├── QuickStartGuide.txt
├── README
├── README.md
├── afl-analyze
├── afl-as
├── afl-clang
├── afl-clang++
├── afl-cmin
├── afl-fuzz
├── afl-g++
├── afl-gcc
├── afl-gotcpu
├── afl-plot
├── afl-showmap
├── afl-tmin
├── afl-whatsup
├── as
├── dictionaries
    ├── README.dictionaries
    ├── gif.dict
    ├── html_tags.dict
    ├── jpeg.dict
    ├── js.dict
    ├── json.dict
    ├── pdf.dict
    ├── png.dict
    ├── sql.dict
    ├── tiff.dict
    ├── webp.dict
    └── xml.dict
├── docs
    ├── COPYING
    ├── ChangeLog
    ├── INSTALL
    ├── QuickStartGuide.txt
    ├── README
    ├── env_variables.txt
    ├── historical_notes.txt
    ├── life_pro_tips.txt
    ├── notes_for_asan.txt
    ├── parallel_fuzzing.txt
    ├── perf_tips.txt
    ├── sister_projects.txt
    ├── status_screen.txt
    ├── technical_details.txt
    ├── visualization
    │   └── afl_gzip.png
    └── vuln_samples
    │   ├── bash-cmd-exec.var
    │   ├── bash-uninit-mem.var
    │   ├── ffmpeg-h264-bad-ptr-800m.mp4
    │   ├── ffmpeg-h264-bad-read.mp4
    │   ├── ffmpeg-h264-call-stack-overflow.mp4
    │   ├── file-fpu-exception.elf
    │   ├── firefox-bmp-leak.bmp
    │   ├── firefox-chrome-leak.jpg
    │   ├── firefox-gif-leak.gif
    │   ├── firefox-gif-leak2.gif
    │   ├── jxrlib-crash.jxr
    │   ├── jxrlib-crash2.jxr
    │   ├── jxrlib-crash3.jxr
    │   ├── jxrlib-crash4.jxr
    │   ├── lesspipe-cpio-bad-write.cpio
    │   ├── libjpeg-sos-leak.jpg
    │   ├── libjpeg-turbo-dht-leak.jpg
    │   ├── libtiff-bad-write.tif
    │   ├── libtiff-uninit-mem.tif
    │   ├── libtiff-uninit-mem2.tif
    │   ├── libtiff-uninit-mem3.tif
    │   ├── libtiff-uninit-mem4.tif
    │   ├── libxml2-bad-read.xml
    │   ├── msie-dht-leak.jpg
    │   ├── msie-jxr-mem-leak.jxr
    │   ├── msie-png-mem-leak.png
    │   ├── msie-tiff-mem-leak.tif
    │   ├── msie-zlib-dos.png
    │   ├── openssl-null-ptr.der
    │   ├── openssl-null-ptr2.der
    │   ├── photoshop-mem-leak.jpg
    │   ├── sqlite-bad-free.sql
    │   ├── sqlite-bad-ptr.sql
    │   ├── sqlite-bad-ptr2.sql
    │   ├── sqlite-bad-ptr3.sql
    │   ├── sqlite-heap-overflow.sql
    │   ├── sqlite-heap-overwrite.sql
    │   ├── sqlite-negative-memset.sql
    │   ├── sqlite-null-ptr1.sql
    │   ├── sqlite-null-ptr10.sql
    │   ├── sqlite-null-ptr11.sql
    │   ├── sqlite-null-ptr12.sql
    │   ├── sqlite-null-ptr13.sql
    │   ├── sqlite-null-ptr14.sql
    │   ├── sqlite-null-ptr15.sql
    │   ├── sqlite-null-ptr2.sql
    │   ├── sqlite-null-ptr3.sql
    │   ├── sqlite-null-ptr4.sql
    │   ├── sqlite-null-ptr5.sql
    │   ├── sqlite-null-ptr6.sql
    │   ├── sqlite-null-ptr7.sql
    │   ├── sqlite-null-ptr8.sql
    │   ├── sqlite-null-ptr9.sql
    │   ├── sqlite-oob-read.sql
    │   ├── sqlite-oob-write.sql
    │   ├── sqlite-stack-buf-overflow.sql
    │   ├── sqlite-stack-exhaustion.sql
    │   ├── sqlite-unint-mem.sql
    │   ├── sqlite-use-after-free.sql
    │   ├── strings-bfd-badptr.elf
    │   ├── strings-bfd-badptr2.elf
    │   ├── strings-stack-overflow
    │   ├── strings-unchecked-ctr.elf
    │   ├── tcpdump-arp-crash.pcap
    │   ├── tcpdump-ppp-crash.pcap
    │   ├── unrtf-arbitrary-read.rtf
    │   └── unzip-t-mem-corruption.zip
├── experimental
    ├── README.experiments
    ├── argv_fuzzing
    │   └── argv-fuzz-inl.h
    ├── asan_cgroups
    │   └── limit_memory.sh
    ├── bash_shellshock
    │   └── shellshock-fuzz.diff
    ├── canvas_harness
    │   └── canvas_harness.html
    ├── clang_asm_normalize
    │   └── as
    ├── crash_triage
    │   └── triage_crashes.sh
    ├── distributed_fuzzing
    │   └── sync_script.sh
    ├── libpng_no_checksum
    │   └── libpng-nocrc.patch
    ├── persistent_demo
    │   └── persistent_demo.c
    └── post_library
    │   ├── post_library.so.c
    │   └── post_library_png.so.c
├── img
    ├── beta.png
    ├── beta_pcre2.png
    ├── branches.png
    ├── crashes.png
    ├── e_component.png
    ├── f1.png
    ├── gamma.png
    ├── gamma_pcre2.png
    ├── paths.png
    ├── pcre2.png
    └── seed_generation.png
├── libdislocator
    ├── Makefile
    ├── README.dislocator
    └── libdislocator.so.c
├── libtokencap
    ├── Makefile
    ├── README.tokencap
    └── libtokencap.so.c
├── llvm_mode
    ├── Makefile
    ├── README.llvm
    ├── afl-clang-fast.c
    ├── afl-llvm-pass.so.cc
    └── afl-llvm-rt.o.c
├── qemu_mode
    ├── README.qemu
    ├── build_qemu_support.sh
    └── patches
    │   ├── afl-qemu-cpu-inl.h
    │   ├── cpu-exec.diff
    │   ├── elfload.diff
    │   ├── syscall.diff
    │   └── translate-all.diff
├── seed_generation
    ├── README.md
    ├── install
    └── src
    │   ├── date-build
    │   ├── date-configure
    │   ├── date-fuzz
    │   ├── date-link
    │   ├── date-prepare
    │   ├── date-test-gen
    │   ├── debug-args
    │   ├── lib-common
    │   ├── lib-dyn
    │   └── lib-sym
└── testcases
    ├── README.testcases
    ├── archives
        ├── common
        │   ├── ar
        │   │   └── small_archive.a
        │   ├── bzip2
        │   │   └── small_archive.bz2
        │   ├── cab
        │   │   └── small_archive.cab
        │   ├── compress
        │   │   └── small_archive.Z
        │   ├── cpio
        │   │   └── small_archive.cpio
        │   ├── gzip
        │   │   └── small_archive.gz
        │   ├── lzo
        │   │   └── small_archive.lzo
        │   ├── rar
        │   │   └── small_archive.rar
        │   ├── tar
        │   │   └── small_archive.tar
        │   ├── xz
        │   │   └── small_archive.xz
        │   └── zip
        │   │   └── small_archive.zip
        └── exotic
        │   ├── arj
        │       └── small_archive.arj
        │   ├── lha
        │       └── small_archive.lha
        │   ├── lrzip
        │       └── small_archive.lrz
        │   ├── lzip
        │       └── small_archive.lz
        │   ├── lzma
        │       └── small_archive.lzma
        │   ├── rzip
        │       └── small_archive.rz
        │   └── zoo
        │       └── small_archive.zoo
    ├── images
        ├── bmp
        │   └── not_kitty.bmp
        ├── gif
        │   └── not_kitty.gif
        ├── ico
        │   └── not_kitty.ico
        ├── jp2
        │   └── not_kitty.jp2
        ├── jpeg
        │   └── not_kitty.jpg
        ├── jxr
        │   └── not_kitty.jxr
        ├── png
        │   ├── not_kitty.png
        │   ├── not_kitty_alpha.png
        │   ├── not_kitty_gamma.png
        │   └── not_kitty_icc.png
        ├── tiff
        │   └── not_kitty.tiff
        └── webp
        │   └── not_kitty.webp
    ├── multimedia
        └── h264
        │   └── small_movie.mp4
    └── others
        ├── elf
            └── small_exec.elf
        ├── js
            └── small_script.js
        ├── pcap
            └── small_capture.pcap
        ├── pdf
            └── small.pdf
        ├── rtf
            └── small_document.rtf
        ├── sql
            └── simple_queries.sql
        ├── text
            └── hello_world.txt
        └── xml
            └── small_document.xml


/QuickStartGuide.txt:
--------------------------------------------------------------------------------
1 | docs/QuickStartGuide.txt


--------------------------------------------------------------------------------
/README:
--------------------------------------------------------------------------------
1 | docs/README


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | # DeepFuzzer
 4 | 
 5 | ## Summary
 6 | 
 7 | DeepFuzzer is a fuzzer which combines qualified seed generation, balanced seed selection, hybrid seed mutation and automatic fuzzing environment configuration.
 8 | 
 9 | DeepFuzzer is an extension of AFL which is written and maintained by Michal Zalewski <[lcamtuf@google.com](mailto:lcamtuf@google.com)>, so its basic usage is like AFL, which can be found in http://lcamtuf.coredump.cx/afl/.  
10 | 
11 | To generate high-quality seeds, please use the tool in seed_generation directory. Besides that, if you want to open the balanced seed selection, please add the -F option. And you can also use –D option to open the hybrid seed mutation. We also supply the –P option  to open power schedule, this is another optimization for AFL to calculate the mutation times of a seed. These functions are closed in default, and you can combine them as you like. We believe that in most cases, opening all of them  is the best option. 
12 | 
13 | 
14 | 
15 | ## Some intermediate results
16 | 
17 | **Number of seeds generated over time and the corresponding number of paths executed for fuzzing pcre2.**
18 | 
19 | ![1575944719701](img/seed_generation.png)
20 | 
21 | Let xi be the hit count of the rarest branch for the seed si, n be the number of branches.  gamma is a constant, which diminishes the skip probability equally to increase efficiency. The optimized fair skip probability for seed si is:
22 | 
23 | ![1575946689963](img/gamma_pcre2.png)
24 | 
25 | **The number of paths and branches for fuzzing pcre2 when gamma is assigned different values.**
26 | 
27 | ![1575944923285](img/gamma.png)
28 | 
29 | Let s denote the selected seed that needs to be mutated next, p(s) denote the energy of s , and p AFL (s) denote the original energy calculated by AFL. Given the number of times c(s) which s has previously been chosen from the queue S and the hit number h(s) of the rarest branch covered by s , DeepFuzzer computes p(s) as
30 | 
31 | ![1575946735925](img/beta_pcre2.png)
32 | 
33 | **The number of paths and branches for fuzzing pcre2 when beta is assigned different values.**
34 | 
35 | ![1575945038726](img/beta.png)
36 | 
37 | **Influence of each component**
38 | 
39 | ![1575946935987](img/e_component.png)
40 | 
41 | **Evaluation on ten programs of Google fuzzer-test-suite for 24 hours with one core**
42 | 
43 | ![1575944393258](img/paths.png)
44 | 
45 | ![1575944420346](img/branches.png)
46 | 
47 | ![1575944447180](img/crashes.png)
48 | 
49 | **Performance for different fuzzers on fuzzing pcre2 24 hours with one core**
50 | 
51 | ![1575944566536](img/pcre2.png)


--------------------------------------------------------------------------------
/afl-analyze:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/afl-analyze


--------------------------------------------------------------------------------
/afl-as:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/afl-as


--------------------------------------------------------------------------------
/afl-clang:
--------------------------------------------------------------------------------
1 | afl-gcc


--------------------------------------------------------------------------------
/afl-clang++:
--------------------------------------------------------------------------------
1 | afl-gcc


--------------------------------------------------------------------------------
/afl-fuzz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/afl-fuzz


--------------------------------------------------------------------------------
/afl-g++:
--------------------------------------------------------------------------------
1 | afl-gcc


--------------------------------------------------------------------------------
/afl-gcc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/afl-gcc


--------------------------------------------------------------------------------
/afl-gotcpu:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/afl-gotcpu


--------------------------------------------------------------------------------
/afl-plot:
--------------------------------------------------------------------------------
  1 | #!/bin/sh
  2 | #
  3 | # american fuzzy lop - Advanced Persistent Graphing
  4 | # -------------------------------------------------
  5 | #
  6 | # Written and maintained by Michal Zalewski <lcamtuf@google.com>
  7 | # Based on a design & prototype by Michael Rash.
  8 | #
  9 | # Copyright 2014, 2015 Google Inc. All rights reserved.
 10 | #
 11 | # Licensed under the Apache License, Version 2.0 (the "License");
 12 | # you may not use this file except in compliance with the License.
 13 | # You may obtain a copy of the License at:
 14 | #
 15 | #   http://www.apache.org/licenses/LICENSE-2.0
 16 | #
 17 | 
 18 | echo "progress plotting utility for afl-fuzz by <lcamtuf@google.com>"
 19 | echo
 20 | 
 21 | if [ ! "$#" = "2" ]; then
 22 | 
 23 |   cat 1>&2 <<_EOF_
 24 | This program generates gnuplot images from afl-fuzz output data. Usage:
 25 | 
 26 | $0 afl_state_dir graph_output_dir
 27 | 
 28 | The afl_state_dir parameter should point to an existing state directory for any
 29 | active or stopped instance of afl-fuzz; while graph_output_dir should point to
 30 | an empty directory where this tool can write the resulting plots to.
 31 | 
 32 | The program will put index.html and three PNG images in the output directory;
 33 | you should be able to view it with any web browser of your choice.
 34 | 
 35 | _EOF_
 36 | 
 37 |   exit 1
 38 | 
 39 | fi
 40 | 
 41 | if [ "$AFL_ALLOW_TMP" = "" ]; then
 42 | 
 43 |   echo "$1" | grep -qE '^(/var)?/tmp/'
 44 |   T1="$?"
 45 | 
 46 |   echo "$2" | grep -qE '^(/var)?/tmp/'
 47 |   T2="$?"
 48 | 
 49 |   if [ "$T1" = "0" -o "$T2" = "0" ]; then
 50 | 
 51 |     echo "[-] Error: this script shouldn't be used with shared /tmp directories." 1>&2
 52 |     exit 1
 53 | 
 54 |   fi
 55 | 
 56 | fi
 57 | 
 58 | if [ ! -f "$1/plot_data" ]; then
 59 | 
 60 |   echo "[-] Error: input directory is not valid (missing 'plot_data')." 1>&2
 61 |   exit 1
 62 | 
 63 | fi
 64 | 
 65 | BANNER="`cat "$1/fuzzer_stats" | grep '^afl_banner ' | cut -d: -f2- | cut -b2-`"
 66 | 
 67 | test "$BANNER" = "" && BANNER="(none)"
 68 | 
 69 | GNUPLOT=`which gnuplot 2>/dev/null`
 70 | 
 71 | if [ "$GNUPLOT" = "" ]; then
 72 | 
 73 |   echo "[-] Error: can't find 'gnuplot' in your \$PATH." 1>&2
 74 |   exit 1
 75 | 
 76 | fi
 77 | 
 78 | mkdir "$2" 2>/dev/null
 79 | 
 80 | if [ ! -d "$2" ]; then
 81 | 
 82 |   echo "[-] Error: unable to create the output directory - pick another location." 1>&2
 83 |   exit 1
 84 | 
 85 | fi
 86 | 
 87 | rm -f "$2/high_freq.png" "$2/low_freq.png" "$2/exec_speed.png"
 88 | mv -f "$2/index.html" "$2/index.html.orig" 2>/dev/null
 89 | 
 90 | echo "[*] Generating plots..."
 91 | 
 92 | (
 93 | 
 94 | cat <<_EOF_
 95 | set terminal png truecolor enhanced size 1000,300 butt
 96 | 
 97 | set output '$2/high_freq.png'
 98 | 
 99 | set xdata time
100 | set timefmt '%s'
101 | set format x "%b %d\n%H:%M"
102 | set tics font 'small'
103 | unset mxtics
104 | unset mytics
105 | 
106 | set grid xtics linetype 0 linecolor rgb '#e0e0e0'
107 | set grid ytics linetype 0 linecolor rgb '#e0e0e0'
108 | set border linecolor rgb '#50c0f0'
109 | set tics textcolor rgb '#000000'
110 | set key outside
111 | 
112 | set autoscale xfixmin
113 | set autoscale xfixmax
114 | 
115 | plot '$1/plot_data' using 1:4 with filledcurve x1 title 'total paths' linecolor rgb '#000000' fillstyle transparent solid 0.2 noborder, \\
116 |      '' using 1:3 with filledcurve x1 title 'current path' linecolor rgb '#f0f0f0' fillstyle transparent solid 0.5 noborder, \\
117 |      '' using 1:5 with lines title 'pending paths' linecolor rgb '#0090ff' linewidth 3, \\
118 |      '' using 1:6 with lines title 'pending favs' linecolor rgb '#c00080' linewidth 3, \\
119 |      '' using 1:2 with lines title 'cycles done' linecolor rgb '#c000f0' linewidth 3
120 | 
121 | set terminal png truecolor enhanced size 1000,200 butt
122 | set output '$2/low_freq.png'
123 | 
124 | plot '$1/plot_data' using 1:8 with filledcurve x1 title '' linecolor rgb '#c00080' fillstyle transparent solid 0.2 noborder, \\
125 |      '' using 1:8 with lines title ' uniq crashes' linecolor rgb '#c00080' linewidth 3, \\
126 |      '' using 1:9 with lines title 'uniq hangs' linecolor rgb '#c000f0' linewidth 3, \\
127 |      '' using 1:10 with lines title 'levels' linecolor rgb '#0090ff' linewidth 3
128 | 
129 | set terminal png truecolor enhanced size 1000,200 butt
130 | set output '$2/exec_speed.png'
131 | 
132 | plot '$1/plot_data' using 1:11 with filledcurve x1 title '' linecolor rgb '#0090ff' fillstyle transparent solid 0.2 noborder, \\
133 |      '$1/plot_data' using 1:11 with lines title '    execs/sec' linecolor rgb '#0090ff' linewidth 3 smooth bezier;
134 | 
135 | _EOF_
136 | 
137 | ) | gnuplot 
138 | 
139 | if [ ! -s "$2/exec_speed.png" ]; then
140 | 
141 |   echo "[-] Error: something went wrong! Perhaps you have an ancient version of gnuplot?" 1>&2
142 |   exit 1
143 | 
144 | fi
145 | 
146 | echo "[*] Generating index.html..."
147 | 
148 | cat >"$2/index.html" <<_EOF_
149 | <table style="font-family: 'Trebuchet MS', 'Tahoma', 'Arial', 'Helvetica'">
150 | <tr><td style="width: 18ex"><b>Banner:</b></td><td>$BANNER</td></tr>
151 | <tr><td><b>Directory:</b></td><td>$1</td></tr>
152 | <tr><td><b>Generated on:</b></td><td>`date`</td></tr>
153 | </table>
154 | <p>
155 | <img src="high_freq.png" width=1000 height=300><p>
156 | <img src="low_freq.png" width=1000 height=200><p>
157 | <img src="exec_speed.png" width=1000 height=200>
158 | 
159 | _EOF_
160 | 
161 | # Make it easy to remotely view results when outputting directly to a directory
162 | # served by Apache or other HTTP daemon. Since the plots aren't horribly
163 | # sensitive, this seems like a reasonable trade-off.
164 | 
165 | chmod 755 "$2"
166 | chmod 644 "$2/high_freq.png" "$2/low_freq.png" "$2/exec_speed.png" "$2/index.html"
167 | 
168 | echo "[+] All done - enjoy your charts!"
169 | 
170 | exit 0
171 | 


--------------------------------------------------------------------------------
/afl-showmap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/afl-showmap


--------------------------------------------------------------------------------
/afl-tmin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/afl-tmin


--------------------------------------------------------------------------------
/afl-whatsup:
--------------------------------------------------------------------------------
  1 | #!/bin/sh
  2 | #
  3 | # american fuzzy lop - status check tool
  4 | # --------------------------------------
  5 | #
  6 | # Written and maintained by Michal Zalewski <lcamtuf@google.com>
  7 | #
  8 | # Copyright 2015 Google Inc. All rights reserved.
  9 | #
 10 | # Licensed under the Apache License, Version 2.0 (the "License");
 11 | # you may not use this file except in compliance with the License.
 12 | # You may obtain a copy of the License at:
 13 | #
 14 | #   http://www.apache.org/licenses/LICENSE-2.0
 15 | #
 16 | # This tool summarizes the status of any locally-running synchronized
 17 | # instances of afl-fuzz.
 18 | #
 19 | 
 20 | echo "status check tool for afl-fuzz by <lcamtuf@google.com>"
 21 | echo
 22 | 
 23 | if [ "$1" = "-s" ]; then
 24 | 
 25 |   SUMMARY_ONLY=1
 26 |   DIR="$2"
 27 | 
 28 | else
 29 | 
 30 |   unset SUMMARY_ONLY
 31 |   DIR="$1"
 32 | 
 33 | fi
 34 | 
 35 | if [ "$DIR" = "" ]; then
 36 | 
 37 |   echo "Usage: $0 [ -s ] afl_sync_dir" 1>&2
 38 |   echo 1>&2
 39 |   echo "The -s option causes the tool to skip all the per-fuzzer trivia and show" 1>&2
 40 |   echo "just the summary results. See docs/parallel_fuzzing.txt for additional tips." 1>&2
 41 |   echo 1>&2
 42 |   exit 1
 43 | 
 44 | fi
 45 | 
 46 | cd "$DIR" || exit 1
 47 | 
 48 | if [ -d queue ]; then
 49 | 
 50 |   echo "[-] Error: parameter is an individual output directory, not a sync dir." 1>&2
 51 |   exit 1
 52 | 
 53 | fi
 54 | 
 55 | CUR_TIME=`date +%s`
 56 | 
 57 | TMP=`mktemp -t .afl-whatsup-XXXXXXXX` || exit 1
 58 | 
 59 | ALIVE_CNT=0
 60 | DEAD_CNT=0
 61 | 
 62 | TOTAL_TIME=0
 63 | TOTAL_EXECS=0
 64 | TOTAL_EPS=0
 65 | TOTAL_CRASHES=0
 66 | TOTAL_PFAV=0
 67 | TOTAL_PENDING=0
 68 | 
 69 | if [ "$SUMMARY_ONLY" = "" ]; then
 70 | 
 71 |   echo "Individual fuzzers"
 72 |   echo "=================="
 73 |   echo
 74 | 
 75 | fi
 76 | 
 77 | for i in `find . -maxdepth 2 -iname fuzzer_stats | sort`; do
 78 | 
 79 |   sed 's/^command_line.*$/_skip:1/;s/[ ]*:[ ]*/="/;s/$/"/' "$i" >"$TMP"
 80 |   . "$TMP"
 81 | 
 82 |   RUN_UNIX=$((CUR_TIME - start_time))
 83 |   RUN_DAYS=$((RUN_UNIX / 60 / 60 / 24))
 84 |   RUN_HRS=$(((RUN_UNIX / 60 / 60) % 24))
 85 | 
 86 |   if [ "$SUMMARY_ONLY" = "" ]; then
 87 | 
 88 |     echo ">>> $afl_banner ($RUN_DAYS days, $RUN_HRS hrs) <<<"
 89 |     echo
 90 | 
 91 |   fi
 92 | 
 93 |   if ! kill -0 "$fuzzer_pid" 2>/dev/null; then
 94 | 
 95 |     if [ "$SUMMARY_ONLY" = "" ]; then
 96 | 
 97 |       echo "  Instance is dead or running remotely, skipping."
 98 |       echo
 99 | 
100 |     fi
101 | 
102 |     DEAD_CNT=$((DEAD_CNT + 1))
103 |     continue
104 | 
105 |   fi
106 | 
107 |   ALIVE_CNT=$((ALIVE_CNT + 1))
108 | 
109 |   EXEC_SEC=$((execs_done / RUN_UNIX))
110 |   PATH_PERC=$((cur_path * 100 / paths_total))
111 | 
112 |   TOTAL_TIME=$((TOTAL_TIME + RUN_UNIX))
113 |   TOTAL_EPS=$((TOTAL_EPS + EXEC_SEC))
114 |   TOTAL_EXECS=$((TOTAL_EXECS + execs_done))
115 |   TOTAL_CRASHES=$((TOTAL_CRASHES + unique_crashes))
116 |   TOTAL_PENDING=$((TOTAL_PENDING + pending_total))
117 |   TOTAL_PFAV=$((TOTAL_PFAV + pending_favs))
118 | 
119 |   if [ "$SUMMARY_ONLY" = "" ]; then
120 | 
121 |     echo "  cycle $((cycles_done + 1)), lifetime speed $EXEC_SEC execs/sec, path $cur_path/$paths_total (${PATH_PERC}%)"
122 | 
123 |     if [ "$unique_crashes" = "0" ]; then
124 |       echo "  pending $pending_favs/$pending_total, coverage $bitmap_cvg, no crashes yet"
125 |     else
126 |       echo "  pending $pending_favs/$pending_total, coverage $bitmap_cvg, crash count $unique_crashes (!)"
127 |     fi
128 | 
129 |     echo
130 | 
131 |   fi
132 | 
133 | done
134 | 
135 | rm -f "$TMP"
136 | 
137 | TOTAL_DAYS=$((TOTAL_TIME / 60 / 60 / 24))
138 | TOTAL_HRS=$(((TOTAL_TIME / 60 / 60) % 24))
139 | 
140 | test "$TOTAL_TIME" = "0" && TOTAL_TIME=1
141 | 
142 | echo "Summary stats"
143 | echo "============="
144 | echo
145 | echo "       Fuzzers alive : $ALIVE_CNT"
146 | 
147 | if [ ! "$DEAD_CNT" = "0" ]; then
148 |   echo "      Dead or remote : $DEAD_CNT (excluded from stats)"
149 | fi
150 | 
151 | echo "      Total run time : $TOTAL_DAYS days, $TOTAL_HRS hours"
152 | echo "         Total execs : $((TOTAL_EXECS / 1000 / 1000)) million"
153 | echo "    Cumulative speed : $TOTAL_EPS execs/sec"
154 | echo "       Pending paths : $TOTAL_PFAV faves, $TOTAL_PENDING total"
155 | 
156 | if [ "$ALIVE_CNT" -gt "1" ]; then
157 |   echo "  Pending per fuzzer : $((TOTAL_PFAV/ALIVE_CNT)) faves, $((TOTAL_PENDING/ALIVE_CNT)) total (on average)"
158 | fi
159 | 
160 | echo "       Crashes found : $TOTAL_CRASHES locally unique"
161 | echo
162 | 
163 | exit 0
164 | 


--------------------------------------------------------------------------------
/as:
--------------------------------------------------------------------------------
1 | afl-as


--------------------------------------------------------------------------------
/dictionaries/README.dictionaries:
--------------------------------------------------------------------------------
 1 | ================
 2 | AFL dictionaries
 3 | ================
 4 | 
 5 |   (See ../docs/README for the general instruction manual.)
 6 | 
 7 | This subdirectory contains a set of dictionaries that can be used in
 8 | conjunction with the -x option to allow the fuzzer to effortlessly explore the
 9 | grammar of some of the more verbose data formats or languages. The basic
10 | principle behind the operation of fuzzer dictionaries is outlined in section 9
11 | of the "main" README for the project.
12 | 
13 | Custom dictionaries can be added at will. They should consist of a
14 | reasonably-sized set of rudimentary syntax units that the fuzzer will then try
15 | to clobber together in various ways. Snippets between 2 and 16 bytes are usually
16 | the sweet spot.
17 | 
18 | Custom dictionaries can be created in two ways:
19 | 
20 |   - By creating a new directory and placing each token in a separate file, in
21 |     which case, there is no need to escape or otherwise format the data.
22 | 
23 |   - By creating a flat text file where tokens are listed one per line in the
24 |     format of name="value". The alphanumeric name is ignored and can be omitted,
25 |     although it is a convenient way to document the meaning of a particular
26 |     token. The value must appear in quotes, with hex escaping (\xNN) applied to
27 |     all non-printable, high-bit, or otherwise problematic characters (\\ and \"
28 |     shorthands are recognized, too).
29 | 
30 | The fuzzer auto-selects the appropriate mode depending on whether the -x
31 | parameter is a file or a directory.
32 | 
33 | In the file mode, every name field can be optionally followed by @<num>, e.g.:
34 | 
35 |   keyword_foo@1 = "foo"
36 | 
37 | Such entries will be loaded only if the requested dictionary level is equal or
38 | higher than this number. The default level is zero; a higher value can be set
39 | by appending @<num> to the dictionary file name, like so:
40 | 
41 |   -x path/to/dictionary.dct@2
42 | 
43 | Good examples of dictionaries can be found in xml.dict and png.dict.
44 | 


--------------------------------------------------------------------------------
/dictionaries/gif.dict:
--------------------------------------------------------------------------------
 1 | #
 2 | # AFL dictionary for GIF images
 3 | # -----------------------------
 4 | #
 5 | # Created by Michal Zalewski <lcamtuf@google.com>
 6 | #
 7 | 
 8 | header_87a="87a"
 9 | header_89a="89a"
10 | header_gif="GIF"
11 | 
12 | marker_2c=","
13 | marker_3b=";"
14 | 
15 | section_2101="!\x01\x12"
16 | section_21f9="!\xf9\x04"
17 | section_21fe="!\xfe"
18 | section_21ff="!\xff\x11"
19 | 


--------------------------------------------------------------------------------
/dictionaries/html_tags.dict:
--------------------------------------------------------------------------------
  1 | #
  2 | # AFL dictionary for HTML parsers (tags only)
  3 | # -------------------------------------------
  4 | #
  5 | # A basic collection of HTML tags likely to matter to HTML parsers. Does *not*
  6 | # include any attributes or attribute values.
  7 | #
  8 | # Created by Michal Zalewski <lcamtuf@google.com>
  9 | #
 10 | 
 11 | tag_a="<a>"
 12 | tag_abbr="<abbr>"
 13 | tag_acronym="<acronym>"
 14 | tag_address="<address>"
 15 | tag_annotation_xml="<annotation-xml>"
 16 | tag_applet="<applet>"
 17 | tag_area="<area>"
 18 | tag_article="<article>"
 19 | tag_aside="<aside>"
 20 | tag_audio="<audio>"
 21 | tag_b="<b>"
 22 | tag_base="<base>"
 23 | tag_basefont="<basefont>"
 24 | tag_bdi="<bdi>"
 25 | tag_bdo="<bdo>"
 26 | tag_bgsound="<bgsound>"
 27 | tag_big="<big>"
 28 | tag_blink="<blink>"
 29 | tag_blockquote="<blockquote>"
 30 | tag_body="<body>"
 31 | tag_br="<br>"
 32 | tag_button="<button>"
 33 | tag_canvas="<canvas>"
 34 | tag_caption="<caption>"
 35 | tag_center="<center>"
 36 | tag_cite="<cite>"
 37 | tag_code="<code>"
 38 | tag_col="<col>"
 39 | tag_colgroup="<colgroup>"
 40 | tag_data="<data>"
 41 | tag_datalist="<datalist>"
 42 | tag_dd="<dd>"
 43 | tag_del="<del>"
 44 | tag_desc="<desc>"
 45 | tag_details="<details>"
 46 | tag_dfn="<dfn>"
 47 | tag_dir="<dir>"
 48 | tag_div="<div>"
 49 | tag_dl="<dl>"
 50 | tag_dt="<dt>"
 51 | tag_em="<em>"
 52 | tag_embed="<embed>"
 53 | tag_fieldset="<fieldset>"
 54 | tag_figcaption="<figcaption>"
 55 | tag_figure="<figure>"
 56 | tag_font="<font>"
 57 | tag_footer="<footer>"
 58 | tag_foreignobject="<foreignobject>"
 59 | tag_form="<form>"
 60 | tag_frame="<frame>"
 61 | tag_frameset="<frameset>"
 62 | tag_h1="<h1>"
 63 | tag_h2="<h2>"
 64 | tag_h3="<h3>"
 65 | tag_h4="<h4>"
 66 | tag_h5="<h5>"
 67 | tag_h6="<h6>"
 68 | tag_head="<head>"
 69 | tag_header="<header>"
 70 | tag_hgroup="<hgroup>"
 71 | tag_hr="<hr>"
 72 | tag_html="<html>"
 73 | tag_i="<i>"
 74 | tag_iframe="<iframe>"
 75 | tag_image="<image>"
 76 | tag_img="<img>"
 77 | tag_input="<input>"
 78 | tag_ins="<ins>"
 79 | tag_isindex="<isindex>"
 80 | tag_kbd="<kbd>"
 81 | tag_keygen="<keygen>"
 82 | tag_label="<label>"
 83 | tag_legend="<legend>"
 84 | tag_li="<li>"
 85 | tag_link="<link>"
 86 | tag_listing="<listing>"
 87 | tag_main="<main>"
 88 | tag_malignmark="<malignmark>"
 89 | tag_map="<map>"
 90 | tag_mark="<mark>"
 91 | tag_marquee="<marquee>"
 92 | tag_math="<math>"
 93 | tag_menu="<menu>"
 94 | tag_menuitem="<menuitem>"
 95 | tag_meta="<meta>"
 96 | tag_meter="<meter>"
 97 | tag_mglyph="<mglyph>"
 98 | tag_mi="<mi>"
 99 | tag_mn="<mn>"
100 | tag_mo="<mo>"
101 | tag_ms="<ms>"
102 | tag_mtext="<mtext>"
103 | tag_multicol="<multicol>"
104 | tag_nav="<nav>"
105 | tag_nextid="<nextid>"
106 | tag_nobr="<nobr>"
107 | tag_noembed="<noembed>"
108 | tag_noframes="<noframes>"
109 | tag_noscript="<noscript>"
110 | tag_object="<object>"
111 | tag_ol="<ol>"
112 | tag_optgroup="<optgroup>"
113 | tag_option="<option>"
114 | tag_output="<output>"
115 | tag_p="<p>"
116 | tag_param="<param>"
117 | tag_plaintext="<plaintext>"
118 | tag_pre="<pre>"
119 | tag_progress="<progress>"
120 | tag_q="<q>"
121 | tag_rb="<rb>"
122 | tag_rp="<rp>"
123 | tag_rt="<rt>"
124 | tag_rtc="<rtc>"
125 | tag_ruby="<ruby>"
126 | tag_s="<s>"
127 | tag_samp="<samp>"
128 | tag_script="<script>"
129 | tag_section="<section>"
130 | tag_select="<select>"
131 | tag_small="<small>"
132 | tag_source="<source>"
133 | tag_spacer="<spacer>"
134 | tag_span="<span>"
135 | tag_strike="<strike>"
136 | tag_strong="<strong>"
137 | tag_style="<style>"
138 | tag_sub="<sub>"
139 | tag_summary="<summary>"
140 | tag_sup="<sup>"
141 | tag_svg="<svg>"
142 | tag_table="<table>"
143 | tag_tbody="<tbody>"
144 | tag_td="<td>"
145 | tag_template="<template>"
146 | tag_textarea="<textarea>"
147 | tag_tfoot="<tfoot>"
148 | tag_th="<th>"
149 | tag_thead="<thead>"
150 | tag_time="<time>"
151 | tag_title="<title>"
152 | tag_tr="<tr>"
153 | tag_track="<track>"
154 | tag_tt="<tt>"
155 | tag_u="<u>"
156 | tag_ul="<ul>"
157 | tag_var="<var>"
158 | tag_video="<video>"
159 | tag_wbr="<wbr>"
160 | tag_xmp="<xmp>"
161 | 


--------------------------------------------------------------------------------
/dictionaries/jpeg.dict:
--------------------------------------------------------------------------------
 1 | #
 2 | # AFL dictionary for JPEG images
 3 | # ------------------------------
 4 | #
 5 | # Created by Michal Zalewski <lcamtuf@google.com>
 6 | #
 7 | 
 8 | header_jfif="JFIF\x00"
 9 | header_jfxx="JFXX\x00"
10 | 
11 | section_ffc0="\xff\xc0"
12 | section_ffc2="\xff\xc2"
13 | section_ffc4="\xff\xc4"
14 | section_ffd0="\xff\xd0"
15 | section_ffd8="\xff\xd8"
16 | section_ffd9="\xff\xd9"
17 | section_ffda="\xff\xda"
18 | section_ffdb="\xff\xdb"
19 | section_ffdd="\xff\xdd"
20 | section_ffe0="\xff\xe0"
21 | section_ffe1="\xff\xe1"
22 | section_fffe="\xff\xfe"
23 | 


--------------------------------------------------------------------------------
/dictionaries/js.dict:
--------------------------------------------------------------------------------
  1 | #
  2 | # AFL dictionary for JavaScript
  3 | # -----------------------------
  4 | #
  5 | # Contains basic reserved keywords and syntax building blocks.
  6 | #
  7 | # Created by Michal Zalewski <lcamtuf@google.com>
  8 | #
  9 | 
 10 | keyword_arguments="arguments"
 11 | keyword_break="break"
 12 | keyword_case="case"
 13 | keyword_catch="catch"
 14 | keyword_const="const"
 15 | keyword_continue="continue"
 16 | keyword_debugger="debugger"
 17 | keyword_decodeURI="decodeURI"
 18 | keyword_default="default"
 19 | keyword_delete="delete"
 20 | keyword_do="do"
 21 | keyword_else="else"
 22 | keyword_escape="escape"
 23 | keyword_eval="eval"
 24 | keyword_export="export"
 25 | keyword_finally="finally"
 26 | keyword_for="for (a=0;a<2;a++)"
 27 | keyword_function="function"
 28 | keyword_if="if"
 29 | keyword_in="in"
 30 | keyword_instanceof="instanceof"
 31 | keyword_isNaN="isNaN"
 32 | keyword_let="let"
 33 | keyword_new="new"
 34 | keyword_parseInt="parseInt"
 35 | keyword_return="return"
 36 | keyword_switch="switch"
 37 | keyword_this="this"
 38 | keyword_throw="throw"
 39 | keyword_try="try"
 40 | keyword_typeof="typeof"
 41 | keyword_var="var"
 42 | keyword_void="void"
 43 | keyword_while="while"
 44 | keyword_with="with"
 45 | 
 46 | misc_1=" 1"
 47 | misc_a="a"
 48 | misc_array=" [1]"
 49 | misc_assign=" a=1"
 50 | misc_code_block=" {1}"
 51 | misc_colon_num=" 1:"
 52 | misc_colon_string=" 'a':"
 53 | misc_comma=" ,"
 54 | misc_comment_block=" /* */"
 55 | misc_comment_line=" //"
 56 | misc_cond=" 1?2:3"
 57 | misc_dec=" --"
 58 | misc_div=" /"
 59 | misc_equals=" ="
 60 | misc_fn=" a()"
 61 | misc_identical=" ==="
 62 | misc_inc=" ++"
 63 | misc_minus=" -"
 64 | misc_modulo=" %"
 65 | misc_parentheses=" ()"
 66 | misc_parentheses_1=" (1)"
 67 | misc_parentheses_1x4=" (1,1,1,1)"
 68 | misc_parentheses_a=" (a)"
 69 | misc_period="."
 70 | misc_plus=" +"
 71 | misc_plus_assign=" +="
 72 | misc_regex=" /a/g"
 73 | misc_rol=" <<<"
 74 | misc_semicolon=" ;"
 75 | misc_serialized_object=" {'a': 1}"
 76 | misc_string=" 'a'"
 77 | misc_unicode=" '\\u0001'"
 78 | 
 79 | object_Array=" Array"
 80 | object_Boolean=" Boolean"
 81 | object_Date=" Date"
 82 | object_Function=" Function"
 83 | object_Infinity=" Infinity"
 84 | object_Int8Array=" Int8Array"
 85 | object_Math=" Math"
 86 | object_NaN=" NaN"
 87 | object_Number=" Number"
 88 | object_Object=" Object"
 89 | object_RegExp=" RegExp"
 90 | object_String=" String"
 91 | object_Symbol=" Symbol"
 92 | object_false=" false"
 93 | object_null=" null"
 94 | object_true=" true"
 95 | 
 96 | prop_charAt=".charAt"
 97 | prop_concat=".concat"
 98 | prop_constructor=".constructor"
 99 | prop_destructor=".destructor"
100 | prop_length=".length"
101 | prop_match=".match"
102 | prop_proto=".__proto__"
103 | prop_prototype=".prototype"
104 | prop_slice=".slice"
105 | prop_toCode=".toCode"
106 | prop_toString=".toString"
107 | prop_valueOf=".valueOf"
108 | 


--------------------------------------------------------------------------------
/dictionaries/json.dict:
--------------------------------------------------------------------------------
 1 | #
 2 | # AFL dictionary for JSON
 3 | # -----------------------
 4 | #
 5 | # Just the very basics.
 6 | #
 7 | # Inspired by a dictionary by Jakub Wilk <jwilk@jwilk.net>
 8 | #
 9 | 
10 | "0"
11 | ",0"
12 | ":0"
13 | "0:"
14 | "-1.2e+3"
15 | 
16 | "true"
17 | "false"
18 | "null"
19 | 
20 | "\"\""
21 | ",\"\""
22 | ":\"\""
23 | "\"\":"
24 | 
25 | "{}"
26 | ",{}"
27 | ":{}"
28 | "{\"\":0}"
29 | "{{}}"
30 | 
31 | "[]"
32 | ",[]"
33 | ":[]"
34 | "[0]"
35 | "[[]]"
36 | 
37 | "''"
38 | "\\"
39 | "\\b"
40 | "\\f"
41 | "\\n"
42 | "\\r"
43 | "\\t"
44 | "\\u0000"
45 | "\\x00"
46 | "\\0"
47 | "\\uD800\\uDC00"
48 | "\\uDBFF\\uDFFF"
49 | 
50 | "\"\":0"
51 | "//"
52 | "/**/"
53 | 


--------------------------------------------------------------------------------
/dictionaries/png.dict:
--------------------------------------------------------------------------------
 1 | #
 2 | # AFL dictionary for PNG images
 3 | # -----------------------------
 4 | #
 5 | # Just the basic, standard-originating sections; does not include vendor
 6 | # extensions.
 7 | #
 8 | # Created by Michal Zalewski <lcamtuf@google.com>
 9 | #
10 | 
11 | header_png="\x89PNG\x0d\x0a\x1a\x0a"
12 | 
13 | section_IDAT="IDAT"
14 | section_IEND="IEND"
15 | section_IHDR="IHDR"
16 | section_PLTE="PLTE"
17 | section_bKGD="bKGD"
18 | section_cHRM="cHRM"
19 | section_fRAc="fRAc"
20 | section_gAMA="gAMA"
21 | section_gIFg="gIFg"
22 | section_gIFt="gIFt"
23 | section_gIFx="gIFx"
24 | section_hIST="hIST"
25 | section_iCCP="iCCP"
26 | section_iTXt="iTXt"
27 | section_oFFs="oFFs"
28 | section_pCAL="pCAL"
29 | section_pHYs="pHYs"
30 | section_sBIT="sBIT"
31 | section_sCAL="sCAL"
32 | section_sPLT="sPLT"
33 | section_sRGB="sRGB"
34 | section_sTER="sTER"
35 | section_tEXt="tEXt"
36 | section_tIME="tIME"
37 | section_tRNS="tRNS"
38 | section_zTXt="zTXt"
39 | 


--------------------------------------------------------------------------------
/dictionaries/tiff.dict:
--------------------------------------------------------------------------------
 1 | #
 2 | # AFL dictionary for TIFF images
 3 | # ------------------------------
 4 | #
 5 | # Just the basic, standard-originating sections; does not include vendor
 6 | # extensions.
 7 | #
 8 | # Created by Michal Zalewski <lcamtuf@google.com>
 9 | #
10 | 
11 | header_ii="II*\x00"
12 | header_mm="MM\x00*"
13 | 
14 | section_100="\x00\x01"
15 | section_101="\x01\x01"
16 | section_102="\x02\x01"
17 | section_103="\x03\x01"
18 | section_106="\x06\x01"
19 | section_107="\x07\x01"
20 | section_10D="\x0d\x01"
21 | section_10E="\x0e\x01"
22 | section_10F="\x0f\x01"
23 | section_110="\x10\x01"
24 | section_111="\x11\x01"
25 | section_112="\x12\x01"
26 | section_115="\x15\x01"
27 | section_116="\x16\x01"
28 | section_117="\x17\x01"
29 | section_11A="\x1a\x01"
30 | section_11B="\x1b\x01"
31 | section_11C="\x1c\x01"
32 | section_11D="\x1d\x01"
33 | section_11E="\x1e\x01"
34 | section_11F="\x1f\x01"
35 | section_122="\"\x01"
36 | section_123="#\x01"
37 | section_124="$\x01"
38 | section_125="%\x01"
39 | section_128="(\x01"
40 | section_129=")\x01"
41 | section_12D="-\x01"
42 | section_131="1\x01"
43 | section_132="2\x01"
44 | section_13B=";\x01"
45 | section_13C="<\x01"
46 | section_13D="=\x01"
47 | section_13E=">\x01"
48 | section_13F="?\x01"
49 | section_140="@\x01"
50 | section_FE="\xfe\x00"
51 | section_FF="\xff\x00"
52 | 


--------------------------------------------------------------------------------
/dictionaries/webp.dict:
--------------------------------------------------------------------------------
 1 | #
 2 | # AFL dictionary for WebP images
 3 | # ------------------------------
 4 | #
 5 | # Created by Michal Zalewski <lcamtuf@google.com>
 6 | #
 7 | 
 8 | header_RIFF="RIFF"
 9 | header_WEBP="WEBP"
10 | 
11 | section_ALPH="ALPH"
12 | section_ANIM="ANIM"
13 | section_ANMF="ANMF"
14 | section_EXIF="EXIF"
15 | section_FRGM="FRGM"
16 | section_ICCP="ICCP"
17 | section_VP8="VP8 "
18 | section_VP8L="VP8L"
19 | section_VP8X="VP8X"
20 | section_XMP="XMP "
21 | 


--------------------------------------------------------------------------------
/dictionaries/xml.dict:
--------------------------------------------------------------------------------
 1 | #
 2 | # AFL dictionary for XML
 3 | # ----------------------
 4 | #
 5 | # Several basic syntax elements and attributes, modeled on libxml2.
 6 | #
 7 | # Created by Michal Zalewski <lcamtuf@google.com>
 8 | #
 9 | 
10 | attr_encoding=" encoding=\"1\""
11 | attr_generic=" a=\"1\""
12 | attr_href=" href=\"1\""
13 | attr_standalone=" standalone=\"no\""
14 | attr_version=" version=\"1\""
15 | attr_xml_base=" xml:base=\"1\""
16 | attr_xml_id=" xml:id=\"1\""
17 | attr_xml_lang=" xml:lang=\"1\""
18 | attr_xml_space=" xml:space=\"1\""
19 | attr_xmlns=" xmlns=\"1\""
20 | 
21 | entity_builtin="&lt;"
22 | entity_decimal="&#1;"
23 | entity_external="&a;"
24 | entity_hex="&#x1;"
25 | 
26 | string_any="ANY"
27 | string_brackets="[]"
28 | string_cdata="CDATA"
29 | string_col_fallback=":fallback"
30 | string_col_generic=":a"
31 | string_col_include=":include"
32 | string_dashes="--"
33 | string_empty="EMPTY"
34 | string_empty_dblquotes="\"\""
35 | string_empty_quotes="''"
36 | string_entities="ENTITIES"
37 | string_entity="ENTITY"
38 | string_fixed="#FIXED"
39 | string_id="ID"
40 | string_idref="IDREF"
41 | string_idrefs="IDREFS"
42 | string_implied="#IMPLIED"
43 | string_nmtoken="NMTOKEN"
44 | string_nmtokens="NMTOKENS"
45 | string_notation="NOTATION"
46 | string_parentheses="()"
47 | string_pcdata="#PCDATA"
48 | string_percent="%a"
49 | string_public="PUBLIC"
50 | string_required="#REQUIRED"
51 | string_schema=":schema"
52 | string_system="SYSTEM"
53 | string_ucs4="UCS-4"
54 | string_utf16="UTF-16"
55 | string_utf8="UTF-8"
56 | string_xmlns="xmlns:"
57 | 
58 | tag_attlist="<!ATTLIST"
59 | tag_cdata="<![CDATA["
60 | tag_close="</a>"
61 | tag_doctype="<!DOCTYPE"
62 | tag_element="<!ELEMENT"
63 | tag_entity="<!ENTITY"
64 | tag_ignore="<![IGNORE["
65 | tag_include="<![INCLUDE["
66 | tag_notation="<!NOTATION"
67 | tag_open="<a>"
68 | tag_open_close="<a />"
69 | tag_open_exclamation="<!"
70 | tag_open_q="<?"
71 | tag_sq2_close="]]>"
72 | tag_xml_q="<?xml?>"
73 | 


--------------------------------------------------------------------------------
/docs/INSTALL:
--------------------------------------------------------------------------------
  1 | =========================
  2 | Installation instructions
  3 | =========================
  4 | 
  5 |   This document provides basic installation instructions and discusses known
  6 |   issues for a variety of platforms. See README for the general instruction
  7 |   manual.
  8 | 
  9 | 1) Linux on x86
 10 | ---------------
 11 | 
 12 | This platform is expected to work well. Compile the program with:
 13 | 
 14 | $ make
 15 | 
 16 | You can start using the fuzzer without installation, but it is also possible to
 17 | install it with:
 18 | 
 19 | # make install
 20 | 
 21 | There are no special dependencies to speak of; you will need GNU make and a
 22 | working compiler (gcc or clang). Some of the optional scripts bundled with the
 23 | program may depend on bash, gdb, and similar basic tools.
 24 | 
 25 | If you are using clang, please review llvm_mode/README.llvm; the LLVM
 26 | integration mode can offer substantial performance gains compared to the
 27 | traditional approach.
 28 | 
 29 | You may have to change several settings to get optimal results (most notably,
 30 | disable crash reporting utilities and switch to a different CPU governor), but
 31 | afl-fuzz will guide you through that if necessary.
 32 | 
 33 | 2) OpenBSD, FreeBSD, NetBSD on x86
 34 | ----------------------------------
 35 | 
 36 | Similarly to Linux, these platforms are expected to work well and are
 37 | regularly tested. Compile everything with GNU make:
 38 | 
 39 | $ gmake
 40 | 
 41 | Note that BSD make will *not* work; if you do not have gmake on your system,
 42 | please install it first. As on Linux, you can use the fuzzer itself without
 43 | installation, or install it with:
 44 | 
 45 | # gmake install
 46 | 
 47 | Keep in mind that if you are using csh as your shell, the syntax of some of the
 48 | shell commands given in the README and other docs will be different.
 49 | 
 50 | The llvm_mode requires a dynamically linked, fully-operational installation of
 51 | clang. At least on FreeBSD, the clang binaries are static and do not include
 52 | some of the essential tools, so if you want to make it work, you may need to
 53 | follow the instructions in llvm_mode/README.llvm.
 54 | 
 55 | Beyond that, everything should work as advertised.
 56 | 
 57 | The QEMU mode is currently supported only on Linux. I think it's just a QEMU
 58 | problem, I couldn't get a vanilla copy of user-mode emulation support working
 59 | correctly on BSD at all.
 60 | 
 61 | 3) MacOS X on x86
 62 | -----------------
 63 | 
 64 | MacOS X should work, but there are some gotchas due to the idiosyncrasies of
 65 | the platform. On top of this, I have limited release testing capabilities
 66 | and depend mostly on user feedback.
 67 | 
 68 | To build AFL, install Xcode and follow the general instructions for Linux.
 69 | 
 70 | The Xcode 'gcc' tool is just a wrapper for clang, so be sure to use afl-clang
 71 | to compile any instrumented binaries; afl-gcc will fail unless you have GCC
 72 | installed from another source (in which case, please specify AFL_CC and
 73 | AFL_CXX to point to the "real" GCC binaries).
 74 | 
 75 | Only 64-bit compilation will work on the platform; porting the 32-bit
 76 | instrumentation would require a fair amount of work due to the way OS X
 77 | handles relocations, and today, virtually all MacOS X boxes are 64-bit.
 78 | 
 79 | The crash reporting daemon that comes by default with MacOS X will cause
 80 | problems with fuzzing. You need to turn it off by following the instructions
 81 | provided here: http://goo.gl/CCcd5u
 82 | 
 83 | The fork() semantics on OS X are a bit unusual compared to other unix systems
 84 | and definitely don't look POSIX-compliant. This means two things:
 85 | 
 86 |   - Fuzzing will be probably slower than on Linux. In fact, some folks report
 87 |     considerable performance gains by running the jobs inside a Linux VM on
 88 |     MacOS X.
 89 | 
 90 |   - Some non-portable, platform-specific code may be incompatible with the
 91 |     AFL forkserver. If you run into any problems, set AFL_NO_FORKSRV=1 in the
 92 |     environment before starting afl-fuzz.
 93 | 
 94 | User emulation mode of QEMU does not appear to be supported on MacOS X, so
 95 | black-box instrumentation mode (-Q) will not work.
 96 | 
 97 | The llvm_mode requires a fully-operational installation of clang. The one that
 98 | comes with Xcode is missing some of the essential headers and helper tools.
 99 | See llvm_mode/README.llvm for advice on how to build the compiler from scratch.
100 | 
101 | 4) Linux or *BSD on non-x86 systems
102 | -----------------------------------
103 | 
104 | Standard build will fail on non-x86 systems, but you should be able to
105 | leverage two other options:
106 | 
107 |   - The LLVM mode (see llvm_mode/README.llvm), which does not rely on
108 |     x86-specific assembly shims. It's fast and robust, but requires a
109 |     complete installation of clang.
110 | 
111 |   - The QEMU mode (see qemu_mode/README.qemu), which can be also used for
112 |     fuzzing cross-platform binaries. It's slower and more fragile, but
113 |     can be used even when you don't have the source for the tested app.
114 | 
115 | If you're not sure what you need, you need the LLVM mode. To get it, try:
116 | 
117 | $ AFL_NO_X86=1 gmake && gmake -C llvm_mode
118 | 
119 | ...and compile your target program with afl-clang-fast or afl-clang-fast++
120 | instead of the traditional afl-gcc or afl-clang wrappers.
121 | 
122 | 5) Solaris on x86
123 | -----------------
124 | 
125 | The fuzzer reportedly works on Solaris, but I have not tested this first-hand,
126 | and the user base is fairly small, so I don't have a lot of feedback.
127 | 
128 | To get the ball rolling, you will need to use GNU make and GCC or clang. I'm
129 | being told that the stock version of GCC that comes with the platform does not
130 | work properly due to its reliance on a hardcoded location for 'as' (completely
131 | ignoring the -B parameter or $PATH).
132 | 
133 | To fix this, you may want to build stock GCC from the source, like so:
134 | 
135 | $ ./configure --prefix=$HOME/gcc --with-gnu-as --with-gnu-ld \
136 |   --with-gmp-include=/usr/include/gmp --with-mpfr-include=/usr/include/mpfr
137 | $ make
138 | $ sudo make install
139 | 
140 | Do *not* specify --with-as=/usr/gnu/bin/as - this will produce a GCC binary that
141 | ignores the -B flag and you will be back to square one.
142 | 
143 | Note that Solaris reportedly comes with crash reporting enabled, which causes
144 | problems with crashes being misinterpreted as hangs, similarly to the gotchas
145 | for Linux and MacOS X. AFL does not auto-detect crash reporting on this
146 | particular platform, but you may need to run the following command:
147 | 
148 | $ coreadm -d global -d global-setid -d process -d proc-setid \
149 |   -d kzone -d log
150 | 
151 | User emulation mode of QEMU is not available on Solaris, so black-box
152 | instrumentation mode (-Q) will not work.
153 | 
154 | 6) Everything else
155 | ------------------
156 | 
157 | You're on your own. On POSIX-compliant systems, you may be able to compile and
158 | run the fuzzer; and the LLVM mode may offer a way to instrument non-x86 code.
159 | 
160 | The fuzzer will not run on Windows. It will also not work under Cygwin. It
161 | could be ported to the latter platform fairly easily, but it's a pretty bad
162 | idea, because Cygwin is extremely slow. It makes much more sense to use
163 | VirtualBox or so to run a hardware-accelerated Linux VM; it will run around
164 | 20x faster or so. If you have a *really* compelling use case for Cygwin, let
165 | me know.
166 | 
167 | Although Android on x86 should theoretically work, the stock kernel may have
168 | SHM support compiled out, and if so, you may have to address that issue first.
169 | It's possible that all you need is this workaround:
170 | 
171 |   https://github.com/pelya/android-shmem
172 | 
173 | Joshua J. Drake notes that the Android linker adds a shim that automatically
174 | intercepts SIGSEGV and related signals. To fix this issue and be able to see
175 | crashes, you need to put this at the beginning of the fuzzed program:
176 | 
177 |   signal(SIGILL, SIG_DFL);
178 |   signal(SIGABRT, SIG_DFL);
179 |   signal(SIGBUS, SIG_DFL);
180 |   signal(SIGFPE, SIG_DFL);
181 |   signal(SIGSEGV, SIG_DFL);
182 | 
183 | You may need to #include <signal.h> first.
184 | 


--------------------------------------------------------------------------------
/docs/QuickStartGuide.txt:
--------------------------------------------------------------------------------
 1 | =====================
 2 | AFL quick start guide
 3 | =====================
 4 | 
 5 | You should read docs/README. It's pretty short. If you really can't, here's
 6 | how to hit the ground running:
 7 | 
 8 | 1) Compile AFL with 'make'. If build fails, see docs/INSTALL for tips.
 9 | 
10 | 2) Find or write a reasonably fast and simple program that takes data from
11 |    a file or stdin, processes it in a test-worthy way, then exits cleanly.
12 |    If testing a network service, modify it to run in the foreground and read
13 |    from stdin. When fuzzing a format that uses checksums, comment out the
14 |    checksum verification code, too.
15 | 
16 |    The program must crash properly when a fault is encountered. Watch out for
17 |    custom SIGSEGV or SIGABRT handlers and background processes. For tips on
18 |    detecting non-crashing flaws, see section 11 in docs/README.
19 | 
20 | 3) Compile the program / library to be fuzzed using afl-gcc. A common way to
21 |    do this would be:
22 | 
23 |    CC=/path/to/afl-gcc CXX=/path/to/afl-g++ ./configure --disable-shared
24 |    make clean all
25 | 
26 |    If program build fails, ping <afl-users@googlegroups.com>.
27 | 
28 | 4) Get a small but valid input file that makes sense to the program. When
29 |    fuzzing verbose syntax (SQL, HTTP, etc), create a dictionary as described in
30 |    dictionaries/README.dictionaries, too.
31 | 
32 | 5) If the program reads from stdin, run 'afl-fuzz' like so:
33 | 
34 |    ./afl-fuzz -i testcase_dir -o findings_dir -- \
35 |      /path/to/tested/program [...program's cmdline...]
36 | 
37 |    If the program takes input from a file, you can put @@ in the program's
38 |    command line; AFL will put an auto-generated file name in there for you.
39 | 
40 | 6) Investigate anything shown in red in the fuzzer UI by promptly consulting
41 |    docs/status_screen.txt.
42 | 
43 | That's it. Sit back, relax, and - time permitting - try to skim through the
44 | following files:
45 | 
46 |   - docs/README               - A general introduction to AFL,
47 |   - docs/perf_tips.txt        - Simple tips on how to fuzz more quickly,
48 |   - docs/status_screen.txt    - An explanation of the tidbits shown in the UI,
49 |   - docs/parallel_fuzzing.txt - Advice on running AFL on multiple cores.
50 | 


--------------------------------------------------------------------------------
/docs/historical_notes.txt:
--------------------------------------------------------------------------------
  1 | ================
  2 | Historical notes
  3 | ================
  4 | 
  5 |   This doc talks about the rationale of some of the high-level design decisions
  6 |   for American Fuzzy Lop. It's adopted from a discussion with Rob Graham.
  7 |   See README for the general instruction manual, and technical_details.txt for
  8 |   additional implementation-level insights.
  9 | 
 10 | 1) Influences
 11 | -------------
 12 | 
 13 | In short, afl-fuzz is inspired chiefly by the work done by Tavis Ormandy back
 14 | in 2007. Tavis did some very persuasive experiments using gcov block coverage
 15 | to select optimal test cases out of a large corpus of data, and then using
 16 | them as a starting point for traditional fuzzing workflows.
 17 | 
 18 | (By "persuasive", I mean: netting a significant number of interesting
 19 | vulnerabilities.)
 20 | 
 21 | In parallel to this, both Tavis and I were interested in evolutionary fuzzing.
 22 | Tavis had his experiments, and I was working on a tool called bunny-the-fuzzer,
 23 | released somewhere in 2007.
 24 | 
 25 | Bunny used a generational algorithm not much different from afl-fuzz, but
 26 | also tried to reason about the relationship between various input bits and
 27 | the internal state of the program, with hopes of deriving some additional value
 28 | from that. The reasoning / correlation part was probably in part inspired by
 29 | other projects done around the same time by Will Drewry and Chris Evans.
 30 | 
 31 | The state correlation approach sounded very sexy on paper, but ultimately, made
 32 | the fuzzer complicated, brittle, and cumbersome to use; every other target
 33 | program would require a tweak or two. Because Bunny didn't fare a whole lot
 34 | better than less sophisticated brute-force tools, I eventually decided to write
 35 | it off. You can still find its original documentation at:
 36 | 
 37 |   https://code.google.com/p/bunny-the-fuzzer/wiki/BunnyDoc
 38 | 
 39 | There has been a fair amount of independent work, too. Most notably, a few
 40 | weeks earlier that year, Jared DeMott had a Defcon presentation about a
 41 | coverage-driven fuzzer that relied on coverage as a fitness function.
 42 | 
 43 | Jared's approach was by no means identical to what afl-fuzz does, but it was in
 44 | the same ballpark. His fuzzer tried to explicitly solve for the maximum coverage
 45 | with a single input file; in comparison, afl simply selects for cases that do
 46 | something new (which yields better results - see technical_details.txt).
 47 | 
 48 | A few years later, Gabriel Campana released fuzzgrind, a tool that relied purely
 49 | on Valgrind and a constraint solver to maximize coverage without any brute-force
 50 | bits; and Microsoft Research folks talked extensively about their still
 51 | non-public, solver-based SAGE framework.
 52 | 
 53 | In the past six years or so, I've also seen a fair number of academic papers
 54 | that dealt with smart fuzzing (focusing chiefly on symbolic execution) and a
 55 | couple papers that discussed proof-of-concept applications of genetic
 56 | algorithms with the same goals in mind. I'm unconvinced how practical most of
 57 | these experiments were; I suspect that many of them suffer from the
 58 | bunny-the-fuzzer's curse of being cool on paper and in carefully designed
 59 | experiments, but failing the ultimate test of being able to find new,
 60 | worthwhile security bugs in otherwise well-fuzzed, real-world software.
 61 | 
 62 | In some ways, the baseline that the "cool" solutions have to compete against is
 63 | a lot more impressive than it may seem, making it difficult for competitors to
 64 | stand out. For a singular example, check out the work by Gynvael and Mateusz
 65 | Jurczyk, applying "dumb" fuzzing to ffmpeg, a prominent and security-critical
 66 | component of modern browsers and media players:
 67 | 
 68 |   http://googleonlinesecurity.blogspot.com/2014/01/ffmpeg-and-thousand-fixes.html
 69 | 
 70 | Effortlessly getting comparable results with state-of-the-art symbolic execution
 71 | in equally complex software still seems fairly unlikely, and hasn't been
 72 | demonstrated in practice so far.
 73 | 
 74 | But I digress; ultimately, attribution is hard, and glorying the fundamental
 75 | concepts behind AFL is probably a waste of time. The devil is very much in the
 76 | often-overlooked details, which brings us to...
 77 | 
 78 | 2) Design goals for afl-fuzz
 79 | ----------------------------
 80 | 
 81 | In short, I believe that the current implementation of afl-fuzz takes care of
 82 | several itches that seemed impossible to scratch with other tools:
 83 | 
 84 | 1) Speed. It's genuinely hard to compete with brute force when your "smart"
 85 |    approach is resource-intensive. If your instrumentation makes it 10x more
 86 |    likely to find a bug, but runs 100x slower, your users are getting a bad
 87 |    deal.
 88 | 
 89 |    To avoid starting with a handicap, afl-fuzz is meant to let you fuzz most of
 90 |    the intended targets at roughly their native speed - so even if it doesn't
 91 |    add value, you do not lose much.
 92 | 
 93 |    On top of this, the tool leverages instrumentation to actually reduce the
 94 |    amount of work in a couple of ways: for example, by carefully trimming the
 95 |    corpus or skipping non-functional but non-trimmable regions in the input
 96 |    files.
 97 | 
 98 | 2) Rock-solid reliability. It's hard to compete with brute force if your
 99 |    approach is brittle and fails unexpectedly. Automated testing is attractive
100 |    because it's simple to use and scalable; anything that goes against these
101 |    principles is an unwelcome trade-off and means that your tool will be used
102 |    less often and with less consistent results.
103 | 
104 |    Most of the approaches based on symbolic execution, taint tracking, or
105 |    complex syntax-aware instrumentation are currently fairly unreliable with
106 |    real-world targets. Perhaps more importantly, their failure modes can render
107 |    them strictly worse than "dumb" tools, and such degradation can be difficult
108 |    for less experienced users to notice and correct.
109 | 
110 |    In contrast, afl-fuzz is designed to be rock solid, chiefly by keeping it
111 |    simple. In fact, at its core, it's designed to be just a very good
112 |    traditional fuzzer with a wide range of interesting, well-researched
113 |    strategies to go by. The fancy parts just help it focus the effort in
114 |    places where it matters the most.
115 | 
116 | 3) Simplicity. The author of a testing framework is probably the only person
117 |    who truly understands the impact of all the settings offered by the tool -
118 |    and who can dial them in just right. Yet, even the most rudimentary fuzzer
119 |    frameworks often come with countless knobs and fuzzing ratios that need to
120 |    be guessed by the operator ahead of the time. This can do more harm than 
121 |    good.
122 | 
123 |    AFL is designed to avoid this as much as possible. The three knobs you
124 |    can play with are the output file, the memory limit, and the ability to
125 |    override the default, auto-calibrated timeout. The rest is just supposed to
126 |    work. When it doesn't, user-friendly error messages outline the probable
127 |    causes and workarounds, and get you back on track right away.
128 | 
129 | 4) Chainability. Most general-purpose fuzzers can't be easily employed
130 |    against resource-hungry or interaction-heavy tools, necessitating the
131 |    creation of custom in-process fuzzers or the investment of massive CPU
132 |    power (most of which is wasted on tasks not directly related to the code
133 |    we actually want to test).
134 | 
135 |    AFL tries to scratch this itch by allowing users to use more lightweight
136 |    targets (e.g., standalone image parsing libraries) to create small
137 |    corpora of interesting test cases that can be fed into a manual testing
138 |    process or a UI harness later on.
139 | 
140 | As mentioned in technical_details.txt, AFL does all this not by systematically
141 | applying a single overarching CS concept, but by experimenting with a variety
142 | of small, complementary methods that were shown to reliably yields results
143 | better than chance. The use of instrumentation is a part of that toolkit, but is
144 | far from being the most important one.
145 | 
146 | Ultimately, what matters is that afl-fuzz is designed to find cool bugs - and
147 | has a pretty robust track record of doing just that.
148 | 


--------------------------------------------------------------------------------
/docs/life_pro_tips.txt:
--------------------------------------------------------------------------------
  1 | # ===================
  2 | # AFL "Life Pro Tips"
  3 | # ===================
  4 | #
  5 | # Bite-sized advice for those who understand the basics, but can't be bothered
  6 | # to read or memorize every other piece of documentation for AFL.
  7 | #
  8 | 
  9 | %
 10 | 
 11 | Get more bang for your buck by using fuzzing dictionaries.
 12 | See dictionaries/README.dictionaries to learn how.
 13 | 
 14 | %
 15 | 
 16 | You can get the most out of your hardware by parallelizing AFL jobs.
 17 | See docs/parallel_fuzzing.txt for step-by-step tips.
 18 | 
 19 | %
 20 | 
 21 | Improve the odds of spotting memory corruption bugs with libdislocator.so!
 22 | It's easy. Consult libdislocator/README.dislocator for usage tips.
 23 | 
 24 | %
 25 | 
 26 | Want to understand how your target parses a particular input file?
 27 | Try the bundled afl-analyze tool; it's got colors and all!
 28 | 
 29 | %
 30 | 
 31 | You can visually monitor the progress of your fuzzing jobs.
 32 | Run the bundled afl-plot utility to generate browser-friendly graphs.
 33 | 
 34 | %
 35 | 
 36 | Need to monitor AFL jobs programmatically? Check out the fuzzer_stats file
 37 | in the AFL output dir or try afl-whatsup.
 38 | 
 39 | %
 40 | 
 41 | Puzzled by something showing up in red or purple in the AFL UI?
 42 | It could be important - consult docs/status_screen.txt right away!
 43 | 
 44 | %
 45 | 
 46 | Know your target? Convert it to persistent mode for a huge performance gain!
 47 | Consult section #5 in llvm_mode/README.llvm for tips.
 48 | 
 49 | %
 50 | 
 51 | Using clang? Check out llvm_mode/ for a faster alternative to afl-gcc!
 52 | 
 53 | %
 54 | 
 55 | Did you know that AFL can fuzz closed-source or cross-platform binaries?
 56 | Check out qemu_mode/README.qemu for more.
 57 | 
 58 | %
 59 | 
 60 | Did you know that afl-fuzz can minimize any test case for you?
 61 | Try the bundled afl-tmin tool - and get small repro files fast!
 62 | 
 63 | %
 64 | 
 65 | Not sure if a crash is exploitable? AFL can help you figure it out. Specify
 66 | -C to enable the peruvian were-rabbit mode. See section #10 in README for more.
 67 | 
 68 | %
 69 | 
 70 | Trouble dealing with a machine uprising? Relax, we've all been there.
 71 | Find essential survival tips at http://lcamtuf.coredump.cx/prep/.
 72 | 
 73 | %
 74 | 
 75 | AFL-generated corpora can be used to power other testing processes.
 76 | See section #2 in README for inspiration - it tends to pay off!
 77 | 
 78 | %
 79 | 
 80 | Want to automatically spot non-crashing memory handling bugs?
 81 | Try running an AFL-generated corpus through ASAN, MSAN, or Valgrind.
 82 | 
 83 | %
 84 | 
 85 | Good selection of input files is critical to a successful fuzzing job.
 86 | See section #5 in README (or docs/perf_tips.txt) for pro tips.
 87 | 
 88 | %
 89 | 
 90 | You can improve the odds of automatically spotting stack corruption issues.
 91 | Specify AFL_HARDEN=1 in the environment to enable hardening flags.
 92 | 
 93 | %
 94 | 
 95 | Bumping into problems with non-reproducible crashes? It happens, but usually
 96 | isn't hard to diagnose. See section #7 in README for tips.
 97 | 
 98 | %
 99 | 
100 | Fuzzing is not just about memory corruption issues in the codebase. Add some
101 | sanity-checking assert() / abort() statements to effortlessly catch logic bugs.
102 | 
103 | %
104 | 
105 | Hey kid... pssst... want to figure out how AFL really works?
106 | Check out docs/technical_details.txt for all the gory details in one place!
107 | 
108 | %
109 | 
110 | There's a ton of third-party helper tools designed to work with AFL!
111 | Be sure to check out docs/sister_projects.txt before writing your own.
112 | 
113 | %
114 | 
115 | Need to fuzz the command-line arguments of a particular program?
116 | You can find a simple solution in experimental/argv_fuzzing.
117 | 
118 | %
119 | 
120 | Attacking a format that uses checksums? Remove the checksum-checking code or
121 | use a postprocessor! See experimental/post_library/ for more.
122 | 
123 | %
124 | 
125 | Dealing with a very slow target or hoping for instant results? Specify -d
126 | when calling afl-fuzz!
127 | 
128 | %
129 | 


--------------------------------------------------------------------------------
/docs/notes_for_asan.txt:
--------------------------------------------------------------------------------
  1 | ==================================
  2 | Notes for using ASAN with afl-fuzz
  3 | ==================================
  4 | 
  5 |   This file discusses some of the caveats for fuzzing under ASAN, and suggests
  6 |   a handful of alternatives. See README for the general instruction manual.
  7 | 
  8 | 1) Short version
  9 | ----------------
 10 | 
 11 | ASAN on 64-bit systems requests a lot of memory in a way that can't be easily
 12 | distinguished from a misbehaving program bent on crashing your system.
 13 | 
 14 | Because of this, fuzzing with ASAN is recommended only in four scenarios:
 15 | 
 16 |   - On 32-bit systems, where we can always enforce a reasonable memory limit
 17 |     (-m 800 or so is a good starting point),
 18 | 
 19 |   - On 64-bit systems only if you can do one of the following:
 20 | 
 21 |     - Compile the binary in 32-bit mode (gcc -m32),
 22 | 
 23 |     - Precisely gauge memory needs using http://jwilk.net/software/recidivm .
 24 | 
 25 |     - Limit the memory available to process using cgroups on Linux (see
 26 |       experimental/asan_cgroups).
 27 | 
 28 | To compile with ASAN, set AFL_USE_ASAN=1 before calling 'make clean all'. The
 29 | afl-gcc / afl-clang wrappers will pick that up and add the appropriate flags.
 30 | Note that ASAN is incompatible with -static, so be mindful of that.
 31 | 
 32 | (You can also use AFL_USE_MSAN=1 to enable MSAN instead.)
 33 | 
 34 | There is also the option of generating a corpus using a non-ASAN binary, and
 35 | then feeding it to an ASAN-instrumented one to check for bugs. This is faster,
 36 | and can give you somewhat comparable results. You can also try using
 37 | libdislocator (see libdislocator/README.dislocator in the parent directory) as a
 38 | lightweight and hassle-free (but less thorough) alternative.
 39 | 
 40 | 2) Long version
 41 | ---------------
 42 | 
 43 | ASAN allocates a huge region of virtual address space for bookkeeping purposes.
 44 | Most of this is never actually accessed, so the OS never has to allocate any
 45 | real pages of memory for the process, and the VM grabbed by ASAN is essentially
 46 | "free" - but the mapping counts against the standard OS-enforced limit
 47 | (RLIMIT_AS, aka ulimit -v).
 48 | 
 49 | On our end, afl-fuzz tries to protect you from processes that go off-rails
 50 | and start consuming all the available memory in a vain attempt to parse a
 51 | malformed input file. This happens surprisingly often, so enforcing such a limit
 52 | is important for almost any fuzzer: the alternative is for the kernel OOM
 53 | handler to step in and start killing random processes to free up resources.
 54 | Needless to say, that's not a very nice prospect to live with.
 55 | 
 56 | Unfortunately, un*x systems offer no portable way to limit the amount of
 57 | pages actually given to a process in a way that distinguishes between that
 58 | and the harmless "land grab" done by ASAN. In principle, there are three standard
 59 | ways to limit the size of the heap:
 60 | 
 61 |   - The RLIMIT_AS mechanism (ulimit -v) caps the size of the virtual space -
 62 |     but as noted, this pays no attention to the number of pages actually
 63 |     in use by the process, and doesn't help us here.
 64 | 
 65 |   - The RLIMIT_DATA mechanism (ulimit -d) seems like a good fit, but it applies
 66 |     only to the traditional sbrk() / brk() methods of requesting heap space;
 67 |     modern allocators, including the one in glibc, routinely rely on mmap()
 68 |     instead, and circumvent this limit completely.
 69 | 
 70 |   - Finally, the RLIMIT_RSS limit (ulimit -m) sounds like what we need, but
 71 |     doesn't work on Linux - mostly because nobody felt like implementing it.
 72 | 
 73 | There are also cgroups, but they are Linux-specific, not universally available
 74 | even on Linux systems, and they require root permissions to set up; I'm a bit
 75 | hesitant to make afl-fuzz require root permissions just for that. That said,
 76 | if you are on Linux and want to use cgroups, check out the contributed script
 77 | that ships in experimental/asan_cgroups/.
 78 | 
 79 | In settings where cgroups aren't available, we have no nice, portable way to
 80 | avoid counting the ASAN allocation toward the limit. On 32-bit systems, or for
 81 | binaries compiled in 32-bit mode (-m32), this is not a big deal: ASAN needs
 82 | around 600-800 MB or so, depending on the compiler - so all you need to do is
 83 | to specify -m that is a bit higher than that.
 84 | 
 85 | On 64-bit systems, the situation is more murky, because the ASAN allocation
 86 | is completely outlandish - around 17.5 TB in older versions, and closer to
 87 | 20 TB with newest ones. The actual amount of memory on your system is
 88 | (probably!) just a tiny fraction of that - so unless you dial the limit
 89 | with surgical precision, you will get no protection from OOM bugs.
 90 | 
 91 | On my system, the amount of memory grabbed by ASAN with a slightly older
 92 | version of gcc is around 17,825,850 MB; for newest clang, it's 20,971,600.
 93 | But there is no guarantee that these numbers are stable, and if you get them
 94 | wrong by "just" a couple gigs or so, you will be at risk.
 95 | 
 96 | To get the precise number, you can use the recidivm tool developed by Jakub
 97 | Wilk (http://jwilk.net/software/recidivm). In absence of this, ASAN is *not*
 98 | recommended when fuzzing 64-bit binaries, unless you are confident that they
 99 | are robust and enforce reasonable memory limits (in which case, you can
100 | specify '-m none' when calling afl-fuzz).
101 | 
102 | Using recidivm or running with no limits aside, there are two other decent
103 | alternatives: build a corpus of test cases using a non-ASAN binary, and then
104 | examine them with ASAN, Valgrind, or other heavy-duty tools in a more
105 | controlled setting; or compile the target program with -m32 (32-bit mode)
106 | if your system supports that.
107 | 
108 | 3) Interactions with the QEMU mode
109 | ----------------------------------
110 | 
111 | ASAN, MSAN, and other sanitizers appear to be incompatible with QEMU user
112 | emulation, so please do not try to use them with the -Q option; QEMU doesn't
113 | seem to appreciate the shadow VM trick used by these tools, and will likely
114 | just allocate all your physical memory, then crash.
115 | 
116 | 4) ASAN and OOM crashes
117 | -----------------------
118 | 
119 | By default, ASAN treats memory allocation failures as fatal errors, immediately
120 | causing the program to crash. Since this is a departure from normal POSIX
121 | semantics (and creates the appearance of security issues in otherwise
122 | properly-behaving programs), we try to disable this by specifying 
123 | allocator_may_return_null=1 in ASAN_OPTIONS.
124 | 
125 | Unfortunately, it's been reported that this setting still causes ASAN to
126 | trigger phantom crashes in situations where the standard allocator would
127 | simply return NULL. If this is interfering with your fuzzing jobs, you may
128 | want to cc: yourself on this bug:
129 | 
130 |   https://bugs.llvm.org/show_bug.cgi?id=22026
131 | 
132 | 5) What about UBSAN?
133 | --------------------
134 | 
135 | Some folks expressed interest in fuzzing with UBSAN. This isn't officially
136 | supported, because many installations of UBSAN don't offer a consistent way
137 | to abort() on fault conditions or to terminate with a distinctive exit code.
138 | 
139 | That said, some versions of the library can be binary-patched to address this
140 | issue, while newer releases support explicit compile-time flags - see this
141 | mailing list thread for tips:
142 | 
143 |   https://groups.google.com/forum/#!topic/afl-users/GyeSBJt4M38
144 | 


--------------------------------------------------------------------------------
/docs/visualization/afl_gzip.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/docs/visualization/afl_gzip.png


--------------------------------------------------------------------------------
/docs/vuln_samples/bash-cmd-exec.var:
--------------------------------------------------------------------------------
1 | () { _; } >_[$($())] { id; }


--------------------------------------------------------------------------------
/docs/vuln_samples/bash-uninit-mem.var:
--------------------------------------------------------------------------------
1 | () { x() { _; }; x() { _; } <<a; }


--------------------------------------------------------------------------------
/docs/vuln_samples/ffmpeg-h264-bad-ptr-800m.mp4:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/docs/vuln_samples/ffmpeg-h264-bad-ptr-800m.mp4


--------------------------------------------------------------------------------
/docs/vuln_samples/ffmpeg-h264-bad-read.mp4:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/docs/vuln_samples/ffmpeg-h264-bad-read.mp4


--------------------------------------------------------------------------------
/docs/vuln_samples/ffmpeg-h264-call-stack-overflow.mp4:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/docs/vuln_samples/ffmpeg-h264-call-stack-overflow.mp4


--------------------------------------------------------------------------------
/docs/vuln_samples/file-fpu-exception.elf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/docs/vuln_samples/file-fpu-exception.elf


--------------------------------------------------------------------------------
/docs/vuln_samples/firefox-bmp-leak.bmp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/docs/vuln_samples/firefox-bmp-leak.bmp


--------------------------------------------------------------------------------
/docs/vuln_samples/firefox-chrome-leak.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/docs/vuln_samples/firefox-chrome-leak.jpg


--------------------------------------------------------------------------------
/docs/vuln_samples/firefox-gif-leak.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/docs/vuln_samples/firefox-gif-leak.gif


--------------------------------------------------------------------------------
/docs/vuln_samples/firefox-gif-leak2.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/docs/vuln_samples/firefox-gif-leak2.gif


--------------------------------------------------------------------------------
/docs/vuln_samples/jxrlib-crash.jxr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/docs/vuln_samples/jxrlib-crash.jxr


--------------------------------------------------------------------------------
/docs/vuln_samples/jxrlib-crash2.jxr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/docs/vuln_samples/jxrlib-crash2.jxr


--------------------------------------------------------------------------------
/docs/vuln_samples/jxrlib-crash3.jxr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/docs/vuln_samples/jxrlib-crash3.jxr


--------------------------------------------------------------------------------
/docs/vuln_samples/jxrlib-crash4.jxr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/docs/vuln_samples/jxrlib-crash4.jxr


--------------------------------------------------------------------------------
/docs/vuln_samples/lesspipe-cpio-bad-write.cpio:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/docs/vuln_samples/lesspipe-cpio-bad-write.cpio


--------------------------------------------------------------------------------
/docs/vuln_samples/libjpeg-sos-leak.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/docs/vuln_samples/libjpeg-sos-leak.jpg


--------------------------------------------------------------------------------
/docs/vuln_samples/libjpeg-turbo-dht-leak.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/docs/vuln_samples/libjpeg-turbo-dht-leak.jpg


--------------------------------------------------------------------------------
/docs/vuln_samples/libtiff-bad-write.tif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/docs/vuln_samples/libtiff-bad-write.tif


--------------------------------------------------------------------------------
/docs/vuln_samples/libtiff-uninit-mem.tif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/docs/vuln_samples/libtiff-uninit-mem.tif


--------------------------------------------------------------------------------
/docs/vuln_samples/libtiff-uninit-mem2.tif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/docs/vuln_samples/libtiff-uninit-mem2.tif


--------------------------------------------------------------------------------
/docs/vuln_samples/libtiff-uninit-mem3.tif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/docs/vuln_samples/libtiff-uninit-mem3.tif


--------------------------------------------------------------------------------
/docs/vuln_samples/libtiff-uninit-mem4.tif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/docs/vuln_samples/libtiff-uninit-mem4.tif


--------------------------------------------------------------------------------
/docs/vuln_samples/libxml2-bad-read.xml:
--------------------------------------------------------------------------------
1 | <!DOCTYPEd[<!ENTITY
2 | S	""><!ENTITY %
3 | N	"<!ELEMENT<![INCLUDE0"<!ENTITYL%N;


--------------------------------------------------------------------------------
/docs/vuln_samples/msie-dht-leak.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/docs/vuln_samples/msie-dht-leak.jpg


--------------------------------------------------------------------------------
/docs/vuln_samples/msie-jxr-mem-leak.jxr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/docs/vuln_samples/msie-jxr-mem-leak.jxr


--------------------------------------------------------------------------------
/docs/vuln_samples/msie-png-mem-leak.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/docs/vuln_samples/msie-png-mem-leak.png


--------------------------------------------------------------------------------
/docs/vuln_samples/msie-tiff-mem-leak.tif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/docs/vuln_samples/msie-tiff-mem-leak.tif


--------------------------------------------------------------------------------
/docs/vuln_samples/msie-zlib-dos.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/docs/vuln_samples/msie-zlib-dos.png


--------------------------------------------------------------------------------
/docs/vuln_samples/openssl-null-ptr.der:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/docs/vuln_samples/openssl-null-ptr.der


--------------------------------------------------------------------------------
/docs/vuln_samples/openssl-null-ptr2.der:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/docs/vuln_samples/openssl-null-ptr2.der


--------------------------------------------------------------------------------
/docs/vuln_samples/photoshop-mem-leak.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/docs/vuln_samples/photoshop-mem-leak.jpg


--------------------------------------------------------------------------------
/docs/vuln_samples/sqlite-bad-free.sql:
--------------------------------------------------------------------------------
1 | create table t0(o CHar(0)CHECK(0&O>O));insert into t0
2 | select randomblob(0)-trim(0);
3 | 


--------------------------------------------------------------------------------
/docs/vuln_samples/sqlite-bad-ptr.sql:
--------------------------------------------------------------------------------
1 | SELECT 0 UNION SELECT 0 ORDER BY 1 COLLATE"""""""";
2 | 


--------------------------------------------------------------------------------
/docs/vuln_samples/sqlite-bad-ptr2.sql:
--------------------------------------------------------------------------------
1 | PRAGMA foreign_keys=1;CREATE TABLE t1("""0"PRIMARY KEy REFERENCES t1 ON DELETE SET NULL);REPLACE INTO t1 SELECT(0);
2 | 


--------------------------------------------------------------------------------
/docs/vuln_samples/sqlite-bad-ptr3.sql:
--------------------------------------------------------------------------------
1 | create table t(l);PRAGMA writable_schema=ON;
2 | UPDATE sqlite_master SET sql='00000000000000000000000000000000000000000000000000000000000000000000000000000000[%S';PRAGMA t;SAVEPOINT x;ROLLBACK;VACUUM;
3 | 


--------------------------------------------------------------------------------
/docs/vuln_samples/sqlite-heap-overflow.sql:
--------------------------------------------------------------------------------
1 | DROP TABLE IF EXISTS t;CREATE VIRTUAL TABLE t0 USING fts4();insert into t0 select zeroblob(0);SAVEPOINT O;insert into t0
2 | select(0);SAVEPOINT E;insert into t0 SELECT 0 UNION SELECT 0'x'ORDER BY x;
3 | 


--------------------------------------------------------------------------------
/docs/vuln_samples/sqlite-heap-overwrite.sql:
--------------------------------------------------------------------------------
1 | ATTACH "file:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA?mode=memory&cache=shared" AS x;


--------------------------------------------------------------------------------
/docs/vuln_samples/sqlite-negative-memset.sql:
--------------------------------------------------------------------------------
1 | SELECT*from(select"",zeroblob(0),zeroblob(1E9),zeroblob(0),zeroblob(150000000),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(1E9),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0)),(select"",zeroblob(1E9),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(1E9),(0),zeroblob(150000000),(0),zeroblob(0),(0)EXCEPT select zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0),zeroblob(0));
2 | 


--------------------------------------------------------------------------------
/docs/vuln_samples/sqlite-null-ptr1.sql:
--------------------------------------------------------------------------------
1 | create table t0(t);insert into t0
2 | select strftime();
3 | 


--------------------------------------------------------------------------------
/docs/vuln_samples/sqlite-null-ptr10.sql:
--------------------------------------------------------------------------------
1 | SELECT fts3_tokenizer(@0());
2 | 


--------------------------------------------------------------------------------
/docs/vuln_samples/sqlite-null-ptr11.sql:
--------------------------------------------------------------------------------
1 | select''like''like''like#0;
2 | 


--------------------------------------------------------------------------------
/docs/vuln_samples/sqlite-null-ptr12.sql:
--------------------------------------------------------------------------------
1 | PRAGMA e;select lower(0);select lower(0)"a",""GROUP BY a ORDER BY a;
2 | 


--------------------------------------------------------------------------------
/docs/vuln_samples/sqlite-null-ptr13.sql:
--------------------------------------------------------------------------------
1 | WITH x AS(SELECT*FROM t)SELECT""EXCEPT SELECT 0 ORDER BY 0 COLLATE"";
2 | 


--------------------------------------------------------------------------------
/docs/vuln_samples/sqlite-null-ptr14.sql:
--------------------------------------------------------------------------------
1 | CREATE VIRTUAL TABLE x USING fts4();VALUES(0,0),(0,0),(0,0),(0,0);PRAGMA writable_schema=ON;UPDATE sqlite_master SET sql=''WHERE name='';UPDATE sqlite_master SET sql='CREATE table t(d CHECK(T(#0)';SAVEPOINT K;SAVEPOINT T;SAVEPOINT T;ANALYZE;ROLLBACK;SAVEPOINT E;DROP TABLE IF EXISTS t;
2 | 


--------------------------------------------------------------------------------
/docs/vuln_samples/sqlite-null-ptr15.sql:
--------------------------------------------------------------------------------
1 | CREATE VIRTUAL TABLE t4 USING fts4(0,b,c,notindexed=0);INSERT INTO t4 VALUES('','','0');BEGIN;INSERT INTO t4 VALUES('','','0');INSERT INTO t4(t4)VALUES('integrity-check');
2 | 


--------------------------------------------------------------------------------
/docs/vuln_samples/sqlite-null-ptr2.sql:
--------------------------------------------------------------------------------
1 | DETACH(select group_concat(q));
2 | 


--------------------------------------------------------------------------------
/docs/vuln_samples/sqlite-null-ptr3.sql:
--------------------------------------------------------------------------------
1 | select(select strftime());
2 | 


--------------------------------------------------------------------------------
/docs/vuln_samples/sqlite-null-ptr4.sql:
--------------------------------------------------------------------------------
1 | select n()AND+#00;
2 | 


--------------------------------------------------------------------------------
/docs/vuln_samples/sqlite-null-ptr5.sql:
--------------------------------------------------------------------------------
1 | select e.*,0 from(s,(L))e;
2 | 


--------------------------------------------------------------------------------
/docs/vuln_samples/sqlite-null-ptr6.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/docs/vuln_samples/sqlite-null-ptr6.sql


--------------------------------------------------------------------------------
/docs/vuln_samples/sqlite-null-ptr7.sql:
--------------------------------------------------------------------------------
1 | CREATE VIRTUAL TABLE t USING fts4(tokenize=);
2 | 


--------------------------------------------------------------------------------
/docs/vuln_samples/sqlite-null-ptr8.sql:
--------------------------------------------------------------------------------
1 | CREATE TABLE p(a UNIQUE,PRIMARY KEY('a'))WITHOUT rowid;
2 | 


--------------------------------------------------------------------------------
/docs/vuln_samples/sqlite-null-ptr9.sql:
--------------------------------------------------------------------------------
1 | CREATE TABLE t0(z);WITH d(x)AS(SELECT*UNION SELECT 0)INSERT INTO t0 SELECT 0 FROM d;
2 | 


--------------------------------------------------------------------------------
/docs/vuln_samples/sqlite-oob-read.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/docs/vuln_samples/sqlite-oob-read.sql


--------------------------------------------------------------------------------
/docs/vuln_samples/sqlite-oob-write.sql:
--------------------------------------------------------------------------------
1 | CREATE VIRTUAL TABLE t0 USING fts4(x,order=DESC);
2 | INSERT INTO t0(docid,x)VALUES(-1E0,'0(o');
3 | INSERT INTO t0 VALUES('');
4 | INSERT INTO t0 VALUES('');
5 | INSeRT INTO t0 VALUES('o');
6 | SELECT docid FROM t0 WHERE t0 MATCH'"0*o"';
7 | 


--------------------------------------------------------------------------------
/docs/vuln_samples/sqlite-stack-buf-overflow.sql:
--------------------------------------------------------------------------------
1 | SELECT printf('%*.*f',90000||006000000&6600000000,00000000000000000909000000000000.0000000000000000)""WHERE"">"";
2 | 


--------------------------------------------------------------------------------
/docs/vuln_samples/sqlite-stack-exhaustion.sql:
--------------------------------------------------------------------------------
1 | CREATE VIRTUAL TABLE t0 USING fts4(content=t0);
2 | 


--------------------------------------------------------------------------------
/docs/vuln_samples/sqlite-unint-mem.sql:
--------------------------------------------------------------------------------
1 | REATE VIRTUAL TABLE t0 USING fts4(prefix=0);INSERT INTO t0 VALUES(0);
2 | 


--------------------------------------------------------------------------------
/docs/vuln_samples/sqlite-use-after-free.sql:
--------------------------------------------------------------------------------
1 | create table t(s);PRAGMA writable_schema=ON;UPDATE sqlite_master SET sql='ANALYZE;CREATE VIRTUAL TABLE t USING fts3;DROP TABLE t;DROP TABLE EXISTS t';PRAGMA r;SAVEPOINT T;ANALYZE;ROLLBACK;SAVEPOINT E;DROP TABLE IF EXISTS t;
2 | 


--------------------------------------------------------------------------------
/docs/vuln_samples/strings-bfd-badptr.elf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/docs/vuln_samples/strings-bfd-badptr.elf


--------------------------------------------------------------------------------
/docs/vuln_samples/strings-bfd-badptr2.elf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/docs/vuln_samples/strings-bfd-badptr2.elf


--------------------------------------------------------------------------------
/docs/vuln_samples/strings-stack-overflow:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/docs/vuln_samples/strings-stack-overflow


--------------------------------------------------------------------------------
/docs/vuln_samples/strings-unchecked-ctr.elf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/docs/vuln_samples/strings-unchecked-ctr.elf


--------------------------------------------------------------------------------
/docs/vuln_samples/tcpdump-arp-crash.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/docs/vuln_samples/tcpdump-arp-crash.pcap


--------------------------------------------------------------------------------
/docs/vuln_samples/tcpdump-ppp-crash.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/docs/vuln_samples/tcpdump-ppp-crash.pcap


--------------------------------------------------------------------------------
/docs/vuln_samples/unrtf-arbitrary-read.rtf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/docs/vuln_samples/unrtf-arbitrary-read.rtf


--------------------------------------------------------------------------------
/docs/vuln_samples/unzip-t-mem-corruption.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/docs/vuln_samples/unzip-t-mem-corruption.zip


--------------------------------------------------------------------------------
/experimental/README.experiments:
--------------------------------------------------------------------------------
 1 | Here's a quick overview of the stuff you can find in this directory:
 2 | 
 3 |   - argv_fuzzing         - a simple wrapper to allow cmdline to be fuzzed
 4 |                            (e.g., to test setuid programs).
 5 | 
 6 |   - asan_cgroups         - a contributed script to simplify fuzzing ASAN
 7 |                            binaries with robust memory limits on Linux.
 8 | 
 9 |   - bash_shellshock      - a simple hack used to find a bunch of
10 |                            post-Shellshock bugs in bash.
11 | 
12 |   - canvas_harness       - a test harness used to find browser bugs with a 
13 |                            corpus generated using simple image parsing 
14 |                            binaries & afl-fuzz.
15 | 
16 |   - clang_asm_normalize  - a script that makes it easy to instrument
17 |                            hand-written assembly, provided that you have clang.
18 | 
19 |   - crash_triage         - a very rudimentary example of how to annotate crashes
20 |                            with additional gdb metadata.
21 | 
22 |   - distributed_fuzzing  - a sample script for synchronizing fuzzer instances
23 |                            across multiple machines (see parallel_fuzzing.txt).
24 | 
25 |   - libpng_no_checksum   - a sample patch for removing CRC checks in libpng.
26 | 
27 |   - persistent_demo      - an example of how to use the LLVM persistent process
28 |                            mode to speed up certain fuzzing jobs.
29 | 
30 |   - post_library         - an example of how to build postprocessors for AFL.
31 | 
32 | Note that the minimize_corpus.sh tool has graduated from the experimental/
33 | directory and is now available as ../afl-cmin. The LLVM mode has likewise
34 | graduated to ../llvm_mode/*.
35 | 
36 | Most of the tools in this directory are meant chiefly as examples that need to
37 | be tweaked for your specific needs. They come with some basic documentation,
38 | but are not necessarily production-grade.
39 | 


--------------------------------------------------------------------------------
/experimental/argv_fuzzing/argv-fuzz-inl.h:
--------------------------------------------------------------------------------
 1 | /*
 2 |    american fuzzy lop - sample argv fuzzing wrapper
 3 |    ------------------------------------------------
 4 | 
 5 |    Written by Michal Zalewski <lcamtuf@google.com>
 6 | 
 7 |    Copyright 2015 Google Inc. All rights reserved.
 8 | 
 9 |    Licensed under the Apache License, Version 2.0 (the "License");
10 |    you may not use this file except in compliance with the License.
11 |    You may obtain a copy of the License at:
12 | 
13 |      http://www.apache.org/licenses/LICENSE-2.0
14 | 
15 |    This file shows a simple way to fuzz command-line parameters with stock
16 |    afl-fuzz. To use, add:
17 | 
18 |    #include "/path/to/argv-fuzz-inl.h"
19 | 
20 |    ...to the file containing main(), ideally placing it after all the 
21 |    standard includes. Next, put AFL_INIT_ARGV(); near the very beginning of
22 |    main().
23 | 
24 |    This will cause the program to read NUL-delimited input from stdin and
25 |    put it in argv[]. Two subsequent NULs terminate the array. Empty
26 |    params are encoded as a lone 0x02. Lone 0x02 can't be generated, but
27 |    that shouldn't matter in real life.
28 | 
29 |    If you would like to always preserve argv[0], use this instead:
30 |    AFL_INIT_SET0("prog_name");
31 | 
32 | */
33 | 
34 | #ifndef _HAVE_ARGV_FUZZ_INL
35 | #define _HAVE_ARGV_FUZZ_INL
36 | 
37 | #include <unistd.h>
38 | 
39 | #define AFL_INIT_ARGV() do { argv = afl_init_argv(&argc); } while (0)
40 | 
41 | #define AFL_INIT_SET0(_p) do { \
42 |     argv = afl_init_argv(&argc); \
43 |     argv[0] = (_p); \
44 |     if (!argc) argc = 1; \
45 |   } while (0)
46 | 
47 | #define MAX_CMDLINE_LEN 100000
48 | #define MAX_CMDLINE_PAR 1000
49 | 
50 | static char** afl_init_argv(int* argc) {
51 | 
52 |   static char  in_buf[MAX_CMDLINE_LEN];
53 |   static char* ret[MAX_CMDLINE_PAR];
54 | 
55 |   char* ptr = in_buf;
56 |   int   rc  = 0;
57 | 
58 |   if (read(0, in_buf, MAX_CMDLINE_LEN - 2) < 0);
59 | 
60 |   while (*ptr) {
61 | 
62 |     ret[rc] = ptr;
63 |     if (ret[rc][0] == 0x02 && !ret[rc][1]) ret[rc]++;
64 |     rc++;
65 | 
66 |     while (*ptr) ptr++;
67 |     ptr++;
68 | 
69 |   }
70 | 
71 |   *argc = rc;
72 | 
73 |   return ret;
74 | 
75 | }
76 | 
77 | #undef MAX_CMDLINE_LEN
78 | #undef MAX_CMDLINE_PAR
79 | 
80 | #endif /* !_HAVE_ARGV_FUZZ_INL */
81 | 


--------------------------------------------------------------------------------
/experimental/asan_cgroups/limit_memory.sh:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env bash
  2 | #
  3 | # american fuzzy lop - limit memory using cgroups
  4 | # -----------------------------------------------
  5 | #
  6 | # Written by Samir Khakimov <samir.hakim@nyu.edu> and
  7 | #            David A. Wheeler <dwheeler@ida.org>
  8 | #
  9 | # Edits to bring the script in line with afl-cmin and other companion scripts
 10 | # by Michal Zalewski <lcamtuf@google.com>. All bugs are my fault.
 11 | #
 12 | # Copyright 2015 Institute for Defense Analyses.
 13 | #
 14 | # Licensed under the Apache License, Version 2.0 (the "License");
 15 | # you may not use this file except in compliance with the License.
 16 | # You may obtain a copy of the License at:
 17 | #
 18 | #   http://www.apache.org/licenses/LICENSE-2.0
 19 | #
 20 | # This tool allows the amount of actual memory allocated to a program
 21 | # to be limited on Linux systems using cgroups, instead of the traditional
 22 | # setrlimit() API. This helps avoid the address space problems discussed in
 23 | # docs/notes_for_asan.txt.
 24 | #
 25 | # Important: the limit covers *both* afl-fuzz and the fuzzed binary. In some
 26 | # hopefully rare circumstances, afl-fuzz could be killed before the fuzzed
 27 | # task.
 28 | #
 29 | 
 30 | echo "cgroup tool for afl-fuzz by <samir.hakim@nyu.edu> and <dwheeler@ida.org>"
 31 | echo
 32 | 
 33 | unset NEW_USER
 34 | MEM_LIMIT="50"
 35 | 
 36 | while getopts "+u:m:" opt; do
 37 | 
 38 |   case "$opt" in
 39 | 
 40 |     "u")
 41 |          NEW_USER="$OPTARG"
 42 |          ;;
 43 | 
 44 |     "m")
 45 |          MEM_LIMIT="$[OPTARG]"
 46 |          ;;
 47 | 
 48 |     "?")
 49 |          exit 1
 50 |          ;;
 51 | 
 52 |    esac
 53 | 
 54 | done
 55 | 
 56 | if [ "$MEM_LIMIT" -lt "5" ]; then
 57 |   echo "[-] Error: malformed or dangerously low value of -m." 1>&2
 58 |   exit 1
 59 | fi
 60 | 
 61 | shift $((OPTIND-1))
 62 | 
 63 | TARGET_BIN="$1"
 64 | 
 65 | if [ "$TARGET_BIN" = "" -o "$NEW_USER" = "" ]; then
 66 | 
 67 |   cat 1>&2 <<_EOF_
 68 | Usage: $0 [ options ] -- /path/to/afl-fuzz [ ...afl options... ]
 69 | 
 70 | Required parameters:
 71 | 
 72 |   -u user   - run the fuzzer as a specific user after setting up limits
 73 | 
 74 | Optional parameters:
 75 | 
 76 |   -m megs   - set memory limit to a specified value ($MEM_LIMIT MB)
 77 | 
 78 | This tool configures cgroups-based memory limits for a fuzzing job to simplify
 79 | the task of fuzzing ASAN or MSAN binaries. You would normally want to use it in
 80 | conjunction with '-m none' passed to the afl-fuzz binary itself, say:
 81 | 
 82 |   $0 -u joe ./afl-fuzz -i input -o output -m none /path/to/target
 83 | 
 84 | _EOF_
 85 | 
 86 |   exit 1
 87 | 
 88 | fi
 89 | 
 90 | # Basic sanity checks
 91 | 
 92 | if [ ! "`uname -s`" = "Linux" ]; then
 93 |  echo "[-] Error: this tool does not support non-Linux systems." 1>&2
 94 |  exit 1
 95 | fi
 96 | 
 97 | if [ ! "`id -u`" = "0" ]; then
 98 |  echo "[-] Error: you need to run this script as root (sorry!)." 1>&2
 99 |  exit 1
100 | fi
101 | 
102 | if ! type cgcreate 2>/dev/null 1>&2; then
103 | 
104 |   echo "[-] Error: you need to install cgroup tools first." 1>&2
105 | 
106 |   if type apt-get 2>/dev/null 1>&2; then
107 |     echo "    (Perhaps 'apt-get install cgroup-bin' will work.)" 1>&2
108 |   elif type yum 2>/dev/null 1>&2; then
109 |     echo "    (Perhaps 'yum install libcgroup-tools' will work.)" 1>&2
110 |   fi
111 | 
112 |   exit 1
113 | 
114 | fi
115 | 
116 | if ! id -u "$NEW_USER" 2>/dev/null 1>&2; then
117 |   echo "[-] Error: user '$NEW_USER' does not seem to exist." 1>&2
118 |   exit 1
119 | fi
120 | 
121 | # Create a new cgroup path if necessary... We used PID-keyed groups to keep
122 | # parallel afl-fuzz tasks separate from each other.
123 | 
124 | CID="afl-$NEW_USER-$$"
125 | 
126 | CPATH="/sys/fs/cgroup/memory/$CID"
127 | 
128 | if [ ! -d "$CPATH" ]; then
129 | 
130 |   cgcreate -a "$NEW_USER" -g memory:"$CID" || exit 1
131 | 
132 | fi
133 | 
134 | # Set the appropriate limit...
135 | 
136 | if [ -f "$CPATH/memory.memsw.limit_in_bytes" ]; then
137 | 
138 |   echo "${MEM_LIMIT}M" > "$CPATH/memory.limit_in_bytes" 2>/dev/null
139 |   echo "${MEM_LIMIT}M" > "$CPATH/memory.memsw.limit_in_bytes" || exit 1
140 |   echo "${MEM_LIMIT}M" > "$CPATH/memory.limit_in_bytes" || exit 1
141 | 
142 | elif grep -qE 'partition|file' /proc/swaps; then
143 | 
144 |   echo "[-] Error: your system requires swap to be disabled first (swapoff -a)." 1>&2
145 |   exit 1
146 | 
147 | else
148 | 
149 |   echo "${MEM_LIMIT}M" > "$CPATH/memory.limit_in_bytes" || exit 1
150 | 
151 | fi
152 | 
153 | # All right. At this point, we can just run the command.
154 | 
155 | cgexec -g "memory:$CID" su -c "$*" "$NEW_USER"
156 | 
157 | cgdelete -g "memory:$CID"
158 | 


--------------------------------------------------------------------------------
/experimental/bash_shellshock/shellshock-fuzz.diff:
--------------------------------------------------------------------------------
 1 | This patch shows a very simple way to find post-Shellshock bugs in bash, as
 2 | discussed here:
 3 | 
 4 |   http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html
 5 | 
 6 | In essence, it shows a way to fuzz environmental variables. Instructions:
 7 | 
 8 | 1) Download bash 4.3, apply this patch, compile with:
 9 | 
10 |    CC=/path/to/afl-gcc ./configure
11 |    make clean all
12 | 
13 |    Note that the harness puts the fuzzed output in $TEST_VARIABLE. With
14 |    Florian's Shellshock patch (bash43-028), this is no longer passed down
15 |    to the parser.
16 | 
17 | 2) Create and cd to an empty directory, put the compiled bash binary in
18 |    there, and run these commands:
19 | 
20 |    mkdir in_dir
21 |    echo -n '() { a() { a; }; : >b; }' >in_dir/script.txt
22 | 
23 | 3) Run the fuzzer with:
24 | 
25 |    /path/to/afl-fuzz -d -i in_dir -o out_dir ./bash -c :
26 | 
27 |    The -d parameter is advisable only if the tested shell is fairly slow
28 |    or if you are in a hurry; will cover more ground faster, but
29 |    less systematically.
30 | 
31 | 4) Watch for crashes in out_dir/crashes/. Also watch for any new files
32 |    created in cwd if you're interested in non-crash RCEs (files will be
33 |    created whenever the shell executes "foo>bar" or something like
34 |    that). You can correlate their creation date with new entries in
35 |    out_dir/queue/.
36 | 
37 |    You can also modify the bash binary to directly check for more subtle
38 |    fault conditions, or use the synthesized entries in out_dir/queue/
39 |    as a seed for other, possibly slower or more involved testing regimes.
40 | 
41 |    Expect several hours to get decent coverage.
42 | 
43 | --- bash-4.3/shell.c.orig	2014-01-14 14:04:32.000000000 +0100
44 | +++ bash-4.3/shell.c	2015-04-30 05:56:46.000000000 +0200
45 | @@ -371,6 +371,14 @@
46 |    env = environ;
47 |  #endif /* __OPENNT */
48 |  
49 | +  {
50 | +
51 | +    static char val[1024 * 16];
52 | +    read(0, val, sizeof(val) - 1);
53 | +    setenv("TEST_VARIABLE", val, 1);
54 | +
55 | +  }
56 | +
57 |    USE_VAR(argc);
58 |    USE_VAR(argv);
59 |    USE_VAR(env);
60 | 


--------------------------------------------------------------------------------
/experimental/canvas_harness/canvas_harness.html:
--------------------------------------------------------------------------------
  1 | <html>
  2 | <!--
  3 | 
  4 |   american fuzzy lop - <canvas> harness
  5 |   -------------------------------------
  6 |  
  7 |   Written and maintained by Michal Zalewski <lcamtuf@google.com>
  8 |  
  9 |   Copyright 2013, 2014 Google Inc. All rights reserved.
 10 |  
 11 |   Licensed under the Apache License, Version 2.0 (the "License");
 12 |   you may not use this file except in compliance with the License.
 13 |   You may obtain a copy of the License at:
 14 |  
 15 |     http://www.apache.org/licenses/LICENSE-2.0
 16 |  
 17 |   A simple harness for going through afl-generated test cases, rendering them in
 18 |   the browser environment, and discovering the use of uninitialized memory and
 19 |   similar bugs. This code led to the discovery of a fair number of library and
 20 |   browser security bugs!
 21 | 
 22 |   The url_list[] array is a placeholder; for this to work properly, it needs to
 23 |   be initialized with web-reachable paths to individual test cases. This can
 24 |   be done manually or with a simple script.
 25 | 
 26 | -->
 27 | 
 28 | <body onload="set_images()">
 29 | 
 30 | <div id="status"></div>
 31 | 
 32 | <div id="image_div"></div>
 33 | 
 34 | <canvas height=64 width=64 id=cvs></canvas>
 35 | 
 36 | <h2>Results</h2>
 37 | 
 38 | <ul id="output"></ul>
 39 | 
 40 | <script>
 41 | 
 42 | var c = document.getElementById('cvs');
 43 | var ctx = c.getContext('2d');
 44 | 
 45 | var url_list = [
 46 |   "images/id:000000,[...].jpg",
 47 |   "images/id:000001,[...].jpg",
 48 |   /* ... */
 49 |   null
 50 | ];
 51 | 
 52 | var USE_IMAGES = 50;
 53 | var cur_image = 0;
 54 | 
 55 | if (location.hash) cur_image = parseInt(location.hash.substr(1));
 56 | 
 57 | var loaded = 0;
 58 | var image_obj = [];
 59 | 
 60 | var msie_cleanup;
 61 | 
 62 | function check_results() {
 63 | 
 64 |   var uniques = [];
 65 | 
 66 |   clearTimeout(msie_cleanup);
 67 | 
 68 |   ctx.clearRect(0, 0, 64, 64);
 69 | 
 70 |   uniques.push(image_obj[0].imgdata);
 71 | 
 72 |   for (var i = 1; i < USE_IMAGES; i++) {
 73 | 
 74 |     if (!image_obj[i].imgdata) continue;
 75 | 
 76 |     if (image_obj[0].imgdata != image_obj[i].imgdata) {
 77 | 
 78 |       for (var j = 1; j < uniques.length; j++)
 79 |         if (uniques[j] == image_obj[i].imgdata) break;
 80 | 
 81 |       if (j == uniques.length) uniques.push(image_obj[i].imgdata);
 82 | 
 83 | 
 84 |     }
 85 | 
 86 |   }
 87 | 
 88 |   if (uniques.length > 1) {
 89 | 
 90 |     var str = '<li> Image ' + url_list[cur_image] + ' has ' + uniques.length + ' variants: ';
 91 | 
 92 |     for (var i = 0; i < uniques.length; i++)
 93 |       str += '<img src="' + uniques[i] + '">';
 94 | 
 95 |     document.getElementById('output').innerHTML += str;
 96 | 
 97 |   }
 98 | 
 99 |   cur_image++;
100 |   set_images();
101 | }
102 | 
103 | 
104 | function count_image() {
105 | 
106 |   if (!this.complete || this.counted) return;
107 | 
108 |   this.counted = true;
109 | 
110 |   loaded++;
111 | 
112 |   ctx.clearRect(0, 0, 64, 64);
113 | 
114 |   try {
115 |     ctx.drawImage(this, 0, 0, 64, 64);
116 |   } catch (e) { }
117 | 
118 |   this.imgdata = c.toDataURL();
119 | 
120 |   if (loaded == USE_IMAGES) check_results();
121 | }
122 | 
123 | 
124 | function set_images() {
125 | 
126 |   loaded = 0;
127 | 
128 |   document.getElementById('status').innerHTML = 'Now processing ' + cur_image + '...';
129 |   location.hash = '#' + cur_image;
130 | 
131 |   if (url_list[cur_image] == null) {
132 |     alert('Done!');
133 |     return;
134 |   }
135 | 
136 |   restart_images();
137 | 
138 |   msie_cleanup = setTimeout(check_results, 5000);
139 | 
140 |   for (var i = 0; i < USE_IMAGES; i++)
141 |     image_obj[i].src = url_list[cur_image] + '?' + Math.random();
142 | 
143 | }
144 | 
145 | 
146 | function restart_images() {
147 | 
148 |   for (var i = 0; i < USE_IMAGES; i++) 
149 |     if (image_obj[i]) image_obj[i].counted = true;
150 | 
151 |   document.getElementById('image_div').innerHTML = '';
152 |   image_obj = [];
153 | 
154 |   for (var i = 0; i < USE_IMAGES; i++) {
155 | 
156 |     image_obj[i] = new Image();
157 |     image_obj[i].height = 64;
158 |     image_obj[i].width = 64;
159 |     image_obj[i].onerror = count_image;
160 |     image_obj[i].onload = count_image;
161 | 
162 |     document.getElementById('image_div').appendChild(image_obj[i]);
163 | 
164 |   }
165 | 
166 | }
167 | 
168 | </script>
169 | 
170 | <iframe src='http://www.cnn.com/'></iframe>
171 | 


--------------------------------------------------------------------------------
/experimental/clang_asm_normalize/as:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | #
 3 | # american fuzzy lop - clang assembly normalizer
 4 | # ----------------------------------------------
 5 | #
 6 | # Written and maintained by Michal Zalewski <lcamtuf@google.com>
 7 | # The idea for this wrapper comes from Ryan Govostes.
 8 | #
 9 | # Copyright 2013, 2014 Google Inc. All rights reserved.
10 | #
11 | # Licensed under the Apache License, Version 2.0 (the "License");
12 | # you may not use this file except in compliance with the License.
13 | # You may obtain a copy of the License at:
14 | #
15 | #   http://www.apache.org/licenses/LICENSE-2.0
16 | #
17 | # This 'as' wrapper should allow you to instrument unruly, hand-written
18 | # assembly with afl-as.
19 | #
20 | # Usage:
21 | #
22 | # export AFL_REAL_PATH=/path/to/directory/with/afl-as/
23 | # AFL_PATH=/path/to/this/directory/ make clean all
24 | 
25 | if [ "$#" -lt "2" ]; then
26 |   echo "[-] Error: this utility can't be called directly." 1>&2
27 |   exit 1
28 | fi
29 | 
30 | if [ "$AFL_REAL_PATH" = "" ]; then
31 |   echo "[-] Error: AFL_REAL_PATH not set!" 1>&2
32 |   exit 1
33 | fi
34 | 
35 | if [ ! -x "$AFL_REAL_PATH/afl-as" ]; then
36 |   echo "[-] Error: AFL_REAL_PATH does not contain the 'afl-as' binary." 1>&2
37 |   exit 1
38 | fi
39 | 
40 | unset __AFL_AS_CMDLINE __AFL_FNAME
41 | 
42 | while [ ! "$#" = "0" ]; do
43 | 
44 |   if [ "$#" = "1" ]; then
45 |     __AFL_FNAME="$1"
46 |   else
47 |     __AFL_AS_CMDLINE="${__AFL_AS_CMDLINE} $1"
48 |   fi
49 | 
50 |   shift
51 | 
52 | done
53 | 
54 | test "$TMPDIR" = "" && TMPDIR=/tmp
55 | 
56 | TMPFILE=`mktemp $TMPDIR/.afl-XXXXXXXXXX.s`
57 | 
58 | test "$TMPFILE" = "" && exit 1
59 | 
60 | clang -cc1as -filetype asm -output-asm-variant 0 "${__AFL_FNAME}" >"$TMPFILE"
61 | 
62 | ERR="$?"
63 | 
64 | if [ ! "$ERR" = "0" ]; then
65 |   rm -f "$TMPFILE"
66 |   exit $ERR
67 | fi
68 | 
69 | "$AFL_REAL_PATH/afl-as" ${__AFL_AS_CMDLINE} "$TMPFILE"
70 | 
71 | ERR="$?"
72 | 
73 | rm -f "$TMPFILE"
74 | 
75 | exit "$ERR"
76 | 


--------------------------------------------------------------------------------
/experimental/crash_triage/triage_crashes.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | #
 3 | # american fuzzy lop - crash triage utility
 4 | # -----------------------------------------
 5 | #
 6 | # Written and maintained by Michal Zalewski <lcamtuf@google.com>
 7 | #
 8 | # Copyright 2013, 2014 Google Inc. All rights reserved.
 9 | #
10 | # Licensed under the Apache License, Version 2.0 (the "License");
11 | # you may not use this file except in compliance with the License.
12 | # You may obtain a copy of the License at:
13 | #
14 | #   http://www.apache.org/licenses/LICENSE-2.0
15 | #
16 | # Note that this assumes that the targeted application reads from stdin
17 | # and requires no other cmdline parameters. Modify as needed if this is
18 | # not the case.
19 | #
20 | # Note that on OpenBSD, you may need to install a newer version of gdb
21 | # (e.g., from ports). You can set GDB=/some/path to point to it if
22 | # necessary.
23 | #
24 | 
25 | echo "crash triage utility for afl-fuzz by <lcamtuf@google.com>"
26 | echo
27 | 
28 | ulimit -v 100000 2>/dev/null
29 | ulimit -d 100000 2>/dev/null
30 | 
31 | if [ ! "$#" = "2" ]; then
32 |   echo "Usage: $0 /path/to/afl_output_dir /path/to/tested_binary" 1>&2
33 |   echo 1>&2
34 |   echo "Note: the tested binary must accept input on stdin and require no additional" 1>&2
35 |   echo "parameters. For more complex use cases, you need to edit this script." 1>&2
36 |   echo 1>&2
37 |   exit 1
38 | fi
39 | 
40 | DIR="$1"
41 | BIN="$2"
42 | 
43 | 
44 | if [ "$AFL_ALLOW_TMP" = "" ]; then
45 | 
46 |   echo "$DIR" | grep -qE '^(/var)?/tmp/'
47 |   T1="$?"
48 | 
49 |   echo "$BIN" | grep -qE '^(/var)?/tmp/'
50 |   T2="$?"
51 | 
52 |   if [ "$T1" = "0" -o "$T2" = "0" ]; then
53 |     echo "[-] Error: do not use shared /tmp or /var/tmp directories with this script." 1>&2
54 |     exit 1
55 |   fi
56 | 
57 | fi
58 | 
59 | if
60 |  [ "$GDB" = "" ]; then
61 |   GDB=gdb
62 | fi
63 | 
64 | if [ ! -f "$BIN" -o ! -x "$BIN" ]; then
65 |   echo "[-] Error: binary '$2' not found or is not executable." 1>&2
66 |   exit 1
67 | fi
68 | 
69 | if [ ! -d "$DIR/queue" ]; then
70 |   echo "[-] Error: directory '$1' not found or not created by afl-fuzz." 1>&2
71 |   exit 1
72 | fi
73 | 
74 | CCOUNT=$((`ls -- "$DIR/crashes" 2>/dev/null | wc -l`))
75 | 
76 | if [ "$CCOUNT" = "0" ]; then
77 |   echo "No crashes recorded in the target directory - nothing to be done."
78 |   exit 0
79 | fi
80 | 
81 | echo
82 | 
83 | for crash in $DIR/crashes/id:*; do
84 | 
85 |   id=`basename -- "$crash" | cut -d, -f1 | cut -d: -f2`
86 |   sig=`basename -- "$crash" | cut -d, -f2 | cut -d: -f2`
87 | 
88 |   echo "+++ ID $id, SIGNAL $sig +++"
89 |   echo
90 | 
91 |   $GDB --batch -q --ex "r <$crash" --ex 'back' --ex 'disass $pc, $pc+16' --ex 'info reg' --ex 'quit' "$BIN" 0</dev/null
92 |   echo
93 | 
94 | done
95 | 
96 | 


--------------------------------------------------------------------------------
/experimental/distributed_fuzzing/sync_script.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | #
 3 | # american fuzzy lop - fuzzer synchronization tool
 4 | # ------------------------------------------------
 5 | #
 6 | # Written and maintained by Michal Zalewski <lcamtuf@google.com>
 7 | #
 8 | # Copyright 2014 Google Inc. All rights reserved.
 9 | #
10 | # Licensed under the Apache License, Version 2.0 (the "License");
11 | # you may not use this file except in compliance with the License.
12 | # You may obtain a copy of the License at:
13 | #
14 | #   http://www.apache.org/licenses/LICENSE-2.0
15 | #
16 | # To make this script work:
17 | #
18 | # - Edit FUZZ_HOSTS, FUZZ_DOMAIN, FUZZ_USER, and SYNC_DIR to reflect your
19 | #   environment.
20 | #
21 | # - Make sure that the system you are running this on can log into FUZZ_HOSTS
22 | #   without a password (authorized_keys or otherwise).
23 | #
24 | # - Make sure that every fuzzer is running with -o pointing to SYNC_DIR and -S
25 | #   that consists of its local host name, followed by an underscore, and then
26 | #   by some host-local fuzzer ID.
27 | #
28 | 
29 | # Hosts to synchronize the data across.
30 | FUZZ_HOSTS='host1 host2 host3 host4'
31 | 
32 | # Domain for all hosts
33 | FUZZ_DOMAIN='example.com'
34 | 
35 | # Remote user for SSH
36 | FUZZ_USER=bob
37 | 
38 | # Directory to synchronize
39 | SYNC_DIR='/home/bob/sync_dir'
40 | 
41 | # Interval (seconds) between sync attempts
42 | SYNC_INTERVAL=$((30 * 60))
43 | 
44 | if [ "$AFL_ALLOW_TMP" = "" ]; then
45 | 
46 |   if [ "$PWD" = "/tmp" -o "$PWD" = "/var/tmp" ]; then
47 |     echo "[-] Error: do not use shared /tmp or /var/tmp directories with this script." 1>&2
48 |     exit 1
49 |   fi
50 | 
51 | fi
52 | 
53 | rm -rf .sync_tmp 2>/dev/null
54 | mkdir .sync_tmp || exit 1
55 | 
56 | while :; do
57 | 
58 |   # Pull data in...
59 | 
60 |   for host in $FUZZ_HOSTS; do
61 | 
62 |     echo "[*] Retrieving data from ${host}.${FUZZ_DOMAIN}..."
63 | 
64 |     ssh -o 'passwordauthentication no' ${FUZZ_USER}@${host}.$FUZZ_DOMAIN \
65 |       "cd '$SYNC_DIR' && tar -czf - ${host}_*/[qf]*" >".sync_tmp/${host}.tgz"
66 | 
67 |   done
68 | 
69 |   # Distribute data. For large fleets, see tips in the docs/ directory.
70 | 
71 |   for dst_host in $FUZZ_HOSTS; do
72 | 
73 |     echo "[*] Distributing data to ${dst_host}.${FUZZ_DOMAIN}..."
74 | 
75 |     for src_host in $FUZZ_HOSTS; do
76 | 
77 |       test "$src_host" = "$dst_host" && continue
78 | 
79 |       echo "    Sending fuzzer data from ${src_host}.${FUZZ_DOMAIN}..."
80 | 
81 |       ssh -o 'passwordauthentication no' ${FUZZ_USER}@$dst_host \
82 |         "cd '$SYNC_DIR' && tar -xkzf -" <".sync_tmp/${src_host}.tgz"
83 | 
84 |     done
85 | 
86 |   done
87 | 
88 |   echo "[+] Done. Sleeping for $SYNC_INTERVAL seconds (Ctrl-C to quit)."
89 | 
90 |   sleep $SYNC_INTERVAL
91 | 
92 | done
93 | 
94 | 


--------------------------------------------------------------------------------
/experimental/libpng_no_checksum/libpng-nocrc.patch:
--------------------------------------------------------------------------------
 1 | --- pngrutil.c.orig	2014-06-12 03:35:16.000000000 +0200
 2 | +++ pngrutil.c	2014-07-01 05:08:31.000000000 +0200
 3 | @@ -268,7 +268,11 @@
 4 |     if (need_crc != 0)
 5 |     {
 6 |        crc = png_get_uint_32(crc_bytes);
 7 | -      return ((int)(crc != png_ptr->crc));
 8 | +
 9 | +      if (crc != png_ptr->crc)
10 | +        fprintf(stderr, "NOTE: CRC in the file is 0x%08x, change to 0x%08x\n", crc, png_ptr->crc);
11 | +
12 | +      return ((int)(1 != 1));
13 |     }
14 |  
15 |     else
16 | 


--------------------------------------------------------------------------------
/experimental/persistent_demo/persistent_demo.c:
--------------------------------------------------------------------------------
 1 | /*
 2 |    american fuzzy lop - persistent mode example
 3 |    --------------------------------------------
 4 | 
 5 |    Written and maintained by Michal Zalewski <lcamtuf@google.com>
 6 | 
 7 |    Copyright 2015 Google Inc. All rights reserved.
 8 | 
 9 |    Licensed under the Apache License, Version 2.0 (the "License");
10 |    you may not use this file except in compliance with the License.
11 |    You may obtain a copy of the License at:
12 | 
13 |      http://www.apache.org/licenses/LICENSE-2.0
14 | 
15 |    This file demonstrates the high-performance "persistent mode" that may be
16 |    suitable for fuzzing certain fast and well-behaved libraries, provided that
17 |    they are stateless or that their internal state can be easily reset
18 |    across runs.
19 | 
20 |    To make this work, the library and this shim need to be compiled in LLVM
21 |    mode using afl-clang-fast (other compiler wrappers will *not* work).
22 | 
23 |  */
24 | 
25 | #include <stdio.h>
26 | #include <stdlib.h>
27 | #include <unistd.h>
28 | #include <signal.h>
29 | #include <string.h>
30 | 
31 | 
32 | /* Main entry point. */
33 | 
34 | int main(int argc, char** argv) {
35 | 
36 |   char buf[100]; /* Example-only buffer, you'd replace it with other global or
37 |                     local variables appropriate for your use case. */
38 | 
39 |   /* The number passed to __AFL_LOOP() controls the maximum number of
40 |      iterations before the loop exits and the program is allowed to
41 |      terminate normally. This limits the impact of accidental memory leaks
42 |      and similar hiccups. */
43 | 
44 |   while (__AFL_LOOP(1000)) {
45 | 
46 |     /*** PLACEHOLDER CODE ***/
47 | 
48 |     /* STEP 1: Fully re-initialize all critical variables. In our example, this
49 |                involves zeroing buf[], our input buffer. */
50 | 
51 |     memset(buf, 0, 100);
52 | 
53 |     /* STEP 2: Read input data. When reading from stdin, no special preparation
54 |                is required. When reading from a named file, you need to close
55 |                the old descriptor and reopen the file first!
56 | 
57 |                Beware of reading from buffered FILE* objects such as stdin. Use
58 |                raw file descriptors or call fopen() / fdopen() in every pass. */
59 | 
60 |     read(0, buf, 100);
61 | 
62 |     /* STEP 3: This is where we'd call the tested library on the read data.
63 |                We just have some trivial inline code that faults on 'foo!'. */
64 | 
65 |     if (buf[0] == 'f') {
66 |       printf("one\n");
67 |       if (buf[1] == 'o') {
68 |         printf("two\n");
69 |         if (buf[2] == 'o') {
70 |           printf("three\n");
71 |           if (buf[3] == '!') {
72 |             printf("four\n");
73 |             abort();
74 |           }
75 |         }
76 |       }
77 |     }
78 | 
79 |     /*** END PLACEHOLDER CODE ***/
80 | 
81 |   }
82 | 
83 |   /* Once the loop is exited, terminate normally - AFL will restart the process
84 |      when this happens, with a clean slate when it comes to allocated memory,
85 |      leftover file descriptors, etc. */
86 | 
87 |   return 0;
88 | 
89 | }
90 | 


--------------------------------------------------------------------------------
/experimental/post_library/post_library.so.c:
--------------------------------------------------------------------------------
  1 | /*
  2 |    american fuzzy lop - postprocessor library example
  3 |    --------------------------------------------------
  4 | 
  5 |    Written and maintained by Michal Zalewski <lcamtuf@google.com>
  6 | 
  7 |    Copyright 2015 Google Inc. All rights reserved.
  8 | 
  9 |    Licensed under the Apache License, Version 2.0 (the "License");
 10 |    you may not use this file except in compliance with the License.
 11 |    You may obtain a copy of the License at:
 12 | 
 13 |      http://www.apache.org/licenses/LICENSE-2.0
 14 | 
 15 |    Postprocessor libraries can be passed to afl-fuzz to perform final cleanup
 16 |    of any mutated test cases - for example, to fix up checksums in PNG files.
 17 | 
 18 |    Please heed the following warnings:
 19 | 
 20 |    1) In almost all cases, it is more productive to comment out checksum logic
 21 |       in the targeted binary (as shown in ../libpng_no_checksum/). One possible
 22 |       exception is the process of fuzzing binary-only software in QEMU mode.
 23 | 
 24 |    2) The use of postprocessors for anything other than checksums is questionable
 25 |       and may cause more harm than good. AFL is normally pretty good about
 26 |       dealing with length fields, magic values, etc.
 27 | 
 28 |    3) Postprocessors that do anything non-trivial must be extremely robust to
 29 |       gracefully handle malformed data and other error conditions - otherwise,
 30 |       they will crash and take afl-fuzz down with them. Be wary of reading past
 31 |       *len and of integer overflows when calculating file offsets.
 32 | 
 33 |    In other words, THIS IS PROBABLY NOT WHAT YOU WANT - unless you really,
 34 |    honestly know what you're doing =)
 35 | 
 36 |    With that out of the way: the postprocessor library is passed to afl-fuzz
 37 |    via AFL_POST_LIBRARY. The library must be compiled with:
 38 | 
 39 |      gcc -shared -Wall -O3 post_library.so.c -o post_library.so
 40 | 
 41 |    AFL will call the afl_postprocess() function for every mutated output buffer.
 42 |    From there, you have three choices:
 43 | 
 44 |    1) If you don't want to modify the test case, simply return the original
 45 |       buffer pointer ('in_buf').
 46 | 
 47 |    2) If you want to skip this test case altogether and have AFL generate a
 48 |       new one, return NULL. Use this sparingly - it's faster than running
 49 |       the target program with patently useless inputs, but still wastes CPU
 50 |       time.
 51 | 
 52 |    3) If you want to modify the test case, allocate an appropriately-sized
 53 |       buffer, move the data into that buffer, make the necessary changes, and
 54 |       then return the new pointer. You can update *len if necessary, too.
 55 | 
 56 |       Note that the buffer will *not* be freed for you. To avoid memory leaks,
 57 |       you need to free it or reuse it on subsequent calls (as shown below).
 58 | 
 59 |       *** DO NOT MODIFY THE ORIGINAL 'in_buf' BUFFER. ***
 60 | 
 61 |     Aight. The example below shows a simple postprocessor that tries to make
 62 |     sure that all input files start with "GIF89a".
 63 | 
 64 |     PS. If you don't like C, you can try out the unix-based wrapper from
 65 |     Ben Nagy instead: https://github.com/bnagy/aflfix
 66 | 
 67 |  */
 68 | 
 69 | #include <stdio.h>
 70 | #include <stdlib.h>
 71 | #include <string.h>
 72 | 
 73 | /* Header that must be present at the beginning of every test case: */
 74 | 
 75 | #define HEADER "GIF89a"
 76 | 
 77 | /* The actual postprocessor routine called by afl-fuzz: */
 78 | 
 79 | const unsigned char* afl_postprocess(const unsigned char* in_buf,
 80 |                                      unsigned int* len) {
 81 | 
 82 |   static unsigned char* saved_buf;
 83 |   unsigned char* new_buf;
 84 | 
 85 |   /* Skip execution altogether for buffers shorter than 6 bytes (just to
 86 |      show how it's done). We can trust *len to be sane. */
 87 | 
 88 |   if (*len < strlen(HEADER)) return NULL;
 89 | 
 90 |   /* Do nothing for buffers that already start with the expected header. */
 91 | 
 92 |   if (!memcmp(in_buf, HEADER, strlen(HEADER))) return in_buf;
 93 | 
 94 |   /* Allocate memory for new buffer, reusing previous allocation if
 95 |      possible. */
 96 | 
 97 |   new_buf = realloc(saved_buf, *len);
 98 | 
 99 |   /* If we're out of memory, the most graceful thing to do is to return the
100 |      original buffer and give up on modifying it. Let AFL handle OOM on its
101 |      own later on. */
102 | 
103 |   if (!new_buf) return in_buf;
104 |   saved_buf = new_buf;
105 | 
106 |   /* Copy the original data to the new location. */
107 | 
108 |   memcpy(new_buf, in_buf, *len);
109 | 
110 |   /* Insert the new header. */
111 | 
112 |   memcpy(new_buf, HEADER, strlen(HEADER));
113 | 
114 |   /* Return modified buffer. No need to update *len in this particular case,
115 |      as we're not changing it. */
116 | 
117 |   return new_buf;
118 | 
119 | }
120 | 


--------------------------------------------------------------------------------
/experimental/post_library/post_library_png.so.c:
--------------------------------------------------------------------------------
  1 | /*
  2 |    american fuzzy lop - postprocessor for PNG
  3 |    ------------------------------------------
  4 | 
  5 |    Written and maintained by Michal Zalewski <lcamtuf@google.com>
  6 | 
  7 |    Copyright 2015 Google Inc. All rights reserved.
  8 | 
  9 |    Licensed under the Apache License, Version 2.0 (the "License");
 10 |    you may not use this file except in compliance with the License.
 11 |    You may obtain a copy of the License at:
 12 | 
 13 |      http://www.apache.org/licenses/LICENSE-2.0
 14 | 
 15 |    See post_library.so.c for a general discussion of how to implement
 16 |    postprocessors. This specific postprocessor attempts to fix up PNG
 17 |    checksums, providing a slightly more complicated example than found
 18 |    in post_library.so.c.
 19 | 
 20 |    Compile with:
 21 | 
 22 |      gcc -shared -Wall -O3 post_library_png.so.c -o post_library_png.so -lz
 23 | 
 24 |  */
 25 | 
 26 | #include <stdio.h>
 27 | #include <stdlib.h>
 28 | #include <stdint.h>
 29 | #include <string.h>
 30 | #include <zlib.h>
 31 | 
 32 | #include <arpa/inet.h>
 33 | 
 34 | /* A macro to round an integer up to 4 kB. */
 35 | 
 36 | #define UP4K(_i) ((((_i) >> 12) + 1) << 12)
 37 | 
 38 | const unsigned char* afl_postprocess(const unsigned char* in_buf,
 39 |                                      unsigned int* len) {
 40 | 
 41 |   static unsigned char* saved_buf;
 42 |   static unsigned int   saved_len;
 43 | 
 44 |   unsigned char* new_buf = (unsigned char*)in_buf;
 45 |   unsigned int pos = 8;
 46 | 
 47 |   /* Don't do anything if there's not enough room for the PNG header
 48 |      (8 bytes). */
 49 | 
 50 |   if (*len < 8) return in_buf;
 51 | 
 52 |   /* Minimum size of a zero-length PNG chunk is 12 bytes; if we
 53 |      don't have that, we can bail out. */
 54 | 
 55 |   while (pos + 12 <= *len) {
 56 | 
 57 |     unsigned int chunk_len, real_cksum, file_cksum;
 58 | 
 59 |     /* Chunk length is the first big-endian dword in the chunk. */
 60 | 
 61 |     chunk_len = ntohl(*(uint32_t*)(in_buf + pos));
 62 | 
 63 |     /* Bail out if chunk size is too big or goes past EOF. */
 64 | 
 65 |     if (chunk_len > 1024 * 1024 || pos + 12 + chunk_len > *len) break;
 66 | 
 67 |     /* Chunk checksum is calculated for chunk ID (dword) and the actual
 68 |        payload. */
 69 | 
 70 |     real_cksum = htonl(crc32(0, in_buf + pos + 4, chunk_len + 4));
 71 | 
 72 |     /* The in-file checksum is the last dword past the chunk data. */
 73 | 
 74 |     file_cksum = *(uint32_t*)(in_buf + pos + 8 + chunk_len);
 75 | 
 76 |     /* If the checksums do not match, we need to fix the file. */
 77 | 
 78 |     if (real_cksum != file_cksum) {
 79 | 
 80 |       /* First modification? Make a copy of the input buffer. Round size
 81 |          up to 4 kB to minimize the number of reallocs needed. */
 82 | 
 83 |       if (new_buf == in_buf) {
 84 | 
 85 |         if (*len <= saved_len) {
 86 | 
 87 |           new_buf = saved_buf;
 88 | 
 89 |         } else {
 90 | 
 91 |           new_buf = realloc(saved_buf, UP4K(*len));
 92 |           if (!new_buf) return in_buf;
 93 |           saved_buf = new_buf;
 94 |           saved_len = UP4K(*len);
 95 |           memcpy(new_buf, in_buf, *len);
 96 | 
 97 |         }
 98 | 
 99 |       }
100 | 
101 |       *(uint32_t*)(new_buf + pos + 8 + chunk_len) = real_cksum;
102 | 
103 |     }
104 | 
105 |     /* Skip the entire chunk and move to the next one. */
106 | 
107 |     pos += 12 + chunk_len;
108 | 
109 |   }
110 | 
111 |   return new_buf;
112 | 
113 | }
114 | 


--------------------------------------------------------------------------------
/img/beta.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/img/beta.png


--------------------------------------------------------------------------------
/img/beta_pcre2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/img/beta_pcre2.png


--------------------------------------------------------------------------------
/img/branches.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/img/branches.png


--------------------------------------------------------------------------------
/img/crashes.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/img/crashes.png


--------------------------------------------------------------------------------
/img/e_component.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/img/e_component.png


--------------------------------------------------------------------------------
/img/f1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/img/f1.png


--------------------------------------------------------------------------------
/img/gamma.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/img/gamma.png


--------------------------------------------------------------------------------
/img/gamma_pcre2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/img/gamma_pcre2.png


--------------------------------------------------------------------------------
/img/paths.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/img/paths.png


--------------------------------------------------------------------------------
/img/pcre2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/img/pcre2.png


--------------------------------------------------------------------------------
/img/seed_generation.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/img/seed_generation.png


--------------------------------------------------------------------------------
/libdislocator/Makefile:
--------------------------------------------------------------------------------
 1 | #
 2 | # american fuzzy lop - libdislocator
 3 | # ----------------------------------
 4 | #
 5 | # Written by Michal Zalewski <lcamtuf@google.com>
 6 | #
 7 | # Copyright 2016 Google Inc. All rights reserved.
 8 | #
 9 | # Licensed under the Apache License, Version 2.0 (the "License");
10 | # you may not use this file except in compliance with the License.
11 | # You may obtain a copy of the License at:
12 | #
13 | #   http://www.apache.org/licenses/LICENSE-2.0
14 | #
15 | 
16 | PREFIX      ?= /usr/local
17 | HELPER_PATH  = $(PREFIX)/lib/afl
18 | 
19 | VERSION     = $(shell grep '^\#define VERSION ' ../config.h | cut -d '"' -f2)
20 | 
21 | CFLAGS      ?= -O3 -funroll-loops
22 | CFLAGS      += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign
23 | 
24 | all: libdislocator.so
25 | 
26 | libdislocator.so: libdislocator.so.c ../config.h
27 | 	$(CC) $(CFLAGS) -shared -fPIC $< -o $@ $(LDFLAGS)
28 | 
29 | .NOTPARALLEL: clean
30 | 
31 | clean:
32 | 	rm -f *.o *.so *~ a.out core core.[1-9][0-9]*
33 | 	rm -f libdislocator.so
34 | 
35 | install: all
36 | 	install -m 755 libdislocator.so $${DESTDIR}$(HELPER_PATH)
37 | 	install -m 644 README.dislocator $${DESTDIR}$(HELPER_PATH)
38 | 
39 | 


--------------------------------------------------------------------------------
/libdislocator/README.dislocator:
--------------------------------------------------------------------------------
 1 | ===================================
 2 | libdislocator, an abusive allocator
 3 | ===================================
 4 | 
 5 |   (See ../docs/README for the general instruction manual.)
 6 | 
 7 | This is a companion library that can be used as a drop-in replacement for the
 8 | libc allocator in the fuzzed binaries. It improves the odds of bumping into
 9 | heap-related security bugs in several ways:
10 | 
11 |   - It allocates all buffers so that they are immediately adjacent to a
12 |     subsequent PROT_NONE page, causing most off-by-one reads and writes to
13 |     immediately segfault,
14 | 
15 |   - It adds a canary immediately below the allocated buffer, to catch writes
16 |     to negative offsets (won't catch reads, though),
17 | 
18 |   - It sets the memory returned by malloc() to garbage values, improving the
19 |     odds of crashing when the target accesses uninitialized data,
20 | 
21 |   - It sets freed memory to PROT_NONE and does not actually reuse it, causing
22 |     most use-after-free bugs to segfault right away,
23 | 
24 |   - It forces all realloc() calls to return a new address - and sets
25 |     PROT_NONE on the original block. This catches use-after-realloc bugs,
26 | 
27 |   - It checks for calloc() overflows and can cause soft or hard failures
28 |     of alloc requests past a configurable memory limit (AFL_LD_LIMIT_MB,
29 |     AFL_LD_HARD_FAIL).
30 | 
31 | Basically, it is inspired by some of the non-default options available for the
32 | OpenBSD allocator - see malloc.conf(5) on that platform for reference. It is
33 | also somewhat similar to several other debugging libraries, such as gmalloc
34 | and DUMA - but is simple, plug-and-play, and designed specifically for fuzzing
35 | jobs.
36 | 
37 | Note that it does nothing for stack-based memory handling errors. The
38 | -fstack-protector-all setting for GCC / clang, enabled when using AFL_HARDEN,
39 | can catch some subset of that.
40 | 
41 | The allocator is slow and memory-intensive (even the tiniest allocation uses up
42 | 4 kB of physical memory and 8 kB of virtual mem), making it completely unsuitable
43 | for "production" uses; but it can be faster and more hassle-free than ASAN / MSAN
44 | when fuzzing small, self-contained binaries.
45 | 
46 | To use this library, run AFL like so:
47 | 
48 | AFL_PRELOAD=/path/to/libdislocator.so ./afl-fuzz [...other params...]
49 | 
50 | You *have* to specify path, even if it's just ./libdislocator.so or
51 | $PWD/libdislocator.so.
52 | 
53 | Similarly to afl-tmin, the library is not "proprietary" and can be used with
54 | other fuzzers or testing tools without the need for any code tweaks. It does not
55 | require AFL-instrumented binaries to work.
56 | 
57 | Note that the AFL_PRELOAD approach (which AFL internally maps to LD_PRELOAD or
58 | DYLD_INSERT_LIBRARIES, depending on the OS) works only if the target binary is
59 | dynamically linked. Otherwise, attempting to use the library will have no
60 | effect.
61 | 


--------------------------------------------------------------------------------
/libdislocator/libdislocator.so.c:
--------------------------------------------------------------------------------
  1 | /*
  2 | 
  3 |    american fuzzy lop - dislocator, an abusive allocator
  4 |    -----------------------------------------------------
  5 | 
  6 |    Written and maintained by Michal Zalewski <lcamtuf@google.com>
  7 | 
  8 |    Copyright 2016 Google Inc. All rights reserved.
  9 | 
 10 |    Licensed under the Apache License, Version 2.0 (the "License");
 11 |    you may not use this file except in compliance with the License.
 12 |    You may obtain a copy of the License at:
 13 | 
 14 |      http://www.apache.org/licenses/LICENSE-2.0
 15 | 
 16 |    This is a companion library that can be used as a drop-in replacement
 17 |    for the libc allocator in the fuzzed binaries. See README.dislocator for
 18 |    more info.
 19 | 
 20 |  */
 21 | 
 22 | #include <stdio.h>
 23 | #include <stdlib.h>
 24 | #include <string.h>
 25 | #include <limits.h>
 26 | #include <sys/mman.h>
 27 | 
 28 | #include "../config.h"
 29 | #include "../types.h"
 30 | 
 31 | #ifndef PAGE_SIZE
 32 | #  define PAGE_SIZE 4096
 33 | #endif /* !PAGE_SIZE */
 34 | 
 35 | #ifndef MAP_ANONYMOUS
 36 | #  define MAP_ANONYMOUS MAP_ANON
 37 | #endif /* !MAP_ANONYMOUS */
 38 | 
 39 | /* Error / message handling: */
 40 | 
 41 | #define DEBUGF(_x...) do { \
 42 |     if (alloc_verbose) { \
 43 |       if (++call_depth == 1) { \
 44 |         fprintf(stderr, "[AFL] " _x); \
 45 |         fprintf(stderr, "\n"); \
 46 |       } \
 47 |       call_depth--; \
 48 |     } \
 49 |   } while (0)
 50 | 
 51 | #define FATAL(_x...) do { \
 52 |     if (++call_depth == 1) { \
 53 |       fprintf(stderr, "*** [AFL] " _x); \
 54 |       fprintf(stderr, " ***\n"); \
 55 |       abort(); \
 56 |     } \
 57 |     call_depth--; \
 58 |   } while (0)
 59 | 
 60 | /* Macro to count the number of pages needed to store a buffer: */
 61 | 
 62 | #define PG_COUNT(_l) (((_l) + (PAGE_SIZE - 1)) / PAGE_SIZE)
 63 | 
 64 | /* Canary & clobber bytes: */
 65 | 
 66 | #define ALLOC_CANARY  0xAACCAACC
 67 | #define ALLOC_CLOBBER 0xCC
 68 | 
 69 | #define PTR_C(_p) (((u32*)(_p))[-1])
 70 | #define PTR_L(_p) (((u32*)(_p))[-2])
 71 | 
 72 | /* Configurable stuff (use AFL_LD_* to set): */
 73 | 
 74 | static u32 max_mem = MAX_ALLOC;         /* Max heap usage to permit         */
 75 | static u8  alloc_verbose,               /* Additional debug messages        */
 76 |            hard_fail,                   /* abort() when max_mem exceeded?   */
 77 |            no_calloc_over;              /* abort() on calloc() overflows?   */
 78 | 
 79 | static __thread size_t total_mem;       /* Currently allocated mem          */
 80 | 
 81 | static __thread u32 call_depth;         /* To avoid recursion via fprintf() */
 82 | 
 83 | 
 84 | /* This is the main alloc function. It allocates one page more than necessary,
 85 |    sets that tailing page to PROT_NONE, and then increments the return address
 86 |    so that it is right-aligned to that boundary. Since it always uses mmap(),
 87 |    the returned memory will be zeroed. */
 88 | 
 89 | static void* __dislocator_alloc(size_t len) {
 90 | 
 91 |   void* ret;
 92 | 
 93 | 
 94 |   if (total_mem + len > max_mem || total_mem + len < total_mem) {
 95 | 
 96 |     if (hard_fail)
 97 |       FATAL("total allocs exceed %u MB", max_mem / 1024 / 1024);
 98 | 
 99 |     DEBUGF("total allocs exceed %u MB, returning NULL",
100 |            max_mem / 1024 / 1024);
101 | 
102 |     return NULL;
103 | 
104 |   }
105 | 
106 |   /* We will also store buffer length and a canary below the actual buffer, so
107 |      let's add 8 bytes for that. */
108 | 
109 |   ret = mmap(NULL, (1 + PG_COUNT(len + 8)) * PAGE_SIZE, PROT_READ | PROT_WRITE,
110 |              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
111 | 
112 |   if (ret == (void*)-1) {
113 | 
114 |     if (hard_fail) FATAL("mmap() failed on alloc (OOM?)");
115 | 
116 |     DEBUGF("mmap() failed on alloc (OOM?)");
117 | 
118 |     return NULL;
119 | 
120 |   }
121 | 
122 |   /* Set PROT_NONE on the last page. */
123 | 
124 |   if (mprotect(ret + PG_COUNT(len + 8) * PAGE_SIZE, PAGE_SIZE, PROT_NONE))
125 |     FATAL("mprotect() failed when allocating memory");
126 | 
127 |   /* Offset the return pointer so that it's right-aligned to the page
128 |      boundary. */
129 | 
130 |   ret += PAGE_SIZE * PG_COUNT(len + 8) - len - 8;
131 | 
132 |   /* Store allocation metadata. */
133 | 
134 |   ret += 8;
135 | 
136 |   PTR_L(ret) = len;
137 |   PTR_C(ret) = ALLOC_CANARY;
138 | 
139 |   total_mem += len;
140 | 
141 |   return ret;
142 | 
143 | }
144 | 
145 | 
146 | /* The "user-facing" wrapper for calloc(). This just checks for overflows and
147 |    displays debug messages if requested. */
148 | 
149 | void* calloc(size_t elem_len, size_t elem_cnt) {
150 | 
151 |   void* ret;
152 | 
153 |   size_t len = elem_len * elem_cnt;
154 | 
155 |   /* Perform some sanity checks to detect obvious issues... */
156 | 
157 |   if (elem_cnt && len / elem_cnt != elem_len) {
158 | 
159 |     if (no_calloc_over) {
160 |       DEBUGF("calloc(%zu, %zu) would overflow, returning NULL", elem_len, elem_cnt);
161 |       return NULL;
162 |     }
163 | 
164 |     FATAL("calloc(%zu, %zu) would overflow", elem_len, elem_cnt);
165 | 
166 |   }
167 | 
168 |   ret = __dislocator_alloc(len);
169 | 
170 |   DEBUGF("calloc(%zu, %zu) = %p [%zu total]", elem_len, elem_cnt, ret,
171 |          total_mem);
172 | 
173 |   return ret;
174 | 
175 | }
176 | 
177 | 
178 | /* The wrapper for malloc(). Roughly the same, also clobbers the returned
179 |    memory (unlike calloc(), malloc() is not guaranteed to return zeroed
180 |    memory). */
181 | 
182 | void* malloc(size_t len) {
183 | 
184 |   void* ret;
185 | 
186 |   ret = __dislocator_alloc(len);
187 | 
188 |   DEBUGF("malloc(%zu) = %p [%zu total]", len, ret, total_mem);
189 | 
190 |   if (ret && len) memset(ret, ALLOC_CLOBBER, len);
191 | 
192 |   return ret;
193 | 
194 | }
195 | 
196 | 
197 | /* The wrapper for free(). This simply marks the entire region as PROT_NONE.
198 |    If the region is already freed, the code will segfault during the attempt to
199 |    read the canary. Not very graceful, but works, right? */
200 | 
201 | void free(void* ptr) {
202 | 
203 |   u32 len;
204 | 
205 |   DEBUGF("free(%p)", ptr);
206 | 
207 |   if (!ptr) return;
208 | 
209 |   if (PTR_C(ptr) != ALLOC_CANARY) FATAL("bad allocator canary on free()");
210 | 
211 |   len = PTR_L(ptr);
212 | 
213 |   total_mem -= len;
214 | 
215 |   /* Protect everything. Note that the extra page at the end is already
216 |      set as PROT_NONE, so we don't need to touch that. */
217 | 
218 |   ptr -= PAGE_SIZE * PG_COUNT(len + 8) - len - 8;
219 | 
220 |   if (mprotect(ptr - 8, PG_COUNT(len + 8) * PAGE_SIZE, PROT_NONE))
221 |     FATAL("mprotect() failed when freeing memory");
222 | 
223 |   /* Keep the mapping; this is wasteful, but prevents ptr reuse. */
224 | 
225 | }
226 | 
227 | 
228 | /* Realloc is pretty straightforward, too. We forcibly reallocate the buffer,
229 |    move data, and then free (aka mprotect()) the original one. */
230 | 
231 | void* realloc(void* ptr, size_t len) {
232 | 
233 |   void* ret;
234 | 
235 |   ret = malloc(len);
236 | 
237 |   if (ret && ptr) {
238 | 
239 |     if (PTR_C(ptr) != ALLOC_CANARY) FATAL("bad allocator canary on realloc()");
240 | 
241 |     memcpy(ret, ptr, MIN(len, PTR_L(ptr)));
242 |     free(ptr);
243 | 
244 |   }
245 | 
246 |   DEBUGF("realloc(%p, %zu) = %p [%zu total]", ptr, len, ret, total_mem);
247 | 
248 |   return ret;
249 | 
250 | }
251 | 
252 | 
253 | __attribute__((constructor)) void __dislocator_init(void) {
254 | 
255 |   u8* tmp = getenv("AFL_LD_LIMIT_MB");
256 | 
257 |   if (tmp) {
258 | 
259 |     max_mem = atoi(tmp) * 1024 * 1024;
260 |     if (!max_mem) FATAL("Bad value for AFL_LD_LIMIT_MB");
261 | 
262 |   }
263 | 
264 |   alloc_verbose = !!getenv("AFL_LD_VERBOSE");
265 |   hard_fail = !!getenv("AFL_LD_HARD_FAIL");
266 |   no_calloc_over = !!getenv("AFL_LD_NO_CALLOC_OVER");
267 | 
268 | }
269 | 


--------------------------------------------------------------------------------
/libtokencap/Makefile:
--------------------------------------------------------------------------------
 1 | #
 2 | # american fuzzy lop - libtokencap
 3 | # --------------------------------
 4 | #
 5 | # Written by Michal Zalewski <lcamtuf@google.com>
 6 | #
 7 | # Copyright 2016 Google Inc. All rights reserved.
 8 | #
 9 | # Licensed under the Apache License, Version 2.0 (the "License");
10 | # you may not use this file except in compliance with the License.
11 | # You may obtain a copy of the License at:
12 | #
13 | #   http://www.apache.org/licenses/LICENSE-2.0
14 | #
15 | 
16 | PREFIX      ?= /usr/local
17 | HELPER_PATH  = $(PREFIX)/lib/afl
18 | 
19 | VERSION     = $(shell grep '^\#define VERSION ' ../config.h | cut -d '"' -f2)
20 | 
21 | CFLAGS      ?= -O3 -funroll-loops
22 | CFLAGS      += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign
23 | 
24 | all: libtokencap.so
25 | 
26 | libtokencap.so: libtokencap.so.c ../config.h
27 | 	$(CC) $(CFLAGS) -shared -fPIC $< -o $@ $(LDFLAGS)
28 | 
29 | .NOTPARALLEL: clean
30 | 
31 | clean:
32 | 	rm -f *.o *.so *~ a.out core core.[1-9][0-9]*
33 | 	rm -f libtokencap.so
34 | 
35 | install: all
36 | 	install -m 755 libtokencap.so $${DESTDIR}$(HELPER_PATH)
37 | 	install -m 644 README.tokencap $${DESTDIR}$(HELPER_PATH)
38 | 
39 | 


--------------------------------------------------------------------------------
/libtokencap/README.tokencap:
--------------------------------------------------------------------------------
 1 | =========================================
 2 | strcmp() / memcmp() token capture library
 3 | =========================================
 4 | 
 5 |   (See ../docs/README for the general instruction manual.)
 6 | 
 7 | This Linux-only companion library allows you to instrument strcmp(), memcmp(),
 8 | and related functions to automatically extract syntax tokens passed to any of
 9 | these libcalls. The resulting list of tokens may be then given as a starting
10 | dictionary to afl-fuzz (the -x option) to improve coverage on subsequent
11 | fuzzing runs.
12 | 
13 | This may help improving coverage in some targets, and do precisely nothing in
14 | others. In some cases, it may even make things worse: if libtokencap picks up
15 | syntax tokens that are not used to process the input data, but that are a part
16 | of - say - parsing a config file... well, you're going to end up wasting a lot
17 | of CPU time on trying them out in the input stream. In other words, use this
18 | feature with care. Manually screening the resulting dictionary is almost
19 | always a necessity.
20 | 
21 | As for the actual operation: the library stores tokens, without any deduping,
22 | by appending them to a file specified via AFL_TOKEN_FILE. If the variable is not
23 | set, the tool uses stderr (which is probably not what you want).
24 | 
25 | Similarly to afl-tmin, the library is not "proprietary" and can be used with
26 | other fuzzers or testing tools without the need for any code tweaks. It does not
27 | require AFL-instrumented binaries to work.
28 | 
29 | To use the library, you *need* to make sure that your fuzzing target is compiled
30 | with -fno-builtin and is linked dynamically. If you wish to automate the first
31 | part without mucking with CFLAGS in Makefiles, you can set AFL_NO_BUILTIN=1
32 | when using afl-gcc. This setting specifically adds the following flags:
33 | 
34 |   -fno-builtin-strcmp -fno-builtin-strncmp -fno-builtin-strcasecmp
35 |   -fno-builtin-strcasencmp -fno-builtin-memcmp -fno-builtin-strstr
36 |   -fno-builtin-strcasestr
37 | 
38 | The next step is simply loading this library via LD_PRELOAD. The optimal usage
39 | pattern is to allow afl-fuzz to fuzz normally for a while and build up a corpus,
40 | and then fire off the target binary, with libtokencap.so loaded, on every file
41 | found by AFL in that earlier run. This demonstrates the basic principle:
42 | 
43 |   export AFL_TOKEN_FILE=$PWD/temp_output.txt
44 | 
45 |   for i in <out_dir>/queue/id*; do
46 |     LD_PRELOAD=/path/to/libtokencap.so \
47 |       /path/to/target/program [...params, including $i...]
48 |   done
49 | 
50 |   sort -u temp_output.txt >afl_dictionary.txt
51 | 
52 | If you don't get any results, the target library is probably not using strcmp()
53 | and memcmp() to parse input; or you haven't compiled it with -fno-builtin; or
54 | the whole thing isn't dynamically linked, and LD_PRELOAD is having no effect.
55 | 
56 | PS. The library is Linux-only because there is probably no particularly portable
57 | and non-invasive way to distinguish between read-only and read-write memory
58 | mappings. The __tokencap_load_mappings() function is the only thing that would
59 | need to be changed for other OSes. Porting to platforms with /proc/<pid>/maps
60 | (e.g., FreeBSD) should be trivial.
61 | 
62 | 


--------------------------------------------------------------------------------
/libtokencap/libtokencap.so.c:
--------------------------------------------------------------------------------
  1 | /*
  2 | 
  3 |    american fuzzy lop - extract tokens passed to strcmp / memcmp
  4 |    -------------------------------------------------------------
  5 | 
  6 |    Written and maintained by Michal Zalewski <lcamtuf@google.com>
  7 | 
  8 |    Copyright 2016 Google Inc. All rights reserved.
  9 | 
 10 |    Licensed under the Apache License, Version 2.0 (the "License");
 11 |    you may not use this file except in compliance with the License.
 12 |    You may obtain a copy of the License at:
 13 | 
 14 |      http://www.apache.org/licenses/LICENSE-2.0
 15 | 
 16 |    This Linux-only companion library allows you to instrument strcmp(),
 17 |    memcmp(), and related functions to automatically extract tokens.
 18 |    See README.tokencap for more info.
 19 | 
 20 |  */
 21 | 
 22 | #include <stdio.h>
 23 | #include <string.h>
 24 | #include <ctype.h>
 25 | 
 26 | #include "../types.h"
 27 | #include "../config.h"
 28 | 
 29 | #ifndef __linux__
 30 | #  error "Sorry, this library is Linux-specific for now!"
 31 | #endif /* !__linux__ */
 32 | 
 33 | 
 34 | /* Mapping data and such */
 35 | 
 36 | #define MAX_MAPPINGS 1024
 37 | 
 38 | static struct mapping {
 39 |   void *st, *en;
 40 | } __tokencap_ro[MAX_MAPPINGS];
 41 | 
 42 | static u32   __tokencap_ro_cnt;
 43 | static u8    __tokencap_ro_loaded;
 44 | static FILE* __tokencap_out_file;
 45 | 
 46 | 
 47 | /* Identify read-only regions in memory. Only parameters that fall into these
 48 |    ranges are worth dumping when passed to strcmp() and so on. Read-write
 49 |    regions are far more likely to contain user input instead. */
 50 | 
 51 | static void __tokencap_load_mappings(void) {
 52 | 
 53 |   u8 buf[MAX_LINE];
 54 |   FILE* f = fopen("/proc/self/maps", "r");
 55 | 
 56 |   __tokencap_ro_loaded = 1;
 57 | 
 58 |   if (!f) return;
 59 | 
 60 |   while (fgets(buf, MAX_LINE, f)) {
 61 | 
 62 |     u8 rf, wf;
 63 |     void* st, *en;
 64 | 
 65 |     if (sscanf(buf, "%p-%p %c%c", &st, &en, &rf, &wf) != 4) continue;
 66 |     if (wf == 'w' || rf != 'r') continue;
 67 | 
 68 |     __tokencap_ro[__tokencap_ro_cnt].st = (void*)st;
 69 |     __tokencap_ro[__tokencap_ro_cnt].en = (void*)en;
 70 | 
 71 |     if (++__tokencap_ro_cnt == MAX_MAPPINGS) break;
 72 | 
 73 |   }
 74 | 
 75 |   fclose(f);
 76 | 
 77 | }
 78 | 
 79 | 
 80 | /* Check an address against the list of read-only mappings. */
 81 | 
 82 | static u8 __tokencap_is_ro(const void* ptr) {
 83 | 
 84 |   u32 i;
 85 | 
 86 |   if (!__tokencap_ro_loaded) __tokencap_load_mappings();
 87 | 
 88 |   for (i = 0; i < __tokencap_ro_cnt; i++) 
 89 |     if (ptr >= __tokencap_ro[i].st && ptr <= __tokencap_ro[i].en) return 1;
 90 | 
 91 |   return 0;
 92 | 
 93 | }
 94 | 
 95 | 
 96 | /* Dump an interesting token to output file, quoting and escaping it
 97 |    properly. */
 98 | 
 99 | static void __tokencap_dump(const u8* ptr, size_t len, u8 is_text) {
100 | 
101 |   u8 buf[MAX_AUTO_EXTRA * 4 + 1];
102 |   u32 i;
103 |   u32 pos = 0;
104 | 
105 |   if (len < MIN_AUTO_EXTRA || len > MAX_AUTO_EXTRA || !__tokencap_out_file)
106 |     return;
107 | 
108 |   for (i = 0; i < len; i++) {
109 | 
110 |     if (is_text && !ptr[i]) break;
111 | 
112 |     switch (ptr[i]) {
113 | 
114 |       case 0 ... 31:
115 |       case 127 ... 255:
116 |       case '\"':
117 |       case '\\':
118 | 
119 |         sprintf(buf + pos, "\\x%02x", ptr[i]);
120 |         pos += 4;
121 |         break;
122 | 
123 |       default:
124 | 
125 |         buf[pos++] = ptr[i];
126 | 
127 |     }
128 | 
129 |   }
130 | 
131 |   buf[pos] = 0;
132 | 
133 |   fprintf(__tokencap_out_file, "\"%s\"\n", buf);    
134 | 
135 | }
136 | 
137 | 
138 | /* Replacements for strcmp(), memcmp(), and so on. Note that these will be used
139 |    only if the target is compiled with -fno-builtins and linked dynamically. */
140 | 
141 | #undef strcmp
142 | 
143 | int strcmp(const char* str1, const char* str2) {
144 | 
145 |   if (__tokencap_is_ro(str1)) __tokencap_dump(str1, strlen(str1), 1);
146 |   if (__tokencap_is_ro(str2)) __tokencap_dump(str2, strlen(str2), 1);
147 | 
148 |   while (1) {
149 | 
150 |     unsigned char c1 = *str1, c2 = *str2;
151 | 
152 |     if (c1 != c2) return (c1 > c2) ? 1 : -1;
153 |     if (!c1) return 0;
154 |     str1++; str2++;
155 | 
156 |   }
157 | 
158 | }
159 | 
160 | 
161 | #undef strncmp
162 | 
163 | int strncmp(const char* str1, const char* str2, size_t len) {
164 | 
165 |   if (__tokencap_is_ro(str1)) __tokencap_dump(str1, len, 1);
166 |   if (__tokencap_is_ro(str2)) __tokencap_dump(str2, len, 1);
167 | 
168 |   while (len--) {
169 | 
170 |     unsigned char c1 = *str1, c2 = *str2;
171 | 
172 |     if (!c1) return 0;
173 |     if (c1 != c2) return (c1 > c2) ? 1 : -1;
174 |     str1++; str2++;
175 | 
176 |   }
177 | 
178 |   return 0;
179 | 
180 | }
181 | 
182 | 
183 | #undef strcasecmp
184 | 
185 | int strcasecmp(const char* str1, const char* str2) {
186 | 
187 |   if (__tokencap_is_ro(str1)) __tokencap_dump(str1, strlen(str1), 1);
188 |   if (__tokencap_is_ro(str2)) __tokencap_dump(str2, strlen(str2), 1);
189 | 
190 |   while (1) {
191 | 
192 |     unsigned char c1 = tolower(*str1), c2 = tolower(*str2);
193 | 
194 |     if (c1 != c2) return (c1 > c2) ? 1 : -1;
195 |     if (!c1) return 0;
196 |     str1++; str2++;
197 | 
198 |   }
199 | 
200 | }
201 | 
202 | 
203 | #undef strncasecmp
204 | 
205 | int strncasecmp(const char* str1, const char* str2, size_t len) {
206 | 
207 |   if (__tokencap_is_ro(str1)) __tokencap_dump(str1, len, 1);
208 |   if (__tokencap_is_ro(str2)) __tokencap_dump(str2, len, 1);
209 | 
210 |   while (len--) {
211 | 
212 |     unsigned char c1 = tolower(*str1), c2 = tolower(*str2);
213 | 
214 |     if (!c1) return 0;
215 |     if (c1 != c2) return (c1 > c2) ? 1 : -1;
216 |     str1++; str2++;
217 | 
218 |   }
219 | 
220 |   return 0;
221 | 
222 | }
223 | 
224 | 
225 | #undef memcmp
226 | 
227 | int memcmp(const void* mem1, const void* mem2, size_t len) {
228 | 
229 |   if (__tokencap_is_ro(mem1)) __tokencap_dump(mem1, len, 0);
230 |   if (__tokencap_is_ro(mem2)) __tokencap_dump(mem2, len, 0);
231 | 
232 |   while (len--) {
233 | 
234 |     unsigned char c1 = *(const char*)mem1, c2 = *(const char*)mem2;
235 |     if (c1 != c2) return (c1 > c2) ? 1 : -1;
236 |     mem1++; mem2++;
237 | 
238 |   }
239 | 
240 |   return 0;
241 | 
242 | }
243 | 
244 | 
245 | #undef strstr
246 | 
247 | char* strstr(const char* haystack, const char* needle) {
248 | 
249 |   if (__tokencap_is_ro(haystack))
250 |     __tokencap_dump(haystack, strlen(haystack), 1);
251 | 
252 |   if (__tokencap_is_ro(needle))
253 |     __tokencap_dump(needle, strlen(needle), 1);
254 | 
255 |   do {
256 |     const char* n = needle;
257 |     const char* h = haystack;
258 | 
259 |     while(*n && *h && *n == *h) n++, h++;
260 | 
261 |     if(!*n) return (char*)haystack;
262 | 
263 |   } while (*(haystack++));
264 | 
265 |   return 0;
266 | 
267 | }
268 | 
269 | 
270 | #undef strcasestr
271 | 
272 | char* strcasestr(const char* haystack, const char* needle) {
273 | 
274 |   if (__tokencap_is_ro(haystack))
275 |     __tokencap_dump(haystack, strlen(haystack), 1);
276 | 
277 |   if (__tokencap_is_ro(needle))
278 |     __tokencap_dump(needle, strlen(needle), 1);
279 | 
280 |   do {
281 | 
282 |     const char* n = needle;
283 |     const char* h = haystack;
284 | 
285 |     while(*n && *h && tolower(*n) == tolower(*h)) n++, h++;
286 | 
287 |     if(!*n) return (char*)haystack;
288 | 
289 |   } while(*(haystack++));
290 | 
291 |   return 0;
292 | 
293 | }
294 | 
295 | 
296 | /* Init code to open the output file (or default to stderr). */
297 | 
298 | __attribute__((constructor)) void __tokencap_init(void) {
299 | 
300 |   u8* fn = getenv("AFL_TOKEN_FILE");
301 |   if (fn) __tokencap_out_file = fopen(fn, "a");
302 |   if (!__tokencap_out_file) __tokencap_out_file = stderr;
303 | 
304 | }
305 | 
306 | 


--------------------------------------------------------------------------------
/llvm_mode/Makefile:
--------------------------------------------------------------------------------
  1 | #
  2 | # american fuzzy lop - LLVM instrumentation
  3 | # -----------------------------------------
  4 | #
  5 | # Written by Laszlo Szekeres <lszekeres@google.com> and
  6 | #            Michal Zalewski <lcamtuf@google.com>
  7 | #
  8 | # LLVM integration design comes from Laszlo Szekeres.
  9 | #
 10 | # Copyright 2015, 2016 Google Inc. All rights reserved.
 11 | #
 12 | # Licensed under the Apache License, Version 2.0 (the "License");
 13 | # you may not use this file except in compliance with the License.
 14 | # You may obtain a copy of the License at:
 15 | #
 16 | #   http://www.apache.org/licenses/LICENSE-2.0
 17 | #
 18 | 
 19 | PREFIX      ?= /usr/local
 20 | HELPER_PATH  = $(PREFIX)/lib/afl
 21 | BIN_PATH     = $(PREFIX)/bin
 22 | 
 23 | VERSION     = $(shell grep '^\#define VERSION ' ../config.h | cut -d '"' -f2)
 24 | 
 25 | LLVM_CONFIG ?= llvm-config
 26 | 
 27 | CFLAGS      ?= -O3 -funroll-loops
 28 | CFLAGS      += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign \
 29 |                -DAFL_PATH=\"$(HELPER_PATH)\" -DBIN_PATH=\"$(BIN_PATH)\" \
 30 |                -DVERSION=\"$(VERSION)\" 
 31 | ifdef AFL_TRACE_PC
 32 |   CFLAGS    += -DUSE_TRACE_PC=1
 33 | endif
 34 | 
 35 | CXXFLAGS    ?= -O3 -funroll-loops
 36 | CXXFLAGS    += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign \
 37 |                -DVERSION=\"$(VERSION)\" -Wno-variadic-macros
 38 | 
 39 | CLANG_CFL    = `$(LLVM_CONFIG) --cxxflags` -fno-rtti -fpic $(CXXFLAGS)
 40 | CLANG_LFL    = `$(LLVM_CONFIG) --ldflags` $(LDFLAGS)
 41 | 
 42 | # User teor2345 reports that this is required to make things work on MacOS X.
 43 | 
 44 | ifeq "$(shell uname)" "Darwin"
 45 |   CLANG_LFL += -Wl,-flat_namespace -Wl,-undefined,suppress
 46 | endif
 47 | 
 48 | # We were using llvm-config --bindir to get the location of clang, but
 49 | # this seems to be busted on some distros, so using the one in $PATH is
 50 | # probably better.
 51 | 
 52 | ifeq "$(origin CC)" "default"
 53 |   CC         = clang
 54 |   CXX        = clang++
 55 | endif
 56 | 
 57 | ifndef AFL_TRACE_PC
 58 |   PROGS      = ../afl-clang-fast ../afl-llvm-pass.so ../afl-llvm-rt.o ../afl-llvm-rt-32.o ../afl-llvm-rt-64.o
 59 | else
 60 |   PROGS      = ../afl-clang-fast ../afl-llvm-rt.o ../afl-llvm-rt-32.o ../afl-llvm-rt-64.o
 61 | endif
 62 | 
 63 | all: test_deps $(PROGS) test_build all_done
 64 | 
 65 | test_deps:
 66 | ifndef AFL_TRACE_PC
 67 | 	@echo "[*] Checking for working 'llvm-config'..."
 68 | 	@which $(LLVM_CONFIG) >/dev/null 2>&1 || ( echo "[-] Oops, can't find 'llvm-config'. Install clang or set \$$LLVM_CONFIG or \$$PATH beforehand."; echo "    (Sometimes, the binary will be named llvm-config-3.5 or something like that.)"; exit 1 )
 69 | else
 70 | 	@echo "[!] Note: using -fsanitize=trace-pc mode (this will fail with older LLVM)."
 71 | endif
 72 | 	@echo "[*] Checking for working '$(CC)'..."
 73 | 	@which $(CC) >/dev/null 2>&1 || ( echo "[-] Oops, can't find '$(CC)'. Make sure that it's in your \$$PATH (or set \$$CC and \$$CXX)."; exit 1 )
 74 | 	@echo "[*] Checking for '../afl-showmap'..."
 75 | 	@test -f ../afl-showmap || ( echo "[-] Oops, can't find '../afl-showmap'. Be sure to compile AFL first."; exit 1 )
 76 | 	@echo "[+] All set and ready to build."
 77 | 
 78 | ../afl-clang-fast: afl-clang-fast.c | test_deps
 79 | 	$(CC) $(CFLAGS) $< -o $@ $(LDFLAGS)
 80 | 	ln -sf afl-clang-fast ../afl-clang-fast++
 81 | 
 82 | ../afl-llvm-pass.so: afl-llvm-pass.so.cc | test_deps
 83 | 	$(CXX) $(CLANG_CFL) -shared $< -o $@ $(CLANG_LFL)
 84 | 
 85 | ../afl-llvm-rt.o: afl-llvm-rt.o.c | test_deps
 86 | 	$(CC) $(CFLAGS) -fPIC -c $< -o $@
 87 | 
 88 | ../afl-llvm-rt-32.o: afl-llvm-rt.o.c | test_deps
 89 | 	@printf "[*] Building 32-bit variant of the runtime (-m32)... "
 90 | 	@$(CC) $(CFLAGS) -m32 -fPIC -c $< -o $@ 2>/dev/null; if [ "$$?" = "0" ]; then echo "success!"; else echo "failed (that's fine)"; fi
 91 | 
 92 | ../afl-llvm-rt-64.o: afl-llvm-rt.o.c | test_deps
 93 | 	@printf "[*] Building 64-bit variant of the runtime (-m64)... "
 94 | 	@$(CC) $(CFLAGS) -m64 -fPIC -c $< -o $@ 2>/dev/null; if [ "$$?" = "0" ]; then echo "success!"; else echo "failed (that's fine)"; fi
 95 | 
 96 | test_build: $(PROGS)
 97 | 	@echo "[*] Testing the CC wrapper and instrumentation output..."
 98 | 	unset AFL_USE_ASAN AFL_USE_MSAN AFL_INST_RATIO; AFL_QUIET=1 AFL_PATH=. AFL_CC=$(CC) ../afl-clang-fast $(CFLAGS) ../test-instr.c -o test-instr $(LDFLAGS)
 99 | 	echo 0 | ../afl-showmap -m none -q -o .test-instr0 ./test-instr
100 | 	echo 1 | ../afl-showmap -m none -q -o .test-instr1 ./test-instr
101 | 	@rm -f test-instr
102 | 	@cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation does not seem to be behaving correctly!"; echo; echo "Please ping <lcamtuf@google.com> to troubleshoot the issue."; echo; exit 1; fi
103 | 	@echo "[+] All right, the instrumentation seems to be working!"
104 | 
105 | all_done: test_build
106 | 	@echo "[+] All done! You can now use '../afl-clang-fast' to compile programs."
107 | 
108 | .NOTPARALLEL: clean
109 | 
110 | clean:
111 | 	rm -f *.o *.so *~ a.out core core.[1-9][0-9]* test-instr .test-instr0 .test-instr1 
112 | 	rm -f $(PROGS) ../afl-clang-fast++
113 | 


--------------------------------------------------------------------------------
/llvm_mode/afl-llvm-pass.so.cc:
--------------------------------------------------------------------------------
  1 | /*
  2 |    american fuzzy lop - LLVM-mode instrumentation pass
  3 |    ---------------------------------------------------
  4 | 
  5 |    Written by Laszlo Szekeres <lszekeres@google.com> and
  6 |               Michal Zalewski <lcamtuf@google.com>
  7 | 
  8 |    LLVM integration design comes from Laszlo Szekeres. C bits copied-and-pasted
  9 |    from afl-as.c are Michal's fault.
 10 | 
 11 |    Copyright 2015, 2016 Google Inc. All rights reserved.
 12 | 
 13 |    Licensed under the Apache License, Version 2.0 (the "License");
 14 |    you may not use this file except in compliance with the License.
 15 |    You may obtain a copy of the License at:
 16 | 
 17 |      http://www.apache.org/licenses/LICENSE-2.0
 18 | 
 19 |    This library is plugged into LLVM when invoking clang through afl-clang-fast.
 20 |    It tells the compiler to add code roughly equivalent to the bits discussed
 21 |    in ../afl-as.h.
 22 | 
 23 |  */
 24 | 
 25 | #define AFL_LLVM_PASS
 26 | 
 27 | #include "../config.h"
 28 | #include "../debug.h"
 29 | 
 30 | #include <stdio.h>
 31 | #include <stdlib.h>
 32 | #include <unistd.h>
 33 | 
 34 | #include "llvm/ADT/Statistic.h"
 35 | #include "llvm/IR/IRBuilder.h"
 36 | #include "llvm/IR/LegacyPassManager.h"
 37 | #include "llvm/IR/Module.h"
 38 | #include "llvm/Support/Debug.h"
 39 | #include "llvm/Transforms/IPO/PassManagerBuilder.h"
 40 | 
 41 | using namespace llvm;
 42 | 
 43 | namespace {
 44 | 
 45 |   class AFLCoverage : public ModulePass {
 46 | 
 47 |     public:
 48 | 
 49 |       static char ID;
 50 |       AFLCoverage() : ModulePass(ID) { }
 51 | 
 52 |       bool runOnModule(Module &M) override;
 53 | 
 54 |       // StringRef getPassName() const override {
 55 |       //  return "American Fuzzy Lop Instrumentation";
 56 |       // }
 57 | 
 58 |   };
 59 | 
 60 | }
 61 | 
 62 | 
 63 | char AFLCoverage::ID = 0;
 64 | 
 65 | 
 66 | bool AFLCoverage::runOnModule(Module &M) {
 67 | 
 68 |   LLVMContext &C = M.getContext();
 69 | 
 70 |   IntegerType *Int8Ty  = IntegerType::getInt8Ty(C);
 71 |   IntegerType *Int32Ty = IntegerType::getInt32Ty(C);
 72 | 
 73 |   /* Show a banner */
 74 | 
 75 |   char be_quiet = 0;
 76 | 
 77 |   if (isatty(2) && !getenv("AFL_QUIET")) {
 78 | 
 79 |     SAYF(cCYA "afl-llvm-pass " cBRI VERSION cRST " by <lszekeres@google.com>\n");
 80 | 
 81 |   } else be_quiet = 1;
 82 | 
 83 |   /* Decide instrumentation ratio */
 84 | 
 85 |   char* inst_ratio_str = getenv("AFL_INST_RATIO");
 86 |   unsigned int inst_ratio = 100;
 87 | 
 88 |   if (inst_ratio_str) {
 89 | 
 90 |     if (sscanf(inst_ratio_str, "%u", &inst_ratio) != 1 || !inst_ratio ||
 91 |         inst_ratio > 100)
 92 |       FATAL("Bad value of AFL_INST_RATIO (must be between 1 and 100)");
 93 | 
 94 |   }
 95 | 
 96 |   /* Get globals for the SHM region and the previous location. Note that
 97 |      __afl_prev_loc is thread-local. */
 98 | 
 99 |   GlobalVariable *AFLMapPtr =
100 |       new GlobalVariable(M, PointerType::get(Int8Ty, 0), false,
101 |                          GlobalValue::ExternalLinkage, 0, "__afl_area_ptr");
102 | 
103 |   GlobalVariable *AFLPrevLoc = new GlobalVariable(
104 |       M, Int32Ty, false, GlobalValue::ExternalLinkage, 0, "__afl_prev_loc",
105 |       0, GlobalVariable::GeneralDynamicTLSModel, 0, false);
106 | 
107 |   /* Instrument all the things! */
108 | 
109 |   int inst_blocks = 0;
110 | 
111 |   for (auto &F : M)
112 |     for (auto &BB : F) {
113 | 
114 |       BasicBlock::iterator IP = BB.getFirstInsertionPt();
115 |       IRBuilder<> IRB(&(*IP));
116 | 
117 |       if (AFL_R(100) >= inst_ratio) continue;
118 | 
119 |       /* Make up cur_loc */
120 | 
121 |       unsigned int cur_loc = AFL_R(MAP_SIZE);
122 | 
123 |       ConstantInt *CurLoc = ConstantInt::get(Int32Ty, cur_loc);
124 | 
125 |       /* Load prev_loc */
126 | 
127 |       LoadInst *PrevLoc = IRB.CreateLoad(AFLPrevLoc);
128 |       PrevLoc->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
129 |       Value *PrevLocCasted = IRB.CreateZExt(PrevLoc, IRB.getInt32Ty());
130 | 
131 |       /* Load SHM pointer */
132 | 
133 |       LoadInst *MapPtr = IRB.CreateLoad(AFLMapPtr);
134 |       MapPtr->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
135 |       Value *MapPtrIdx =
136 |           IRB.CreateGEP(MapPtr, IRB.CreateXor(PrevLocCasted, CurLoc));
137 | 
138 |       /* Update bitmap */
139 | 
140 |       LoadInst *Counter = IRB.CreateLoad(MapPtrIdx);
141 |       Counter->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
142 |       Value *Incr = IRB.CreateAdd(Counter, ConstantInt::get(Int8Ty, 1));
143 |       IRB.CreateStore(Incr, MapPtrIdx)
144 |           ->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
145 | 
146 |       /* Set prev_loc to cur_loc >> 1 */
147 | 
148 |       StoreInst *Store =
149 |           IRB.CreateStore(ConstantInt::get(Int32Ty, cur_loc >> 1), AFLPrevLoc);
150 |       Store->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
151 | 
152 |       inst_blocks++;
153 | 
154 |     }
155 | 
156 |   /* Say something nice. */
157 | 
158 |   if (!be_quiet) {
159 | 
160 |     if (!inst_blocks) WARNF("No instrumentation targets found.");
161 |     else OKF("Instrumented %u locations (%s mode, ratio %u%%).",
162 |              inst_blocks, getenv("AFL_HARDEN") ? "hardened" :
163 |              ((getenv("AFL_USE_ASAN") || getenv("AFL_USE_MSAN")) ?
164 |               "ASAN/MSAN" : "non-hardened"), inst_ratio);
165 | 
166 |   }
167 | 
168 |   return true;
169 | 
170 | }
171 | 
172 | 
173 | static void registerAFLPass(const PassManagerBuilder &,
174 |                             legacy::PassManagerBase &PM) {
175 | 
176 |   PM.add(new AFLCoverage());
177 | 
178 | }
179 | 
180 | 
181 | static RegisterStandardPasses RegisterAFLPass(
182 |     PassManagerBuilder::EP_OptimizerLast, registerAFLPass);
183 | 
184 | static RegisterStandardPasses RegisterAFLPass0(
185 |     PassManagerBuilder::EP_EnabledOnOptLevel0, registerAFLPass);
186 | 


--------------------------------------------------------------------------------
/llvm_mode/afl-llvm-rt.o.c:
--------------------------------------------------------------------------------
  1 | /*
  2 |    american fuzzy lop - LLVM instrumentation bootstrap
  3 |    ---------------------------------------------------
  4 | 
  5 |    Written by Laszlo Szekeres <lszekeres@google.com> and
  6 |               Michal Zalewski <lcamtuf@google.com>
  7 | 
  8 |    LLVM integration design comes from Laszlo Szekeres.
  9 | 
 10 |    Copyright 2015, 2016 Google Inc. All rights reserved.
 11 | 
 12 |    Licensed under the Apache License, Version 2.0 (the "License");
 13 |    you may not use this file except in compliance with the License.
 14 |    You may obtain a copy of the License at:
 15 | 
 16 |      http://www.apache.org/licenses/LICENSE-2.0
 17 | 
 18 |    This code is the rewrite of afl-as.h's main_payload.
 19 | 
 20 | */
 21 | 
 22 | #include "../config.h"
 23 | #include "../types.h"
 24 | 
 25 | #include <stdio.h>
 26 | #include <stdlib.h>
 27 | #include <signal.h>
 28 | #include <unistd.h>
 29 | #include <string.h>
 30 | #include <assert.h>
 31 | 
 32 | #include <sys/mman.h>
 33 | #include <sys/shm.h>
 34 | #include <sys/wait.h>
 35 | #include <sys/types.h>
 36 | 
 37 | /* This is a somewhat ugly hack for the experimental 'trace-pc-guard' mode.
 38 |    Basically, we need to make sure that the forkserver is initialized after
 39 |    the LLVM-generated runtime initialization pass, not before. */
 40 | 
 41 | #ifdef USE_TRACE_PC
 42 | #  define CONST_PRIO 5
 43 | #else
 44 | #  define CONST_PRIO 0
 45 | #endif /* ^USE_TRACE_PC */
 46 | 
 47 | 
 48 | /* Globals needed by the injected instrumentation. The __afl_area_initial region
 49 |    is used for instrumentation output before __afl_map_shm() has a chance to run.
 50 |    It will end up as .comm, so it shouldn't be too wasteful. */
 51 | 
 52 | u8  __afl_area_initial[MAP_SIZE];
 53 | u8* __afl_area_ptr = __afl_area_initial;
 54 | 
 55 | __thread u32 __afl_prev_loc;
 56 | 
 57 | 
 58 | /* Running in persistent mode? */
 59 | 
 60 | static u8 is_persistent;
 61 | 
 62 | 
 63 | /* SHM setup. */
 64 | 
 65 | static void __afl_map_shm(void) {
 66 | 
 67 |   u8 *id_str = getenv(SHM_ENV_VAR);
 68 | 
 69 |   /* If we're running under AFL, attach to the appropriate region, replacing the
 70 |      early-stage __afl_area_initial region that is needed to allow some really
 71 |      hacky .init code to work correctly in projects such as OpenSSL. */
 72 | 
 73 |   if (id_str) {
 74 | 
 75 |     u32 shm_id = atoi(id_str);
 76 | 
 77 |     __afl_area_ptr = shmat(shm_id, NULL, 0);
 78 | 
 79 |     /* Whooooops. */
 80 | 
 81 |     if (__afl_area_ptr == (void *)-1) _exit(1);
 82 | 
 83 |     /* Write something into the bitmap so that even with low AFL_INST_RATIO,
 84 |        our parent doesn't give up on us. */
 85 | 
 86 |     __afl_area_ptr[0] = 1;
 87 | 
 88 |   }
 89 | 
 90 | }
 91 | 
 92 | 
 93 | /* Fork server logic. */
 94 | 
 95 | static void __afl_start_forkserver(void) {
 96 | 
 97 |   static u8 tmp[4];
 98 |   s32 child_pid;
 99 | 
100 |   u8  child_stopped = 0;
101 | 
102 |   /* Phone home and tell the parent that we're OK. If parent isn't there,
103 |      assume we're not running in forkserver mode and just execute program. */
104 | 
105 |   if (write(FORKSRV_FD + 1, tmp, 4) != 4) return;
106 | 
107 |   while (1) {
108 | 
109 |     u32 was_killed;
110 |     int status;
111 | 
112 |     /* Wait for parent by reading from the pipe. Abort if read fails. */
113 | 
114 |     if (read(FORKSRV_FD, &was_killed, 4) != 4) _exit(1);
115 | 
116 |     /* If we stopped the child in persistent mode, but there was a race
117 |        condition and afl-fuzz already issued SIGKILL, write off the old
118 |        process. */
119 | 
120 |     if (child_stopped && was_killed) {
121 |       child_stopped = 0;
122 |       if (waitpid(child_pid, &status, 0) < 0) _exit(1);
123 |     }
124 | 
125 |     if (!child_stopped) {
126 | 
127 |       /* Once woken up, create a clone of our process. */
128 | 
129 |       child_pid = fork();
130 |       if (child_pid < 0) _exit(1);
131 | 
132 |       /* In child process: close fds, resume execution. */
133 | 
134 |       if (!child_pid) {
135 | 
136 |         close(FORKSRV_FD);
137 |         close(FORKSRV_FD + 1);
138 |         return;
139 |   
140 |       }
141 | 
142 |     } else {
143 | 
144 |       /* Special handling for persistent mode: if the child is alive but
145 |          currently stopped, simply restart it with SIGCONT. */
146 | 
147 |       kill(child_pid, SIGCONT);
148 |       child_stopped = 0;
149 | 
150 |     }
151 | 
152 |     /* In parent process: write PID to pipe, then wait for child. */
153 | 
154 |     if (write(FORKSRV_FD + 1, &child_pid, 4) != 4) _exit(1);
155 | 
156 |     if (waitpid(child_pid, &status, is_persistent ? WUNTRACED : 0) < 0)
157 |       _exit(1);
158 | 
159 |     /* In persistent mode, the child stops itself with SIGSTOP to indicate
160 |        a successful run. In this case, we want to wake it up without forking
161 |        again. */
162 | 
163 |     if (WIFSTOPPED(status)) child_stopped = 1;
164 | 
165 |     /* Relay wait status to pipe, then loop back. */
166 | 
167 |     if (write(FORKSRV_FD + 1, &status, 4) != 4) _exit(1);
168 | 
169 |   }
170 | 
171 | }
172 | 
173 | 
174 | /* A simplified persistent mode handler, used as explained in README.llvm. */
175 | 
176 | int __afl_persistent_loop(unsigned int max_cnt) {
177 | 
178 |   static u8  first_pass = 1;
179 |   static u32 cycle_cnt;
180 | 
181 |   if (first_pass) {
182 | 
183 |     /* Make sure that every iteration of __AFL_LOOP() starts with a clean slate.
184 |        On subsequent calls, the parent will take care of that, but on the first
185 |        iteration, it's our job to erase any trace of whatever happened
186 |        before the loop. */
187 | 
188 |     if (is_persistent) {
189 | 
190 |       memset(__afl_area_ptr, 0, MAP_SIZE);
191 |       __afl_area_ptr[0] = 1;
192 |       __afl_prev_loc = 0;
193 |     }
194 | 
195 |     cycle_cnt  = max_cnt;
196 |     first_pass = 0;
197 |     return 1;
198 | 
199 |   }
200 | 
201 |   if (is_persistent) {
202 | 
203 |     if (--cycle_cnt) {
204 | 
205 |       raise(SIGSTOP);
206 | 
207 |       __afl_area_ptr[0] = 1;
208 |       __afl_prev_loc = 0;
209 | 
210 |       return 1;
211 | 
212 |     } else {
213 | 
214 |       /* When exiting __AFL_LOOP(), make sure that the subsequent code that
215 |          follows the loop is not traced. We do that by pivoting back to the
216 |          dummy output region. */
217 | 
218 |       __afl_area_ptr = __afl_area_initial;
219 | 
220 |     }
221 | 
222 |   }
223 | 
224 |   return 0;
225 | 
226 | }
227 | 
228 | 
229 | /* This one can be called from user code when deferred forkserver mode
230 |     is enabled. */
231 | 
232 | void __afl_manual_init(void) {
233 | 
234 |   static u8 init_done;
235 | 
236 |   if (!init_done) {
237 | 
238 |     __afl_map_shm();
239 |     __afl_start_forkserver();
240 |     init_done = 1;
241 | 
242 |   }
243 | 
244 | }
245 | 
246 | 
247 | /* Proper initialization routine. */
248 | 
249 | __attribute__((constructor(CONST_PRIO))) void __afl_auto_init(void) {
250 | 
251 |   is_persistent = !!getenv(PERSIST_ENV_VAR);
252 | 
253 |   if (getenv(DEFER_ENV_VAR)) return;
254 | 
255 |   __afl_manual_init();
256 | 
257 | }
258 | 
259 | 
260 | /* The following stuff deals with supporting -fsanitize-coverage=trace-pc-guard.
261 |    It remains non-operational in the traditional, plugin-backed LLVM mode.
262 |    For more info about 'trace-pc-guard', see README.llvm.
263 | 
264 |    The first function (__sanitizer_cov_trace_pc_guard) is called back on every
265 |    edge (as opposed to every basic block). */
266 | 
267 | void __sanitizer_cov_trace_pc_guard(uint32_t* guard) {
268 |   __afl_area_ptr[*guard]++;
269 | }
270 | 
271 | 
272 | /* Init callback. Populates instrumentation IDs. Note that we're using
273 |    ID of 0 as a special value to indicate non-instrumented bits. That may
274 |    still touch the bitmap, but in a fairly harmless way. */
275 | 
276 | void __sanitizer_cov_trace_pc_guard_init(uint32_t* start, uint32_t* stop) {
277 | 
278 |   u32 inst_ratio = 100;
279 |   u8* x;
280 | 
281 |   if (start == stop || *start) return;
282 | 
283 |   x = getenv("AFL_INST_RATIO");
284 |   if (x) inst_ratio = atoi(x);
285 | 
286 |   if (!inst_ratio || inst_ratio > 100) {
287 |     fprintf(stderr, "[-] ERROR: Invalid AFL_INST_RATIO (must be 1-100).\n");
288 |     abort();
289 |   }
290 | 
291 |   /* Make sure that the first element in the range is always set - we use that
292 |      to avoid duplicate calls (which can happen as an artifact of the underlying
293 |      implementation in LLVM). */
294 | 
295 |   *(start++) = R(MAP_SIZE - 1) + 1;
296 | 
297 |   while (start < stop) {
298 | 
299 |     if (R(100) < inst_ratio) *start = R(MAP_SIZE - 1) + 1;
300 |     else *start = 0;
301 | 
302 |     start++;
303 | 
304 |   }
305 | 
306 | }
307 | 


--------------------------------------------------------------------------------
/qemu_mode/README.qemu:
--------------------------------------------------------------------------------
  1 | =========================================================
  2 | High-performance binary-only instrumentation for afl-fuzz
  3 | =========================================================
  4 | 
  5 |   (See ../docs/README for the general instruction manual.)
  6 | 
  7 | 1) Introduction
  8 | ---------------
  9 | 
 10 | The code in this directory allows you to build a standalone feature that
 11 | leverages the QEMU "user emulation" mode and allows callers to obtain
 12 | instrumentation output for black-box, closed-source binaries. This mechanism
 13 | can be then used by afl-fuzz to stress-test targets that couldn't be built
 14 | with afl-gcc.
 15 | 
 16 | The usual performance cost is 2-5x, which is considerably better than
 17 | seen so far in experiments with tools such as DynamoRIO and PIN.
 18 | 
 19 | The idea and much of the implementation comes from Andrew Griffiths.
 20 | 
 21 | 2) How to use
 22 | -------------
 23 | 
 24 | The feature is implemented with a fairly simple patch to QEMU 2.3.0. The
 25 | simplest way to build it is to run ./build_qemu_support.sh. The script will
 26 | download, configure, and compile the QEMU binary for you.
 27 | 
 28 | QEMU is a big project, so this will take a while, and you may have to
 29 | resolve a couple of dependencies (most notably, you will definitely need
 30 | libtool and glib2-devel).
 31 | 
 32 | Once the binaries are compiled, you can leverage the QEMU tool by calling
 33 | afl-fuzz and all the related utilities with -Q in the command line.
 34 | 
 35 | Note that QEMU requires a generous memory limit to run; somewhere around
 36 | 200 MB is a good starting point, but considerably more may be needed for
 37 | more complex programs. The default -m limit will be automatically bumped up
 38 | to 200 MB when specifying -Q to afl-fuzz; be careful when overriding this.
 39 | 
 40 | In principle, if you set CPU_TARGET before calling ./build_qemu_support.sh,
 41 | you should get a build capable of running non-native binaries (say, you
 42 | can try CPU_TARGET=arm). This is also necessary for running 32-bit binaries
 43 | on a 64-bit system (CPU_TARGET=i386).
 44 | 
 45 | Note: if you want the QEMU helper to be installed on your system for all
 46 | users, you need to build it before issuing 'make install' in the parent
 47 | directory.
 48 | 
 49 | 3) Notes on linking
 50 | -------------------
 51 | 
 52 | The feature is supported only on Linux. Supporting BSD may amount to porting
 53 | the changes made to linux-user/elfload.c and applying them to
 54 | bsd-user/elfload.c, but I have not looked into this yet.
 55 | 
 56 | The instrumentation follows only the .text section of the first ELF binary
 57 | encountered in the linking process. It does not trace shared libraries. In
 58 | practice, this means two things:
 59 | 
 60 |   - Any libraries you want to analyze *must* be linked statically into the
 61 |     executed ELF file (this will usually be the case for closed-source
 62 |     apps).
 63 | 
 64 |   - Standard C libraries and other stuff that is wasteful to instrument
 65 |     should be linked dynamically - otherwise, AFL will have no way to avoid
 66 |     peeking into them.
 67 | 
 68 | Setting AFL_INST_LIBS=1 can be used to circumvent the .text detection logic
 69 | and instrument every basic block encountered.
 70 | 
 71 | 4) Benchmarking
 72 | ---------------
 73 | 
 74 | If you want to compare the performance of the QEMU instrumentation with that of
 75 | afl-gcc compiled code against the same target, you need to build the
 76 | non-instrumented binary with the same optimization flags that are normally
 77 | injected by afl-gcc, and make sure that the bits to be tested are statically
 78 | linked into the binary. A common way to do this would be:
 79 | 
 80 | $ CFLAGS="-O3 -funroll-loops" ./configure --disable-shared
 81 | $ make clean all
 82 | 
 83 | Comparative measurements of execution speed or instrumentation coverage will be
 84 | fairly meaningless if the optimization levels or instrumentation scopes don't
 85 | match.
 86 | 
 87 | 5) Gotchas, feedback, bugs
 88 | --------------------------
 89 | 
 90 | If you need to fix up checksums or do other cleanup on mutated test cases, see
 91 | experimental/post_library/ for a viable solution.
 92 | 
 93 | Do not mix QEMU mode with ASAN, MSAN, or the likes; QEMU doesn't appreciate
 94 | the "shadow VM" trick employed by the sanitizers and will probably just
 95 | run out of memory.
 96 | 
 97 | Compared to fully-fledged virtualization, the user emulation mode is *NOT* a
 98 | security boundary. The binaries can freely interact with the host OS. If you
 99 | somehow need to fuzz an untrusted binary, put everything in a sandbox first.
100 | 
101 | QEMU does not necessarily support all CPU or hardware features that your
102 | target program may be utilizing. In particular, it does not appear to have
103 | full support for AVX2 / FMA3. Using binaries for older CPUs, or recompiling them
104 | with -march=core2, can help.
105 | 
106 | Beyond that, this is an early-stage mechanism, so fields reports are welcome.
107 | You can send them to <afl-users@googlegroups.com>.
108 | 
109 | 6) Alternatives: static rewriting
110 | ---------------------------------
111 | 
112 | Statically rewriting binaries just once, instead of attempting to translate
113 | them at run time, can be a faster alternative. That said, static rewriting is
114 | fraught with peril, because it depends on being able to properly and fully model
115 | program control flow without actually executing each and every code path.
116 | 
117 | If you want to experiment with this mode of operation, there is a module
118 | contributed by Aleksandar Nikolich:
119 | 
120 |   https://github.com/vrtadmin/moflow/tree/master/afl-dyninst
121 |   https://groups.google.com/forum/#!topic/afl-users/HlSQdbOTlpg
122 | 
123 | At this point, the author reports the possibility of hiccups with stripped
124 | binaries. That said, if we can get it to be comparably reliable to QEMU, we may
125 | decide to switch to this mode, but I had no time to play with it yet.
126 | 


--------------------------------------------------------------------------------
/qemu_mode/build_qemu_support.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/sh
  2 | #
  3 | # american fuzzy lop - QEMU build script
  4 | # --------------------------------------
  5 | #
  6 | # Written by Andrew Griffiths <agriffiths@google.com> and
  7 | #            Michal Zalewski <lcamtuf@google.com>
  8 | #
  9 | # Copyright 2015, 2016 Google Inc. All rights reserved.
 10 | #
 11 | # Licensed under the Apache License, Version 2.0 (the "License");
 12 | # you may not use this file except in compliance with the License.
 13 | # You may obtain a copy of the License at:
 14 | #
 15 | #   http://www.apache.org/licenses/LICENSE-2.0
 16 | #
 17 | # This script downloads, patches, and builds a version of QEMU with
 18 | # minor tweaks to allow non-instrumented binaries to be run under
 19 | # afl-fuzz. 
 20 | #
 21 | # The modifications reside in patches/*. The standalone QEMU binary
 22 | # will be written to ../afl-qemu-trace.
 23 | #
 24 | 
 25 | QEMU_URL="http://wiki.qemu-project.org/download/qemu-2.3.0.tar.bz2"
 26 | QEMU_SHA384="7a0f0c900f7e2048463cc32ff3e904965ab466c8428847400a0f2dcfe458108a68012c4fddb2a7e7c822b4fd1a49639b"
 27 | 
 28 | echo "================================================="
 29 | echo "AFL binary-only instrumentation QEMU build script"
 30 | echo "================================================="
 31 | echo
 32 | 
 33 | echo "[*] Performing basic sanity checks..."
 34 | 
 35 | if [ ! "`uname -s`" = "Linux" ]; then
 36 | 
 37 |   echo "[-] Error: QEMU instrumentation is supported only on Linux."
 38 |   exit 1
 39 | 
 40 | fi
 41 | 
 42 | if [ ! -f "patches/afl-qemu-cpu-inl.h" -o ! -f "../config.h" ]; then
 43 | 
 44 |   echo "[-] Error: key files not found - wrong working directory?"
 45 |   exit 1
 46 | 
 47 | fi
 48 | 
 49 | if [ ! -f "../afl-showmap" ]; then
 50 | 
 51 |   echo "[-] Error: ../afl-showmap not found - compile AFL first!"
 52 |   exit 1
 53 | 
 54 | fi
 55 | 
 56 | 
 57 | for i in libtool wget python automake autoconf sha384sum bison iconv; do
 58 | 
 59 |   T=`which "$i" 2>/dev/null`
 60 | 
 61 |   if [ "$T" = "" ]; then
 62 | 
 63 |     echo "[-] Error: '$i' not found, please install first."
 64 |     exit 1
 65 | 
 66 |   fi
 67 | 
 68 | done
 69 | 
 70 | if [ ! -d "/usr/include/glib-2.0/" -a ! -d "/usr/local/include/glib-2.0/" ]; then
 71 | 
 72 |   echo "[-] Error: devel version of 'glib2' not found, please install first."
 73 |   exit 1
 74 | 
 75 | fi
 76 | 
 77 | if echo "$CC" | grep -qF /afl-; then
 78 | 
 79 |   echo "[-] Error: do not use afl-gcc or afl-clang to compile this tool."
 80 |   exit 1
 81 | 
 82 | fi
 83 | 
 84 | echo "[+] All checks passed!"
 85 | 
 86 | ARCHIVE="`basename -- "$QEMU_URL"`"
 87 | 
 88 | CKSUM=`sha384sum -- "$ARCHIVE" 2>/dev/null | cut -d' ' -f1`
 89 | 
 90 | if [ ! "$CKSUM" = "$QEMU_SHA384" ]; then
 91 | 
 92 |   echo "[*] Downloading QEMU 2.3.0 from the web..."
 93 |   rm -f "$ARCHIVE"
 94 |   wget -O "$ARCHIVE" -- "$QEMU_URL" || exit 1
 95 | 
 96 |   CKSUM=`sha384sum -- "$ARCHIVE" 2>/dev/null | cut -d' ' -f1`
 97 | 
 98 | fi
 99 | 
100 | if [ "$CKSUM" = "$QEMU_SHA384" ]; then
101 | 
102 |   echo "[+] Cryptographic signature on $ARCHIVE checks out."
103 | 
104 | else
105 | 
106 |   echo "[-] Error: signature mismatch on $ARCHIVE (perhaps download error?)."
107 |   exit 1
108 | 
109 | fi
110 | 
111 | echo "[*] Uncompressing archive (this will take a while)..."
112 | 
113 | rm -rf "qemu-2.3.0" || exit 1
114 | tar xf "$ARCHIVE" || exit 1
115 | 
116 | echo "[+] Unpacking successful."
117 | 
118 | echo "[*] Applying patches..."
119 | 
120 | patch -p0 <patches/elfload.diff || exit 1
121 | patch -p0 <patches/cpu-exec.diff || exit 1
122 | patch -p0 <patches/translate-all.diff || exit 1
123 | patch -p0 <patches/syscall.diff || exit 1
124 | 
125 | echo "[+] Patching done."
126 | 
127 | ORIG_CPU_TARGET="$CPU_TARGET"
128 | 
129 | test "$CPU_TARGET" = "" && CPU_TARGET="`uname -m`"
130 | test "$CPU_TARGET" = "i686" && CPU_TARGET="i386"
131 | 
132 | echo "[*] Configuring QEMU for $CPU_TARGET..."
133 | 
134 | cd qemu-2.3.0 || exit 1
135 | 
136 | CFLAGS="-O3" ./configure --disable-system --enable-linux-user \
137 |   --enable-guest-base --disable-gtk --disable-sdl --disable-vnc \
138 |   --target-list="${CPU_TARGET}-linux-user" || exit 1
139 | 
140 | echo "[+] Configuration complete."
141 | 
142 | echo "[*] Attempting to build QEMU (fingers crossed!)..."
143 | 
144 | make || exit 1
145 | 
146 | echo "[+] Build process successful!"
147 | 
148 | echo "[*] Copying binary..."
149 | 
150 | cp -f "${CPU_TARGET}-linux-user/qemu-${CPU_TARGET}" "../../afl-qemu-trace" || exit 1
151 | 
152 | cd ..
153 | ls -l ../afl-qemu-trace || exit 1
154 | 
155 | echo "[+] Successfully created '../afl-qemu-trace'."
156 | 
157 | if [ "$ORIG_CPU_TARGET" = "" ]; then
158 | 
159 |   echo "[*] Testing the build..."
160 | 
161 |   cd ..
162 | 
163 |   make >/dev/null || exit 1
164 | 
165 |   gcc test-instr.c -o test-instr || exit 1
166 | 
167 |   unset AFL_INST_RATIO
168 | 
169 |   echo 0 | ./afl-showmap -m none -Q -q -o .test-instr0 ./test-instr || exit 1
170 |   echo 1 | ./afl-showmap -m none -Q -q -o .test-instr1 ./test-instr || exit 1
171 | 
172 |   rm -f test-instr
173 | 
174 |   cmp -s .test-instr0 .test-instr1
175 |   DR="$?"
176 | 
177 |   rm -f .test-instr0 .test-instr1
178 | 
179 |   if [ "$DR" = "0" ]; then
180 | 
181 |     echo "[-] Error: afl-qemu-trace instrumentation doesn't seem to work!"
182 |     exit 1
183 | 
184 |   fi
185 | 
186 |   echo "[+] Instrumentation tests passed. "
187 |   echo "[+] All set, you can now use the -Q mode in afl-fuzz!"
188 | 
189 | else
190 | 
191 |   echo "[!] Note: can't test instrumentation when CPU_TARGET set."
192 |   echo "[+] All set, you can now (hopefully) use the -Q mode in afl-fuzz!"
193 | 
194 | fi
195 | 
196 | exit 0
197 | 


--------------------------------------------------------------------------------
/qemu_mode/patches/afl-qemu-cpu-inl.h:
--------------------------------------------------------------------------------
  1 | /*
  2 |    american fuzzy lop - high-performance binary-only instrumentation
  3 |    -----------------------------------------------------------------
  4 | 
  5 |    Written by Andrew Griffiths <agriffiths@google.com> and
  6 |               Michal Zalewski <lcamtuf@google.com>
  7 | 
  8 |    Idea & design very much by Andrew Griffiths.
  9 | 
 10 |    Copyright 2015, 2016 Google Inc. All rights reserved.
 11 | 
 12 |    Licensed under the Apache License, Version 2.0 (the "License");
 13 |    you may not use this file except in compliance with the License.
 14 |    You may obtain a copy of the License at:
 15 | 
 16 |      http://www.apache.org/licenses/LICENSE-2.0
 17 | 
 18 |    This code is a shim patched into the separately-distributed source
 19 |    code of QEMU 2.2.0. It leverages the built-in QEMU tracing functionality
 20 |    to implement AFL-style instrumentation and to take care of the remaining
 21 |    parts of the AFL fork server logic.
 22 | 
 23 |    The resulting QEMU binary is essentially a standalone instrumentation
 24 |    tool; for an example of how to leverage it for other purposes, you can
 25 |    have a look at afl-showmap.c.
 26 | 
 27 |  */
 28 | 
 29 | #include <sys/shm.h>
 30 | #include "../../config.h"
 31 | 
 32 | /***************************
 33 |  * VARIOUS AUXILIARY STUFF *
 34 |  ***************************/
 35 | 
 36 | /* A snippet patched into tb_find_slow to inform the parent process that
 37 |    we have hit a new block that hasn't been translated yet, and to tell
 38 |    it to translate within its own context, too (this avoids translation
 39 |    overhead in the next forked-off copy). */
 40 | 
 41 | #define AFL_QEMU_CPU_SNIPPET1 do { \
 42 |     afl_request_tsl(pc, cs_base, flags); \
 43 |   } while (0)
 44 | 
 45 | /* This snippet kicks in when the instruction pointer is positioned at
 46 |    _start and does the usual forkserver stuff, not very different from
 47 |    regular instrumentation injected via afl-as.h. */
 48 | 
 49 | #define AFL_QEMU_CPU_SNIPPET2 do { \
 50 |     if(tb->pc == afl_entry_point) { \
 51 |       afl_setup(); \
 52 |       afl_forkserver(env); \
 53 |     } \
 54 |     afl_maybe_log(tb->pc); \
 55 |   } while (0)
 56 | 
 57 | /* We use one additional file descriptor to relay "needs translation"
 58 |    messages between the child and the fork server. */
 59 | 
 60 | #define TSL_FD (FORKSRV_FD - 1)
 61 | 
 62 | /* This is equivalent to afl-as.h: */
 63 | 
 64 | static unsigned char *afl_area_ptr;
 65 | 
 66 | /* Exported variables populated by the code patched into elfload.c: */
 67 | 
 68 | abi_ulong afl_entry_point, /* ELF entry point (_start) */
 69 |           afl_start_code,  /* .text start pointer      */
 70 |           afl_end_code;    /* .text end pointer        */
 71 | 
 72 | /* Set in the child process in forkserver mode: */
 73 | 
 74 | static unsigned char afl_fork_child;
 75 | unsigned int afl_forksrv_pid;
 76 | 
 77 | /* Instrumentation ratio: */
 78 | 
 79 | static unsigned int afl_inst_rms = MAP_SIZE;
 80 | 
 81 | /* Function declarations. */
 82 | 
 83 | static void afl_setup(void);
 84 | static void afl_forkserver(CPUArchState*);
 85 | static inline void afl_maybe_log(abi_ulong);
 86 | 
 87 | static void afl_wait_tsl(CPUArchState*, int);
 88 | static void afl_request_tsl(target_ulong, target_ulong, uint64_t);
 89 | 
 90 | static TranslationBlock *tb_find_slow(CPUArchState*, target_ulong,
 91 |                                       target_ulong, uint64_t);
 92 | 
 93 | 
 94 | /* Data structure passed around by the translate handlers: */
 95 | 
 96 | struct afl_tsl {
 97 |   target_ulong pc;
 98 |   target_ulong cs_base;
 99 |   uint64_t flags;
100 | };
101 | 
102 | 
103 | /*************************
104 |  * ACTUAL IMPLEMENTATION *
105 |  *************************/
106 | 
107 | 
108 | /* Set up SHM region and initialize other stuff. */
109 | 
110 | static void afl_setup(void) {
111 | 
112 |   char *id_str = getenv(SHM_ENV_VAR),
113 |        *inst_r = getenv("AFL_INST_RATIO");
114 | 
115 |   int shm_id;
116 | 
117 |   if (inst_r) {
118 | 
119 |     unsigned int r;
120 | 
121 |     r = atoi(inst_r);
122 | 
123 |     if (r > 100) r = 100;
124 |     if (!r) r = 1;
125 | 
126 |     afl_inst_rms = MAP_SIZE * r / 100;
127 | 
128 |   }
129 | 
130 |   if (id_str) {
131 | 
132 |     shm_id = atoi(id_str);
133 |     afl_area_ptr = shmat(shm_id, NULL, 0);
134 | 
135 |     if (afl_area_ptr == (void*)-1) exit(1);
136 | 
137 |     /* With AFL_INST_RATIO set to a low value, we want to touch the bitmap
138 |        so that the parent doesn't give up on us. */
139 | 
140 |     if (inst_r) afl_area_ptr[0] = 1;
141 | 
142 | 
143 |   }
144 | 
145 |   if (getenv("AFL_INST_LIBS")) {
146 | 
147 |     afl_start_code = 0;
148 |     afl_end_code   = (abi_ulong)-1;
149 | 
150 |   }
151 | 
152 | }
153 | 
154 | 
155 | /* Fork server logic, invoked once we hit _start. */
156 | 
157 | static void afl_forkserver(CPUArchState *env) {
158 | 
159 |   static unsigned char tmp[4];
160 | 
161 |   if (!afl_area_ptr) return;
162 | 
163 |   /* Tell the parent that we're alive. If the parent doesn't want
164 |      to talk, assume that we're not running in forkserver mode. */
165 | 
166 |   if (write(FORKSRV_FD + 1, tmp, 4) != 4) return;
167 | 
168 |   afl_forksrv_pid = getpid();
169 | 
170 |   /* All right, let's await orders... */
171 | 
172 |   while (1) {
173 | 
174 |     pid_t child_pid;
175 |     int status, t_fd[2];
176 | 
177 |     /* Whoops, parent dead? */
178 | 
179 |     if (read(FORKSRV_FD, tmp, 4) != 4) exit(2);
180 | 
181 |     /* Establish a channel with child to grab translation commands. We'll 
182 |        read from t_fd[0], child will write to TSL_FD. */
183 | 
184 |     if (pipe(t_fd) || dup2(t_fd[1], TSL_FD) < 0) exit(3);
185 |     close(t_fd[1]);
186 | 
187 |     child_pid = fork();
188 |     if (child_pid < 0) exit(4);
189 | 
190 |     if (!child_pid) {
191 | 
192 |       /* Child process. Close descriptors and run free. */
193 | 
194 |       afl_fork_child = 1;
195 |       close(FORKSRV_FD);
196 |       close(FORKSRV_FD + 1);
197 |       close(t_fd[0]);
198 |       return;
199 | 
200 |     }
201 | 
202 |     /* Parent. */
203 | 
204 |     close(TSL_FD);
205 | 
206 |     if (write(FORKSRV_FD + 1, &child_pid, 4) != 4) exit(5);
207 | 
208 |     /* Collect translation requests until child dies and closes the pipe. */
209 | 
210 |     afl_wait_tsl(env, t_fd[0]);
211 | 
212 |     /* Get and relay exit status to parent. */
213 | 
214 |     if (waitpid(child_pid, &status, 0) < 0) exit(6);
215 |     if (write(FORKSRV_FD + 1, &status, 4) != 4) exit(7);
216 | 
217 |   }
218 | 
219 | }
220 | 
221 | 
222 | /* The equivalent of the tuple logging routine from afl-as.h. */
223 | 
224 | static inline void afl_maybe_log(abi_ulong cur_loc) {
225 | 
226 |   static __thread abi_ulong prev_loc;
227 | 
228 |   /* Optimize for cur_loc > afl_end_code, which is the most likely case on
229 |      Linux systems. */
230 | 
231 |   if (cur_loc > afl_end_code || cur_loc < afl_start_code || !afl_area_ptr)
232 |     return;
233 | 
234 |   /* Looks like QEMU always maps to fixed locations, so ASAN is not a
235 |      concern. Phew. But instruction addresses may be aligned. Let's mangle
236 |      the value to get something quasi-uniform. */
237 | 
238 |   cur_loc  = (cur_loc >> 4) ^ (cur_loc << 8);
239 |   cur_loc &= MAP_SIZE - 1;
240 | 
241 |   /* Implement probabilistic instrumentation by looking at scrambled block
242 |      address. This keeps the instrumented locations stable across runs. */
243 | 
244 |   if (cur_loc >= afl_inst_rms) return;
245 | 
246 |   afl_area_ptr[cur_loc ^ prev_loc]++;
247 |   prev_loc = cur_loc >> 1;
248 | 
249 | }
250 | 
251 | 
252 | /* This code is invoked whenever QEMU decides that it doesn't have a
253 |    translation of a particular block and needs to compute it. When this happens,
254 |    we tell the parent to mirror the operation, so that the next fork() has a
255 |    cached copy. */
256 | 
257 | static void afl_request_tsl(target_ulong pc, target_ulong cb, uint64_t flags) {
258 | 
259 |   struct afl_tsl t;
260 | 
261 |   if (!afl_fork_child) return;
262 | 
263 |   t.pc      = pc;
264 |   t.cs_base = cb;
265 |   t.flags   = flags;
266 | 
267 |   if (write(TSL_FD, &t, sizeof(struct afl_tsl)) != sizeof(struct afl_tsl))
268 |     return;
269 | 
270 | }
271 | 
272 | 
273 | /* This is the other side of the same channel. Since timeouts are handled by
274 |    afl-fuzz simply killing the child, we can just wait until the pipe breaks. */
275 | 
276 | static void afl_wait_tsl(CPUArchState *env, int fd) {
277 | 
278 |   struct afl_tsl t;
279 | 
280 |   while (1) {
281 | 
282 |     /* Broken pipe means it's time to return to the fork server routine. */
283 | 
284 |     if (read(fd, &t, sizeof(struct afl_tsl)) != sizeof(struct afl_tsl))
285 |       break;
286 | 
287 |     tb_find_slow(env, t.pc, t.cs_base, t.flags);
288 | 
289 |   }
290 | 
291 |   close(fd);
292 | 
293 | }
294 | 
295 | 


--------------------------------------------------------------------------------
/qemu_mode/patches/cpu-exec.diff:
--------------------------------------------------------------------------------
 1 | --- qemu-2.3.0/cpu-exec.c.orig     2014-12-09 14:45:40.000000000 +0000
 2 | +++ qemu-2.3.0/cpu-exec.c  2015-02-20 22:07:02.966000000 +0000
 3 | @@ -28,6 +28,8 @@
 4 |  #include "exec/memory-internal.h"
 5 |  #include "qemu/rcu.h"
 6 | 
 7 | +#include "../patches/afl-qemu-cpu-inl.h"
 8 | +
 9 |  /* -icount align implementation. */
10 | 
11 |  typedef struct SyncClocks {
12 | @@ -296,8 +298,11 @@
13 |      }
14 |   not_found:
15 |     /* if no translated code available, then translate it now */
16 | +
17 |      tb = tb_gen_code(cpu, pc, cs_base, flags, 0);
18 | 
19 | +    AFL_QEMU_CPU_SNIPPET1;
20 | +
21 |   found:
22 |      /* Move the last found TB to the head of the list */
23 |      if (likely(*ptb1)) {
24 | @@ -492,6 +497,9 @@
25 |                      next_tb = 0;
26 |                      tcg_ctx.tb_ctx.tb_invalidated_flag = 0;
27 |                  }
28 | +
29 | +                AFL_QEMU_CPU_SNIPPET2;
30 | +
31 |                  if (qemu_loglevel_mask(CPU_LOG_EXEC)) {
32 |                      qemu_log("Trace %p [" TARGET_FMT_lx "] %s\n",
33 |                               tb->tc_ptr, tb->pc, lookup_symbol(tb->pc));
34 | 


--------------------------------------------------------------------------------
/qemu_mode/patches/elfload.diff:
--------------------------------------------------------------------------------
 1 | --- qemu-2.3.0/linux-user/elfload.c.orig	2014-12-09 14:45:42.000000000 +0000
 2 | +++ qemu-2.3.0/linux-user/elfload.c	2015-01-28 02:51:23.719000000 +0000
 3 | @@ -28,6 +28,8 @@
 4 |  
 5 |  #define ELF_OSABI   ELFOSABI_SYSV
 6 |  
 7 | +extern abi_ulong afl_entry_point, afl_start_code, afl_end_code;
 8 | +
 9 |  /* from personality.h */
10 |  
11 |  /*
12 | @@ -1889,6 +1891,8 @@
13 |      info->brk = 0;
14 |      info->elf_flags = ehdr->e_flags;
15 |  
16 | +    if (!afl_entry_point) afl_entry_point = info->entry;
17 | +
18 |      for (i = 0; i < ehdr->e_phnum; i++) {
19 |          struct elf_phdr *eppnt = phdr + i;
20 |          if (eppnt->p_type == PT_LOAD) {
21 | @@ -1922,9 +1926,11 @@
22 |              if (elf_prot & PROT_EXEC) {
23 |                  if (vaddr < info->start_code) {
24 |                      info->start_code = vaddr;
25 | +                    if (!afl_start_code) afl_start_code = vaddr;
26 |                  }
27 |                  if (vaddr_ef > info->end_code) {
28 |                      info->end_code = vaddr_ef;
29 | +                    if (!afl_end_code) afl_end_code = vaddr_ef;
30 |                  }
31 |              }
32 |              if (elf_prot & PROT_WRITE) {
33 | 


--------------------------------------------------------------------------------
/qemu_mode/patches/syscall.diff:
--------------------------------------------------------------------------------
 1 | --- qemu-2.3.0/linux-user/syscall.c.orig	2014-12-09 14:45:43.000000000 +0000
 2 | +++ qemu-2.3.0/linux-user/syscall.c	2015-03-27 06:33:00.736000000 +0000
 3 | @@ -227,7 +227,21 @@
 4 |  _syscall3(int,sys_rt_sigqueueinfo,int,pid,int,sig,siginfo_t *,uinfo)
 5 |  _syscall3(int,sys_syslog,int,type,char*,bufp,int,len)
 6 |  #if defined(TARGET_NR_tgkill) && defined(__NR_tgkill)
 7 | -_syscall3(int,sys_tgkill,int,tgid,int,pid,int,sig)
 8 | +
 9 | +extern unsigned int afl_forksrv_pid;
10 | +
11 | +static int sys_tgkill(int tgid, int pid, int sig) {
12 | +
13 | +  /* Workaround for -lpthread to make abort() work properly, without
14 | +     killing the forkserver due to a prematurely cached PID. */
15 | +
16 | +  if (afl_forksrv_pid && afl_forksrv_pid == pid && sig == SIGABRT)
17 | +    pid = tgid = getpid();
18 | +
19 | +  return syscall(__NR_sys_tgkill, pid, tgid, sig);
20 | +
21 | +}
22 | +
23 |  #endif
24 |  #if defined(TARGET_NR_tkill) && defined(__NR_tkill)
25 |  _syscall2(int,sys_tkill,int,tid,int,sig)
26 | 


--------------------------------------------------------------------------------
/qemu_mode/patches/translate-all.diff:
--------------------------------------------------------------------------------
 1 | --- qemu-2.3.0/translate-all.c.orig     2014-12-09 14:45:46.000000000 +0000
 2 | +++ qemu-2.3.0/translate-all.c  2015-01-28 22:37:42.383000000 +0000
 3 | @@ -393,8 +393,13 @@
 4 |      /* We can't use g_malloc because it may recurse into a locked mutex. */
 5 |  # define ALLOC(P, SIZE)                                 \
 6 |      do {                                                \
 7 | -        P = mmap(NULL, SIZE, PROT_READ | PROT_WRITE,    \
 8 | -                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);   \
 9 | +      void* _tmp = mmap(NULL, SIZE, PROT_READ | PROT_WRITE, \
10 | +                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); \
11 | +      if (_tmp == (void*)-1) { \
12 | +        qemu_log(">>> Out of memory for stack, bailing out. <<<\n"); \
13 | +        exit(1); \
14 | +      } \
15 | +      (P) = _tmp; \
16 |      } while (0)
17 |  #else
18 |  # define ALLOC(P, SIZE) \
19 | 


--------------------------------------------------------------------------------
/seed_generation/README.md:
--------------------------------------------------------------------------------
  1 | DeepFuzzer Seed Generator
  2 | ==================
  3 | 
  4 | ## Install
  5 | DeepFuzzer Seed Generator should be extracted to the root directory of your OS.  Please configure the `PATH` environment variable in your shell first, to include `/opt/tsmart-date/`.
  6 | 
  7 | Execute in shell:
  8 | 
  9 | ```sh
 10 | export PATH="/opt/tsmart-date:$PATH"
 11 | ```
 12 | 
 13 | Or you can directly insert the content above in configuration files such as `~/.bashrc`.
 14 | 
 15 | ## Symbolic execution
 16 | 
 17 | ### Configure and Build
 18 | DeepFuzzer uses symbolic execution to build high-quality seeds as the input for fuzzer, thus the first step is to configure the size of the input. For example, execute the following command when you want 10 bytes:
 19 | 
 20 | 
 21 | ```sh
 22 | ~/test/c-ares root@DTG
 23 | ❯ date-prepare sym 10
 24 | [*] Toolchain is at /tmp/toolchain
 25 | [+] Saving configuration (symbolic, size is 10)
 26 | ```
 27 | 
 28 | Next, let's configure the project before build. Just like normal configuration procedure, you only need to insert `date-configure` before the command.
 29 | 
 30 | ```sh
 31 | ~/test/c-ares/src heads/master* root@DTG
 32 | ❯ date-configure ./configure
 33 | [*] Config: sym 10
 34 | [+] Setting up bitcode toolchain (unfiltered)
 35 | [*] LLVM is at /opt/llvm
 36 | [*] Toolchain is at /tmp/toolchain
 37 | [*] Additional argument(s) to pass:
 38 | [*]     CXXFLAGS=-stdlib=libc++ -nostdinc -I/opt/llvm/include/c++/v1 -Qunused-arguments
 39 | [*]     LDFLAGS=-stdlib=libc++ -nostdinc -L/opt/llvm/lib -Wl,-rpath,/opt/llvm/lib
 40 | [*]     CC=/tmp/toolchain/clang
 41 | [*]     CXX=/tmp/toolchain/clang++
 42 | [+] Running target program
 43 | checking whether to enable maintainer-specific portions of Makefiles... no
 44 | [...]
 45 | config.status: executing libtool commands
 46 | configure: amending ./Makefile
 47 | ```
 48 | 
 49 | The next step is compilation. Just like normal configuration procedure, you need to insert `date-build` before the command.
 50 | 
 51 | 
 52 | ```sh
 53 | ❯ date-build make -j
 54 | [*] Config: sym 10
 55 | [+] Setting up bitcode toolchain
 56 | [*] WLLVM is at /opt/wllvm
 57 | [*] Toolchain is at /tmp/toolchain
 58 | [+] Custom build comand, ignoring
 59 | [+] Running target program
 60 | make  all-recursive
 61 | [...]
 62 | make[1]: Leaving directory '/home/hugh/test/c-ares/src'
 63 | ```
 64 | 
 65 | After building the library file, you may need to compiler additional test harness. Just like the normal `g++` or `clang` invocation, but you need to insert `date-build` before the command.
 66 | 
 67 | ```sh
 68 | ~/test/c-ares root@DTG
 69 | ❯ date-build g++ target.cc -I src -c
 70 | [*] Config: sym 10
 71 | [+] Setting up bitcode toolchain
 72 | [*] WLLVM is at /opt/wllvm
 73 | [*] Toolchain is at /tmp/toolchain
 74 | [+] C++ compiler intercepted
 75 | [*] Command to execute:
 76 | [*]     /tmp/toolchain/clang++
 77 | [*]     -stdlib=libc++
 78 | [*]     -nostdinc++
 79 | [*]     -I/opt/llvm/include/c++/v1
 80 | [*]     -Qunused-arguments
 81 | [*]     target.cc
 82 | [*]     -I
 83 | [*]     src
 84 | [*]     -c
 85 | ```
 86 | 
 87 | Finally, let's link the object files together! Caveat: DeepFuzzer uses a customized driver instead of the built-in version of clang, so you can't link with the standard toolchain. You should use `date-link` instead.
 88 | 
 89 | The following example links the test harness `target.o` and library `src/.libs/libcares.a` together into binary `app`, and output the LLVM bitcode file `app.bc`.
 90 | 
 91 | ```sh
 92 | ~/test/c-ares root@DTG 
 93 | ❯ date-link target.o src/.libs/libcares.a
 94 | [*] Config: sym 10
 95 | [+] Setting up bitcode toolchain
 96 | [*] WLLVM is at /opt/wllvm
 97 | [*] Toolchain is at /tmp/toolchain
 98 | [+] Generating driver, symbolic argument size = 10
 99 | [*] Command to execute:
100 | [*]     /tmp/toolchain/clang
101 | [*]     -xc
102 | [*]     -c
103 | [*]     -o
104 | [*]     /tmp/toolchain/driver.o
105 | [*]     /tmp/toolchain/driver.c
106 | [+] Linking objects
107 | [*] Command to execute:
108 | [*]     /tmp/toolchain/clang++
109 | [*]     -stdlib=libc++
110 | [*]     -nostdinc++
111 | [*]     -I/opt/llvm/include/c++/v1
112 | [*]     -Qunused-arguments
113 | [*]     -stdlib=libc++
114 | [*]     -nostdinc++
115 | [*]     -L/opt/llvm/lib
116 | [*]     -Wl,-rpath,/opt/llvm/lib
117 | [*]     /tmp/toolchain/driver.o
118 | [*]     target.o
119 | [*]     src/.libs/libcares.a
120 | [*]     -o
121 | [*]     app
122 | [+] Extracting bitcode
123 | Loading '/tmp/toolchain/.driver.o.bc'
124 | Loading '/home/hugh/test/c-ares/.target.o.bc'
125 | Linking in '/home/hugh/test/c-ares/.target.o.bc'
126 | Loading '/home/hugh/test/c-ares/src/.libcares_la-ares_create_query.o.bc'
127 | Linking in '/home/hugh/test/c-ares/src/.libcares_la-ares_create_query.o.bc'
128 | Loading '/home/hugh/test/c-ares/src/.libcares_la-ares_library_init.o.bc'
129 | Linking in '/home/hugh/test/c-ares/src/.libcares_la-ares_library_init.o.bc'
130 | Writing bitcode...
131 | ```
132 | 
133 | ### Start Symbolic execution
134 | Create a new directory for intermediate files for symbolic execution, then place the linked bitcode here. For example, the following command uses `sym` as the directory.
135 | 
136 | ```sh
137 | ~/test/c-ares root@DTG
138 | ❯ mkdir sym && cd sym
139 | 
140 | ~/test/c-ares/sym root@DTG
141 | ❯ cp ../app.bc .
142 | ```
143 | 
144 | Use command `date-fuzz` to start symbolic execution. To get better results, you may re-run it several times.
145 | 
146 | ```sh
147 | ~/test/c-ares/sym root@DTG
148 | ❯ date-fuzz app
149 | [*] Config: sym 10
150 | [*] Symbolic argument size = 10
151 | [*] Application is at app.bc
152 | [+] Starting symbolic execution
153 | [*] KLEE cmdline:
154 | [*]     /opt/klee/bin/klee
155 | [*]     -only-output-states-covering-new
156 | [*]     -libc=uclibc
157 | [*]     -posix-runtime
158 | [*]     -simplify-sym-indices
159 | [*]     app.bc
160 | [*]     -sym-arg
161 | [*]     10
162 | KLEE: NOTE: Using klee-uclibc : /opt/klee/lib64/klee/runtime/klee-uclibc.bca
163 | KLEE: NOTE: Using model: /opt/klee/lib64/klee/runtime/libkleeRuntimePOSIX.bca
164 | KLEE: output directory is "/home/hugh/test/c-ares/sym/klee-out-0"
165 | KLEE: Using Z3 solver backend
166 | [...]
167 | ^CKLEE: ctrl-c detected, requesting interpreter to halt.
168 | KLEE: halting execution, dumping remaining states
169 | 
170 | KLEE: done: total instructions = 224686
171 | KLEE: done: completed paths = 1371
172 | KLEE: done: generated tests = 6
173 | ```
174 | 
175 | ### Generate seeds
176 | Symbolic execution outputs testcases. You need to use `date-test-gen` to convert the testcases into seeds that can be used in fuzzing. The following example generates 6 seeds in `seed` directory.
177 | 
178 | ```sh
179 | ~/test/c-ares/sym root@DTG
180 | ❯ ls
181 | klee-out-0  app.bc  klee-last
182 | 
183 | ~/test/c-ares/sym root@DTG
184 | ❯ mkdir seed
185 | 
186 | ~/test/c-ares/sym root@DTG
187 | ❯ date-test-gen klee-out-*/*.ktest --output seed
188 | 
189 | ~/test/c-ares/sym root@DTG
190 | ❯ ls seed
191 | test000001.symseed  test000003.symseed  test000005.symseed
192 | test000002.symseed  test000004.symseed  test000006.symseed
193 | ```
194 | 
195 | These seeds can be used as inputs for fuzzing.
196 | 


--------------------------------------------------------------------------------
/seed_generation/install:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | cp -rv src -T /opt/tsmart-date
4 | 


--------------------------------------------------------------------------------
/seed_generation/src/date-build:
--------------------------------------------------------------------------------
 1 | #!/opt/tsmart-date/tbash
 2 | . $(dirname "$0")/lib-common
 3 | 
 4 | [[ "$#" == 0 ]] && log-error "No build command" && exit
 5 | 
 6 | load-config
 7 | if [[ "$MODE" == sym ]]; then
 8 |     . $(dirname "$0")/lib-sym
 9 |     setup-wllvm
10 |     setup-sym-flags
11 | else
12 |     . $(dirname "$0")/lib-dyn
13 |     setup-allvm
14 |     setup-dyn-flags
15 | fi
16 | 
17 | case "$1" in
18 |     'gcc')
19 |         ;&
20 |     'clang')
21 |         log-info "C compiler intercepted"
22 |         run-cc "${@:2}"
23 |         ;;
24 |     'g++')
25 |         ;&
26 |     'clang++')
27 |         log-info "C++ compiler intercepted"
28 |         run-cxx "${@:2}"
29 |         ;;
30 |     'make')
31 |         log-info "Make intercepted"
32 |         inject-flags
33 |         inject-compilers
34 |         run-program "$@"
35 |         ;;
36 |     *)
37 |         log-info "Custom build comand, ignoring"
38 |         inject-flags
39 |         run-program "$@"
40 |         ;;
41 | esac
42 | 


--------------------------------------------------------------------------------
/seed_generation/src/date-configure:
--------------------------------------------------------------------------------
 1 | #!/opt/tsmart-date/tbash
 2 | . $(dirname "$0")/lib-common
 3 | 
 4 | [[ "$#" == 0 ]] && log-error "No configure command" && exit
 5 | 
 6 | load-config
 7 | if [[ "$MODE" == sym ]]; then
 8 |     . $(dirname "$0")/lib-sym
 9 |     setup-kllvm
10 |     setup-sym-flags
11 |     inject-flags
12 |     inject-compilers
13 | else
14 |     . $(dirname "$0")/lib-dyn
15 |     setup-allvm
16 |     setup-dyn-flags
17 |     inject-flags
18 |     inject-compilers
19 | fi
20 | 
21 | run-program "$@"
22 | 


--------------------------------------------------------------------------------
/seed_generation/src/date-fuzz:
--------------------------------------------------------------------------------
 1 | #!/opt/tsmart-date/tbash
 2 | set -eu
 3 | . $(dirname "$0")/lib-common
 4 | 
 5 | sym-fuzz() {
 6 |     local klee_args=(
 7 |         "-only-output-states-covering-new"
 8 |         "-libc=uclibc"
 9 |         "-posix-runtime"
10 |         "-simplify-sym-indices"
11 |     )
12 | 
13 |     local arg_max_memory="${MAX_MEM:-2000}"
14 |     local arg_max_time="${MAX_TIME:-1200}"
15 |     local app_bc_path="$1"
16 | 
17 |     log-debug "Symbolic argument size = $SYM_ARG_SIZE"
18 |     log-debug "Application is at $app_bc_path"
19 | 
20 |     log-info "Starting symbolic execution"
21 |     klee_args+=(
22 |         "-max-instruction-time=30"
23 |         "-max-memory=$arg_max_memory"
24 |         "-max-time=$arg_max_time"
25 |         "-max-sym-array-size=4096"
26 |     )
27 | 
28 |     local args=("$KLEE" "${klee_args[@]}" "$app_bc_path" -sym-arg "$SYM_ARG_SIZE")
29 |     print-args "KLEE cmdline:" "${args[@]}"
30 |     "${args[@]}"
31 | }
32 | 
33 | dyn-fuzz() {
34 |     if [[ "$1" != "-afl_mode" ]]; then
35 |         # local args=("$AFL_PREFIX/bin/afl-fuzz" "-m 20981520 -t 1000" "$@")
36 |         # print-args "AFL cmdline:" "${args[@]}"
37 |         # "${args[@]}"
38 |         tmux new -s deep_fuzzer -d
39 | 
40 |         tmux send -t "deep_fuzzer" "$AFL_PREFIX/bin/afl-fuzz -i ../sym/seed -o out -m 20981520 -t 1000  -M master $@" Enter
41 | 
42 |         tmux split-window -h -t "deep_fuzzer"
43 |         tmux send -t "deep_fuzzer" "$AFL_PREFIX/bin/afl-fuzz -i ../sym/seed -o out  -m 20981520 -t 1000 -S fuzzer1 $@" Enter
44 |         # 默认上下分屏
45 |         tmux split-window -t "deep_fuzzer"
46 |         tmux select-pane -L
47 |         tmux split-window -t "deep_fuzzer"
48 |         tmux send -t "deep_fuzzer" "$AFL_PREFIX/bin/afl-fuzz -i ../sym/seed -o out -m 20981520 -t 1000  -S fuzzer2 $@" Enter
49 |         tmux select-pane -R
50 |         tmux send -t "deep_fuzzer" "$AFL_PREFIX/bin/afl-fuzz -i ../sym/seed -o out  -m 20981520 -t 1000  -S fuzzer3 $@" Enter
51 | 
52 |         tmux attach -t deep_fuzzer
53 | 
54 |      else
55 |         local args=("$AFL_PREFIX/bin/afl-fuzz" "-m 20981520" "${@:2}")
56 |         print-args "AFL cmdline:" "${args[@]}"
57 |         "${args[@]}"
58 |      fi
59 | 
60 | }
61 | 
62 | usage() {
63 |     local prog="$(basename "$0")"
64 |     log-error "Usage\n" \
65 |               "    $prog app\n"
66 | }
67 | 
68 | [[ "$#" == 0 ]] && usage
69 | 
70 | load-config
71 | if [[ "$MODE" == sym ]]; then
72 |     . $(dirname "$0")/lib-sym
73 |     sym-fuzz "$1.bc"
74 | else
75 |     . $(dirname "$0")/lib-dyn
76 |     dyn-fuzz "$@"
77 | fi
78 | 


--------------------------------------------------------------------------------
/seed_generation/src/date-link:
--------------------------------------------------------------------------------
 1 | #!/opt/tsmart-date/tbash
 2 | set -eu
 3 | . $(dirname "$0")/lib-common
 4 | 
 5 | usage() {
 6 |     local prog="$(basename "$0")"
 7 |     log-error "Usage\n" \
 8 |               "    $prog obj-file [...]\n"
 9 | }
10 | 
11 | generate-sym-driver() {
12 |     local src_path="$TOOLCHAIN_PREFIX/driver.c"
13 |     log-info "Generating driver, symbolic argument size = $SYM_ARG_SIZE"
14 | 
15 |     cat > "$src_path" <<EOF
16 | #include <stdlib.h>
17 | #include <stdint.h>
18 | 
19 | int LLVMFuzzerTestOneInput(const char *Data, size_t Size);
20 | 
21 | int main(int argc, char **argv) {
22 |   LLVMFuzzerTestOneInput(argv[1], $SYM_ARG_SIZE);
23 | }
24 | EOF
25 |     run-cc -xc -c -o "$OBJ_PATH" "$src_path"
26 | }
27 | 
28 | link-objects() {
29 |     log-info "Linking objects"
30 |     args=("$@" -o app)
31 |     run-cxx "${ARR_LDFLAGS[@]}" "${args[@]}"
32 | }
33 | 
34 | extract-bitcode() {
35 |     log-info "Extracting bitcode"
36 |     "$WLLVM_PREFIX/bin/extract-bc" -v app
37 | }
38 | 
39 | [[ "$#" == 0 ]] && usage
40 | 
41 | load-config
42 | if [[ "$MODE" == sym ]]; then
43 |     . $(dirname "$0")/lib-sym
44 |     setup-wllvm
45 |     setup-sym-flags
46 |     OBJ_PATH="$TOOLCHAIN_PREFIX/driver.o"
47 |     generate-sym-driver "$OBJ_PATH"
48 |     link-objects "$OBJ_PATH" "$@"
49 |     extract-bitcode
50 | else
51 |     . $(dirname "$0")/lib-dyn
52 |     setup-allvm
53 |     setup-dyn-flags
54 |     OBJ_PATH="$AFL_PREFIX/bin/afl-driver-64.o"
55 |     link-objects "$OBJ_PATH" "$@"
56 | fi
57 | 


--------------------------------------------------------------------------------
/seed_generation/src/date-prepare:
--------------------------------------------------------------------------------
 1 | #!/opt/tsmart-date/tbash
 2 | . $(dirname "$0")/lib-common
 3 | # PATH="$( cd "$( dirname "$_" )" && pwd ):$PATH"
 4 | 
 5 | usage() {
 6 |     local PROG="$(basename "$0")"
 7 |     log-error "Usage\n" \
 8 |               "    $PROG sym SYM_SIZE  -- symbolic mode\n" \
 9 |               "    $PROG dyn           -- dynamic mode"
10 | }
11 | 
12 | [[ "$#" == 0 ]] && usage
13 | 
14 | setup-toolchain
15 | 
16 | case "$1" in
17 |     'sym')
18 |         [[ "$2" =~ ^[0-9]*$ ]] || log-error "symbolic argument size not a number"
19 |         [[ "$2" -ge 1 && "$2" -le 4095 ]] || log-error "Symbolic argument size too big or small"
20 |         log-info "Saving configuration (symbolic, size is $2)"
21 |         save-config "$1" "$2"
22 |     ;;
23 |     'dyn')
24 |         log-info "Saving configuration (dynamic)"
25 |         save-config "$1" ""
26 |     ;;
27 |     *)
28 |         usage
29 |     ;;
30 | esac
31 | 


--------------------------------------------------------------------------------
/seed_generation/src/date-test-gen:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | 
 3 | import os
 4 | import struct
 5 | import sys
 6 | 
 7 | version_no=3
 8 | 
 9 | class KTestError(Exception):
10 |     pass
11 | 
12 | class KTest:
13 |     @staticmethod
14 |     def fromfile(path):
15 |         if not os.path.exists(path):
16 |             print("ERROR: file %s not found" % (path))
17 |             sys.exit(1)
18 |             
19 |         f = open(path,'rb')
20 |         hdr = f.read(5)
21 |         if len(hdr)!=5 or (hdr!=b'KTEST' and hdr != b"BOUT\n"):
22 |             raise KTestError('unrecognized file')
23 |         version, = struct.unpack('>i', f.read(4))
24 |         if version > version_no:
25 |             raise KTestError('unrecognized version')
26 |         numArgs, = struct.unpack('>i', f.read(4))
27 |         args = []
28 |         for i in range(numArgs):
29 |             size, = struct.unpack('>i', f.read(4))
30 |             args.append(str(f.read(size).decode(encoding='ascii')))
31 |             
32 |         if version >= 2:
33 |             symArgvs, = struct.unpack('>i', f.read(4))
34 |             symArgvLen, = struct.unpack('>i', f.read(4))
35 |         else:
36 |             symArgvs = 0
37 |             symArgvLen = 0
38 | 
39 |         numObjects, = struct.unpack('>i', f.read(4))
40 |         objects = []
41 |         for i in range(numObjects):
42 |             size, = struct.unpack('>i', f.read(4))
43 |             name = f.read(size)
44 |             size, = struct.unpack('>i', f.read(4))
45 |             bytes = f.read(size)
46 |             objects.append( (name,bytes) )
47 | 
48 |         # Create an instance
49 |         b = KTest(version, args, symArgvs, symArgvLen, objects)
50 |         # Augment with extra filename field
51 |         b.filename = path
52 |         return b
53 |     
54 |     def __init__(self, version, args, symArgvs, symArgvLen, objects):
55 |         self.version = version
56 |         self.symArgvs = symArgvs
57 |         self.symArgvLen = symArgvLen
58 |         self.args = args
59 |         self.objects = objects
60 | 
61 |         # add a field that represents the name of the program used to
62 |         # generate this .ktest file:
63 |         program_full_path = self.args[0]
64 |         program_name = os.path.basename(program_full_path)
65 |         # sometimes program names end in .bc, so strip them
66 |         if program_name.endswith('.bc'):
67 |           program_name = program_name[:-3]
68 |         self.programName = program_name
69 |         
70 | def trimZeros(str):
71 |     for i in range(len(str))[::-1]:
72 |         if str[i] != '\x00':
73 |             return str[:i+1]
74 |     return ''
75 |     
76 | def main(args):
77 |     import argparse
78 |     parser = argparse.ArgumentParser(description='Testcase generator')
79 |     parser.add_argument('inputs', metavar='input-file', nargs='+',
80 |                         help='ktest files extract testcase')
81 |     parser.add_argument('--output', metavar='output-dir', required=True,
82 |                         help='output directory of AFL to store seeds')
83 |     args = parser.parse_args()
84 | 
85 |     for input_path in args.inputs:
86 |         case = KTest.fromfile(input_path)
87 |         output_path = os.path.basename(input_path)
88 |         output_path = os.path.splitext(output_path)[0]
89 |         output_path = os.path.join(args.output, output_path) + '.symseed'
90 |         for name, data in case.objects:
91 |             if name == b'arg0':
92 |                 open(output_path, 'wb').write(data)
93 | 
94 | 
95 | if __name__=='__main__':
96 |     main(sys.argv)
97 | 


--------------------------------------------------------------------------------
/seed_generation/src/debug-args:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | n=1
4 | for i in "$@"; do
5 |     echo "#$n: $i"
6 |     n=`expr $n + 1`
7 | done
8 | 


--------------------------------------------------------------------------------
/seed_generation/src/lib-common:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | set -eu
  3 | export LD_LIBRARY_PATH=/opt/lib
  4 | 
  5 | # =========== Configuration ===========
  6 | 
  7 | TOOLCHAIN_PREFIX=/tmp/toolchain
  8 | CONFIG_PATH="$TOOLCHAIN_PREFIX/config"
  9 | AS_PREFIX=/usr
 10 | SLLVM_PREFIX=/opt/llvm5
 11 | 
 12 | # =========== Constants ===========
 13 | 
 14 | AS="$TOOLCHAIN_PREFIX/as"
 15 | CC="$TOOLCHAIN_PREFIX/clang"
 16 | CXX="$TOOLCHAIN_PREFIX/clang++"
 17 | 
 18 | # =========== Variables ===========
 19 | 
 20 | declare -a ARR_CFLAGS=()
 21 | declare -a ARR_CXXFLAGS=()
 22 | declare -a ARR_LDFLAGS=()
 23 | declare -a ARR_EXT_ARGS=()
 24 | 
 25 | # =========== Loggers ===========
 26 | 
 27 | log-debug() {
 28 |     echo -e "\e[94m[*]\e[0m $*"
 29 | }
 30 | 
 31 | log-info() {
 32 |     echo -e "\e[92m[+]\e[0m $*"
 33 | }
 34 | 
 35 | log-error() {
 36 |     echo -e "\e[91m[!]\e[0m $*"
 37 |     exit 1
 38 | }
 39 | 
 40 | print-args() {
 41 |     [[ "$#" -le 2 ]] && return
 42 |     log-debug "$1"
 43 |     for arg in "${@:2}"; do
 44 |         log-debug "\t$arg"
 45 |     done
 46 | }
 47 | 
 48 | # =========== Setup ===========
 49 | 
 50 | inject-flags() {
 51 |     local opts=("CXXFLAGS=${ARR_CXXFLAGS[*]} ${CXXFLAGS:-}"
 52 |                 "CFLAGS=${ARR_CFLAGS[*]} ${CFLAGS:-}"
 53 |                 "LDFLAGS=${ARR_LDFLAGS[*]} ${LDFLAGS:-}")
 54 |     export "${opts[@]}"
 55 | }
 56 | 
 57 | inject-compilers() {
 58 |     local opts=("CC=$CC" "CXX=$CXX" "AS=$AS")
 59 |     export "${opts[@]}"
 60 | }
 61 | 
 62 | setup-toolchain() {
 63 | 	log-debug "Toolchain is at $TOOLCHAIN_PREFIX"
 64 | 	mkdir -p "$TOOLCHAIN_PREFIX"
 65 | 	rm -f "$AS" "$CXX" "$CC"
 66 | }
 67 | 
 68 | # Config
 69 | 
 70 | save-config() {
 71 |     cat > "$TOOLCHAIN_PREFIX/config" <<EOF
 72 | # Configuration for TSmart-DATE, don't edit!
 73 | MODE="$1"
 74 | SYM_ARG_SIZE="$2"
 75 | EOF
 76 | }
 77 | 
 78 | load-config() {
 79 |     [[ -e "$CONFIG_PATH" ]] || log-error "Run date-prepare first"
 80 |     . "$TOOLCHAIN_PREFIX/config"
 81 |     log-debug "Config: $MODE $SYM_ARG_SIZE"
 82 | }
 83 | 
 84 | # =========== Wrapper ===========
 85 | 
 86 | run-program() {
 87 |     print-args "Additional argument(s) to pass:" "${ARR_EXT_ARGS[@]}"
 88 |     log-info "Running target program"
 89 |     "$@" "${ARR_EXT_ARGS[@]}"
 90 | }
 91 | 
 92 | run-cc() {
 93 |     args=("$CC" "${ARR_CFLAGS[@]}" "${ARR_EXT_ARGS[@]}" "${@}")
 94 |     print-args "Command to execute:" "${args[@]}"
 95 |     "${args[@]}"
 96 | }
 97 | 
 98 | run-cxx() {
 99 |     args=("$CXX" "${ARR_CXXFLAGS[@]}" "${ARR_EXT_ARGS[@]}" "${@}")
100 |     print-args "Command to execute:" "${args[@]}"
101 |     "${args[@]}"
102 | }
103 | 


--------------------------------------------------------------------------------
/seed_generation/src/lib-dyn:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | . $(dirname "$0")/lib-common
 3 | 
 4 | AFL_PREFIX=/opt/afl
 5 | 
 6 | # Quiet by default
 7 | export AFL_QUIET="${AFL_QUIET:-1}"
 8 | [[ "$AFL_QUIET" == "0" ]] && unset AFL_QUIET
 9 | 
10 | setup-dyn-flags() {
11 |     local opts=(
12 |         "-fno-omit-frame-pointer"
13 |         "-g"
14 |         "-fsanitize=address")
15 |     ARR_CFLAGS=("${opts[@]}")
16 |     ARR_CXXFLAGS=("${opts[@]}")
17 |     ARR_LDFLAGS=("${opts[@]}")
18 | }
19 | 
20 | setup-allvm() {
21 |     log-info "Setting up AFL toolchain"
22 |     log-debug "AFL LLVM is at $AFL_PREFIX"
23 | 
24 |     setup-toolchain
25 |     ln -s "$AFL_PREFIX"/bin/afl-clang-fast   "$CC"
26 |     ln -s "$AFL_PREFIX"/bin/afl-clang-fast++ "$CXX"
27 |     ln -s "$AS_PREFIX"/bin/as                "$AS"
28 | 
29 |     export AFL_CXX="$SLLVM_PREFIX/bin/clang++" \
30 |            AFL_CC="$SLLVM_PREFIX/bin/clang" \
31 |            AFL_AS="$AS_PREFIX/bin/as" \
32 |            AFL_PATH="$AFL_PREFIX/bin"
33 | }
34 | 


--------------------------------------------------------------------------------
/seed_generation/src/lib-sym:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | . $(dirname "$0")/lib-common
 3 | 
 4 | KLLVM_PREFIX=/opt/llvm
 5 | WLLVM_PREFIX=/opt/wllvm
 6 | 
 7 | KLEE_PREFIX=/opt/klee
 8 | KLEE="$KLEE_PREFIX"/bin/klee
 9 | 
10 | setup-sym-flags() {
11 |     ARR_CXXFLAGS=("-stdlib=libc++" "-I$KLLVM_PREFIX/include/c++/v1" "-Qunused-arguments")
12 |     ARR_LDFLAGS=("-L$KLLVM_PREFIX/lib" "-Wl,-rpath,$KLLVM_PREFIX/lib")
13 | }
14 | 
15 | setup-kllvm() {
16 |     log-info "Setting up bitcode toolchain (unfiltered)"
17 |     log-debug "LLVM is at $KLLVM_PREFIX"
18 | 
19 |     setup-toolchain
20 |     ln -s "$KLLVM_PREFIX"/bin/clang   "$CC"
21 |     ln -s "$KLLVM_PREFIX"/bin/clang++ "$CXX"
22 |     ln -s "$AS_PREFIX"/bin/as         "$AS"
23 | }
24 | 
25 | setup-wllvm() {
26 |     log-info "Setting up bitcode toolchain"
27 |     log-debug "WLLVM is at $WLLVM_PREFIX"
28 | 
29 |     setup-toolchain
30 |     ln -s "$WLLVM_PREFIX"/bin/wllvm    "$CC"
31 |     ln -s "$WLLVM_PREFIX"/bin/wllvm++  "$CXX"
32 |     ln -s "$AS_PREFIX"/bin/wllvm-as    "$AS"
33 | 
34 |     export LLVM_COMPILER=clang LLVM_COMPILER_PATH="$KLLVM_PREFIX"/bin
35 | }
36 | 


--------------------------------------------------------------------------------
/testcases/README.testcases:
--------------------------------------------------------------------------------
 1 | =======================
 2 | AFL starting test cases
 3 | =======================
 4 | 
 5 |   (See ../docs/README for the general instruction manual.)
 6 | 
 7 | The archives/, images/, multimedia/, and others/ subdirectories contain small,
 8 | standalone files that can be used to seed afl-fuzz when testing parsers for a
 9 | variety of common data formats.
10 | 
11 | There is probably not much to be said about these files, except that they were
12 | optimized for size and stripped of any non-essential fluff. Some directories
13 | contain several examples that exercise various features of the underlying format.
14 | For example, there is a PNG file with and without a color profile.
15 | 
16 | Additional test cases are always welcome.
17 | 
18 | In addition to well-chosen starting files, many fuzzing jobs benefit from a
19 | small and concise dictionary. See ../dictionaries/README.dictionaries for more.
20 | 


--------------------------------------------------------------------------------
/testcases/archives/common/ar/small_archive.a:
--------------------------------------------------------------------------------
1 | !<arch>
2 | limerick/       1415337776  500   500   100640  191       `
3 | There was a young man from Japan
4 | Whose limericks never would scan.
5 | When asked why that was,
6 | He replied "It's because
7 | I always try to cram as many words into the last line as I possibly can."
8 | 
9 | 


--------------------------------------------------------------------------------
/testcases/archives/common/bzip2/small_archive.bz2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/testcases/archives/common/bzip2/small_archive.bz2


--------------------------------------------------------------------------------
/testcases/archives/common/cab/small_archive.cab:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/testcases/archives/common/cab/small_archive.cab


--------------------------------------------------------------------------------
/testcases/archives/common/compress/small_archive.Z:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/testcases/archives/common/compress/small_archive.Z


--------------------------------------------------------------------------------
/testcases/archives/common/cpio/small_archive.cpio:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/testcases/archives/common/cpio/small_archive.cpio


--------------------------------------------------------------------------------
/testcases/archives/common/gzip/small_archive.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/testcases/archives/common/gzip/small_archive.gz


--------------------------------------------------------------------------------
/testcases/archives/common/lzo/small_archive.lzo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/testcases/archives/common/lzo/small_archive.lzo


--------------------------------------------------------------------------------
/testcases/archives/common/rar/small_archive.rar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/testcases/archives/common/rar/small_archive.rar


--------------------------------------------------------------------------------
/testcases/archives/common/tar/small_archive.tar:
--------------------------------------------------------------------------------
1 | limerick0000640000076400007640000000027712427053460012465 0ustar  lcamtuflcamtufThere was a young man from Japan
2 | Whose limericks never would scan.
3 | When asked why that was,
4 | He replied "It's because
5 | I always try to cram as many words into the last line as I possibly can."
6 | 


--------------------------------------------------------------------------------
/testcases/archives/common/xz/small_archive.xz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/testcases/archives/common/xz/small_archive.xz


--------------------------------------------------------------------------------
/testcases/archives/common/zip/small_archive.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/testcases/archives/common/zip/small_archive.zip


--------------------------------------------------------------------------------
/testcases/archives/exotic/arj/small_archive.arj:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/testcases/archives/exotic/arj/small_archive.arj


--------------------------------------------------------------------------------
/testcases/archives/exotic/lha/small_archive.lha:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/testcases/archives/exotic/lha/small_archive.lha


--------------------------------------------------------------------------------
/testcases/archives/exotic/lrzip/small_archive.lrz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/testcases/archives/exotic/lrzip/small_archive.lrz


--------------------------------------------------------------------------------
/testcases/archives/exotic/lzip/small_archive.lz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/testcases/archives/exotic/lzip/small_archive.lz


--------------------------------------------------------------------------------
/testcases/archives/exotic/lzma/small_archive.lzma:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/testcases/archives/exotic/lzma/small_archive.lzma


--------------------------------------------------------------------------------
/testcases/archives/exotic/rzip/small_archive.rz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/testcases/archives/exotic/rzip/small_archive.rz


--------------------------------------------------------------------------------
/testcases/archives/exotic/zoo/small_archive.zoo:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/testcases/archives/exotic/zoo/small_archive.zoo


--------------------------------------------------------------------------------
/testcases/images/bmp/not_kitty.bmp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/testcases/images/bmp/not_kitty.bmp


--------------------------------------------------------------------------------
/testcases/images/gif/not_kitty.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/testcases/images/gif/not_kitty.gif


--------------------------------------------------------------------------------
/testcases/images/ico/not_kitty.ico:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/testcases/images/ico/not_kitty.ico


--------------------------------------------------------------------------------
/testcases/images/jp2/not_kitty.jp2:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/testcases/images/jp2/not_kitty.jp2


--------------------------------------------------------------------------------
/testcases/images/jpeg/not_kitty.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/testcases/images/jpeg/not_kitty.jpg


--------------------------------------------------------------------------------
/testcases/images/jxr/not_kitty.jxr:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/testcases/images/jxr/not_kitty.jxr


--------------------------------------------------------------------------------
/testcases/images/png/not_kitty.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/testcases/images/png/not_kitty.png


--------------------------------------------------------------------------------
/testcases/images/png/not_kitty_alpha.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/testcases/images/png/not_kitty_alpha.png


--------------------------------------------------------------------------------
/testcases/images/png/not_kitty_gamma.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/testcases/images/png/not_kitty_gamma.png


--------------------------------------------------------------------------------
/testcases/images/png/not_kitty_icc.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/testcases/images/png/not_kitty_icc.png


--------------------------------------------------------------------------------
/testcases/images/tiff/not_kitty.tiff:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/testcases/images/tiff/not_kitty.tiff


--------------------------------------------------------------------------------
/testcases/images/webp/not_kitty.webp:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/testcases/images/webp/not_kitty.webp


--------------------------------------------------------------------------------
/testcases/multimedia/h264/small_movie.mp4:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/testcases/multimedia/h264/small_movie.mp4


--------------------------------------------------------------------------------
/testcases/others/elf/small_exec.elf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/testcases/others/elf/small_exec.elf


--------------------------------------------------------------------------------
/testcases/others/js/small_script.js:
--------------------------------------------------------------------------------
1 | if (1==1) eval('1');


--------------------------------------------------------------------------------
/testcases/others/pcap/small_capture.pcap:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Ljiee/deepfuzz/9ce7eb17f5e862ec26df7db4682ca9fb7c929727/testcases/others/pcap/small_capture.pcap


--------------------------------------------------------------------------------
/testcases/others/pdf/small.pdf:
--------------------------------------------------------------------------------
1 | %PDF-1.0
2 | 1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj 2 0 obj<</Type/Pages/Kids[3 0 R]/Count 1>>endobj 3 0 obj<</Type/Page/MediaBox[0 0 3 3]>>endobj trailer<</Size 4/Root 1 0 R>>


--------------------------------------------------------------------------------
/testcases/others/rtf/small_document.rtf:
--------------------------------------------------------------------------------
1 | {\rtf1\pard Test\par}


--------------------------------------------------------------------------------
/testcases/others/sql/simple_queries.sql:
--------------------------------------------------------------------------------
1 | create table t1(one smallint);
2 | insert into t1 values(1);
3 | select * from t1;
4 | 


--------------------------------------------------------------------------------
/testcases/others/text/hello_world.txt:
--------------------------------------------------------------------------------
1 | hello
2 | 


--------------------------------------------------------------------------------
/testcases/others/xml/small_document.xml:
--------------------------------------------------------------------------------
1 | <a b="c">d</a>
2 | 


--------------------------------------------------------------------------------