Directed Greybox Fuzzing with AFL

Overview

AFLGo: Directed Greybox Fuzzing

AFLGo is an extension of American Fuzzy Lop (AFL). Given a set of target locations (e.g., folder/file.c:582), AFLGo generates inputs specifically with the objective to exercise these target locations.

Unlike AFL, AFLGo spends most of its time budget on reaching specific target locations without wasting resources stressing unrelated program components. This is particularly interesting in the context of

  • patch testing by setting changed statements as targets. When a critical component is changed, we would like to check whether this introduced any vulnerabilities. AFLGo, a fuzzer that can focus on those changes, has a higher chance of exposing the regression.
  • static analysis report verification by setting statements as targets that a static analysis reports as potentially dangerous or vulnerability-inducing. When assessing the security of a program, static analysis tools might identify dangerous locations, such as critical system calls. AFLGo can generate inputs that actually reach the reported location, showing that the report is not a false positive.
  • information flow detection by setting sensitive sources and sinks as targets. To expose data leakage vulnerabilities, a security researcher would like to generate executions that exercise sensitive sources containing private information and sensitive sinks where data becomes visible to the outside world. A directed fuzzer can be used to generate such executions efficiently.
  • crash reproduction by setting method calls in the stack-trace as targets. When in-field crashes are reported, only the stack-trace and some environmental parameters are sent to the in-house development team. To preserve the user's privacy, the specific crashing input is often not available. AFLGo could help the in-house team to swiftly reproduce these crashes.

AFLGo is based on AFL by Michał Zalewski. Check out the project awesome-directed-fuzzing for related work on directed greybox/whitebox fuzzing.

Integration into OSS-Fuzz

The easiest way to use AFLGo is as a patch-testing tool in OSS-Fuzz. Here is our integration:

Environment Variables

  • AFLGO_INST_RATIO -- The proportion of basic blocks instrumented with distance values (default: 100).
  • AFLGO_SELECTIVE -- Add AFL-trampoline only to basic blocks with distance values? (default: off).
  • AFLGO_PROFILING_FILE -- When CFG-tracing is enabled, the data will be stored here.

How to instrument a Binary with AFLGo

  1. Install LLVM 11.0.0 with the Gold plugin. You can also follow these instructions or run the AFLGo build script.
  2. Install the other prerequisites
sudo apt-get update
sudo apt-get install python3
sudo apt-get install python3-dev
sudo apt-get install python3-pip
sudo apt-get install libboost-all-dev  # boost is not required if you use genDistance.sh in step 7
sudo pip3 install --upgrade pip
sudo pip3 install networkx
sudo pip3 install pydot
sudo pip3 install pydotplus
  3. Compile the AFLGo fuzzer, the LLVM instrumentation pass and the distance calculator
# Checkout source code
git clone https://github.com/aflgo/aflgo.git
export AFLGO=$PWD/aflgo

# Compile source code
pushd $AFLGO
make clean all 
cd llvm_mode
make clean all
cd ..
cd distance_calculator/
cmake -G Ninja ./
cmake --build ./
popd
  4. Download subject (e.g., libxml2) or just run libxml2 fuzzing script.
# Clone subject repository
git clone https://gitlab.gnome.org/GNOME/libxml2
export SUBJECT=$PWD/libxml2
  5. Set targets (e.g., changed statements in commit ef709ce2). Writes BBtargets.txt.
# Setup directory containing all temporary files
mkdir temp
export TMP_DIR=$PWD/temp

# Download commit-analysis tool
wget https://raw.githubusercontent.com/jay/showlinenum/develop/showlinenum.awk
chmod +x showlinenum.awk
mv showlinenum.awk $TMP_DIR

# Generate BBtargets from commit ef709ce2
pushd $SUBJECT
  git checkout ef709ce2
  git diff -U0 HEAD^ HEAD > $TMP_DIR/commit.diff
popd
cat $TMP_DIR/commit.diff |  $TMP_DIR/showlinenum.awk show_header=0 path=1 | grep -e "\.[ch]:[0-9]*:+" -e "\.cpp:[0-9]*:+" -e "\.cc:[0-9]*:+" | cut -d+ -f1 | rev | cut -c2- | rev > $TMP_DIR/BBtargets.txt

# Print extracted targets. 
echo "Targets:"
cat $TMP_DIR/BBtargets.txt
  6. Note: If there are no targets, there is nothing to instrument!
  7. Generate CG and intra-procedural CFGs from subject (i.e., libxml2).
# Set aflgo-instrumenter
export CC=$AFLGO/afl-clang-fast
export CXX=$AFLGO/afl-clang-fast++

# Set aflgo-instrumentation flags
export COPY_CFLAGS=$CFLAGS
export COPY_CXXFLAGS=$CXXFLAGS
export ADDITIONAL="-targets=$TMP_DIR/BBtargets.txt -outdir=$TMP_DIR -flto -fuse-ld=gold -Wl,-plugin-opt=save-temps"
export CFLAGS="$CFLAGS $ADDITIONAL"
export CXXFLAGS="$CXXFLAGS $ADDITIONAL"

# Build libxml2 (in order to generate CG and CFGs).
# Meanwhile go have a coffee ☕️
export LDFLAGS=-lpthread
pushd $SUBJECT
  ./autogen.sh
  ./configure --disable-shared
  make clean
  make xmllint
popd
# * If the linker (CCLD) complains that you should run ranlib, make
#   sure that libLTO.so and LLVMgold.so (from building LLVM with Gold)
#   can be found in /usr/lib/bfd-plugins
# * If the compiler crashes, there is some problem with LLVM not 
#   supporting our instrumentation (afl-llvm-pass.so.cc:540-577).
#   LLVM has changed the instrumentation-API very often :(
#   -> Check LLVM-version, fix problem, and prepare pull request.
# * You can speed up the compilation with a parallel build. However,
#   this may impact which BBs are identified as targets. 
#   See https://github.com/aflgo/aflgo/issues/41.


# Test whether CG/CFG extraction was successful
$SUBJECT/xmllint --valid --recover $SUBJECT/test/dtd3
ls $TMP_DIR/dot-files
echo "Function targets"
cat $TMP_DIR/Ftargets.txt

# Clean up
cat $TMP_DIR/BBnames.txt | rev | cut -d: -f2- | rev | sort | uniq > $TMP_DIR/BBnames2.txt && mv $TMP_DIR/BBnames2.txt $TMP_DIR/BBnames.txt
cat $TMP_DIR/BBcalls.txt | sort | uniq > $TMP_DIR/BBcalls2.txt && mv $TMP_DIR/BBcalls2.txt $TMP_DIR/BBcalls.txt

# Generate distance ☕️
# $AFLGO/scripts/genDistance.sh is the original, but significantly slower, version
$AFLGO/scripts/gen_distance_fast.py $SUBJECT $TMP_DIR xmllint

# Check distance file
echo "Distance values:"
head -n5 $TMP_DIR/distance.cfg.txt
echo "..."
tail -n5 $TMP_DIR/distance.cfg.txt
  8. Note: If distance.cfg.txt is empty, there was some problem computing the CG-level and BB-level target distance. See $TMP_DIR/step*.
  9. Instrument subject (i.e., libxml2)
export CFLAGS="$COPY_CFLAGS -distance=$TMP_DIR/distance.cfg.txt"
export CXXFLAGS="$COPY_CXXFLAGS -distance=$TMP_DIR/distance.cfg.txt"

# Clean and build subject with distance instrumentation ☕️
pushd $SUBJECT
  make clean
  ./configure --disable-shared
  make xmllint
popd

If your compilation crashes in this step, have a look at Issue #4.
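
The target-extraction step above builds BBtargets.txt from a commit with showlinenum.awk and a grep/cut pipeline. The following is an added example, not part of the AFLGo project, that does the same job in plain Python (the language of AFLGo's distance scripts): it walks a unified diff, tracks the new-side line counter through each @@ hunk, and emits one file:line entry per added line in C/C++ source files, which is the format the -targets option consumes. SAMPLE_DIFF is a constructed -U0 diff with made-up function names; it is not libxml2 commit ef709ce2.

```python
"""Derive AFLGo BBtargets (file:line per added source line) from a unified diff.

Added example: a pure-Python stand-in for the showlinenum.awk | grep | cut
pipeline from the README. Not code from the AFLGo project.
"""
import re
import sys

# "@@ -old[,count] +new[,count] @@": only the new-side start matters here
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")
SOURCE_SUFFIXES = (".c", ".h", ".cpp", ".cc")


def diff_to_targets(diff_text, suffixes=SOURCE_SUFFIXES):
    """Return ["path:line", ...] for every '+' line in files with a matching suffix.

    Line numbers refer to the post-change file (the one that will be compiled
    and instrumented), which is what AFLGo's -targets option needs.
    """
    targets = []
    path = None       # path of the file whose hunks we are currently in
    new_line = None   # new-side line number of the next hunk line
    for line in diff_text.splitlines():
        if line.startswith("diff --git"):
            path, new_line = None, None
            continue
        if line.startswith("+++ "):
            name = line[4:].split("\t")[0]
            if name == "/dev/null":            # file deleted: nothing to target
                path = None
            else:
                path = name[2:] if name.startswith("b/") else name
            new_line = None
            continue
        if line.startswith("--- "):
            continue
        m = HUNK_RE.match(line)
        if m:
            new_line = int(m.group(1))
            continue
        if path is None or new_line is None:
            continue                           # "index ..." lines and the like
        if line.startswith("+"):
            if path.endswith(suffixes):
                targets.append(f"{path}:{new_line}")
            new_line += 1
        elif line.startswith("-") or line.startswith("\\"):
            pass   # removed line / "\ No newline at end of file": new side unchanged
        else:
            new_line += 1                      # context line (absent with -U0)
    return targets


# Constructed -U0 diff in git's format with made-up function names;
# it is NOT libxml2 commit ef709ce2.
SAMPLE_DIFF = """\
diff --git a/parser.c b/parser.c
index 1111111..2222222 100644
--- a/parser.c
+++ b/parser.c
@@ -581 +581,2 @@ xmlParseFoo(xmlParserCtxtPtr ctxt)
-        return;
+        return(NULL);
+    ctxt->instate = XML_PARSER_CONTENT;
@@ -600,0 +602 @@ xmlParseBar(void)
+    xmlFree(buf);
diff --git a/README b/README
index 3333333..4444444 100644
--- a/README
+++ b/README
@@ -1 +1 @@
-old text
+new text
"""

if __name__ == "__main__":
    # Usage: git diff -U0 HEAD^ HEAD | python3 diff_to_targets.py > BBtargets.txt
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    print("\n".join(diff_to_targets(text)))
```

Only added lines become targets: a pure deletion leaves nothing to reach in the new binary, and non-source files (README above) are filtered by suffix exactly as the grep in the pipeline does. Run the script on the real `git diff -U0 HEAD^ HEAD` output and compare against the awk pipeline's BBtargets.txt before instrumenting.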

How to fuzz the instrumented binary

  • We set the exponential annealing-based power schedule (-z exp).
  • We set the time-to-exploitation to 45min (-c 45m), assuming the fuzzer is run for about an hour.
# Construct seed corpus
mkdir in
cp $SUBJECT/test/dtd* in
cp $SUBJECT/test/dtds/* in

$AFLGO/afl-fuzz -S ef709ce2 -z exp -c 45m -i in -o out $SUBJECT/xmllint --valid --recover @@
  • Tip: Concurrently fuzz the most recent version as master with classical AFL :)
$AFL/afl-fuzz -M master -i in -o out $MASTER/xmllint --valid --recover @@
  • Run more fuzzing scripts of various real programs like Binutils, jasper, lrzip, libming and DARPA CGC.
Comments
  • Error in building binutils

    Hi, I'm trying to build binutils to reproduce the bug CVE-2016-4487. But I'm not able to build binutils using similar commands given in the example. This is the error that I get when trying to build:

    /usr/bin/ld.gold: error: arlex.o: multiple definition of 'yylex'
    /usr/bin/ld.gold: ar.o: previous definition here
    /usr/bin/ld.gold: error: arlex.o: multiple definition of 'yywrap'
    /usr/bin/ld.gold: ar.o: previous definition here

    I'm getting the following error if I skip the "-Wl,-plugin-opt=save-temps" parameter

    clang (LLVM option parsing): for the -targets option: may only occur zero or one times!
    clang (LLVM option parsing): for the -outdir option: may only occur zero or one times!

    Can anyone share the build steps for binutils?

    opened by deathholes 14
  • ERROR in step 7 while running "./autogen.sh"

    Hi, thanks for your AFLGo. Now I am using aflgo following the steps with llvm-3.9.1 but failed in step 7 many times. This is what I get running "./autogen.sh". You can see the error: C compiler cannot create executables. It seems that your compiler failed the check. Could you please give me any suggestion about how to solve the problem? Thank you very much!

    chenyixiu@chenyixiu-INVALID:~/libxml2$ ./autogen.sh
    I am going to run ./configure with no arguments - if you wish to pass any to it, please specify them on the ./autogen.sh command line.
    configure.ac:52: warning: AM_INIT_AUTOMAKE: two- and three-arguments forms are deprecated.
    aclocal.m4:9200: AM_INIT_AUTOMAKE is expanded from...
    configure.ac:52: the top level
    libtoolize: putting auxiliary files in `.'.
    libtoolize: copying file `./ltmain.sh'
    libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.
    libtoolize: copying file `m4/libtool.m4'
    libtoolize: copying file `m4/ltoptions.m4'
    libtoolize: copying file `m4/ltsugar.m4'
    libtoolize: copying file `m4/ltversion.m4'
    libtoolize: copying file `m4/lt~obsolete.m4'
    configure.ac:52: warning: AM_INIT_AUTOMAKE: two- and three-arguments forms are deprecated.
    aclocal.m4:598: AM_INIT_AUTOMAKE is expanded from...
    configure.ac:52: the top level
    configure.ac:52: warning: AM_INIT_AUTOMAKE: two- and three-arguments forms are deprecated. For more info, see:
    configure.ac:52: http://www.gnu.org/software/automake/manual/automake.html#Modernize-AM_005fINIT_005fAUTOMAKE-invocation
    configure.ac:60: installing './compile'
    configure.ac:7: installing './config.guess'
    configure.ac:7: installing './config.sub'
    configure.ac:52: installing './install-sh'
    configure.ac:52: installing './missing'
    Makefile.am: installing './INSTALL'
    Makefile.am: installing './COPYING' using GNU General Public License v3 file
    Makefile.am: Consider adding the COPYING file to the version control system
    Makefile.am: for your code, to avoid questions about which license your project uses
    /usr/share/automake-1.14/am/ltlibrary.am: warning: 'libxml2.la': linking libtool libraries using a non-POSIX
    /usr/share/automake-1.14/am/ltlibrary.am: archiver requires 'AM_PROG_AR' in 'configure.ac'
    Makefile.am:22: while processing Libtool library 'libxml2.la'
    /usr/share/automake-1.14/am/ltlibrary.am: warning: 'testdso.la': linking libtool libraries using a non-POSIX
    /usr/share/automake-1.14/am/ltlibrary.am: archiver requires 'AM_PROG_AR' in 'configure.ac'
    Makefile.am:173: while processing Libtool library 'testdso.la'
    Makefile.am: installing './depcomp'
    doc/Makefile.am:21: warning: wildcard tutorial/*.html: non-POSIX variable name
    doc/Makefile.am:21: (probably a GNU make extension)
    doc/Makefile.am:21: warning: wildcard tutorial/*.c: non-POSIX variable name
    doc/Makefile.am:21: (probably a GNU make extension)
    doc/Makefile.am:21: warning: wildcard tutorial/*.pdf: non-POSIX variable name
    doc/Makefile.am:21: (probably a GNU make extension)
    doc/Makefile.am:21: warning: wildcard tutorial/images/*.png: non-POSIX variable name
    doc/Makefile.am:21: (probably a GNU make extension)
    doc/Makefile.am:21: warning: wildcard tutorial/images/callouts/*.png: non-POSIX variable name
    doc/Makefile.am:21: (probably a GNU make extension)
    doc/Makefile.am:21: warning: wildcard API.html: non-POSIX variable name
    doc/Makefile.am:21: (probably a GNU make extension)
    doc/Makefile.am:21: warning: wildcard *.1: non-POSIX variable name
    doc/Makefile.am:21: (probably a GNU make extension)
    doc/Makefile.am:21: warning: wildcard *.xsl: non-POSIX variable name
    doc/Makefile.am:21: (probably a GNU make extension)
    doc/Makefile.am:21: warning: wildcard *.html: non-POSIX variable name
    doc/Makefile.am:21: (probably a GNU make extension)
    doc/Makefile.am:21: warning: wildcard *.gif: non-POSIX variable name
    doc/Makefile.am:21: (probably a GNU make extension)
    doc/Makefile.am:21: warning: wildcard html/*.html: non-POSIX variable name
    doc/Makefile.am:21: (probably a GNU make extension)
    doc/Makefile.am:21: warning: wildcard html/*.png: non-POSIX variable name
    doc/Makefile.am:21: (probably a GNU make extension)
    doc/Makefile.am:301: warning: filter-out %/xmlversion.h, $(wildcard $(top_srcdir: non-POSIX variable name
    doc/Makefile.am:301: (probably a GNU make extension)
    doc/Makefile.am:301: warning: wildcard $(top_srcdir: non-POSIX variable name
    doc/Makefile.am:301: (probably a GNU make extension)
    checking build system type... x86_64-unknown-linux-gnu
    checking host system type... x86_64-unknown-linux-gnu
    extra=CVE-2015-8317-5-gef709ce
    checking for a BSD-compatible install... /usr/bin/install -c
    checking whether build environment is sane... yes
    checking for a thread-safe mkdir -p... /bin/mkdir -p
    checking for gawk... gawk
    checking whether make sets $(MAKE)... yes
    checking whether make supports nested variables... yes
    checking whether make supports nested variables... (cached) yes
    checking for gcc... /home/chenyixiu/aflgo/afl-clang-fast
    checking whether the C compiler works... no
    configure: error: in `/home/chenyixiu/libxml2':
    configure: error: C compiler cannot create executables
    See `config.log' for more details

    Now type 'make' to compile libxml2.

    opened by Jiadosi 14
  • distance.callgraph.txt: No such file or directory

    Hi, when I use aflgo, I always meet a problem: cat: ..../AFLGO/temp/distance.callgraph.txt: No such file or directory. Here is my environment: subject: libxml2, OS: ubuntu 16.04, LLVM: 4.0

    and when I execute the command $AFLGO/scripts/genDistance.sh $SUBJECT $TMP_DIR xmllint, the result is

    (1) Constructing CG for /home/wcc/Downloads/AFLGO/libxml2/.libs/xmllint..
    (2) Computing distance for call graph ..
    cat: /home/wcc/Downloads/AFLGO/temp/distance.callgraph.txt: No such file or directory

    Parsing /home/wcc/Downloads/AFLGO/temp/dot-files/callgraph.dot ..
    Name: Call graph
    Type: DiGraph
    Number of nodes: 252
    Number of edges: 765
    Average in degree: 3.0357
    Average out degree: 3.0357

    Working in CG mode..
    Loading targets..
    No targets available
    -- Problem in Step 2 of generating ! --
    You can resume by executing:
    $ /home/wcc/Downloads/AFLGO/aflgo/scripts/genDistance.sh /home/wcc/Downloads/AFLGO/libxml2 /home/wcc/Downloads/AFLGO/temp xmllint /home/wcc/Downloads/AFLGO/temp

    And the Ftargets.txt is

    xmlAddID__internal_alias
    xmlAddID

    step2.log is

    Parsing /home/wcc/Downloads/AFLGO/temp/dot-files/callgraph.dot ..
    Name: Call graph
    Type: DiGraph
    Number of nodes: 252
    Number of edges: 765
    Average in degree: 3.0357
    Average out degree: 3.0357

    Working in CG mode..
    Loading targets..
    No targets available

    Thanks!

    opened by CCWANG19 12
  • oss-fuzz installation, stuck at step 2

    Hi, I am trying to install the oss-fuzz before installing aflgo and im doing this behind corporate firewall. I keep getting the error:

    E: Unable to locate package libc6-dev
    E: Unable to locate package binutils
    E: Unable to locate package libgcc-5-dev
    

    when the /infra/base-images/base-clang/Dockerfile is running. I poked around google and most suggestions include doing sudo apt-get update, sudo apt-get upgrade, adding repositories like multiverse etc etc, and i've tried them but this error is still thrown. I've also tried editing the Dockerfile to run RUN apt-get install -y libc6-dev binutils libgcc-5-dev, but the error message:

    Step 3/12 : RUN sudo apt-get install -y libc6-dev binutils libgcc-5-dev
     ---> Running in fa2d4767bc4c
    /bin/sh: 1: sudo: not found
    The command '/bin/sh -c sudo apt-get install -y libc6-dev binutils libgcc-5-dev' returned a non-zero code: 127
    

    then appears. Help!! Not sure if its the corporate firewall preventing it from downloading the packages (which, last time I checked, were the latest versions already as of 25 June 2018)

    Below is what comes up in the terminal when entering infra/base-images/all.sh:

    + docker build --pull -t gcr.io/oss-fuzz-base/base-image infra/base-images/base-image
    Sending build context to Docker daemon   2.56kB
    Step 1/9 : FROM ubuntu:16.04
    16.04: Pulling from library/ubuntu
    Digest: sha256:b050c1822d37a4463c01ceda24d0fc4c679b0dd3c43e742730e2884d3c582e3a
    Status: Image is up to date for ubuntu:16.04
     ---> 5e8b97a2a082
    Step 2/9 : MAINTAINER [email protected]
     ---> Using cache
     ---> ce3911a754ea
    Step 3/9 : ENV DEBIAN_FRONTEND noninteractive
     ---> Using cache
     ---> ae05540f823a
    Step 4/9 : RUN apt-get update && apt-get upgrade -y && apt-get autoremove -y
     ---> Using cache
     ---> 9dbd6c3bdefc
    Step 5/9 : ENV OUT /out
     ---> Using cache
     ---> 498e0b22b8b3
    Step 6/9 : ENV SRC /src
     ---> Using cache
     ---> 9a6be30850ec
    Step 7/9 : ENV WORK /work
     ---> Using cache
     ---> 0ca61162fa17
    Step 8/9 : ENV PATH "$PATH:/out"
     ---> Using cache
     ---> 5e933374ad11
    Step 9/9 : RUN mkdir -p $OUT $SRC $WORK && chmod a+rwx $OUT $SRC $WORK
     ---> Using cache
     ---> 85e3704aafae
    Successfully built 85e3704aafae
    Successfully tagged gcr.io/oss-fuzz-base/base-image:latest
    + docker build -t gcr.io/oss-fuzz-base/base-clang infra/base-images/base-clang
    Sending build context to Docker daemon  6.656kB
    Step 1/12 : FROM gcr.io/oss-fuzz-base/base-image
     ---> 85e3704aafae
    Step 2/12 : MAINTAINER [email protected]
     ---> Using cache
     ---> 15da6853474d
    Step 3/12 : RUN apt-get install -y libc6-dev binutils libgcc-5-dev
     ---> Running in 0c969a46d227
    Reading package lists...
    Building dependency tree...
    Reading state information...
    E: Unable to locate package libc6-dev
    E: Unable to locate package binutils
    E: Unable to locate package libgcc-5-dev
    The command '/bin/sh -c apt-get install -y libc6-dev binutils libgcc-5-dev' returned a non-zero code: 100
    
    opened by swonlek 10
  • Fuzz Chromium [Couldn't find any binaries in folder (Instrumenting chromium)]

    Want to fuzz Chromium? See some useful links here.


    Hi there,

    I'm trying to instrument Chromium. I can follow along your instructions perfectly fine until the 7th step here. You take libxml2 as an example and build it. Prior to that, you export some additional compiler flags:

    # Set aflgo-instrumentation flags
    export COPY_CFLAGS=$CFLAGS
    export COPY_CXXFLAGS=$CXXFLAGS
    export ADDITIONAL="-targets=$TMP_DIR/BBtargets.txt -outdir=$TMP_DIR -flto -fuse-ld=gold -Wl,-plugin-opt=save-temps"
    export CFLAGS="$CFLAGS $ADDITIONAL"
    export CXXFLAGS="$CXXFLAGS $ADDITIONAL"
    

    Build script for chromium

    After that, I've replaced the build section by the build instructions for chromium:

    # --- 🔄 Build chromium
    # in order to generate CG and CFGs later... meanwhile, go have a coffee ☕️
    # see: https://github.com/chromium/chromium/blob/master/docs/linux/build_instructions.md
    
    # Install additional build dependencies
    ./build/install-build-deps.sh
    
    # Gclient sync
    gclient sync
    
    # Run the hooks
    gclient runhooks
    
    # Set up the build
    gn gen out/MyChromeBuild --is_debug=false
    
    # Finally build chromium
    autoninja -C out/MyChromeBuild chrome
    # --- 🔄
    

    After having built chrome for several hours, the gen_distance_fast.py claims that (path shortened):

    gen_distance_fast.py: error: Couldn't find any binaries in folder .../chromium/src/out/MyChromeBuild
    

    However, in this folder, there is indeed a file called chrome (1.2 GB big).


    Binary not found

    Do you have any tips for me? I've looked into gen_distance_fast.py and don't quite get why the binary has to be in that specific format (ending with *.0.0.*.bc)?

    binaries = list(args.binaries_directory.glob("*.0.0.*.bc"))
    if len(binaries) == 0:
        parser.error("Couldn't find any binaries in folder "
                     f"{args.binaries_directory}.")
    

    I guess AFLGo assumes that I have to use something along the lines of CMake. However, Chrome uses gn and ninja as build tools. Is that a problem? Please clarify the 7th step for me, as it is unclear how the CG and CFGs are extracted from the subject without ever calling a script residing inside the AFLGo repository. Is it that you provide additional CFLAGS to pass to LLVM (so I would need a specific compiler), or how is this step working exactly? This is my biggest confusion at the moment.

    What is this third argument?

    Also, I don't understand why you pass in xmllint as an example in the readme:

    # Generate distance ☕️
    # $AFLGO/scripts/genDistance.sh is the original, but significantly slower, version
    $AFLGO/scripts/gen_distance_fast.py $SUBJECT $TMP_DIR xmllint
    

    In the gen_distance_fast.py script, the third argument corresponds to the fuzzer name. I thought that AFLGo itself is the fuzzer. Why do we have to specify a "Name of fuzzer binary" here?

    Thank you for any help 😇

    opened by Splines 9
  • Unable to find target in callgraph when fuzzing Apache httpd

    Fuzzing target

    Apache httpd

    Patch used

    The patch for CVE-2016-2161.

    Httpd version

    Commit 5da25a4

    Aflgo version

    Compiled from the latest commit on master branch.

    Issue description

    Unable to find the targets in $TMP_DIR/Ftarget.txt in the callgraph (dot-files/callgraph.dot).

    opened by cty12 9
  • Distance calculation failure

    Hi,

    I tried to run AFLGo with openjpeg according to the README. I succeeded in instrumenting it, but when I run the gen_distance_fast.py script, the error messages are printed repeatedly as follows.

    ~/aflgo$ $AFLGO/scripts/gen_distance_fast.py $SUBJECT/build/bin $TMP_DIR opj_dump
    (0) Constructing CG for /home/user/aflgo/openjpeg-2.1.1/build/bin/opj_dump.0.0.preopt.bc..
    (1) Computing distance for callgraph
    (1) Computing distance for control-flow graphs (this might take a while)
    cfg distance calculator failed while calculating distance for /home/user/aflgo/temp/BBtargets.txt.
    cfg distance calculator failed while calculating distance for /home/user/aflgo/temp/BBtargets.txt.
    cfg distance calculator failed while calculating distance for /home/user/aflgo/temp/BBtargets.txt.
    ...
    
    ~/aflgo/temp$ cat step0.log 
    Writing 'callgraph.dot'...
    

    Can you tell me what's the problem?

    Additionally, I also tried to fuzz gif2png. However the configuration step failed with the following error.

    $ ./configure
    ...
    checking whether make sets $(MAKE)... yes
    checking for gcc... /home/user/aflgo/gif2png-2.5.8/afl-clang-fast
    checking whether the C compiler works... no
    configure: error: in `/home/user/aflgo/gif2png-2.5.8':
    configure: error: C compiler cannot create executables
    See `config.log' for more details
    

    I followed all steps 1~6 in the README file. Is there something I missed?

    opened by blbi 8
  • clang4.0 not support -V -g options

    configure:3509: ./aflgo/afl-clang-fast -V >&5
    clang-4.0: error: unsupported option '-V -g'
    configure:3520: $? = 1
    configure:3509: ./aflgo/afl-clang-fast -qversion >&5
    clang-4.0: error: unknown argument: '-qversion'
    configure:3520: $? = 1

    opened by apinellia 8
  • Fuzzing lrzip CVE 2017-8846 with ASAN

    Hi,

    I recently run the following script to fuzz lrzip:

    https://github.com/aflgo/aflgo/blob/master/scripts/fuzz/lrzip-CVE-2017-8846.sh

    I could successfully generate distance files, and fuzz the program with AFLGo on Ubuntu 18.04. I generated the binary both with and without ASAN support (when generating distance files, I did not set AFL_USE_ASAN as specified here). As expected, lrzip becomes extremely slow with ASAN (<1 exec/sec). I guess the only option here is to compile the binary with m32 which is not recognized by clang wrapper of AFLGo (afl-clang-fast) and ended up with a FATAL.

    I see that you build all projects with ASAN support in the paper. Did you generate 32-bit binaries? If so, how can I compile lrzip as 32-bit on a 64-bit machine? Or did you use any other tricks to fuzz with ASAN?

    Thanks,

    Sadullah

    opened by scanakci 7
  • problems on AFLGo Building Script

    When ninja is running, there are some errors: 1. ninja: build stopped: subcommand failed; 2. c++: internal compiler error: Killed (program cc1plus). What should I do? THX

    opened by Kiwi071211 7
  • Error in building binutils

    My error description is very similar to #37 which has been closed due to inactivity.

    When building binutils with Clang + Gold I get the following error:

    /usr/bin/ld.gold: error: arlex.o: multiple definition of 'yylex'
    /usr/bin/ld.gold: ar.o: previous definition here

    Additional Information: OS: Ubuntu 18.04.3. Clang version: I tried 4.0.0, 4.0.1, and 6.0.0 (all result in the same error). Binutils version: I tried 2.33.1 and 2.29.1 (all result in the same error). Configure flags: --disable-werror --disable-shared --disable-ld (all result in the same error). Gold linker: I tried versions 1.15 and 1.16.

    I am able to build binutils with clang, when skipping the gold arguments.

    Is there anything else I could try?

    Edit: Added gold linker version

    opened by OskarBo 7
  • Incorrect method of merge call graph

    Hello, While reading and testing the python script gen_distance_fast.py, I wonder how it identifies caller and callee functions from different callgraph files. The .callgraph.dot is generated separately by the command opt and NodeID is different for the same function in different .callgraph.dot files. So I make a demo to test it.

    I create two .c files as below.

    // a.c
    #include <stdio.h>
    #include "b.h"
    
    static void test(){
        printf("test from a.c\n");
    }
    
    int main(){
        test();
        testB();
    }
    // b.c
    #include <stdio.h>
    #include "b.h"
    
    static void test(){
        printf("test from b.c\n");
    }
    
    void testB(){
        test();
    }
    

    Secondly, I generate .bc, .ll and callgraph files for them with the following command.

    # .bc
    clang -g -O0 -c -emit-llvm a.c -o a.bc
    clang -g -O0 -c -emit-llvm b.c -o b.bc
    # .ll
    llvm-dis a.bc -o a.ll
    llvm-dis b.bc -o b.ll
    # .callgraph.dot
    opt -dot-callgraph a.bc
    opt -dot-callgraph b.bc
    

    Thirdly, I merge the two .callgraph.dot files into one with the following Python script, using the same method as gen_distance_fast.py.

    #!/usr/bin/env python3
    
    import networkx as nx
    
    
    a_cg = nx.DiGraph(nx.drawing.nx_pydot.read_dot("./a.bc.callgraph.dot"))
    b_cg = nx.DiGraph(nx.drawing.nx_pydot.read_dot("./b.bc.callgraph.dot"))
    a_cg.update(b_cg)
    with open('./all.bc.callgraph.dot','w') as f:
        nx.drawing.nx_pydot.write_dot(a_cg, f)
    print("done")
    

    However, the result is disappointing. NetworkX cannot identify the same function in different .callgraph.dot files. There are two nodes with the same label testB, which should be merged. The .callgraph.dot files are shown below.

    # a.bc.callgraph.dot
    digraph "Call graph: a.bc" {
    	label="Call graph: a.bc";
    
    	Node0x590adb0 [shape=record,label="{main}"];
    	Node0x590adb0 -> Node0x590ae60;
    	Node0x590adb0 -> Node0x590af10;
    	Node0x590af10 [shape=record,label="{testB}"];
    	Node0x590ae60 [shape=record,label="{test}"];
    	Node0x590ae60 -> Node0x590b050;
    	Node0x590b050 [shape=record,label="{printf}"];
    }
    # b.bc.callgraph.dot
    digraph "Call graph: b.bc" {
    	label="Call graph: b.bc";
    
    	Node0x4ed5900 [shape=record,label="{testB}"];
    	Node0x4ed5900 -> Node0x4ed59b0;
    	Node0x4ed59b0 [shape=record,label="{test}"];
    	Node0x4ed59b0 -> Node0x4ed5a60;
    	Node0x4ed5a60 [shape=record,label="{printf}"];
    }
    # merged all.bc.callgraph.dot
    strict digraph "Call graph: b.bc" {
    label="Call graph: b.bc";
    Node0x590adb0 [label="{main}", shape=record];
    Node0x590af10 [label="{testB}", shape=record];
    Node0x590ae60 [label="{test}", shape=record];
    Node0x590b050 [label="{printf}", shape=record];
    Node0x4ed5900 [label="{testB}", shape=record];
    Node0x4ed59b0 [label="{test}", shape=record];
    Node0x4ed5a60 [label="{printf}", shape=record];
    Node0x590adb0 -> Node0x590ae60;
    Node0x590adb0 -> Node0x590af10;
    Node0x590ae60 -> Node0x590b050;
    Node0x4ed5900 -> Node0x4ed59b0;
    Node0x4ed59b0 -> Node0x4ed5a60;
    }
    
    
    
    opened by TheSilentDawn 1
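
The node ids in the comment above (Node0x590af10 vs Node0x4ed5900 for the same testB) differ per .callgraph.dot file, so a union keyed on ids cannot join the graphs; keying on the function label can. Below is an added example, not code from gen_distance_fast.py or the AFLGo project, that parses the `NodeX [label="{name}"]` / `NodeX -> NodeY` lines in the format quoted above, merges several per-module call graphs by label, and then computes the call-graph-level target distance that the README's "Generate distance" step produces: as defined in the AFLGo paper (Böhme et al., CCS 2017), the harmonic mean of the shortest-path lengths from a function to every target function it can reach, undefined (None here) when no target is reachable, and 0 for a target itself. A_DOT and B_DOT are reconstructed from the a.bc/b.bc files in the comment; the code deliberately avoids networkx so it runs without extra packages. The merge also exposes a caveat the comment does not mention: the two static functions both named test collapse into one node, so label-based merging over-approximates reachability for same-named statics in different translation units.

```python
"""Merge LLVM -dot-callgraph outputs by function label and compute AFLGo's
call-graph (function-level) target distance.

Added example; not code from gen_distance_fast.py or the AFLGo project.
"""
import re
from collections import deque

# Matches the two line shapes in the .callgraph.dot files quoted above:
#   Node0x590adb0 [shape=record,label="{main}"];
#   Node0x590adb0 -> Node0x590ae60;
NODE_RE = re.compile(r'^\s*(Node0x[0-9a-f]+)\s*\[.*?label="\{([^}]*)\}"')
EDGE_RE = re.compile(r"^\s*(Node0x[0-9a-f]+)\s*->\s*(Node0x[0-9a-f]+)")


def parse_callgraph_dot(text):
    """Return the set of (caller, callee) function-name pairs in one .dot file."""
    labels, edges = {}, []
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if m:
            labels[m.group(1)] = m.group(2)
            continue
        m = EDGE_RE.match(line)
        if m:
            edges.append((m.group(1), m.group(2)))
    # An edge may appear before its node's label line, so resolve after the pass.
    return {(labels[a], labels[b]) for a, b in edges if a in labels and b in labels}


def merge_callgraphs(dot_texts):
    """Union of per-module call graphs keyed by function name, not by Node id.

    Caveat: two 'static' functions with the same name in different modules
    collapse into one node here; qualify labels by module if that matters.
    """
    graph = {}
    for text in dot_texts:
        for caller, callee in parse_callgraph_dot(text):
            graph.setdefault(caller, set()).add(callee)
            graph.setdefault(callee, set())
    return graph


def shortest_distances(graph, start):
    """BFS: number of call edges from start to every reachable function."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        n = queue.popleft()
        for callee in graph.get(n, ()):
            if callee not in dist:
                dist[callee] = dist[n] + 1
                queue.append(callee)
    return dist


def function_distance(graph, func, targets):
    """AFLGo call-graph distance d_f(func, targets).

    0 if func is itself a target, None if no target is reachable, otherwise the
    harmonic mean of the shortest-path lengths to each reachable target, so a
    function close to several targets scores lower than one close to only one.
    """
    if func in targets:
        return 0.0
    dist = shortest_distances(graph, func)
    reachable = [dist[t] for t in targets if t in dist]
    if not reachable:
        return None
    return 1.0 / sum(1.0 / d for d in reachable)


# Reconstructed from the a.bc / b.bc .callgraph.dot files quoted in the issue.
A_DOT = """\
digraph "Call graph: a.bc" {
    label="Call graph: a.bc";

    Node0x590adb0 [shape=record,label="{main}"];
    Node0x590adb0 -> Node0x590ae60;
    Node0x590adb0 -> Node0x590af10;
    Node0x590af10 [shape=record,label="{testB}"];
    Node0x590ae60 [shape=record,label="{test}"];
    Node0x590ae60 -> Node0x590b050;
    Node0x590b050 [shape=record,label="{printf}"];
}
"""
B_DOT = """\
digraph "Call graph: b.bc" {
    label="Call graph: b.bc";

    Node0x4ed5900 [shape=record,label="{testB}"];
    Node0x4ed5900 -> Node0x4ed59b0;
    Node0x4ed59b0 [shape=record,label="{test}"];
    Node0x4ed59b0 -> Node0x4ed5a60;
    Node0x4ed5a60 [shape=record,label="{printf}"];
}
"""

MERGED = merge_callgraphs([A_DOT, B_DOT])

if __name__ == "__main__":
    for f in sorted(MERGED):
        print(f, "->", sorted(MERGED[f]), "d_f to {printf, testB} =",
              function_distance(MERGED, f, {"printf", "testB"}))
```

With targets {printf, testB}, main is one call from testB and two from printf, so its distance is 1/(1/1 + 1/2) = 0.667, lower than test's 1.0 even though test is nearer to printf: the harmonic mean rewards being close to many targets, which is what drives AFLGo's seed prioritisation. Empty Ftargets.txt or "No targets available" in the comments above corresponds to the None case: no path from the entry function to any target in the merged graph.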
  • Fail to build lua [lua.o: File format not recognized]

    Hi there,

    I would like to fuzz lua with AFLGo, but it fails during the first build. The CG and CFGs seem generated successfully, but the binary is not.

    Target

    export TMP_DIR=$OUT/temp
    mkdir -p $TMP_DIR
    # printf rather than echo: bash's builtin echo does not expand \n without -e
    printf 'liolib.c:298\nldebug.c:197\nldebug.c:848\nldebug.c:920\n' > $TMP_DIR/BBtargets.txt
    

    Fetch Lua

    git clone --no-checkout https://github.com/lua/lua.git
    git -C lua checkout dbdc74dc5502c2e05e1c1e2ac894943f418c8431
    

    Set AFLGo ENV

    export CC="$HOME/aflgo/afl-clang-fast"
    export CXX="$HOME/aflgo/afl-clang-fast++"
    
    export COPY_CFLAGS=$CFLAGS
    export COPY_CXXFLAGS=$CXXFLAGS
    export ADDITIONAL="-targets=$TMP_DIR/BBtargets.txt -outdir=$TMP_DIR -flto -fuse-ld=gold -Wl,-plugin-opt=save-temps"
    export CFLAGS="$CFLAGS $ADDITIONAL"
    export CXXFLAGS="$CXXFLAGS $ADDITIONAL"
    

    Modify makefile

    To support AFLGo configuration, I modify its makefile as follows:

    -CC= gcc
    -CFLAGS= -Wall -O2 $(MYCFLAGS) -fno-stack-protector -fno-common -march=native
    +CC ?= gcc
    +CFLAGS += -Wall $(MYCFLAGS) -fno-stack-protector -fno-common -march=native
    
    -LIBS = -lm
    +LIBS += -lm
    
     $(LUA_T): $(LUA_O) $(CORE_T)
    -	$(CC) -o $@ $(MYLDFLAGS) $(LUA_O) $(CORE_T) $(LIBS) $(MYLIBS) $(DL)
    +	$(CC) -o $@ $(LDFLAGS) $(MYLDFLAGS) $(LUA_O) $(CORE_T) $(LIBS) $(MYLIBS) $(DL)
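
    Review bot: the link recipe in the last hunk still passes only $(LDFLAGS) $(MYLDFLAGS) and never $(CFLAGS), so the -flto -fuse-ld=gold -Wl,-plugin-opt=save-temps flags that were put into CFLAGS reach the compile step but not the link step. The failing command quoted below confirms it (no -flto and no -fuse-ld=gold on the line), and because lua.o is LLVM bitcode under -flto (as `file lua.o` shows) the default linker cannot read it, which is exactly "File format not recognized". Either add $(CFLAGS) to the recipe, e.g. `$(CC) -o $@ $(CFLAGS) $(LDFLAGS) $(MYLDFLAGS) $(LUA_O) $(CORE_T) $(LIBS) $(MYLIBS) $(DL)`, or export LDFLAGS carrying the same LTO/gold flags before running make. The `CC ?= gcc` change is fine as long as CC stays exported, as it is in the environment block above.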
    

    Build

    cd lua
    make clean
    make liblua.a # could generate dot/F/BB files in $TMP_DIR
    make lua # fails to generate binary _lua_
    

    Error Msg

    Command make -j$(nproc) lua fails with the following msg:

    $HOME/aflgo/afl-clang-fast -o lua -g  -Wfatal-errors -Wextra -Wshadow -Wsign-compare -Wundef -Wwrite-strings -Wredundant-decls -Wdisabled-optimization -Wdouble-promotion  -Wdeclaration-after-statement -Wmissing-prototypes -Wnested-externs -Wstrict-prototypes -Wc++-compat -Wold-style-definition  -Wlogical-op -Wno-aggressive-loop-optimizations  -Wl,-E lua.o liblua.a -lrt -lm -ldl -lreadline 
    aflgo-compiler (yeah!) 2.52b
    lua.o: file not recognized: File format not recognized
    clang: fatal error: linker command failed with exit code 1 (use -v to see invocation)
    makefile:114: recipe for target 'lua' failed
    make: *** [lua] Error 1
    

    The file format of lua.o is "LLVM IR bitcode"

    file lua.o
    lua.o: LLVM IR bitcode
    
    opened by qhjchc 0
  • Fix using relative filename to find targets

    Hello, I'm trying to reproduce CVE-2016-4487 using scripts/fuzz/cxxfilt-CVE-2016-4487.sh. However, I found that the content of Ftargets.txt is incomplete. According to the valgrind report, the CVE call stack should include the following functions, but when I executed cxxfilt-CVE-2016-4487.sh, Ftargets.txt contained only a few of them.

    valgrind report

    valgrind binutils/cxxfilt _Q10-__9cafebabe.
    ==3272167== Memcheck, a memory error detector      
    ==3272167== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
    ==3272167== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
    ==3272167== Command: binutils-2.26/binutils/cxxfilt _Q10-__9cafebabe.   
    ==3272167== 
    ==3272167== Invalid write of size 8                                                
    ==3272167==    at 0x23B180: register_Btype (cplus-dem.c:4319)             
    ==3272167==    by 0x23755A: demangle_class (cplus-dem.c:2594)                                                                                                         
    ==3272167==    by 0x234EAC: demangle_signature (cplus-dem.c:1490)                 
    ==3272167==    by 0x23441D: internal_cplus_demangle (cplus-dem.c:1203)
    ==3272167==    by 0x23399A: cplus_demangle (cplus-dem.c:886)
    ==3272167==    by 0x137E21: demangle_it (cxxfilt.c:62)
    ==3272167==    by 0x1382B6: main (cxxfilt.c:227)
    ...
    
    

    target locations in scripts/fuzz/cxxfilt-CVE-2016-4487.sh

    cxxfilt.c:227
    cxxfilt.c:62
    cplus-dem.c:886
    cplus-dem.c:1203
    cplus-dem.c:1490
    cplus-dem.c:2594
    cplus-dem.c:4319
    

    actually Ftargets.txt

    cplus_demangle
    internal_cplus_demangle
    main
    demangle_it
    

    I dumped all values of target_file, target_line, filename and line used to find the BBtarget in llvm_mode/afl-llvm-pass.so.cc:344, and found that sometimes filename was a relative filename. aflgo already handles this problem when constructing bb_name in llvm_mode/afl-llvm-pass.so.cc:331, but it seems that aflgo still tries to use the relative filename to find the BBtarget in llvm_mode/afl-llvm-pass.so.cc:344, which may cause certain target locations to be missed. I removed the relative path from every filename, and it seems to solve the problem.

    llvm_mode/afl-llvm-pass.so.cc

    ...
    325  if (bb_name.empty()) {
    326
    327    std::size_t found = filename.find_last_of("/\\");
    328    if (found != std::string::npos)
    329      filename = filename.substr(found + 1);
    330
    331    bb_name = filename + ":" + std::to_string(line);
    332  }
    ...
    344  if (!target_file.compare(filename) && target_line == line)
    345    is_target = true;
    ...
    

    part of values of target_file, target_line, filename, line using in llvm_mode/afl-llvm-pass.so.cc:344

    # target_file target_line filename line
    ...
    ../../libiberty/cplus-dem.c 4319 cxxfilt.c 227   
    ../../libiberty/cplus-dem.c 4319 cxxfilt.c 62    
    ../../libiberty/cplus-dem.c 4319 cplus-dem.c 886 
    ../../libiberty/cplus-dem.c 4319 cplus-dem.c 1203
    ../../libiberty/cplus-dem.c 4319 cplus-dem.c 1490
    ../../libiberty/cplus-dem.c 4319 cplus-dem.c 2594
    **../../libiberty/cplus-dem.c 4319 cplus-dem.c 4319** is the target location and should be found
    ...
    

    what I modified

    ...
      std::size_t found = filename.find_last_of("/\\");
      if (found != std::string::npos)
        filename = filename.substr(found + 1);
              
      if (bb_name.empty()) 
       bb_name = filename + ":" + std::to_string(line);
    ...
      if (!target_file.compare(filename) && target_line == line)
        is_target = true;
    ...
    

    fixed Ftargets.txt

    cplus_demangle
    internal_cplus_demangle
    demangle_signature
    register_Btype
    demangle_class
    main
    demangle_it
    

    By the way, I tested on Ubuntu 20.04. On my system, scripts/fuzz/cxxfilt-CVE-2016-4487.sh:8 writes a $ character to the first line of BBtargets.txt, so the first target location can't be found. I'm not sure this problem exists on every system, but in my case I needed to remove this $ character.

    opened by tl455047 0
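The mismatch described in the issue above can be reproduced without building AFLGo at all. The following is an added example, not AFLGo's own code: it models the target check the issue points at (afl-llvm-pass.so.cc:344) once as raw string equality and once with both file names reduced to their basename, runs both over constructed sample data shaped like the dumped values (targets written with a relative directory, debug-info file names bare), and adds a check the issue does not mention: basename matching also makes two targets that differ only in their directory indistinguishable, so a helper reports such clashes before fuzzing starts. The struct and function names (`Loc`, `count_reached`, `ambiguous_basenames`) are this example's own.

```cpp
// Added example, not AFLGo's own code: models the target check the issue
// describes at afl-llvm-pass.so.cc:344, once as raw string equality and once
// with both file names reduced to their basename.
#include <cstdio>
#include <map>
#include <set>
#include <string>
#include <vector>

// One source location, as read from BBtargets.txt or from LLVM debug info.
struct Loc {
    std::string file;
    unsigned line;
};

// Strip directory components: "../../libiberty/cplus-dem.c" -> "cplus-dem.c".
std::string basename_of(const std::string &path) {
    std::size_t found = path.find_last_of("/\\");
    return found == std::string::npos ? path : path.substr(found + 1);
}

// Comparison as the issue reports it before the fix: file names must be equal
// byte for byte, so a target carrying a relative directory never matches a bare name.
bool is_target_raw(const Loc &target, const Loc &bb) {
    return target.file == bb.file && target.line == bb.line;
}

// Comparison with both sides normalised to their basename first.
bool is_target_by_basename(const Loc &target, const Loc &bb) {
    return basename_of(target.file) == basename_of(bb.file) && target.line == bb.line;
}

// Number of targets hit by at least one observed basic block, i.e. how many
// entries would make it into Ftargets.txt under the given comparison.
std::size_t count_reached(const std::vector<Loc> &targets, const std::vector<Loc> &bbs,
                          bool (*match)(const Loc &, const Loc &)) {
    std::size_t n = 0;
    for (const Loc &t : targets)
        for (const Loc &bb : bbs)
            if (match(t, bb)) { ++n; break; }
    return n;
}

// Caveat of matching by basename: targets whose paths differ only in the
// directory collapse onto one name and can no longer be told apart. Returns
// the basenames that occur under more than one distinct path.
std::set<std::string> ambiguous_basenames(const std::vector<Loc> &targets) {
    std::map<std::string, std::string> first_path;   // basename -> first path seen
    std::set<std::string> clashes;
    for (const Loc &t : targets) {
        std::string base = basename_of(t.file);
        auto it = first_path.find(base);
        if (it == first_path.end())
            first_path[base] = t.file;
        else if (it->second != t.file)
            clashes.insert(base);
    }
    return clashes;
}

// Constructed sample data in the shapes the issue shows: targets as written in
// BBtargets.txt (some with a relative directory) and basic blocks as the pass
// sees them in debug info (bare file names).
const std::vector<Loc> kTargets = {
    {"cxxfilt.c", 227}, {"cxxfilt.c", 62},
    {"../../libiberty/cplus-dem.c", 886},  {"../../libiberty/cplus-dem.c", 1203},
    {"../../libiberty/cplus-dem.c", 1490}, {"../../libiberty/cplus-dem.c", 2594},
    {"../../libiberty/cplus-dem.c", 4319},
};
const std::vector<Loc> kObservedBBs = {
    {"cxxfilt.c", 227}, {"cxxfilt.c", 62},
    {"cplus-dem.c", 886}, {"cplus-dem.c", 1203}, {"cplus-dem.c", 1490},
    {"cplus-dem.c", 2594}, {"cplus-dem.c", 4319},
    {"cplus-dem.c", 100},   // unrelated block in the same file; must not count
};

int main() {
    std::printf("raw match:      %zu of %zu targets\n",
                count_reached(kTargets, kObservedBBs, is_target_raw), kTargets.size());
    std::printf("basename match: %zu of %zu targets\n",
                count_reached(kTargets, kObservedBBs, is_target_by_basename), kTargets.size());
    for (const std::string &b : ambiguous_basenames(kTargets))
        std::printf("ambiguous target file name: %s\n", b.c_str());
    return 0;
}
```

With the sample data, raw comparison reaches only the two cxxfilt.c targets while basename comparison reaches all seven, which is the difference between the two Ftargets.txt listings in the issue. If `ambiguous_basenames` reports anything for a real BBtargets.txt, the pass would credit blocks in the wrong file with reaching a target, so those entries are worth disambiguating before trusting the distances.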
  • Building libav with aflgo

    Building libav with aflgo

    Hi,

    I would like to fuzz avconv from libav with AFLGo. These are the commands I used to build libav:

    export AFLGO=path/to/aflgo
    export CC=$AFLGO/afl-clang-fast
    export CXX=$AFLGO/afl-clang-fast
    cd path/to/libav
    mkdir temp; mkdir obj-aflgo
    export TMP_DIR=$PWD/temp
    export LDFLAGS=-lpthread
    export ADDITIONAL="-targets=$TMP_DIR/BBtargets.txt -outdir=$TMP_DIR -flto -fuse-ld=gold -Wl,-plugin-opt=save-temps"
    cd obj-aflgo
    ../configure --cc=$CC --prefix=`pwd` --extra-cflags="$ADDITIONAL" --disable-shared
    

    However, I got a "C compiler test failed" error saying temp/test.o: file not recognized: File format not recognized. I guess that the test failed because afl-clang-fast generates IR bitcode instead of an ELF object file. I have read #69 and #71, and they suggest using --host-cflags. So, I changed the configure command to:

    ../configure --cc=$CC --prefix=`pwd` --host-cflags="$ADDITIONAL" --disable-shared --disable-doc
    

    Using the above configure command, configuring the makefile and building libav succeeds, but afl-clang-fast does not generate the dot files. BBnames.txt and BBcalls.txt are also empty. Therefore, I cannot calculate the distance.

    Would you please help me to build libav with aflgo?

    Here is the commit hash of the libav and the BBtargets.txt :

    Commit hash: c4642788e83b0858bca449f9b6e71ddb015dfa5d

    BBtargets.txt:

    libavcodec/aacdec.c:2578
    libavcodec/aacdec.c:2631
    libavcodec/aacdec.c:2666
    libavcodec/aacdec.c:2944
    libavcodec/aacdec.c:3010
    libavcodec/decode.c:336
    libavcodec/decode.c:387
    libavcodec/decode.c:405
    libavcodec/decode.c:466
    libavformat/utils.c:1950
    libavformat/utils.c:2459
    avtools/avconv_opt.c:821
    avtools/avconv_opt.c:2467
    avtools/avconv_opt.c:2504
    avtools/avconv.c:2953
    

    Thank you.

    opened by irfanariq 2
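Both the lua build issue earlier on this page (lua.o reported as "LLVM IR bitcode") and the libav issue above (temp/test.o "file not recognized") are the same failure: with -flto in the compile flags, afl-clang-fast emits LLVM bitcode objects, and a link step that does not go through an LTO-aware linker cannot consume them. The following is an added example, written for this page and not taken from either issue or from AFLGo, that classifies objects by their magic bytes so the condition can be caught before the linker runs. The constants, `ObjKind` and the function names are this example's own; the sample headers are constructed, not real build output.

```cpp
// Added example; not code from the issues or from AFLGo. Tells LLVM bitcode
// objects apart from ELF objects by their magic bytes so that a
// "file not recognized" link error can be traced to LTO objects handed to a
// linker without LLVM's LTO plugin.
#include <cstdint>
#include <cstdio>
#include <fstream>
#include <string>
#include <utility>
#include <vector>

enum class ObjKind { Elf, Bitcode, Unknown };

// Classify an object from its leading bytes.
ObjKind classify_object(const std::vector<uint8_t> &head) {
    if (head.size() < 4) return ObjKind::Unknown;
    if (head[0] == 0x7f && head[1] == 'E' && head[2] == 'L' && head[3] == 'F')
        return ObjKind::Elf;                        // "\x7fELF"
    if (head[0] == 'B' && head[1] == 'C' && head[2] == 0xC0 && head[3] == 0xDE)
        return ObjKind::Bitcode;                    // raw bitcode "BC\xC0\xDE"
    if (head[0] == 0xDE && head[1] == 0xC0 && head[2] == 0x17 && head[3] == 0x0B)
        return ObjKind::Bitcode;                    // wrapper header 0x0B17C0DE, little-endian
    return ObjKind::Unknown;
}

// Same check on a file on disk; only the first four bytes are read.
ObjKind classify_object_file(const std::string &path) {
    std::ifstream in(path, std::ios::binary);
    if (!in) return ObjKind::Unknown;
    std::vector<uint8_t> head(4, 0);
    in.read(reinterpret_cast<char *>(head.data()), 4);
    head.resize(static_cast<std::size_t>(in.gcount()));
    return classify_object(head);
}

// Given (name, leading bytes) pairs for the objects on a link line, return the
// names that a non-LTO linker (plain ld/bfd without the LLVM plugin) rejects.
typedef std::pair<std::string, std::vector<uint8_t>> NamedObject;
std::vector<std::string> bitcode_objects(const std::vector<NamedObject> &objs) {
    std::vector<std::string> out;
    for (const NamedObject &o : objs)
        if (classify_object(o.second) == ObjKind::Bitcode) out.push_back(o.first);
    return out;
}

// Constructed sample headers (not real build artefacts).
const std::vector<uint8_t> kElfHead     = {0x7f, 'E', 'L', 'F', 0x02, 0x01, 0x01};
const std::vector<uint8_t> kBitcodeHead = {'B', 'C', 0xC0, 0xDE, 0x35, 0x14};
const std::vector<uint8_t> kWrapperHead = {0xDE, 0xC0, 0x17, 0x0B, 0, 0, 0, 0};
const std::vector<uint8_t> kTextHead    = {'n', 'o', 't', ' ', 'a', 'n'};

// Stand-alone use: pass object paths on the command line; exits non-zero if
// any of them is bitcode, naming the offenders.
int main(int argc, char **argv) {
    int bad = 0;
    for (int i = 1; i < argc; ++i) {
        if (classify_object_file(argv[i]) == ObjKind::Bitcode) {
            std::printf("%s: LLVM bitcode; needs an LTO-aware link (e.g. -flto -fuse-ld=gold)\n",
                        argv[i]);
            bad = 1;
        }
    }
    return bad;
}
```

Run it over the objects named on a failing link line (here lua.o, or libav's configure test object) before re-running make: a bitcode verdict means the link flags, not the compile flags, are what still need the LTO and gold options, which matches the symptom in both issues.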
  • If the target test program requires two or more input files

    If the target test program requires two or more input files

    If the target test program requires two or more input files, such as ./target file1 file2, how should the fuzz procedure be constructed? Does the fuzz source code need to be modified, or does AFL/AFLGo support fuzz testing for such a target? If yes, is the obtained crash also a combination of two or more files?

    opened by qwwq251 0
  • Python scripts for fuzzing

    Python scripts for fuzzing

    Hi there,

    Erik Imgrund, a friend of mine, recently wrote a Python program to simplify the usage of AFLGo. It's an alternative to bash scripts that - at least in our opinion - are very powerful but sometimes quite frightening and not easy to understand/adapt/play around with.

    Pros and Cons

    I'd like to adapt the Python program and incorporate it into AFLGo (this is cleared with Erik Imgrund), as I feel other users would benefit from it. Python has a nice syntax, is easy to learn and is widespread. It's heavily used in the field of machine learning, which would simplify the process of using AFLGo. The con is that we would have duplicate scripts, so there are two places to adapt if the API changes some day. Yet that's also the case right now with the sample shell scripts.

    I'd like to open a pull request to AFLGo if the general idea described here is welcome. If so, it'd be great to know where a good place would be to place the scripts.

    All the best, Dominic

    enhancement 
    opened by Splines 2
Releases(LLVM-4.0)
Owner
Maintained by @mboehme, @thuanpv, and @strongcourage