the 5 | # two binaries. In this case, main_1 returns a 5 and main_2 returns a 6. 6 | 7 | # Should return SAT 8 | 9 | run () { 10 | bap wp \ 11 | --func=main \ 12 | --compare-post-reg-values=RAX \ 13 | -- ./bin/main_1 ./bin/main_2 14 | } 15 | 16 | run 17 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/user_func_spec/sub_spec_2/src/main.c: -------------------------------------------------------------------------------- 1 | //Idea: 2 | // Tests that our code sees and uses g's pre and post-conditions. 3 | // Should return UNSAT 4 | #include 5 | #include 6 | 7 | // pre : (true) 8 | int g() { 9 | return 0x0000000000000067; 10 | } 11 | // post : (RAX = 4) 12 | 13 | 14 | int main(int argc,char ** argv) { 15 | argc = g(); 16 | if (argc == 0x0000000000000067) assert(0); 17 | return argc; 18 | } 19 | // post : (RAX = 3) 20 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/indirect_call_return/run_wp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This tests that an indirect call with a return has its stack pointer incremented 4 | # as part of our indirect call spec. 5 | 6 | run () { 7 | bap wp \ 8 | --func=indirect_call \ 9 | --compare-func-calls \ 10 | --postcond="(assert (and (= RSP_orig (bvadd init_RSP_orig #x0000000000000008)) (= RSP_mod (bvadd init_RSP_mod #x0000000000000008))))" \ 11 | -- ./bin/main_1 ./bin/main_2 12 | } 13 | 14 | run 15 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/nested_function_calls/run_wp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This test contains a function with two nested calls to foo then bar. 4 | 5 | # Without inlining, we only summarize the first call (foo), and do not inspect 6 | # the second call (bar). As a result, we do not find the assert_fail. 7 | 8 | # Should return UNSAT 9 | 10 | run () { 11 | bap wp \ 12 | --func=main \ 13 | --trip-asserts \ 14 | --show=diagnostics \ 15 | -- ./bin/main 16 | } 17 | 18 | run 19 | -------------------------------------------------------------------------------- /vsa/value_set/plugin/Makefile: -------------------------------------------------------------------------------- 1 | PASS_NAME = value_set 2 | 3 | .PHONY: all build install clean 4 | 5 | all: install 6 | 7 | build: 8 | bapbuild -use-ocamlfind -pkg 'cbat_value_set' -tag 'warn(A-48-44)' $(PASS_NAME).plugin 9 | 10 | install: build 11 | bapbundle update -desc 'Performs value-set analysis on binaries' $(PASS_NAME).plugin 12 | bapbundle install $(PASS_NAME).plugin 13 | 14 | clean: 15 | bapbundle remove $(PASS_NAME).plugin 16 | bapbuild -clean 17 | rm -f *.plugin 18 | rm -rf _build 19 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/cbat-multicompiler-samples/csmith/run_wp_inline.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This test compares csmith.c compiled with different compilers. 4 | 5 | # This test inlines all function calls rather than using function summaries. 6 | 7 | # Should return UNSAT 8 | 9 | run () { 10 | bap wp \ 11 | --func=main \ 12 | --compare-post-reg-values=RAX \ 13 | --use-fun-input-regs \ 14 | --inline=.* \ 15 | -- ./bin/csmith-10684 ./bin/csmith-16812 16 | } 17 | 18 | run 19 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/ogre_files/run_wp5.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Checks to see if f1 in main_2 returns 1 more than f1 in main_1. It should. 4 | # We use stripped main_1 and unstripped main_2 and only provide ogre for 5 | # the former. 6 | # 7 | # Should be UNSAT 8 | 9 | run () { 10 | bap wp \ 11 | --func=f1 \ 12 | --ogre-orig=main1.ogre \ 13 | --postcond="(assert (= (bvadd (_ bv1 32) R0_orig) R0_mod))" \ 14 | -- ./bin/main_1_stripped ./bin/main_2 15 | } 16 | 17 | run 18 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/ogre_files/run_wp6.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Checks to see if f1 in main_2 returns 1 more than f1 in main_1. It should. 4 | # We use unstripped main_1 and stripped main_2 and only provide ogre for 5 | # the latter. 6 | # 7 | # Should be UNSAT 8 | 9 | run () { 10 | bap wp \ 11 | --func=f1 \ 12 | --ogre-mod=main2.ogre \ 13 | --postcond="(assert (= (bvadd (_ bv1 32) R0_orig) R0_mod))" \ 14 | -- ./bin/main_1 ./bin/main_2_stripped 15 | } 16 | 17 | run 18 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop/loop_depth_one/run_wp_less_loop.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # in the case we do not unroll the loop all the way and terminate early 4 | # expected behavior is to not be affected by the loop. See issue #236 5 | 6 | # Should return SAT 7 | 8 | run() { 9 | bap wp \ 10 | --func=foo \ 11 | --num-unroll=2 \ 12 | --postcond="(assert (not (= RAX #x0000000000000005)))" \ 13 | --no-byteweight \ 14 | --show=diagnostics \ 15 | -- ./bin/main_1 16 | } 17 | 18 | run 19 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop_invariant/nondet_iters/run_wp_no_invariant.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This tests a loop without an invariant to check. Without the invariant, WP 4 | # wouldn't be able to determine that x is incremented z times. 5 | 6 | # Should return SAT. 7 | 8 | run () { 9 | bap wp \ 10 | --num-unroll=0 \ 11 | --func=loop \ 12 | --precond="(assert (bvult RDX #x000000007fffffff))" \ 13 | --postcond="(assert (= RAX init_RDX))" \ 14 | -- ./bin/main 15 | } 16 | 17 | run 18 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/malloc/compare_simple/run_wp_unsat.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This test contains a single call to malloc. This tests turns off the chaos 4 | # function spec and treats the malloc function as any other function. 5 | 6 | # Should return UNSAT 7 | 8 | run () { 9 | bap wp \ 10 | --func=foo \ 11 | --show=bir,paths \ 12 | --compare-post-reg-values=RAX \ 13 | --inline=sub_* \ 14 | --no-chaos=malloc \ 15 | -- ./bin/main_1.o ./bin/main_2.o 16 | } 17 | 18 | run 19 | -------------------------------------------------------------------------------- /vsa/value_set/Makefile: -------------------------------------------------------------------------------- 1 | CBAT_VALUE_SET = lib 2 | PLUGIN = plugin 3 | TESTS = unit_tests 4 | 5 | .PHONY: install doc test clean reinstall 6 | 7 | all: install 8 | 9 | install: 10 | $(MAKE) -C $(CBAT_VALUE_SET) $@.local 11 | $(MAKE) -C $(PLUGIN) $@ 12 | 13 | doc: 14 | $(MAKE) -C $(CBAT_VALUE_SET) $@ 15 | 16 | test: install 17 | $(MAKE) -C $(TESTS) $@ 18 | 19 | clean: 20 | $(MAKE) -C $(PLUGIN) $@ 21 | $(MAKE) -C $(CBAT_VALUE_SET) $@.local 22 | $(MAKE) -C $(TESTS) $@ 23 | 24 | reinstall: clean install 25 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/function_call/run_wp_inline_all.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This example contains a function call to foo. 4 | 5 | # This tests that WP can inline all functions. With foo inlined, WP should find 6 | # that when argc (RDI) = 5, the execution of the program will hit the assert_fail. 7 | 8 | # Should return SAT. 9 | 10 | run () { 11 | bap wp \ 12 | --func=main \ 13 | --inline=.* \ 14 | --trip-asserts \ 15 | --show=diagnostics \ 16 | -- ./bin/main 17 | } 18 | 19 | run 20 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/indirect_call_no_return/run_wp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This tests that an indirect call with no return does not have 4 | # its stack pointer incremented as part of our indirect call spec. 5 | 6 | run () { 7 | bap wp \ 8 | --func=indirect_call \ 9 | --compare-func-calls \ 10 | --postcond="(assert (and (= RSP_orig (bvadd init_RSP_orig #x0000000000000008)) (= RSP_mod (bvadd init_RSP_mod #x0000000000000008))))" \ 11 | -- ./bin/main_1 ./bin/main_2 12 | } 13 | 14 | run 15 | -------------------------------------------------------------------------------- /bildb/lib/screens/bildb_initialization.mli: -------------------------------------------------------------------------------- 1 | (** Generates the UI screen that displays the initialization of BILDB. *) 2 | 3 | open Bap_primus.Std 4 | 5 | module Ui = Bildb_ui 6 | module State = Bildb_state 7 | 8 | module Make : functor (Machine : Primus.Machine.S) -> sig 9 | type event = Ui.Event (Machine).t 10 | 11 | (** [show state] generates a screen that displays the initialization 12 | data contained in [state] (see {!State.Data}). *) 13 | val show : State.Data.t -> event Machine.t 14 | 15 | end 16 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/linked_list/run_wp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # An example with a linked list that attempts to write a 1 into a NULL pointer. 4 | 5 | # In this case, the verification condition that checks if memory dereferences 6 | # are non-null is turned off, and WP is unable to determine that this binary 7 | # attempts to write a 1 in an address that is NULL. 8 | 9 | # Should return UNSAT 10 | 11 | run () { 12 | bap wp \ 13 | --func=create_linked_list \ 14 | -- ./bin/main 15 | } 16 | 17 | run 18 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/ogre_files/run_wp4.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Check to see if the two versions of f1 return the same value. They don't. 4 | # uses two different ogre files to find the two f1s in the two stripped 5 | # binaries. 6 | # 7 | # Should be SAT 8 | 9 | run () { 10 | bap wp \ 11 | --func=f1 \ 12 | --ogre-orig=main1.ogre \ 13 | --ogre-mod=main2.ogre \ 14 | --postcond="(assert (= R0_orig R0_mod))" \ 15 | -- ./bin/main_1_stripped ./bin/main_2_stripped 16 | } 17 | 18 | run 19 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/pointer_flag_single/run_wp_sat.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This tests the single binary case of the --wp-poitner-reg-list flag. In this 4 | # case, we ensure that the program cannot take input that points to an 5 | # uninitialized region on the stack. Without the flag, this is possible. 6 | 7 | # Should return SAT 8 | 9 | set -x 10 | 11 | run () { 12 | bap wp \ 13 | --func=foo \ 14 | --postcond="(assert (not (= RAX #x00000000deadbeef)))" \ 15 | -- ./bin/main 16 | } 17 | 18 | run 19 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/user_func_spec/sub_spec_1/README.md: -------------------------------------------------------------------------------- 1 | This folder contains four tests that test the basic logic of subroutine specs. 2 | In each case, we build the weakest precondition for the subroutine that should 3 | look like the following: 4 | 5 | `run_wp_1.sh` - true & (false => false), should return UNSAT 6 | 7 | `run_wp_2.sh` - true & (true => false), should return SAT 8 | 9 | `run_wp_3.sh` - true & (RAX=4 => RAX=4), should return UNSAT 10 | 11 | `run_wp_4.sh` - RAX=4 & (RAX=4 => RAX=4), should return SAT 12 | -------------------------------------------------------------------------------- /vsa/explicit_edge/Makefile: -------------------------------------------------------------------------------- 1 | PASS_NAME = explicit_edge 2 | 3 | .PHONY: all build install clean 4 | 5 | all: install 6 | 7 | build: 8 | bapbuild -use-ocamlfind -pkg 'cbat_value_set' -tag 'warn(A-48-44)' $(PASS_NAME).plugin 9 | 10 | install: build 11 | bapbundle update -desc 'Performs value-set analysis on binaries' $(PASS_NAME).plugin 12 | bapbundle install $(PASS_NAME).plugin 13 | 14 | clean: 15 | bapbundle remove $(PASS_NAME).plugin 16 | bapbuild -clean 17 | rm -f *.plugin 18 | rm -rf _build 19 | 20 | reinstall: clean install 21 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop_invariant/nondet_iters/run_wp_unroll.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This tests a loop without an invariant to check. WP can't determine how many 4 | # times x is incremented, since the we iterate over the loop an arbitrary 5 | # number of times. 6 | 7 | # Should return SAT. 8 | 9 | run () { 10 | bap wp \ 11 | --num-unroll=5 \ 12 | --func=loop \ 13 | --precond="(assert (bvult RDX #x000000007fffffff))" \ 14 | --postcond="(assert (= RAX init_RDX))" \ 15 | -- ./bin/main 16 | } 17 | 18 | run 19 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/memory_samples/diff_stack/src/main_1.S: -------------------------------------------------------------------------------- 1 | .global _start 2 | 3 | .text 4 | 5 | main: 6 | lea -0x98(%rsp), %rsp 7 | movq $0x2, (%rsp) 8 | movq $0x3, 0x8(%rsp) 9 | movq $0x4, 0x10(%rsp) 10 | addq 0x10(%rsp), %rax 11 | addq 0x8(%rsp), %rax 12 | addq (%rsp), %rax 13 | lea 0x98(%rsp), %rsp 14 | ret 15 | 16 | _start: 17 | call main 18 | mov $0x3c, %rax 19 | xor %rdi, %rdi 20 | syscall 21 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/memory_samples/diff_stack/src/main_2.S: -------------------------------------------------------------------------------- 1 | .global _start 2 | 3 | .text 4 | 5 | main: 6 | lea -0x98(%rsp), %rsp 7 | movq $0x3, (%rsp) 8 | movq $0x4, 0x8(%rsp) 9 | movq $0x5, 0x10(%rsp) 10 | addq 0x10(%rsp), %rax 11 | addq 0x8(%rsp), %rax 12 | addq (%rsp), %rax 13 | lea 0x98(%rsp), %rsp 14 | ret 15 | 16 | _start: 17 | call main 18 | mov $0x3c, %rax 19 | xor %rdi, %rdi 20 | syscall 21 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/arm/mem_comparison/run_wp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This tests that we can properly model memory for ARM binaries. 4 | 5 | # A test where the function foo_get indexes the array foo with length 10. The 6 | # address of the memory read is different between the two binaries. 7 | 8 | # Should return SAT 9 | 10 | run () { 11 | bap wp \ 12 | --show=bir,paths \ 13 | --func=foo_get \ 14 | --compare-post-reg-values=R0,R1,R4,R5,R6,R7,R8,R9,R10,R11 \ 15 | -- ./bin/main_1 ./bin/main_2 16 | } 17 | 18 | run 19 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/function_call/run_wp_inline_foo.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This example contains a function call to foo. 4 | 5 | # This tests that WP can inline the function foo based off the regex. With foo 6 | # inlined, WP should find that when argc (RDI) = 5, the execution of the program 7 | # will hit the assert_fail. 8 | 9 | # Should return SAT. 10 | 11 | run () { 12 | bap wp \ 13 | --func=main \ 14 | --inline=foo \ 15 | --trip-asserts \ 16 | --show=diagnostics \ 17 | -- ./bin/main 18 | } 19 | 20 | run 21 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/init_var/run_wp_sat.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # A simple test that adds 1 to the input. 4 | 5 | # Runs WP on the function foo with a postcondition that states that the foo's 6 | # output (RAX) should be equal to the its input (the initial value of RDI) + 2, 7 | # which is impossible due to the definition of foo. 8 | 9 | # Should return SAT 10 | 11 | run () { 12 | bap wp \ 13 | --func=foo \ 14 | --postcond="(assert (= RAX (bvadd init_RDI #x0000000000000002)))" \ 15 | -- ./bin/main 16 | } 17 | 18 | run 19 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/ogre_files/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | CC = arm-linux-gnueabi-gcc 4 | 5 | 6 | FLAGS = -Wpedantic -fno-stack-protector -z execstack 7 | 8 | all: $(BIN_DIR)/main_1 $(BIN_DIR)/main_2 \ 9 | $(BIN_DIR)/main_1_stripped $(BIN_DIR)/main_2_stripped 10 | $(BIN_DIR): 11 | mkdir -p $@ 12 | 13 | $(BIN_DIR)/%_stripped: $(BIN_DIR)/% 14 | cp $(BIN_DIR)/$* $@ 15 | strip $@ 16 | 17 | $(BIN_DIR)/%: $(SRC_DIR)/%.c $(BIN_DIR) 18 | $(CC) $(FLAGS) -Wall -g -o $@ $< 19 | 20 | clean: 21 | rm -rf $(BIN_DIR) 22 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/nested_function_calls/run_wp_inline_regex.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This test contains a function with two nested calls to foo then bar. 4 | 5 | # This tests that we can inline both foo and bar with the regex passed into the 6 | # inline flag, allowing WP to find the case where assert_fail is hit in bar. 7 | 8 | # Should return SAT 9 | 10 | run () { 11 | bap wp \ 12 | --func=main \ 13 | --inline="foo|bar" \ 14 | --trip-asserts \ 15 | --show=diagnostics \ 16 | -- ./bin/main 17 | } 18 | 19 | run 20 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/nested_function_calls/run_wp_inline_all.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This test contains a function with two nested calls to foo then bar. 4 | 5 | # Here, we are inlining all function calls, allowing us to inspect both foo and 6 | # bar. This allows WP to find the case where assert_fail is reach in bar. 7 | 8 | # Should return SAT 9 | 10 | run () { 11 | bap wp \ 12 | --func=main \ 13 | --show=precond-internal,diagnostics \ 14 | --inline=.* \ 15 | --trip-asserts \ 16 | -- ./bin/main 17 | } 18 | 19 | run 20 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/simple_wp/src/main_with_struct.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | 5 | /* typedef struct bar { int foo; } bar_t; */ 6 | 7 | /* int foo(bar_t * baz) { */ 8 | 9 | /* int x = baz -> foo; */ 10 | 11 | /* if(baz->foo == 10) */ 12 | /* assert(0); */ 13 | 14 | /* return 0; */ 15 | 16 | /* } */ 17 | 18 | 19 | 20 | int main(int argc,char ** argv) { 21 | 22 | /* printf("%lu\n", sizeof(bar_t)); */ 23 | 24 | if(2*argc+3 == 135) 25 | assert(0); 26 | 27 | 28 | return 0; 29 | } 30 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/user_func_spec/sub_spec_1/run_wp_4.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Should return SAT, since (true /\ (true => false)) is false, which is SAT 4 | # Note: This example would have returned UNSAT if the --user-func-specs flag 5 | # weren't used. So we turn an UNSAT into SAT with the --user-func-specs flag. 6 | 7 | run () { 8 | bap wp \ 9 | --func=main \ 10 | --show=precond-smtlib \ 11 | --postcond="(assert true)" \ 12 | --user-func-specs="g,(assert false),(assert true)" \ 13 | -- ./bin/main 14 | } 15 | 16 | run 17 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/user_func_spec/sub_spec_3/run_wp_comp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This example returns SAT when no --user-func-specs flag is included. 4 | # This example returns UNSAT when a --user-func-specs flag that specifies RAX is 5 | # not equal to #x0000000000000067 is added. 6 | 7 | run () { 8 | bap wp \ 9 | --func=main \ 10 | --show=paths \ 11 | --compare-post-reg-values=RAX,RDI \ 12 | --user-func-specs="g,(assert true),(assert (= RAX #x0000000000000061))" \ 13 | -- ./bin/main_1 ./bin/main_2 14 | } 15 | 16 | run 17 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/pointer_flag_single/run_wp_unsat.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This tests the single binary case of the --wp-pointer-reg-list flag. In this 4 | # case, we ensure that the program cannot take input that points to an 5 | # uninitialized region on the stack. With the flag, this is not possible. 6 | 7 | # Should return UNSAT 8 | 9 | set -x 10 | 11 | run () { 12 | bap wp \ 13 | --func=foo \ 14 | --postcond="(assert (not (= RAX #x00000000deadbeef)))" \ 15 | --pointer-reg-list=RDI \ 16 | -- ./bin/main 17 | } 18 | 19 | run 20 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/same_null_deref/run_wp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This example demonstrates how CBAT can catch null dereferences when comparing 4 | # binaries. If both binaries are identical and both dereference null, wp should 5 | # return UNSAT because there are no new paths in the modified binary that would 6 | # have more null dereferences relative to the original binary. 7 | 8 | # Should return UNSAT 9 | 10 | run () { 11 | bap wp \ 12 | --func=null_deref \ 13 | --check-null-derefs \ 14 | -- ./bin/main_1 ./bin/main_2 15 | } 16 | 17 | run 18 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/memory_samples/name_matching/run_wp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # A binary that returns the value of a global variable. 4 | 5 | # This tests matching a symbol in the original binary with that of the modified 6 | # binary whose name has been updated similarly to retrowrite's instrumentation 7 | # and whose address is at a different location. 8 | 9 | # Should return UNSAT 10 | 11 | run () { 12 | bap wp \ 13 | --func=main \ 14 | --compare-post-reg-values=RAX \ 15 | --mem-offset \ 16 | -- ./bin/main_1 ./bin/main_2 17 | } 18 | 19 | run 20 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/user_func_spec/sub_spec_4/run_wp_1.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This example returns UNSAT when the following --user-func-specs flag is included. 4 | # This example returns SAT when no --user-func-specs flag is inluded. 5 | # This example demonstrates a comparative case of using --user-func-specs 6 | 7 | run () { 8 | bap wp \ 9 | --func=main \ 10 | --show=paths \ 11 | --compare-post-reg-values=RAX \ 12 | --user-func-specs="g,(assert true),(assert (= RAX #x0000000000000067))" \ 13 | -- ./bin/main_1 ./bin/main_2 14 | } 15 | 16 | run 17 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/user_func_spec/sub_spec_5/README.md: -------------------------------------------------------------------------------- 1 | A basic C example that tests multiple subroutine specs simultaneously. 2 | 3 | For example, in the code 4 | 5 | ``` 6 | int main(int argc,char ** argv) { 7 | if (f() == 0x0000000000000067) assert(0); 8 | if (g() == 0x0000000000000067) assert(0); 9 | return argc; 10 | } 11 | ``` 12 | 13 | If we want an UNSAT with the trip-assert flag on, 14 | we need to show that neither `f` or `g` can return `67`. 15 | If a postcondition for f and g says `(assert not(= RAX 0x67))`, 16 | then we can be assured an UNSAT. 17 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/nqueens/Makefile: -------------------------------------------------------------------------------- 1 | SRC_DIR = src 2 | BIN_DIR = bin 3 | 4 | BASE = main 5 | 6 | LARGEST_BOARD_SIZE = 19 7 | SMALLEST_BOARD_SIZE = 4 8 | 9 | NUM_RANGE = $(shell seq $(SMALLEST_BOARD_SIZE) $(LARGEST_BOARD_SIZE)) 10 | TARGETS = $(foreach N,$(NUM_RANGE),$(BIN_DIR)/$(BASE)_$N) 11 | 12 | FLAGS = -O3 -D BOARD_SIZE=$(subst $(BIN_DIR)/$(BASE)_,,$@) 13 | 14 | all: $(TARGETS) 15 | 16 | $(BIN_DIR): 17 | mkdir -p $(BIN_DIR) 18 | 19 | 20 | $(TARGETS): $(SRC_DIR)/$(BASE).c $(BIN_DIR) 21 | clang $(FLAGS) -Wall -g -o $@ $< 22 | 23 | clean: 24 | rm -rf $(BIN_DIR) 25 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/function_spec/run_wp_inline_all.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This test contains a call to foo which returns 3. In main, in the case that 4 | # foo returns 5, we assert_fail. This should be impossible. 5 | 6 | # This tests that WP can inline all functions. With foo inlined, we can determine 7 | # that it only returns 3, and we know that the assert_fail cannot be reached. 8 | 9 | # Should return UNSAT. 10 | 11 | run () { 12 | bap wp \ 13 | --func=main \ 14 | --inline=.* \ 15 | --trip-asserts \ 16 | -- ./bin/main 17 | } 18 | 19 | run 20 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/function_spec/run_wp_inline_garbage.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This test contains a call to foo which returns 3. In main, in the case that 4 | # foo returns 5, we assert_fail. This should be impossible. 5 | 6 | # This tests passes in a regex that doesn't match any function. 7 | # As a result, no function is inlined, and the output to foo will be chaosed. 8 | 9 | # Should return SAT. 10 | 11 | run () { 12 | bap wp \ 13 | --func=main \ 14 | --inline=NONEXISTENTGARBAGE \ 15 | --trip-asserts \ 16 | -- ./bin/main 17 | } 18 | 19 | run 20 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop/loop_with_assert/run_wp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This binary tests CBAT's ability to unroll loops. In this test, there is a for 4 | # loop that increments a counter, and if that counter has a specific value at 5 | # the end of the loop, we hit an assert(0). 6 | 7 | # If we are able to properly unroll loops, we should be able to reach that 8 | # assert(0) in the analysis. 9 | 10 | # Should return SAT 11 | 12 | run() { 13 | bap wp \ 14 | --func=main \ 15 | --num-unroll=2 \ 16 | --trip-asserts \ 17 | -- ./bin/main 18 | } 19 | 20 | run 21 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/null_deref/run_wp_null_deref.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # A simple example that contains a dereferences a NULL value. 4 | 5 | # In this case, the check-null-deref flag is set. This adds a hook to every 6 | # memory read in the program and adds a verification condition that 7 | # asserts that each read is to a non-null address. From this WP can determine 8 | # that argc/RDI = 3 causes the null dereference. 9 | 10 | # Should return SAT 11 | 12 | run () { 13 | bap wp \ 14 | --func=main \ 15 | --check-null-derefs \ 16 | -- ./bin/main 17 | } 18 | 19 | run 20 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/loop_invariant/break/loop_invariant.smt: -------------------------------------------------------------------------------- 1 | (((address 0x1e) 2 | (invariant 3 | "(define-fun read ((addr (_ BitVec 64))) (_ BitVec 32) 4 | (concat (select mem (bvadd addr #x0000000000000003)) 5 | (select mem (bvadd addr #x0000000000000002)) 6 | (select mem (bvadd addr #x0000000000000001)) 7 | (select mem addr))) 8 | (assert 9 | (let ((j (read (bvsub RBP #x0000000000000004))) 10 | (i (read (bvsub RBP #x0000000000000008)))) 11 | (and (bvule i #x00000003) 12 | (= j #x00000005))))"))) 13 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/memory_samples/name_matching/run_wp_addr_rewrite.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # A binary that returns the value of a global variable. 4 | 5 | # This tests matching a symbol in the original binary with that of the modified 6 | # binary whose name has been updated similarly to retrowrite's instrumentation 7 | # and whose address is at a different location. 8 | 9 | # Should return UNSAT 10 | 11 | run () { 12 | bap wp \ 13 | --func=main \ 14 | --compare-post-reg-values=RAX \ 15 | --rewrite-addresses \ 16 | -- ./bin/main_1 ./bin/main_2 17 | } 18 | 19 | run 20 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/user_func_spec/sub_spec_3/run_wp_single_3.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This example returns SAT when no --user-func_spec flag is included. 4 | # This example returns UNSAT when a --user_func_spec flag that specifies RAX is 5 | # not equal to #x0000000000000067 is added. 6 | 7 | run () { 8 | bap wp \ 9 | --func=main \ 10 | --show=paths \ 11 | --precond="(assert (= RAX #x0000000000000061))" \ 12 | --user-func-specs="g,(assert (= RAX #x0000000000000061)),(assert (= RAX init_RAX))" \ 13 | --trip-assert \ 14 | -- ./bin/main_1 15 | } 16 | 17 | run 18 | -------------------------------------------------------------------------------- /docs/doc/html/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | index 5 | 6 | 7 | 8 | 9 | 10 |
11 |
12 |

OCaml package documentation

13 |
    14 |
  1. bap_wp 0.1
    2. 15 |
16 |
17 |
18 | 19 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/arm/function_spec/run_wp_inline.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This test contains a call to foo which returns 3. In main, in the case that 4 | # foo returns 5, we assert_fail. This should be impossible. 5 | 6 | # This tests that WP can inline foo based off the regex. With foo inlined, we 7 | # can determine that it only returns 3, and we know that the assert_fail 8 | # cannot be reached. 9 | 10 | # Should return UNSAT. 11 | 12 | run () { 13 | bap wp \ 14 | --func=main \ 15 | --inline=foo \ 16 | --trip-asserts \ 17 | -- ./bin/main 18 | } 19 | 20 | run 21 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/function_spec/run_wp_inline_foo.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # This test contains a call to foo which returns 3. In main, in the case that 4 | # foo returns 5, we assert_fail. This should be impossible. 5 | 6 | # This tests that WP can inline foo based off the regex. With foo inlined, we 7 | # can determine that it only returns 3, and we know that the assert_fail 8 | # cannot be reached. 9 | 10 | # Should return UNSAT. 11 | 12 | run () { 13 | bap wp \ 14 | --func=main \ 15 | --inline=foo \ 16 | --trip-asserts \ 17 | -- ./bin/main 18 | } 19 | 20 | run 21 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/memory_samples/diff_data/run_wp.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Tests having a different value in the data section (at the same addresses) 4 | # and the same values on the stack. 5 | 6 | # The test accumulates that values in the data section and stack and stores 7 | # the result in RAX. Because the data section has different values, the output 8 | # RAX also differs. 9 | 10 | # Should return SAT 11 | 12 | run () { 13 | bap wp \ 14 | --func=main \ 15 | --compare-post-reg-values=RAX \ 16 | --no-glibc-runtime \ 17 | -- ./bin/main_1 ./bin/main_2 18 | } 19 | 20 | run 21 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/user_func_spec/sub_spec_2/README.md: -------------------------------------------------------------------------------- 1 | A basic C example that tests subroutine constraints where the constraint 2 | can determine whether or not an assert_fail is possible for the given C code. 3 | 4 | For example, in the code 5 | 6 | ``` 7 | int main(int argc,char ** argv) { 8 | argc = g(); 9 | if (argc == 0x0000000000000067) assert(0); 10 | return argc; 11 | } 12 | ``` 13 | 14 | If we want an UNSAT with the trip-assert flag on, 15 | we need to show `argc` can't be 0x67. 16 | If a postcondition for g says `(assert not(= RAX 0x67))`, 17 | then we can be assured an UNSAT. 18 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/user_func_spec/sub_spec_6/run_wp_3.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Should return SAT. 4 | 5 | # This is run_wp_1 but with an off-by-one error in the orig g spec, to show we 6 | # get SATs when our specs don't provide the needed information. 7 | 8 | run () { 9 | bap wp \ 10 | --func=main \ 11 | --compare-post-reg-values=RAX \ 12 | --user-func-specs-orig="g,(assert true),(assert (= RAX (bvadd init_RDI (_ bv7 64))))" \ 13 | --user-func-specs-mod="g,(assert true),(assert (= RAX (bvadd init_RDI (_ bv4 64))))" \ 14 | -- ./bin/orig ./bin/mod 15 | } 16 | 17 | run 18 | 19 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/retrowrite_stub/run_wp_inline_all.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | # Stubs the lines of assembly that retrowrite adds to the beginning of each 4 | # label. At the end of the subroutine, the registers between both binaries 5 | # should be equal. 6 | 7 | # This inlines all function calls which should pop 8 | # the stack pointer at the end of each call. 9 | 10 | # Should return UNSAT 11 | 12 | run () { 13 | bap wp \ 14 | --func=main \ 15 | --compare-post-reg-values=RAX \ 16 | --inline=.* \ 17 | --no-glibc-runtime \ 18 | -- ./bin/main_1 ./bin/main_2 19 | } 20 | 21 | run 22 | -------------------------------------------------------------------------------- /wp/resources/sample_binaries/switch_case_assignments/src/main_2.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | typedef enum {NAV, DEPLOY} status_t; 5 | 6 | bool process_status(status_t status) { 7 | bool nav = false; 8 | bool deploy = false; 9 | 10 | switch (status) { 11 | case NAV: 12 | nav = true; 13 | 14 | case DEPLOY: 15 | deploy = true; 16 | break; 17 | } 18 | return deploy; 19 | } 20 | 21 | int main() { 22 | 23 | status_t status = NAV; 24 | 25 | if (process_status(status)) { 26 | printf("Payload deployed.\n"); 27 | } 28 | 29 | return 0; 30 | } 31 | --------------------------------------------------------------------------------