int main() { int p1,p2, x; klee_make_symbolic(&p1, sizeof(p1), "p1"); klee_make_symbolic(&p2, sizeof(p2), "p2"); klee_make_symbolic(&x, sizeof(x), "x"); klee_assume(x == 0); if (p1 > 8) x = x; else x = x + 1; if (p2 > 8) x = x; else x = x + 2; // Without the join, this example produces 4 tests, but with the // join just1 1. klee_join("dummy1", x); klee_assert(x <= 3); return x; }
int main (int argc, char *argv[]) { int value = 0x12345678; klee_set_taint(1, &value, sizeof(value)); value = 10; klee_assert(klee_get_taint(&value,sizeof(value)) == 0 ); }
void test_UIToFP () { float c = 1.0; unsigned int a = 0; klee_set_taint (1, &a, sizeof (a)); c = a ; klee_assert (klee_get_taint (&c, sizeof (c)) == 1 ); }
void test_FPTrunc () { double a = 1.0; float c = 0.0; klee_set_taint (4, &a, sizeof (a)); c = a ; klee_assert (klee_get_taint (&c, sizeof (c)) == 4 ); }
void test_FPExt () { float a = 1.0; double c = 0.0; klee_set_taint (1, &a, sizeof (a)); c = a ; klee_assert (klee_get_taint (&c, sizeof (c)) == 1 ); }
void test_FPToSI () { float a = 1.0; int c = 0; klee_set_taint (1, &a, sizeof (a)); c = a ; klee_assert (klee_get_taint (&c, sizeof (c)) == 1 ); }
int main(int argc, char **argv) { int a, b; klee_make_symbolic(&a, sizeof(a), "a"); klee_make_symbolic(&b, sizeof(b), "b"); klee_assert(f1(a, b) == f2(a, b)); return 0; }
void test_SIToFP () { float c = 1.0; int a = 0; klee_set_taint (1, &a, sizeof (a)); c = a ; klee_assert (klee_get_taint (&c, sizeof (c)) == (1 )); }
void test_SRem () { int a = 120; int b = 100; int c = 0; klee_set_taint (1, &a, sizeof (a)); klee_set_taint (2, &b, sizeof (b)); c = a % b; klee_assert (klee_get_taint (&c, sizeof (c)) == (1 | 2)); }
void test_AShr () { int a = -1; int b = 1; int c = 0; klee_set_taint (1, &a, sizeof (a)); klee_set_taint (2, &b, sizeof (b)); c = a >> b; klee_assert (klee_get_taint (&c, sizeof (c)) == (1 | 2)); }
int main (int argc, char** argv) { int x; int y; int xa; int ya; klee_make_symbolic(&xa, sizeof(xa), "xa"); klee_make_symbolic(&ya, sizeof(ya), "ya"); klee_assume(xa + 2 * ya >= 0); klee_assert(xa + 2 * ya >= -1); return 0; }
void test_FAdd () { float a = 1.0; float b = 100.0; float c = 0.0; klee_set_taint (1, &a, sizeof (a)); klee_set_taint (2, &b, sizeof (b)); c = a + b; klee_assert (klee_get_taint (&c, sizeof (c)) == (1 | 2)); }
int main (int argc, char** argv) { int x; int y; klee_make_symbolic(&x, sizeof(x), "x"); klee_make_symbolic(&y, sizeof(y), "y"); // klee_assume((1.99946831462933) * x + (1.99946259758235) * y >= 0.999016667912656); klee_assume (x < 0); klee_assume (x + y > -1); klee_assert (y >= 0); return 0; }
void test_Shl () { int a = 1; int b = 8; int c = 0; klee_set_taint (1, &a, sizeof (a)); klee_set_taint (2, &b, sizeof (b)); c = a << b; klee_assert (klee_get_taint (&c, sizeof (c)) == (1 | 2)); }
int main (int argc, char** argv) { int x; int y; klee_make_symbolic(&x, sizeof(x), "x"); klee_make_symbolic(&y, sizeof(y), "y"); klee_assume(x + y > -1); klee_assume (x >= 0); x--; y++; klee_assert(x + y > -1); return 0; }
void test_And () { int a = 1; int b = 100; int c = 0; klee_set_taint (1, &a, sizeof (a)); klee_set_taint (2, &b, sizeof (b)); c = a & b; printf("C taint: %d\n", klee_get_taint (&c, sizeof (c))); klee_assert (klee_get_taint (&c, sizeof (c)) == (1 | 2)); }
/** * Constants should not contribute any taint */ int main (int argc, char *argv[]) { int a = 10; int b = 10; klee_set_taint (1, &a, sizeof (a)); klee_set_taint (1, &b, sizeof (b)); int c ; c = b+1; klee_assert(klee_get_taint (&c, sizeof (c))==1); }
int main() { int count; int i; klee_make_symbolic(&count, sizeof(count), "count"); klee_make_symbolic(&i, sizeof(i), "i"); klee_assume(count == 0); klee_assume(i == 0); klee_abstract(i == 0); klee_abstract(count == 2); while(i < 3){ count++; i++; } klee_assert(count == 3); }
int main (int argc, char *argv[]) { int result; int param=1; klee_set_taint(1,¶m,sizeof(param)); if (param == 1) result = 1; else result = 2; klee_assert(klee_get_taint(&result,sizeof(result))==1); return result; }
int main (int argc, char *argv[]) { int value_w = 0x12345678; int *value_p = &value_w; int value_r = 0x1111111; klee_set_taint(0, &value_w, sizeof(value_w)); klee_set_taint(1, &value_p, sizeof(value_p)); klee_set_taint(2, &value_r, sizeof(value_r)); *value_p = value_r; klee_assert(klee_get_taint(&value_w,sizeof(value_w))==3); return 0; }
int main (int argc, char *argv[]) { int i=0; char input[7]="SECRET"; char output[7]; klee_set_taint(0x8, output, 7); klee_set_taint(0x1, input, 7); for (i=0; i<7; i++) output[i] = covert_channel(input[i]); klee_assert(klee_get_taint(output, sizeof(output))==0x1); }
/* Tests taint is mantained under internal function calls */ int main (int argc, char *argv[]) { int result; int parama=100; int paramb=200; klee_set_taint(1, ¶ma, sizeof(parama)); klee_set_taint(2, ¶mb, sizeof(paramb)); result = fun(parama, paramb); result = result / 2; klee_assert(klee_get_taint(&result, sizeof(result))==3); return result; }
int main (int argc, char *argv[]) { int value = 0x12345678; int *value_p = &value; int result; klee_set_taint(0,&result,sizeof(result)); klee_set_taint(1,&value,sizeof(value)); klee_set_taint(2,&value_p,sizeof(value_p)); result = *value_p; //printf ("Result taint: 0x%08x\n", klee_get_taint(&result,sizeof(result))); klee_assert(klee_get_taint(&result,sizeof(result))==3); return result; }
void test_FCmp () { float a = 1.0; float b = 2.0; float c = 10.0; float d = 20.0; float result; klee_set_taint (1, &a, sizeof (a)); klee_set_taint (2, &b, sizeof (b)); klee_set_taint (4, &c, sizeof (c)); klee_set_taint (8, &d, sizeof (d)); if (a>b) result=c; else result=d; klee_assert (klee_get_taint (&result, sizeof (result)) == 8); }
int main(int argc, char *argv[]) { printf("Hi, I'm %s\n", argv[0]); // The first "argument" is the path-to-self if(argc != 2) { // argc is how long argv is, including that path-to-self puts("You need to give me exactly one argument!"); return -1; } // if statements, character and string constants, && and ||, and // comparisions work a lot like Java or any other language. if(argv[1][0] == 't') { if(argv[1][1] == 'h' && argv[1][2] == 'i' && argv[1][3] == 's') { // In C, characters are just numbers from 0 to 255. if(argv[1][4] == 95 && argv[1][5] == 105 && argv[1][6] == 0x73) { puts("half way there!"); if(argv[1][7] != 0x5f) return 0; // Since characters are just numbers, we can bit-flip them! if(argv[1][8] != ~'t' || argv[1][9] != ~'h' || argv[1][10] != ~'e') { puts("noooo!"); return 0; } // Lastly, "strings" are really just pointers to characters. // argv[1][11] is the 12th character of argv[1]. So, &argv[1][11] // points at that 12th character, which in C is basically just // the argv[1] string from the 12th character onwards. if(strcmp("_pass\x99word", &argv[1][11]) == 0) { // strcmp returns 0 if the strings match, and non-zero if // they don't. You can type `man strcmp` (without backticks) // at the terminal to get more detailed information on strcmp. puts("yep, that's it!"); klee_assert(0); system("sh -i"); return 0; } } } } puts("nope!"); return 0; }
int main() { unsigned char input[4]; unsigned char *p, *pl; unsigned short hbtype; unsigned int payload; unsigned int padding = 16; /* Use minimum padding */ /* Another issue is to track the source of this input */ p = &(input[0]); klee_set_taint(1, &(p[2]), 2 * sizeof(unsigned char)); hbtype = *p++; n2s(p, payload); pl = p; if (hbtype == TLS1_HB_REQUEST) { unsigned char *buffer, *bp; /* Allocate memory for the response, size is 1 bytes * message type, plus 2 bytes payload length, plus * payload, plus padding */ buffer = malloc(1 + 2 + payload + padding); bp = buffer; /* Enter response type, length and copy payload */ *bp++ = TLS1_HB_RESPONSE; s2n(payload, bp); klee_assert(klee_get_taint(&payload, sizeof payload) == 0); memcpy(bp, pl, payload); bp += payload; free(buffer); } return 0; }
void check_observers() { klee_assert(microwave_combined_Y.S1); klee_assert(microwave_combined_Y.S2); klee_assert(microwave_combined_Y.R1); klee_assert(microwave_combined_Y.R2); klee_assert(microwave_combined_Y.R3); klee_assert(microwave_combined_Y.R4); klee_assert(microwave_combined_Y.R5); klee_assert(microwave_combined_Y.R6); klee_assert(microwave_combined_Y.R7); klee_assert(microwave_combined_Y.R8); klee_assert(microwave_combined_Y.R9); klee_assert(microwave_combined_Y.R10); klee_assert(microwave_combined_Y.R11); klee_assert(microwave_combined_Y.R12); }
int main() { INPUT_VAL iv; RETURN_VAL rv; // controller new state array int state_arr_[NUM_STATES]; // controller output array int output_arr[NUM_OUTPUTS]; // extraneous input arr int input_arr[NUM_INPUTS]; // controller present state array //int state_arr[NUM_STATES] = { 1, 12, 123 }; int state_arr[NUM_STATES]; // plant state array int x_arr[NUM_X]; int dummy_nextstate_arr[NUM_STATES]; int dummy_output_arr[NUM_OUTPUTS]; #if CONTROLLER_MODE == UNROLL "I can not be compiled" #elif CONTROLLER_MODE == CONCOLIC // do nothing #elif CONTROLLER_MODE == SYMBOLIC //make state symbolic klee_make_symbolic(state_arr, sizeof(state_arr), "state_arr"); #else "I can not be compiled" #endif // make X symbolic klee_make_symbolic(x_arr, sizeof(x_arr), "x_arr"); // make extraneous inputs symbolic klee_make_symbolic(input_arr, sizeof(input_arr), "input_arr"); klee_make_symbolic(dummy_nextstate_arr, sizeof(dummy_nextstate_arr), "dummy_nextstate_arr"); klee_make_symbolic(dummy_output_arr, sizeof(dummy_output_arr), "dummy_output_arr"); // not sure what the below commented code is showing...? Test it out? /* klee_make_symbolic(&s[0], sizeof(int), "s0"); klee_make_symbolic(&x[0], sizeof(int), "x0"); klee_make_symbolic(&s[1], sizeof(int), "s1"); klee_make_symbolic(&x[1], sizeof(int), "x1"); */ /* s[0] = klee_int("s0"); s[1] = klee_int("s1"); x[0] = klee_int("x0"); x[1] = klee_int("x1"); */ // write klee assumes // klee_assume((x[0] >= 0)&(s[0] >= 0)&(x[0] <= 10)&(s[0] <= 10)); // klee_assume((x[1] >= 0)&(s[1] >= 0)&(x[1] <= 10)&(s[1] <= 10)); /* klee_assume(x_arr[0] >= 2800); klee_assume(x_arr[0] <= 2900); klee_assume(state_arr[0] >= 0); klee_assume(state_arr[0] <= 0); */ //klee_assume(state_arr[2] >= 0); //klee_assume(state_arr[2] <= 999); //klee_assume(input_arr[0] >= 0); //klee_assume(input_arr[0] <= 0); // controller init functions need to be defined controller_init(); iv.state_arr = state_arr; iv.x_arr = x_arr; iv.input_arr = input_arr; rv.state_arr = state_arr_; rv.output_arr = output_arr; // ignore return value. controller(&iv, &rv); //klee_assert(dummy_nextstate_arr[0] == state_arr_[0] & dummy_nextstate_arr[1] == state_arr_[1] & dummy_nextstate_arr[2] == state_arr_[2] & dummy_output_arr[0] == output_arr[0]); { int i = 0; int dummy_output_assert = 1; int dummy_state_assert = 1; for(i=0;i<NUM_OUTPUTS;i++){ dummy_output_assert &= (dummy_output_arr[i] == output_arr[i]); } for(i=0;i<NUM_STATES;i++){ dummy_state_assert &= (dummy_nextstate_arr[i] == state_arr_[i]); } /* int a1 = (dummy_output_arr[0] == output_arr[0]); int a2 = (dummy_nextstate_arr[0] == state_arr_[0]); int a3 = (dummy_nextstate_arr[1] == state_arr_[1]); int a4 = (dummy_nextstate_arr[2] == state_arr_[2]); klee_assert(a1 & a2 & a3 & a4); */ klee_assert(dummy_output_assert & dummy_state_assert); } // add provided klee asserts //klee_assert(rv.output_arr[0] == 0U); return 0; }