PolyGlot, a fuzzing framework for language processors

Overview

PolyGlot, a fuzzing framework for language processors

Build

We tested PolyGlot on Ubuntu 18.04.

  1. Get the source code: git clone https://github.com/s3team/Polyglot && cd Polyglot
  2. Install the prerequisites: sudo apt install -y make python g++ bison flex clang-format clang
  3. Modify the Makefile to choose the language you want to test
  4. Build everything: make
  5. The fuzzer is in AFL_replace_mutate/afl-fuzz
  6. Use the afl-gcc/afl-g++/afl-clang/afl-clang++ in AFL_replace_mutate to compile the program you want to fuzz.

Configure semantic.json

Before running the fuzzer, we need to set some values in semantic.json. The important ones are:

  1. InitFileDir: the absolute path of the directory holding your initial seed files. It may be the same directory you pass as the fuzzer's input path, or a different one.
  2. BuiltinObjFile: if you want to use built-in functions/variables/classes for semantic validation, set this to the path of the directory containing them (not a single file). Refer to grammar/solidity_grammar/semantic.json for an example.

Run

To run the fuzzer, we just run it like normal afl-fuzz:

afl-fuzz -i path/to/inputs -o path/to/outputs -- prog [args @@]

You should collect your own seed inputs for the fuzzer.
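The two semantic.json values above and the afl-fuzz invocation are easy to get subtly wrong (a relative InitFileDir, a single file where a directory is expected), and the fuzzer only fails later. The following preflight script is an added example, not part of the PolyGlot repository: it reads the two keys the README names out of semantic.json, checks that each is an absolute path to an existing directory (reading "not a single file" as "a directory"), and builds the afl-fuzz command line from the Run section. It assumes semantic.json is a flat JSON object with string values; all paths, file names and the target program are constructed for illustration.

```shell
#!/bin/sh
# Added example (not PolyGlot's own code): preflight check for the two
# semantic.json keys named in the README, plus the afl-fuzz command line.
# Assumption: semantic.json is a flat JSON object with string values.

# json_str FILE KEY: extract the string value of KEY from a flat JSON file
# with sed only, so the check needs neither jq nor python.
json_str() {
  sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# is_abs_dir PATH: succeed only for an absolute path to an existing directory.
is_abs_dir() {
  case "$1" in
    /*) [ -d "$1" ] ;;
    *)  return 1 ;;
  esac
}

# check_semantic FILE: validate InitFileDir (required) and BuiltinObjFile
# (optional, but must be a directory when set). Returns 1 on any problem.
check_semantic() {
  init_dir=$(json_str "$1" InitFileDir)
  obj_dir=$(json_str "$1" BuiltinObjFile)
  rc=0
  if ! is_abs_dir "$init_dir"; then
    echo "InitFileDir must be an absolute path to an existing directory: '$init_dir'" >&2
    rc=1
  fi
  if [ -n "$obj_dir" ] && ! is_abs_dir "$obj_dir"; then
    echo "BuiltinObjFile must be an absolute path to a directory, not a file: '$obj_dir'" >&2
    rc=1
  fi
  return $rc
}

# fuzz_cmd IN OUT PROG [ARGS...]: the afl-fuzz invocation from the Run section,
# using the fuzzer binary location given in the Build section.
fuzz_cmd() {
  in_dir=$1; out_dir=$2; shift 2
  printf '%s\n' "./AFL_replace_mutate/afl-fuzz -i $in_dir -o $out_dir -- $*"
}

# demo: constructed layout in a temp dir (no real PolyGlot checkout needed).
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/seeds" "$tmp/builtins"
  cat > "$tmp/good.json" <<EOF
{ "InitFileDir": "$tmp/seeds", "BuiltinObjFile": "$tmp/builtins" }
EOF
  # Relative seed dir and a single file for BuiltinObjFile: both rejected.
  cat > "$tmp/bad.json" <<EOF
{ "InitFileDir": "seeds", "BuiltinObjFile": "$tmp/builtins/one_file.sol" }
EOF
  check_semantic "$tmp/good.json" && echo "good.json: ok"
  check_semantic "$tmp/bad.json" 2>/dev/null || echo "bad.json: rejected"
  fuzz_cmd "$tmp/seeds" "$tmp/out" ./target_prog @@
  rm -rf "$tmp"
}

demo
```

Run it from the Polyglot checkout after editing semantic.json; a non-zero exit from check_semantic means the fuzzer would start with a seed or builtin path it cannot use.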

Apply on a new language

To do

Video tutorial

asciicast

Publication

One Engine to Fuzz ‘em All: Generic Language Processor Testing with Semantic Validation

Yongheng Chen, Rui Zhong (co-first author), Hong Hu, Hangfan Zhang, Yupeng Yang, Dinghao Wu and Wenke Lee.
In Proceedings of the 41st IEEE Symposium on Security and Privacy (Oakland 2021).

Contact

Yongheng Chen: [email protected]

Rui Zhong: [email protected]

Hong Hu: [email protected]

Hangfan Zhang: [email protected]

Yupeng Yang: [email protected]

Dinghao Wu: [email protected]

Wenke Lee: [email protected]

Comments
  • How to calculate the coverage of the target program using afl instrumentation?

    Hi @zr950624, a lot of fuzzing is based on the coverage achieved by afl, but afl does not implement the coverage calculation method. I used afl-cov and clang to calculate the coverage, but the calculation efficiency would be seriously reduced due to too many seeds. How can I dynamically obtain the coverage of the target program?

    opened by 1789120321 8
  • error in build

    I followed your build instructions, but an error occurs. Any idea?

    ~/github/Polyglot$ make
    cd grammar/js_grammar && ./replace.sh
    python Generator.py -i grammar/js_grammar/replaced_grammar -t grammar/js_grammar/tokens -d data/destructor -D data/datatype -e data/extra_flex_rule_js -s grammar/js_grammar/semantic.json
    cd parser && flex flex.l && bison bison.y --output=bison_parser.cpp --defines=bison_parser.h --verbose -Wconflicts-rr
    cd AFL_replace_mutate && make
    
    [*] Checking for the ability to compile x86 code...
    [+] Everything seems to be working, ready to compile.
    g++ -std=c++17 -O3 -funroll-loops -fpermissive -g -w -DAFL_PATH=\"/usr/local/lib/afl\" -DDOC_PATH=\"/usr/local/share/doc/afl\" -DBIN_PATH=\"/usr/local/bin\" afl-fuzz.c ../src/*.cpp  ../parser/bison_parser.cpp  ../parser/flex_lexer.cpp -o afl-fuzz -ldl
    afl-fuzz.c: In function ‘u8 fuzz_one(char**)’:
    afl-fuzz.c:5242:5: error: jump to label ‘abandon_entry’
     5242 |     abandon_entry:
          |     ^~~~~~~~~~~~~
    afl-fuzz.c:5198:14: note:   from here
     5198 |         goto abandon_entry;
          |              ^~~~~~~~~~~~~
    afl-fuzz.c:5205:11: note:   crosses initialization of ‘int skip_count’
     5205 |       int skip_count = 0;
          |           ^~~~~~~~~~
    afl-fuzz.c:5242:5: error: jump to label ‘abandon_entry’
     5242 |     abandon_entry:
          |     ^~~~~~~~~~~~~
    afl-fuzz.c:5188:14: note:   from here
     5188 |         goto abandon_entry;
          |              ^~~~~~~~~~~~~
    afl-fuzz.c:5205:11: note:   crosses initialization of ‘int skip_count’
     5205 |       int skip_count = 0;
          |           ^~~~~~~~~~
    afl-fuzz.c:5242:5: error: jump to label ‘abandon_entry’
     5242 |     abandon_entry:
          |     ^~~~~~~~~~~~~
    afl-fuzz.c:5151:16: note:   from here
     5151 |           goto abandon_entry;
          |                ^~~~~~~~~~~~~
    afl-fuzz.c:5205:11: note:   crosses initialization of ‘int skip_count’
     5205 |       int skip_count = 0;
          |           ^~~~~~~~~~
    make[1]: *** [Makefile:77: afl-fuzz] Error 1
    make: *** [Makefile:10: all] Error 2
    
    
    opened by zhunki 3
  • sql_grammar is missing in grammar folder

    I tried polyglot to fuzz SQLite. However, I find there is no sql_grammar in the grammar folder. I want to know how to use poly to do this, and how to write the semantic annotations for the SQL language. Thanks.

    opened by where2me 2
  • llvm-mode

    Hi.

    Can polyglot be used with AFL LLVM mode?

    I tried using the make file but I get the following error.

    Polyglot/AFL_replace_mutate/llvm_mode$ make
    [*] Checking for working 'llvm-config'...
    [*] Checking for working 'clang'...
    [*] Checking for '../afl-showmap'...
    [+] All set and ready to build.
    [*] Building 32-bit variant of the runtime (-m32)... failed (that's fine)
    [*] Testing the CC wrapper and instrumentation output...
    unset AFL_USE_ASAN AFL_USE_MSAN AFL_INST_RATIO; AFL_QUIET=1 AFL_PATH=. AFL_CC=clang ../afl-clang-fast -O3 -funroll-loops -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -DAFL_PATH=\"/usr/local/lib/afl\" -DBIN_PATH=\"/usr/local/bin\" -DVERSION=\"2.56b\"  ../test-instr.c -o test-instr
    ../afl-showmap -m none -q -o .test-instr0 ./test-instr < /dev/null
    echo 1 | ../afl-showmap -m none -q -o .test-instr1 ./test-instr
    
    Oops, the instrumentation does not seem to be behaving correctly!
    
    Please ping <[email protected]> to troubleshoot the issue.
    
    Makefile:98: recipe for target 'test_build' failed
    make: *** [test_build] Error 1
    
    
    opened by jj19808 1
  • Missing source code

    In the paper it is mentioned that the source code is publicly available, but on GitHub only the README is present. It would be great if the source code were made public.

    opened by fuadmmnf 1
Owner
Software Systems Security Team at Penn State University