AFLNet: A Greybox Fuzzer for Network Protocols


AFLNet is a greybox fuzzer for protocol implementations. Unlike existing protocol fuzzers, it takes a mutational approach and uses state-feedback, in addition to code-coverage feedback, to guide the fuzzing process. AFLNet is seeded with a corpus of recorded message exchanges between the server and an actual client. No protocol specification or message grammars are required. It acts as a client and replays variations of the original sequence of messages sent to the server and retains those variations that were effective at increasing the coverage of the code or state space. To identify the server states that are exercised by a message sequence, AFLNet uses the server’s response codes. From this feedback, AFLNet identifies progressive regions in the state space, and systematically steers towards such regions.

Licences

AFLNet is licensed under Apache License, Version 2.0.

AFLNet is an extension of American Fuzzy Lop written and maintained by Michał Zalewski <[email protected]>. For details on American Fuzzy Lop, we refer to README-AFL.md.

Citing AFLNet

AFLNet has been accepted for publication as a Testing Tool paper at the IEEE International Conference on Software Testing, Verification and Validation (ICST) 2020.

@inproceedings{AFLNet,
  author    = {Van{-}Thuan Pham and Marcel B{\"o}hme and Abhik Roychoudhury},
  title     = {AFLNet: A Greybox Fuzzer for Network Protocols},
  booktitle = {Proceedings of the 13th IEEE International Conference on Software Testing, Verification and Validation: Testing Tools Track},
  year      = {2020},
}

Installation (Tested on Ubuntu 18.04 & 16.04 64-bit)

Prerequisites

# Install clang (as required by AFL/AFLNet to enable llvm_mode)
sudo apt-get install clang
# Install graphviz development
sudo apt-get install graphviz-dev

AFLNet

Download AFLNet and compile it. We have tested AFLNet on Ubuntu 18.04 and Ubuntu 16.04 64-bit; it should also work on any environment that supports vanilla AFL and graphviz.

# First, clone this AFLNet repository to a folder named aflnet
git clone <links to the repository> aflnet
# Then move to the source code folder
cd aflnet
make clean all
cd llvm_mode
# The following make command may not work if llvm-config cannot be found
# To fix this issue, just set the LLVM_CONFIG env. variable to the specific llvm-config version on your machine
# On Ubuntu 18.04, it could be llvm-config-6.0 if you have installed clang using apt-get
make
# Move to AFLNet's parent folder
cd ../..
export AFLNET=$(pwd)/aflnet
export WORKDIR=$(pwd)

Setup PATH environment variables

export PATH=$AFLNET:$PATH
export AFL_PATH=$AFLNET

Usage

AFLNet adds the following options to AFL. Run afl-fuzz --help to see all options. Please also see the FAQs section for common questions about these AFLNet options.

  • -N netinfo: server information (e.g., tcp://127.0.0.1/8554)

  • -P protocol: application protocol to be tested (e.g., RTSP, FTP, DTLS12, DNS, DICOM, SMTP, SSH, TLS, DAAP-HTTP, SIP)

  • -D usec: (optional) waiting time (in microseconds) for the server to complete its initialization

  • -K : (optional) send SIGTERM signal to gracefully terminate the server after consuming all request messages

  • -E : (optional) enable state aware mode

  • -R : (optional) enable region-level mutation operators

  • -F : (optional) enable false negative reduction mode

  • -c script : (optional) name or full path to a script for server cleanup

  • -q algo: (optional) state selection algorithm (e.g., 1. RANDOM_SELECTION, 2. ROUND_ROBIN, 3. FAVOR)

  • -s algo: (optional) seed selection algorithm (e.g., 1. RANDOM_SELECTION, 2. ROUND_ROBIN, 3. FAVOR)

Example command:

afl-fuzz -d -i in -o out -N <server info> -x <dictionary file> -P <protocol> -D 10000 -q 3 -s 3 -E -K -R <executable binary and its arguments (e.g., port number)>

Tutorial - Fuzzing Live555 media streaming server

Live555 Streaming Media is a C++ library for multimedia streaming. The library supports open protocols such as RTP/RTCP and RTSP for streaming. It is used internally by widely-used media players such as VLC and MPlayer and some security cameras & network video recorders (e.g., DLink D-View Cameras, Senstar Symphony, WISENET Video Recorder). In this example, we show how AFLNet can be used to fuzz Live555 and discover bugs in its RTSP server reference implementation (testOnDemandRTSPServer). Similar steps would be followed to fuzz servers implementing other protocols (e.g., FTP, SMTP, SSH).

If you want to run some experiments quickly, please take a look at ProFuzzBench. ProFuzzBench includes a suite of representative open-source network servers for popular protocols (e.g., TLS, SSH, SMTP, FTP, SIP), and tools to automate experimentation.

Step-0. Server and client compilation & setup

The newest source code of Live555 can be downloaded as a tarball at the Live555 public page. There is also a mirror of the library on GitHub. In this example, we choose to fuzz an old version of Live555 which was committed to the repository on August 28th, 2018. While fuzzing this specific version of Live555, AFLNet exposed four vulnerabilities in Live555, two of which were zero-day. To compile and set up Live555, please use the following commands.

cd $WORKDIR
# Clone live555 repository
git clone https://github.com/rgaufman/live555.git
# Move to the folder
cd live555
# Checkout the buggy version of Live555
git checkout ceeb4f4
# Apply a patch. See the detailed explanation for the patch below
patch -p1 < $AFLNET/tutorials/live555/ceeb4f4.patch
# Generate Makefile
./genMakefiles linux
# Compile the source
make clean all

As you can see from the commands, we apply a patch to make the server effectively fuzzable. In addition to the changes that generate a Makefile using afl-clang-fast++ for coverage-feedback instrumentation, we make a small change to disable random session ID generation in Live555. The unmodified version of Live555 generates a session ID for each connection, and that session ID must be included in subsequent requests sent by the connected client. Otherwise the requests are quickly rejected by the server, which leads to nondeterministic paths while fuzzing: the same message sequence could exercise different server paths because the session ID changes. We handle this specific issue by modifying Live555 so that it always generates the same session ID.

Once Live555 source code has been successfully compiled, we should see the server under test (testOnDemandRTSPServer) and the sample RTSP client (testRTSPClient) placed inside the testProgs folder. We can test the server by running the following commands.

# Move to the folder keeping the RTSP server and client
cd $WORKDIR/live555/testProgs
# Copy sample media source files to the server folder
cp $AFLNET/tutorials/live555/sample_media_sources/*.* ./
# Run the RTSP server on port 8554
./testOnDemandRTSPServer 8554
# Run the sample client on another screen/terminal
./testRTSPClient rtsp://127.0.0.1:8554/wavAudioTest

We should see the outputs from the sample client showing that it successfully connects to the server, sends requests and receives responses including streaming data from the server.

Step-1. Prepare message sequences as seed inputs

AFLNet takes message sequences as seed inputs so we first capture some sample usage scenarios between the sample client (testRTSPClient) and the server under test (SUT). The following steps show how we prepare a seed input for AFLNet based on a usage scenario in which the server streams an audio file in WAV format to the client upon requests. The same steps can be followed to prepare other seed inputs for other media source files (e.g., WebM, MP3).

We first start the server under test:

cd $WORKDIR/live555/testProgs
./testOnDemandRTSPServer 8554

After that, we use the tcpdump packet analyzer to capture all traffic through the port opened by the server, which is 8554 in this case. Note that you may need to change the network interface to one that works for your setup using the -i option.

sudo tcpdump -w rtsp.pcap -i lo port 8554

Once both the server and tcpdump have been started, we run the sample client:

cd $WORKDIR/live555/testProgs
./testRTSPClient rtsp://127.0.0.1:8554/wavAudioTest

When the client completes its execution, we stop tcpdump. All the requests and responses in the communication between the client and the server should be stored in the specified rtsp.pcap file. Now we use Wireshark network analyzer to extract only the requests and use the request sequence as a seed input for AFLNet. Please install Wireshark if you haven't done so.

We first open the PCAP file with Wireshark.

wireshark rtsp.pcap

This is a screenshot of Wireshark. It shows packets (requests and responses) in multiple rows, one row for one packet.

Analyzing the pcap file with Wireshark

To extract the request sequence, we first do a right-click and choose Follow->TCP Stream.

Follow TCP Stream

Wireshark will then display all requests and responses in plain text.

View requests and responses in plain text

As we are only interested in the requests, we choose the traffic incoming to the port opened by the SUT by selecting an option from the bottom-left drop-down list. We choose 127.0.0.1:57998->127.0.0.1:8554 in this example, which asks Wireshark to display all request messages sent to port 8554.

View requests in plain text

Finally, we switch the data mode so that we can see the request sequence in raw (i.e., binary) mode. Click "Save as" and save it to a file, say rtsp_requests_wav.raw.

View and save requests in raw binary

The newly saved file rtsp_requests_wav.raw can be fed to AFLNet as a seed input. You can follow the above steps to create other seed inputs for AFLNet, say rtsp_requests_mp3.raw and so on. We have prepared a ready-to-use seed corpus in the tutorials/live555/in-rtsp folder.
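The Wireshark steps above can also be scripted. The program below is an added example, not part of AFLNet or of the Live555 tutorial: it walks a classic pcap file as tcpdump writes it on the loopback interface (Ethernet/IPv4/TCP) and concatenates every TCP payload addressed to the server port into one seed, which for a clean single-connection capture is the same byte stream the manual "Save as raw" step produces. The capture it parses is constructed in memory; pcap_to_seed, append_record and demo_seed are my names, and the client port 57998 is the one from the Wireshark step above.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not part of AFLNet: walk a classic little-endian
 * pcap file (Ethernet/IPv4/TCP, as tcpdump writes on "lo") and append
 * every TCP payload addressed to server_port, in capture order, to out.
 * For a simple single-connection capture that is the byte stream the
 * "Follow TCP Stream" -> client direction -> "Save as raw" steps produce.
 * Returns the seed length, or -1 on a malformed or truncated file. */
#define PCAP_MAGIC_LE     0xa1b2c3d4u
#define LINKTYPE_ETHERNET 1u

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16be(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr32le(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24;
}

int pcap_to_seed(const uint8_t *pcap, size_t pcap_len, uint16_t server_port,
                 uint8_t *out, size_t out_cap)
{
    /* Global header (24 bytes): magic, version, tz, sigfigs, snaplen, linktype. */
    if (pcap_len < 24 || rd32le(pcap) != PCAP_MAGIC_LE || rd32le(pcap + 20) != LINKTYPE_ETHERNET)
        return -1;
    size_t off = 24, written = 0;
    while (off + 16 <= pcap_len) {
        uint32_t incl = rd32le(pcap + off + 8);           /* bytes saved in the file */
        const uint8_t *frame = pcap + off + 16;
        off += 16 + incl;
        if (off > pcap_len) return -1;                    /* truncated record */
        if (incl < 14 + 20 + 20 || rd16be(frame + 12) != 0x0800) continue;  /* not IPv4 */
        const uint8_t *ip = frame + 14;
        size_t ihl = (size_t)(ip[0] & 0x0f) * 4, ip_total = rd16be(ip + 2);
        if (ihl < 20 || ip[9] != 6 || 14 + ip_total > incl) continue;       /* not TCP / clipped */
        const uint8_t *tcp = ip + ihl;
        size_t doff = (size_t)(tcp[12] >> 4) * 4;
        if (doff < 20 || ihl + doff > ip_total) continue;
        if (rd16be(tcp + 2) != server_port) continue;    /* keep client -> server only */
        size_t plen = ip_total - ihl - doff;
        if (plen == 0) continue;                           /* handshake, pure ACKs */
        if (written + plen > out_cap) return -1;
        memcpy(out + written, tcp + doff, plen);
        written += plen;
    }
    return (int)written;
}

/* Constructed test data: one pcap record with a TCP segment
 * 127.0.0.1:sport -> 127.0.0.1:dport carrying payload (checksums left zero). */
static size_t append_record(uint8_t *buf, uint16_t sport, uint16_t dport, const char *payload)
{
    size_t plen = strlen(payload), ip_len = 20 + 20 + plen;
    uint32_t incl = (uint32_t)(14 + ip_len);
    uint8_t *p = buf;
    wr32le(p, 0); wr32le(p + 4, 0); wr32le(p + 8, incl); wr32le(p + 12, incl); p += 16;
    memset(p, 0, 14); p[12] = 0x08; p[13] = 0x00; p += 14;        /* EtherType IPv4 */
    memset(p, 0, 20); p[0] = 0x45; p[2] = (uint8_t)(ip_len >> 8); p[3] = (uint8_t)ip_len;
    p[8] = 64; p[9] = 6; p[12] = 127; p[15] = 1; p[16] = 127; p[19] = 1; p += 20;
    memset(p, 0, 20); p[0] = (uint8_t)(sport >> 8); p[1] = (uint8_t)sport;
    p[2] = (uint8_t)(dport >> 8); p[3] = (uint8_t)dport; p[12] = 0x50; p[13] = 0x18; p += 20;
    memcpy(p, payload, plen);
    return 16 + incl;
}

static uint8_t g_pcap[1024], g_seed[512]; static size_t g_pcap_len;

/* Build a constructed capture of one RTSP exchange (two requests, two
 * responses, client port 57998) and extract the seed.  Returns its length. */
int demo_seed(void)
{
    memset(g_pcap, 0, 24);
    wr32le(g_pcap, PCAP_MAGIC_LE); g_pcap[4] = 2; g_pcap[6] = 4;        /* version 2.4 */
    wr32le(g_pcap + 16, 65535); wr32le(g_pcap + 20, LINKTYPE_ETHERNET);
    size_t n = 24;
    n += append_record(g_pcap + n, 57998, 8554,
                       "OPTIONS rtsp://127.0.0.1:8554/wavAudioTest RTSP/1.0\r\nCSeq: 2\r\n\r\n");
    n += append_record(g_pcap + n, 8554, 57998,
                       "RTSP/1.0 200 OK\r\nCSeq: 2\r\nPublic: OPTIONS, DESCRIBE, SETUP, PLAY\r\n\r\n");
    n += append_record(g_pcap + n, 57998, 8554,
                       "DESCRIBE rtsp://127.0.0.1:8554/wavAudioTest RTSP/1.0\r\nCSeq: 3\r\nAccept: application/sdp\r\n\r\n");
    n += append_record(g_pcap + n, 8554, 57998, "RTSP/1.0 200 OK\r\nCSeq: 3\r\nContent-Length: 0\r\n\r\n");
    g_pcap_len = n;
    return pcap_to_seed(g_pcap, g_pcap_len, 8554, g_seed, sizeof g_seed);
}

int main(void)
{
    int n = demo_seed();
    if (n < 0) { fputs("malformed capture\n", stderr); return 1; }
    printf("%d seed bytes:\n", n);
    fwrite(g_seed, 1, (size_t)n, stdout);   /* what goes into rtsp_requests_wav.raw */
    return 0;
}
```

Retransmitted or out-of-order segments are not reassembled, so for anything beyond a clean loopback capture compare the output with Wireshark's stream view before using it as a seed.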

Step-2. Make modifications to the server code (optional)

Fuzzing network servers is challenging, and in several cases we may need to slightly modify the server under test to make it (effectively and efficiently) fuzzable. For example, this blog post shows several modifications to the OpenSSH server that improve fuzzing performance, such as disabling encryption and disabling the MAC. In this tutorial, the RTSP server uses the same response code 200 for all successful client requests, no matter what the actual server state is. So to make fuzzing more effective, we can apply this simple patch that decomposes the big state 200 into smaller states. It makes the inferred state machine more fine-grained and hence gives AFLNet more information to guide the state space exploration.

Step-3. Fuzzing

cd $WORKDIR/live555/testProgs
afl-fuzz -d -i $AFLNET/tutorials/live555/in-rtsp -o out-live555 -N tcp://127.0.0.1/8554 -x $AFLNET/tutorials/live555/rtsp.dict -P RTSP -D 10000 -q 3 -s 3 -E -K -R ./testOnDemandRTSPServer 8554

Once AFLNet discovers a bug (e.g., a crash or a hang), a test case containing the message sequence that triggers the bug is stored in the replayable-crashes or replayable-hangs folder. During fuzzing, AFLNet's State Machine Learning component keeps inferring the implemented state machine of the SUT and updates a .dot file (ipsm.dot) accordingly, so the user can view that file (with a .dot viewer such as xdot) to monitor AFLNet's current progress in protocol inference. Please read the AFLNet paper for more information.

Step-4. Reproducing the crashes found

AFLNet has a utility (aflnet-replay) which can replay message sequences stored in crash- and hang-triggering files (in the replayable-crashes and replayable-hangs folders). Each file is structured in such a way that aflnet-replay can extract messages based on their size. aflnet-replay takes three parameters: 1) the path to the test case generated by AFLNet, 2) the network protocol under test, and 3) the server port number. The following commands reproduce a PoC for CVE-2019-7314.

cd $WORKDIR/live555/testProgs
# Start the server
./testOnDemandRTSPServer 8554
# Run aflnet-replay
aflnet-replay $AFLNET/tutorials/live555/CVE_2019_7314.poc RTSP 8554

To get more information about the discovered bug (e.g., crash call stack), you can run the buggy server with GDB or you can apply the Address Sanitizer-Enabled patch ($AFLNET/tutorials/live555/ceeb4f4_ASAN.patch) and recompile the server before running it.

FAQs

1. How do I extend AFLNet?

AFLNet has a modular design that makes it easy to be extended.

1.1. How do I add support for another protocol?

If you want to support another protocol, all you need is to follow the steps below.

Step-1. Implement 2 functions to parse the request and response sequences

You can use the available extract_requests_* and extract_response_codes_* functions as references. The new functions should be declared in aflnet.h and implemented in aflnet.c, and they must keep the same function parameters as the existing ones.

Step-2. Update main function to support a new protocol

Please update the code that handles the -P option in the main function to support a new protocol.
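To make the two steps concrete, here is an added example, not AFLNet's own code, of what such a pair of functions computes for an RTSP-like text protocol: the seed is split into one region per request at the empty line that ends each header block, and each status line in the server's replies contributes one state code. extract_requests_rtsplike, extract_response_codes_rtsplike and the reduced region_t are my names and assumptions; check the real signatures in aflnet.h before adapting it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not AFLNet's code.  region_t here keeps only the byte
 * range of one request (the real struct in aflnet.h carries more fields), and
 * the two signatures follow the shape the FAQ asks for as I read it: the
 * buffer, its size, and an out-parameter for the number of elements found. */
typedef struct {
    int start_byte;   /* offset of the request's first byte in the seed */
    int end_byte;     /* offset of its last byte, inclusive */
} region_t;

static void *xrealloc(void *p, size_t n)
{
    p = realloc(p, n);
    if (!p) { perror("realloc"); exit(1); }
    return p;
}

/* Split a seed of concatenated requests into regions.  A request ends with the
 * empty line "\r\n\r\n"; bytes after the last terminator form an incomplete
 * request and are kept as a final region so they are not silently dropped.
 * Caller frees the result. */
region_t *extract_requests_rtsplike(const unsigned char *buf, unsigned int buf_size,
                                    unsigned int *region_count_ref)
{
    region_t *regions = NULL;
    unsigned int count = 0, start = 0, i = 0;

    while (i + 4 <= buf_size) {
        if (memcmp(buf + i, "\r\n\r\n", 4) != 0) { i++; continue; }
        regions = xrealloc(regions, (count + 1) * sizeof *regions);
        regions[count].start_byte = (int)start;
        regions[count].end_byte = (int)(i + 3);
        count++;
        i += 4;
        start = i;
    }
    if (start < buf_size) {                       /* trailing partial request */
        regions = xrealloc(regions, (count + 1) * sizeof *regions);
        regions[count].start_byte = (int)start;
        regions[count].end_byte = (int)buf_size - 1;
        count++;
    }
    *region_count_ref = count;
    return regions;
}

/* Turn the concatenated server responses into a state sequence.  Element 0 is
 * the initial state 0 (before any response); every "RTSP/1.0 NNN" status line
 * found afterwards appends NNN.  A status line whose code is not three digits
 * is skipped rather than turned into a bogus state.  Caller frees the result. */
unsigned int *extract_response_codes_rtsplike(const unsigned char *buf, unsigned int buf_size,
                                              unsigned int *state_count_ref)
{
    unsigned int *states = xrealloc(NULL, sizeof *states);
    unsigned int count = 1;
    states[0] = 0;

    for (unsigned int i = 0; i + 12 <= buf_size; i++) {  /* 9-byte prefix + 3 digits */
        if (memcmp(buf + i, "RTSP/1.0 ", 9) != 0) continue;
        unsigned int code = 0;
        int digits_ok = 1;
        for (int d = 0; d < 3 && digits_ok; d++) {
            unsigned char c = buf[i + 9 + d];
            if (c < '0' || c > '9') digits_ok = 0;
            else code = code * 10 + (c - '0');
        }
        if (!digits_ok) continue;
        states = xrealloc(states, (count + 1) * sizeof *states);
        states[count++] = code;
        i += 11;                                      /* resume after the code */
    }
    *state_count_ref = count;
    return states;
}

int main(void)
{
    /* Constructed sample: two complete requests plus a cut-off third one, and
     * the two responses the server returned for the first two. */
    const char *seed = "OPTIONS rtsp://127.0.0.1:8554/wavAudioTest RTSP/1.0\r\nCSeq: 2\r\n\r\n"
                       "DESCRIBE rtsp://127.0.0.1:8554/wavAudioTest RTSP/1.0\r\nCSeq: 3\r\n\r\n"
                       "SETUP rtsp://127.0.0.1:8554/wavAudioTest/track1 RTSP/1.0\r\nCSeq: 4";
    const char *resp = "RTSP/1.0 200 OK\r\nCSeq: 2\r\n\r\nRTSP/1.0 404 Stream Not Found\r\nCSeq: 3\r\n\r\n";
    unsigned int nreg, nstate;
    region_t *r = extract_requests_rtsplike((const unsigned char *)seed, (unsigned int)strlen(seed), &nreg);
    unsigned int *s = extract_response_codes_rtsplike((const unsigned char *)resp, (unsigned int)strlen(resp), &nstate);
    for (unsigned int k = 0; k < nreg; k++)
        printf("region %u: bytes %d..%d\n", k, r[k].start_byte, r[k].end_byte);
    for (unsigned int k = 0; k < nstate; k++)
        printf("state[%u] = %u\n", k, s[k]);
    free(r);
    free(s);
    return 0;
}
```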

1.2. How do I implement another search strategy?

It is quite straightforward. You just need to update the two functions choose_target_state and choose_seed. The function update_scores_and_select_next_state may need an extension too.

2. What happens if I don't enable the state-aware mode by adding -E option?

Without -E, AFLNet still keeps track of the request boundaries, so it can still follow the protocol's sequence diagram (sending a request, waiting for a response, and so on), which plain network-enabled AFL does not support. However, in this setup AFLNet ignores the responses and does not construct the state machine from the response codes. As a result, it cannot use the state machine to guide the exploration.

3. When do I need the -c option and what should I write in the cleanup script?

You may need to provide this option to keep network fuzzing more deterministic. For example, when you fuzz an FTP server you need to clear all the files/folders created in the previous fuzzing iteration in the shared folder; if you do not, the server will not be able to create a file that already exists. This means the FTP server behaves differently when it receives the same sequence of requests from the client, which is AFLNet in this fuzzing setup. So basically the script should include commands that clean up the environment affecting the server's behavior and give the server a clean environment to start from.

4. What is false-negative reduction mode and when should I enable it using -F?

Unlike stateless programs (e.g., image processing libraries like LibPNG), several stateful servers (e.g., the RTSP server in the above tutorial) do not terminate themselves after consuming all requests from the client, which is AFLNet in this fuzzing setup. So AFLNet needs to gracefully terminate the server by sending the SIGTERM signal (when -K is specified). Otherwise, AFLNet will detect normal server executions as hangs. However, the issue is that if AFLNet sends SIGTERM signal too early, say right after all request messages have been sent to the server, the server may be forced to terminate when it is still doing some tasks which may lead to server crashes (i.e., false negatives -- the server crashes are missed). The false-negative reduction mode is designed to handle such situations. However, it could slow down the fuzzing process leading to slower execution speed.

Comments
  • how to support SNMP?

    Hi, when I tried to do something to support SNMP, some issues occurred: 1. I didn't know how to extract the status code from the response. 2. Whether it needs to associate the response and the request.

    opened by minifish120 13
  • Some questions about the “region_t* extract_requests_*” function

    Hello, I am a beginner in fuzzing and am very interested in your research. Yesterday, I read about the extract_requests_tls function. One thing is not very clear: 1. In the function extract_requests_tls (line 242), you define a variable "bytes_to_skip". I don't quite understand what this variable does? Why skip the payload? 2. Regarding the variables you define in each function of extract_requests_*: byte_count, mem_count, region_count, what do these three variables mean when reading the source code? I am really interested in your research and hope to get your answers, thank you very much!

    opened by zan1126 9
  • Possibility of adding support of HTTP protocol

    Hello, I recently became quite engaged in fuzzing and I luckily stumbled onto your project. I've already learned quite a lot from your work :) I was wondering if you could share your thoughts on the possibility (and practicality) of adapting aflnet to work with the http protocol (by means of adding extract_* functions). My end goal is to fuzz cups (or rather cupsd) which communicates, if I understand correctly, through http (and ipp, obviously). I rather hoped that you might comment whether there are any obvious significant challenges to this idea (that I myself missed due to lack of experience with the aflnet tool).

    Thanks a lot!

    opened by fellair 6
  • Support Protocol Q/A

    Hi.

    Does the AFLNET tool support protocols operating in the Data Link Layer and Physical Layer?

    Example : CAN Protocol

    It seems that only protocols that support the "TCP/IP" transport layer exist.

    Thank you.

    opened by shtry 6
  • Add DICOM protocol

    Hello

    I've added DICOM support for fuzzing. extract_requests_dicom is based on PDU length and extract_response_codes_dicom returns response PDU type as response code. Also, I wrote the tutorial for fuzzing the DICOM server from dcmtk.

    I'm not sure about return 1; in the save_if_interesting function. If it is wrong I will roll back the changes.

    opened by mshsmlv 6
  • Segmentation fault in the default lightftp tutorial

    Hello, I'm trying to run the lightftp tutorial through the Dockerfile provided and I get a segmentation fault.

    ubuntu@f0588163c0a6:~/LightFTP/Source/Release$ $AFLNET/afl-fuzz -d -i $AFLNET/tutorials/lightftp/in-ftp/ -o out-lightftp -N tcp://127.0.0.1/2200 -x $AFLNET/tutorials/lightftp/ftp.dict -P FTP -D 10000 -q 3 -s 3 -E -R -c ./ftpclean.sh ./fftp ./fftp-tasos.conf 2200
    afl-fuzz 2.56b by <[email protected]>
    [+] You have 4 CPU cores and 3 runnable tasks (utilization: 75%).
    [+] Try parallel jobs - see docs/parallel_fuzzing.txt.
    [*] Checking CPU core loadout...
    [+] Found a free CPU core, binding to #0.
    [*] Checking core_pattern...
    [*] Setting up output directories...
    [*] Scanning '/home/ubuntu/aflnet/tutorials/lightftp/in-ftp/'...
    [+] No auto-generated dictionary tokens to reuse.
    [*] Creating hard links for all input files...
    [*] Loading extra dictionary from '/home/ubuntu/aflnet/tutorials/lightftp/ftp.dict' (level 0)...
    [+] Loaded 32 extra tokens, size range 3 B to 4 B.
    [*] Validating target binary...
    [*] Attempting dry run with 'id:000000,orig:ftp_requests_full_anonymous.raw'...
    [*] Spinning up the fork server...
    [+] All right - fork server is up.
    rm: cannot remove '/home/ubuntu/fftplog': No such file or directory
    rm: cannot remove '/home/ubuntu/fftplog': No such file or directory
    rm: cannot remove '/home/ubuntu/fftplog': No such file or directory
    rm: cannot remove '/home/ubuntu/fftplog': No such file or directory
    rm: cannot remove '/home/ubuntu/fftplog': No such file or directory
    rm: cannot remove '/home/ubuntu/fftplog': No such file or directory
    rm: cannot remove '/home/ubuntu/fftplog': No such file or directory
    rm: cannot remove '/home/ubuntu/fftplog': No such file or directory
        len = 76, map size = 15, exec speed = 1384268 us
    [*] Attempting dry run with 'id:000001,orig:ftp_requests_full_normal.raw'...
    rm: cannot remove '/home/ubuntu/fftplog': No such file or directory
    rm: cannot remove '/home/ubuntu/fftplog': No such file or directory
    rm: cannot remove '/home/ubuntu/fftplog': No such file or directory
    rm: cannot remove '/home/ubuntu/fftplog': No such file or directory
    rm: cannot remove '/home/ubuntu/fftplog': No such file or directory
    rm: cannot remove '/home/ubuntu/fftplog': No such file or directory
    rm: cannot remove '/home/ubuntu/fftplog': No such file or directory
    rm: cannot remove '/home/ubuntu/fftplog': No such file or directory
        len = 83, map size = 15, exec speed = 1383848 us
    [!] WARNING: No new instrumentation output, test case may be useless.
    [+] All test cases processed.
    
    [!] WARNING: The target binary is pretty slow! See docs/perf_tips.txt.
    [!] WARNING: Some test cases look useless. Consider using a smaller set.
    [+] Here are some useful stats:
    
        Test case count : 1 favored, 0 variable, 2 total
           Bitmap range : 15 to 15 bits (average: 15.00 bits)
            Exec timing : 1.38M to 1.38M us (average: 1.38M us)
    
    [*] No -t option specified, so I'll use exec timeout of 1000 ms.
    [+] All set and ready to roll!
    Segmentation fault
    
    opened by andronat 5
  • Segmentation fault when trying to fuzz uftpd.

    When trying to fuzz uftpd AFLNet segfaults. I compiled uftpd like this:

    cd /home/vagrant/uftpd && sudo ./autogen.sh && sudo ./configure --prefix=/usr && sudo make CFLAGS="-g -fsanitize=address" LDFLAGS="-fsanitize=address" CC="/home/vagrant/aflnet/afl-gcc" && sudo make install

    and then executed

    aflnet/afl-fuzz -i in -o out -N 127.0.0.1/9999 -P FTP -m none -- uftpd -o ftp=9999 -n

    as root. AFLNet reports

    afl-fuzz 2.56b by <[email protected]>
    [+] You have 1 CPU core and 1 runnable tasks (utilization: 100%).
    [*] Checking core_pattern...
    [*] Setting up output directories...
    [+] Output directory exists but deemed OK to reuse.
    [*] Deleting old session data...
    [+] Output dir cleanup successful.
    [*] Scanning 'in'...
    [+] No auto-generated dictionary tokens to reuse.
    [*] Creating hard links for all input files...
    [*] Validating target binary...
    [*] Attempting dry run with 'id:000000,orig:in'...
    [*] Spinning up the fork server...
    [+] All right - fork server is up.
    Segmentation fault

    and journalctl | tail gives

    Jul 14 13:27:59 vagrant kernel: afl-fuzz[24556]: segfault at 0 ip 00007ffff736ea1d sp 00007fffffffdf40 error 4 in libc-2.27.so[7ffff722c000+1e7000]

    opened by ConstantinBN 5
  • Unable to build QEMU

    I ran the ./build_qemu_support.sh script with the dependencies installed but it was unable to complete:

    andrew ~/aflnet/qemu_mode (master) $ ./build_qemu_support.sh 
    =================================================
    AFL binary-only instrumentation QEMU build script
    =================================================
    
    [*] Performing basic sanity checks...
    [+] All checks passed!
    [*] Downloading QEMU 2.10.0 from the web...
    
    [... long wget output ...]
    
    2020-05-01 16:41:54 (3.39 MB/s) - ‘qemu-2.10.0.tar.xz’ saved [25040324/25040324]
    
    [+] Cryptographic signature on qemu-2.10.0.tar.xz checks out.
    [*] Uncompressing archive (this will take a while)...
    [+] Unpacking successful.
    [*] Configuring QEMU for ...
    [*] Applying patches...
    patching file linux-user/elfload.c
    patching file accel/tcg/cpu-exec.c
    patching file linux-user/syscall.c
    patching file configure
    patching file util/memfd.c
    [+] Patching done.
    
    ERROR: "cc" either does not exist or does not work
    
    opened by amlamarra 5
  • there is something wrong when fuzzing, perhaps a bug exists in your code?

    when it works about 12h, it will abort unexpectedly, as follows:

    process timing                                     overall results
      run time        : 0 days, 12 hrs, 50 min, 11 sec   cycles done  : 97
      last new path   : 0 days, 0 hrs, 10 min, 0 sec     total paths  : 270
      last uniq crash : 0 days, 1 hrs, 52 min, 5 sec     uniq crashes : 36
      last uniq hang  : none seen yet                    uniq hangs   : 0
    cycle progress                                     map coverage
      now processing  : 265 (98.15%)                     map density    : 1.02% / 1.30%
      paths timed out : 0 (0.00%)                        count coverage : 4.73 bits/tuple
    stage progress                                     findings in depth
      now trying      : havoc                            favored paths  : 21 (7.78%)
      stage execs     : 61/409 (14.91%)                  new edges on   : 48 (17.78%)
      total execs     : 117k                             total crashes  : 1436 (36 unique)
      exec speed      : 2.25/sec (zzzz...)               total tmouts   : 35.7k (61 unique)
    fuzzing strategy yields                            path geometry
      bit flips       : n/a, n/a, n/a                    levels    : 11
      byte flips      : n/a, n/a, n/a                    pending   : 142
      arithmetics     : n/a, n/a, n/a                    pend fav  : 0
      known ints      : n/a, n/a, n/a                    own finds : 266
      dictionary      : n/a, n/a, n/a                    imported  : n/a
      havoc           : 171/40.3k, 131/71.1k             stability : 100.00%
      trim            : n/a, n/a
    [cpu000: 53%]

    [-] PROGRAM ABORT : Bad alloc request: 1073741828 bytes
        Stop location : DFL_ck_realloc(), alloc-inl.h:197

    Aborted

    opened by minifish120 5
  • does not build with ubuntu 22.04 / llvm-config-14

    Hi,

    trying to build on Ubuntu 22.04 with:

    FROM ubuntu:22.04
    
    RUN apt-get update && apt-get install -y build-essential git clang graphviz-dev
    
    ENV LLVM_CONFIG=llvm-config-14
    
    RUN git clone https://github.com/aflnet/aflnet && \
        cd aflnet && \
        make clean all && \
        cd llvm_mode && make
    

    I get the following error:

    clang++ `llvm-config-14 --cxxflags` -Wl,-znodelete -fno-rtti -fpic -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DVERSION=\"2.56b\" -Wno-variadic-macros -shared afl-llvm-pass.so.cc -o ../afl-llvm-pass.so `llvm-config-14 --ldflags`
    afl-llvm-pass.so.cc:52:30: error: expected class name
      class AFLCoverage : public ModulePass {
                                 ^
    afl-llvm-pass.so.cc:59:35: error: only virtual member functions can be marked 'override'
          bool runOnModule(Module &M) override;
                                      ^~~~~~~~
    afl-llvm-pass.so.cc:57:23: error: member initializer 'ModulePass' does not name a non-static data member or base class
          AFLCoverage() : ModulePass(ID) { }
                          ^~~~~~~~~~~~~~
    afl-llvm-pass.so.cc:134:31: error: no matching member function for call to 'CreateLoad'
          LoadInst *PrevLoc = IRB.CreateLoad(AFLPrevLoc);
                              ~~~~^~~~~~~~~~
    /usr/lib/llvm-14/include/llvm/IR/IRBuilder.h:1659:13: note: candidate function not viable: requires 3 arguments, but 1 was provided
      LoadInst *CreateLoad(Type *Ty, Value *Ptr, const char *Name) {
                ^
    /usr/lib/llvm-14/include/llvm/IR/IRBuilder.h:1663:13: note: candidate function not viable: requires at least 2 arguments, but 1 was provided
      LoadInst *CreateLoad(Type *Ty, Value *Ptr, const Twine &Name = "") {
                ^
    /usr/lib/llvm-14/include/llvm/IR/IRBuilder.h:1667:13: note: candidate function not viable: requires at least 3 arguments, but 1 was provided
      LoadInst *CreateLoad(Type *Ty, Value *Ptr, bool isVolatile,
                ^
    afl-llvm-pass.so.cc:140:30: error: no matching member function for call to 'CreateLoad'
          LoadInst *MapPtr = IRB.CreateLoad(AFLMapPtr);
                             ~~~~^~~~~~~~~~
    /usr/lib/llvm-14/include/llvm/IR/IRBuilder.h:1659:13: note: candidate function not viable: requires 3 arguments, but 1 was provided
      LoadInst *CreateLoad(Type *Ty, Value *Ptr, const char *Name) {
                ^
    /usr/lib/llvm-14/include/llvm/IR/IRBuilder.h:1663:13: note: candidate function not viable: requires at least 2 arguments, but 1 was provided
      LoadInst *CreateLoad(Type *Ty, Value *Ptr, const Twine &Name = "") {
                ^
    /usr/lib/llvm-14/include/llvm/IR/IRBuilder.h:1667:13: note: candidate function not viable: requires at least 3 arguments, but 1 was provided
      LoadInst *CreateLoad(Type *Ty, Value *Ptr, bool isVolatile,
                ^
    afl-llvm-pass.so.cc:143:15: error: no matching member function for call to 'CreateGEP'
              IRB.CreateGEP(MapPtr, IRB.CreateXor(PrevLocCasted, CurLoc));
              ~~~~^~~~~~~~~
    /usr/lib/llvm-14/include/llvm/IR/IRBuilder.h:1735:10: note: candidate function not viable: requires at least 3 arguments, but 2 were provided
      Value *CreateGEP(Type *Ty, Value *Ptr, ArrayRef<Value *> IdxList,
             ^
    /usr/lib/llvm-14/include/llvm/IR/IRBuilder.h:1749:10: note: candidate function not viable: requires at least 3 arguments, but 2 were provided
      Value *CreateGEP(Type *Ty, Value *Ptr, Value *Idx, const Twine &Name = "") {
             ^
    afl-llvm-pass.so.cc:147:31: error: no matching member function for call to 'CreateLoad'
          LoadInst *Counter = IRB.CreateLoad(MapPtrIdx);
                              ~~~~^~~~~~~~~~
    /usr/lib/llvm-14/include/llvm/IR/IRBuilder.h:1659:13: note: candidate function not viable: requires 3 arguments, but 1 was provided
      LoadInst *CreateLoad(Type *Ty, Value *Ptr, const char *Name) {
                ^
    /usr/lib/llvm-14/include/llvm/IR/IRBuilder.h:1663:13: note: candidate function not viable: requires at least 2 arguments, but 1 was provided
      LoadInst *CreateLoad(Type *Ty, Value *Ptr, const Twine &Name = "") {
                ^
    /usr/lib/llvm-14/include/llvm/IR/IRBuilder.h:1667:13: note: candidate function not viable: requires at least 3 arguments, but 1 was provided
      LoadInst *CreateLoad(Type *Ty, Value *Ptr, bool isVolatile,
                ^
    afl-llvm-pass.so.cc:183:10: error: cannot initialize a parameter of type 'llvm::Pass *' with an rvalue of type '(anonymous namespace)::AFLCoverage *'
      PM.add(new AFLCoverage());
             ^~~~~~~~~~~~~~~~~
    /usr/lib/llvm-14/include/llvm/IR/LegacyPassManager.h:48:26: note: passing argument to parameter 'P' here
      virtual void add(Pass *P) = 0;
                             ^
    8 errors generated.
    make: *** [Makefile:84: ../afl-llvm-pass.so] Error 1
    
    opened by lambdafu 4
  • A question about afl-cov with aflnet.

    Hi, I use aflnet to test a network program. When I finished testing, I wanted to use afl-cov to see the coverage of the program. But afl-cov uses stdin or a file as input, whereas aflnet's test case is a network packet. Can you help me? Thank you very much.

    opened by DuckRui 4
  • Add docker file

    I found it difficult to get running on my host machine due to specific versions of dependencies. Using docker was a great solution for me, so hereby I provide the script to others.

    opened by JJK96 0
  • Reproduce dnsmasq crashes

    Hi! I followed the tutorial for dnsmasq fuzzing, and tried to reproduce those crashes. However, when I started the dnsmasq in one terminal, and use aflnet-replay to send requests in another terminal, I could see responses at the client side (aflnet-replay), but the server side (dnsmasq) had no output or crashes.

    Client side info: [screenshot]

    Server side info: [screenshot]

    Thanks a lot for your help!

    opened by gcc17 1
  • SYSTEM ERROR : No server states have been detected. Server responses are likely empty

    SYSTEM ERROR : No server states have been detected. Server responses are likely empty

    Hello, the situation below happened when I followed the tutorial "Fuzzing Live555 media streaming server". How should I solve this?

    [*] No -t option specified, so I'll use exec timeout of 1000 ms.
    [+] All set and ready to roll!
    
    [-]  SYSTEM ERROR : No server states have been detected. Server responses are likely empty!
        Stop location : main(), afl-fuzz.c:9160
           OS message : Operation already in progress
    
    
    opened by Ricardo-609 1
  • pthread_create function in lightftp not executed

    pthread_create function in lightftp not executed

    Hi, I use aflnet to test lightftp, and I checked the coverage of the program. I found that none of the pthread_create calls were executed successfully except the pthread_create in ftpmain. I think this is a reason for the low coverage, and I want to know why. Could you tell me the reason?

    For example:

    context->WorkerThreadValid = pthread_create(&tid, NULL,(__ptr_thread_start_routine)&append_thread, context);
    if ( context->WorkerThreadValid == 0 )
    	context->WorkerThreadId = tid;
    

    context->WorkerThreadValid never becomes 0, and functions like void *stor_thread(PFTPCONTEXT context) are never executed.

    opened by kelinshide 0
  • Modbus support + remote only mode

    Modbus support + remote only mode

    I added support for Modbus TCP and a remote-only mode for fuzzing black-box devices. Modbus requests/responses are split into sections as described in the Modbus specification.

    Since Modbus is a binary protocol, there is no clear distinction between packets. Keeping the current implementation means we'll have to trust the size field in the request/response.

    Changes also have to be made to the sending steps to merge messages before sending, since some Modbus implementations (e.g. pymodbus) fail to process them if we send them sequentially.

    opened by M3m3M4n 18
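The point raised above about a binary protocol with no visible message boundaries is worth seeing in code. What follows is an added example, not code from AFLNet or from the Modbus pull request: a request extractor in the style of AFLNet's per-protocol `extract_requests_*` functions that cuts a recorded byte stream into Modbus TCP frames using the MBAP length field. The MBAP header layout (transaction id, protocol id, length, unit id; length counts the unit id plus the PDU) is the one from the Modbus TCP specification; the `modbus_region_t` struct is a simplified stand-in for AFLNet's `region_t`, and the sample stream is constructed for the example. Because the length field comes from the input, the extractor bounds-checks it rather than trusting it, which is exactly the hazard the comment describes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for AFLNet's region_t (assumption for this example):
   only the byte span of each frame and two fields useful for inspection. */
typedef struct {
  size_t start_byte;      /* offset of the first byte of the ADU */
  size_t end_byte;        /* offset of the last byte of the ADU (inclusive) */
  uint8_t unit_id;
  uint8_t function_code;
} modbus_region_t;

#define MBAP_HEADER_LEN 7   /* transaction id (2), protocol id (2), length (2), unit id (1) */
#define MODBUS_MAX_ADU  260 /* largest ADU allowed on Modbus TCP */

/* Walk a recorded byte stream and cut it into Modbus TCP ADUs using the MBAP
   length field. The length field is input-controlled, so it is checked against
   the spec maximum and against the bytes actually present before it is used;
   a malformed or truncated frame stops the scan instead of producing a region
   that points past the buffer. Returns the number of regions written to out
   and stores the offset where scanning stopped in *consumed. */
size_t extract_requests_modbus(const uint8_t *buf, size_t buf_size,
                               modbus_region_t *out, size_t max_out,
                               size_t *consumed) {
  size_t pos = 0, n = 0;
  while (n < max_out && buf_size - pos >= MBAP_HEADER_LEN) {
    uint16_t proto = (uint16_t)((buf[pos + 2] << 8) | buf[pos + 3]);
    uint16_t len   = (uint16_t)((buf[pos + 4] << 8) | buf[pos + 5]);
    /* length counts the unit id plus the PDU; a PDU is at least a function code */
    if (proto != 0 || len < 2 || (size_t)len + 6 > MODBUS_MAX_ADU) break;
    size_t frame_len = 6 + (size_t)len;
    if (frame_len > buf_size - pos) break;   /* frame runs past the recorded data */
    out[n].start_byte    = pos;
    out[n].end_byte      = pos + frame_len - 1;
    out[n].unit_id       = buf[pos + 6];
    out[n].function_code = buf[pos + 7];
    n++;
    pos += frame_len;
  }
  if (consumed) *consumed = pos;
  return n;
}

/* Constructed sample stream (not a real capture): two well-formed requests
   followed by a frame whose length field claims 65535 bytes. */
static const uint8_t SAMPLE[] = {
  0x00,0x01, 0x00,0x00, 0x00,0x06, 0x01, 0x03, 0x00,0x00, 0x00,0x0A, /* read 10 holding regs */
  0x00,0x02, 0x00,0x00, 0x00,0x06, 0x01, 0x06, 0x00,0x01, 0x00,0x05, /* write register 1 := 5 */
  0x00,0x03, 0x00,0x00, 0xFF,0xFF, 0x01, 0x03, 0x00,0x00, 0x00,0x01  /* bogus length field */
};

/* Runs the extractor over the embedded sample so the result can be checked. */
size_t demo_split(modbus_region_t *out, size_t max_out, size_t *consumed) {
  return extract_requests_modbus(SAMPLE, sizeof SAMPLE, out, max_out, consumed);
}

int main(void) {
  modbus_region_t regs[8];
  size_t consumed = 0;
  size_t n = demo_split(regs, 8, &consumed);
  for (size_t i = 0; i < n; i++)
    printf("region %zu: bytes %zu..%zu unit=%u fc=%u\n", i, regs[i].start_byte,
           regs[i].end_byte, regs[i].unit_id, regs[i].function_code);
  printf("%zu frames parsed, scan stopped at offset %zu of %zu\n",
         n, consumed, sizeof SAMPLE);
  return 0;
}
```

Run on the sample, the extractor yields two regions (bytes 0..11 and 12..23) and stops at offset 24 when it meets the frame with the oversized length field; a version that trusted the field would have emitted a region ending at byte 65540 and later read far past the buffer. The regions are what a sequence-aware fuzzer mutates and replays; for the merge-before-send behaviour mentioned in the comment, the selected regions would simply be concatenated into one buffer before the write.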