TritonDSE
The pastis-tritondse utility launches a TritonDSE engine. It can run in an
alert-driven manner with ALERT_ONLY or independently of alerts with CHECK_ALL.
It also has two modes: online, to interact with a pastis-broker server, and offline,
to run locally on its own.
Online
The online mode only requires an IP and a port, as all subsequent parameters are provided by the broker. The default IP and port are localhost and 5555.
If the broker is running on the same machine, pastis-tritondse can be launched with:
$ pastis-tritondse online
If the broker runs on a different machine, it can be launched with:
$ pastis-tritondse online -h 8.8.8.8 -p 5555
The utility then automatically receives the parameters and the binary to test, and starts performing its coverage.
Offline
When running locally, all parameters normally received through the network have to be provided on the command line. The help message is the following:
Usage: pastis-tritondse offline [OPTIONS] PROGRAM [PARGVS]...
Options:
  -r, --sast-report FILE          SAST report to use
  -c, --count INTEGER             Number of execution [default: 0]
  --config FILE                   Triton configuration file
  -s, --seed PATH                 Seed or directory of seeds to give to the
                                  exploration
  -x, --exmode [AUTO|SINGLE_EXEC|PERSISTENT]
                                  Execution mode [default: SINGLE_EXEC]
  -fmod, --fuzzmode [AUTO|INSTRUMENTED|BINARY_ONLY]
                                  Fuzz mode [default: BINARY_ONLY]
  -chk, --chkmode [CHECK_ALL|ALERT_ONLY|ALERT_ONE]
                                  Check mode [default: CHECK_ALL]
  -cov, --covmode [block|edge|path|PREFIXED_EDGE]
                                  Coverage strategy [default: edge]
  -i, --seedinj [STDIN|ARGV]      Location where to inject input [default:
                                  STDIN]
  -n, --name TEXT                 Name of the executable if program is an
                                  archive containing multiple files
  -t, --target TEXT               Target alert address in case of ALERT_ONE
                                  checkmode
  -p, --probe TEXT                Probe to load as a python module (should
                                  contain a ProbeInterface)
  -w, --workspace TEXT            Path to TritonDSE workspace
  --debug                         Enable debug logs
  --debug-pp                      Enable debugging path predicate
  --trace                         Show execution trace in debug logging
Details:
--sast-report: SAST report, if any
--count: limit the number of iterations to perform (number of program executions)
--config: tritondse configuration file to use
--seed: initial seed file or directory to use as initial corpus
--exmode: only SINGLE_EXEC is supported at the moment
--fuzzmode: only BINARY_ONLY applies for TritonDSE
--chkmode: change the running mode
--covmode: coverage strategy to apply
--seedinj: location where to inject the input file
--name: name of the executable if the PROGRAM provided is an archive
--target: target address to try reaching when launched in ALERT_ONE
--probe: external probe module that should be attached to the exploration
--workspace: workspace directory (if not provided in the configuration file)
--debug: show debug logs
--debug-pp: enable debugging the path predicate (debugging only)
--trace: log the complete execution trace in a file (to be combined with --count 1)
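The option notes above imply a few constraints between flags. The following wrapper is an added example, not part of the PASTIS project: it assembles an offline command line and refuses combinations those notes rule out. The function name, its argument order, and the sample path, seed directory and address are assumptions made for illustration.

```shell
# Added example: build (and print, not run) a pastis-tritondse offline command.
# Hypothetical wrapper interface:
#   $1 check mode, $2 program, $3 seed file or directory,
#   $4 target alert address (ALERT_ONE only), $5 "trace" to log a full trace
build_offline_cmd() {
    chkmode=$1; program=$2; seeds=$3; target=${4:-}; trace=${5:-}

    case $chkmode in
        CHECK_ALL|ALERT_ONLY)
            # Wrapper policy: --target is documented for ALERT_ONE only.
            if [ -n "$target" ]; then
                echo "error: --target is only used with ALERT_ONE" >&2
                return 2
            fi ;;
        ALERT_ONE)
            if [ -z "$target" ]; then
                echo "error: ALERT_ONE needs a target alert address" >&2
                return 2
            fi ;;
        *)
            echo "error: unknown check mode '$chkmode'" >&2
            return 2 ;;
    esac

    # Pin the only values the notes list as applicable to TritonDSE.
    cmd="pastis-tritondse offline --exmode SINGLE_EXEC --fuzzmode BINARY_ONLY"
    cmd="$cmd --chkmode $chkmode --seed $seeds"
    if [ "$chkmode" = ALERT_ONE ]; then
        cmd="$cmd --target $target"
    fi
    # The complete execution trace is meant to be combined with --count 1.
    if [ "$trace" = trace ]; then
        cmd="$cmd --count 1 --trace"
    fi
    # Printed for review; paths containing spaces would need quoting.
    printf '%s\n' "$cmd $program"
}

# Constructed sample values: ./target.bin, ./seeds and 0x401234 are placeholders.
build_offline_cmd ALERT_ONE ./target.bin ./seeds 0x401234 trace
```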
Configuration & Results
The project handles PASTIS parameters and translates them into their counterparts
in tritondse. For instance, the running modes CHECK_ALL and ALERT_ONLY are
PASTIS parameters. Such a parameter is put into practice by registering different
callbacks. As such, ALERT_ONLY only registers a callback on the intrinsic
function, while CHECK_ALL requires registering callbacks on many more events.
Note
The configuration file and the workspace use the tritondse mechanism. Thus, one must refer to the tritondse documentation for additional information about the configuration file or the workspace organization.