An AFL implementation with UnTracer (our coverage-guided tracer)

Overview

UnTracer-AFL

This repository contains an implementation of our prototype coverage-guided tracing framework UnTracer in the popular coverage-guided fuzzer AFL. Coverage-guided tracing employs two versions of the target binary: (1) a forkserver-only oracle binary modified with basic block-level software interrupts on unseen basic blocks for quickly identifying coverage-increasing testcases and (2) a fully-instrumented tracer binary for tracing the coverage of all coverage-increasing testcases.

In UnTracer, both the oracle and tracer binaries use the AFL-inspired forkserver execution model. For oracle instrumentation we require all target binaries to be compiled with untracer-cc, our "forkserver-only" modification of AFL's assembly-time instrumenter afl-cc. For tracer binary instrumentation we use Dyninst, with much of our code based off AFL-Dyninst. We plan to incorporate a purely binary-only ("black-box") instrumentation approach in the near future. Our current implementation of UnTracer supports basic block coverage.

Presented in our paper Full-speed Fuzzing: Reducing Fuzzing Overhead through Coverage-guided Tracing (2019 IEEE Symposium on Security and Privacy).

Citing this repository:

@inproceedings{nagy:fullspeedfuzzing,
  title = {Full-speed Fuzzing: Reducing Fuzzing Overhead through Coverage-guided Tracing},
  author = {Stefan Nagy and Matthew Hicks},
  booktitle = {{IEEE} Symposium on Security and Privacy (Oakland)},
  year = {2019},
}
Developers: Stefan Nagy ([email protected]) and Matthew Hicks ([email protected])
License: MIT License
Disclaimer: This software is strictly a research prototype.

INSTALLATION

1. Download and build Dyninst (we used v9.3.2)

sudo apt-get install cmake m4 zlib1g-dev libboost-all-dev libiberty-dev
wget https://github.com/dyninst/dyninst/archive/v9.3.2.tar.gz
tar -xf v9.3.2.tar.gz dyninst-9.3.2/
mkdir dynBuildDir
cd dynBuildDir
cmake ../dyninst-9.3.2/ -DCMAKE_INSTALL_PREFIX=`pwd`
make
make install

2. Download UnTracer-AFL (this repo)

git clone https://github.com/FoRTE-Research/UnTracer-AFL

3. Configure environment variables

export DYNINST_INSTALL=/path/to/dynBuildDir
export UNTRACER_AFL_PATH=/path/to/Untracer-AFL

export DYNINSTAPI_RT_LIB=$DYNINST_INSTALL/lib/libdyninstAPI_RT.so
export LD_LIBRARY_PATH=$DYNINST_INSTALL/lib:$UNTRACER_AFL_PATH
export PATH=$PATH:$UNTRACER_AFL_PATH

4. Build UnTracer-AFL

Update DYN_ROOT in UnTracer-AFL/Makefile to your Dyninst install directory. Then, run the following commands:

make clean && make all

USAGE

First, compile all target binaries using "forkserver-only" instrumentation. As with AFL, you will need to manually set the C compiler (untracer-clang or untracer-gcc) and/or C++ compiler (untracer-clang++ or untracer-g++). Note that only non-position-independent target binaries are supported, so compile all target binaries with the compiler flag -no-pie (unnecessary for Clang). For example:

$ CC=/path/to/afl/untracer-clang CXX=/path/to/afl/untracer-clang++ ./configure --disable-shared
$ make clean all
Instrumenting in forkserver-only mode...

NOTE: We provide a set of fuzzing-ready benchmarks available here: https://github.com/FoRTE-Research/FoRTE-FuzzBench.

Then, run untracer-afl as follows:

untracer-afl -i [/path/to/seed/dir] -o [/path/to/out/dir] [optional_args] -- [/path/to/target] [target_args]

Status Screen

  • calib execs and trim execs - Number of testcase calibration and trimming executions, respectively. Tracing is done for both.
  • block coverage - Percentage of total blocks found (left) and the number of total blocks (right).
  • traced / queued - Ratio of traced versus queued testcases. This ratio should (ideally) be 1:1 but will increase as trace timeouts occur.
  • trace tmouts (discarded) - Number of testcases which timed out during tracing. Like AFL, we do not queue these.
  • no new bits (discarded) - Number of testcases which were marked coverage-increasing by the oracle but did not actually increase coverage. This should (ideally) be 0.
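As an added illustration (not code from the UnTracer-AFL repository) of the oracle/tracer split described in the overview and of the counters listed on the status screen, the following Python model uses a constructed toy target whose basic blocks are small integers: the oracle is modelled as stopping at the first block that still carries an interrupt, the tracer as returning the full set of blocks a run executes, and the fuzzer only pays for a trace when the oracle fires.

```python
from dataclasses import dataclass, field

def toy_program(data: bytes) -> list[int]:
    """Constructed stand-in target: returns the basic blocks an input executes."""
    path = [0]                                  # entry block
    if data[:1] == b"A":
        path.append(1)
        path.append(2 if data[1:2] == b"B" else 3)
    else:
        path.append(4)
    path.append(5)                              # exit block
    return path

@dataclass
class UnTracerModel:
    blocks: set[int]                            # every basic block in the binary
    interrupts: set[int] = field(init=False)    # blocks still trapped in the oracle
    seen: set[int] = field(default_factory=set)
    queue: list[bytes] = field(default_factory=list)
    traced: int = 0                             # "traced" on the status screen
    no_new_bits: int = 0                        # "no new bits (discarded)"

    def __post_init__(self) -> None:
        self.interrupts = set(self.blocks)      # nothing seen yet, so every block is trapped

    def oracle_run(self, data: bytes) -> bool:
        # Oracle: its only output is whether a still-interrupted block was reached.
        return any(b in self.interrupts for b in toy_program(data))

    def tracer_run(self, data: bytes) -> set[int]:
        # Tracer: fully instrumented, so it yields the whole block set of the run.
        return set(toy_program(data))

    def fuzz_one(self, data: bytes) -> bool:
        """Returns True if the testcase was queued as coverage-increasing."""
        if not self.oracle_run(data):
            return False                        # common case: no trace at all
        self.traced += 1
        new = self.tracer_run(data) - self.seen
        if not new:
            self.no_new_bits += 1               # oracle fired but the trace showed nothing new
            return False
        self.seen |= new
        self.interrupts -= new                  # unset interrupts on the newly seen blocks
        self.queue.append(data)
        return True

    def block_coverage(self) -> tuple[float, int]:
        # (percentage of total blocks found, total block count), as on the status screen
        return 100.0 * len(self.seen) / len(self.blocks), len(self.blocks)
```

After the three inputs that reach new blocks, every interrupt has been removed, so further inputs run through the oracle without ever invoking the tracer.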

Comments
  • untracer-afl segfault Ubuntu 18.04

    untracer-afl segfault Ubuntu 18.04

    Hi, untracer-afl segfaults on Ubuntu 18.04. It reports:

    [*] setting up tracer binary.. bad_alloc() [*] setting up basic block array.. segfault

    Target binary is compiled without PIE and installation went fine. Which platform did you run it on?

    opened by ickyphuz 9
  • No instrumentation targets found during make:

    No instrumentation targets found during make:

    $ CFLAGS="-Wa,-F" CC=/home/genewitch/UnTracer-AFL/untracer-clang CXX=/home/genewitch/UnTracer-AFL/untracer-clang++ ./configure --disable-shared

    $ make

    make[1]: Entering directory '/home/genewitch/libarchive-libarchive-b52dd6c'
      CC       libarchive/archive_entry_link_resolver.lo
    afl-cc 2.52b by <[email protected]>
    afl-as 2.52b by <[email protected]>
    Instrumenting in forkserver-only mode...
    Instrumenting in forkserver-only mode...
    [!] WARNING: No instrumentation targets found.
      CC       libarchive/archive_entry_sparse.lo
    afl-cc 2.52b by <[email protected]>
    afl-as 2.52b by <[email protected]>
    Instrumenting in forkserver-only mode...
    Instrumenting in forkserver-only mode...
    [!] WARNING: No instrumentation targets found.
      CC       libarchive/archive_entry_stat.lo
    afl-cc 2.52b by <[email protected]>
    afl-as 2.52b by <[email protected]>
    Instrumenting in forkserver-only mode...
    Instrumenting in forkserver-only mode...
    [!] WARNING: No instrumentation targets found.
      CC       libarchive/archive_entry_strmode.lo
    afl-cc 2.52b by <[email protected]>
    afl-as 2.52b by <[email protected]>
    Instrumenting in forkserver-only mode...
    Instrumenting in forkserver-only mode...
    [!] WARNING: No instrumentation targets found.
      CC       libarchive/archive_entry_xattr.lo
    afl-cc 2.52b by <[email protected]>
    afl-as 2.52b by <[email protected]>
    Instrumenting in forkserver-only mode...
    Instrumenting in forkserver-only mode...
    [!] WARNING: No instrumentation targets found.
      CC       libarchive/archive_getdate.lo
    afl-cc 2.52b by <[email protected]>

    This continues on until the binary is built, with some afl-as runs giving the same warnings. Am I just too tired to do this tonight?

    opened by genewitch 4
  • several problems in the installation

    several problems in the installation

    Hi, I have several problems in the installation. I would like to ask what is the specific operation of this step? "Update DYN_ROOT in UnTracer-AFL/Makefile to your Dyninst install directory. " When I skip this step, the resulting error is shown here.

    [*] Checking for the ability to compile x86 code...
    [+] Everything seems to be working, ready to compile.
    gcc -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DDOC_PATH=\"/usr/local/share/doc/afl\" -DBIN_PATH=\"/usr/local/bin\" untracer-afl.c -o untracer-afl -I/usr/include -I/home/osboxes/dynBuildDir/include -L/home/osboxes/dynBuildDir/lib -lcommon -liberty -ldyninstAPI -lboost_system -ldl
    /usr/bin/ld: cannot find -lcommon
    /usr/bin/ld: cannot find -ldyninstAPI
    collect2: error: ld returned 1 exit status
    Makefile:84: recipe for target 'untracer-afl' failed
    make: *** [untracer-afl] Error 1

    Also, does untracer have to run on Ubuntu 18.04? I'm currently using Ubuntu 16.04. Thanks.

    opened by kimiwanano 3
  • Illegal pointer to buffer in Dyninst

    Illegal pointer to buffer in Dyninst

    An illegal pointer error message occurs when I compile openssl-1.1.0c in Google Fuzzer-test-suite (link). Is it a Dyninst bug?

    UnTracer-AFL | FoRTE-Research @ Virginia Tech | based on AFL by <[email protected]>
    [+] You have 80 CPU cores and 2 runnable tasks (utilization: 2%).
    [+] Try parallel jobs - see docs/parallel_fuzzing.txt.
    [*] Checking CPU core loadout...
    [+] Found a free CPU core, binding to #0.
    [*] Checking core_pattern...
    [*] Checking CPU scaling governor...
    [*] Setting up output directories...
    [+] Output directory exists but deemed OK to reuse.
    [*] Deleting old session data...
    [+] Output dir cleanup successful.
    [*] Scanning 'in'...
    [+] No auto-generated dictionary tokens to reuse.
    [*] Creating hard links for all input files...
    [*] Validating target binary...
    [*] Setting up oracle binaries...
    [*] Setting up tracer binary...
    Error: illegal pointer to buffer!
    Target of 49a460 from addr 437323 in insn call 63138 + RIP + 5
    UnTracerDyninst: /path/to/untracer/dyninst-9.3.2/dyninstAPI/src/Relocation/Transformers/Movement-adhoc.C:402: bool Dyninst::Relocation::adhocMovementTransformer::isGetPC(Dyninst::Relocation::Widget::Ptr, Dyninst::Relocation::adhocMovementTransformer::InsnPtr, Dyninst::Absloc&, Dyninst::Address&): Assertion `0' failed.
    Error: illegal pointer to buffer!
    Target of 49a460 from addr 437323 in insn call 63138 + RIP + 5
    UnTracerDyninst: /path/to/untracer/dyninst-9.3.2/dyninstAPI/src/Relocation/Transformers/Movement-adhoc.C:402: bool Dyninst::Relocation::adhocMovementTransformer::isGetPC(Dyninst::Relocation::Widget::Ptr, Dyninst::Relocation::adhocMovementTransformer::InsnPtr, Dyninst::Absloc&, Dyninst::Address&): Assertion `0' failed.
    [*] Setting up basic block array...
    opened by ChijinZ 2
  • Get wrong environment variable in untracer-gcc.c:58

    Get wrong environment variable in untracer-gcc.c:58

    Is there a mistake in untracer-gcc.c:58? I don't think it is a valid environment variable with "-".

      u8 *afl_path = getenv("UNTRACER-AFL_PATH");
    
    opened by ChijinZ 2
  • segmentation fault

    segmentation fault

    Hello, I use untracer to fuzz tcpdump; however, this problem occurs: (image)

    I have tried the solution in above issue, but it doesn't work.

    Could you tell me how to solve it? Thank you.

    opened by MaggieCwj 0
  • Error occurred during the use of untracer

    Error occurred during the use of untracer

    I ran into the problem "Missing basic block map: 'fuzz_out//sfconvert.bblist'!". At the beginning, I had the same problem as the last issue, but after I updated the path related to Dyninst, there was no error reported by UntracerDyninst any more, but the error remains. This is also the reason why I opened a new problem.

    config: I used Dyninst-10.2.0 since the Dyninst-9.x version was no longer supported. Other installation steps are the same as those provided in the readme. However, when I was fuzzing, an error occurred. (image)

    I checked the fuzz_out folder again and found that %s.dummy was successfully created, but %s.bblist and %s.cur_trace were not created correctly. (image)

    So I wonder how I can solve this problem. Do you have any suggestions? Thank you very much!

    opened by kimiwanano 2