SYS-OSS/FRET-LibAFL
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Moved fuzzer to examples

Browse Source
This commit is contained in:
Dominik Maier 2021-02-26 08:35:18 +01:00
parent 691c9d4bf6
commit d48524168a
8 changed files with 76 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
.github/workflows/build_and_test.yml vendored
View File

@ -11,31 +11,37 @@ jobs:
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v2
- name: Build - name: Build
run: cd libafl && cargo build --verbose run: cargo build --verbose
build-all: all-features-build:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v2
- name: Build - name: Build
run: cd libafl &&cargo build --no-default-features --features runtime --features std --features anymapdbg --verbose run: cargo build --all-features --verbose
test: test:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v2
- name: Test - name: Test
run: cd libafl && cargo test --verbose run: cargo test --verbose
build-no-std: examples-build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Build
run: cd libafl && cargo build --no-default-features --verbose
test-no-std:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@v2 - uses: actions/checkout@v2
- name: Test - name: Test
run: cd libafl && cargo test --no-default-features --verbose run: cargo build --examples --verbose
no-std-build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Build
run: cargo build --no-default-features --verbose
no-std-test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Test
run: cargo test --no-default-features --verbose
docs: docs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:

14
Cargo.toml Normal file
View File

@ -0,0 +1,14 @@
[profile.release]
lto = true
codegen-units = 1
opt-level = 3
debug = true
[workspace]
members = [
"libafl",
#example fuzzers
"fuzzers/libfuzzer_libpng",
]

1
README.md
View File

@ -12,6 +12,7 @@ It is released as Free and Open Source Software under the GNU Lesser General Pub
We collect example fuzzers in `./fuzzers`. We collect example fuzzers in `./fuzzers`.
The best-tested fuzzer is `./fuzzers/libfuzzer_libpng`, a clone of libfuzzer using libafl for a libpng harness. The best-tested fuzzer is `./fuzzers/libfuzzer_libpng`, a clone of libfuzzer using libafl for a libpng harness.
See its readme (here)[./fuzzers/libfuzzer_libpng/README.md].
If you want to get a quick overview, run `cargo doc`. If you want to get a quick overview, run `cargo doc`.
Feel free to open issues or contact us directly. Thank you for your support. <3 Feel free to open issues or contact us directly. Thank you for your support. <3

14
fuzzers/libfuzzer_libpng/Cargo.toml
View File

@ -11,11 +11,11 @@ build = "build.rs"
default = ["std"] default = ["std"]
std = [] std = []
[profile.release] #[profile.release]
lto = true #lto = true
codegen-units = 1 #codegen-units = 1
opt-level = 3 #opt-level = 3
debug = true #debug = true
[build-dependencies] [build-dependencies]
cc = { version = "1.0", features = ["parallel"] } cc = { version = "1.0", features = ["parallel"] }
@ -24,8 +24,8 @@ num_cpus = "1.0"
[dependencies] [dependencies]
libafl = { path = "../../libafl/" } libafl = { path = "../../libafl/" }
[[bin]] [[example]]
name = "libfuzzer_libpng" name = "libfuzzer_libpng"
path = "./src/mod.rs" path = "./src/fuzzer.rs"
test = false test = false
bench = false bench = false

22
fuzzers/libfuzzer_libpng/README.md Normal file
View File

@ -0,0 +1,22 @@
# Libfuzzer for libpng
This folder contains an example fuzzer for libpng, using LLMP for fast multi-process fuzzing and crash detection.
It has been tested on Linux.
## Build
To build this example, run `cargo build --example libfuzzer_libpng --release`.
This will call (the build.rs)[./builld.rs], which in turn downloads a libpng archive from the web.
Then, it will link (the fuzzer)[./src/fuzzer.rs] against (the c++ harness)[./harness.cc] and the instrumented `libpng`.
Afterwards, the fuzzer will be ready to run, from `../../target/examples/libfuzzer_libpng`.
## Run
The first time you run the binary, the broker will open a tcp port (currently on port `1337`), waiting for fuzzer clients to connect. This port is local and only used for the initial handshake. All further communication happens via shared map, to be independent of the kernel.
Each following execution will run a fuzzer client.
As this example uses in-process fuzzing, we added a Restarting Event Manager (`setup_restarting_mgr`).
This means each client will start itself again to listen for crashes and timeouts.
By restarting the actual fuzzer, it can recover from these exit conditions.
For convenience, you may just run `./test.sh` in this folder.

0
fuzzers/libfuzzer_libpng/src/mod.rs → fuzzers/libfuzzer_libpng/src/fuzzer.rs
View File

13
fuzzers/libfuzzer_libpng/test.sh
View File

@ -2,9 +2,16 @@
mkdir -p ./crashes mkdir -p ./crashes
cargo build --release || exit 1 cargo build --example libfuzzer_libpng --release || exit 1
cp ../../target/release/libfuzzer ./.libfuzzer_test.elf cp ../../target/release/examples/libfuzzer_libpng ./.libfuzzer_test.elf
RUST_BACKTRACE=full ./.libfuzzer_test.elf # The broker
RUST_BACKTRACE=full ./.libfuzzer_test.elf &
# Give the broker time to spawn
sleep 2
echo "Spawning client"
# The 1st fuzzer client
RUST_BACKTRACE=full ./.libfuzzer_test.elf 2>/dev/null
killall .libfuzzer_test.elf
rm -rf ./.libfuzzer_test.elf rm -rf ./.libfuzzer_test.elf

8
libafl/Cargo.toml
View File

@ -24,10 +24,10 @@ harness = false
name = "hash_speeds" name = "hash_speeds"
harness = false harness = false
[profile.release] #[profile.release]
lto = true #lto = true
opt-level = 3 #opt-level = 3
debug = true #debug = true
[features] [features]
default = ["std", "anymapdbg"] default = ["std", "anymapdbg"]