Guess the password with klee

Introduction

I heard that there is something called klee, so I tried to identify the password, so I leave a memorandum. I don't understand the specifics at all, so I just moved.

Problem to solve

I targeted the check_password () function introduced in the Using symbolic environment of the klee tutorial. This function returns 1 when the password hello is entered, and 0 otherwise.

password.c

#include <stdio.h>

int check_password(char *buf) {
  if (buf[0] == 'h' && buf[1] == 'e' &&
      buf[2] == 'l' && buf[3] == 'l' &&
      buf[4] == 'o')
    return 1;
  return 0;
}

int main(int argc, char **argv) {
  if (argc < 2)
     return 1;
  
  if (check_password(argv[1])) {
    printf("Password found!\n");
    return 0;
  }

  return 1;
}

The tutorial explains how to generate a test case that includes command line arguments, but in this article we aimed to actually ask for a password.

Actually ask for a password

From here, the password is actually obtained by symbolic execution.

Code to execute

There are two klee functions used this time.

• klee_make_symbolic: Mark variables as symbolic
• klee_assert: Same as C language assert. If false, the program is forcibly terminated there.

In the sample code, the command line argument char ** argv is taken, but this time it is rewritten tochar pass [6]as long as symbolic execution can be performed.

password.c

#include <stdio.h>
#include "klee/klee.h"

int check_password(char *buf) {
    if (buf[0] == 'h' && buf[1] == 'e' &&
        buf[2] == 'l' && buf[3] == 'l' &&
        buf[4] == 'o')
        return 1;
    return 0;
}

int main(void) {
    char pass[6];

    klee_make_symbolic(pass, sizeof(pass[0]) * 6, "pass");
    if (check_password(pass)) {
        printf("Password found!\n");
    	klee_assert(0);
        return 0;
    }
    return 1;
}

Execution method

Just hit the klee command after running clang. In the part of / home / klee / klee_src / include, specify the path of klee according to your environment. If you are using docker, you can leave the example below as it is.

$ clang -I /home/klee/klee_src/include -emit-llvm -c -g -O0 -Xclang -disable-O0-optnone password.c
$ klee password.bc

Execution result and password

When executed, the following result will be obtained.

From this content, you can see that the result was output to the directory klee-out-0, so take a look.

Multiple files called .ktest are output, but each is a test case. Use the ktest-tool command to see this .ktest file.

In the code executed this time, if the passwords match, the process is interrupted with klee_assert. So, if you look at the test case where .assert.err exists (test000005.ktest), you can get the password.

at the end

When I first heard it, I thought that klee was a tool that would analyze if I passed a binary like angr, but this method requires a procedure to add klee / klee.h etc. to the source code. It seems. I would like to find out if there is an easy way to use it even when I only have the binary.