We adapted https://github.com/SVF-tools/SVF-example to implement data flow analysis in drone control software (e.g., ArduPilot and PX4).
We release this source code in the hope of benefiting others.
You are kindly asked to acknowledge usage of the tool by citing SVF papers (http://svf-tools.github.io/SVF) as well as our paper.
@inproceedings{kim2021pgfuzz,
title={PGFUZZ: Policy-Guided Fuzzing for Robotic Vehicles},
author={Kim, Hyungsub and Ozmen, Muslum Ozgur and Bianchi, Antonio and Celik, Z Berkay and Xu, Dongyan},
booktitle={Proceedings of the Network and Distributed System Security Symposium (NDSS)},
year={2021}
}
npm i --silent svf-lib --prefix ${HOME}
git clone https://github.com/KimHyungSub/SVF-data-flow.git
source ./env.sh
cmake the project (use cmake -DCMAKE_BUILD_TYPE=Debug . for a debug build)
cmake . && make
clang -S -c -g -fno-discard-value-names -emit-llvm example.c -o example.ll
./bin/svf-data-flow example.ll
- 'trace_target_list.txt' contains a list of configuration parameters.
- This executable reads 'trace_target_list.txt' and then collects all the uses of each configuration parameter.
- You can check the analysis output in 'output.txt'.
- Note that the bc file must be compiled with the same LLVM version that this SVF uses (LLVM 13.0.0).
./bin/svf-data-flow copter_4_1_llvm_13.bc > output.txt
- The bc file must be compiled with the same LLVM version that this SVF uses (LLVM 13.0.0).
- If you want to analyze other configuration parameters, please put the new configuration parameters into trace_target_list.txt.
- This data flow analysis can also be used to trace other variables in drone control software.
- The sample bc file (copter_4_1_llvm_13.bc) does not contain the whole ArduPilot source code.
- Your machine must be equipped with 64GB - 128GB RAM when you analyze whole ArduPilot/PX4 bc files.
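
A pre-flight check for the LLVM version requirement noted above, added here as an example (it is not part of SVF-data-flow or SVF): it reads the producer strings that clang records in the IR's !llvm.ident metadata and fails if any of them is not 13.0.0. The function names and the sample IR writer are constructed for illustration, and .bc input assumes llvm-dis is on PATH.

```shell
#!/bin/sh
# Added example, not part of SVF-data-flow: verify that an IR file was
# produced by the clang/LLVM version this README requires.
REQUIRED_LLVM="13.0.0"

# Print the distinct producer strings from the IR's !llvm.ident metadata.
# .ll is read as text; .bc is disassembled first (assumes llvm-dis on PATH).
ir_producers() {
    case "$1" in
        *.bc) llvm-dis -o - "$1" ;;
        *)    cat "$1" ;;
    esac | sed -n 's/^![0-9]* = !{!"\(.*clang version [^"]*\)"}$/\1/p' | sort -u
}

# Exit status: 0 = all producers match, 1 = mismatch, 2 = cannot tell.
check_ir_version() {
    producers=$(ir_producers "$1")
    if [ -z "$producers" ]; then
        echo "$1: no clang ident metadata found, producer unknown" >&2
        return 2
    fi
    # A linked module can carry one ident per translation unit; all must match.
    bad=$(printf '%s\n' "$producers" | grep -vF "clang version $REQUIRED_LLVM" || true)
    if [ -n "$bad" ]; then
        echo "$1: built with a different LLVM than $REQUIRED_LLVM:" >&2
        printf '%s\n' "$bad" >&2
        return 1
    fi
    echo "$1: OK ($producers)"
}

# Constructed sample input: minimal IR holding only ident metadata.
write_sample_ir() {   # usage: write_sample_ir <out.ll> <clang-version>...
    out=$1; shift; i=0
    : > "$out"
    for v in "$@"; do
        printf '!%s = !{!"clang version %s"}\n' "$i" "$v" >> "$out"
        i=$((i + 1))
    done
}

# Check any files named on the command line, e.g. example.ll
for f in "$@"; do check_ir_version "$f" || exit $?; done
```

Run it on the IR file before handing it to ./bin/svf-data-flow; a status of 2 means the file carries no ident metadata and the producer has to be confirmed another way.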