News: Please refer to our open-source GitHub repo here!

An example command to run Beacon is

/Beacon/precondInfer /Beacon/Test/swftophp-2017-7578.bc -target-file=/Beacon/Test/cstest.txt -join-bound=5

In this example:

• /Beacon/Test/swftophp-2017-7578.bc is the bitcode file for the target project.
• /Beacon/Test/cstest.txt has the following content:

     parser.c:66

meaning that the target for directed fuzzing is at Line 66 of parser.c. The target file must contain a single line of the form “fileName:lineNum”.

Some clarifications:

• The target usually is the crash point of the given vulnerabilities. We obtain them using the crash report recorded in the CVE database.

Caveats:

Beacon uses the debug information in the LLVM IR to find the location in IR that corresponds to the source code location given in the target file. Therefore, the given bitcode should contain debug information. Also, since one source code line can map to multiple LLVM instructions, the target instruction located by Beacon is simply one of those instructions. Finally, the current implementation does not allow the target instruction to be a Phi Instruction.

The target location process can be described using the following pseudo-code:

Given (filename, linenum) in the target file
for each instruction I in the given bc:
  let (debug_file, debug_line)
      be the file name and line number of I recovered from debug information
  if (filename is a substring of debug_file) && (linenum == debug_line)
    treat I as the target instruction and start the static analysis