CrossHair
klee
Our great sponsors
CrossHair | klee | |
---|---|---|
8 | 4 | |
948 | 2,454 | |
- | 1.6% | |
9.2 | 8.8 | |
7 days ago | 10 days ago | |
Python | C++ | |
GNU General Public License v3.0 or later | GNU General Public License v3.0 or later |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
CrossHair
-
Try CrossHair while working other Python projects
Writing some Python for Hacktoberfest? Try out CrossHair while you do that and get credit for a blog post too! https://github.com/pschanely/CrossHair/issues/173
-
What are some amazing, great python external modules, libraries to explore?
CrossHair, Hypothesis, and Mutmut for advanced testing.
-
Formal Verification Methods in industry
When you say "formal verification methods", what kind of techniques are you interested in? While using interactive theorem provers will most likely not become very widespread, there are plenty of tools that use formal techniques to give more correctness guarantees. These tools might give some guarantees, but do not guarantee complete functional correctness. WireGuard (VPN tunnel) is I think a very interesting application where they verified the protocol. There are also some tools in use, e.g. Mythril and CrossHair, that focus on detecting bugs using symbolic execution. There's also INFER from Facebook/Meta which tries to verify memory safety automatically. The following GitHub repo might also interest you, it lists some companies that use formal methods: practical-fm
-
Klara: Python automatic test generations and static analysis library
The main difference that Klara bring to the table, compared to similar tool like pynguin and Crosshair is that the analysis is entirely static, meaning that no user code will be executed, and you can easily extend the test generation strategy via plugin loading (e.g. the options arg to the Component object returned from function above is not needed for test coverage).
-
Pynguin – Allow developers to generate Python unit tests automatically
Just in case you are looking for an alternative approach: if you write contracts in your code, you might also consider crosshair [1] or icontract-hypothesis [2]. If your function/method does not need any pre-conditions then the the type annotations can be directly used.
(I'm one of the authors of icontract-hypothesis.)
[1] https://github.com/pschanely/CrossHair
[2] https://github.com/mristin/icontract-hypothesis
-
Programming in Z3 by learning to think like a compiler
There's a tool for verification of Python programs based on contracts which uses Z3: https://github.com/pschanely/CrossHair
You can use it as part of your CI or during the development (there's even a neat "watch" mode, akin to auto-correct).
- Diff the behavior of two Python functions
-
Finding Software Bugs Using Symbolic Execution
Looking at some of your SMT-based projects, I'd love to compare your SMT solver notes with my mine from working on https://github.com/pschanely/CrossHair
Sadly, there aren't a lot of resources on how to use SMT solvers well.
klee
- GrayC: Greybox Fuzzing of Compilers and Analysers for C [pdf]
-
Go Noob question: How can I output LLVM IR, instrument it and also looking for a symbolic execution engine
I also want to use something like KLEE: https://klee.github.io/
-
If people make game engines in C, why do (other) people say C is impossibly hard and can never be correct?
I think that KLEE was quite good at that. See https://klee.github.io/
-
A Saudi woman's iPhone revealed hacking around the world
I think the most critical part the flow is the integer overflow bug, and it is totally avoidable. I am a software engine at Microsoft. Half my time was spent on security and compliance. We have the right tool, right policy to avoid such things happen. However, I'm not saying Microsoft software is free of integer overflow bugs. I don't intend to advertise Microsoft C/C++ development tools here, but they are what I know most.
Let's go to the technical part: If you are asked to implement the binary algorithm with your favorite programming language, how do you verify your code is correct? Unit-tests. How many test cases you may need? More than 10. As long as you have enough tests, your don't need to worry too much. But how much test coverage is enough? Please remember JDK had a integer overflow bug in their binary search in early 2000s. So, people know the algorithm, but normally people don't know how to test their code, therefore most people can't write bug-free binary search code. And any non-trivial C/C++ function may need tens of thousands test cases. Simply you can't write the tests by hand.
You need the right tools: fuzzing and static analysis.
At Microsoft, every file parser should go through fuzzing, which basically is you generate some random input, then you run your tests with the random inputs. Not very fantastic. But there is another kind of fuzzing: symbolic execution, which tries to find all the possible execution paths of your code. If you run symbolic execution with your binary search code, you can get 100% test coverage. And it is guaranteed bug-free. It is like a math proof. Please note the advantage is based on human just had surprising great advancement on SAT solvers in the last 20 years. And often you need to make some compromises between your business goal and security. Most functions can't reach 100% test coverage. You need to simplify them. See https://github.com/klee/klee to get a quickstart. Though C/C++ is often considered unsafe, they have the best fuzzer.
Then it is about SAL annotation and static analyzer. In C, whenever you pass a pointer of an array to another function, you should also pass its length with it. And in the callee function you should check the length. If you forgot it, your static code analyzer will give you a warning. In such a sense, if you didn't allocate enough memory, it will only result an error code being returned instead of undefined behavior.
The last thing: Use safeint wrapping your malloc function. https://docs.microsoft.com/en-us/cpp/safeint/safeint-library...
When we move off the binary search toy example to a real code base, clearly you can see how much extra effort is needed to make the code safe. Please pardon me, most OSS libraries don't have the resource. Many famous OSS projects are "Mom-and-pop" shops. They don't have any compliance rule. They invest very little on fuzzing. So the big companies really should help them. Now you see an integer overflow bug was found in Apple's image render, but was the code written by Apple? Not necessarily. Now we all see the importance of the Open Source movement. It's time to think how to harden their security. For example, even I want to spend my free time on adding SAL annotations to an OSS project I love, would the maintainers accept it?
What are some alternatives?
pynguin - The PYthoN General UnIt Test geNerator is a test-generation tool for Python
Triton - Triton is a dynamic binary analysis library. Build your own program analysis tools, automate your reverse engineering, perform software verification or just emulate code.
icontract-hypothesis - Combine contracts and automatic testing.
bap - Binary Analysis Platform
angr - A powerful and user-friendly binary analysis platform!
rust-verification-tools - RVT is a collection of tools/libraries to support both static and dynamic verification of Rust programs.
alive2 - Automatic verification of LLVM optimizations
miasm - Reverse engineering framework in Python
iansui - 芫荽,基於 Klee One 改造的學習用台灣繁體字型
boofuzz - A fork and successor of the Sulley Fuzzing Framework
I.Ming - I.Ming ( I.明體 / 一点明朝体 / 一點明體 )