On Mon, Jul 2, 2012 at 5:24 PM, Nathan Alderfer <[email protected]> wrote:
> Hi, I'm currently working on a project that is attempting to use KLEE to
> help automatically inject exploits into vulnerable code for testing and POC.
> I was wondering if it was possible to extend KLEE to give a program concrete
> inputs when certain parameters are met (for example, if an array of over 100
> length is found, inject a certain string of shellcode rather than
> symbolically fuzzing the array), and if so, where in the source code this
> type of functionality should be implemented.
> _______________________________________________
> klee-dev mailing list
> [email protected]
> http://keeda.Stanford.EDU/mailman/listinfo/klee-dev
>
Hi,

imho, it's not the way KLEE should be used. First of all, you need to specify a lot of inputs: how are you going to inject code, what kind of input it is, the program flow, etc.

Without details, here is a rough idea of how to deal with it (I will use an analogy to Computer Algebra Systems (CAS)): instead of modifying KLEE at its roots to solve the problem (like modifying a CAS in order to solve a special equation with a special function), I would rather implement programmable code that is going to do the exploit injection, and then try to run this code, fed by KLEE with symbolic input, in order to find with KLEE how to drive it to inject the exploit (in analogy to CAS, it's like implementing what you need on top of the CAS, in the programming language the CAS gives you).

Good luck,
Grzegorz Wierzowiecki
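One way to realise the suggestion above, as an added example that is not part of the thread and not code from the KLEE project: instead of changing KLEE, write a small harness that models the target's input format, applies the injection policy from the question ("array of over 100 length"), substitutes a concrete payload when the policy fires, and then hands the rewritten input to the program under test. Running that harness under KLEE with a symbolic input makes KLEE search for the concrete bytes that reach the injection branch; the generated test case is the input that drives the injection. The two-byte length-prefixed record format, the `USE_KLEE` compile-time flag (KLEE defines no such macro itself), the `target_handle` stub and the `PAYLOAD` placeholder are all assumptions of this example.

```c
/* klee_inject_harness.c: added example, not from the thread or the KLEE project.
 * Concrete build:  cc -o harness klee_inject_harness.c && ./harness
 * KLEE build:      clang -emit-llvm -c -g -DUSE_KLEE klee_inject_harness.c -o harness.bc
 *                  klee harness.bc      (then inspect the .ktest files with ktest-tool)
 * USE_KLEE is this example's own flag; it is not something KLEE provides. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifdef USE_KLEE
#include <klee/klee.h>
#endif

#define MAX_INPUT 512
#define INJECT_THRESHOLD 100   /* "array of over 100 length" from the question */

/* Constructed placeholder; a real payload would be substituted here. */
static const unsigned char PAYLOAD[] = "PLACEHOLDER-PAYLOAD-BYTES";
#define PAYLOAD_LEN (sizeof PAYLOAD - 1)

/* Assumed model of the target's input: 2-byte big-endian length n, then n bytes.
 * Returns 1 and sets *n/*body on a well-formed record, 0 otherwise. */
static int parse_record(const unsigned char *in, size_t in_len,
                        size_t *n, const unsigned char **body)
{
    if (in_len < 2) return 0;
    *n = ((size_t)in[0] << 8) | in[1];
    if (*n > in_len - 2) return 0;      /* declared length exceeds the data present */
    *body = in + 2;
    return 1;
}

/* Injection policy, kept in its own function so the path condition KLEE
 * reports for the injecting path is easy to read. */
int should_inject(size_t array_len)
{
    return array_len > INJECT_THRESHOLD;
}

/* Rewrites the input the target will see. Returns 1 if the concrete payload was
 * injected, 0 if the input was passed through unchanged (including malformed input).
 * out must hold at least in_len bytes. */
int build_input(const unsigned char *in, size_t in_len,
                unsigned char *out, size_t *out_len)
{
    size_t n;
    const unsigned char *body;

    if (!parse_record(in, in_len, &n, &body) || !should_inject(n)) {
        memcpy(out, in, in_len);
        *out_len = in_len;
        return 0;
    }
    /* Keep the header so the record still parses; replace the body with the
     * payload and pad the rest of the declared length with 0x90. */
    out[0] = in[0];
    out[1] = in[1];
    memset(out + 2, 0x90, n);
    memcpy(out + 2, PAYLOAD, PAYLOAD_LEN < n ? PAYLOAD_LEN : n);
    *out_len = n + 2;
    return 1;
}

/* Stand-in for the program under test; the real (vulnerable) code is linked here. */
static void target_handle(const unsigned char *data, size_t len)
{
    (void)data;
    (void)len;
}

/* Concrete self-check: build a well-formed record whose body has declared_len
 * bytes and return 1 if the policy fired, 0 if it passed through, -1 if the
 * rewritten output does not look as expected. */
int run_case(unsigned declared_len)
{
    unsigned char in[MAX_INPUT], out[MAX_INPUT];
    size_t in_len = (size_t)declared_len + 2, out_len;
    int injected;

    if (in_len > MAX_INPUT) return -1;
    memset(in, 'A', in_len);
    in[0] = (unsigned char)(declared_len >> 8);
    in[1] = (unsigned char)(declared_len & 0xff);
    injected = build_input(in, in_len, out, &out_len);
    if (out_len != in_len) return -1;
    if (injected && memcmp(out + 2, PAYLOAD, PAYLOAD_LEN) != 0) return -1;
    if (!injected && memcmp(out, in, in_len) != 0) return -1;
    return injected;
}

int main(void)
{
    unsigned char in[MAX_INPUT], out[MAX_INPUT];
    size_t in_len, out_len;

#ifdef USE_KLEE
    /* Symbolic mode: KLEE explores both branches of should_inject() and emits a
     * test case with the concrete bytes that reach the injecting path. */
    klee_make_symbolic(in, sizeof in, "in");
    klee_make_symbolic(&in_len, sizeof in_len, "in_len");
    klee_assume(in_len <= sizeof in);
#else
    /* Concrete mode: a constructed record declaring a 150-byte array. */
    in_len = 152;
    memset(in, 'A', in_len);
    in[0] = 0x00;
    in[1] = 150;
#endif

    if (build_input(in, in_len, out, &out_len))
        printf("injection path reached: %zu-byte record rewritten\n", out_len);
    target_handle(out, out_len);
    return 0;
}
```

Under KLEE the interesting output is the test case for the path on which `build_input` returned 1: its `in` bytes are exactly the input that makes the harness inject, which is what the question asked KLEE to compute. Any additional constraints the real target imposes (checksums, magic bytes, a particular parser) belong in `parse_record`, not in KLEE.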
