News: Please refer to our open-source GitHub repo here!
An example command to run Beacon is
/Beacon/precondInfer /Beacon/Test/swftophp-2017-7578.bc -target-file=/Beacon/Test/cstest.txt -join-bound=5
In this example:
parser.c:66
meaning that the target for directed fuzzing is at Line 66 of parser.c. The target file must contain a single line of the form “fileName:lineNum”.
Some clarifications:
Caveats:
Beacon uses the debug information in the LLVM IR to find the location in IR that corresponds to the source code location given in the target file. Therefore, the given bitcode should contain debug information. Also, since one source code line can map to multiple LLVM instructions, the target instruction located by Beacon is simply one of those instructions. Finally, the current implementation does not allow the target instruction to be a Phi Instruction.
The target location process can be described using the following pseudo-code:
Given (filename, linenum) in the target file
for each instruction I in the given bc:
let (debug_file, debug_line)
be the file name and line number of I recovered from debug information
if (filename is a substring of debug_file) && (linenum == debug_line)
treat I as the target instruction and start the static analysis