Basic coverage guided fuzzing
American Fuzzy Lop (AFL)
AFL compiler wrappers (if source code is available)
AFL comes with a number of compiler wrappers that add instrumentation to the compiled code:
afl-gcc
afl-g++
afl-clang
afl-clang++
afl-clang-fast
afl-clang-fast++
The AFL compilers assign a unique random id to every basic block and add an _afl_maybe_log callback to each one, tracing block hit counts to determine code coverage.
# -ggdb -O0: generates a debug build used for crash analysis later on.
afl-gcc -fsanitize=address,undefined -ggdb -O0 <INPUT_CODE_FILE> -o <OUTPUT_BINARY>
Test case minimization with AFL
AFL's afl-cmin utility can be used to minimize the test cases / fuzzing corpus by finding the smallest subset of input files that triggers the full range of instrumentation points in the targeted program.
afl-cmin -i <INPUT_CORPUS_FOLDER> -o <MINIMIZED_CORPUS_FOLDER> -- <TARGETED_APP>
AFL fuzzing
Information on the status screen can be found in the official AFL documentation on the status screen.
# Example to generate a very basic img input corpus.
mkdir in && echo "IMG TEST" > in/1.img
# -m none: disable the memory limit, required for ASan builds. @@ is replaced by the path of the current input file.
afl-fuzz -i <INPUT_CORPUS_FOLDER> -o <OUTPUT_CRASH_FOLDER> -m none -- <TARGETED_APP> @@
If the source code is not available and the AFL callbacks could not be added to the targeted program, the QEMU fuzzing mode should be used:
# QEMU mode support must be built first (build_qemu_support.sh lives in the qemu_mode directory of the AFL source tree).
sudo ./build_qemu_support.sh
# Blackbox fuzzing of the targeted program.
afl-fuzz -Q -i <INPUT_CORPUS_FOLDER> -o <OUTPUT_CRASH_FOLDER> -- <TARGETED_APP> @@
AFL can run in a multi-core / distributed mode, with a master and one or more slave instances. The instances then synchronize on the execution paths found.
screen -S <MASTER_ID>
afl-fuzz -M <MASTER_ID> -i <INPUT_CORPUS_FOLDER> -o <OUTPUT_CRASH_FOLDER> -m none -- <TARGETED_APP> @@
# Can be repeated to add more slave instances. All instances must share the same output folder (-o) in order to synchronize.
screen -S <SLAVE_ID>
afl-fuzz -S <SLAVE_ID> -i <INPUT_CORPUS_FOLDER> -o <OUTPUT_CRASH_FOLDER> -m none -- <TARGETED_APP> @@
AFL crash analysis with GDB
Source:
https://trustfoundry.net/introduction-to-triaging-fuzzer-generated-crashes/
# The targeted program should be compiled with no code optimization (with -ggdb -O0 for example).
gdb <TARGETED_APP>
# Crash file name example: id:000000,sig:06,src:000000,op:havoc,rep:16
(gdb) r <AFL_CRASH_FILE>
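As an added example that is not part of the original page, the following POSIX shell helpers parse the sig field of AFL's crash file names (the format shown above), summarize a crashes folder by signal, and reproduce one crash under gdb in batch mode to print its backtrace for grouping. The function names and the crashes/id:* layout under the -o output folder are assumptions for illustration; the target is expected to take its input file as an argument, as with @@ above.

```shell
#!/bin/sh
# Added example, not from the original page: triage helpers for an AFL
# crashes folder. afl-fuzz names each crash like
#   id:000000,sig:06,src:000000,op:havoc,rep:16
# where sig is the signal that killed the target.

# Print the sig field of an AFL crash file name (path or basename).
afl_crash_sig() {
    s=${1##*,sig:}              # drop everything up to and including ",sig:"
    printf '%s\n' "${s%%,*}"    # keep up to the next comma
}

# Map a signal number to its name. afl-fuzz runs ASan builds with
# abort_on_error=1, so sanitizer reports also show up as SIGABRT.
afl_signal_name() {
    case "$1" in
        6|06)  echo SIGABRT ;;   # abort(), failed assert(), ASan/UBSan report
        7|07)  echo SIGBUS ;;
        8|08)  echo SIGFPE ;;
        11)    echo SIGSEGV ;;
        *)     echo "SIG$1" ;;   # anything else: keep the raw number
    esac
}

# Count the crashes in DIR by signal name, most frequent first.
afl_crash_summary() {
    for f in "$1"/id:*; do
        [ -e "$f" ] || continue          # empty folder: glob did not expand
        afl_signal_name "$(afl_crash_sig "$f")"
    done | sort | uniq -c | sort -rn
}

# Reproduce one crash in the -ggdb -O0 debug build under gdb in batch
# mode and print the backtrace (the target takes the input path as @@).
afl_crash_bt() {
    gdb -q -batch -ex "run $2" -ex bt "$1" 2>&1
}

# Usage: sh triage.sh <OUTPUT_CRASH_FOLDER>/crashes [<TARGETED_APP>]
# With a target given, the top frame of each backtrace is printed so
# that crashes sharing the same top frame can be grouped for triage.
if [ "$#" -ge 1 ]; then
    afl_crash_summary "$1"
    if [ "$#" -ge 2 ]; then
        for f in "$1"/id:*; do
            [ -e "$f" ] || continue
            printf '%s: ' "${f##*/}"; afl_crash_bt "$2" "$f" | grep '^#0' | head -n 1
        done
    fi
fi
```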