Inferred Model-based Fuzzer

Overview

IMF: Inferred Model-based Fuzzer

IMF is a kernel API fuzzer that leverages an automated API model inferrence techinque proposed in our paper at CCS. IMF currently only supports macOS. To see how to configure and run IMF, see the followings.

Setup

Requirements

  • python2.7
  • pypy
  • clang

How to run

  1. Generate hooking library for APIs
$ ./gen-hook [output(hooking code) path]
$ clang  -Wall -dynamiclib -framework IOKit -framework CoreFoundation -arch i386\
         -arch x86_64 hook.c -o hook
  1. Collect logs
$ DYLD_INSERT_LIBRARIES=[hooking library path] [program path] [program args]
  1. Filter logs
$ ./filter-log [log dir] [output dir] [# of output(filtered log)] [# of core]
  1. Infer a model and generate a fuzzer.
$ ./gen-fuzz [filtered logs path] [output(fuzzer code) path] [# of core]
  1. Compile the fuzzer
$ clang -framework IOKit -framework CoreFoundation -arch i386 fuzz.c -o fuzz
  1. Run the fuzzer
$ ./fuzz -f [log path] -s [seed] -b [bitlen] -r [rate] -l [# of max loops]
  1. You may want to run the generated fuzzer within a while loop.

CVEs

  • CVE-2017-7159

Authors

This research project has been conducted by SoftSec Lab at KAIST.

Citing IMF

To cite our paper (pdf):

@INPROCEEDINGS{han:ccs2017,
    author = {HyungSeok Han and Sang Kil Cha},
    title = {Inferred Model-based Fuzzing},
    booktitle = {Proceedings of the ACM Conference on Computer and Communications Security},
    year = {2017},
    pages = {2345--2358}
}

Acknowledgement

The work was supported by Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIT).

You might also like...
An atmospheric growth and evolution model based on the EVo degassing model and FastChem 2.0

EVolve Linking planetary mantles to atmospheric chemistry through volcanism using EVo and FastChem. Overview EVolve is a linked mantle degassing and a

A lightweight Python-based 3D network multi-agent simulator. Uses a cell-based congestion model. Calculates risk, loudness and battery capacities of the agents. Suitable for 3D network optimization tasks.
A lightweight Python-based 3D network multi-agent simulator. Uses a cell-based congestion model. Calculates risk, loudness and battery capacities of the agents. Suitable for 3D network optimization tasks.

AMAZ3DSim AMAZ3DSim is a lightweight python-based 3D network multi-agent simulator. It uses a cell-based congestion model. It calculates risk, battery

Model search is a framework that implements AutoML algorithms for model architecture search at scale
Model search is a framework that implements AutoML algorithms for model architecture search at scale

Model search (MS) is a framework that implements AutoML algorithms for model architecture search at scale. It aims to help researchers speed up their exploration process for finding the right model architecture for their classification problems (i.e., DNNs with different types of layers).

Capture all information throughout your model's development in a reproducible way and tie results directly to the model code!
Capture all information throughout your model's development in a reproducible way and tie results directly to the model code!

Rubicon Purpose Rubicon is a data science tool that captures and stores model training and execution information, like parameters and outcomes, in a r

Implementation of STAM (Space Time Attention Model), a pure and simple attention model that reaches SOTA for video classification
Implementation of STAM (Space Time Attention Model), a pure and simple attention model that reaches SOTA for video classification

STAM - Pytorch Implementation of STAM (Space Time Attention Model), yet another pure and simple SOTA attention model that bests all previous models in

ReConsider is a re-ranking model that re-ranks the top-K (passage, answer-span) predictions of an Open-Domain QA Model like DPR (Karpukhin et al., 2020).

ReConsider ReConsider is a re-ranking model that re-ranks the top-K (passage, answer-span) predictions of an Open-Domain QA Model like DPR (Karpukhin

Ever felt tired after preprocessing the dataset, and not wanting to write any code further to train your model? Ever encountered a situation where you wanted to record the hyperparameters of the trained model and able to retrieve it afterward? Models Playground is here to help you do that. Models playground allows you to train your models right from the browser.  Model Zoo for AI Model Efficiency Toolkit
Model Zoo for AI Model Efficiency Toolkit

We provide a collection of popular neural network models and compare their floating point and quantized performance.

😇A pyTorch implementation of the DeepMoji model: state-of-the-art deep learning model for analyzing sentiment, emotion, sarcasm etc

------ Update September 2018 ------ It's been a year since TorchMoji and DeepMoji were released. We're trying to understand how it's being used such t

Comments
  • Q for const.py

    Q for const.py

    hi! I have a question for the Header in const.py what does the function below working for? void log_CFTypeRef(FILE *f,CFTypeRef target) will it play a role in the following log-filtering part? i tried to delete it and generated some logs, but got stuck in the ./filter-log step. I have no idea how to fix it. looking for your reply.

    opened by Jiadosi 3
  • hi

    hi

    you got any idea how to avoid segfaulting on arch64? im' clueless here, what arch did you run this at? with what clang version?

    the generated fuzzers segfaults for me... in all sorts of different places

    best

    opened by ghost 1
  • Fix string handling in hook

    Fix string handling in hook

    When the value recorded in the API log is '" ' "', ApiFuzz will make an error when executing the evaluate function. Because python recognizes the second single quote as an identifier, but that is actually data.

    To prevent ApiFuzz from reporting errors and allow API Log to display value strings better, I escaped all non-alpha and non-digital characters into the form of '\xXX'.

    And it works pretty well.

    {'name':'location','value': '"\x0f\x18"','size' : 0x80,'cnt':0x1, 'data':[]}
    
    opened by Kiprey 0
  • clang

    clang

    hi! what is the version of your clang? i got clang error on step 1. clang: error: linker command failed with exit code 1 (use -v to see invocation) looking for your reply, thanks

    opened by Jiadosi 0
Owner
SoftSec Lab
SoftSec Lab @ KAIST
SoftSec Lab
a grammar based feedback fuzzer

Nautilus NOTE: THIS IS AN OUTDATE REPOSITORY, THE CURRENT RELEASE IS AVAILABLE HERE. THIS REPO ONLY SERVES AS A REFERENCE FOR THE PAPER Nautilus is a

Chair for Sys­tems Se­cu­ri­ty 158 Dec 28, 2022
DiAne is a smart fuzzer for IoT devices

Diane Diane is a fuzzer for IoT devices. Diane works by identifying fuzzing triggers in the IoT companion apps to produce valid yet under-constrained

seclab 28 Jan 4, 2023
AFLNet: A Greybox Fuzzer for Network Protocols

AFLNet: A Greybox Fuzzer for Network Protocols AFLNet is a greybox fuzzer for protocol implementations. Unlike existing protocol fuzzers, it takes a m

null 626 Jan 6, 2023
FIRM-AFL is the first high-throughput greybox fuzzer for IoT firmware.

FIRM-AFL FIRM-AFL is the first high-throughput greybox fuzzer for IoT firmware. FIRM-AFL addresses two fundamental problems in IoT fuzzing. First, it

null 356 Dec 23, 2022
A Kernel fuzzer focusing on race bugs

Razzer: Finding kernel race bugs through fuzzing Environment setup $ source scripts/envsetup.sh scripts/envsetup.sh sets up necessary environment var

Systems and Software Security Lab at Seoul National University (SNU) 328 Dec 26, 2022
Fuzzer for Linux Kernel Drivers

difuze: Fuzzer for Linux Kernel Drivers This repo contains all the sources (including setup scripts), you need to get difuze up and running. Tested on

seclab 344 Dec 27, 2022
In this project we investigate the performance of the SetCon model on realistic video footage. Therefore, we implemented the model in PyTorch and tested the model on two example videos.

Contrastive Learning of Object Representations Supervisor: Prof. Dr. Gemma Roig Institutions: Goethe University CVAI - Computational Vision & Artifici

Dirk Neuhäuser 6 Dec 8, 2022
Step by Step on how to create an vision recognition model using LOBE.ai, export the model and run the model in an Azure Function

Step by Step on how to create an vision recognition model using LOBE.ai, export the model and run the model in an Azure Function

El Bruno 3 Mar 30, 2022
MBPO (paper: When to trust your model: Model-based policy optimization) in offline RL settings

offline-MBPO This repository contains the code of a version of model-based RL algorithm MBPO, which is modified to perform in offline RL settings Pape

LxzGordon 1 Oct 24, 2021
RoMA: Robust Model Adaptation for Offline Model-based Optimization

RoMA: Robust Model Adaptation for Offline Model-based Optimization Implementation of RoMA: Robust Model Adaptation for Offline Model-based Optimizatio

null 9 Oct 31, 2022