ProFuzzBench - A Benchmark for Stateful Protocol Fuzzing

Overview

ProFuzzBench - A Benchmark for Stateful Protocol Fuzzing

ProFuzzBench is a benchmark for stateful fuzzing of network protocols. It includes a suite of representative open-source network servers for popular protocols (e.g., TLS, SSH, SMTP, FTP, SIP), and tools to automate experimentation.

Citing ProFuzzBench

ProFuzzBench has been accepted for publication as a Tool Demonstrations paper at the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis (ISSTA) 2021.

@inproceedings{profuzzbench,
  title={ProFuzzBench: A Benchmark for Stateful Protocol Fuzzing},
  author={Roberto Natella and Van-Thuan Pham},
  booktitle={Proceedings of the 30th ACM SIGSOFT International Symposium on Software Testing and Analysis},
  year={2021}
}

Folder structure

protocol-fuzzing-benchmark
├── subjects: this folder contains all protocols included in this benchmark and
│   │         each protocol may have more than one target server
│   └── RTSP
│   └── FTP
│   │   └── LightFTP
│   │       └── Dockerfile: subject-specific Dockerfile
│   │       └── run.sh: (subject-specific) main script to run experiment inside a container
│   │       └── cov_script.sh: (subject-specific) script to do code coverage analysis
│   │       └── other files (e.g., patches, other subject-specific scripts)
│   └── ...
└── scripts: this folder contains all scripts to run experiments, collect & analyze results
│   └── execution
│   │   └── profuzzbench_exec_common.sh: main script to spawn containers and run experiments on them
│   │   └── ...
│   └── analysis
│       └── profuzzbench_generate_csv.sh: this script collect code coverage results from different runs
│       └── profuzzbench_plot.py: sample script for plotting
└── README.md

Tutorial - Fuzzing LightFTP server with AFLNet and AFLnwe, a network-enabled version of AFL

Follow the steps below to run and collect experimental results for LightFTP, which is a lightweight File Transfer Protocol (FTP) server. The similar steps should be followed to run experiments on other subjects. Each subject program comes with a README.md file showing subject-specific commands to run experiments.

Step-0. Set up environmental variables

git clone https://github.com/profuzzbench/profuzzbench.git
cd profuzzbench
export PFBENCH=$(pwd)
export PATH=$PATH:$PFBENCH/scripts/execution:$PFBENCH/scripts/analysis

Step-1. Build a docker image

The following commands create a docker image tagged lightftp. The image should have everything available for fuzzing and code coverage collection.

cd $PFBENCH
cd subjects/FTP/LightFTP
docker build . -t lightftp

Step-2. Run fuzzing

Run profuzzbench_exec_common.sh script to start an experiment. The script takes 8 arguments as listed below.

  • 1st argument (DOCIMAGE) : name of the docker image
  • 2nd argument (RUNS) : number of runs, one isolated Docker container is spawned for each run
  • 3rd argument (SAVETO) : path to a folder keeping the results
  • 4th argument (FUZZER) : fuzzer name (e.g., aflnet) -- this name must match the name of the fuzzer folder inside the Docker container (e.g., /home/ubuntu/aflnet)
  • 5th argument (OUTDIR) : name of the output folder created inside the docker container
  • 6th argument (OPTIONS) : all options needed for fuzzing in addition to the standard options written in the target-specific run.sh script
  • 7th argument (TIMEOUT) : time for fuzzing in seconds
  • 8th argument (SKIPCOUNT): used for calculating coverage over time. e.g., SKIPCOUNT=5 means we run gcovr after every 5 test cases because gcovr takes time and we do not want to run it after every single test case

The following commands run 4 instances of AFLNet and 4 instances of AFLnwe to simultaenously fuzz LightFTP in 60 minutes.

cd $PFBENCH
mkdir results-lightftp

profuzzbench_exec_common.sh lightftp 4 results-lightftp aflnet out-lightftp-aflnet "-P FTP -D 10000 -q 3 -s 3 -E -K -c ./ftpclean.sh" 3600 5 &
profuzzbench_exec_common.sh lightftp 4 results-lightftp aflnwe out-lightftp-aflnwe "-D 10000 -K -c ./ftpclean.sh" 3600 5

If the script runs successfully, its output should look similar to the text below.

AFLNET: Fuzzing in progress ...
AFLNET: Waiting for the following containers to stop:  f2da4b72b002 b7421386b288 cebbbc741f93 5c54104ddb86
AFLNET: Collecting results and save them to results-lightftp
AFLNET: Collecting results from container f2da4b72b002
AFLNET: Collecting results from container b7421386b288
AFLNET: Collecting results from container cebbbc741f93
AFLNET: Collecting results from container 5c54104ddb86
AFLNET: I am done!

Step-3. Collect the results

All results (in tar files) should be stored in the folder created in Step-2 (results-lightftp). Specifically, these tar files are the compressed version of output folders produced by all fuzzing instances. If the fuzzer is afl based (e.g., AFLNet, AFLnwe) each folder should contain sub-folders like crashes, hangs, queue and so on. Use profuzzbench_generate_csv.sh script to collect results in terms of code coverage over time. The script takes 5 arguments as listed below.

  • 1st argument (PROG) : name of the subject program (e.g., lightftp)
  • 2nd argument (RUNS) : number of runs
  • 3rd argument (FUZZER) : fuzzer name (e.g., aflnet)
  • 4th argument (COVFILE): CSV-formatted output file keeping the results
  • 5th argument (APPEND) : append mode; set this to 0 for the first fuzzer and 1 for the subsequent fuzzer(s).

The following commands collect the code coverage results produced by AFLNet and AFLnwe and save them to results.csv.

cd $PFBENCH/results-lightftp

profuzzbench_generate_csv.sh lightftp 4 aflnet results.csv 0
profuzzbench_generate_csv.sh lightftp 4 aflnwe results.csv 1

The results.csv file should look similar to text below. The file has six columns showing the timestamp, subject program, fuzzer name, run index, coverage type and its value. The file contains both line coverage and branch coverage over time information. Each coverage type comes with two values, in percentage (_per) and in absolute number (_abs).

time,subject,fuzzer,run,cov_type,cov
1600905795,lightftp,aflnwe,1,l_per,25.9
1600905795,lightftp,aflnwe,1,l_abs,292
1600905795,lightftp,aflnwe,1,b_per,13.3
1600905795,lightftp,aflnwe,1,b_abs,108
1600905795,lightftp,aflnwe,1,l_per,25.9
1600905795,lightftp,aflnwe,1,l_abs,292

Step-4. Analyze the results

The results collected in step 3 (i.e., results.csv) can be used for plotting. For instance, we provide a sample Python script to plot code coverage over time. Use the following command to plot the results and save it to a file.

cd $PFBENCH/results-lightftp

profuzzbench_plot.py -i results.csv -p lightftp -r 4 -c 60 -s 1 -o cov_over_time.png

This is a sample code coverage report generated by the script. Sample report

Parallel builds

To speed-up the build of Docker images, you can pass the option "-j" to make, using the MAKE_OPT environment variable and the --build-arg option of docker build. Example:

export MAKE_OPT="-j4"
docker build . -t lightftp --build-arg MAKE_OPT

FAQs

1. How do I extend ProFuzzBench?

If you want to add a new protocol and/or a new target server (of a supported protocol), please follow the above folder structure and complete the steps below. We use LightFTP as an example.

Step-1. Create a new folder containing the protocol/target server

The folder for LightFTP server is subjects/FTP/LightFTP.

Step-2. Write a Docker file for the new target server and prepare all the subject-specific scripts/files (e.g., target-specific patch, seed corpus)

The following folder structure shows all files we have prepared for fuzzing LightFTP server. Please read our paper to understand the purposes of these files.

subjects/FTP/LightFTP
├── Dockerfile (required): based on this, a target-specific Docker image is built (See Step-1 in the tutorial)
├── run.sh (required): main script to run experiment inside a container
├── cov_script.sh (required): script to do code coverage analysis
├── clean.sh (optional): script to clean server states before fuzzing to improve the stability
├── fuzzing.patch (optional): code changes needed to improve fuzzing results (e.g., remove randomness)
├── gcov.patch (required): code changes needed to support code coverage analysis (e.g., enable gcov, add a signal handler)
├── ftp.dict (optional): a dictionary containing protocol-specific tokens/keywords to support fuzzing
└── in-ftp (required): a seed corpus capturing sequences of client requests sent to the server under test.
│   │       To prepare these seeds, please follow the AFLNet tutorial at https://github.com/aflnet/aflnet.
│   │       Please use ".raw" extension for all seed inputs.
│   │
│   └── ftp_requests_full_anonymous.raw
│   └── ftp_requests_full_normal.raw
└── README.md (optional): a target-specific README containing commands to run experiments

All the required files (i.e., Dockerfile, run.sh, cov_script.sh, gcov.patch, and the seed corpus) follow some templates so that one can easily follow them to prepare files for a new target.

Step-3. Test your new target server

Once a Docker image is successfully built, you should test your commands, as written in a target-specific README.md, inside a single Docker container. For example, we run the following commands to check if everything is working for LightFTP.

//start a container
docker run -it lightftp /bin/bash

//inside the docker container
//run a 60-min fuzzing experiment using AFLNet
cd experiments
run aflnet out-lightftp-aflnet "-P FTP -D 10000 -q 3 -s 3 -E -K -c ./ftpclean.sh" 3600 5

If everything works, there should be no error messages and all the results are stored inside the out-lightftp-aflnet folder.

2. My experiment "hangs". What could be the reason(s)?

Each experiment has two parts: fuzzing and code coverage analysis. The fuzzing part should complete after the specified timeout; however, the code coverage analysis time is subject-specific and it could take several hours if the generated corpus is large or the target server is slow. You can log into the running containers to check the progress if you think your experiment hangs.

Comments
  • Fork server handshake Failed ---ASAN error

    Fork server handshake Failed ---ASAN error

    hello, thanks for your wonderful job,I have learned a lot.But I encoutered a terrible error when I use asan to compile LightFTP and dcmtk in my linux server.

    I follow the instructions of the Dockerfile, and execute them in my ubuntu 16.04 server.

    when I finish all of steps , I start testing, then I suffered the error.

    the first image is dcmtk, shell look like "afl-fuzz -i in-dicom -o out -N tcp://127.0.0.1/5158 -P DICOM -D 10000 -E -K ./dcmqrscp"

    图片1

    the second image is lightftp "afl-fuzz -t 3000 -i in-ftp -x ftp.dict -o out -N tcp://127.0.0.1/2200 -P FTP -D 10000 -q 3 -s 3 -E -K -c ftpclean.sh ./fftp fftp.conf 2200" 2

    for lightftp, when I try "unset AFL_use_asan", the error change into "No such process" 3

    eventually, I use gcc to compile, and add "-Q" with the run shell, it works! "afl-fuzz -t 3000 -i in-ftp -x ftp.dict -o out -N tcp://127.0.0.1/2200 -P FTP -D 10000 -q 3 -s 3 -E -K -c ftpclean.sh ./fftp fftp.conf 2200" 4

    opened by legendsLjj 5
  • fuzzing in docker performance

    fuzzing in docker performance

    Hi ! I am very sorry that I closed the original issue by mistake

    As mentioned in the original link , I have a finding that when I made experimental dockers for afl according to the profuzzbench configuration, when one docker executed the Fuzz task, the speed was 2000/sec; but when 10 dockers were started at the same time to execute the task, the speed dropped to 100/sec for almost every Fuzzer.

    Perhaps we'll think of using tmpfs to save Fuzz's output, so I added the mount command to the docker internal run.sh script for requesting tmpfs, and the result is as mentioned above.

    For a rigorous comparison, I started afl directly on the real host system and pointed the output all to tmpfs, then executed several at the same time, and they all maintained the highest level of speed, i.e. 2000/sec. So, I am wondering if the docker internal application tmpfs is not the real tmpfs, and if so, what do we need to do to make the real tmpfs available to fuzzer in docker?

    opened by songxpu 4
  • Docker build fails with

    Docker build fails with "invalid syntax"

    I'm trying to build the docker image as documented in the README file:

    docker build . -t lightftp
    

    Building the docker image did not complete. Instead an error was thrown:

    Step 4/32 : RUN chmod 777 /tmp
     ---> Using cache
     ---> 09fb8cb05d1b
    Step 5/32 : RUN pip install gcovr==4.2
     ---> Running in 402799b19091
    Collecting gcovr==4.2
      Downloading https://files.pythonhosted.org/packages/70/8e/55232768ba46ba2cbb10ea04f3a8cf41540ee058a4e8eb5e3ac53d190e95/gcovr-4.2-py2.py3-none-any.whl (45kB)
    Collecting lxml (from gcovr==4.2)
      Downloading https://files.pythonhosted.org/packages/82/f7/d0ae1fbd16865ba1403c8c7780f848a00f7182f44dace4f1d3d1d7e4f3e4/lxml-4.8.0-cp27-cp27mu-manylinux_2_5_x86_64.manylinux1_x86_64.whl (5.5MB)
    Collecting jinja2 (from gcovr==4.2)
      Downloading https://files.pythonhosted.org/packages/91/a5/429efc6246119e1e3fbf562c00187d04e83e54619249eb732bb423efa6c6/Jinja2-3.0.3.tar.gz (269kB)
    Collecting MarkupSafe>=2.0 (from jinja2->gcovr==4.2)
      Downloading https://files.pythonhosted.org/packages/1d/97/2288fe498044284f39ab8950703e88abbac2abbdf65524d576157af70556/MarkupSafe-2.1.1.tar.gz
        Complete output from command python setup.py egg_info:
        Traceback (most recent call last):
          File "<string>", line 1, in <module>
          File "/tmp/pip-build-0hxnph/MarkupSafe/setup.py", line 26
            raise BuildFailed() from e
                                   ^
        SyntaxError: invalid syntax
    

    I'm on Kernel Version 5.10.102-1-MANJARO (64-bit) if this matters.

    opened by MKesenheimer 4
  • init_forkserver() crash

    init_forkserver() crash

    Ran LightFTP tutorial exactly as described to fuzz with AFLNet on WSL2 Kali Linux with docker desktop wsl integration. Running into the following error. Wondering if this issue is happening on anyone else's end.

    Command: profuzzbench_exec_common.sh lightftp 1 results-lightftp aflnet out-lightftp-aflnet "-P FTP -D 10000 -q 3 -s 3 -K" 60 5

    Docker logs:

    /home/ubuntu/experiments/LightFTP/Source/Release out-lightftp-aflnet afl-fuzz 2.56b by [email protected] [+] You have 4 CPU cores and 6 runnable tasks (utilization: 150%). [!] WARNING: Not binding to a CPU core (AFL_NO_AFFINITY set). [*] Checking core_pattern... [*] Setting up output directories... [*] Scanning '/home/ubuntu/experiments/in-ftp'... [+] No auto-generated dictionary tokens to reuse. [*] Creating hard links for all input files... [*] Loading extra dictionary from '/home/ubuntu/experiments/ftp.dict' (level 0)... [+] Loaded 32 extra tokens, size range 3 B to 4 B. [*] Validating target binary... [*] Attempting dry run with 'id:000000,orig:ftp_requests_full_anonymous.raw'... [*] Spinning up the fork server...

    [-] Whoops, the target binary crashed suddenly, before receiving any input     from the fuzzer! Since it seems to be built with ASAN and you have a     restrictive memory limit configured, this is expected; please read     docs/notes_for_asan.txt for help.  [-] PROGRAM ABORT : Fork server crashed with signal 6          Location : init_forkserver(), afl-fuzz.c:3064

    rm: cannot remove '/home/ubuntu/experiments/LightFTP/Source/Release/out-lightftp-aflnet/cov_over_time.csv': No such file or directory rm: cannot remove '/home/ubuntu/fftplog': No such file or directory stat: cannot stat '/home/ubuntu/experiments/LightFTP/Source/Release/out-lightftp-aflnet//replayable-queue/.raw': No such file or directory rm: cannot remove '/home/ubuntu/fftplog': No such file or directory /home/ubuntu/experiments/cov_script: line 40:    39 Segmentation fault      $replayer $f FTP $pno 1 > /dev/null 2>&1 stat: cannot stat '/home/ubuntu/experiments/LightFTP/Source/Release/out-lightftp-aflnet//replayable-queue/id': No such file or directory /home/ubuntu/experiments/cov_script: line 62:    91 Segmentation fault      $replayer $f FTP $pno 1 > /dev/null 2>&1 stat: cannot stat '/home/ubuntu/experiments/LightFTP/Source/Release/out-lightftp-aflnet//replayable-queue/id*': No such file or directory out-lightftp-aflnet/ out-lightftp-aflnet/replayable-crashes/ out-lightftp-aflnet/replayable-hangs/ out-lightftp-aflnet/replayable-new-ipsm-paths/ out-lightftp-aflnet/replayable-queue/ out-lightftp-aflnet/.cur_input out-lightftp-aflnet/cov_over_time.csv out-lightftp-aflnet/regions/ out-lightftp-aflnet/regions/ftp_requests_full_anonymous.raw out-lightftp-aflnet/regions/ftp_requests_full_normal.raw out-lightftp-aflnet/cov_html/ out-lightftp-aflnet/cov_html/index.x_malloc.c.html out-lightftp-aflnet/cov_html/index.ftpserv.c.html out-lightftp-aflnet/cov_html/index.main.c.html out-lightftp-aflnet/cov_html/index.cfgparse.c.html out-lightftp-aflnet/cov_html/index.html out-lightftp-aflnet/plot_data out-lightftp-aflnet/queue/ out-lightftp-aflnet/queue/id:000000,orig:ftp_requests_full_anonymous.raw out-lightftp-aflnet/queue/id:000001,orig:ftp_requests_full_normal.raw out-lightftp-aflnet/queue/.state/ out-lightftp-aflnet/queue/.state/variable_behavior/ out-lightftp-aflnet/queue/.state/redundant_edges/ out-lightftp-aflnet/queue/.state/auto_extras/ out-lightftp-aflnet/queue/.state/deterministic_done/

    opened by jonahmvp 3
  • Problem with forked-daapd and aflnet

    Problem with forked-daapd and aflnet

    I built docker and ran the command directly from the tutorial and then showed aflnet timeout according to docker logs. image

    Further, I went inside docker and ran the forked-daapd program directly and it prompted an assert error image

    How should this issue be addressed?

    opened by songxpu 2
  • Problem with Kamailio SIP and StateAFL

    Problem with Kamailio SIP and StateAFL

    StateAFL is unable to track coverage for Kamalio SIP. The problem seems related to the "-u" option (i.e., run ASAN instrumented version for coverage, separately from StateAFL instrumented version of state analysis). Coverage works when dropping this option.

    opened by rnatella 1
  • how to use tmpfs in docker

    how to use tmpfs in docker

    Hi ! I found that Fuzz is slow when running many dockers at the same time to Fuzz, but the fuzzing speed is normal when only run one docker , so I wonder if it is disk performance causing such a difference?(Here fuzzer is afl ,not aflnet)

    I tried to execute mount -t tmpfs -o size=4096M tmpfs <dir> inside docker, but the speed is still slow, I wonder if it is the tmpfs obtained by mount inside docker container, not the real server memory.

    So, how to solve this problem?

    opened by songxpu 1
  • Update dockerfiles to use to 20.04

    Update dockerfiles to use to 20.04

    Hi

    This PR updates docker files to use ubuntu version 20.04. Related to #3.

    I haven't updated the docker file for OpenSSH yet, as the OpenSSH version in the repository wouldn't build under the newer version of libcrypto. The rest of the docker files build successfully under 20.04.

    opened by RiscInside 1
  • Add explicit WORKDIR, add optional support for deleting containers

    Add explicit WORKDIR, add optional support for deleting containers

    Hi,

    I have 2 small changes I want to propose. Both apply to the profuzzbench_exec_common.sh script. The first change is to explicitly define WORKDIR as "/home/ubuntu/experiments". I had already defined WORKDIR from previously working with aflnet, which also expects the user to set the WORKDIR directory; my WORKDIR and the WORKDIR required by the Docker container did not match up, so the container would simply quit before any fuzzing had occurred. So, I think it's better to simply set the WORKDIR in the script directly.

    The second change is to add a 9th argument, DELETE. Basically, if it is set to any non-empty value, the spawned containers will be removed after the fuzzing sessions have finished. Of course, leaving it blank will resort to the default behavior.

    I guess there may be other scripts that may benefit from these changes, but so far I've only looked at this one.

    opened by PBearson 1
  • redirect data socket in BFTPD

    redirect data socket in BFTPD

    Hello

    Inspired by https://securitylab.github.com/research/fuzzing-sockets-FTP, I redirect socket data flow to stderr in BFTPD, so that we can fuzz more lines in commands.c and dirlist.c (most of the new lines are used for commands like list, retr, stor).

    The results before and after patching are shown in the figures below.

    0 1

    opened by HuShaoRu 1
  • Add another FTP benchmark (PureFTPD)

    Add another FTP benchmark (PureFTPD)

    Hello,

    Here I made one more FTP benchmark (PureFTPD). And same as last time, I tested it on AFLNET and AFLNWE for 6 hours with 4 containers, and here is the coverage figure.

    cov_over_time_pureftpd_4_6h

    It's not surprising that AFLNET still has some advantages in this implementation.

    opened by Melody15 1
  • Fix profuzzbench_plot.py when only a single fuzzer is present

    Fix profuzzbench_plot.py when only a single fuzzer is present

    This addresses #16:

            df1 = df[(df['subject'] == subject) & 
                             (df['fuzzer'] == fuzzer) & 
                             (df['cov_type'] == cov_type)]
    

    can be empty in some cases (e.g. only fuzzed with aflnet). Not extending the mean_list in those cases seems to be fine.

    opened by mm4rks 0
  • profuzzbench_plot.py

    profuzzbench_plot.py

    $ profuzzbench_plot.py -i results.csv -p live555 -r 4 -c 60 -s 1 -o cov_over_time.png Traceback (most recent call last): File "/home/x/profuzzbench-master(1)/profuzzbench-master/scripts/analysis/profuzzbench_plot.py", line 96, in main(args.csv_file, args.put, args.runs, args.cut_off, args.step, args.out_file) File "/home/x/profuzzbench-master(1)/profuzzbench-master/scripts/analysis/profuzzbench_plot.py", line 43, in main cov_total += df3.tail(1).iloc[0, 5] File "/home/x/.local/lib/python3.8/site-packages/pandas/core/indexing.py", line 960, in getitem return self.obj._get_value(*key, takeable=self._takeable) File "/home/x/.local/lib/python3.8/site-packages/pandas/core/frame.py", line 3613, in _get_value return series._values[index] IndexError: index 0 is out of bounds for axis 0 with size 0

    opened by x1280 5
  • AFLNWE:Unable to request new process from fork server(OOM?)

    AFLNWE:Unable to request new process from fork server(OOM?)

    Hello, I used AFLNWE to run some programs in profuzzbench and got a problem. Here are the information: image

    I don't know how to solve the problem. Looking forward your reply. Thank you!

    opened by lijunqiang123 4
  • FTP Subjects: Order of replayable queue affects total measured coverage

    FTP Subjects: Order of replayable queue affects total measured coverage

    Hi,

    I am experimenting with reusing the replayable queues of fuzzing runs against other targets and ProFuzzBench has been a very helpful tool so far! To do so, I am using the "cov_script.sh" for the different FTP subjects, but without any preceding fuzzing.

    However, I have ran into an issue, where the order in which I replay test cases changes the outcome of these replays.

    Specifically, LightFTP's seed "ftp_requests_full_anonymous.raw" seems to be the problem, as it is the only test cases authenticating with USER anonymous instead of USER ubuntu (BFTPD, ProFTPD) or USER fuzzing (PureFPTD). When this test case is replayed on other subjects first, the total coverage is considerably smaller than what the exact same queue achieves, if it is replayed last.

    For example, replaying only the seed corpus of a given subject in addition to the two LightFTP seeds with no fuzzing at all:

    • BFTPD
      • anonymous first: 27.0% line coverage, 16.8% branch coverage
      • anonymous last: 41.9% line coverage, 27.8% branch coverage
    • ProFTPD
      • anonymous first: 16.4% line coverage, 10.9% branch coverage
      • anonymous last: 24.9% line coverage, 17.8% branch coverage

    These are the same 15 test cases, just replayed in a different order!

    LightFTP and PureFTPD appear not to be affected from what I have seen so far.

    It seems to me the reset between replays is not working properly and the run gets "stuck" with the less privileged user. The affected test case even executes a QUIT at the end, although I think the fuzzer shouldn't depend on its test cases to properly clean up after them.

    As I am only reusing ProFuzzBench functionality, I am fairly certain that this is a issue with these FTP subjects in general, not just my use case. Do you have any ideas what exactly the problem is or how to fix it?

    Thanks in advance and thank you for providing this great tool!

    opened by SpormannDavid 2
  • AFLnwe seeds timestamps are non-sequential

    AFLnwe seeds timestamps are non-sequential

    While doing some testing I noticed that the timestamps of the seeds stored in the queue folder of AFLnwe runs are non-sequential:

    $ ll bftpd/out-bftpd-aflnwe-3/queue | head -n50
    -rw-rw-r-- 1 acidghost acidghost   86 Mar  3 17:26 id:000000,orig:seed_1.raw
    -rw------- 1 acidghost acidghost  108 Mar  5 13:05 id:000001,orig:seed_10.raw
    -rw-rw-r-- 1 acidghost acidghost  109 Mar  3 17:26 id:000002,orig:seed_11.raw
    -rw------- 1 acidghost acidghost  108 Mar  5 13:17 id:000003,orig:seed_12.raw
    -rw------- 1 acidghost acidghost   56 Mar  5 13:07 id:000004,orig:seed_13.raw
    -rw-rw-r-- 1 acidghost acidghost  102 Mar  3 17:26 id:000005,orig:seed_2.raw
    -rw------- 1 acidghost acidghost  107 Mar  5 13:08 id:000006,orig:seed_3.raw
    -rw-rw-r-- 1 acidghost acidghost  120 Mar  3 17:26 id:000007,orig:seed_4.raw
    -rw------- 1 acidghost acidghost  139 Mar  5 13:10 id:000008,orig:seed_5.raw
    -rw------- 1 acidghost acidghost   44 Mar  5 13:10 id:000009,orig:seed_6.raw
    -rw------- 1 acidghost acidghost   44 Mar  5 13:10 id:000010,orig:seed_7.raw
    -rw------- 1 acidghost acidghost   40 Mar  5 13:11 id:000011,orig:seed_8.raw
    -rw------- 1 acidghost acidghost   40 Mar  5 13:11 id:000012,orig:seed_9.raw
    -rw------- 1 acidghost acidghost    1 Mar  5 13:04 id:000013,src:000000,op:havoc,rep:64,+cov
    -rw------- 1 acidghost acidghost   67 Mar  5 13:04 id:000014,src:000000,op:havoc,rep:8,+cov
    -rw------- 1 acidghost acidghost   90 Mar  5 13:04 id:000015,src:000000,op:havoc,rep:8
    -rw------- 1 acidghost acidghost  108 Mar  5 13:04 id:000016,src:000000,op:havoc,rep:4,+cov
    -rw------- 1 acidghost acidghost   78 Mar  5 13:23 id:000017,src:000000,op:havoc,rep:4
    -rw------- 1 acidghost acidghost   65 Mar  5 13:04 id:000018,src:000000,op:havoc,rep:2
    -rw------- 1 acidghost acidghost   57 Mar  5 13:04 id:000019,src:000000,op:havoc,rep:32
    -rw------- 1 acidghost acidghost   86 Mar  5 13:04 id:000020,src:000000,op:havoc,rep:2
    -rw------- 1 acidghost acidghost   73 Mar  5 13:04 id:000021,src:000000,op:havoc,rep:4,+cov
    -rw------- 1 acidghost acidghost   86 Mar  5 13:04 id:000022,src:000000,op:havoc,rep:8
    -rw------- 1 acidghost acidghost  125 Mar  5 13:04 id:000023,src:000000,op:havoc,rep:16
    -rw------- 1 acidghost acidghost   58 Mar  5 13:11 id:000024,src:000000,op:havoc,rep:4,+cov
    -rw------- 1 acidghost acidghost   85 Mar  5 13:04 id:000025,src:000000,op:havoc,rep:16
    -rw------- 1 acidghost acidghost   86 Mar  5 13:04 id:000026,src:000000,op:havoc,rep:2
    -rw------- 1 acidghost acidghost  113 Mar  5 13:04 id:000027,src:000000,op:havoc,rep:8
    -rw------- 1 acidghost acidghost  122 Mar  5 13:04 id:000028,src:000000,op:havoc,rep:32
    -rw------- 1 acidghost acidghost   62 Mar  5 13:04 id:000029,src:000000,op:havoc,rep:32
    -rw------- 1 acidghost acidghost   90 Mar  5 13:04 id:000030,src:000000,op:havoc,rep:8
    -rw------- 1 acidghost acidghost   86 Mar  5 13:04 id:000031,src:000000,op:havoc,rep:2
    -rw------- 1 acidghost acidghost  104 Mar  5 13:04 id:000032,src:000000,op:havoc,rep:16
    -rw------- 1 acidghost acidghost   76 Mar  5 13:04 id:000033,src:000000,op:havoc,rep:32
    -rw------- 1 acidghost acidghost   77 Mar  5 13:04 id:000034,src:000000,op:havoc,rep:8
    -rw------- 1 acidghost acidghost   91 Mar  5 13:04 id:000035,src:000000,op:havoc,rep:64
    -rw------- 1 acidghost acidghost   97 Mar  5 13:04 id:000036,src:000000,op:havoc,rep:16
    -rw------- 1 acidghost acidghost   86 Mar  5 13:04 id:000037,src:000000,op:havoc,rep:2
    -rw------- 1 acidghost acidghost   14 Mar  5 13:04 id:000038,src:000000,op:havoc,rep:128
    -rw------- 1 acidghost acidghost   80 Mar  5 13:11 id:000039,src:000000,op:havoc,rep:16,+cov
    -rw------- 1 acidghost acidghost   76 Mar  5 13:04 id:000040,src:000000,op:havoc,rep:4
    -rw------- 1 acidghost acidghost   63 Mar  5 13:04 id:000041,src:000000,op:havoc,rep:8
    -rw------- 1 acidghost acidghost   16 Mar  5 13:04 id:000042,src:000000,op:havoc,rep:32
    -rw------- 1 acidghost acidghost    7 Mar  5 13:04 id:000043,src:000000,op:havoc,rep:32
    -rw------- 1 acidghost acidghost   36 Mar  5 13:04 id:000044,src:000000,op:havoc,rep:64
    -rw------- 1 acidghost acidghost  100 Mar  5 13:04 id:000045,src:000000,op:havoc,rep:8
    -rw------- 1 acidghost acidghost   78 Mar  5 13:12 id:000046,src:000000,op:havoc,rep:4,+cov
    -rw------- 1 acidghost acidghost   89 Mar  5 13:04 id:000047,src:000000,op:havoc,rep:8
    -rw------- 1 acidghost acidghost   86 Mar  5 13:04 id:000048,src:000000,op:havoc,rep:2
    

    The timestamps for the initials seeds (i.e. ending in .raw) are also not updated while pivoting them from the input seeds folder (see above as the dates are 3 and 5 Mar): https://github.com/aflnet/aflnwe/blob/113102a3ba552028e6fb0193cc2039503def7ef4/afl-fuzz.c#L3303

    When generating plots the cut-off time may turn out wrong because it's based on the timestamp of the first initial (linked) seed:

    https://github.com/profuzzbench/profuzzbench/blob/9962025db43cf93a261c22aee70c29f867ea2058/scripts/analysis/profuzzbench_plot.py#L37-L40 https://github.com/profuzzbench/profuzzbench/blob/9962025db43cf93a261c22aee70c29f867ea2058/subjects/FTP/BFTPD/cov_script.sh#L33-L34 https://github.com/profuzzbench/profuzzbench/blob/9962025db43cf93a261c22aee70c29f867ea2058/subjects/RTSP/Live555/cov_script.sh#L33-L34 https://github.com/profuzzbench/profuzzbench/blob/9962025db43cf93a261c22aee70c29f867ea2058/subjects/FTP/LightFTP/cov_script.sh#L40-L41 (this is the same for all targets/subjects)

    This bug can cause the plots for AFLnwe to be totally wrong as they're cut too short. In the example above the difference in timestamps from the first seed and the others is in days (the run was 1 hour long), causing the plot for AFLnwe to only pick up some of the initial seeds.

    This does not seem to be the case for AFLnet as it uses the replayable-queue where files are created from scratch.

    opened by acidghost 8
Differential fuzzing for the masses!

NEZHA NEZHA is an efficient and domain-independent differential fuzzer developed at Columbia University. NEZHA exploits the behavioral asymmetries bet

null 147 Dec 5, 2022
InsTrim: Lightweight Instrumentation for Coverage-guided Fuzzing

InsTrim The paper: InsTrim: Lightweight Instrumentation for Coverage-guided Fuzzing Build Prerequisite llvm-8.0-dev clang-8.0 cmake >= 3.2 Make git cl

null 75 Dec 23, 2022
Emulation and Feedback Fuzzing of Firmware with Memory Sanitization

BaseSAFE This repository contains the BaseSAFE Rust APIs, introduced by "BaseSAFE: Baseband SAnitized Fuzzing through Emulation". The example/ directo

Security in Telecommunications 138 Dec 16, 2022
A fuzzing framework for SMT solvers

yinyang A fuzzing framework for SMT solvers. Given a set of seed SMT formulas, yinyang generates mutant formulas to stress-test SMT solvers. yinyang c

Project Yin-Yang for SMT Solver Testing 145 Jan 4, 2023
AntiFuzz: Impeding Fuzzing Audits of Binary Executables

AntiFuzz: Impeding Fuzzing Audits of Binary Executables Get the paper here: https://www.usenix.org/system/files/sec19-guler.pdf Usage: The python scri

Chair for Sys­tems Se­cu­ri­ty 88 Dec 21, 2022
Fuzzification helps developers protect the released, binary-only software from attackers who are capable of applying state-of-the-art fuzzing techniques

About Fuzzification Fuzzification helps developers protect the released, binary-only software from attackers who are capable of applying state-of-the-

gts3.org (SSLab@Gatech) 55 Oct 25, 2022
Hydra: an Extensible Fuzzing Framework for Finding Semantic Bugs in File Systems

Hydra: An Extensible Fuzzing Framework for Finding Semantic Bugs in File Systems Paper Finding Semantic Bugs in File Systems with an Extensible Fuzzin

gts3.org (SSLab@Gatech) 129 Dec 15, 2022
Fuzzing the Kernel Using Unicornafl and AFL++

Unicorefuzz Fuzzing the Kernel using UnicornAFL and AFL++. For details, skim through the WOOT paper or watch this talk at CCCamp19. Is it any good? ye

Security in Telecommunications 283 Dec 26, 2022
Code for the USENIX 2017 paper: kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels

kAFL: Hardware-Assisted Feedback Fuzzing for OS Kernels Blazing fast x86-64 VM kernel fuzzing framework with performant VM reloads for Linux, MacOS an

Chair for Sys­tems Se­cu­ri­ty 541 Nov 27, 2022
QSYM: A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing

QSYM: A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing Environment Tested on Ubuntu 14.04 64bit and 16.04 64bit Installation # disabl

gts3.org (SSLab@Gatech) 581 Dec 30, 2022
PolyGlot, a fuzzing framework for language processors

PolyGlot, a fuzzing framework for language processors Build We tested PolyGlot on Ubuntu 18.04. Get the source code: git clone https://github.com/s3te

Software Systems Security Team at Penn State University 79 Dec 27, 2022
Fuzzing JavaScript Engines with Aspect-preserving Mutation

DIE Repository for "Fuzzing JavaScript Engines with Aspect-preserving Mutation" (in S&P'20). You can check the paper for technical details. Environmen

gts3.org (SSLab@Gatech) 190 Dec 11, 2022
ParmeSan: Sanitizer-guided Greybox Fuzzing

ParmeSan: Sanitizer-guided Greybox Fuzzing ParmeSan is a sanitizer-guided greybox fuzzer based on Angora. Published Work USENIX Security 2020: ParmeSa

VUSec 158 Dec 31, 2022
Ankou: Guiding Grey-box Fuzzing towards Combinatorial Difference

Ankou Ankou is a source-based grey-box fuzzer. It intends to use a more rich fitness function by going beyond simple branch coverage and considering t

SoftSec Lab 54 Dec 24, 2022
Directed Greybox Fuzzing with AFL

AFLGo: Directed Greybox Fuzzing AFLGo is an extension of American Fuzzy Lop (AFL). Given a set of target locations (e.g., folder/file.c:582), AFLGo ge

null 380 Nov 24, 2022
[ICSE2020] MemLock: Memory Usage Guided Fuzzing

MemLock: Memory Usage Guided Fuzzing This repository provides the tool and the evaluation subjects for the paper "MemLock: Memory Usage Guided Fuzzing

Cheng Wen 54 Jan 7, 2023
A library for performing coverage guided fuzzing of neural networks

TensorFuzz: Coverage Guided Fuzzing for Neural Networks This repository contains a library for performing coverage guided fuzzing of neural networks,

Brain Research 195 Dec 28, 2022
Sound and Cost-effective Fuzzing of Stripped Binaries by Incremental and Stochastic Rewriting

StochFuzz: A New Solution for Binary-only Fuzzing StochFuzz is a (probabilistically) sound and cost-effective fuzzing technique for stripped binaries.

Zhuo Zhang 164 Dec 5, 2022