This repository provides the source code for TeTRIS: our prototype fuzzer for source-to-source code transpilers.
This work is presented in our paper TeTRIS: General-purpose Fuzzing for Translation Bugs in Source-to-Source Code Transpilers, appearing in the 2025 Annual Computer Security Applications Conference (ACSAC'25).
| Citing this repository: | `@inproceedings{arafat:TeTRIS, title = {TeTRIS: General-purpose Fuzzing for Translation Bugs in Source-to-Source Code Transpilers}, author = {Yeaseen Arafat and Stefan Nagy}, booktitle = {{Annual} {Computer} {Security} {Applications} {Conference} ({ACSAC})}, year = {2025},}` |
| Maintainers: | Yeaseen Arafat ([email protected]) and Stefan Nagy ([email protected]) |
| License: | MIT License |
| Disclaimer: | This software is provided as-is with no warranty. |
Install prerequisite packages by running `setup.sh`.
We provide example transpiler fuzzing setups in `transpilers` (e.g., `c2rust`, `c4go`), including seeds and a corresponding `fuzz.py` launcher script.
Replicating a per-transpiler fuzzing setup generally requires the following:
- Ensure the transpiler binary itself (e.g., `c2rust`) and any other necessary binaries (e.g., `clang`) are all accessible from your `$PATH` environment (details in each corresponding `README`).
- Run a fuzzing campaign with the following: `python3 fuzz.py <trial_number>`.
- Fuzzing outputs from that campaign will be saved in: `fuzzing/output_<trial_number>`.
As TeTRIS is built atop the AFL fuzzer, we also recommend configuring your system as follows:

```sh
sudo sh -c 'echo core >/proc/sys/kernel/core_pattern'
sudo sysctl -w kernel.core_pattern="core" > /dev/null
sudo sysctl -w kernel.randomize_va_space=0 > /dev/null
sudo sh -c 'echo performance | tee /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor'
```
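
A preflight check for the two requirements above (binaries on `$PATH`, and the recommended kernel and CPU settings), as an added example that is not part of the TeTRIS repository. `PROC_ROOT` and `SYS_ROOT` are hypothetical overrides introduced here so the checks can be pointed at a constructed directory tree.

```shell
#!/bin/sh
# Added example: preflight for the PATH and host-setting requirements above.
# PROC_ROOT and SYS_ROOT are hypothetical overrides (not TeTRIS options) so the
# checks can be run against a constructed directory tree.
PROC_ROOT="${PROC_ROOT:-/proc}"
SYS_ROOT="${SYS_ROOT:-/sys}"

# Succeeds only if every named binary resolves on $PATH.
check_binaries() {
    missing=0
    for bin in "$@"; do
        command -v "$bin" >/dev/null 2>&1 && continue
        echo "not on PATH: $bin" >&2
        missing=1
    done
    return "$missing"
}

# Succeeds only if core_pattern is "core" and ASLR is off, as set above.
check_sysctls() {
    bad=0
    pattern=$(cat "$PROC_ROOT/sys/kernel/core_pattern" 2>/dev/null) || pattern="<unreadable>"
    aslr=$(cat "$PROC_ROOT/sys/kernel/randomize_va_space" 2>/dev/null) || aslr="<unreadable>"
    [ "$pattern" = "core" ] || { echo "core_pattern is '$pattern', want 'core'" >&2; bad=1; }
    [ "$aslr" = "0" ] || { echo "randomize_va_space is '$aslr', want '0'" >&2; bad=1; }
    return "$bad"
}

# Succeeds only if every CPU that exposes cpufreq uses "performance".
# Hosts without cpufreq (many VMs and containers) have nothing to check.
check_governors() {
    bad=0
    for f in "$SYS_ROOT"/devices/system/cpu/cpu*/cpufreq/scaling_governor; do
        [ -r "$f" ] || continue
        gov=$(cat "$f")
        [ "$gov" = "performance" ] || { echo "$f is '$gov', want 'performance'" >&2; bad=1; }
    done
    return "$bad"
}

# Runs all three checks so every problem is reported in one pass.
preflight() {
    rc=0
    check_binaries "$@" || rc=1
    check_sysctls || rc=1
    check_governors || rc=1
    return "$rc"
}
# Usage: preflight c2rust clang && python3 fuzz.py 1
```
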
Below are instructions for extending TeTRIS:
- Follow any existing `fuzz.py` script.
- Provide seed directories in the script.
- Set the language in building TeTRIS.
- Provide necessary `fuzz_env_template`, instrumentation and verifier scripts.

- Create a `<LANGUAGE>` folder under generator/grammars.
- Provide the BNF `grammar`, precedence declaration in `ff`, flex rules in `extra_flex_rules_<LAN>` and the semantic specification in `semantic_json`.
| Transpiler | Reported Bugs |
|---|---|
| CxGo | gotranspile/cxgo#75, gotranspile/cxgo#76, gotranspile/cxgo#77, gotranspile/cxgo#78, gotranspile/cxgo#79, gotranspile/cxgo#80, gotranspile/cxgo#81 |
| C4Go | Konstantin8105/c4go#515, Konstantin8105/c4go#516 |
| Go2Hx | go2hx/go2hx#178, go2hx/go2hx#179 |
| Zig Translate-C | https://github.com/ziglang/zig/issues/21855 |
If you find new bugs using TeTRIS, please let us know!
This material is based upon work supported by the National Science Foundation (NSF) under Award No. 2419798, and by the Defense Advanced Research Projects Agency (DARPA) under Award No. FA8750-24-2-0002, Subaward No. GR105409-SUB00001384.

