int main() {
int p1,p2, x;
klee_make_symbolic(&p1, sizeof(p1), "p1");
klee_make_symbolic(&p2, sizeof(p2), "p2");
klee_make_symbolic(&x, sizeof(x), "x");
klee_assume(x == 0);
if (p1 > 8)
x = x;
else
x = x + 1;
if (p2 > 8)
x = x;
else
x = x + 2;
// Without the join, this example produces 4 tests, but with the
// join just1 1.
klee_join("dummy1", x);
klee_assert(x <= 3);
return x;
}
int
main (int argc, char *argv[])
{
int value = 0x12345678;
klee_set_taint(1, &value, sizeof(value));
value = 10;
klee_assert(klee_get_taint(&value,sizeof(value)) == 0 );
}
void
test_UIToFP ()
{
float c = 1.0;
unsigned int a = 0;
klee_set_taint (1, &a, sizeof (a));
c = a ;
klee_assert (klee_get_taint (&c, sizeof (c)) == 1 );
}
void
test_FPTrunc ()
{
double a = 1.0;
float c = 0.0;
klee_set_taint (4, &a, sizeof (a));
c = a ;
klee_assert (klee_get_taint (&c, sizeof (c)) == 4 );
}
void
test_FPExt ()
{
float a = 1.0;
double c = 0.0;
klee_set_taint (1, &a, sizeof (a));
c = a ;
klee_assert (klee_get_taint (&c, sizeof (c)) == 1 );
}
void
test_FPToSI ()
{
float a = 1.0;
int c = 0;
klee_set_taint (1, &a, sizeof (a));
c = a ;
klee_assert (klee_get_taint (&c, sizeof (c)) == 1 );
}
int main(int argc, char **argv) {
int a, b;
klee_make_symbolic(&a, sizeof(a), "a");
klee_make_symbolic(&b, sizeof(b), "b");
klee_assert(f1(a, b) == f2(a, b));
return 0;
}
void
test_SIToFP ()
{
float c = 1.0;
int a = 0;
klee_set_taint (1, &a, sizeof (a));
c = a ;
klee_assert (klee_get_taint (&c, sizeof (c)) == (1 ));
}
void
test_SRem ()
{
int a = 120;
int b = 100;
int c = 0;
klee_set_taint (1, &a, sizeof (a));
klee_set_taint (2, &b, sizeof (b));
c = a % b;
klee_assert (klee_get_taint (&c, sizeof (c)) == (1 | 2));
}
void
test_AShr ()
{
int a = -1;
int b = 1;
int c = 0;
klee_set_taint (1, &a, sizeof (a));
klee_set_taint (2, &b, sizeof (b));
c = a >> b;
klee_assert (klee_get_taint (&c, sizeof (c)) == (1 | 2));
}
int main (int argc, char** argv) {
int x;
int y;
int xa;
int ya;
klee_make_symbolic(&xa, sizeof(xa), "xa");
klee_make_symbolic(&ya, sizeof(ya), "ya");
klee_assume(xa + 2 * ya >= 0);
klee_assert(xa + 2 * ya >= -1);
return 0;
}
void
test_FAdd ()
{
float a = 1.0;
float b = 100.0;
float c = 0.0;
klee_set_taint (1, &a, sizeof (a));
klee_set_taint (2, &b, sizeof (b));
c = a + b;
klee_assert (klee_get_taint (&c, sizeof (c)) == (1 | 2));
}
int main (int argc, char** argv) {
int x;
int y;
klee_make_symbolic(&x, sizeof(x), "x");
klee_make_symbolic(&y, sizeof(y), "y");
// klee_assume((1.99946831462933) * x + (1.99946259758235) * y >= 0.999016667912656);
klee_assume (x < 0);
klee_assume (x + y > -1);
klee_assert (y >= 0);
return 0;
}
void
test_Shl ()
{
int a = 1;
int b = 8;
int c = 0;
klee_set_taint (1, &a, sizeof (a));
klee_set_taint (2, &b, sizeof (b));
c = a << b;
klee_assert (klee_get_taint (&c, sizeof (c)) == (1 | 2));
}
int main (int argc, char** argv) {
int x;
int y;
klee_make_symbolic(&x, sizeof(x), "x");
klee_make_symbolic(&y, sizeof(y), "y");
klee_assume(x + y > -1);
klee_assume (x >= 0);
x--;
y++;
klee_assert(x + y > -1);
return 0;
}
void
test_And ()
{
int a = 1;
int b = 100;
int c = 0;
klee_set_taint (1, &a, sizeof (a));
klee_set_taint (2, &b, sizeof (b));
c = a & b;
printf("C taint: %d\n", klee_get_taint (&c, sizeof (c)));
klee_assert (klee_get_taint (&c, sizeof (c)) == (1 | 2));
}
/**
* Constants should not contribute any taint
*/
int
main (int argc, char *argv[])
{
int a = 10;
int b = 10;
klee_set_taint (1, &a, sizeof (a));
klee_set_taint (1, &b, sizeof (b));
int c ;
c = b+1;
klee_assert(klee_get_taint (&c, sizeof (c))==1);
}
int main() {
int count;
int i;
klee_make_symbolic(&count, sizeof(count), "count");
klee_make_symbolic(&i, sizeof(i), "i");
klee_assume(count == 0);
klee_assume(i == 0);
klee_abstract(i == 0);
klee_abstract(count == 2);
while(i < 3){
count++;
i++;
}
klee_assert(count == 3);
}
int
main (int argc, char *argv[])
{
int result;
int param=1;
klee_set_taint(1,¶m,sizeof(param));
if (param == 1)
result = 1;
else
result = 2;
klee_assert(klee_get_taint(&result,sizeof(result))==1);
return result;
}
int
main (int argc, char *argv[])
{
int value_w = 0x12345678;
int *value_p = &value_w;
int value_r = 0x1111111;
klee_set_taint(0, &value_w, sizeof(value_w));
klee_set_taint(1, &value_p, sizeof(value_p));
klee_set_taint(2, &value_r, sizeof(value_r));
*value_p = value_r;
klee_assert(klee_get_taint(&value_w,sizeof(value_w))==3);
return 0;
}
int
main (int argc, char *argv[])
{
int i=0;
char input[7]="SECRET";
char output[7];
klee_set_taint(0x8, output, 7);
klee_set_taint(0x1, input, 7);
for (i=0; i<7; i++)
output[i] = covert_channel(input[i]);
klee_assert(klee_get_taint(output, sizeof(output))==0x1);
}
/* Tests taint is mantained under internal function calls
*/
int
main (int argc, char *argv[])
{
int result;
int parama=100;
int paramb=200;
klee_set_taint(1, ¶ma, sizeof(parama));
klee_set_taint(2, ¶mb, sizeof(paramb));
result = fun(parama, paramb);
result = result / 2;
klee_assert(klee_get_taint(&result, sizeof(result))==3);
return result;
}
int
main (int argc, char *argv[])
{
int value = 0x12345678;
int *value_p = &value;
int result;
klee_set_taint(0,&result,sizeof(result));
klee_set_taint(1,&value,sizeof(value));
klee_set_taint(2,&value_p,sizeof(value_p));
result = *value_p;
//printf ("Result taint: 0x%08x\n", klee_get_taint(&result,sizeof(result)));
klee_assert(klee_get_taint(&result,sizeof(result))==3);
return result;
}
void
test_FCmp ()
{
float a = 1.0;
float b = 2.0;
float c = 10.0;
float d = 20.0;
float result;
klee_set_taint (1, &a, sizeof (a));
klee_set_taint (2, &b, sizeof (b));
klee_set_taint (4, &c, sizeof (c));
klee_set_taint (8, &d, sizeof (d));
if (a>b)
result=c;
else
result=d;
klee_assert (klee_get_taint (&result, sizeof (result)) == 8);
}
int main(int argc, char *argv[]) {
printf("Hi, I'm %s\n", argv[0]); // The first "argument" is the path-to-self
if(argc != 2) { // argc is how long argv is, including that path-to-self
puts("You need to give me exactly one argument!");
return -1;
}
// if statements, character and string constants, && and ||, and
// comparisions work a lot like Java or any other language.
if(argv[1][0] == 't') {
if(argv[1][1] == 'h' && argv[1][2] == 'i' && argv[1][3] == 's') {
// In C, characters are just numbers from 0 to 255.
if(argv[1][4] == 95 && argv[1][5] == 105 && argv[1][6] == 0x73) {
puts("half way there!");
if(argv[1][7] != 0x5f) return 0;
// Since characters are just numbers, we can bit-flip them!
if(argv[1][8] != ~'t' || argv[1][9] != ~'h' || argv[1][10] != ~'e') {
puts("noooo!");
return 0;
}
// Lastly, "strings" are really just pointers to characters.
// argv[1][11] is the 12th character of argv[1]. So, &argv[1][11]
// points at that 12th character, which in C is basically just
// the argv[1] string from the 12th character onwards.
if(strcmp("_pass\x99word", &argv[1][11]) == 0) {
// strcmp returns 0 if the strings match, and non-zero if
// they don't. You can type `man strcmp` (without backticks)
// at the terminal to get more detailed information on strcmp.
puts("yep, that's it!");
klee_assert(0);
system("sh -i");
return 0;
}
}
}
}
puts("nope!");
return 0;
}
int main() {
unsigned char input[4];
unsigned char *p, *pl;
unsigned short hbtype;
unsigned int payload;
unsigned int padding = 16; /* Use minimum padding */
/* Another issue is to track the source of this input */
p = &(input[0]);
klee_set_taint(1, &(p[2]), 2 * sizeof(unsigned char));
hbtype = *p++;
n2s(p, payload);
pl = p;
if (hbtype == TLS1_HB_REQUEST) {
unsigned char *buffer, *bp;
/* Allocate memory for the response, size is 1 bytes
* message type, plus 2 bytes payload length, plus
* payload, plus padding
*/
buffer = malloc(1 + 2 + payload + padding);
bp = buffer;
/* Enter response type, length and copy payload */
*bp++ = TLS1_HB_RESPONSE;
s2n(payload, bp);
klee_assert(klee_get_taint(&payload, sizeof payload) == 0);
memcpy(bp, pl, payload);
bp += payload;
free(buffer);
}
return 0;
}
void check_observers()
{
klee_assert(microwave_combined_Y.S1);
klee_assert(microwave_combined_Y.S2);
klee_assert(microwave_combined_Y.R1);
klee_assert(microwave_combined_Y.R2);
klee_assert(microwave_combined_Y.R3);
klee_assert(microwave_combined_Y.R4);
klee_assert(microwave_combined_Y.R5);
klee_assert(microwave_combined_Y.R6);
klee_assert(microwave_combined_Y.R7);
klee_assert(microwave_combined_Y.R8);
klee_assert(microwave_combined_Y.R9);
klee_assert(microwave_combined_Y.R10);
klee_assert(microwave_combined_Y.R11);
klee_assert(microwave_combined_Y.R12);
}
int main() {
INPUT_VAL iv;
RETURN_VAL rv;
// controller new state array
int state_arr_[NUM_STATES];
// controller output array
int output_arr[NUM_OUTPUTS];
// extraneous input arr
int input_arr[NUM_INPUTS];
// controller present state array
//int state_arr[NUM_STATES] = { 1, 12, 123 };
int state_arr[NUM_STATES];
// plant state array
int x_arr[NUM_X];
int dummy_nextstate_arr[NUM_STATES];
int dummy_output_arr[NUM_OUTPUTS];
#if CONTROLLER_MODE == UNROLL
"I can not be compiled"
#elif CONTROLLER_MODE == CONCOLIC
// do nothing
#elif CONTROLLER_MODE == SYMBOLIC
//make state symbolic
klee_make_symbolic(state_arr, sizeof(state_arr), "state_arr");
#else
"I can not be compiled"
#endif
// make X symbolic
klee_make_symbolic(x_arr, sizeof(x_arr), "x_arr");
// make extraneous inputs symbolic
klee_make_symbolic(input_arr, sizeof(input_arr), "input_arr");
klee_make_symbolic(dummy_nextstate_arr, sizeof(dummy_nextstate_arr), "dummy_nextstate_arr");
klee_make_symbolic(dummy_output_arr, sizeof(dummy_output_arr), "dummy_output_arr");
// not sure what the below commented code is showing...? Test it out?
/*
klee_make_symbolic(&s[0], sizeof(int), "s0");
klee_make_symbolic(&x[0], sizeof(int), "x0");
klee_make_symbolic(&s[1], sizeof(int), "s1");
klee_make_symbolic(&x[1], sizeof(int), "x1");
*/
/*
s[0] = klee_int("s0");
s[1] = klee_int("s1");
x[0] = klee_int("x0");
x[1] = klee_int("x1");
*/
// write klee assumes
// klee_assume((x[0] >= 0)&(s[0] >= 0)&(x[0] <= 10)&(s[0] <= 10));
// klee_assume((x[1] >= 0)&(s[1] >= 0)&(x[1] <= 10)&(s[1] <= 10));
/*
klee_assume(x_arr[0] >= 2800);
klee_assume(x_arr[0] <= 2900);
klee_assume(state_arr[0] >= 0);
klee_assume(state_arr[0] <= 0);
*/
//klee_assume(state_arr[2] >= 0);
//klee_assume(state_arr[2] <= 999);
//klee_assume(input_arr[0] >= 0);
//klee_assume(input_arr[0] <= 0);
// controller init functions need to be defined
controller_init();
iv.state_arr = state_arr;
iv.x_arr = x_arr;
iv.input_arr = input_arr;
rv.state_arr = state_arr_;
rv.output_arr = output_arr;
// ignore return value.
controller(&iv, &rv);
//klee_assert(dummy_nextstate_arr[0] == state_arr_[0] & dummy_nextstate_arr[1] == state_arr_[1] & dummy_nextstate_arr[2] == state_arr_[2] & dummy_output_arr[0] == output_arr[0]);
{
int i = 0;
int dummy_output_assert = 1;
int dummy_state_assert = 1;
for(i=0;i<NUM_OUTPUTS;i++){
dummy_output_assert &= (dummy_output_arr[i] == output_arr[i]);
}
for(i=0;i<NUM_STATES;i++){
dummy_state_assert &= (dummy_nextstate_arr[i] == state_arr_[i]);
}
/*
int a1 = (dummy_output_arr[0] == output_arr[0]);
int a2 = (dummy_nextstate_arr[0] == state_arr_[0]);
int a3 = (dummy_nextstate_arr[1] == state_arr_[1]);
int a4 = (dummy_nextstate_arr[2] == state_arr_[2]);
klee_assert(a1 & a2 & a3 & a4);
*/
klee_assert(dummy_output_assert & dummy_state_assert);
}
// add provided klee asserts
//klee_assert(rv.output_arr[0] == 0U);
return 0;
}
