SYS-OSS/FRET-LibAFL
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Move to just (binary_only / full_system) (#2949)

Browse Source 
* just port for binary only / systemmode fuzzers

* introduce just libraries, with pre-initialized variables and common recipes

---------

Co-authored-by: Dongjia "toka" Zhang <tokazerkje@outlook.com>
This commit is contained in:
Romain Malmain 2025-02-13 12:42:38 +01:00 committed by GitHub
parent 99e763ff7d
commit cb471a9282
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
59 changed files with 1060 additions and 2923 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.devcontainer/devcontainer.json
View File

@ -23,7 +23,7 @@
// "forwardPorts": [], // "forwardPorts": [],
// Uncomment the next line to run commands after the container is created - for example installing curl. // Uncomment the next line to run commands after the container is created - for example installing curl.
// Install development components that shouldn't be in the main Dockerfile // Install development components that shouldn't be in the main Dockerfile
"postCreateCommand": "rustup component add --toolchain nightly rustfmt clippy llvm-tools-preview && cargo binstall --locked cargo-make", "postCreateCommand": "rustup component add --toolchain nightly rustfmt clippy llvm-tools-preview",
// Uncomment when using a ptrace-based debugger like C++, Go, and Rust // Uncomment when using a ptrace-based debugger like C++, Go, and Rust
"runArgs": [ "runArgs": [
"--cap-add=SYS_PTRACE", "--cap-add=SYS_PTRACE",

23
.github/workflows/build_and_test.yml vendored
View File

@ -259,7 +259,7 @@ jobs:
# Binary-only # Binary-only
- ./fuzzers/binary_only/fuzzbench_fork_qemu - ./fuzzers/binary_only/fuzzbench_fork_qemu
- ./fuzzers/binary_only/frida_executable_libpng - ./fuzzers/binary_only/frida_executable_libpng
- ./fuzzers/binary_only/frida_windows_gdiplus # - ./fuzzers/binary_only/frida_windows_gdiplus
- ./fuzzers/binary_only/frida_libpng - ./fuzzers/binary_only/frida_libpng
- ./fuzzers/binary_only/fuzzbench_qemu - ./fuzzers/binary_only/fuzzbench_qemu
- ./fuzzers/binary_only/intel_pt_baby_fuzzer - ./fuzzers/binary_only/intel_pt_baby_fuzzer
@ -291,7 +291,6 @@ jobs:
# In-process # In-process
- ./fuzzers/fuzz_anything/cargo_fuzz - ./fuzzers/fuzz_anything/cargo_fuzz
# - ./fuzzers/inprocess/dynamic_analysis
- ./fuzzers/inprocess/fuzzbench - ./fuzzers/inprocess/fuzzbench
- ./fuzzers/inprocess/fuzzbench_text - ./fuzzers/inprocess/fuzzbench_text
- ./fuzzers/inprocess/fuzzbench_ctx - ./fuzzers/inprocess/fuzzbench_ctx
@ -303,10 +302,10 @@ jobs:
- ./fuzzers/inprocess/libfuzzer_libpng_cmin - ./fuzzers/inprocess/libfuzzer_libpng_cmin
- ./fuzzers/inprocess/libfuzzer_libpng_norestart - ./fuzzers/inprocess/libfuzzer_libpng_norestart
# - ./fuzzers/inprocess/libfuzzer_libpng_tcp_manager # - ./fuzzers/inprocess/libfuzzer_libpng_tcp_manager
# - ./fuzzers/inprocess/libfuzzer_windows_asan
- ./fuzzers/inprocess/libfuzzer_stb_image_sugar - ./fuzzers/inprocess/libfuzzer_stb_image_sugar
- ./fuzzers/inprocess/libfuzzer_stb_image - ./fuzzers/inprocess/libfuzzer_stb_image
# - ./fuzzers/structure_aware/libfuzzer_stb_image_concolic # - ./fuzzers/structure_aware/libfuzzer_stb_image_concolic
# - ./fuzzers/inprocess/libfuzzer_windows_asan
# - ./fuzzers/inprocess/sqlite_centralized_multi_machine # - ./fuzzers/inprocess/sqlite_centralized_multi_machine
# Fuzz Anything # Fuzz Anything
@ -429,9 +428,9 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: ./.github/workflows/windows-tester-prepare - uses: ./.github/workflows/windows-tester-prepare
- name: Build fuzzers/binary_only/frida_libpng - name: Build fuzzers/binary_only/frida_libpng
run: cd fuzzers/binary_only/frida_libpng/ && cargo make test run: cd fuzzers/binary_only/frida_libpng/ && just test
windows-frida-libfuzzer-stb-image: windows-libfuzzer-stb-image:
runs-on: windows-latest runs-on: windows-latest
needs: needs:
- common - common
@ -441,6 +440,16 @@ jobs:
- name: Build fuzzers/inprocess/libfuzzer_stb_image - name: Build fuzzers/inprocess/libfuzzer_stb_image
run: cd fuzzers/inprocess/libfuzzer_stb_image && cargo build --release run: cd fuzzers/inprocess/libfuzzer_stb_image && cargo build --release
windows-libfuzzer-asan:
runs-on: windows-latest
needs:
- common
steps:
- uses: actions/checkout@v4
- uses: ./.github/workflows/windows-tester-prepare
- name: Build fuzzers/inprocess/libfuzzer_windows_asan
run: cd fuzzers/inprocess/libfuzzer_windows_asan && just test
windows-frida-gdiplus: windows-frida-gdiplus:
runs-on: windows-latest runs-on: windows-latest
needs: needs:
@ -449,7 +458,7 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: ./.github/workflows/windows-tester-prepare - uses: ./.github/workflows/windows-tester-prepare
- name: Build fuzzers/binary_only/frida_windows_gdiplus - name: Build fuzzers/binary_only/frida_windows_gdiplus
run: cd fuzzers/binary_only/frida_windows_gdiplus/ && cargo make test && cargo make test_cmplog run: cd fuzzers/binary_only/frida_windows_gdiplus/ && just test && just test_cmplog
windows-tinyinst-simple: windows-tinyinst-simple:
runs-on: windows-latest runs-on: windows-latest
@ -461,7 +470,7 @@ jobs:
- uses: actions/checkout@v4 - uses: actions/checkout@v4
- uses: ./.github/workflows/windows-tester-prepare - uses: ./.github/workflows/windows-tester-prepare
- name: Build fuzzers/binary_only/tinyinst_simple - name: Build fuzzers/binary_only/tinyinst_simple
run: cd fuzzers/binary_only/tinyinst_simple/ && cargo make test run: cd fuzzers/binary_only/tinyinst_simple/ && just test
windows-clippy: windows-clippy:
runs-on: windows-latest runs-on: windows-latest

4
.github/workflows/fuzzer-tester-prepare/action.yml vendored
View File

@ -22,10 +22,6 @@ runs:
- name: Add wasm target - name: Add wasm target
shell: bash shell: bash
run: rustup target add wasm32-unknown-unknown run: rustup target add wasm32-unknown-unknown
- name: install cargo-make
uses: baptiste0928/cargo-install@v3
with:
crate: cargo-make
- name: install just - name: install just
uses: extractions/setup-just@v2 uses: extractions/setup-just@v2
with: with:

4
.github/workflows/qemu-fuzzer-tester-prepare/action.yml vendored
View File

@ -10,10 +10,6 @@ runs:
- name: enable mult-thread for `make` - name: enable mult-thread for `make`
shell: bash shell: bash
run: export MAKEFLAGS="-j$(expr $(nproc) \+ 1)" run: export MAKEFLAGS="-j$(expr $(nproc) \+ 1)"
- name: install cargo-make
uses: baptiste0928/cargo-install@v3
with:
crate: cargo-make
- name: install just - name: install just
uses: extractions/setup-just@v2 uses: extractions/setup-just@v2
with: with:

3
.github/workflows/windows-tester-prepare/action.yml vendored
View File

@ -15,9 +15,6 @@ runs:
- name: Set LIBCLANG_PATH - name: Set LIBCLANG_PATH
shell: pwsh shell: pwsh
run: echo "LIBCLANG_PATH=$((gcm clang).source -replace "clang.exe")" >> $env:GITHUB_ENV run: echo "LIBCLANG_PATH=$((gcm clang).source -replace "clang.exe")" >> $env:GITHUB_ENV
- name: install cargo-make
shell: pwsh
run: cargo install --force cargo-make
- name: install just - name: install just
uses: extractions/setup-just@v2 uses: extractions/setup-just@v2
with: with:

8
README.md
View File

@ -29,8 +29,8 @@ LibAFL is fast, multi-platform, no_std compatible, and scales over cores and mac
- **LLVM tools** - **LLVM tools**
- The LLVM tools (including clang, clang++) are needed (newer than LLVM 15.0.0 up to LLVM 18.1.3) If you are using Debian/Ubuntu, again, we highly recommmend that you install the package from [here](https://apt.llvm.org/) - The LLVM tools (including clang, clang++) are needed (newer than LLVM 15.0.0 up to LLVM 18.1.3) If you are using Debian/Ubuntu, again, we highly recommmend that you install the package from [here](https://apt.llvm.org/)
- (In `libafl_concolic`, we only support LLVM version newer than 18) - (In `libafl_concolic`, we only support LLVM version newer than 18)
- Cargo-make: - Just:
- We use cargo-make to build the fuzzers in `fuzzers/` directory. You can install it with `cargo install cargo-make` - We use [just](https://github.com/casey/just) to build the fuzzers in `fuzzers/` directory. You can find instructions to install it in your environment [in the Just Programmer's Manual](https://just.systems/man/en/packages.html).
#### Clone the LibAFL repository with #### Clone the LibAFL repository with
```sh ```sh
@ -52,9 +52,9 @@ cd docs && mdbook serve
We collect all example fuzzers in [`./fuzzers`](./fuzzers/). We collect all example fuzzers in [`./fuzzers`](./fuzzers/).
Be sure to read their documentation (and source), this is *the natural way to get started!* Be sure to read their documentation (and source), this is *the natural way to get started!*
```sh ```sh
cargo make run just run
``` ```
You can run each example fuzzer with this following command, as long as the fuzzer directory has `Makefile.toml` file. The best-tested fuzzer is [`./fuzzers/inprocess/libfuzzer_libpng`](./fuzzers/inprocess/libfuzzer_libpng), a multicore libfuzzer-like fuzzer using LibAFL for a libpng harness. You can run each example fuzzer with this following command, as long as the fuzzer directory has a `Justfile` file. The best-tested fuzzer is [`./fuzzers/inprocess/libfuzzer_libpng`](./fuzzers/inprocess/libfuzzer_libpng), a multicore libfuzzer-like fuzzer using LibAFL for a libpng harness.
### Resources ### Resources
- [Installation guide](./docs/src/getting_started/setup.md) - [Installation guide](./docs/src/getting_started/setup.md)

50
fuzzers/binary_only/frida_executable_libpng/Justfile Normal file
View File

@ -0,0 +1,50 @@
import "../../../just/libafl.just"
FUZZER_NAME := "libfrida_executable_fuzzer"
FUZZER_LIB := FUZZER + ".so"
[unix]
libpng:
#!/bin/bash
if [ ! -f v1.6.37.tar.gz ]; then
wget https://github.com/glennrp/libpng/archive/refs/tags/v1.6.37.tar.gz
fi
tar -xvf v1.6.37.tar.gz
[unix]
lib: libpng
cd libpng-1.6.37 && ./configure --enable-shared=no --with-pic=yes --enable-hardware-optimizations=yes
make -j -C libpng-1.6.37
[unix]
harness: lib
clang++ -O0 -c -fPIC harness.cc -o harness.o
clang++ -O0 harness.cc libpng-1.6.37/.libs/libpng16.a -lz -o libpng-harness -g
[unix]
build:
cargo build --profile {{ PROFILE }}
[unix]
run: build harness
LD_PRELOAD={{ FUZZER_LIB }} ./libpng-harness -i corpus -o out -H ./libpng-harness
[unix]
test: build harness
#!/bin/bash
rm -rf libafl_unix_shmem_server || true
LD_PRELOAD={{ FUZZER_LIB }} ./libpng-harness -i corpus -o out -H ./libpng-harness > fuzz_stdout.log &
sleep 10s && pkill libpng-harness
if grep -qa "corpus: 30" fuzz_stdout.log; then
echo "Fuzzer is working"
else
echo "Fuzzer does not generate any testcases or any crashes"
exit 1
fi
[unix]
clean:
rm -rf ./libpng-harness
make -C libpng-1.6.37 clean
cargo clean

120
fuzzers/binary_only/frida_executable_libpng/Makefile.toml
View File

@ -1,120 +0,0 @@
# Variables
[env]
CARGO_TARGET_DIR = { value = "target", condition = { env_not_set = [
"CARGO_TARGET_DIR",
] } }
PROFILE = { value = "release", condition = { env_not_set = ["PROFILE"] } }
PROFILE_DIR = { source = "${PROFILE}", default_value = "release", mapping = { "release" = "release", "dev" = "debug" }, condition = { env_not_set = [
"PROFILE_DIR",
] } }
[tasks.unsupported]
script_runner = "@shell"
script = '''
echo "Cargo-make not integrated yet on this"
'''
# libpng
[tasks.libpng]
linux_alias = "libpng_unix"
mac_alias = "unsupported"
windows_alias = "unsupported"
[tasks.libpng_unix]
condition = { files_not_exist = ["./libpng-1.6.37"] }
script_runner = "@shell"
script = '''
wget https://github.com/glennrp/libpng/archive/refs/tags/v1.6.37.tar.gz
tar -xvf v1.6.37.tar.gz
'''
# Library
[tasks.lib]
linux_alias = "lib_unix"
mac_alias = "unsupported"
windows_alias = "unsupported"
[tasks.lib_unix]
script_runner = "@shell"
script = '''
cd libpng-1.6.37 && ./configure --enable-shared=no --with-pic=yes --enable-hardware-optimizations=yes
cd ..
make -C libpng-1.6.37
'''
dependencies = ["libpng"]
# Harness
[tasks.harness]
linux_alias = "harness_unix"
mac_alias = "unsupported"
windows_alias = "unsupported"
[tasks.harness_unix]
script_runner = "@shell"
script = '''
clang++ -O0 -c -fPIC harness.cc -o harness.o
clang++ -O0 harness.cc libpng-1.6.37/.libs/libpng16.a -lz -o libpng-harness -g
'''
dependencies = ["lib"]
# Fuzzer
[tasks.fuzzer]
linux_alias = "fuzzer_unix"
mac_alias = "unsupported"
windows_alias = "unsupported"
[tasks.fuzzer_unix]
script_runner = "@shell"
script = '''
cargo build --profile ${PROFILE}
'''
# Run the fuzzer
[tasks.run]
linux_alias = "run_unix"
mac_alias = "unsupported"
windows_alias = "unsupported"
[tasks.run_unix]
script_runner = "@shell"
script = '''
LD_PRELOAD=$CARGO_TARGET_DIR/${PROFILE_DIR}/libfrida_executable_fuzzer.so ./libpng-harness -i corpus -o out -H ./libpng-harness
'''
dependencies = ["fuzzer", "harness"]
# Test
[tasks.test]
linux_alias = "test_unix"
mac_alias = "unsupported"
windows_alias = "unsupported"
[tasks.test_unix]
script_runner = "@shell"
script = '''
rm -rf libafl_unix_shmem_server || true
LD_PRELOAD=$CARGO_TARGET_DIR/${PROFILE_DIR}/libfrida_executable_fuzzer.so ./libpng-harness -i corpus -o out -H ./libpng-harness > fuzz_stdout.log &
sleep 10s && pkill libpng-harness
if grep -qa "corpus: 30" fuzz_stdout.log; then
echo "Fuzzer is working"
else
echo "Fuzzer does not generate any testcases or any crashes"
exit 1
fi
'''
dependencies = ["fuzzer", "harness"]
# Clean up
[tasks.clean]
linux_alias = "clean_unix"
mac_alias = "unsupported"
windows_alias = "unsupported"
[tasks.clean_unix]
# Disable default `clean` definition
clear = true
script_runner = "@shell"
script = '''
rm -f ./libpng-harness
make -C libpng-1.6.37 clean
cargo clean
'''

67
fuzzers/binary_only/frida_libpng/Justfile Normal file
View File

@ -0,0 +1,67 @@
import "../../../just/libafl.just"
FUZZER_NAME := "frida_fuzzer"
FUZZER_NAME_WIN := "frida_fuzzer.exe"
set windows-shell := ['cmd.exe', '/c']
set unstable
[unix]
libpng:
#!/bin/bash
if [ ! -f v1.6.37.tar.gz ]; then
wget https://github.com/glennrp/libpng/archive/refs/tags/v1.6.37.tar.gz
fi
tar -xvf v1.6.37.tar.gz
[unix]
lib: libpng
cd libpng-1.6.37 && ./configure --enable-shared=no --with-pic=yes --enable-hardware-optimizations=yes
make -j -C libpng-1.6.37
[unix]
harness: lib
clang++ -O3 -c -fPIC harness.cc -o harness.o
clang++ -O3 harness.o libpng-1.6.37/.libs/libpng16.a -shared -lz -o libpng-harness.so
[windows]
harness:
cl /c harness_win.cpp && link harness_win.obj /dll
[unix]
[windows]
build:
cargo build --profile {{ PROFILE }}
[unix]
run: build harness
{{ FUZZER }} -F LLVMFuzzerTestOneInput -H ./libpng-harness.so -l ./libpng-harness.so
[windows]
run: build harness
{{TARGET_DIR}}\{{PROFILE}}\{{FUZZER_NAME_WIN}} -F LLVMFuzzerTestOneInput -H .\harness_win.dll -l .\harness_win.dll --cores=0
[unix]
test: build harness
#!/bin/bash
rm -rf libafl_unix_shmem_server || true
timeout 30s {{ FUZZER }} -F LLVMFuzzerTestOneInput -H ./libpng-harness.so -l ./libpng-harness.so | tee fuzz_stdout.log 2>/dev/null || true
if grep -qa "corpus: 70" fuzz_stdout.log; then
echo "Fuzzer is working"
else
echo "Fuzzer does not generate any testcases or any crashes"
exit 1
fi
[windows]
[script("cmd.exe", "/c")]
test: build harness
start "" "{{TARGET_DIR}}\{{PROFILE}}\{{FUZZER_NAME_WIN}}" -F LLVMFuzzerTestOneInput -H .\harness_win.dll -l .\harness_win.dll --cores=0
ping -n 10 127.0.0.1>NUL && taskkill /im frida_fuzzer.exe /F
dir /a-d corpus_discovered && (echo Files exist) || (exit /b 1337)
[unix]
clean:
make -C libpng-1.6.37 clean
cargo clean

160
fuzzers/binary_only/frida_libpng/Makefile.toml
View File

@ -1,160 +0,0 @@
# Variables
[env]
CARGO_TARGET_DIR = { value = "target", condition = { env_not_set = [
"CARGO_TARGET_DIR",
] } }
FUZZER_NAME = { source = "${CARGO_MAKE_RUST_TARGET_OS}", default_value = "frida_fuzzer", mapping = { "linux" = "frida_fuzzer", "macos" = "frida_fuzzer", "windows" = "frida_fuzzer.exe" } }
PROFILE = { value = "release", condition = { env_not_set = ["PROFILE"] } }
PROFILE_DIR = { source = "${PROFILE}", default_value = "release", mapping = { "release" = "release", "dev" = "debug" }, condition = { env_not_set = [
"PROFILE_DIR",
] } }
[tasks.unsupported]
script_runner = "@shell"
script = '''
echo "Cargo-make not integrated yet on this"
'''
# libpng
[tasks.libpng]
linux_alias = "libpng_unix"
mac_alias = "libpng_unix"
windows_alias = "unsupported"
[tasks.libpng_unix]
condition = { files_not_exist = ["./libpng-1.6.37"] }
script_runner = "@shell"
script = '''
wget https://github.com/glennrp/libpng/archive/refs/tags/v1.6.37.tar.gz
tar -xvf v1.6.37.tar.gz
'''
# Library
[tasks.lib]
linux_alias = "lib_unix"
mac_alias = "lib_unix"
windows_alias = "unsupported"
[tasks.lib_unix]
script_runner = "@shell"
script = '''
cd libpng-1.6.37 && ./configure --enable-shared=no --with-pic=yes --enable-hardware-optimizations=yes --disable-dependency-tracking
cd ..
make -C libpng-1.6.37
'''
dependencies = ["libpng"]
# Harness
[tasks.harness]
linux_alias = "harness_unix"
mac_alias = "harness_unix"
windows_alias = "harness_windows"
[tasks.harness_unix]
script_runner = "@shell"
script = '''
clang++ -O3 -c -fPIC harness.cc -o harness.o
clang++ -O3 harness.o libpng-1.6.37/.libs/libpng16.a -shared -lz -o libpng-harness.so
'''
dependencies = ["lib"]
[tasks.harness_windows]
script_runner = "@shell"
script = '''
cl /c harness_win.cpp && link harness_win.obj /dll
'''
# Fuzzer
[tasks.fuzzer]
linux_alias = "fuzzer_unix"
mac_alias = "fuzzer_unix"
windows_alias = "fuzzer_windows"
[tasks.fuzzer_unix]
script_runner = "@shell"
script = '''
cargo build --profile ${PROFILE}
cp ${CARGO_TARGET_DIR}/${PROFILE_DIR}/${FUZZER_NAME} .
'''
[tasks.fuzzer_windows]
script_runner = "@shell"
script = '''
cargo build --profile ${PROFILE}
cp ./target/${PROFILE_DIR}/${FUZZER_NAME} .
'''
# Run the fuzzer
[tasks.run]
linux_alias = "run_unix"
mac_alias = "run_unix"
windows_alias = "run_windows"
[tasks.run_unix]
script_runner = "@shell"
script = '''
./${FUZZER_NAME} -F LLVMFuzzerTestOneInput -H ./libpng-harness.so -l ./libpng-harness.so
'''
dependencies = ["fuzzer", "harness"]
[tasks.run_windows]
script_runner = "@shell"
script = '''
./${FUZZER_NAME} -F LLVMFuzzerTestOneInput -H ./harness_win.dll -l ./harness_win.dll --cores=0
'''
dependencies = ["fuzzer", "harness"]
# Test
[tasks.test]
linux_alias = "test_unix"
mac_alias = "test_mac"
windows_alias = "test_windows"
[tasks.test_unix]
script_runner = "@shell"
script = '''
rm -rf libafl_unix_shmem_server || true
timeout 30s ./${FUZZER_NAME} -F LLVMFuzzerTestOneInput -H ./libpng-harness.so -l ./libpng-harness.so | tee fuzz_stdout.log 2>/dev/null || true
if grep -qa "corpus: 70" fuzz_stdout.log; then
echo "Fuzzer is working"
else
echo "Fuzzer does not generate any testcases or any crashes"
exit 1
fi
'''
dependencies = ["fuzzer", "harness"]
# Don't grep and check the result on macOS because it's unstable
[tasks.test_mac]
script_runner = "@shell"
script = '''
rm -rf libafl_unix_shmem_server || true
timeout 30s ./${FUZZER_NAME} -F LLVMFuzzerTestOneInput -H ./libpng-harness.so -l ./libpng-harness.so | tee fuzz_stdout.log 2>/dev/null || true
'''
dependencies = ["fuzzer", "harness"]
[tasks.test_windows]
script_runner = "@shell"
script = '''
start "" "frida_fuzzer.exe" -F LLVMFuzzerTestOneInput -H ./harness_win.dll -l ./harness_win.dll --cores=0
#ping is for timeout
ping -n 10 127.0.0.1>NUL && taskkill /im frida_fuzzer.exe /F
>nul 2>nul dir /a-d "corpus_discovered\*" && (echo Files exist) || (exit /b 1337)
'''
dependencies = ["fuzzer", "harness"]
# Clean up
[tasks.clean]
linux_alias = "clean_unix"
mac_alias = "clean_unix"
windows_alias = "unsupported"
[tasks.clean_unix]
# Disable default `clean` definition
clear = true
script_runner = "@shell"
script = '''
rm -f ./${FUZZER_NAME}
make -C libpng-1.6.37 clean
cargo clean
'''

49
fuzzers/binary_only/frida_windows_gdiplus/Justfile Normal file
View File

@ -0,0 +1,49 @@
import "../../../just/libafl.just"
FUZZER_NAME := "frida_windows_gdiplus.exe"
set windows-shell := ['cmd.exe', '/c']
set unstable
[windows]
harness:
cl.exe /LD harness.cc /link /dll gdiplus.lib ole32.lib
[windows]
harness_cmplog_test:
ml64 cmplog_test.asm /subsystem:windows /link /dll /def:cmplog_test.def /entry:dll_main /out:cmplog.dll
[windows]
build:
cargo build --profile {{ PROFILE }}
copy {{TARGET_DIR}}\{{PROFILE}}\{{FUZZER_NAME}} .
[windows]
run: build harness
.\{{TARGET_DIR}}\{{PROFILE}}\{{FUZZER_NAME}} -H harness.dll -i corpus -o output --libs-to-instrument gdi32.dll --libs-to-instrument gdi32full.dll --libs-to-instrument gdiplus.dll --libs-to-instrument WindowsCodecs.dll --disable-excludes
[windows]
[script("cmd.exe", "/c")]
test_cmplog: build harness_cmplog_test
@echo off
for %%i in (t1 t2 t3 t4 t5 t6 t7) do (
echo Testing %%i...
rmdir /s /q output_%%i
start "" "{{FUZZER_NAME}}" -H cmplog.dll -i corpus -o output_%%i --libs-to-instrument cmplog.dll -F %%i -C
ping -n 3 127.0.0.1>NUL && taskkill /im {{ FUZZER }} /F
dir /a-d "output_%%i" && (echo Files exist) || (exit /b 1337)
)
echo All tests done
[windows]
[script("cmd.exe", "/c")]
test: build harness
start "" "{{FUZZER_NAME}}" -H harness.dll -i corpus -o output --libs-to-instrument gdi32.dll --libs-to-instrument gdi32full.dll --libs-to-instrument gdiplus.dll --libs-to-instrument WindowsCodecs.dll --disable-excludes
ping -n 10 127.0.0.1>NUL && taskkill /im frida_windows_gdiplus.exe /F
dir /a-d corpus_discovered && (echo Files exist) || (exit /b 1337)
[windows]
clean:
make -C libpng-1.6.37 clean
cargo clean

99
fuzzers/binary_only/frida_windows_gdiplus/Makefile.toml
View File

@ -1,99 +0,0 @@
# Variables
[env]
CARGO_TARGET_DIR = { value = "target", condition = { env_not_set = [
"CARGO_TARGET_DIR",
] } }
FUZZER_NAME = { source = "${CARGO_MAKE_RUST_TARGET_OS}", default_value = "frida_windows_gdiplus", mapping = { "linux" = "frida_windows_gdiplus", "macos" = "frida_windows_gdiplus", "windows" = "frida_windows_gdiplus.exe" } }
PROFILE = { value = "release", condition = { env_not_set = ["PROFILE"] } }
PROFILE_DIR = { source = "${PROFILE}", default_value = "release", mapping = { "release" = "release", "dev" = "debug" }, condition = { env_not_set = [
"PROFILE_DIR",
] } }
[tasks.unsupported]
script_runner = "@shell"
script = '''
echo "Cargo-make not integrated yet on this"
'''
# Harness
[tasks.harness]
linux_alias = "unsupported"
mac_alias = "unsupported"
windows_alias = "harness_windows"
[tasks.harness_windows]
script_runner = "@shell"
script = '''
cl.exe /LD harness.cc /link /dll gdiplus.lib ole32.lib
'''
[tasks.harness_windows_cmplog_test]
script_runner = "@shell"
script = '''
ml64 cmplog_test.asm /subsystem:windows /link /dll /def:cmplog_test.def /entry:dll_main /out:cmplog.dll
'''
# Fuzzer
[tasks.fuzzer]
linux_alias = "unsupported"
mac_alias = "unsupported"
windows_alias = "fuzzer_windows"
[tasks.fuzzer_windows]
script_runner = "@shell"
script = '''
cargo build --profile ${PROFILE}
cp ./target/${PROFILE_DIR}/${FUZZER_NAME} .
'''
# Run the fuzzer
[tasks.run]
linux_alias = "unsupported"
mac_alias = "unsupported"
windows_alias = "run_windows"
[tasks.run_windows]
script_runner = "@shell"
script = '''
./${FUZZER_NAME} -H harness.dll -i corpus -o output --libs-to-instrument gdi32.dll --libs-to-instrument gdi32full.dll --libs-to-instrument gdiplus.dll --libs-to-instrument WindowsCodecs.dll --disable-excludes
'''
dependencies = ["fuzzer", "harness"]
# Test
[tasks.test]
linux_alias = "unsupported"
mac_alias = "unsupported"
windows_alias = "test_windows"
[tasks.test_cmplog]
linux_alias = "unsupported"
mac_alias = "unsupported"
windows_alias = "test_windows_cmplog"
[tasks.test_windows_cmplog]
script_runner = "@shell"
script = '''
@echo off
for %%i in (t1 t2 t3 t4 t5 t6 t7) do (
echo Testing %%i...
rmdir /s /q output_%%i
start "" "frida_windows_gdiplus.exe" -H cmplog.dll -i corpus -o output_%%i --libs-to-instrument cmplog.dll -F %%i -C
ping -n 3 127.0.0.1>NUL && taskkill /im frida_windows_gdiplus.exe /F
>nul 2>nul dir /a-d "output_%%i" && (echo Files exist) || (exit /b 1337)
)
echo All tests done
'''
dependencies = ["fuzzer", "harness_windows_cmplog_test"]
[tasks.test_windows]
script_runner = "@shell"
script = '''
start "" "frida_windows_gdiplus.exe" -H harness.dll -i corpus -o output --libs-to-instrument gdi32.dll --libs-to-instrument gdi32full.dll --libs-to-instrument gdiplus.dll --libs-to-instrument WindowsCodecs.dll --disable-excludes
#ping is for timeout
ping -n 10 127.0.0.1>NUL && taskkill /im frida_windows_gdiplus.exe /F
>nul 2>nul dir /a-d "corpus_discovered\*" && (echo Files exist) || (exit /b 1337)
'''
dependencies = ["fuzzer", "harness"]

44
fuzzers/binary_only/fuzzbench_fork_qemu/Justfile Normal file
View File

@ -0,0 +1,44 @@
import "../../../just/libafl.just"
FUZZER_NAME := "fuzzbench_fork_qemu"
[unix]
harness:
cc -c libfuzzer_main.c
cc \
./fuzz.c \
./libfuzzer_main.o \
-o {{ BUILD_DIR }}/harness \
-lm -lz
[unix]
build:
cargo build --profile {{ PROFILE }}
[unix]
run: build harness
cargo run \
--profile {{ PROFILE }} \
./{{ FUZZER_NAME }} \
-- \
--libafl-in ./corpus \
--libafl-out ./out \
./{{ FUZZER_NAME }}
[unix]
test: build harness
#!/bin/bash
rm -rf out/
timeout 15s {{ FUZZER }} {{ BUILD_DIR }}/harness -- --libafl-in ../../inprocess/libfuzzer_libpng/corpus --libafl-out out ./harness | tee fuzz_stdout.log
if grep -qa "corpus: 5" fuzz_stdout.log; then
echo "Fuzzer is working"
else
echo "Fuzzer does not generate any testcases or any crashes"
exit 1
fi
[unix]
clean:
cargo clean

115
fuzzers/binary_only/fuzzbench_fork_qemu/Makefile.toml
View File

@ -1,115 +0,0 @@
env_scripts = ['''
#!@duckscript
profile = get_env PROFILE
if eq ${profile} "dev"
set_env PROFILE_DIR debug
else
set_env PROFILE_DIR ${profile}
end
''', '''
#!@duckscript
runs_on_ci = get_env RUN_ON_CI
if ${runs_on_ci}
cargo_target_dir = get_env CARGO_MAKE_CRATE_TARGET_DIRECTORY
set_env TARGET_DIR ${cargo_target_dir}
end
''']
# Variables
[env]
FUZZER_NAME = 'harness'
PROJECT_DIR = { script = ["pwd"] }
PROFILE = { value = "release", condition = { env_not_set = ["PROFILE"] } }
TARGET_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}"
[tasks.unsupported]
script_runner = "@shell"
script = '''
echo "Qemu fuzzer not supported on windows"
'''
# fuzzer
[tasks.fuzzer]
linux_alias = "fuzzer_unix"
mac_alias = "fuzzer_unix"
windows_alias = "unsupported"
[tasks.fuzzer_unix]
command = "cargo"
args = ["build", "--profile", "${PROFILE}"]
# Harness
[tasks.harness]
linux_alias = "harness_unix"
mac_alias = "harness_unix"
windows_alias = "unsupported"
[tasks.harness_unix]
script_runner = "@shell"
script = '''
cc -c "${PROJECT_DIR}/libfuzzer_main.c"
cc \
./fuzz.c \
./libfuzzer_main.o \
-o ${FUZZER_NAME} \
-lm -lz
'''
# Run the fuzzer
[tasks.run]
linux_alias = "run_unix"
mac_alias = "run_unix"
windows_alias = "unsupported"
[tasks.run_unix]
command = "cargo"
args = [
"run",
"--profile",
"${PROFILE}",
"./${FUZZER_NAME}",
"--",
"--libafl-in",
"./corpus",
"--libafl-out",
"./out",
"./${FUZZER_NAME}",
]
dependencies = ["harness"]
# Run the fuzzer
[tasks.test]
linux_alias = "test_unix"
mac_alias = "test_unix"
windows_alias = "unsupported"
# Short test
[tasks.test_unix]
script_runner = "@shell"
script = '''
timeout 15s ${TARGET_DIR}/${PROFILE_DIR}/fuzzbench_fork_qemu ${PROJECT_DIR}/harness -- --libafl-in ${PROJECT_DIR}/../../inprocess/libfuzzer_libpng/corpus --libafl-out ${PROJECT_DIR}/out ${PROJECT_DIR}/harness | tee fuzz_stdout.log
if grep -qa "corpus: 5" fuzz_stdout.log; then
echo "Fuzzer is working"
else
echo "Fuzzer does not generate any testcases or any crashes"
exit 1
fi
'''
dependencies = ["harness", "fuzzer"]
# Clean up
[tasks.clean]
linux_alias = "clean_unix"
mac_alias = "clean_unix"
windows_alias = "unsupported"
[tasks.clean_unix]
# Disable default `clean` definition
clear = true
script_runner = "@shell"
script = '''
rm -f ./${FUZZER_NAME}
cargo clean
'''

42
fuzzers/binary_only/fuzzbench_qemu/Justfile Normal file
View File

@ -0,0 +1,42 @@
import "../../../just/libafl.just"
FUZZER_NAME := "fuzzbench_qemu"
HARNESS_NAME := "harness"
[unix]
harness:
cc -c libfuzzer_main.c
cc \
./fuzz.c \
./libfuzzer_main.o \
-o {{ HARNESS_NAME }} \
-lm -lz
[unix]
build:
cargo build --profile {{ PROFILE }}
[unix]
run: build harness
{{ FUZZER }} \
--libafl-in ./corpus \
--libafl-out ./out \
./{{ HARNESS_NAME }} \
-- \
./{{ HARNESS_NAME }}
[unix]
test: build harness
#!/bin/bash
timeout 15s {{ FUZZER }} ./harness -- --libafl-in ../../inprocess/libfuzzer_libpng/corpus --libafl-out out ./harness | tee fuzz_stdout.log
if grep -qa "objectives: 5" fuzz_stdout.log; then
echo "Fuzzer is working"
else
echo "Fuzzer does not generate any testcases or any crashes"
exit 1
fi
[unix]
clean:
cargo clean

101
fuzzers/binary_only/fuzzbench_qemu/Makefile.toml
View File

@ -1,101 +0,0 @@
# Variables
[env]
FUZZER_NAME = 'harness'
PROJECT_DIR = { script = ["pwd"] }
PROFILE = { value = "release", condition = { env_not_set = ["PROFILE"] } }
PROFILE_DIR = { source = "${PROFILE}", default_value = "release", mapping = { "release" = "release", "dev" = "debug" }, condition = { env_not_set = [
"PROFILE_DIR",
] } }
TARGET_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}"
[tasks.unsupported]
script_runner = "@shell"
script = '''
echo "Qemu fuzzer not supported on windows"
'''
# fuzzer
[tasks.fuzzer]
linux_alias = "fuzzer_unix"
mac_alias = "fuzzer_unix"
windows_alias = "unsupported"
[tasks.fuzzer_unix]
command = "cargo"
args = ["build", "--profile", "${PROFILE}"]
# Harness
[tasks.harness]
linux_alias = "harness_unix"
mac_alias = "harness_unix"
windows_alias = "unsupported"
[tasks.harness_unix]
script_runner = "@shell"
script = '''
cc -c "${PROJECT_DIR}/libfuzzer_main.c"
cc \
./fuzz.c \
./libfuzzer_main.o \
-o ${FUZZER_NAME} \
-lm -lz
'''
# Run the fuzzer
[tasks.run]
linux_alias = "run_unix"
mac_alias = "run_unix"
windows_alias = "unsupported"
[tasks.run_unix]
script_runner = "@shell"
script = '''
cargo build \
--profile \
${PROFILE}
${TARGET_DIR}/${PROFILE_DIR}/fuzzbench_qemu \
--libafl-in \
../../inprocess/libfuzzer_libpng/corpus \
--libafl-out \
./out \
./${FUZZER_NAME} \
-- \
./${FUZZER_NAME}
'''
dependencies = ["harness"]
# Run the fuzzer
[tasks.test]
linux_alias = "test_unix"
mac_alias = "test_unix"
windows_alias = "unsupported"
# Short test
[tasks.test_unix]
script_runner = "@shell"
script = '''
timeout 15s ${TARGET_DIR}/${PROFILE_DIR}/fuzzbench_qemu ${PROJECT_DIR}/harness -- --libafl-in ${PROJECT_DIR}/../../inprocess/libfuzzer_libpng/corpus --libafl-out ${PROJECT_DIR}/out ${PROJECT_DIR}/harness | tee fuzz_stdout.log
if grep -qa "objectives: 1" fuzz_stdout.log; then
echo "Fuzzer is working"
else
echo "Fuzzer does not generate any testcases or any crashes"
exit 1
fi
'''
dependencies = ["harness", "fuzzer"]
# Clean up
[tasks.clean]
linux_alias = "clean_unix"
mac_alias = "clean_unix"
windows_alias = "unsupported"
[tasks.clean_unix]
# Disable default `clean` definition
clear = true
script_runner = "@shell"
script = '''
rm -f ./${FUZZER_NAME}
cargo clean
'''

26
fuzzers/binary_only/intel_pt_baby_fuzzer/Makefile.toml
View File

@ -1,26 +0,0 @@
[env]
RUST_BACKTRACE = "0"
TARGET_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}"
[env.development]
PROFILE_DIR = "debug"
CARGO_BUILD_ARG = ""
[env.release]
PROFILE_DIR = "release"
CARGO_BUILD_ARG = "--release"
[tasks.build]
command = "cargo"
args = ["build", "--profile", "${CARGO_MAKE_CARGO_PROFILE}"]
[tasks.setcap]
script = "sudo setcap cap_ipc_lock,cap_sys_ptrace,cap_sys_admin,cap_syslog=ep ${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/${PROFILE_DIR}/${CARGO_MAKE_CRATE_NAME}"
dependencies = ["build"]
[tasks.run]
command = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/${PROFILE_DIR}/${CARGO_MAKE_CRATE_NAME}"
dependencies = ["build", "setcap"]
[tasks.default]
alias = "run"

31
fuzzers/binary_only/intel_pt_command_executor/Justfile Normal file
View File

@ -0,0 +1,31 @@
import "../../../just/libafl.just"
FUZZER_NAME := "intel_pt_command_executor"
[unix]
target_dir:
mkdir -p {{ TARGET_DIR }}
[unix]
build_target: target_dir
rustc src/target_program.rs --out-dir {{ TARGET_DIR }} -O
[unix]
build:
cargo build --profile {{ PROFILE }}
[unix]
setcap:
sudo setcap cap_ipc_lock,cap_sys_ptrace,cap_sys_admin,cap_syslog=ep {{ FUZZER }}
[unix]
run: build build_target setcap
{{ FUZZER }}
[unix]
test: build
echo "Build is successful."
[unix]
clean:
cargo clean

39
fuzzers/binary_only/intel_pt_command_executor/Makefile.toml
View File

@ -1,39 +0,0 @@
[env]
TARGET_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}"
[env.development]
PROFILE_DIR = "debug"
[env.release]
PROFILE_DIR = "release"
[tasks.target_dir]
condition = { files_not_exist = ["${TARGET_DIR}"] }
script_runner = "@shell"
script = '''
mkdir -p ${TARGET_DIR}
'''
[tasks.build_target]
dependencies = ["target_dir"]
command = "rustc"
args = ["src/target_program.rs", "--out-dir", "${TARGET_DIR}", "-O"]
[tasks.build_fuzzer]
command = "cargo"
args = ["build", "--profile", "${CARGO_MAKE_CARGO_PROFILE}"]
[tasks.build]
dependencies = ["build_fuzzer", "build_target"]
[tasks.setcap]
script = "sudo setcap cap_ipc_lock,cap_sys_ptrace,cap_sys_admin,cap_syslog=ep ${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/${PROFILE_DIR}/${CARGO_MAKE_CRATE_NAME}"
dependencies = ["build_fuzzer"]
[tasks.run]
command = "cargo"
args = ["run", "--profile", "${CARGO_MAKE_CARGO_PROFILE}"]
dependencies = ["build", "setcap"]
[tasks.default]
alias = "run"

45
fuzzers/binary_only/qemu_cmin/Justfile Normal file
View File

@ -0,0 +1,45 @@
import "../../../just/libafl-qemu-libpng.just"
FUZZER_NAME := "qemu_cmin"
HARNESS := TARGET_DIR / ("libpng-harness-" + PROFILE)
[unix]
build:
cargo build \
--profile {{ PROFILE }} \
--features {{ ARCH }} \
--target-dir {{ TARGET_DIR }}
[unix]
harness: libpng
#!/bin/bash
source {{ DOTENV }}
$CROSS_CXX \
./harness.cc \
$CROSS_CFLAGS \
"{{TARGET_DIR}}/build-png/.libs/libpng16.a" \
"{{TARGET_DIR}}/build-zlib/libz.a" \
-I"{{TARGET_DIR}}/build-png" \
-I"{{TARGET_DIR}}/build-zlib/zlib/lib" \
-L"{{TARGET_DIR}}/build-zlib/zlib/lib" \
-o"{{ HARNESS }}" \
-lm -static
[unix]
run: harness build
{{ FUZZER }} \
--output ./output \
--input ./corpus \
--verbose \
-- {{ HARNESS }}
[unix]
test:
ARCH=x86_64 just run
ARCH=arm just run
[unix]
clean:
cargo clean

320
fuzzers/binary_only/qemu_cmin/Makefile.toml
View File

@ -1,320 +0,0 @@
[env]
PROFILE = { value = "release", condition = { env_not_set = ["PROFILE"] } }
PROFILE_DIR = { source = "${PROFILE}", default_value = "release", mapping = { "release" = "release", "dev" = "debug" }, condition = { env_not_set = [
"PROFILE_DIR",
] } }
CROSS_CC = "x86_64-linux-gnu-gcc"
CROSS_CXX = "x86_64-linux-gnu-g++"
CROSS_CFLAGS = ""
TARGET_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/x86_64"
LIBPNG_ARCH = "x86_64"
LIBPNG_OPTIMIZATIONS = "yes"
FEATURE = "x86_64"
LIBAFL_QEMU_CLONE_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/qemu-libafl-bridge"
#LIBAFL_DEBUG_OUTPUT = "1"
#CUSTOM_QEMU_DIR= "~/qemu-libafl-bridge"
[env.arm]
CROSS_CC = "arm-linux-gnueabi-gcc"
CROSS_CXX = "arm-linux-gnueabi-g++"
CROSS_CFLAGS = ""
TARGET_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/arm"
LIBPNG_ARCH = "arm"
LIBPNG_OPTIMIZATIONS = "yes"
FEATURE = "arm"
LIBAFL_QEMU_CLONE_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/qemu-libafl-bridge"
[env.aarch64]
CROSS_CC = "aarch64-linux-gnu-gcc"
CROSS_CXX = "aarch64-linux-gnu-g++"
CROSS_CFLAGS = ""
TARGET_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/aarch64"
LIBPNG_ARCH = "aarch64"
LIBPNG_OPTIMIZATIONS = "yes"
FEATURE = "aarch64"
LIBAFL_QEMU_CLONE_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/qemu-libafl-bridge"
[env.x86_64]
CROSS_CC = "x86_64-linux-gnu-gcc"
CROSS_CXX = "x86_64-linux-gnu-g++"
CROSS_CFLAGS = ""
TARGET_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/x86_64"
LIBPNG_ARCH = "x86_64"
LIBPNG_OPTIMIZATIONS = "yes"
FEATURE = "x86_64"
LIBAFL_QEMU_CLONE_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/qemu-libafl-bridge"
[env.i386]
CROSS_CC = "x86_64-linux-gnu-gcc"
CROSS_CXX = "x86_64-linux-gnu-g++"
CROSS_CFLAGS = "-m32"
TARGET_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/i386"
LIBPNG_ARCH = "i386"
LIBPNG_OPTIMIZATIONS = "yes"
FEATURE = "i386"
LIBAFL_QEMU_CLONE_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/qemu-libafl-bridge"
[env.mips]
CROSS_CC = "mipsel-linux-gnu-gcc"
CROSS_CXX = "mipsel-linux-gnu-g++"
CROSS_CFLAGS = ""
TARGET_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/mips"
LIBPNG_ARCH = "mips"
LIBPNG_OPTIMIZATIONS = "yes"
FEATURE = "mips"
LIBAFL_QEMU_CLONE_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/qemu-libafl-bridge"
[env.ppc]
CROSS_CC = "powerpc-linux-gnu-gcc"
CROSS_CXX = "powerpc-linux-gnu-g++"
CROSS_CFLAGS = ""
TARGET_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/ppc"
LIBPNG_ARCH = "ppc"
LIBPNG_OPTIMIZATIONS = "no"
FEATURE = "ppc"
LIBAFL_QEMU_CLONE_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/qemu-libafl-bridge"
[tasks.unsupported]
script_runner = "@shell"
script = '''
echo "Qemu fuzzer not supported on windows/mac"
'''
[tasks.target_dir]
condition = { files_not_exist = ["${CARGO_MAKE_CRATE_TARGET_DIRECTORY}"] }
script_runner = "@shell"
script = '''
mkdir ${CARGO_MAKE_CRATE_TARGET_DIRECTORY}
'''
[tasks.deps_dir]
dependencies = ["target_dir"]
condition = { files_not_exist = ["${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/deps/"] }
script_runner = "@shell"
script = '''
mkdir ${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/deps/
'''
[tasks.arch_target_dir]
dependencies = ["target_dir"]
condition = { files_not_exist = ["${TARGET_DIR}"] }
script_runner = "@shell"
script = '''
mkdir ${TARGET_DIR}
'''
[tasks.zlib]
linux_alias = "zlib_unix"
mac_alias = "unsupported"
windows_alias = "unsupported"
[tasks.zlib_unix_wget]
dependencies = ["deps_dir"]
condition = { files_not_exist = [
"${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/deps/zlib-1.2.13",
] }
script_runner = "@shell"
# NOTE: There's no specific reason we're using an old version of zlib,
# but newer versions get moved to fossils/ after a while.
script = '''
wget \
-O "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/deps/zlib-1.2.13.tar.gz" \
https://zlib.net/fossils/zlib-1.2.13.tar.gz
tar \
zxvf ${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/deps/zlib-1.2.13.tar.gz \
-C ${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/deps/
'''
[tasks.zlib_unix]
dependencies = ["arch_target_dir", "zlib_unix_wget"]
condition = { files_not_exist = ["${TARGET_DIR}/build-zlib/libz.a"] }
script_runner = "@shell"
script = '''
rm -rf ${TARGET_DIR}/build-zlib/
mkdir ${TARGET_DIR}/build-zlib/
cd ${TARGET_DIR}/build-zlib/ && \
CC=$CROSS_CC \
CFLAGS=${CROSS_CFLAGS} \
${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/deps/zlib-1.2.13/configure \
--prefix=./zlib
make install
'''
[tasks.libpng]
linux_alias = "libpng_unix"
mac_alias = "unsupported"
windows_alias = "unsupported"
[tasks.libpng_unix_wget]
dependencies = ["deps_dir"]
condition = { files_not_exist = [
"${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/deps/libpng-1.6.37",
] }
script_runner = "@shell"
script = '''
wget \
-O "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/deps/v1.6.37.tar.gz" \
https://github.com/glennrp/libpng/archive/refs/tags/v1.6.37.tar.gz
tar \
-xvf "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/deps/v1.6.37.tar.gz" \
-C ${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/deps/
'''
[tasks.libpng_unix]
dependencies = ["arch_target_dir", "zlib", "libpng_unix_wget"]
condition = { files_not_exist = ["${TARGET_DIR}/build-png/.libs/libpng16.a"] }
script_runner = "@shell"
script = '''
rm -rf ${TARGET_DIR}/build-png/
mkdir ${TARGET_DIR}/build-png/
cd ${TARGET_DIR}/build-png/ && \
CC=$CROSS_CC \
CFLAGS="${CROSS_CFLAGS} -I"${TARGET_DIR}/build-zlib/zlib/lib"" \
LDFLAGS=-L"${TARGET_DIR}/build-zlib/zlib/lib" \
${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/deps/libpng-1.6.37/configure \
--enable-shared=no \
--with-pic=yes \
--enable-hardware-optimizations=${LIBPNG_OPTIMIZATIONS} \
--host=${LIBPNG_ARCH} \
make
'''
[tasks.build]
linux_alias = "build_unix"
mac_alias = "build_unix"
windows_alias = "unsupported"
[tasks.build_unix]
command = "cargo"
args = [
"build",
"--profile",
"${PROFILE}",
"--features",
"${FEATURE}",
"--target-dir",
"${TARGET_DIR}",
]
[tasks.fuzzer]
dependencies = ["build"]
script_runner = "@shell"
script = '''
rm -f ${TARGET_DIR}/${PROFILE_DIR}/qemu_cmin-${CARGO_MAKE_PROFILE}
mv ${TARGET_DIR}/${PROFILE_DIR}/qemu_cmin ${TARGET_DIR}/${PROFILE_DIR}/qemu_cmin-${CARGO_MAKE_PROFILE}
'''
[tasks.harness]
linux_alias = "harness_unix"
mac_alias = "unsupported"
windows_alias = "unsupported"
[tasks.harness_unix]
script_runner = "@shell"
script = '''
${CROSS_CXX} \
./harness.cc \
$CROSS_CFLAGS \
"${TARGET_DIR}/build-png/.libs/libpng16.a" \
"${TARGET_DIR}/build-zlib/libz.a" \
-I"${TARGET_DIR}/build-png" \
-I"${TARGET_DIR}/build-zlib/zlib/lib" \
-L"${TARGET_DIR}/build-zlib/zlib/lib" \
-o"${TARGET_DIR}/libpng-harness-${CARGO_MAKE_PROFILE}" \
-lm \
-static
'''
dependencies = ["libpng"]
[tasks.run]
linux_alias = "run_unix"
mac_alias = "unsupported"
windows_alias = "unsupported"
[tasks.run_unix]
command = "${TARGET_DIR}/${PROFILE_DIR}/qemu_cmin-${CARGO_MAKE_PROFILE}"
args = [
"--output",
"./output",
"--input",
"./corpus",
"--verbose",
"--",
"${TARGET_DIR}/libpng-harness-${CARGO_MAKE_PROFILE}",
]
dependencies = ["harness", "fuzzer"]
[tasks.test]
linux_alias = "test_unix"
mac_alias = "unsupported"
windows_alias = "unsupported"
[tasks.test_unix]
dependencies = ["lightweight"]
# Tidy up after we've run our tests so we don't hog all the disk space
command = "cargo"
args = ["make", "clean"]
[tasks.test_full]
linux_alias = "test_unix_full"
mac_alias = "unsupported"
windows_alias = "unsupported"
[tasks.test_unix_full]
dependencies = ["all"]
# Tidy up after we've run our tests so we don't hog all the disk space
command = "cargo"
args = ["make", "clean"]
[tasks.clean]
linux_alias = "clean_unix"
mac_alias = "clean_unix"
windows_alias = "unsupported"
[tasks.clean_unix]
# Disable default `clean` definition
clear = true
script_runner = "@shell"
script = '''
rm -rf ${CARGO_MAKE_CRATE_TARGET_DIRECTORY}
cargo clean
'''
[tasks.arm]
command = "cargo"
args = ["make", "-p", "arm", "run"]
[tasks.aarch64]
command = "cargo"
args = ["make", "-p", "aarch64", "run"]
[tasks.x86_64]
command = "cargo"
args = ["make", "-p", "x86_64", "run"]
[tasks.i386]
command = "cargo"
args = ["make", "-p", "i386", "run"]
[tasks.mips]
command = "cargo"
args = ["make", "-p", "mips", "run"]
[tasks.ppc]
command = "cargo"
args = ["make", "-p", "ppc", "run"]
[tasks.all]
dependencies = ["arm", "aarch64", "x86_64", "i386", "mips", "ppc"]
[tasks.lightweight]
dependencies = ["arm", "x86_64"]

65
fuzzers/binary_only/qemu_coverage/Justfile Normal file
View File

@ -0,0 +1,65 @@
import "../../../just/libafl-qemu-libpng.just"
FUZZER_NAME := "qemu_coverage"
HARNESS := TARGET_DIR / ("libpng-harness-" + PROFILE)
[unix]
build:
cargo build \
--profile {{ PROFILE }} \
--features {{ ARCH }} \
--target-dir {{ TARGET_DIR }}
[unix]
harness: libpng
#!/bin/bash
source {{ DOTENV }}
$CROSS_CXX \
./harness.cc \
$CROSS_CFLAGS \
"{{TARGET_DIR}}/build-png/.libs/libpng16.a" \
"{{TARGET_DIR}}/build-zlib/libz.a" \
-I"{{TARGET_DIR}}/build-png" \
-I"{{TARGET_DIR}}/build-zlib/zlib/lib" \
-L"{{TARGET_DIR}}/build-zlib/zlib/lib" \
-o"{{ HARNESS }}" \
-lm -static
[unix]
run: harness build
{{ FUZZER }} \
--coverage-path {{ TARGET_DIR }}/cov.drcov \
--input-dir ./corpus \
--verbose \
-- {{ HARNESS }}
[unix]
test_inner: run
#!/bin/bash
cargo run --manifest-path ../../../utils/drcov_utils/Cargo.toml --bin drcov_merge -- \
-i {{ TARGET_DIR }}/cov-000.drcov {{ TARGET_DIR }}/cov-001.drcov {{TARGET_DIR }}/cov-002.drcov {{ TARGET_DIR }}/cov-003.drcov \
--output {{ TARGET_DIR }}/cov-merged.drcov || exit 1
NB_BLOCKS=$(cargo run --manifest-path ../../../utils/drcov_utils/Cargo.toml --bin drcov_dump_addrs -- \
-i {{ TARGET_DIR }}/cov-merged.drcov -a | wc -l || exit 1)
echo "Nb blocks found: $NB_BLOCKS"
if [ $NB_BLOCKS -ge 1700 ]; then
echo "Test succeeded"
else
echo "Did not find more than 1700 blocks."
exit 1
fi
[unix]
test:
ARCH=x86_64 just test_inner
ARCH=arm just test_inner
[unix]
clean:
cargo clean

350
fuzzers/binary_only/qemu_coverage/Makefile.toml
View File

@ -1,350 +0,0 @@
[env]
PROFILE = { value = "release", condition = { env_not_set = ["PROFILE"] } }
PROFILE_DIR = { source = "${PROFILE}", default_value = "release", mapping = { "release" = "release", "dev" = "debug" }, condition = { env_not_set = [
"PROFILE_DIR",
] } }
CROSS_CC = "x86_64-linux-gnu-gcc"
CROSS_CXX = "x86_64-linux-gnu-g++"
CROSS_CFLAGS = ""
TARGET_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/x86_64"
LIBPNG_ARCH = "x86_64"
LIBPNG_OPTIMIZATIONS = "yes"
FEATURE = "x86_64"
LIBAFL_QEMU_CLONE_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/qemu-libafl-bridge"
#LIBAFL_DEBUG_OUTPUT = "1"
#CUSTOM_QEMU_DIR= "~/qemu-libafl-bridge"
[env.arm]
CROSS_CC = "arm-linux-gnueabi-gcc"
CROSS_CXX = "arm-linux-gnueabi-g++"
CROSS_CFLAGS = ""
TARGET_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/arm"
LIBPNG_ARCH = "arm"
LIBPNG_OPTIMIZATIONS = "yes"
FEATURE = "arm"
LIBAFL_QEMU_CLONE_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/qemu-libafl-bridge"
[env.aarch64]
CROSS_CC = "aarch64-linux-gnu-gcc"
CROSS_CXX = "aarch64-linux-gnu-g++"
CROSS_CFLAGS = ""
TARGET_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/aarch64"
LIBPNG_ARCH = "aarch64"
LIBPNG_OPTIMIZATIONS = "yes"
FEATURE = "aarch64"
LIBAFL_QEMU_CLONE_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/qemu-libafl-bridge"
[env.x86_64]
CROSS_CC = "x86_64-linux-gnu-gcc"
CROSS_CXX = "x86_64-linux-gnu-g++"
CROSS_CFLAGS = ""
TARGET_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/x86_64"
LIBPNG_ARCH = "x86_64"
LIBPNG_OPTIMIZATIONS = "yes"
FEATURE = "x86_64"
LIBAFL_QEMU_CLONE_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/qemu-libafl-bridge"
[env.i386]
CROSS_CC = "x86_64-linux-gnu-gcc"
CROSS_CXX = "x86_64-linux-gnu-g++"
CROSS_CFLAGS = "-m32"
TARGET_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/i386"
LIBPNG_ARCH = "i386"
LIBPNG_OPTIMIZATIONS = "yes"
FEATURE = "i386"
LIBAFL_QEMU_CLONE_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/qemu-libafl-bridge"
[env.mips]
CROSS_CC = "mipsel-linux-gnu-gcc"
CROSS_CXX = "mipsel-linux-gnu-g++"
CROSS_CFLAGS = ""
TARGET_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/mips"
LIBPNG_ARCH = "mips"
LIBPNG_OPTIMIZATIONS = "yes"
FEATURE = "mips"
LIBAFL_QEMU_CLONE_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/qemu-libafl-bridge"
[env.ppc]
CROSS_CC = "powerpc-linux-gnu-gcc"
CROSS_CXX = "powerpc-linux-gnu-g++"
CROSS_CFLAGS = ""
TARGET_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/ppc"
LIBPNG_ARCH = "ppc"
LIBPNG_OPTIMIZATIONS = "no"
FEATURE = "ppc"
LIBAFL_QEMU_CLONE_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/qemu-libafl-bridge"
[tasks.unsupported]
script_runner = "@shell"
script = '''
echo "Qemu fuzzer not supported on windows/mac"
'''
[tasks.target_dir]
condition = { files_not_exist = ["${CARGO_MAKE_CRATE_TARGET_DIRECTORY}"] }
script_runner = "@shell"
script = '''
mkdir ${CARGO_MAKE_CRATE_TARGET_DIRECTORY}
'''
[tasks.deps_dir]
dependencies = ["target_dir"]
condition = { files_not_exist = ["${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/deps/"] }
script_runner = "@shell"
script = '''
mkdir ${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/deps/
'''
[tasks.arch_target_dir]
dependencies = ["target_dir"]
condition = { files_not_exist = ["${TARGET_DIR}"] }
script_runner = "@shell"
script = '''
mkdir ${TARGET_DIR}
'''
[tasks.zlib]
linux_alias = "zlib_unix"
mac_alias = "unsupported"
windows_alias = "unsupported"
[tasks.zlib_unix_wget]
dependencies = ["deps_dir"]
condition = { files_not_exist = [
"${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/deps/zlib-1.2.13",
] }
script_runner = "@shell"
# NOTE: There's no specific reason we're using an old version of zlib,
# but newer versions get moved to fossils/ after a while.
script = '''
wget \
-O "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/deps/zlib-1.2.13.tar.gz" \
https://zlib.net/fossils/zlib-1.2.13.tar.gz
tar \
zxvf ${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/deps/zlib-1.2.13.tar.gz \
-C ${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/deps/
'''
[tasks.zlib_unix]
dependencies = ["arch_target_dir", "zlib_unix_wget"]
condition = { files_not_exist = ["${TARGET_DIR}/build-zlib/libz.a"] }
script_runner = "@shell"
script = '''
rm -rf ${TARGET_DIR}/build-zlib/
mkdir ${TARGET_DIR}/build-zlib/
cd ${TARGET_DIR}/build-zlib/ && \
CC=$CROSS_CC \
CFLAGS=${CROSS_CFLAGS} \
${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/deps/zlib-1.2.13/configure \
--prefix=./zlib
make install
'''
[tasks.libpng]
linux_alias = "libpng_unix"
mac_alias = "unsupported"
windows_alias = "unsupported"
[tasks.libpng_unix_wget]
dependencies = ["deps_dir"]
condition = { files_not_exist = [
"${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/deps/libpng-1.6.37",
] }
script_runner = "@shell"
script = '''
wget \
-O "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/deps/v1.6.37.tar.gz" \
https://github.com/glennrp/libpng/archive/refs/tags/v1.6.37.tar.gz
tar \
-xvf "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/deps/v1.6.37.tar.gz" \
-C ${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/deps/
'''
[tasks.libpng_unix]
dependencies = ["arch_target_dir", "zlib", "libpng_unix_wget"]
condition = { files_not_exist = ["${TARGET_DIR}/build-png/.libs/libpng16.a"] }
script_runner = "@shell"
script = '''
rm -rf ${TARGET_DIR}/build-png/
mkdir ${TARGET_DIR}/build-png/
cd ${TARGET_DIR}/build-png/ && \
CC=$CROSS_CC \
CFLAGS="${CROSS_CFLAGS} -I"${TARGET_DIR}/build-zlib/zlib/lib"" \
LDFLAGS=-L"${TARGET_DIR}/build-zlib/zlib/lib" \
${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/deps/libpng-1.6.37/configure \
--enable-shared=no \
--with-pic=yes \
--enable-hardware-optimizations=${LIBPNG_OPTIMIZATIONS} \
--host=${LIBPNG_ARCH} \
make
'''
[tasks.build]
linux_alias = "build_unix"
mac_alias = "build_unix"
windows_alias = "unsupported"
[tasks.build_unix]
command = "cargo"
args = [
"build",
"--profile",
"${PROFILE}",
"--features",
"${FEATURE}",
"--target-dir",
"${TARGET_DIR}",
]
[tasks.fuzzer]
dependencies = ["build"]
script_runner = "@shell"
script = '''
rm -f ${TARGET_DIR}/${PROFILE_DIR}/qemu_coverage-${CARGO_MAKE_PROFILE}
mv ${TARGET_DIR}/${PROFILE_DIR}/qemu_coverage ${TARGET_DIR}/${PROFILE_DIR}/qemu_coverage-${CARGO_MAKE_PROFILE}
'''
[tasks.harness]
linux_alias = "harness_unix"
mac_alias = "unsupported"
windows_alias = "unsupported"
[tasks.harness_unix]
script_runner = "@shell"
script = '''
${CROSS_CXX} \
./harness.cc \
$CROSS_CFLAGS \
"${TARGET_DIR}/build-png/.libs/libpng16.a" \
"${TARGET_DIR}/build-zlib/libz.a" \
-I"${TARGET_DIR}/build-png" \
-I"${TARGET_DIR}/build-zlib/zlib/lib" \
-L"${TARGET_DIR}/build-zlib/zlib/lib" \
-o"${TARGET_DIR}/libpng-harness-${CARGO_MAKE_PROFILE}" \
-lm \
-static
'''
dependencies = ["libpng"]
[tasks.run]
linux_alias = "run_unix"
mac_alias = "unsupported"
windows_alias = "unsupported"
[tasks.run_unix]
script_runner = "@shell"
script = '''
${TARGET_DIR}/${PROFILE_DIR}/qemu_coverage-${CARGO_MAKE_PROFILE} \
--coverage-path \
${TARGET_DIR}/cov.drcov \
--input-dir \
./corpus \
-- \
${TARGET_DIR}/libpng-harness-${CARGO_MAKE_PROFILE}
'''
dependencies = ["harness", "fuzzer"]
[tasks.test]
linux_alias = "test_unix"
mac_alias = "unsupported"
windows_alias = "unsupported"
[tasks.test_unix]
dependencies = ["lightweight"]
# Tidy up after we've run our tests so we don't hog all the disk space
command = "cargo"
args = ["make", "clean"]
[tasks.test_full]
linux_alias = "test_unix_full"
mac_alias = "unsupported"
windows_alias = "unsupported"
[tasks.test_unix_full]
dependencies = ["all"]
# Tidy up after we've run our tests so we don't hog all the disk space
command = "cargo"
args = ["make", "clean"]
[tasks.clean]
linux_alias = "clean_unix"
mac_alias = "clean_unix"
windows_alias = "unsupported"
[tasks.clean_unix]
# Disable default `clean` definition
clear = true
script_runner = "@shell"
script = '''
rm -rf ${CARGO_MAKE_CRATE_TARGET_DIRECTORY}
cargo clean
'''
[tasks.test_inner]
script_runner = "@shell"
script = '''
cargo make ${FEATURE} || exit 1
cargo run --manifest-path ../../../utils/drcov_utils/Cargo.toml --bin drcov_merge -- \
-i ${TARGET_DIR}/cov-000.drcov ${TARGET_DIR}/cov-001.drcov ${TARGET_DIR}/cov-002.drcov ${TARGET_DIR}/cov-003.drcov \
--output ${TARGET_DIR}/cov-merged.drcov || exit 1
NB_BLOCKS=$(cargo run --manifest-path ../../../utils/drcov_utils/Cargo.toml --bin drcov_dump_addrs -- \
-i ${TARGET_DIR}/cov-merged.drcov -a | wc -l || exit 1)
echo "Nb blocks found: $NB_BLOCKS"
if [ $NB_BLOCKS -ge 1700 ]; then
echo "Test succeeded"
else
echo "Did not find more than 1700 blocks."
exit 1
fi
'''
[tasks.arm]
command = "cargo"
args = ["make", "-p", "arm", "run"]
[tasks.test_arm]
command = "cargo"
args = ["make", "-p", "arm", "test_inner"]
[tasks.aarch64]
command = "cargo"
args = ["make", "-p", "aarch64", "run"]
[tasks.x86_64]
command = "cargo"
args = ["make", "-p", "x86_64", "run"]
[tasks.test_x86_64]
command = "cargo"
args = ["make", "-p", "x86_64", "test_inner"]
[tasks.i386]
command = "cargo"
args = ["make", "-p", "i386", "run"]
[tasks.mips]
command = "cargo"
args = ["make", "-p", "mips", "run"]
[tasks.ppc]
command = "cargo"
args = ["make", "-p", "ppc", "run"]
[tasks.all]
dependencies = ["arm", "aarch64", "x86_64", "i386", "mips", "ppc"]
[tasks.lightweight]
dependencies = ["test_x86_64", "test_arm"]

96
fuzzers/binary_only/qemu_launcher/Justfile Normal file
View File

@ -0,0 +1,96 @@
import "../../../just/libafl-qemu-libpng.just"
FUZZER_NAME := "qemu_launcher"
HARNESS := TARGET_DIR / ("libpng-harness-" + PROFILE)
[unix]
build:
cargo build \
--profile {{ PROFILE }} \
--features {{ ARCH }} \
--target-dir {{ TARGET_DIR }}
[unix]
harness: libpng
#!/bin/bash
source {{ DOTENV }}
$CROSS_CXX \
./harness.cc \
$CROSS_CFLAGS \
"{{ TARGET_DIR }}/build-png/.libs/libpng16.a" \
"{{ TARGET_DIR }}/build-zlib/libz.a" \
-I"{{ TARGET_DIR }}/build-png" \
-I"{{ DEPS_DIR }}/libpng-1.6.37" \
-I"{{ TARGET_DIR }}/build-zlib/zlib/lib" \
-L"{{ TARGET_DIR }}/build-zlib/zlib/lib" \
-o"{{ HARNESS }}" \
-lm
[unix]
run: harness build
{{ FUZZER }} \
--input ./corpus \
--output {{ TARGET_DIR }}/output/ \
--log {{TARGET_DIR}}/output/log.txt \
--cores 0-7 \
--asan-cores 0-3 \
--cmplog-cores 2-5 \
--iterations 1000000 \
--tui \
-- \
{{ HARNESS }}
[unix]
test_inner: harness build
#!/bin/bash
source {{ DOTENV }}
export QEMU_LAUNCHER={{ FUZZER }}
./tests/injection/test.sh || exit 1
# complie again with simple mgr
cargo build --profile={{PROFILE}} --features="simplemgr,{{ARCH}}" --target-dir={{ TARGET_DIR }}
./tests/qasan/test.sh || exit 1
[unix]
test:
ARCH=x86_64 just test_inner
single: harness build
{{ FUZZER }} \
--input ./corpus \
--output {{ TARGET_DIR }}/output/ \
--log {{ TARGET_DIR }}/output/log.txt \
--cores 0 \
-- \
{{ HARNESS }}
asan: harness build
{{ FUZZER }} \
--input ./corpus \
--output {{ TARGET_DIR }}/output/ \
--log {{ TARGET_DIR }}/output/log.txt \
--cores 0 \
--asan-cores 0 \
-- \
{{ HARNESS }}
asan_guest: harness build
{{ FUZZER }} \
--input ./corpus \
--output {{ TARGET_DIR }}/output/ \
--log {{ TARGET_DIR }}/output/log.txt \
--cores 0 \
--asan-guest-cores 0 \
-- \
{{ HARNESS }}
[unix]
clean:
cargo clean

424
fuzzers/binary_only/qemu_launcher/Makefile.toml
View File

@ -1,424 +0,0 @@
env_scripts = ['''
#!@duckscript
profile = get_env PROFILE
if eq ${profile} "dev"
set_env PROFILE_DIR debug
else
set_env PROFILE_DIR ${profile}
end
''']
[env]
PROFILE = { value = "release", condition = { env_not_set = ["PROFILE"] } }
PROFILE_DIR = { source = "${PROFILE}", default_value = "release", mapping = { "release" = "release", "dev" = "debug" }, condition = { env_not_set = [
"PROFILE_DIR",
] } }
CROSS_CC = "x86_64-linux-gnu-gcc"
CROSS_CXX = "x86_64-linux-gnu-g++"
CROSS_CFLAGS = ""
TARGET_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/x86_64"
LIBPNG_ARCH = "x86_64"
LIBPNG_OPTIMIZATIONS = "yes"
FEATURE = "x86_64"
#LIBAFL_DEBUG_OUTPUT = "1"
#CUSTOM_QEMU_DIR= "~/qemu-libafl-bridge"
[env.arm]
CROSS_CC = "arm-linux-gnueabi-gcc"
CROSS_CXX = "arm-linux-gnueabi-g++"
CROSS_CFLAGS = ""
TARGET_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/arm"
LIBPNG_ARCH = "arm"
LIBPNG_OPTIMIZATIONS = "yes"
FEATURE = "arm"
[env.aarch64]
CROSS_CC = "aarch64-linux-gnu-gcc"
CROSS_CXX = "aarch64-linux-gnu-g++"
CROSS_CFLAGS = ""
TARGET_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/aarch64"
LIBPNG_ARCH = "aarch64"
LIBPNG_OPTIMIZATIONS = "yes"
FEATURE = "aarch64"
[env.x86_64]
CROSS_CC = "x86_64-linux-gnu-gcc"
CROSS_CXX = "x86_64-linux-gnu-g++"
CROSS_CFLAGS = ""
TARGET_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/x86_64"
LIBPNG_ARCH = "x86_64"
LIBPNG_OPTIMIZATIONS = "yes"
FEATURE = "x86_64"
[env.i386]
CROSS_CC = "x86_64-linux-gnu-gcc"
CROSS_CXX = "x86_64-linux-gnu-g++"
CROSS_CFLAGS = "-m32"
TARGET_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/i386"
LIBPNG_ARCH = "i386"
LIBPNG_OPTIMIZATIONS = "yes"
FEATURE = "i386"
[env.mips]
CROSS_CC = "mipsel-linux-gnu-gcc"
CROSS_CXX = "mipsel-linux-gnu-g++"
CROSS_CFLAGS = ""
TARGET_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/mips"
LIBPNG_ARCH = "mips"
LIBPNG_OPTIMIZATIONS = "yes"
FEATURE = "mips"
[env.ppc]
CROSS_CC = "powerpc-linux-gnu-gcc"
CROSS_CXX = "powerpc-linux-gnu-g++"
CROSS_CFLAGS = ""
TARGET_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/ppc"
LIBPNG_ARCH = "ppc"
LIBPNG_OPTIMIZATIONS = "no"
FEATURE = "ppc"
[tasks.unsupported]
script_runner = "@shell"
script = '''
echo "Qemu fuzzer not supported on windows/mac"
'''
[tasks.target_dir]
condition = { files_not_exist = ["${CARGO_MAKE_CRATE_TARGET_DIRECTORY}"] }
script_runner = "@shell"
script = '''
mkdir ${CARGO_MAKE_CRATE_TARGET_DIRECTORY}
'''
[tasks.deps_dir]
dependencies = ["target_dir"]
condition = { files_not_exist = ["${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/deps/"] }
script_runner = "@shell"
script = '''
mkdir ${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/deps/
'''
[tasks.arch_target_dir]
dependencies = ["target_dir"]
condition = { files_not_exist = ["${TARGET_DIR}"] }
script_runner = "@shell"
script = '''
mkdir ${TARGET_DIR}
'''
[tasks.zlib]
linux_alias = "zlib_unix"
mac_alias = "unsupported"
windows_alias = "unsupported"
[tasks.zlib_unix_wget]
dependencies = ["deps_dir"]
condition = { files_not_exist = [
"${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/deps/zlib-1.2.13",
] }
script_runner = "@shell"
# NOTE: There's no specific reason we're using an old version of zlib,
# but newer versions get moved to fossils/ after a while.
script = '''
wget \
-O "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/deps/zlib-1.2.13.tar.gz" \
https://zlib.net/fossils/zlib-1.2.13.tar.gz
tar \
zxvf ${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/deps/zlib-1.2.13.tar.gz \
-C ${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/deps/
'''
[tasks.zlib_unix]
dependencies = ["arch_target_dir", "zlib_unix_wget"]
condition = { files_not_exist = ["${TARGET_DIR}/build-zlib/libz.a"] }
script_runner = "@shell"
script = '''
rm -rf ${TARGET_DIR}/build-zlib/
mkdir ${TARGET_DIR}/build-zlib/
cd ${TARGET_DIR}/build-zlib/ && \
CC=$CROSS_CC \
CFLAGS=${CROSS_CFLAGS} \
${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/deps/zlib-1.2.13/configure \
--prefix=./zlib
make install
'''
[tasks.libpng]
linux_alias = "libpng_unix"
mac_alias = "unsupported"
windows_alias = "unsupported"
[tasks.libpng_unix_wget]
dependencies = ["deps_dir"]
condition = { files_not_exist = [
"${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/deps/libpng-1.6.37",
] }
script_runner = "@shell"
script = '''
wget \
-O "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/deps/v1.6.37.tar.gz" \
https://github.com/glennrp/libpng/archive/refs/tags/v1.6.37.tar.gz
tar \
-xvf "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/deps/v1.6.37.tar.gz" \
-C ${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/deps/
'''
[tasks.libpng_unix]
dependencies = ["arch_target_dir", "zlib", "libpng_unix_wget"]
condition = { files_not_exist = ["${TARGET_DIR}/build-png/.libs/libpng16.a"] }
script_runner = "@shell"
script = '''
rm -rf ${TARGET_DIR}/build-png/
mkdir ${TARGET_DIR}/build-png/
cd ${TARGET_DIR}/build-png/ && \
CC=$CROSS_CC \
CFLAGS="${CROSS_CFLAGS}" \
CPPFLAGS="-I${TARGET_DIR}/build-zlib/zlib/include" \
LDFLAGS=-L"${TARGET_DIR}/build-zlib/zlib/lib" \
${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/deps/libpng-1.6.37/configure \
--enable-shared=no \
--with-pic=yes \
--enable-hardware-optimizations=${LIBPNG_OPTIMIZATIONS} \
--host=${LIBPNG_ARCH} \
make
'''
[tasks.build]
linux_alias = "build_unix"
mac_alias = "build_unix"
windows_alias = "unsupported"
[tasks.build_unix]
command = "cargo"
args = [
"build",
"--profile",
"${PROFILE}",
"--features",
"${FEATURE}",
"--target-dir",
"${TARGET_DIR}",
]
[tasks.fuzzer]
dependencies = ["build"]
script_runner = "@shell"
script = '''
rm -f ${TARGET_DIR}/${PROFILE_DIR}/qemu_launcher-${CARGO_MAKE_PROFILE}
mv ${TARGET_DIR}/${PROFILE_DIR}/qemu_launcher ${TARGET_DIR}/${PROFILE_DIR}/qemu_launcher-${CARGO_MAKE_PROFILE}
'''
[tasks.harness]
linux_alias = "harness_unix"
mac_alias = "unsupported"
windows_alias = "unsupported"
[tasks.harness_unix]
script_runner = "@shell"
script = '''
${CROSS_CXX} \
./harness.cc \
$CROSS_CFLAGS \
"${TARGET_DIR}/build-png/.libs/libpng16.a" \
"${TARGET_DIR}/build-zlib/libz.a" \
-I"${TARGET_DIR}/build-png" \
-I"${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/deps/libpng-1.6.37" \
-I"${TARGET_DIR}/build-zlib/zlib/include" \
-L"${TARGET_DIR}/build-zlib/zlib/lib" \
-o"${TARGET_DIR}/libpng-harness-${CARGO_MAKE_PROFILE}" \
-lm
'''
dependencies = ["libpng"]
[tasks.debug]
linux_alias = "debug_unix"
mac_alias = "unsupported"
windows_alias = "unsupported"
[tasks.debug_unix]
command = "${TARGET_DIR}/${PROFILE_DIR}/qemu_launcher-${CARGO_MAKE_PROFILE}"
args = [
"--input",
"./corpus",
"--output",
"${TARGET_DIR}/output/",
"--log",
"${TARGET_DIR}/output/log.txt",
"--cores",
"0-7",
"--asan-cores",
"0-3",
"--cmplog-cores",
"2-5",
"--iterations",
"100000",
"--verbose",
"--",
"${TARGET_DIR}/libpng-harness-${CARGO_MAKE_PROFILE}",
]
dependencies = ["harness", "fuzzer"]
[tasks.run]
linux_alias = "run_unix"
mac_alias = "unsupported"
windows_alias = "unsupported"
[tasks.run_unix]
command = "${TARGET_DIR}/${PROFILE_DIR}/qemu_launcher-${CARGO_MAKE_PROFILE}"
args = [
"--input",
"./corpus",
"--output",
"${TARGET_DIR}/output/",
"--log",
"${TARGET_DIR}/output/log.txt",
"--cores",
"0-7",
"--asan-cores",
"0-3",
"--cmplog-cores",
"2-5",
"--iterations",
"1000000",
"--tui",
"--",
"${TARGET_DIR}/libpng-harness-${CARGO_MAKE_PROFILE}",
]
dependencies = ["harness", "fuzzer"]
[tasks.single]
linux_alias = "single_unix"
mac_alias = "unsupported"
windows_alias = "unsupported"
[tasks.single_unix]
command = "${TARGET_DIR}/${PROFILE_DIR}/qemu_launcher-${CARGO_MAKE_PROFILE}"
args = [
"--input",
"./corpus",
"--output",
"${TARGET_DIR}/output/",
"--log",
"${TARGET_DIR}/output/log.txt",
"--cores",
"0",
"--",
"${TARGET_DIR}/libpng-harness-${CARGO_MAKE_PROFILE}",
]
dependencies = ["harness", "fuzzer"]
[tasks.asan]
linux_alias = "asan_unix"
mac_alias = "unsupported"
windows_alias = "unsupported"
[tasks.asan_unix]
command = "${TARGET_DIR}/${PROFILE_DIR}/qemu_launcher-${CARGO_MAKE_PROFILE}"
args = [
"--input",
"./corpus",
"--output",
"${TARGET_DIR}/output/",
"--log",
"${TARGET_DIR}/output/log.txt",
"--cores",
"0",
"--asan-cores",
"0",
"--",
"${TARGET_DIR}/libpng-harness-${CARGO_MAKE_PROFILE}",
]
dependencies = ["harness", "fuzzer"]
[tasks.asan_guest]
linux_alias = "asan_guest_unix"
mac_alias = "unsupported"
windows_alias = "unsupported"
[tasks.asan_guest_unix]
command = "${TARGET_DIR}/${PROFILE_DIR}/qemu_launcher-${CARGO_MAKE_PROFILE}"
args = [
"--input",
"./corpus",
"--output",
"${TARGET_DIR}/output/",
"--log",
"${TARGET_DIR}/output/log.txt",
"--cores",
"0",
"--asan-guest-cores",
"0",
"--",
"${TARGET_DIR}/libpng-harness-${CARGO_MAKE_PROFILE}",
]
dependencies = ["harness", "fuzzer"]
[tasks.test]
linux_alias = "test_unix"
mac_alias = "unsupported"
windows_alias = "unsupported"
[tasks.test_unix]
script_runner = "@shell"
script = '''
echo "Profile: ${PROFILE}"
export QEMU_LAUNCHER=${TARGET_DIR}/${PROFILE_DIR}/qemu_launcher
./tests/injection/test.sh || exit 1
# complie again with simple mgr
cargo build --profile=${PROFILE} --features="simplemgr" --target-dir=${TARGET_DIR}
./tests/qasan/test.sh || exit 1
'''
dependencies = ["build_unix"]
[tasks.clean]
linux_alias = "clean_unix"
mac_alias = "clean_unix"
windows_alias = "unsupported"
[tasks.clean_unix]
# Disable default `clean` definition
clear = true
script_runner = "@shell"
script = '''
rm -rf ${CARGO_MAKE_CRATE_TARGET_DIRECTORY}
cargo clean
'''
[tasks.arm]
command = "cargo"
args = ["make", "-p", "arm", "run"]
[tasks.aarch64]
command = "cargo"
args = ["make", "-p", "aarch64", "run"]
[tasks.x86_64]
command = "cargo"
args = ["make", "-p", "x86_64", "run"]
[tasks.i386]
command = "cargo"
args = ["make", "-p", "i386", "run"]
[tasks.mips]
command = "cargo"
args = ["make", "-p", "mips", "run"]
[tasks.ppc]
command = "cargo"
args = ["make", "-p", "ppc", "run"]
[tasks.all]
dependencies = ["arm", "aarch64", "x86_64", "i386", "mips", "ppc"]

40
fuzzers/binary_only/tinyinst_simple/Justfile Normal file
View File

@ -0,0 +1,40 @@
import "../../../just/libafl.just"
FUZZER_NAME := "tinyinst_simple"
set windows-shell := ["cmd.exe", "/c"]
set unstable
[linux]
harness:
clang test/test.cpp -o test.exe
[windows]
harness:
cl test\test.cpp -o test.exe
fuzzer:
cargo build --profile {{PROFILE}}
run: harness fuzzer
cargo run --profile {{PROFILE}}
[linux]
test: harness fuzzer
#!/bin/bash
cp {{TARGET_DIR}}/{{PROFILE_DIR}}/tinyinst_simple .
echo "Running tests"
timeout 5s ./tinyinst_simple || true
# corpus_discovered folder exists and is not empty
if [ -d "corpus_discovered" ] && [ -n "$(ls -A corpus_discovered)" ]; then
echo "Fuzzer works!"
else
exit 1
fi
[windows]
test: harness fuzzer
copy .\target\{{PROFILE_DIR}}\tinyinst_simple.exe .
start .\tinyinst_simple.exe
ping -n 10 127.0.0.1>NUL && taskkill /im tinyinst_simple.exe /F
dir /a-d corpus_discovered && (echo Files exist) || (exit /b 1337)

95
fuzzers/binary_only/tinyinst_simple/Makefile.toml
View File

@ -1,95 +0,0 @@
[env]
PROFILE = { value = "release", condition = { env_not_set = ["PROFILE"] } }
PROFILE_DIR = { source = "${PROFILE}", default_value = "release", mapping = { "release" = "release", "dev" = "debug" }, condition = { env_not_set = [
"PROFILE_DIR",
] } }
CARGO_TARGET_DIR = { value = "target", condition = { env_not_set = [
"CARGO_TARGET_DIR",
] } }
[tasks.unsupported]
script_runner = "@shell"
script = '''
echo "Cargo-make not integrated yet on this"
'''
# Harness
[tasks.harness]
linux_alias = "harness_linux"
mac_alias = "unsupported"
windows_alias = "harness_windows"
[tasks.harness_linux]
script = '''
clang test/test.cpp -o test.exe
'''
[tasks.harness_windows]
script = '''
cl test\test.cpp -o test.exe
'''
# Fuzzer
[tasks.fuzzer]
linux_alias = "fuzzer_linux"
mac_alias = "unsupported"
windows_alias = "fuzzer_windows"
[tasks.fuzzer_linux]
dependencies = ["harness"]
command = "cargo"
args = ["build", "--profile", "${PROFILE}"]
[tasks.fuzzer_windows]
dependencies = ["harness"]
command = "cargo"
args = ["build", "--profile", "${PROFILE}"]
# Run the fuzzer
[tasks.run]
linux_alias = "run_linux"
mac_alias = "unsupported"
windows_alias = "run_windows"
[tasks.run_linux]
dependencies = ["harness", "fuzzer"]
command = "cargo"
args = ["run", "--profile", "${PROFILE}"]
[tasks.run_windows]
dependencies = ["harness", "fuzzer"]
command = "cargo"
args = ["run", "--profile", "${PROFILE}"]
# Run the fuzzer
[tasks.test]
linux_alias = "test_linux"
mac_alias = "unsupported"
windows_alias = "test_windows"
[tasks.test_linux]
script_runner = "@shell"
script = '''
cp ${CARGO_TARGET_DIR}/${PROFILE_DIR}/tinyinst_simple .
echo running tests
timeout 5s ./tinyinst_simple || true
# corpus_discovered folder exists and is not empty
if [ -d "corpus_discovered" ] && [ -n "$(ls -A corpus_discovered)" ]; then
echo "Fuzzer works!"
else
exit 1
fi
'''
dependencies = ["harness", "fuzzer"]
[tasks.test_windows]
script_runner = "@shell"
script = '''
copy .\target\${PROFILE_DIR}\tinyinst_simple.exe .
start "" "tinyinst_simple.exe"
#ping is for timeout
ping -n 10 127.0.0.1>NUL && taskkill /im tinyinst_simple.exe /F
>nul 2>nul dir /a-d "corpus_discovered\*" && (echo Files exist) || (exit /b 1337)
'''
dependencies = ["harness", "fuzzer"]

32
fuzzers/full_system/nyx_libxml2_parallel/Justfile Normal file
View File

@ -0,0 +1,32 @@
import "../../../just/libafl.just"
FUZZER_NAME := "nyx_libxml2_parallel"
[unix]
libxml2:
./setup_libxml2.sh
[unix]
enable_kvm_vmware_hypercall:
#!/bin/bash
if [ ! -e /sys/module/kvm/parameters/enable_vmware_backdoor ] ||
! grep -qF Y /sys/module/kvm/parameters/enable_vmware_backdoor; then
sudo modprobe -r kvm-intel # or kvm-amd for AMD
sudo modprobe -r kvm
sudo modprobe kvm enable_vmware_backdoor=y
sudo modprobe kvm-intel
fi;
[unix]
build: libxml2
[unix]
run: libxml2 enable_kvm_vmware_hypercall
cargo run
[unix]
test: build
[unix]
clean:
make -C libxml2 clean
cargo clean

69
fuzzers/full_system/nyx_libxml2_parallel/Makefile.toml
View File

@ -1,69 +0,0 @@
# Variables
[env]
FUZZER_NAME = 'nyx_libxml2_parallel'
PROJECT_DIR = { script = ["pwd"] }
[config]
skip_core_tasks = true # skip `cargo test` to avoid error
[tasks.unsupported]
script_runner = "@shell"
script = '''
echo "Cargo-make not integrated yet on this platform"
'''
[tasks.build]
dependencies = ["libxml2"]
[tasks.libxml2]
linux_alias = "libxml2_unix"
mac_alias = "unsupported"
windows_alias = "unsupported"
[tasks.libxml2_unix]
# condition = { files_not_exist = ["./libxml2"]}
script_runner = "@shell"
script = '''
./setup_libxml2.sh
'''
[tasks.enable_kvm_vmware_hypercall]
script_runner = "@shell"
script = '''
if [ ! -e /sys/module/kvm/parameters/enable_vmware_backdoor ] ||
! grep -qF Y /sys/module/kvm/parameters/enable_vmware_backdoor; then
sudo modprobe -r kvm-intel # or kvm-amd for AMD
sudo modprobe -r kvm
sudo modprobe kvm enable_vmware_backdoor=y
sudo modprobe kvm-intel
fi;
'''
# Run the fuzzer
[tasks.run]
linux_alias = "run_unix"
mac_alias = "unsupported"
windows_alias = "unsupported"
[tasks.run_unix]
script_runner = "@shell"
script = '''
cargo run
'''
dependencies = ["libxml2", "enable_kvm_vmware_hypercall"]
# Clean up
[tasks.clean]
linux_alias = "clean_unix"
mac_alias = "unsupported"
windows_alias = "unsupported"
[tasks.clean_unix]
# Disable default `clean` definition
clear = true
script_runner = "@shell"
script = '''
make -C ./libxml2 clean
cargo clean
'''

32
fuzzers/full_system/nyx_libxml2_standalone/Justfile Normal file
View File

@ -0,0 +1,32 @@
import "../../../just/libafl.just"
FUZZER_NAME := "nyx_libxml2_parallel"
[unix]
libxml2:
./setup_libxml2.sh
[unix]
enable_kvm_vmware_hypercall:
#!/bin/bash
if [ ! -e /sys/module/kvm/parameters/enable_vmware_backdoor ] ||
! grep -qF Y /sys/module/kvm/parameters/enable_vmware_backdoor; then
sudo modprobe -r kvm-intel # or kvm-amd for AMD
sudo modprobe -r kvm
sudo modprobe kvm enable_vmware_backdoor=y
sudo modprobe kvm-intel
fi;
[unix]
build: libxml2
[unix]
run: libxml2 enable_kvm_vmware_hypercall
cargo run
[unix]
test: build
[unix]
clean:
make -C libxml2 clean
cargo clean

69
fuzzers/full_system/nyx_libxml2_standalone/Makefile.toml
View File

@ -1,69 +0,0 @@
# Variables
[env]
FUZZER_NAME = 'nyx_libxml2_standalone'
PROJECT_DIR = { script = ["pwd"] }
[config]
skip_core_tasks = true # skip `cargo test` to avoid error
[tasks.unsupported]
script_runner = "@shell"
script = '''
echo "Cargo-make not integrated yet on this platform"
'''
[tasks.build]
dependencies = ["libxml2"]
[tasks.libxml2]
linux_alias = "libxml2_unix"
mac_alias = "unsupported"
windows_alias = "unsupported"
[tasks.libxml2_unix]
# condition = { files_not_exist = ["./libxml2"]}
script_runner = "@shell"
script = '''
./setup_libxml2.sh
'''
[tasks.enable_kvm_vmware_hypercall]
script_runner = "@shell"
script = '''
if [ ! -e /sys/module/kvm/parameters/enable_vmware_backdoor ] ||
! grep -qF Y /sys/module/kvm/parameters/enable_vmware_backdoor; then
sudo modprobe -r kvm-intel # or kvm-amd for AMD
sudo modprobe -r kvm
sudo modprobe kvm enable_vmware_backdoor=y
sudo modprobe kvm-intel
fi;
'''
# Run the fuzzer
[tasks.run]
linux_alias = "run_unix"
mac_alias = "unsupported"
windows_alias = "unsupported"
[tasks.run_unix]
script_runner = "@shell"
script = '''
cargo run
'''
dependencies = ["libxml2", "enable_kvm_vmware_hypercall"]
# Clean up
[tasks.clean]
linux_alias = "clean_unix"
mac_alias = "unsupported"
windows_alias = "unsupported"
[tasks.clean_unix]
# Disable default `clean` definition
clear = true
script_runner = "@shell"
script = '''
make -C ./libxml2 clean
cargo clean
'''

69
fuzzers/full_system/qemu_baremetal/Justfile Normal file
View File

@ -0,0 +1,69 @@
import "../../../just/libafl-qemu.just"
FUZZER_NAME := "qemu_baremetal"
KERNEL := TARGET_DIR / "example.elf"
DUMMY_IMG := TARGET_DIR / "dummy.qcow2"
target_dir:
mkdir -p "{{TARGET_DIR}}"
image: target_dir
qemu-img create -f qcow2 {{DUMMY_IMG}} 32M
target flavor: image target_dir
arm-none-eabi-gcc -ggdb -ffreestanding -nostartfiles -lgcc \
-T example/mps2_m3.ld \
-mcpu=cortex-m3 \
-D "TARGET_{{ uppercase(flavor) }}" \
-I {{BUILD_DIR / "include"}} \
example/main.c \
example/startup.c \
-o {{TARGET_DIR}}/example.elf
build flavor="breakpoint": target_dir
cargo build \
--profile {{PROFILE}} \
--no-default-features \
--features std,{{flavor}} \
--target-dir {{TARGET_DIR}}
run flavor="breakpoint": (target flavor) (build flavor)
{{BUILD_DIR / "qemu_baremetal"}} \
-icount shift=auto,align=off,sleep=off \
-machine mps2-an385 \
-monitor null \
-kernel {{KERNEL}} \
-drive if=none,format=qcow2,file={{DUMMY_IMG}} \
-serial null \
-nographic \
-snapshot \
-S
test_flavor flavor: (target flavor) (build flavor)
#!/bin/bash
export KERNEL={{ KERNEL }}
export TARGET_DIR={{ TARGET_DIR }}
TMP_DIR=$(mktemp -d)
timeout 20s {{ FUZZER }} \
-icount shift=auto,align=off,sleep=off \
-machine mps2-an385 \
-monitor null \
-kernel {{ KERNEL }} -serial null \
-drive if=none,format=qcow2,file={{ DUMMY_IMG }} \
-nographic \
-snapshot \
-S | tee "$TMP_DIR/fuzz.log" 2>&1 || true
if [ -z "$(grep 'Objective' $TMP_DIR/fuzz.log)" ]; then
echo "qemu_baremetal ${FEATURE}: Fuzzer did not find the objective in $TMP_DIR/fuzz.log"
exit 1
else
echo "qemu_baremetal ${FEATURE}: Objective found."
fi
test: (test_flavor "low_level") (test_flavor "breakpoint") (test_flavor "sync_exit")
clean:
cargo clean

234
fuzzers/full_system/qemu_baremetal/Makefile.toml
View File

@ -1,234 +0,0 @@
env_scripts = ['''
#!@duckscript
profile = get_env PROFILE
if eq ${profile} "dev"
set_env PROFILE_DIR debug
else
set_env PROFILE_DIR ${profile}
end
''', '''
#!@duckscript
runs_on_ci = get_env RUN_ON_CI
if ${runs_on_ci}
cargo_target_dir = get_env CARGO_MAKE_CRATE_TARGET_DIRECTORY
set_env TARGET_DIR ${cargo_target_dir}
set_env KERNEL ${cargo_target_dir}/example.elf
end
''']
[env]
PROFILE = { value = "release", condition = { env_not_set = ["PROFILE"] } }
TARGET_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/${FEATURE}"
LIBAFL_QEMU_CLONE_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/qemu-libafl-bridge"
KERNEL = "${TARGET_DIR}/example.elf"
[tasks.target_dir]
condition = { files_not_exist = ["${TARGET_DIR}"] }
script_runner = "@shell"
script = '''
mkdir -p ${TARGET_DIR}
'''
[tasks.image]
dependencies = ["target_dir"]
condition = { files_not_exist = ["${TARGET_DIR}/dummy.qcow2"] }
script_runner = "@shell"
script = '''
qemu-img create -f qcow2 ${TARGET_DIR}/dummy.qcow2 32M
'''
[tasks.target]
dependencies = ["target_dir"]
condition = { env_set = ["TARGET_DEFINE"] }
command = "arm-none-eabi-gcc"
args = [
"-ggdb",
"-ffreestanding",
"-nostartfiles",
"-lgcc",
"-T",
"${CARGO_MAKE_WORKING_DIRECTORY}/example/mps2_m3.ld",
"-mcpu=cortex-m3",
"${CARGO_MAKE_WORKING_DIRECTORY}/example/main.c",
"${CARGO_MAKE_WORKING_DIRECTORY}/example/startup.c",
"-D",
"${TARGET_DEFINE}",
"-I",
"${TARGET_DIR}/${PROFILE_DIR}/include",
"-o",
"${TARGET_DIR}/example.elf",
]
[tasks.build_fuzzer]
condition = { env_set = ["FEATURE"] }
command = "cargo"
args = [
"build",
"--profile",
"${PROFILE}",
"--no-default-features",
"--features",
"std,${FEATURE}",
"--target-dir",
"${TARGET_DIR}",
]
dependencies = ["image"]
[tasks.run_fuzzer]
command = "${TARGET_DIR}/${PROFILE_DIR}/qemu_baremetal"
args = [
"-icount",
"shift=auto,align=off,sleep=off",
"-machine",
"mps2-an385",
"-monitor",
"null",
"-kernel",
"${TARGET_DIR}/example.elf",
"-serial",
"null",
"-nographic",
"-snapshot",
"-drive",
"if=none,format=qcow2,file=${TARGET_DIR}/dummy.qcow2",
"-S",
]
dependencies = ["target"]
[tasks.test_fuzzer]
condition = { env_set = ["FEATURE"] }
script_runner = "@shell"
script = '''
TMP_DIR=$(mktemp -d)
cargo make build_$FEATURE
timeout 20s ${TARGET_DIR}/${PROFILE_DIR}/qemu_baremetal -icount shift=auto,align=off,sleep=off -machine mps2-an385 -monitor null -kernel ${TARGET_DIR}/example.elf -serial null -nographic -snapshot -drive if=none,format=qcow2,file=${TARGET_DIR}/dummy.qcow2 -S | tee $TMP_DIR/fuzz.log 2>&1 || true
if [ -z "$(grep 'Objective' $TMP_DIR/fuzz.log)" ]; then
echo "qemu_baremetal ${FEATURE}: Fuzzer did not find the objective in $TMP_DIR/fuzz.log"
exit 1
else
echo "qemu_baremetal ${FEATURE}: Objective found."
fi
'''
dependencies = ["target"]
[tasks.build_low_level]
command = "cargo"
args = [
"make",
"-e",
"FEATURE=low_level",
"-e",
"TARGET_DEFINE=TARGET_CLASSIC",
"build_fuzzer",
]
[tasks.test_low_level]
command = "cargo"
args = [
"make",
"-e",
"FEATURE=low_level",
"-e",
"TARGET_DEFINE=TARGET_CLASSIC",
"test_fuzzer",
]
[tasks.build_breakpoint]
command = "cargo"
args = [
"make",
"-e",
"FEATURE=breakpoint",
"-e",
"TARGET_DEFINE=TARGET_BREAKPOINT",
"build_fuzzer",
]
[tasks.test_breakpoint]
command = "cargo"
args = [
"make",
"-e",
"FEATURE=breakpoint",
"-e",
"TARGET_DEFINE=TARGET_BREAKPOINT",
"test_fuzzer",
]
[tasks.build_sync_exit]
command = "cargo"
args = [
"make",
"-e",
"FEATURE=sync_exit",
"-e",
"TARGET_DEFINE=TARGET_SYNC_EXIT",
"build_fuzzer",
]
[tasks.test_sync_exit]
command = "cargo"
args = [
"make",
"-e",
"FEATURE=sync_exit",
"-e",
"TARGET_DEFINE=TARGET_SYNC_EXIT",
"test_fuzzer",
]
[tasks.low_level]
command = "cargo"
args = [
"make",
"-e",
"FEATURE=low_level",
"-e",
"TARGET_DEFINE=TARGET_CLASSIC",
"run_fuzzer",
]
[tasks.breakpoint]
command = "cargo"
args = [
"make",
"-e",
"FEATURE=breakpoint",
"-e",
"TARGET_DEFINE=TARGET_BREAKPOINT",
"run_fuzzer",
]
[tasks.sync_exit]
command = "cargo"
args = [
"make",
"-e",
"FEATURE=sync_exit",
"-e",
"TARGET_DEFINE=TARGET_SYNC_EXIT",
"run_fuzzer",
]
[tasks.test]
clear = true
run_task = { name = ["test_low_level", "test_breakpoint", "test_sync_exit"] }
[tasks.build]
clear = true
run_task = { name = ["build_low_level", "build_breakpoint", "build_sync_exit"] }
[tasks.run]
alias = "low_level"
[tasks.clean]
clear = true
script_runner = "@shell"
script = '''
rm -rf ${CARGO_MAKE_CRATE_TARGET_DIRECTORY}
cargo clean
'''

14
fuzzers/full_system/qemu_baremetal/README.md
View File

@ -21,24 +21,20 @@ sudo apt -y install qemu-utils gcc-arm-none-eabi
## Build ## Build
Build one of the flavors (breakpoint by default):
```bash ```bash
cargo make build just build
``` ```
## Run ## Run
```bash Run one of the flavors (breakpoint by default):
cargo make run
```
It is also possible to run the fuzzer with the other features:
```bash ```bash
cargo make <feature> just run
``` ```
With feature being `low_level`, `breakpoint` or `sync_exit`.
This will build the desired fuzzer (src/fuzzer_<feature>.rs) and a small example binary based on FreeRTOS, which can run under a qemu emulation target. This will build the desired fuzzer (src/fuzzer_<feature>.rs) and a small example binary based on FreeRTOS, which can run under a qemu emulation target.
Since the instrumentation is based on snapshots, QEMU needs a virtual drive (even if it is unused...). Since the instrumentation is based on snapshots, QEMU needs a virtual drive (even if it is unused...).
Thus, the makefile creates a dummy QCOW2 image `dummy.qcow2` (can be found in the `target directory`). Thus, the makefile creates a dummy QCOW2 image `dummy.qcow2` (can be found in the `target directory`).

69
fuzzers/full_system/qemu_linux_kernel/Justfile Normal file
View File

@ -0,0 +1,69 @@
import "../../../just/libafl-qemu.just"
FUZZER_NAME := "qemu_linux_kernel"
LINUX_BUILDER_URL := "git@github.com:AFLplusplus/linux-qemu-image-builder.git"
LINUX_BUILDER_DIR := TARGET_DIR / "linux_builder"
LINUX_BUILDER_OUT := LINUX_BUILDER_DIR / "output"
target_dir:
mkdir -p "{{TARGET_DIR}}"/runtime
mkdir -p "{{TARGET_DIR}}"/setup
linux_builder_dir: target_dir
#!/bin/bash
if [ ! -d {{ LINUX_BUILDER_DIR }} ]; then
git clone {{ LINUX_BUILDER_URL }} {{ LINUX_BUILDER_DIR }}
else
git -C {{ LINUX_BUILDER_DIR }} pull
fi
update_files api="": target_dir linux_builder_dir (build api)
cp -r setup/* "{{ LINUX_BUILDER_DIR }}/setup/"
cp -r runtime/* "{{ LINUX_BUILDER_DIR }}/runtime/"
cp {{ BUILD_DIR }}/include/* "{{ LINUX_BUILDER_DIR }}/setup/"
target api="": linux_builder_dir update_files
{{LINUX_BUILDER_DIR}}/build.sh
build api="":
cargo build \
--profile {{ PROFILE }} \
--target-dir {{ TARGET_DIR }} \
--features "{{ api }}"
run api="": (build api)
#!/bin/bash
rm -rf corpus_gen
# Find the bios dir of LibAFL QEMU
if [ ! -z "${LIBAFL_QEMU_DIR}" ]; then
LIBAFL_QEMU_BIOS_DIR=${LIBAFL_QEMU_DIR}/build/qemu-bundle/usr/local/share/qemu
else
LIBAFL_QEMU_BIOS_DIR={{ LIBAFL_QEMU_DIR_DEFAULT }}/build/qemu-bundle/usr/local/share/qemu
fi
qemu-img create -f qcow2 -o backing_file={{ LINUX_BUILDER_OUT }}/OVMF_CODE.4m.fd -F raw {{ LINUX_BUILDER_OUT }}/OVMF_CODE.4m.qcow2
qemu-img create -f qcow2 -o backing_file={{ LINUX_BUILDER_OUT }}/OVMF_VARS.4m.fd -F raw {{ LINUX_BUILDER_OUT }}/OVMF_VARS.4m.qcow2
qemu-img create -f qcow2 -o backing_file={{ LINUX_BUILDER_OUT }}/linux.qcow2 -F qcow2 {{ LINUX_BUILDER_OUT }}/linux.tmp.qcow2
{{FUZZER}} \
-accel tcg \
-m 4G \
-drive if=pflash,format=qcow2,file="{{ LINUX_BUILDER_OUT }}/OVMF_CODE.4m.qcow2" `# OVMF code pflash` \
-drive if=pflash,format=qcow2,file="{{ LINUX_BUILDER_OUT }}/OVMF_VARS.4m.qcow2" `# OVMF vars pflash` \
-device ahci,id=ahci,bus=pci.0,addr=4 \
-device ide-hd,bus=ahci.0,drive=disk,bootindex=1 \
-blockdev driver=file,filename="{{ LINUX_BUILDER_OUT }}/linux.tmp.qcow2",node-name=storage `# Backend file of "disk"` \
-blockdev driver=qcow2,file=storage,node-name=disk `# QCOW2 "disk"` \
-L "${LIBAFL_QEMU_BIOS_DIR}" \
-nographic \
-monitor null \
-serial null
test: build (build "nyx")
clean:
cargo clean

223
fuzzers/full_system/qemu_linux_kernel/Makefile.toml
View File

@ -1,223 +0,0 @@
env_scripts = ['''
#!@duckscript
profile = get_env PROFILE
harness_api = get_env HARNESS_API
if eq ${profile} "dev"
set_env PROFILE_DIR debug
else
set_env PROFILE_DIR ${profile}
end
if eq ${harness_api} "nyx"
set_env FEATURE nyx
elseif eq ${harness_api} "lqemu"
set_env FEATURE ""
else
echo "Unknown harness API: ${harness_api}"
exit 1
end
''', '''
#!@duckscript
runs_on_ci = get_env RUN_ON_CI
if ${runs_on_ci}
cargo_target_dir = get_env CARGO_MAKE_CRATE_TARGET_DIRECTORY
set_env TARGET_DIR ${cargo_target_dir}
end
''']
[env]
PROFILE = { value = "release", condition = { env_not_set = ["PROFILE"] } }
WORKING_DIR = "${CARGO_MAKE_WORKING_DIRECTORY}"
TARGET_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}"
LIBAFL_QEMU_CLONE_DIR = { value = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/qemu-libafl-bridge", condition = { env_not_set = [
"LIBAFL_QEMU_DIR",
] } }
HARNESS_API = { value = "lqemu", condition = { env_not_set = ["HARNESS_API"] } }
LINUX_BUILDER_URL = "git@github.com:AFLplusplus/linux-qemu-image-builder.git"
LINUX_BUILDER_DIR = { value = "${TARGET_DIR}/linux_builder", condition = { env_not_set = [
"LINUX_BUILDER_DIR",
] } }
LINUX_BUILDER_OUT = "${LINUX_BUILDER_DIR}/output"
[tasks.target_dir]
condition = { files_not_exist = [
"${TARGET_DIR}",
"${TARGET_DIR}/runtime",
"${TARGET_DIR}/setup",
] }
script_runner = "@shell"
script = '''
mkdir -p ${TARGET_DIR}/runtime
mkdir -p ${TARGET_DIR}/setup
'''
[tasks.linux_builder_dir]
condition = { files_not_exist = ["${LINUX_BUILDER_DIR}"] }
script_runner = "@shell"
script = '''
git clone ${LINUX_BUILDER_URL} ${LINUX_BUILDER_DIR}
'''
[tasks.target]
dependencies = ["build", "linux_builder_dir"]
script_runner = "@shell"
script = '''
git -C ${LINUX_BUILDER_DIR} pull
# Copy setup & runtime fixed files
cp -r ${WORKING_DIR}/setup/* ${LINUX_BUILDER_DIR}/setup/
cp -r ${WORKING_DIR}/runtime/* ${LINUX_BUILDER_DIR}/runtime/
# Copy generated libafl qemu header files to setup
cp ${TARGET_DIR}/${PROFILE_DIR}/include/* ${LINUX_BUILDER_DIR}/setup/
${LINUX_BUILDER_DIR}/build.sh
'''
[tasks.target_update]
dependencies = ["build", "linux_builder_dir"]
script_runner = "@shell"
script = '''
git -C ${LINUX_BUILDER_DIR} pull
# Copy setup & runtime fixed files
cp -r ${WORKING_DIR}/setup/* ${LINUX_BUILDER_DIR}/setup/
cp -r ${WORKING_DIR}/runtime/* ${LINUX_BUILDER_DIR}/runtime/
# Copy generated libafl qemu header files to setup
cp ${TARGET_DIR}/${PROFILE_DIR}/include/* ${LINUX_BUILDER_DIR}/setup/
${LINUX_BUILDER_DIR}/update.sh
'''
[tasks.build]
dependencies = ["target_dir"]
command = "cargo"
args = [
"build",
"--profile",
"${PROFILE}",
"--target-dir",
"${TARGET_DIR}",
"--features",
"${FEATURE}",
]
[tasks.run]
dependencies = ["build"]
script_runner = "@shell"
script = '''
rm -rf "${WORKING_DIR}/corpus_gen"
# Find the bios dir of LibAFL QEMU
if [ ! -z "${LIBAFL_QEMU_DIR}" ]; then
LIBAFL_QEMU_BIOS_DIR=${LIBAFL_QEMU_DIR}/build/qemu-bundle/usr/local/share/qemu
else
LIBAFL_QEMU_BIOS_DIR=${LIBAFL_QEMU_CLONE_DIR}/build/qemu-bundle/usr/local/share/qemu
fi
qemu-img create -f qcow2 -o backing_file=${LINUX_BUILDER_OUT}/OVMF_CODE.4m.fd -F raw ${LINUX_BUILDER_OUT}/OVMF_CODE.4m.qcow2
qemu-img create -f qcow2 -o backing_file=${LINUX_BUILDER_OUT}/OVMF_VARS.4m.fd -F raw ${LINUX_BUILDER_OUT}/OVMF_VARS.4m.qcow2
qemu-img create -f qcow2 -o backing_file=${LINUX_BUILDER_OUT}/linux.qcow2 -F qcow2 ${LINUX_BUILDER_OUT}/linux.tmp.qcow2
${TARGET_DIR}/${PROFILE_DIR}/qemu_linux_kernel \
-accel tcg \
-m 4G \
-drive if=pflash,format=qcow2,file="${LINUX_BUILDER_OUT}/OVMF_CODE.4m.qcow2" `# OVMF code pflash` \
-drive if=pflash,format=qcow2,file="${LINUX_BUILDER_OUT}/OVMF_VARS.4m.qcow2" `# OVMF vars pflash` \
-device ahci,id=ahci,bus=pci.0,addr=4 \
-device ide-hd,bus=ahci.0,drive=disk,bootindex=1 \
-blockdev driver=file,filename="${LINUX_BUILDER_OUT}/linux.tmp.qcow2",node-name=storage `# Backend file of "disk"` \
-blockdev driver=qcow2,file=storage,node-name=disk `# QCOW2 "disk"` \
-L "${LIBAFL_QEMU_BIOS_DIR}" \
-nographic \
-monitor null \
-serial null
'''
[tasks.test_unix]
script_runner = "@shell"
script = '''
# TODO: Run real test, not only building.
# LibAFL QEMU API
HARNESS_API=lqemu cargo make build
# Nyx API
HARNESS_API=nyx cargo make build
'''
[tasks.test]
description = "Run a test"
linux_alias = "test_unix"
mac_alias = "test_unix"
windows_alias = "unsupported"
[tasks.debug]
dependencies = ["build"]
command = "time"
args = [
"${TARGET_DIR}/${PROFILE_DIR}/qemu_systemmode_linux_kernel",
"-accel",
"kvm",
"-m",
"4G",
"-drive",
"if=pflash,format=raw,readonly=on,file=${LINUX_BUILDER_OUT}/OVMF_CODE.fd",
"-drive",
"if=pflash,format=raw,snapshot=off,file=${LINUX_BUILDER_OUT}/OVMF_VARS.fd",
"-blockdev",
"filename=${LINUX_BUILDER_OUT}/linux.qcow2,node-name=storage,driver=file",
"-blockdev",
"driver=qcow2,file=storage,node-name=disk",
"-device",
"virtio-scsi-pci,id=scsi0",
"-device",
"scsi-hd,bus=scsi0.0,drive=disk,id=virtio-disk0,bootindex=1",
"-L",
"${LIBAFL_QEMU_DIR}/build/qemu-bundle/usr/local/share/qemu",
"-snapshot",
]
[tasks.perf]
command = "perf"
args = [
"record",
"--call-graph",
"dwarf",
"${TARGET_DIR}/${PROFILE_DIR}/qemu_systemmode_linux_kernel",
"-accel",
"tcg",
"-m",
"4G",
"-drive",
"if=pflash,format=raw,readonly=on,file=${LINUX_BUILDER_OUT}/OVMF_CODE.fd",
"-drive",
"if=pflash,format=raw,snapshot=off,file=${LINUX_BUILDER_OUT}/OVMF_VARS.fd",
"-blockdev",
"filename=${LINUX_BUILDER_OUT}/linux.qcow2,node-name=storage,driver=file",
"-blockdev",
"driver=qcow2,file=storage,node-name=disk",
"-device",
"virtio-scsi-pci,id=scsi0",
"-device",
"scsi-hd,bus=scsi0.0,drive=disk,id=virtio-disk0,bootindex=1",
"-L",
"${LIBAFL_QEMU_DIR}/build/qemu-bundle/usr/local/share/qemu",
"-snapshot",
# "-icount", "shift=auto,align=off,sleep=off",
# "-monitor", "null",
# "-serial", "null",
# "-nographic",
]
[tasks.clean]
clear = true
script_runner = "@shell"
script = '''
rm -rf ${CARGO_MAKE_CRATE_TARGET_DIRECTORY}
cargo clean
'''

4
fuzzers/full_system/qemu_linux_process/Cargo.toml
View File

@ -5,10 +5,14 @@ authors = ["Romain Malmain <rmalmain@pm.me>"]
edition = "2021" edition = "2021"
[features] [features]
default = ["lqemu"]
## Build and run the target with the Nyx API instead of the built-in LibAFL QEMU API. ## Build and run the target with the Nyx API instead of the built-in LibAFL QEMU API.
nyx = [] nyx = []
## Build and run the target with the LibAFL QEMU API.
lqemu = []
shared = ["libafl_qemu/shared"] shared = ["libafl_qemu/shared"]
[profile.release] [profile.release]

74
fuzzers/full_system/qemu_linux_process/Justfile Normal file
View File

@ -0,0 +1,74 @@
import "../../../just/libafl-qemu.just"
FUZZER_NAME := "qemu_linux_kernel"
LINUX_BUILDER_URL := "git@github.com:AFLplusplus/linux-qemu-image-builder.git"
LINUX_BUILDER_DIR := TARGET_DIR / "linux_builder"
LINUX_BUILDER_OUT := LINUX_BUILDER_DIR / "output"
target_dir:
mkdir -p "{{TARGET_DIR}}"
linux_builder_dir: target_dir
#!/bin/bash
if [ ! -d {{ LINUX_BUILDER_DIR }} ]; then
git clone {{ LINUX_BUILDER_URL }} {{ LINUX_BUILDER_DIR }}
else
git -C {{ LINUX_BUILDER_DIR }} pull
fi
compile_target api="lqemu": (build api)
clang -O0 -static -I {{ BUILD_DIR }}/include \
example/harness_{{ api }}.c \
-o {{ LINUX_BUILDER_DIR }}/runtime/harness
update_files api="lqemu": target_dir linux_builder_dir (build api)
cp -r setup/* "{{ LINUX_BUILDER_DIR }}/setup/"
cp -r runtime/* "{{ LINUX_BUILDER_DIR }}/runtime/"
cp {{ BUILD_DIR }}/include/* "{{ LINUX_BUILDER_DIR }}/setup/"
target api="lqemu": linux_builder_dir update_files
{{LINUX_BUILDER_DIR}}/build.sh
build api="lqemu":
cargo build \
--no-default-features \
--profile {{ PROFILE }} \
--target-dir {{ TARGET_DIR }} \
--features "{{ api }}"
run api="lqemu": (build api)
#!/bin/bash
rm -rf corpus_gen
# Find the bios dir of LibAFL QEMU
if [ ! -z "${LIBAFL_QEMU_DIR}" ]; then
LIBAFL_QEMU_BIOS_DIR=${LIBAFL_QEMU_DIR}/build/qemu-bundle/usr/local/share/qemu
else
LIBAFL_QEMU_BIOS_DIR={{ LIBAFL_QEMU_DIR_DEFAULT }}/build/qemu-bundle/usr/local/share/qemu
fi
qemu-img create -f qcow2 -o backing_file={{ LINUX_BUILDER_OUT }}/OVMF_CODE.4m.fd -F raw {{ LINUX_BUILDER_OUT }}/OVMF_CODE.4m.qcow2
qemu-img create -f qcow2 -o backing_file={{ LINUX_BUILDER_OUT }}/OVMF_VARS.4m.fd -F raw {{ LINUX_BUILDER_OUT }}/OVMF_VARS.4m.qcow2
qemu-img create -f qcow2 -o backing_file={{ LINUX_BUILDER_OUT }}/linux.qcow2 -F qcow2 {{ LINUX_BUILDER_OUT }}/linux.tmp.qcow2
{{FUZZER}} \
-accel tcg \
-m 4G \
-drive if=pflash,format=qcow2,file="{{ LINUX_BUILDER_OUT }}/OVMF_CODE.4m.qcow2" `# OVMF code pflash` \
-drive if=pflash,format=qcow2,file="{{ LINUX_BUILDER_OUT }}/OVMF_VARS.4m.qcow2" `# OVMF vars pflash` \
-device ahci,id=ahci,bus=pci.0,addr=4 \
-device ide-hd,bus=ahci.0,drive=disk,bootindex=1 \
-blockdev driver=file,filename="{{ LINUX_BUILDER_OUT }}/linux.tmp.qcow2",node-name=storage `# Backend file of "disk"` \
-blockdev driver=qcow2,file=storage,node-name=disk `# QCOW2 "disk"` \
-L "${LIBAFL_QEMU_BIOS_DIR}" \
-nographic \
-monitor null \
-serial null
test: build (build "nyx")
clean:
cargo clean

257
fuzzers/full_system/qemu_linux_process/Makefile.toml
View File

@ -1,257 +0,0 @@
env_scripts = ['''
#!@duckscript
profile = get_env PROFILE
harness_api = get_env HARNESS_API
if eq ${profile} "dev"
set_env PROFILE_DIR debug
else
set_env PROFILE_DIR ${profile}
end
if eq ${harness_api} "nyx"
set_env FEATURE nyx
elseif eq ${harness_api} "lqemu"
set_env FEATURE ""
else
echo "Unknown harness API: ${harness_api}"
exit 1
end
''', '''
#!@duckscript
runs_on_ci = get_env RUN_ON_CI
if ${runs_on_ci}
cargo_target_dir = get_env CARGO_MAKE_CRATE_TARGET_DIRECTORY
set_env TARGET_DIR ${cargo_target_dir}
set_env KERNEL ${cargo_target_dir}/example.elf
end
''']
[env]
PROFILE = { value = "release", condition = { env_not_set = ["PROFILE"] } }
WORKING_DIR = "${CARGO_MAKE_WORKING_DIRECTORY}"
TARGET_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}"
LIBAFL_QEMU_CLONE_DIR = { value = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/qemu-libafl-bridge", condition = { env_not_set = [
"LIBAFL_QEMU_DIR",
] } }
LINUX_BUILDER_URL = "git@github.com:AFLplusplus/linux-qemu-image-builder.git"
LINUX_BUILDER_DIR = { value = "${TARGET_DIR}/linux_builder", condition = { env_not_set = [
"LINUX_BUILDER_DIR",
] } }
LINUX_BUILDER_OUT = "${LINUX_BUILDER_DIR}/output"
HARNESS_API = { value = "lqemu", condition = { env_not_set = ["HARNESS_API"] } }
[tasks.target_dir]
condition = { files_not_exist = [
"${TARGET_DIR}",
"${TARGET_DIR}/runtime",
"${TARGET_DIR}/setup",
] }
script_runner = "@shell"
script = '''
mkdir -p ${TARGET_DIR}/runtime
mkdir -p ${TARGET_DIR}/setup
'''
[tasks.linux_builder_dir]
condition = { files_not_exist = ["${LINUX_BUILDER_DIR}"] }
script_runner = "@shell"
script = '''
git clone ${LINUX_BUILDER_URL} ${LINUX_BUILDER_DIR}
'''
[tasks.compile_target_nyx]
condition = { env = { "HARNESS_API" = "nyx" } }
dependencies = ["target_dir", "linux_builder_dir"]
command = "clang"
args = [
"-O0",
"-static",
"${WORKING_DIR}/example/harness_nyx.c",
"-o",
"${TARGET_DIR}/runtime/harness",
"-I",
"${TARGET_DIR}/${PROFILE_DIR}/include",
]
[tasks.compile_target_native]
condition = { env = { "HARNESS_API" = "lqemu" } }
dependencies = ["target_dir", "linux_builder_dir"]
command = "clang"
args = [
"-O0",
"-static",
"${WORKING_DIR}/example/harness.c",
"-o",
"${TARGET_DIR}/runtime/harness",
"-I",
"${TARGET_DIR}/${PROFILE_DIR}/include",
]
[tasks.compile_target]
dependencies = ["compile_target_native", "compile_target_nyx"]
[tasks.target]
dependencies = ["build", "compile_target"]
script_runner = "@shell"
script = '''
git -C ${LINUX_BUILDER_DIR} pull
# Copy generated harness
cp -r ${TARGET_DIR}/runtime/* ${LINUX_BUILDER_DIR}/runtime/
# Copy setup & runtime fixed files
cp -r ${WORKING_DIR}/setup/* ${LINUX_BUILDER_DIR}/setup/
cp -r ${WORKING_DIR}/runtime/* ${LINUX_BUILDER_DIR}/runtime/
${LINUX_BUILDER_DIR}/build.sh
'''
[tasks.target_update]
dependencies = ["build", "compile_target"]
script_runner = "@shell"
script = '''
# Copy generated harness
cp -r ${TARGET_DIR}/runtime/* ${LINUX_BUILDER_DIR}/runtime/
# Copy setup & runtime fixed files
cp -r ${WORKING_DIR}/runtime/* ${LINUX_BUILDER_DIR}/runtime/
${LINUX_BUILDER_DIR}/update.sh
'''
[tasks.build]
dependencies = ["target_dir"]
command = "cargo"
args = [
"build",
"--profile",
"${PROFILE}",
"--target-dir",
"${TARGET_DIR}",
"--features",
"${FEATURE}",
]
[tasks.test_unix]
script_runner = "@shell"
script = '''
# TODO: Run real test, not only building.
# LibAFL QEMU API
HARNESS_API=lqemu cargo make build
# Nyx API
HARNESS_API=nyx cargo make build
'''
[tasks.test]
description = "Run a test"
linux_alias = "test_unix"
mac_alias = "test_unix"
windows_alias = "unsupported"
[tasks.run]
dependencies = ["build"]
script_runner = "@shell"
script = '''
rm -rf "${WORKING_DIR}/corpus_gen"
# Find the bios dir of LibAFL QEMU
if [ ! -z "${LIBAFL_QEMU_DIR}" ]; then
LIBAFL_QEMU_BIOS_DIR=${LIBAFL_QEMU_DIR}/build/qemu-bundle/usr/local/share/qemu
else
LIBAFL_QEMU_BIOS_DIR=${LIBAFL_QEMU_CLONE_DIR}/build/qemu-bundle/usr/local/share/qemu
fi
qemu-img create -f qcow2 -o backing_file=${LINUX_BUILDER_OUT}/OVMF_CODE.4m.fd -F raw ${LINUX_BUILDER_OUT}/OVMF_CODE.4m.qcow2
qemu-img create -f qcow2 -o backing_file=${LINUX_BUILDER_OUT}/OVMF_VARS.4m.fd -F raw ${LINUX_BUILDER_OUT}/OVMF_VARS.4m.qcow2
qemu-img create -f qcow2 -o backing_file=${LINUX_BUILDER_OUT}/linux.qcow2 -F qcow2 ${LINUX_BUILDER_OUT}/linux.tmp.qcow2
${TARGET_DIR}/${PROFILE_DIR}/qemu_linux_process \
-accel tcg \
-m 4G \
-drive if=pflash,format=qcow2,file="${LINUX_BUILDER_OUT}/OVMF_CODE.4m.qcow2" `# OVMF code pflash` \
-drive if=pflash,format=qcow2,file="${LINUX_BUILDER_OUT}/OVMF_VARS.4m.qcow2" `# OVMF vars pflash` \
-device ahci,id=ahci,bus=pci.0,addr=4 \
-device ide-hd,bus=ahci.0,drive=disk,bootindex=1 \
-blockdev driver=file,filename="${LINUX_BUILDER_OUT}/linux.tmp.qcow2",node-name=storage `# Backend file of "disk"` \
-blockdev driver=qcow2,file=storage,node-name=disk `# QCOW2 "disk"` \
-L "${LIBAFL_QEMU_BIOS_DIR}" \
-nographic \
-monitor null \
-serial null
# -snapshot
#-blockdev driver=syx-cow-cache,file=storage,node-name=storage-syx \
# gdb --args
'''
[tasks.debug]
dependencies = ["build"]
command = "time"
args = [
"${TARGET_DIR}/${PROFILE_DIR}/qemu_linux_process",
"-accel",
"tcg",
"-m",
"4G",
"-drive",
"if=pflash,format=raw,file=${LINUX_BUILDER_OUT}/OVMF_CODE.fd",
"-drive",
"if=pflash,format=raw,file=${LINUX_BUILDER_OUT}/OVMF_VARS.fd",
"-blockdev",
"filename=${LINUX_BUILDER_OUT}/linux.qcow2,node-name=storage,driver=file",
"-blockdev",
"driver=qcow2,file=storage,node-name=disk",
"-device",
"virtio-scsi-pci,id=scsi0",
"-device",
"scsi-hd,bus=scsi0.0,drive=disk,id=virtio-disk0,bootindex=1",
"-L",
"${LIBAFL_QEMU_DIR}/build/qemu-bundle/usr/local/share/qemu",
#"-snapshot",
]
[tasks.perf]
command = "perf"
args = [
"record",
"--call-graph",
"dwarf",
"${TARGET_DIR}/${PROFILE_DIR}/qemu_linux_process",
"-accel",
"tcg",
"-m",
"4G",
"-drive",
"if=pflash,format=raw,readonly=on,file=${LINUX_BUILDER_OUT}/OVMF_CODE.fd",
"-drive",
"if=pflash,format=raw,snapshot=off,file=${LINUX_BUILDER_OUT}/OVMF_VARS.fd",
"-blockdev",
"filename=${LINUX_BUILDER_OUT}/linux.qcow2,node-name=storage,driver=file",
"-blockdev",
"driver=qcow2,file=storage,node-name=disk",
"-device",
"virtio-scsi-pci,id=scsi0",
"-device",
"scsi-hd,bus=scsi0.0,drive=disk,id=virtio-disk0,bootindex=1",
"-L",
"${LIBAFL_QEMU_DIR}/build/qemu-bundle/usr/local/share/qemu",
"-snapshot",
# "-icount", "shift=auto,align=off,sleep=off",
# "-monitor", "null",
# "-serial", "null",
# "-nographic",
]
[tasks.clean]
clear = true
script_runner = "@shell"
script = '''
rm -rf ${CARGO_MAKE_CRATE_TARGET_DIRECTORY}
cargo clean
'''

0
fuzzers/full_system/qemu_linux_process/example/harness.c → fuzzers/full_system/qemu_linux_process/example/harness_lqemu.c
View File

2
fuzzers/inprocess/libfuzzer_stb_image/Justfile
View File

@ -29,7 +29,7 @@ run: fuzzer
[windows] [windows]
run: fuzzer run: fuzzer
echo "Not integrated into cargo-make yet." echo "Not integrated into just yet."
[linux] [linux]
[macos] [macos]

2
fuzzers/inprocess/libfuzzer_stb_image_sugar/Justfile
View File

@ -29,7 +29,7 @@ run: fuzzer
[windows] [windows]
run: fuzzer run: fuzzer
echo "Not integrated into cargo-make yet." echo "Not integrated into just yet."
[linux] [linux]
[macos] [macos]

6
just/README.md Normal file
View File

@ -0,0 +1,6 @@
# LibAFL Just Library
Here is stored the common library used by our example fuzzers.
It mainly consists of boilerplate definitions and convenient functions.
One of these files should always be included in final `Justfile`s.

3
just/envs/.env.aarch64 Normal file
View File

@ -0,0 +1,3 @@
CROSS_CC="aarch64-linux-gnu-gcc"
CROSS_CXX="aarch64-linux-gnu-g++"
CROSS_CFLAGS=""

3
just/envs/.env.arm Normal file
View File

@ -0,0 +1,3 @@
CROSS_CC="arm-linux-gnueabi-gcc"
CROSS_CXX="arm-linux-gnueabi-g++"
CROSS_CFLAGS=""

3
just/envs/.env.i386 Normal file
View File

@ -0,0 +1,3 @@
CROSS_CC="x86_64-linux-gnu-gcc"
CROSS_CXX="x86_64-linux-gnu-g++"
CROSS_CFLAGS="-m32"

3
just/envs/.env.mips Normal file
View File

@ -0,0 +1,3 @@
CROSS_CC="mipsel-linux-gnu-gcc"
CROSS_CXX="mipsel-linux-gnu-g++"
CROSS_CFLAGS=""

3
just/envs/.env.ppc Normal file
View File

@ -0,0 +1,3 @@
CROSS_CC="powerpc-linux-gnu-gcc"
CROSS_CXX="powerpc-linux-gnu-gcc"
CROSS_CFLAGS=""

3
just/envs/.env.x86_64 Normal file
View File

@ -0,0 +1,3 @@
CROSS_CC="x86_64-linux-gnu-gcc"
CROSS_CXX="x86_64-linux-gnu-g++"
CROSS_CFLAGS=""

84
just/libafl-qemu-libpng.just Normal file
View File

@ -0,0 +1,84 @@
import "libafl-qemu.just"
# Useful rules to build libpng for multiple architecture.
ARCH := env("ARCH", "x86_64")
OPTIMIZATIONS := env("OPTIMIZATIONS", "yes")
DEPS_DIR := TARGET_DIR / "deps"
DOTENV := source_directory() / "envs" / ".env." + ARCH
[unix]
target_dir:
mkdir -p {{ TARGET_DIR }}
[unix]
deps_dir:
mkdir -p {{ DEPS_DIR }}
[unix]
arch_dir:
mkdir -p {{ ARCH }}
[unix]
zlib_wget: deps_dir
#!/bin/bash
wget \
-O "{{ DEPS_DIR }}/zlib-1.2.13.tar.gz" \
https://zlib.net/fossils/zlib-1.2.13.tar.gz
tar \
zxvf {{ DEPS_DIR }}/zlib-1.2.13.tar.gz \
-C {{ DEPS_DIR }}
[unix]
zlib: zlib_wget
#!/bin/bash
source {{ DOTENV }}
rm -rf {{ TARGET_DIR }}/build-zlib/
mkdir {{ TARGET_DIR }}/build-zlib/
cd {{ TARGET_DIR }}/build-zlib/ && \
CC=$CROSS_CC \
CFLAGS=$CROSS_CFLAGS \
{{ DEPS_DIR }}/zlib-1.2.13/configure \
--prefix=./zlib
make -j install
[unix]
libpng_wget: deps_dir
wget \
-O "{{ DEPS_DIR }}/v1.6.37.tar.gz" \
https://github.com/glennrp/libpng/archive/refs/tags/v1.6.37.tar.gz
tar \
-xvf "{{ DEPS_DIR }}/v1.6.37.tar.gz" \
-C {{ DEPS_DIR }}
[unix]
libpng: arch_dir zlib libpng_wget
#!/bin/bash
source {{ DOTENV }}
rm -rf {{ TARGET_DIR }}/build-png/
mkdir {{TARGET_DIR}}/build-png/
cd {{ TARGET_DIR }}/build-png/ && \
CC=$CROSS_CC \
CFLAGS="$CROSS_CFLAGS -I"{{ TARGET_DIR }}/build-zlib/zlib/lib"" \
LDFLAGS=-L"{{ TARGET_DIR }}/build-zlib/zlib/lib" \
{{ DEPS_DIR }}/libpng-1.6.37/configure \
--enable-shared=no \
--with-pic=yes \
--enable-hardware-optimizations={{ OPTIMIZATIONS }} \
--host={{ ARCH }} \
make -j -C {{ TARGET_DIR }}/build-png/

3
just/libafl-qemu.just Normal file
View File

@ -0,0 +1,3 @@
import "libafl.just"
export LIBAFL_QEMU_DIR_DEFAULT := BUILD_DIR / "qemu-libafl-bridge"

41
just/libafl.just Normal file
View File

@ -0,0 +1,41 @@
# Main Justfile for LibAFL
# Provides multiple useful variables.
#
# Must be set:
# - `FUZZER_NAME`: Name of the executable.
#
# Provides:
# - `PROFILE`: Profile (either `dev` or `release`). Default is `release`.
# - `PROFILE_DIR`: Profile directory (either `debug` or `release`).
# - `TARGET_DIR`: target directry. Defaults to `target`.
# - `BUILD_DIR`: Root directory in which the program is compiled.
# - `FUZZER`: Executable path.
PROFILE := env("PROFILE", "release")
PROFILE_DIR := if PROFILE == "dev" { "debug" } else { "release" }
TARGET_DIR := absolute_path(env("TARGET_DIR", "target"))
BUILD_DIR := TARGET_DIR / PROFILE_DIR
FUZZER_EXTENSION := if os_family() == "windows" { ".exe" } else { "" }
FUZZER := BUILD_DIR / FUZZER_NAME + FUZZER_EXTENSION
JUSTHASHES := ".justhashes"
buildfile fpath:
#!/bin/bash
# Init hash files if does not exit
if [ ! -f {{ JUSTHASHES }} ]; then
touch {{ JUSTHASHES }}
fi
if [ -d {{ fpath }}]
echo "{{ fpath }} already exists as dir."
exit 1
fi
# Run the file recipe if it changed or was not built before
if [ ! -f {{ fpath }} ] || [ ! "$(md5sum {{ fpath }} | head -c 32)" == "$(grep " {{ fpath }}" {{ JUSTHASHES }} | head -c 32)" ]; then
just {{ fpath }}
echo "$(grep -v "{{ fpath }}" {{ JUSTHASHES }})" > {{ JUSTHASHES }}
md5sum {{ fpath }} >> {{ JUSTHASHES }}
fi

2
libafl_qemu/libafl_qemu_build/src/build.rs
View File

@ -11,7 +11,7 @@ use crate::cargo_add_rpath;
pub const QEMU_URL: &str = "https://github.com/AFLplusplus/qemu-libafl-bridge"; pub const QEMU_URL: &str = "https://github.com/AFLplusplus/qemu-libafl-bridge";
pub const QEMU_DIRNAME: &str = "qemu-libafl-bridge"; pub const QEMU_DIRNAME: &str = "qemu-libafl-bridge";
pub const QEMU_REVISION: &str = "695657e4f3f408c34b146d5191b102d5eb99b74b"; pub const QEMU_REVISION: &str = "06c738f64a4a92d5fc8184c9b5a9fe9340f4a63f";
pub struct BuildResult { pub struct BuildResult {
pub qemu_path: PathBuf, pub qemu_path: PathBuf,

19
libafl_qemu/src/modules/drcov.rs
View File

@ -152,23 +152,16 @@ where
match DRCOV_MAP.lock().unwrap().as_mut().unwrap().entry(pc) { match DRCOV_MAP.lock().unwrap().as_mut().unwrap().entry(pc) {
Entry::Occupied(entry) => { Entry::Occupied(entry) => {
let id = *entry.get(); let id = *entry.get();
if drcov_module.full_trace {
Some(id) Some(id)
} else {
None
}
} }
Entry::Vacant(entry) => { Entry::Vacant(entry) => {
let id = meta.current_id; let id = meta.current_id;
entry.insert(id); entry.insert(id);
meta.current_id = id + 1; meta.current_id = id + 1;
if drcov_module.full_trace {
// GuestAddress is u32 for 32 bit guests
#[expect(clippy::unnecessary_cast)] #[expect(clippy::unnecessary_cast)]
Some(id as u64) Some(id as u64)
} else {
None
}
} }
} }
} }
@ -201,7 +194,7 @@ pub fn gen_block_lengths<ET, F, I, S>(
#[allow(clippy::needless_pass_by_value)] // no longer a problem with nightly #[allow(clippy::needless_pass_by_value)] // no longer a problem with nightly
pub fn exec_trace_block<ET, F, I, S>( pub fn exec_trace_block<ET, F, I, S>(
_qemu: Qemu, _qemu: Qemu,
emulator_modules: &mut EmulatorModules<ET, I, S>, _emulator_modules: &mut EmulatorModules<ET, I, S>,
_state: Option<&mut S>, _state: Option<&mut S>,
id: u64, id: u64,
) where ) where
@ -210,10 +203,8 @@ pub fn exec_trace_block<ET, F, I, S>(
I: Unpin, I: Unpin,
S: Unpin + HasMetadata, S: Unpin + HasMetadata,
{ {
if emulator_modules.get::<DrCovModule<F>>().unwrap().full_trace {
DRCOV_IDS.lock().unwrap().as_mut().unwrap().push(id); DRCOV_IDS.lock().unwrap().as_mut().unwrap().push(id);
} }
}
impl<F, I, S> EmulatorModule<I, S> for DrCovModule<F> impl<F, I, S> EmulatorModule<I, S> for DrCovModule<F>
where where
@ -395,9 +386,7 @@ impl<F> DrCovModule<F> {
unsafe { unsafe {
for module in self.module_mapping.as_ref().unwrap_unchecked().iter() { for module in self.module_mapping.as_ref().unwrap_unchecked().iter() {
let (range, (_, _)) = module; let (range, (_, _)) = module;
if *pc >= range.start.try_into().unwrap() if range.contains(&u64::try_from(*pc).unwrap()) {
&& *pc <= range.end.try_into().unwrap()
{
module_found = true; module_found = true;
break; break;
} }

4
scripts/test_fuzzer.sh
View File

@ -54,11 +54,11 @@ do
if [ -e ./Makefile.toml ] && grep -qF "skip_core_tasks = true" Makefile.toml; then if [ -e ./Makefile.toml ] && grep -qF "skip_core_tasks = true" Makefile.toml; then
echo "[*] Building $fuzzer (running tests is not supported in this context)" echo "[*] Building $fuzzer (running tests is not supported in this context)"
cargo make build || exit 1 just build || exit 1
echo "[+] Done building $fuzzer" echo "[+] Done building $fuzzer"
elif [ -e ./Makefile.toml ]; then elif [ -e ./Makefile.toml ]; then
echo "[*] Testing $fuzzer" echo "[*] Testing $fuzzer"
cargo make test || exit 1 just test || exit 1
echo "[+] Done testing $fuzzer" echo "[+] Done testing $fuzzer"
elif [ -e ./Justfile ]; then elif [ -e ./Justfile ]; then
echo "[*] Testing $fuzzer" echo "[*] Testing $fuzzer"

31
utils/gdb_qemu/Justfile Normal file
View File

@ -0,0 +1,31 @@
import "../../just/libafl.just"
DEMO_TARGET := "powerpc-unknown-linux-gnu"
HOST_TARGET := "x86_64-unknown-linux-gnu"
DEMO_DIR := {{TARGET_DIR}}/{{DEMO_TARGET}}/"debug"
TARGET_DIR := {{TARGET_DIR}}/{{HOST_TARGET}}/"debug"
FUZZER_NAME := ""
clean:
cargo clean
format:
cargo fmt -- --emit=files
demo: format
cargo build -p gdb_demo --profile {{PROFILE}} --target powerpc-unknown-linux-gnu
run_demo: demo
cargo run -p gdb_demo --target powerpc-unknown-linux-gnu
build: format
cargo build -p gdb_qemu --profile {{PROFILE}}
run: demo
cargo run -p gdb_qemu --profile {{PROFILE}} -- -p 1234 -L trace -- qemu-ppc -L /usr/powerpc-linux-gnu -g 1234 {{DEMO_DIR}}/gdb_demo
gdb:
gdb-multiarch -ex "set architecture powerpc:MPC8XX" -ex "set pagination off" -ex "set confirm off" -ex "file {{DEMO_DIR}}/gdb_demo" -ex "target remote | {{TARGET_DIR}}/gdb_qemu -p 1234 -L trace qemu-ppc -- -L /usr/powerpc-linux-gnu -g 1234 {{DEMO_DIR}}/gdb_demo"
all: demo build

88
utils/gdb_qemu/Makefile.toml
View File

@ -1,88 +0,0 @@
[config]
default_to_workspace = false
[env]
DEMO_TARGET = "powerpc-unknown-linux-gnu"
HOST_TARGET = "x86_64-unknown-linux-gnu"
PROFILE = "dev"
DEMO_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/${DEMO_TARGET}/debug"
TARGET_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/${HOST_TARGET}/debug"
[env.release]
PROFILE = "release"
DEMO_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/${DEMO_TARGET}/release"
TARGET_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/${HOST_TARGET}/release"
[tasks.clean]
command = "cargo"
args = ["clean"]
[tasks.format]
install_crate = "rustfmt"
command = "cargo"
args = ["fmt", "--", "--emit=files"]
[tasks.demo]
dependencies = ["format", "clippy"]
command = "cargo"
args = [
"build",
"-p",
"gdb_demo",
"--profile",
"${PROFILE}",
"--target",
"powerpc-unknown-linux-gnu",
]
[tasks.run_demo]
dependencies = ["demo"]
command = "cargo"
args = ["run", "-p", "gdb_demo", "--target", "powerpc-unknown-linux-gnu"]
[tasks.build]
dependencies = ["format", "clippy"]
command = "cargo"
args = ["build", "-p", "gdb_qemu", "--profile", "${PROFILE}"]
[tasks.run]
command = "cargo"
dependencies = ["demo"]
args = [
"run",
"-p",
"gdb_qemu",
"--profile",
"${PROFILE}",
"--",
"-p",
"1234",
"-L",
"trace",
"--",
"qemu-ppc",
"-L",
"/usr/powerpc-linux-gnu",
"-g",
"1234",
"${DEMO_DIR}/gdb_demo",
]
[tasks.gdb]
command = "gdb-multiarch"
dependencies = ["demo", "build"]
args = [
"-ex",
"set architecture powerpc:MPC8XX",
"-ex",
"set pagination off",
"-ex",
"set confirm off",
"-ex",
"file ${DEMO_DIR}/gdb_demo",
"-ex",
"target remote | ${TARGET_DIR}/gdb_qemu -p 1234 -L trace qemu-ppc -- -L /usr/powerpc-linux-gnu -g 1234 ${DEMO_DIR}/gdb_demo",
]
[tasks.all]
dependencies = ["demo", "build"]

29
utils/noaslr/Justfile Normal file
View File

@ -0,0 +1,29 @@
import "../../just/libafl.just"
FUZZER_NAME := ""
clean:
cargo clean
format:
cargo fmt -- --emit=files
demo: format
cargo build -p noaslr_demo --profile {{PROFILE}}
run_demo: demo
cargo run -p noaslr_demo
build: format
cargo build -p noaslr --profile {{PROFILE}}
buildlib: format
cargo build -p libnoaslr --profile {{PROFILE}}
run: demo
cargo run -p noaslr --profile {{PROFILE}} -- {{BUILD_DIR}}/demo -- -f /proc/self/maps -- test
runlib: demo buildlib
LD_PRELOAD={{BUILD_DIR}}/libnoaslr.so cargo run -p noaslr_demo --profile {{PROFILE}} -- -f /proc/self/maps -- test
all: demo build buildlib

78
utils/noaslr/Makefile.toml
View File

@ -1,78 +0,0 @@
[config]
default_to_workspace = false
[env]
PROFILE = "dev"
BUILD_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/debug"
[env.release]
PROFILE = "release"
BUILD_DIR = "${CARGO_MAKE_CRATE_TARGET_DIRECTORY}/release"
[tasks.clean]
command = "cargo"
args = ["clean"]
[tasks.format]
install_crate = "rustfmt"
command = "cargo"
args = ["fmt", "--", "--emit=files"]
[tasks.demo]
dependencies = ["format", "clippy"]
command = "cargo"
args = ["build", "-p", "demo", "--profile", "${PROFILE}"]
[tasks.run_demo]
dependencies = ["demo"]
command = "cargo"
args = ["run", "-p", "demo"]
[tasks.build]
dependencies = ["format", "clippy"]
command = "cargo"
args = ["build", "-p", "noaslr", "--profile", "${PROFILE}"]
[tasks.buildlib]
dependencies = ["format", "clippy"]
command = "cargo"
args = ["build", "-p", "libnoaslr", "--profile", "${PROFILE}"]
[tasks.run]
command = "cargo"
dependencies = ["demo"]
env = { "ZZZ_TEST_ZZZ" = "ZZZ TEST ZZZ" }
args = [
"run",
"-p",
"noaslr",
"--profile",
"${PROFILE}",
"--",
"${BUILD_DIR}/demo",
"--",
"-f",
"/proc/self/maps",
"--",
"test",
]
[tasks.runlib]
command = "cargo"
dependencies = ["demo", "buildlib"]
env = { "LD_PRELOAD" = "${BUILD_DIR}/libnoaslr.so", "ZZZ_TEST_ZZZ" = "ZZZ TEST ZZZ" }
args = [
"run",
"-p",
"demo",
"--profile",
"${PROFILE}",
"--",
"-f",
"/proc/self/maps",
"--",
"test",
]
[tasks.all]
dependencies = ["demo", "build", "buildlib"]