This article is a featured post from the Kanxue forum.
Kanxue forum author ID: FSTARK
Background
The goal of this project is to evaluate the robustness of various UNIX utility programs, given an unpredictable input stream. [...] First, you will build a fuzz generator. This is a program that will output a random character stream. Second, you will take the fuzz generator and use it to attack as many UNIX utilities as possible, with the goal of trying to break them.
AFL (american fuzzy lop) was originally developed by Michał Zalewski. Like libFuzzer and similar tools it is a coverage-guided fuzzer: it records the code coverage reached by each input sample and adjusts the inputs to increase that coverage, which raises the probability of finding vulnerabilities. Its workflow is roughly as follows:
(1) Instrument the program when compiling it from source, so that code coverage can be recorded
Combining the two
```shell
# Build dependencies (Ubuntu package names as used by the author: LLVM/clang 10)
sudo apt-get install -y cargo \
    clang-10 \
    cmake \
    g++ \
    git \
    libz3-dev \
    llvm-10-dev \
    llvm-10-tools \
    ninja-build \
    python3-pip \
    zlib1g-dev
pip3 install lit

# Z3 from source; SymCC's QSYM backend is pointed at this build tree below
git clone https://github.com/Z3Prover/z3
cd z3
python scripts/mk_make.py
cd build
make
sudo make install
cd ../..   # back to the working directory (the original omits these cd's; added so the relative paths below resolve)

# AFL 2.56b
git clone -b v2.56b https://github.com/google/AFL.git afl
cd afl && make
cd ..

# SymCC sources, including the QSYM submodule
git clone https://github.com/eurecom-s3/symcc symcc_source
cd symcc_source
git submodule init
git submodule update
cd ..

# First SymCC build with the simple backend; it is only used to compile libc++ further down
mkdir symcc_build_simple
cd symcc_build_simple
CC=clang-10 CXX=clang++-10 cmake -G Ninja \
    -DQSYM_BACKEND=OFF \
    -DCMAKE_BUILD_TYPE=RelWithDebInfo \
    -DZ3_TRUST_SYSTEM_VERSION=on \
    -DLLVM_DIR=/usr/lib/llvm-10/cmake \
    ../symcc_source \
    && ninja check
cd ..

# Second SymCC build with the QSYM backend, plus the Rust fuzzing helper that runs SymCC next to AFL.
# Z3_DIR is the author's own path; point it at your z3/build directory from above.
mkdir symcc_build_qsym
cd symcc_build_qsym
cmake -G Ninja \
    -DQSYM_BACKEND=ON \
    -DCMAKE_BUILD_TYPE=RelWithDebInfo \
    -DZ3_TRUST_SYSTEM_VERSION=on \
    -DLLVM_DIR=/usr/lib/llvm-10/cmake \
    -DZ3_DIR=/home/fstark/symcc_afl/z3/build \
    ../symcc_source \
    && ninja check \
    && cargo install --path ../symcc_source/util/symcc_fuzzing_helper
cd ..

# libc++ compiled with SymCC, needed for C++ targets.
# Assumption: BASE is the working directory that holds symcc_build_simple (e.g. export BASE=$PWD); the post does not define it.
git clone -b llvmorg-10.0.1 --depth 1 https://github.com/llvm/llvm-project.git llvm_source
mkdir libcxx_symcc_install
mkdir libcxx_symcc_build
cd libcxx_symcc_build
export SYMCC_REGULAR_LIBCXX=yes SYMCC_NO_SYMBOLIC_INPUT=yes \
    && cmake -G Ninja ../llvm_source/llvm \
    -DLLVM_ENABLE_PROJECTS="libcxx;libcxxabi" \
    -DLLVM_TARGETS_TO_BUILD="X86" \
    -DLLVM_DISTRIBUTION_COMPONENTS="cxx;cxxabi;cxx-headers" \
    -DCMAKE_BUILD_TYPE=Release \
    -DCMAKE_INSTALL_PREFIX=$BASE/libcxx_symcc_install \
    -DCMAKE_C_COMPILER=$BASE/symcc_build_simple/symcc \
    -DCMAKE_CXX_COMPILER=$BASE/symcc_build_simple/sym++ \
    && ninja distribution && ninja install-distribution
```
```c
#include <stdio.h>
#include <stdint.h>
#include <unistd.h>
#include <string.h>
#include <stdlib.h>

int foo(char *arr, int t1){
    int i = 0;
    // Eight single-byte checks; each returns early when its byte matches,
    // so an input must avoid all of them to get any further.
    if (arr[i++] == 'c') return 0;
    if (arr[i++] == 'd') return 1;
    if (arr[i++] == 'c') return 2;
    if (arr[i++] == 'c') return 3;
    if (arr[i++] == 's') return 4;
    if (arr[i++] == 'b') return 5;
    if (arr[i++] == 's') return 6;
    if (arr[i++] == 'g') return 7;
    // 32-bit magic compare (bytes ef be ad de on a little-endian machine): a single
    // branch, so plain coverage feedback gives no hint about a partially right value.
    if (*(int*)arr != 0xdeadbeef )return 0;
    //Can we trigger this code?
    // t1 is argc-2, which is 0 when the target runs as "./prog <file>": division by zero (SIGFPE).
    return (int)(20 / t1);
}

int main(int argc, char* argv[]){
    if (argc < 2) return 1;          // added guard: an input file path is required
    //open file
    FILE *f = fopen(argv[1],"rb");
    if (f == NULL) return 1;         // added guard: unreadable input file
    // get file size
    fseek(f, 0, SEEK_END);
    long fsize = ftell(f);
    // read file contents
    fseek(f, 0, SEEK_SET);
    char *string = malloc(fsize + 1);
    fread(string, 1, fsize, f);
    string[fsize] = '\0';            // added: terminate the buffer
    fclose(f);
    // pass string to foo
    int retval = foo(string, argc-2);
    free(string);
    return retval;
}
```
```shell
# Two builds of the same target: one with AFL instrumentation, one with SymCC instrumentation
afl-clang -O0 int_check.c -o afl_int_check
../symcc_build_qsym/symcc -O0 int_check.c -o symcc_int_check

# Seed corpus: 24 'A' bytes, which pass the eight byte checks but not the magic compare
mkdir corpus
echo "AAAAAAAAAAAAAAAAAAAAAAAA" > corpus/seed

# AFL master and secondary instances (run each in its own terminal); @@ is replaced by the input file path
afl-fuzz -M fuzz1 -i corpus/ -o out -m none -- ./afl_int_check @@
afl-fuzz -S fuzz2 -i corpus/ -o out -m none -- ./afl_int_check @@

# SymCC helper: takes new queue entries from the fuzz2 instance, runs the SymCC build on them,
# and writes the solved inputs to out/symcc where the AFL instances pick them up
~/.cargo/bin/symcc_fuzzing_helper -o out -a fuzz2 -n symcc -- ./symcc_int_check @@
```
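As an added example (not code from the original post or from SymCC), the following hand-written Python model of foo() from int_check.c shows what the SymCC side contributes: it replays foo()'s branches on a concrete input, records the path constraints the way a concolic engine does, negates the magic-value compare and solves for an input that reaches 20 / t1. The seed of 'A' bytes and every ordinary mutation of it follow the same path, which is why pure coverage feedback gives AFL nothing to work with on the 32-bit comparison.

```python
import struct

# Branch sequence of foo() in int_check.c: (byte offset, byte value that makes foo() return early),
# then the 4-byte little-endian magic compare. Hand-written Python model, not the page's C code.
CHECKS = [(0, b"c"), (1, b"d"), (2, b"c"), (3, b"c"), (4, b"s"), (5, b"b"), (6, b"s"), (7, b"g")]
MAGIC = 0xDEADBEEF

def foo(arr: bytes, t1: int) -> int:
    """Model of foo(): same return values; ZeroDivisionError stands in for the SIGFPE when t1 == 0."""
    for i, (idx, ch) in enumerate(CHECKS):
        if arr[idx] == ch[0]:
            return i
    if struct.unpack_from("<I", arr, 0)[0] != MAGIC:
        return 0
    return 20 // t1

def trace(arr: bytes) -> list:
    """Concrete run that also records the path constraints, as a concolic engine such as SymCC does.
    Each constraint is (kind, byte offset, value) with kind in ne8 / eq8 / ne32 / eq32."""
    path = []
    for idx, ch in CHECKS:
        if arr[idx] == ch[0]:
            return path + [("eq8", idx, ch[0])]
        path.append(("ne8", idx, ch[0]))
    hit = struct.unpack_from("<I", arr, 0)[0] == MAGIC
    return path + [("eq32" if hit else "ne32", 0, MAGIC)]

def solve(path: list, length: int):
    """Tiny solver for this constraint language: pin eq bytes, steer free bytes away from ne8 values,
    then replay to confirm the candidate really follows `path` (None if it does not)."""
    out, forbidden = bytearray(b"A" * length), {}
    for kind, idx, val in path:
        if kind == "eq32":
            out[idx:idx + 4] = struct.pack("<I", val)
        elif kind == "eq8":
            out[idx] = val
        elif kind == "ne8":
            forbidden.setdefault(idx, set()).add(val)
    for idx, bad in forbidden.items():
        if out[idx] in bad:
            out[idx] = next(c for c in range(256) if c not in bad)
    return bytes(out) if trace(bytes(out)) == path else None

def derive_next_input(seed: bytes):
    """One concolic step: negate the last branch of the seed's path (here the magic compare) and solve it."""
    flip = {"ne8": "eq8", "eq8": "ne8", "ne32": "eq32", "eq32": "ne32"}
    path = trace(seed)
    kind, idx, val = path[-1]
    return solve(path[:-1] + [(flip[kind], idx, val)], len(seed))
```

trace(b"A" * 24) lists the nine constraints the seed satisfies, and derive_next_input(b"A" * 24) returns the 24-byte input beginning with ef be ad de, for which foo() reaches the division.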
Summary
References
Kanxue ID: FSTARK
https://bbs.pediy.com/user-home-832012.htm