SYS-OSS/FRET-LibAFL
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Bump to 0.7

Browse Source
This commit is contained in:
Andrea Fioraldi 2021-12-01 17:22:09 +01:00
parent 2fb1c3520a
commit 37b8cb0d2f
45 changed files with 573 additions and 52 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
README.md
View File

@ -4,7 +4,12 @@
Advanced Fuzzing Library - Slot your own fuzzers together and extend their features using Rust.
LibAFL is written and maintained by Andrea Fioraldi <andreafioraldi@gmail.com> and Dominik Maier <mail@dmnk.co>.
LibAFL is written and maintained by
* [Andrea Fioraldi](https://twitter.com/andreafioraldi) <andrea@aflplus.plus>
* [Dominik Maier](https://twitter.com/domenuk) <dominik@aflplus.plus>
* [s1341](https://twitter.com/srubenst1341) <github@shmarya.net>
* [Dongjia Zhang](https://github.com/tokatoka) <toka@aflplus.plus>
## Why LibAFL?
@ -27,7 +32,7 @@ It offers a main crate that provide building blocks for custom fuzzers, [libafl]
LibAFL offers integrations with popular instrumentation frameworks. At the moment, the supported backends are:
+ SanitizerCoverage, in [libafl_targets](./libafl_targets)
+ Frida, in [libafl_frida](./libafl_frida), by s1341 <github@shmarya.net>
+ Frida, in [libafl_frida](./libafl_frida)
+ QEMU user-mode, in [libafl_qemu](./libafl_qemu)
## Getting started
@ -69,11 +74,15 @@ The best-tested fuzzer is [`./fuzzers/libfuzzer_libpng`](./fuzzers/libfuzzer_lib
+ [Installation guide](./docs/src/getting_started/setup.md)
+ Our RC3 [talk](http://www.youtube.com/watch?v=3RWkT1Q5IV0 "Fuzzers Like LEGO") explaining the core concepts
+ [Online API documentation](https://docs.rs/libafl/)
+ The LibAFL book (very WIP) [online](https://aflplus.plus/libafl-book) or in the [repo](./docs/src/)
+ The LibAFL book (WIP) [online](https://aflplus.plus/libafl-book) or in the [repo](./docs/src/)
+ Our RC3 [talk](http://www.youtube.com/watch?v=3RWkT1Q5IV0 "Fuzzers Like LEGO") explaining the core concepts
+ Our Fuzzcon Europe [talk](https://www.youtube.com/watch?v=PWB8GIhFAaI "LibAFL: The Advanced Fuzzing Library") with a (a bit but not so much outdated) step-by-step discussion on how to build some example fuzzers
+ The Fuzzing101 [solutions](https://github.com/epi052/fuzzing-101-solutions) & series of [blog posts](https://epi052.gitlab.io/notes-to-self/blog/2021-11-01-fuzzing-101-with-libafl/) by [epi](https://github.com/epi052)
## Contributing
@ -82,7 +91,7 @@ Check the [TODO.md](./TODO.md) file for features that we plan to support.
For bugs, feel free to open issues or contact us directly. Thank you for your support. <3
Even though we will gladly assist you in finishing up your PR, try to
- use *stable* rust
- keep all the crates compiling with *stable* rust (hide the eventual non-stable code under [`cfg`s](https://github.com/AFLplusplus/LibAFL/blob/main/libafl/build.rs#L26))
- run `cargo fmt` on your code before pushing
- check the output of `cargo clippy --all` or `./clippy.sh`
- run `cargo build --no-default-features` to check for `no_std` compatibility (and possibly add `#[cfg(feature = "std")]`) to hide parts of your code.

2
fuzzers/baby_fuzzer/Cargo.toml
View File

@ -1,6 +1,6 @@
[package]
name = "baby_fuzzer"
version = "0.6.1"
version = "0.7.0"
authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>", "Dominik Maier <domenukk@gmail.com>"]
edition = "2021"

2
fuzzers/baby_fuzzer_gramatron/Cargo.toml
View File

@ -1,6 +1,6 @@
[package]
name = "baby_fuzzer"
version = "0.6.0"
version = "0.7.0"
authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>", "Dominik Maier <domenukk@gmail.com>"]
edition = "2021"

2
fuzzers/baby_fuzzer_nautilus/Cargo.toml
View File

@ -1,6 +1,6 @@
[package]
name = "baby_fuzzer"
version = "0.6.0"
version = "0.7.0"
authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>", "Dominik Maier <domenukk@gmail.com>"]
edition = "2018"

2
fuzzers/baby_fuzzer_tokens/Cargo.toml
View File

@ -1,6 +1,6 @@
[package]
name = "baby_fuzzer"
version = "0.6.0"
version = "0.7.0"
authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>", "Dominik Maier <domenukk@gmail.com>"]
edition = "2021"

2
fuzzers/baby_no_std/Cargo.toml
View File

@ -1,6 +1,6 @@
[package]
name = "baby_no_std"
version = "0.6.1"
version = "0.7.0"
authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>", "Dominik Maier <domenukk@gmail.com>"]
edition = "2021"

2
fuzzers/forkserver_simple/Cargo.toml
View File

@ -1,6 +1,6 @@
[package]
name = "forkserver_simple"
version = "0.6.1"
version = "0.7.0"
authors = ["tokatoka <tokazerkje@outlook.com>"]
edition = "2021"

6
fuzzers/frida_libpng/Cargo.toml
View File

@ -1,6 +1,6 @@
[package]
name = "frida_libpng"
version = "0.6.1"
version = "0.7.0"
authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>", "Dominik Maier <domenukk@gmail.com>"]
edition = "2021"
build = "build.rs"
@ -31,8 +31,8 @@ reqwest = { version = "0.11.4", features = ["blocking"] }
libafl = { path = "../../libafl/", features = [ "std", "llmp_compression", "llmp_bind_public" ] } #, "llmp_small_maps", "llmp_debug"]}
capstone = "0.10.0"
frida-gum = { version = "0.6.1", features = [ "auto-download", "event-sink", "invocation-listener"] }
libafl_frida = { path = "../../libafl_frida", version = "0.6.1", features = ["cmplog"] }
libafl_targets = { path = "../../libafl_targets", version = "0.6.1" , features = ["sancov_cmplog"] }
libafl_frida = { path = "../../libafl_frida", features = ["cmplog"] }
libafl_targets = { path = "../../libafl_targets", features = ["sancov_cmplog"] }
lazy_static = "1.4.0"
libc = "0.2"
libloading = "0.7.0"

2
fuzzers/fuzzbench/Cargo.toml
View File

@ -1,6 +1,6 @@
[package]
name = "fuzzbench"
version = "0.6.1"
version = "0.7.0"
authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>", "Dominik Maier <domenukk@gmail.com>"]
edition = "2021"

2
fuzzers/fuzzbench_gsoc/Cargo.toml
View File

@ -1,6 +1,6 @@
[package]
name = "fuzzbench"
version = "0.6.1"
version = "0.7.0"
authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>", "Dominik Maier <domenukk@gmail.com>"]
edition = "2021"

2
fuzzers/fuzzbench_qemu/Cargo.toml
View File

@ -1,6 +1,6 @@
[package]
name = "fuzzbench_qemu"
version = "0.6.1"
version = "0.7.0"
authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>", "Dominik Maier <domenukk@gmail.com>"]
edition = "2021"

2
fuzzers/generic_inmemory/Cargo.toml
View File

@ -1,6 +1,6 @@
[package]
name = "generic_inmemory"
version = "0.6.1"
version = "0.7.0"
authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>", "Dominik Maier <domenukk@gmail.com>"]
edition = "2021"

2
fuzzers/libafl_atheris/Cargo.toml
View File

@ -1,6 +1,6 @@
[package]
name = "libafl_atheris"
version = "0.6.1"
version = "0.7.0"
authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>", "Dominik Maier <domenukk@gmail.com>"]
edition = "2018"

2
fuzzers/libfuzzer_libmozjpeg/Cargo.toml
View File

@ -1,6 +1,6 @@
[package]
name = "libfuzzer_libmozjpeg"
version = "0.6.1"
version = "0.7.0"
authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>", "Dominik Maier <domenukk@gmail.com>"]
edition = "2021"

2
fuzzers/libfuzzer_libpng/Cargo.toml
View File

@ -1,6 +1,6 @@
[package]
name = "libfuzzer_libpng"
version = "0.6.1"
version = "0.7.0"
authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>", "Dominik Maier <domenukk@gmail.com>"]
edition = "2021"

2
fuzzers/libfuzzer_libpng_ctx/Cargo.toml
View File

@ -1,6 +1,6 @@
[package]
name = "libfuzzer_libpng_launcher"
version = "0.6.1"
version = "0.7.0"
authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>", "Dominik Maier <domenukk@gmail.com>"]
edition = "2021"

2
fuzzers/libfuzzer_libpng_launcher/Cargo.toml
View File

@ -1,6 +1,6 @@
[package]
name = "libfuzzer_libpng_launcher"
version = "0.6.1"
version = "0.7.0"
authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>", "Dominik Maier <domenukk@gmail.com>"]
edition = "2021"

2
fuzzers/libfuzzer_reachability/Cargo.toml
View File

@ -1,6 +1,6 @@
[package]
name = "libfuzzer_reachability"
version = "0.6.1"
version = "0.7.0"
authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>", "Dominik Maier <domenukk@gmail.com>"]
edition = "2021"

2
fuzzers/libfuzzer_stb_image/Cargo.toml
View File

@ -1,6 +1,6 @@
[package]
name = "libfuzzer_stb_image"
version = "0.6.1"
version = "0.7.0"
authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>", "Dominik Maier <domenukk@gmail.com>"]
edition = "2021"
build = "build.rs"

2
fuzzers/libfuzzer_stb_image_concolic/fuzzer/Cargo.toml
View File

@ -1,6 +1,6 @@
[package]
name = "libfuzzer_stb_image_concolic"
version = "0.6.1"
version = "0.7.0"
authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>", "Dominik Maier <domenukk@gmail.com>", "Julius Hohnerlein"]
edition = "2021"
build = "build.rs"

2
fuzzers/libfuzzer_stb_image_concolic/runtime/Cargo.toml
View File

@ -1,6 +1,6 @@
[package]
name = "example_runtime"
version = "0.1.0"
version = "0.7.0"
edition = "2021"
authors = ["Julius Hohnerlein <julihoh@users.noreply.github.com>"]

2
fuzzers/libfuzzer_stb_image_sugar/Cargo.toml
View File

@ -1,6 +1,6 @@
[package]
name = "libfuzzer_stb_image"
version = "0.6.1"
version = "0.7.0"
authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>", "Dominik Maier <domenukk@gmail.com>"]
edition = "2021"
build = "build.rs"

2
fuzzers/push_harness/Cargo.toml
View File

@ -1,6 +1,6 @@
[package]
name = "push_harness"
version = "0.5.0"
version = "0.7.0"
authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>", "Dominik Maier <domenukk@gmail.com>"]
edition = "2021"

2
fuzzers/push_stage_harness/Cargo.toml
View File

@ -1,6 +1,6 @@
[package]
name = "push_stage_harness"
version = "0.5.0"
version = "0.7.0"
authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>", "Dominik Maier <domenukk@gmail.com>"]
edition = "2021"

1
fuzzers/qemu_launcher/.gitignore vendored Normal file
View File

@ -0,0 +1 @@
libpng-*

19
fuzzers/qemu_launcher/Cargo.toml Normal file
View File

@ -0,0 +1,19 @@
[package]
name = "qemu_launcher"
version = "0.7.0"
authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>", "Dominik Maier <domenukk@gmail.com>"]
edition = "2018"
[features]
default = ["std"]
std = []
[profile.release]
lto = true
codegen-units = 1
opt-level = 3
debug = true
[dependencies]
libafl = { path = "../../libafl/" }
libafl_qemu = { path = "../../libafl_qemu/" }

41
fuzzers/qemu_launcher/Makefile Normal file
View File

@ -0,0 +1,41 @@
FUZZER_NAME="libpng_harness"
PROJECT_DIR=$(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
UNAME := $(shell uname)
PHONY: all
all: fuzzer
libpng-1.6.37:
wget https://deac-fra.dl.sourceforge.net/project/libpng/libpng16/1.6.37/libpng-1.6.37.tar.xz
tar -xvf libpng-1.6.37.tar.xz
target/release/qemu_launcher: src/*
cargo build --release
libpng-1.6.37/.libs/libpng16.a: libpng-1.6.37
cd libpng-1.6.37 && ./configure --enable-shared=no --with-pic=yes --enable-hardware-optimizations=yes
$(MAKE) -C libpng-1.6.37
# Build the libpng harness
c++ \
$(PROJECT_DIR)/harness.cc \
$(PROJECT_DIR)/libpng-1.6.37/.libs/libpng16.a \
-I$(PROJECT_DIR)/libpng-1.6.37/ \
-o $(FUZZER_NAME) \
-lm -lz
fuzzer: target/release/qemu_launcher libpng-1.6.37/.libs/libpng16.a
clean:
rm ./$(FUZZER_NAME)
$(MAKE) -C libpng-1.6.37 clean
run: all
cargo run --release ./$(FUZZER_NAME)
short_test: all
rm -rf libafl_unix_shmem_server || true
timeout 10s cargo run --release ./$(FUZZER_NAME) &
test: all
timeout 60s cargo run --release ./$(FUZZER_NAME) &

47
fuzzers/qemu_launcher/README.md Normal file
View File

@ -0,0 +1,47 @@
# Libfuzzer for libpng, with launcher
This folder contains an example fuzzer for libpng, using LLMP for fast multi-process fuzzing and crash detection.
To show off crash detection, we added a `ud2` instruction to the harness, edit harness.cc if you want a non-crashing example.
It has been tested on Linux.
In contrast to the normal libfuzzer libpng example, this uses the `launcher` feature, that automatically spawns `n` child processes, and binds them to a free core.
## Build
To build this example, run
```bash
cargo build --release
```
This will build the library with the fuzzer (src/lib.rs) with the libfuzzer compatibility layer and the SanitizerCoverage runtime functions for coverage feedback.
In addition, it will also build two C and C++ compiler wrappers (bin/libafl_c(libafl_c/xx).rs) that you must use to compile the target.
Then download libpng, and unpack the archive:
```bash
wget https://deac-fra.dl.sourceforge.net/project/libpng/libpng16/1.6.37/libpng-1.6.37.tar.xz
tar -xvf libpng-1.6.37.tar.xz
```
Now compile libpng, using the libafl_cc compiler wrapper:
```bash
cd libpng-1.6.37
./configure
make CC=../target/release/libafl_cc CXX=../target/release/libafl_cxx -j `nproc`
```
You can find the static lib at `libpng-1.6.37/.libs/libpng16.a`.
Now, we have to build the libfuzzer harness and link all together to create our fuzzer binary.
```
cd ..
./target/release/libafl_cxx ./harness.cc libpng-1.6.37/.libs/libpng16.a -I libpng-1.6.37/ -o fuzzer_libpng -lz -lm
```
Afterwards, the fuzzer will be ready to run.
## Run
Just run once, the launcher feature should do the rest.

BIN
fuzzers/qemu_launcher/corpus/not_kitty.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 218 B

BIN
fuzzers/qemu_launcher/corpus/not_kitty_alpha.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 376 B

BIN
fuzzers/qemu_launcher/corpus/not_kitty_gamma.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 228 B

BIN
fuzzers/qemu_launcher/corpus/not_kitty_icc.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 427 B

203
fuzzers/qemu_launcher/harness.cc Normal file
View File

@ -0,0 +1,203 @@
// libpng_read_fuzzer.cc
// Copyright 2017-2018 Glenn Randers-Pehrson
// Copyright 2015 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that may
// be found in the LICENSE file https://cs.chromium.org/chromium/src/LICENSE
// Last changed in libpng 1.6.35 [July 15, 2018]
// The modifications in 2017 by Glenn Randers-Pehrson include
// 1. addition of a PNG_CLEANUP macro,
// 2. setting the option to ignore ADLER32 checksums,
// 3. adding "#include <string.h>" which is needed on some platforms
// to provide memcpy().
// 4. adding read_end_info() and creating an end_info structure.
// 5. adding calls to png_set_*() transforms commonly used by browsers.
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <vector>
#define PNG_INTERNAL
#include "png.h"
#define PNG_CLEANUP \
if(png_handler.png_ptr) \
{ \
if (png_handler.row_ptr) \
png_free(png_handler.png_ptr, png_handler.row_ptr); \
if (png_handler.end_info_ptr) \
png_destroy_read_struct(&png_handler.png_ptr, &png_handler.info_ptr,\
&png_handler.end_info_ptr); \
else if (png_handler.info_ptr) \
png_destroy_read_struct(&png_handler.png_ptr, &png_handler.info_ptr,\
nullptr); \
else \
png_destroy_read_struct(&png_handler.png_ptr, nullptr, nullptr); \
png_handler.png_ptr = nullptr; \
png_handler.row_ptr = nullptr; \
png_handler.info_ptr = nullptr; \
png_handler.end_info_ptr = nullptr; \
}
struct BufState {
const uint8_t* data;
size_t bytes_left;
};
struct PngObjectHandler {
png_infop info_ptr = nullptr;
png_structp png_ptr = nullptr;
png_infop end_info_ptr = nullptr;
png_voidp row_ptr = nullptr;
BufState* buf_state = nullptr;
~PngObjectHandler() {
if (row_ptr)
png_free(png_ptr, row_ptr);
if (end_info_ptr)
png_destroy_read_struct(&png_ptr, &info_ptr, &end_info_ptr);
else if (info_ptr)
png_destroy_read_struct(&png_ptr, &info_ptr, nullptr);
else
png_destroy_read_struct(&png_ptr, nullptr, nullptr);
delete buf_state;
}
};
void user_read_data(png_structp png_ptr, png_bytep data, size_t length) {
BufState* buf_state = static_cast<BufState*>(png_get_io_ptr(png_ptr));
if (length > buf_state->bytes_left) {
png_error(png_ptr, "read error");
}
memcpy(data, buf_state->data, length);
buf_state->bytes_left -= length;
buf_state->data += length;
}
static const int kPngHeaderSize = 8;
// Entry point for LibFuzzer.
// Roughly follows the libpng book example:
// http://www.libpng.org/pub/png/book/chapter13.html
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
if (size < kPngHeaderSize) {
return 0;
}
std::vector<unsigned char> v(data, data + size);
if (png_sig_cmp(v.data(), 0, kPngHeaderSize)) {
// not a PNG.
return 0;
}
PngObjectHandler png_handler;
png_handler.png_ptr = nullptr;
png_handler.row_ptr = nullptr;
png_handler.info_ptr = nullptr;
png_handler.end_info_ptr = nullptr;
png_handler.png_ptr = png_create_read_struct
(PNG_LIBPNG_VER_STRING, nullptr, nullptr, nullptr);
if (!png_handler.png_ptr) {
return 0;
}
png_handler.info_ptr = png_create_info_struct(png_handler.png_ptr);
if (!png_handler.info_ptr) {
PNG_CLEANUP
return 0;
}
png_handler.end_info_ptr = png_create_info_struct(png_handler.png_ptr);
if (!png_handler.end_info_ptr) {
PNG_CLEANUP
return 0;
}
png_set_crc_action(png_handler.png_ptr, PNG_CRC_QUIET_USE, PNG_CRC_QUIET_USE);
#ifdef PNG_IGNORE_ADLER32
png_set_option(png_handler.png_ptr, PNG_IGNORE_ADLER32, PNG_OPTION_ON);
#endif
// Setting up reading from buffer.
png_handler.buf_state = new BufState();
png_handler.buf_state->data = data + kPngHeaderSize;
png_handler.buf_state->bytes_left = size - kPngHeaderSize;
png_set_read_fn(png_handler.png_ptr, png_handler.buf_state, user_read_data);
png_set_sig_bytes(png_handler.png_ptr, kPngHeaderSize);
if (setjmp(png_jmpbuf(png_handler.png_ptr))) {
PNG_CLEANUP
return 0;
}
// Reading.
png_read_info(png_handler.png_ptr, png_handler.info_ptr);
// reset error handler to put png_deleter into scope.
if (setjmp(png_jmpbuf(png_handler.png_ptr))) {
PNG_CLEANUP
return 0;
}
png_uint_32 width, height;
int bit_depth, color_type, interlace_type, compression_type;
int filter_type;
if (!png_get_IHDR(png_handler.png_ptr, png_handler.info_ptr, &width,
&height, &bit_depth, &color_type, &interlace_type,
&compression_type, &filter_type)) {
PNG_CLEANUP
return 0;
}
// This is going to be too slow.
if (width && height > 100000000 / width) {
PNG_CLEANUP
#ifdef HAS_DUMMY_CRASH
#ifdef __aarch64__
asm volatile (".word 0xf7f0a000\n");
#else
asm("ud2");
#endif
#endif
return 0;
}
// Set several transforms that browsers typically use:
png_set_gray_to_rgb(png_handler.png_ptr);
png_set_expand(png_handler.png_ptr);
png_set_packing(png_handler.png_ptr);
png_set_scale_16(png_handler.png_ptr);
png_set_tRNS_to_alpha(png_handler.png_ptr);
int passes = png_set_interlace_handling(png_handler.png_ptr);
png_read_update_info(png_handler.png_ptr, png_handler.info_ptr);
png_handler.row_ptr = png_malloc(
png_handler.png_ptr, png_get_rowbytes(png_handler.png_ptr,
png_handler.info_ptr));
for (int pass = 0; pass < passes; ++pass) {
for (png_uint_32 y = 0; y < height; ++y) {
png_read_row(png_handler.png_ptr,
static_cast<png_bytep>(png_handler.row_ptr), nullptr);
}
}
png_read_end(png_handler.png_ptr, png_handler.end_info_ptr);
PNG_CLEANUP
return 0;
}
int main() {
uint8_t buf [10] = {0};
LLVMFuzzerTestOneInput(buf, 10);
}

BIN
fuzzers/qemu_launcher/libpng_harness Executable file
View File

Binary file not shown.

201
fuzzers/qemu_launcher/src/main.rs Normal file
View File

@ -0,0 +1,201 @@
use core::time::Duration;
use std::{env, path::PathBuf, process};
use libafl::{
bolts::{
current_nanos,
launcher::Launcher,
rands::StdRand,
shmem::{ShMemProvider, StdShMemProvider},
tuples::tuple_list,
},
corpus::{
Corpus, InMemoryCorpus, IndexesLenTimeMinimizerCorpusScheduler, OnDiskCorpus,
QueueCorpusScheduler,
},
events::EventConfig,
executors::{ExitKind, TimeoutExecutor},
feedback_or, feedback_or_fast,
feedbacks::{CrashFeedback, MapFeedbackState, MaxMapFeedback, TimeFeedback, TimeoutFeedback},
fuzzer::{Fuzzer, StdFuzzer},
inputs::{BytesInput, HasTargetBytes},
monitors::MultiMonitor,
mutators::scheduled::{havoc_mutations, StdScheduledMutator},
observers::{HitcountsMapObserver, TimeObserver, VariableMapObserver},
stages::StdMutationalStage,
state::{HasCorpus, StdState},
Error,
};
use libafl_qemu::{
edges, edges::QemuEdgeCoverageHelper, elf::EasyElf, emu, MmapPerms, QemuExecutor, Regs,
};
pub fn main() {
// Hardcoded parameters
let timeout = Duration::from_secs(1);
let broker_port = 1337;
let cores = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11];
let corpus_dirs = [PathBuf::from("./corpus")];
let objective_dir = PathBuf::from("./crashes");
// Initialize QEMU
let args: Vec<String> = env::args().collect();
let env: Vec<(String, String)> = env::vars().collect();
emu::init(&args, &env);
let mut elf_buffer = Vec::new();
let elf = EasyElf::from_file(emu::binary_path(), &mut elf_buffer).unwrap();
let test_one_input_ptr = elf
.resolve_symbol("LLVMFuzzerTestOneInput", emu::load_addr())
.expect("Symbol LLVMFuzzerTestOneInput not found");
println!("LLVMFuzzerTestOneInput @ {:#x}", test_one_input_ptr);
emu::set_breakpoint(test_one_input_ptr); // LLVMFuzzerTestOneInput
emu::run();
println!(
"Break at {:#x}",
emu::read_reg::<_, u64>(Regs::Rip).unwrap()
);
// Get the return address
let stack_ptr: u64 = emu::read_reg(Regs::Rsp).unwrap();
let mut ret_addr = [0u64];
emu::read_mem(stack_ptr, &mut ret_addr);
let ret_addr = ret_addr[0];
println!("Stack pointer = {:#x}", stack_ptr);
println!("Return address = {:#x}", ret_addr);
emu::remove_breakpoint(test_one_input_ptr); // LLVMFuzzerTestOneInput
emu::set_breakpoint(ret_addr); // LLVMFuzzerTestOneInput ret addr
let input_addr = emu::map_private(0, 4096, MmapPerms::ReadWrite).unwrap();
println!("Placing input at {:#x}", input_addr);
// The wrapped harness function, calling out to the LLVM-style harness
let mut harness = |input: &BytesInput| {
let target = input.target_bytes();
let mut buf = target.as_slice();
let mut len = buf.len();
if len > 4096 {
buf = &buf[0..4096];
len = 4096;
}
emu::write_mem(input_addr, buf);
emu::write_reg(Regs::Rdi, input_addr).unwrap();
emu::write_reg(Regs::Rsi, len).unwrap();
emu::write_reg(Regs::Rip, test_one_input_ptr).unwrap();
emu::write_reg(Regs::Rsp, stack_ptr).unwrap();
emu::run();
ExitKind::Ok
};
let mut run_client = |state: Option<_>, mut mgr, _core_id| {
// Create an observation channel using the coverage map
let edges = unsafe { &mut edges::EDGES_MAP };
let edges_counter = unsafe { &mut edges::MAX_EDGES_NUM };
let edges_observer =
HitcountsMapObserver::new(VariableMapObserver::new("edges", edges, edges_counter));
// Create an observation channel to keep track of the execution time
let time_observer = TimeObserver::new("time");
// The state of the edges feedback.
let feedback_state = MapFeedbackState::with_observer(&edges_observer);
// Feedback to rate the interestingness of an input
// This one is composed by two Feedbacks in OR
let feedback = feedback_or!(
// New maximization map feedback linked to the edges observer and the feedback state
MaxMapFeedback::new_tracking(&feedback_state, &edges_observer, true, false),
// Time feedback, this one does not need a feedback state
TimeFeedback::new_with_observer(&time_observer)
);
// A feedback to choose if an input is a solution or not
let objective = feedback_or_fast!(CrashFeedback::new(), TimeoutFeedback::new());
// If not restarting, create a State from scratch
let mut state = state.unwrap_or_else(|| {
StdState::new(
// RNG
StdRand::with_seed(current_nanos()),
// Corpus that will be evolved, we keep it in memory for performance
InMemoryCorpus::new(),
// Corpus in which we store solutions (crashes in this example),
// on disk so the user can get them after stopping the fuzzer
OnDiskCorpus::new(objective_dir.clone()).unwrap(),
// States of the feedbacks.
// They are the data related to the feedbacks that you want to persist in the State.
tuple_list!(feedback_state),
)
});
// A minimization+queue policy to get testcasess from the corpus
let scheduler = IndexesLenTimeMinimizerCorpusScheduler::new(QueueCorpusScheduler::new());
// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);
// Create a QEMU in-process executor
let executor = QemuExecutor::new(
&mut harness,
// The QEMU helpers define common hooks like coverage tracking hooks
tuple_list!(QemuEdgeCoverageHelper::new()),
tuple_list!(edges_observer, time_observer),
&mut fuzzer,
&mut state,
&mut mgr,
)
.expect("Failed to create QemuExecutor");
// Wrap the executor to keep track of the timeout
let mut executor = TimeoutExecutor::new(executor, timeout);
if state.corpus().count() < 1 {
state
.load_initial_inputs(&mut fuzzer, &mut executor, &mut mgr, &corpus_dirs)
.unwrap_or_else(|_| {
println!("Failed to load initial corpus at {:?}", &corpus_dirs);
process::exit(0);
});
println!("We imported {} inputs from disk.", state.corpus().count());
}
// Setup an havoc mutator with a mutational stage
let mutator = StdScheduledMutator::new(havoc_mutations());
let mut stages = tuple_list!(StdMutationalStage::new(mutator));
fuzzer.fuzz_loop(&mut stages, &mut executor, &mut state, &mut mgr)?;
Ok(())
};
// The shared memory allocator
let shmem_provider = StdShMemProvider::new().expect("Failed to init shared memory");
// The stats reporter for the broker
let monitor = MultiMonitor::new(|s| println!("{}", s));
// Build and run a Launcher
match Launcher::builder()
.shmem_provider(shmem_provider)
.broker_port(broker_port)
.configuration(EventConfig::from_build_id())
.monitor(monitor)
.run_client(&mut run_client)
.cores(&cores)
.stdout_file(Some("/dev/null"))
.build()
.launch()
{
Ok(()) => (),
Err(Error::ShuttingDown) => println!("Fuzzing stopped by user. Good bye."),
Err(err) => panic!("Failed to run launcher: {:?}", err),
}
}

2
fuzzers/tutorial/Cargo.toml
View File

@ -1,6 +1,6 @@
[package]
name = "tutorial"
version = "0.6.1"
version = "0.7.0"
authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>", "Dominik Maier <domenukk@gmail.com>"]
edition = "2021"

4
libafl/Cargo.toml
View File

@ -1,6 +1,6 @@
[package]
name = "libafl"
version = "0.6.1"
version = "0.7.0"
authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>", "Dominik Maier <domenukk@gmail.com>"]
description = "Slot your own fuzzers together and extend their features using Rust"
documentation = "https://docs.rs/libafl"
@ -59,7 +59,7 @@ typed-builder = "0.9.0" # Implement the builder pattern at compiletime
ahash = { version = "0.7", default-features=false, features=["compile-time-rng"] } # The hash function already used in hashbrown
intervaltree = { git = "https://github.com/andreafioraldi/rust-intervaltree", version = "0.2.6", default-features = false, features = ["serde"] }
libafl_derive = { version = "0.6.1", optional = true, path = "../libafl_derive" }
libafl_derive = { version = "0.7.0", optional = true, path = "../libafl_derive" }
serde_json = { version = "1.0", optional = true, default-features = false, features = ["alloc"] } # an easy way to debug print SerdeAnyMap
miniz_oxide = { version = "0.4.4", optional = true}
core_affinity = { version = "0.5", git = "https://github.com/s1341/core_affinity_rs", rev = "6648a7a", optional = true }

2
libafl_cc/Cargo.toml
View File

@ -1,6 +1,6 @@
[package]
name = "libafl_cc"
version = "0.6.1"
version = "0.7.0"
authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>"]
description = "Commodity library to wrap compilers and link LibAFL"
documentation = "https://docs.rs/libafl_cc"

2
libafl_concolic/symcc_libafl/Cargo.toml
View File

@ -1,6 +1,6 @@
[package]
name = "symcc_libafl"
version = "0.1.0"
version = "0.7.0"
edition = "2021"
authors = ["Julius Hohnerlein <julihoh@users.noreply.github.com>", "Andrea Fioraldi <andreafioraldi@gmail.com>", "Dominik Maier <domenukk@gmail.com>"]
description = "Meta package for symcc_runtime"

6
libafl_concolic/symcc_runtime/Cargo.toml
View File

@ -1,6 +1,6 @@
[package]
name = "symcc_runtime"
version = "0.1.2"
version = "0.7.0"
edition = "2021"
authors = ["Julius Hohnerlein <julihoh@users.noreply.github.com>", "Andrea Fioraldi <andreafioraldi@gmail.com>", "Dominik Maier <domenukk@gmail.com>"]
description = "Build Concolic Tracing tools based on SymCC in Rust"
@ -21,7 +21,7 @@ no-cpp-runtime = []
unchecked_unwrap = "3"
ctor = "0.1"
libc = "0.2"
libafl = {path = "../../libafl", version="0.6", default-features=false, features=["std"]}
libafl = {path = "../../libafl", version="0.7", default-features=false, features=["std"]}
[build-dependencies]
cmake = "0.1"
@ -29,4 +29,4 @@ bindgen = "0.59"
regex = "1"
lazy_static = "1.4"
which = "4.1"
symcc_libafl = {path = "../symcc_libafl", version="0.1"}
symcc_libafl = {path = "../symcc_libafl", version="0.7"}

2
libafl_derive/Cargo.toml
View File

@ -1,6 +1,6 @@
[package]
name = "libafl_derive"
version = "0.6.1"
version = "0.7.0"
authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>"]
description = "Derive proc-macro crate for LibAFL"
documentation = "https://docs.rs/libafl_derive"

6
libafl_frida/Cargo.toml
View File

@ -1,6 +1,6 @@
[package]
name = "libafl_frida"
version = "0.6.1"
version = "0.7.0"
authors = ["s1341 <github@shmarya.net>"]
description = "Frida backend library for LibAFL"
documentation = "https://docs.rs/libafl_frida"
@ -19,8 +19,8 @@ cmplog = []
cc = { version = "1.0", features = ["parallel"] }
[dependencies]
libafl = { path = "../libafl", version = "0.6.1", features = ["std", "libafl_derive"] }
libafl_targets = { path = "../libafl_targets", version = "0.6.1", features = ["std", "sancov_cmplog"] }
libafl = { path = "../libafl", version = "0.7.0", features = ["std", "libafl_derive"] }
libafl_targets = { path = "../libafl_targets", version = "0.7.0", features = ["std", "sancov_cmplog"] }
nix = "0.23.0"
libc = "0.2"
hashbrown = "0.11"

6
libafl_qemu/Cargo.toml
View File

@ -1,6 +1,6 @@
[package]
name = "libafl_qemu"
version = "0.6.1"
version = "0.7.0"
authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>"]
description = "QEMU user backend library for LibAFL"
documentation = "https://docs.rs/libafl_qemu"
@ -15,8 +15,8 @@ python = ["pyo3", "pyo3-build-config"]
default = []
[dependencies]
libafl = { path = "../libafl", version = "0.6.1" }
libafl_targets = { path = "../libafl_targets", version = "0.6.1" }
libafl = { path = "../libafl", version = "0.7.0" }
libafl_targets = { path = "../libafl_targets", version = "0.7.0" }
serde = { version = "1.0", default-features = false, features = ["alloc"] } # serialization lib
hashbrown = { version = "0.9", features = ["serde", "ahash-compile-time-rng"] } # A faster hashmap, nostd compatible
num-traits = "0.2"

8
libafl_sugar/Cargo.toml
View File

@ -1,6 +1,6 @@
[package]
name = "libafl_sugar"
version = "0.6.1"
version = "0.7.0"
authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>"]
description = "Sugar builders to create common fuzzers with LibAFL"
documentation = "https://docs.rs/libafl_sugar"
@ -19,9 +19,9 @@ default = []
pyo3-build-config = { version = "0.14.5", optional = true }
[dependencies]
libafl = { path = "../libafl", version = "0.6.1" }
libafl_targets = { path = "../libafl_targets", version = "0.6.1" }
libafl_qemu = { path = "../libafl_qemu", version = "0.6.1" }
libafl = { path = "../libafl", version = "0.7.0" }
libafl_targets = { path = "../libafl_targets", version = "0.7.0" }
libafl_qemu = { path = "../libafl_qemu", version = "0.7.0" }
typed-builder = "0.9.0" # Implement the builder pattern at compiletime
#pyo3 = { version = "0.14.3", features = ["extension-module"], optional = true }
pyo3 = { version = "0.14.3", optional = true }

4
libafl_targets/Cargo.toml
View File

@ -1,6 +1,6 @@
[package]
name = "libafl_targets"
version = "0.6.1"
version = "0.7.0"
authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>"]
description = "Common code for target instrumentation that can be used combined with LibAFL"
documentation = "https://docs.rs/libafl_targets"
@ -28,6 +28,6 @@ cc = { version = "1.0", features = ["parallel"] }
[dependencies]
rangemap = "0.1.10"
libafl = { path = "../libafl", version = "0.6.1", features = [] }
libafl = { path = "../libafl", version = "0.7.0", features = [] }
serde = { version = "1.0", default-features = false, features = ["alloc"] } # serialization lib
# serde-big-array = "0.3.2"