"
19 | echo
20 |
21 | if [ ! "$#" = "2" ]; then
22 |
23 | cat 1>&2 <<_EOF_
24 | This program generates gnuplot images from afl-fuzz output data. Usage:
25 |
26 | $0 afl_state_dir graph_output_dir
27 |
28 | The afl_state_dir parameter should point to an existing state directory for any
29 | active or stopped instance of afl-fuzz; while graph_output_dir should point to
30 | an empty directory where this tool can write the resulting plots to.
31 |
32 | The program will put index.html and three PNG images in the output directory;
33 | you should be able to view it with any web browser of your choice.
34 |
35 | _EOF_
36 |
37 | exit 1
38 |
39 | fi
40 |
41 | if [ "$AFL_ALLOW_TMP" = "" ]; then
42 |
43 | echo "$1" | grep -qE '^(/var)?/tmp/'
44 | T1="$?"
45 |
46 | echo "$2" | grep -qE '^(/var)?/tmp/'
47 | T2="$?"
48 |
49 | if [ "$T1" = "0" -o "$T2" = "0" ]; then
50 |
51 | echo "[-] Error: this script shouldn't be used with shared /tmp directories." 1>&2
52 | exit 1
53 |
54 | fi
55 |
56 | fi
57 |
58 | if [ ! -f "$1/plot_data" ]; then
59 |
60 | echo "[-] Error: input directory is not valid (missing 'plot_data')." 1>&2
61 | exit 1
62 |
63 | fi
64 |
65 | BANNER="`cat "$1/fuzzer_stats" | grep '^afl_banner ' | cut -d: -f2- | cut -b2-`"
66 |
67 | test "$BANNER" = "" && BANNER="(none)"
68 |
69 | GNUPLOT=`which gnuplot 2>/dev/null`
70 |
71 | if [ "$GNUPLOT" = "" ]; then
72 |
73 | echo "[-] Error: can't find 'gnuplot' in your \$PATH." 1>&2
74 | exit 1
75 |
76 | fi
77 |
78 | mkdir "$2" 2>/dev/null
79 |
80 | if [ ! -d "$2" ]; then
81 |
82 | echo "[-] Error: unable to create the output directory - pick another location." 1>&2
83 | exit 1
84 |
85 | fi
86 |
87 | rm -f "$2/high_freq.png" "$2/low_freq.png" "$2/exec_speed.png"
88 | mv -f "$2/index.html" "$2/index.html.orig" 2>/dev/null
89 |
90 | echo "[*] Generating plots..."
91 |
92 | (
93 |
94 | cat <<_EOF_
95 | set terminal png truecolor enhanced size 1000,300 butt
96 |
97 | set output '$2/high_freq.png'
98 |
99 | set xdata time
100 | set timefmt '%s'
101 | set format x "%b %d\n%H:%M"
102 | set tics font 'small'
103 | unset mxtics
104 | unset mytics
105 |
106 | set grid xtics linetype 0 linecolor rgb '#e0e0e0'
107 | set grid ytics linetype 0 linecolor rgb '#e0e0e0'
108 | set border linecolor rgb '#50c0f0'
109 | set tics textcolor rgb '#000000'
110 | set key outside
111 |
112 | set autoscale xfixmin
113 | set autoscale xfixmax
114 |
115 | plot '$1/plot_data' using 1:4 with filledcurve x1 title 'total paths' linecolor rgb '#000000' fillstyle transparent solid 0.2 noborder, \\
116 | '' using 1:3 with filledcurve x1 title 'current path' linecolor rgb '#f0f0f0' fillstyle transparent solid 0.5 noborder, \\
117 | '' using 1:5 with lines title 'pending paths' linecolor rgb '#0090ff' linewidth 3, \\
118 | '' using 1:6 with lines title 'pending favs' linecolor rgb '#c00080' linewidth 3, \\
119 | '' using 1:2 with lines title 'cycles done' linecolor rgb '#c000f0' linewidth 3
120 |
121 | set terminal png truecolor enhanced size 1000,200 butt
122 | set output '$2/low_freq.png'
123 |
124 | plot '$1/plot_data' using 1:8 with filledcurve x1 title '' linecolor rgb '#c00080' fillstyle transparent solid 0.2 noborder, \\
125 | '' using 1:8 with lines title ' uniq crashes' linecolor rgb '#c00080' linewidth 3, \\
126 | '' using 1:9 with lines title 'uniq hangs' linecolor rgb '#c000f0' linewidth 3, \\
127 | '' using 1:10 with lines title 'levels' linecolor rgb '#0090ff' linewidth 3
128 |
129 | set terminal png truecolor enhanced size 1000,200 butt
130 | set output '$2/exec_speed.png'
131 |
132 | plot '$1/plot_data' using 1:11 with filledcurve x1 title '' linecolor rgb '#0090ff' fillstyle transparent solid 0.2 noborder, \\
133 | '$1/plot_data' using 1:11 with lines title ' execs/sec' linecolor rgb '#0090ff' linewidth 3 smooth bezier;
134 |
135 | _EOF_
136 |
137 | ) | gnuplot
138 |
139 | if [ ! -s "$2/exec_speed.png" ]; then
140 |
141 | echo "[-] Error: something went wrong! Perhaps you have an ancient version of gnuplot?" 1>&2
142 | exit 1
143 |
144 | fi
145 |
146 | echo "[*] Generating index.html..."
147 |
148 | cat >"$2/index.html" <<_EOF_
149 |
150 | | Banner: | $BANNER |
151 | | Directory: | $1 |
152 | | Generated on: | `date` |
153 |
154 |
155 | 
156 | 
157 | 
158 |
159 | _EOF_
160 |
161 | # Make it easy to remotely view results when outputting directly to a directory
162 | # served by Apache or other HTTP daemon. Since the plots aren't horribly
163 | # sensitive, this seems like a reasonable trade-off.
164 |
165 | chmod 755 "$2"
166 | chmod 644 "$2/high_freq.png" "$2/low_freq.png" "$2/exec_speed.png" "$2/index.html"
167 |
168 | echo "[+] All done - enjoy your charts!"
169 |
170 | exit 0
171 |
--------------------------------------------------------------------------------
/llvm_mode/afl-llvm-pass.so.cc:
--------------------------------------------------------------------------------
1 | /*
2 | american fuzzy lop - LLVM-mode instrumentation pass
3 | ---------------------------------------------------
4 |
5 | Written by Laszlo Szekeres and
6 | Michal Zalewski
7 |
8 | LLVM integration design comes from Laszlo Szekeres. C bits copied-and-pasted
9 | from afl-as.c are Michal's fault.
10 |
11 | Copyright 2015, 2016 Google Inc. All rights reserved.
12 |
13 | Licensed under the Apache License, Version 2.0 (the "License");
14 | you may not use this file except in compliance with the License.
15 | You may obtain a copy of the License at:
16 |
17 | http://www.apache.org/licenses/LICENSE-2.0
18 |
19 | This library is plugged into LLVM when invoking clang through afl-clang-fast.
20 | It tells the compiler to add code roughly equivalent to the bits discussed
21 | in ../afl-as.h.
22 |
23 | */
24 |
25 | #define AFL_LLVM_PASS
26 |
27 | #include "../config.h"
28 | #include "../debug.h"
29 |
30 | #include
31 | #include
32 | #include
33 |
34 | #include "llvm/ADT/Statistic.h"
35 | #include "llvm/IR/IRBuilder.h"
36 | #include "llvm/IR/LegacyPassManager.h"
37 | #include "llvm/IR/Module.h"
38 | #include "llvm/Support/Debug.h"
39 | #include "llvm/Transforms/IPO/PassManagerBuilder.h"
40 |
41 | using namespace llvm;
42 |
43 | namespace {
44 |
45 | class AFLCoverage : public ModulePass {
46 |
47 | public:
48 |
49 | static char ID;
50 | AFLCoverage() : ModulePass(ID) { }
51 |
52 | bool runOnModule(Module &M) override;
53 |
54 | // StringRef getPassName() const override {
55 | // return "American Fuzzy Lop Instrumentation";
56 | // }
57 |
58 | };
59 |
60 | }
61 |
62 |
63 | char AFLCoverage::ID = 0;
64 |
65 |
66 | bool AFLCoverage::runOnModule(Module &M) {
67 |
68 | LLVMContext &C = M.getContext();
69 |
70 | IntegerType *Int8Ty = IntegerType::getInt8Ty(C);
71 | IntegerType *Int32Ty = IntegerType::getInt32Ty(C);
72 |
73 | /* Show a banner */
74 |
75 | char be_quiet = 0;
76 |
77 | if (isatty(2) && !getenv("AFL_QUIET")) {
78 |
79 | SAYF(cCYA "afl-llvm-pass " cBRI VERSION cRST " by \n");
80 |
81 | } else be_quiet = 1;
82 |
83 | /* Decide instrumentation ratio */
84 |
85 | char* inst_ratio_str = getenv("AFL_INST_RATIO");
86 | unsigned int inst_ratio = 100;
87 |
88 | if (inst_ratio_str) {
89 |
90 | if (sscanf(inst_ratio_str, "%u", &inst_ratio) != 1 || !inst_ratio ||
91 | inst_ratio > 100)
92 | FATAL("Bad value of AFL_INST_RATIO (must be between 1 and 100)");
93 |
94 | }
95 |
96 | /* Get globals for the SHM region and the previous location. Note that
97 | __afl_prev_loc is thread-local. */
98 |
99 | GlobalVariable *AFLMapPtr =
100 | new GlobalVariable(M, PointerType::get(Int8Ty, 0), false,
101 | GlobalValue::ExternalLinkage, 0, "__afl_area_ptr");
102 |
103 | GlobalVariable *AFLPrevLoc = new GlobalVariable(
104 | M, Int32Ty, false, GlobalValue::ExternalLinkage, 0, "__afl_prev_loc",
105 | 0, GlobalVariable::GeneralDynamicTLSModel, 0, false);
106 |
107 | /* Instrument all the things! */
108 |
109 | int inst_blocks = 0;
110 |
111 | for (auto &F : M)
112 | for (auto &BB : F) {
113 |
114 | BasicBlock::iterator IP = BB.getFirstInsertionPt();
115 | IRBuilder<> IRB(&(*IP));
116 |
117 | if (AFL_R(100) >= inst_ratio) continue;
118 |
119 | /* Make up cur_loc */
120 |
121 | unsigned int cur_loc = AFL_R(MAP_SIZE);
122 |
123 | ConstantInt *CurLoc = ConstantInt::get(Int32Ty, cur_loc);
124 |
125 | /* Load prev_loc */
126 |
127 | LoadInst *PrevLoc = IRB.CreateLoad(AFLPrevLoc);
128 | PrevLoc->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
129 | Value *PrevLocCasted = IRB.CreateZExt(PrevLoc, IRB.getInt32Ty());
130 |
131 | /* Load SHM pointer */
132 |
133 | LoadInst *MapPtr = IRB.CreateLoad(AFLMapPtr);
134 | MapPtr->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
135 | Value *MapPtrIdx =
136 | IRB.CreateGEP(MapPtr, IRB.CreateXor(PrevLocCasted, CurLoc));
137 |
138 | /* Update bitmap */
139 |
140 | LoadInst *Counter = IRB.CreateLoad(MapPtrIdx);
141 | Counter->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
142 | Value *Incr = IRB.CreateAdd(Counter, ConstantInt::get(Int8Ty, 1));
143 | IRB.CreateStore(Incr, MapPtrIdx)
144 | ->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
145 |
146 | /* Set prev_loc to cur_loc >> 1 */
147 |
148 | StoreInst *Store =
149 | IRB.CreateStore(ConstantInt::get(Int32Ty, cur_loc >> 1), AFLPrevLoc);
150 | Store->setMetadata(M.getMDKindID("nosanitize"), MDNode::get(C, None));
151 |
152 | inst_blocks++;
153 |
154 | }
155 |
156 | /* Say something nice. */
157 |
158 | if (!be_quiet) {
159 |
160 | if (!inst_blocks) WARNF("No instrumentation targets found.");
161 | else OKF("Instrumented %u locations (%s mode, ratio %u%%).",
162 | inst_blocks, getenv("AFL_HARDEN") ? "hardened" :
163 | ((getenv("AFL_USE_ASAN") || getenv("AFL_USE_MSAN")) ?
164 | "ASAN/MSAN" : "non-hardened"), inst_ratio);
165 |
166 | }
167 |
168 | return true;
169 |
170 | }
171 |
172 |
173 | static void registerAFLPass(const PassManagerBuilder &,
174 | legacy::PassManagerBase &PM) {
175 |
176 | PM.add(new AFLCoverage());
177 |
178 | }
179 |
180 |
181 | static RegisterStandardPasses RegisterAFLPass(
182 | PassManagerBuilder::EP_OptimizerLast, registerAFLPass);
183 |
184 | static RegisterStandardPasses RegisterAFLPass0(
185 | PassManagerBuilder::EP_EnabledOnOptLevel0, registerAFLPass);
186 |
--------------------------------------------------------------------------------
/qemu_mode/README.qemu:
--------------------------------------------------------------------------------
1 | =========================================================
2 | High-performance binary-only instrumentation for afl-fuzz
3 | =========================================================
4 |
5 | (See ../docs/README for the general instruction manual.)
6 |
7 | 1) Introduction
8 | ---------------
9 |
10 | The code in this directory allows you to build a standalone feature that
11 | leverages the QEMU "user emulation" mode and allows callers to obtain
12 | instrumentation output for black-box, closed-source binaries. This mechanism
13 | can be then used by afl-fuzz to stress-test targets that couldn't be built
14 | with afl-gcc.
15 |
16 | The usual performance cost is 2-5x, which is considerably better than
17 | seen so far in experiments with tools such as DynamoRIO and PIN.
18 |
19 | The idea and much of the implementation comes from Andrew Griffiths.
20 |
21 | 2) How to use
22 | -------------
23 |
24 | The feature is implemented with a fairly simple patch to QEMU 2.3.0. The
25 | simplest way to build it is to run ./build_qemu_support.sh. The script will
26 | download, configure, and compile the QEMU binary for you.
27 |
28 | QEMU is a big project, so this will take a while, and you may have to
29 | resolve a couple of dependencies (most notably, you will definitely need
30 | libtool and glib2-devel).
31 |
32 | Once the binaries are compiled, you can leverage the QEMU tool by calling
33 | afl-fuzz and all the related utilities with -Q in the command line.
34 |
35 | Note that QEMU requires a generous memory limit to run; somewhere around
36 | 200 MB is a good starting point, but considerably more may be needed for
37 | more complex programs. The default -m limit will be automatically bumped up
38 | to 200 MB when specifying -Q to afl-fuzz; be careful when overriding this.
39 |
40 | In principle, if you set CPU_TARGET before calling ./build_qemu_support.sh,
41 | you should get a build capable of running non-native binaries (say, you
42 | can try CPU_TARGET=arm). This is also necessary for running 32-bit binaries
43 | on a 64-bit system (CPU_TARGET=i386).
44 |
45 | Note: if you want the QEMU helper to be installed on your system for all
46 | users, you need to build it before issuing 'make install' in the parent
47 | directory.
48 |
49 | 3) Notes on linking
50 | -------------------
51 |
52 | The feature is supported only on Linux. Supporting BSD may amount to porting
53 | the changes made to linux-user/elfload.c and applying them to
54 | bsd-user/elfload.c, but I have not looked into this yet.
55 |
56 | The instrumentation follows only the .text section of the first ELF binary
57 | encountered in the linking process. It does not trace shared libraries. In
58 | practice, this means two things:
59 |
60 | - Any libraries you want to analyze *must* be linked statically into the
61 | executed ELF file (this will usually be the case for closed-source
62 | apps).
63 |
64 | - Standard C libraries and other stuff that is wasteful to instrument
65 | should be linked dynamically - otherwise, AFL will have no way to avoid
66 | peeking into them.
67 |
68 | Setting AFL_INST_LIBS=1 can be used to circumvent the .text detection logic
69 | and instrument every basic block encountered.
70 |
71 | 4) Benchmarking
72 | ---------------
73 |
74 | If you want to compare the performance of the QEMU instrumentation with that of
75 | afl-gcc compiled code against the same target, you need to build the
76 | non-instrumented binary with the same optimization flags that are normally
77 | injected by afl-gcc, and make sure that the bits to be tested are statically
78 | linked into the binary. A common way to do this would be:
79 |
80 | $ CFLAGS="-O3 -funroll-loops" ./configure --disable-shared
81 | $ make clean all
82 |
83 | Comparative measurements of execution speed or instrumentation coverage will be
84 | fairly meaningless if the optimization levels or instrumentation scopes don't
85 | match.
86 |
87 | 5) Gotchas, feedback, bugs
88 | --------------------------
89 |
90 | If you need to fix up checksums or do other cleanup on mutated test cases, see
91 | experimental/post_library/ for a viable solution.
92 |
93 | Do not mix QEMU mode with ASAN, MSAN, or the likes; QEMU doesn't appreciate
94 | the "shadow VM" trick employed by the sanitizers and will probably just
95 | run out of memory.
96 |
97 | Compared to fully-fledged virtualization, the user emulation mode is *NOT* a
98 | security boundary. The binaries can freely interact with the host OS. If you
99 | somehow need to fuzz an untrusted binary, put everything in a sandbox first.
100 |
101 | QEMU does not necessarily support all CPU or hardware features that your
102 | target program may be utilizing. In particular, it does not appear to have
103 | full support for AVX2 / FMA3. Using binaries for older CPUs, or recompiling them
104 | with -march=core2, can help.
105 |
106 | Beyond that, this is an early-stage mechanism, so fields reports are welcome.
107 | You can send them to .
108 |
109 | 6) Alternatives: static rewriting
110 | ---------------------------------
111 |
112 | Statically rewriting binaries just once, instead of attempting to translate
113 | them at run time, can be a faster alternative. That said, static rewriting is
114 | fraught with peril, because it depends on being able to properly and fully model
115 | program control flow without actually executing each and every code path.
116 |
117 | If you want to experiment with this mode of operation, there is a module
118 | contributed by Aleksandar Nikolich:
119 |
120 | https://github.com/vrtadmin/moflow/tree/master/afl-dyninst
121 | https://groups.google.com/forum/#!topic/afl-users/HlSQdbOTlpg
122 |
123 | At this point, the author reports the possibility of hiccups with stripped
124 | binaries. That said, if we can get it to be comparably reliable to QEMU, we may
125 | decide to switch to this mode, but I had no time to play with it yet.
126 |
--------------------------------------------------------------------------------
/seed_generation/README.md:
--------------------------------------------------------------------------------
1 | DeepFuzzer Seed Generator
2 | ==================
3 |
4 | ## Install
5 | DeepFuzzer Seed Generator should be extracted to the root directory of your OS. Please configure the `PATH` environment variable in your shell first, to include `/opt/tsmart-date/`.
6 |
7 | Execute in shell:
8 |
9 | ```sh
10 | export PATH="/opt/tsmart-date:$PATH"
11 | ```
12 |
13 | Or you can directly insert the content above in configuration files such as `~/.bashrc`.
14 |
15 | ## Symbolic execution
16 |
17 | ### Configure and Build
18 | DeepFuzzer uses symbolic execution to build high-quality seeds as the input for fuzzer, thus the first step is to configure the size of the input. For example, execute the following command when you want 10 bytes:
19 |
20 |
21 | ```sh
22 | ~/test/c-ares root@DTG
23 | ❯ date-prepare sym 10
24 | [*] Toolchain is at /tmp/toolchain
25 | [+] Saving configuration (symbolic, size is 10)
26 | ```
27 |
28 | Next, let's configure the project before build. Just like normal configuration procedure, you only need to insert `date-configure` before the command.
29 |
30 | ```sh
31 | ~/test/c-ares/src heads/master* root@DTG
32 | ❯ date-configure ./configure
33 | [*] Config: sym 10
34 | [+] Setting up bitcode toolchain (unfiltered)
35 | [*] LLVM is at /opt/llvm
36 | [*] Toolchain is at /tmp/toolchain
37 | [*] Additional argument(s) to pass:
38 | [*] CXXFLAGS=-stdlib=libc++ -nostdinc -I/opt/llvm/include/c++/v1 -Qunused-arguments
39 | [*] LDFLAGS=-stdlib=libc++ -nostdinc -L/opt/llvm/lib -Wl,-rpath,/opt/llvm/lib
40 | [*] CC=/tmp/toolchain/clang
41 | [*] CXX=/tmp/toolchain/clang++
42 | [+] Running target program
43 | checking whether to enable maintainer-specific portions of Makefiles... no
44 | [...]
45 | config.status: executing libtool commands
46 | configure: amending ./Makefile
47 | ```
48 |
49 | The next step is compilation. Just like normal configuration procedure, you need to insert `date-build` before the command.
50 |
51 |
52 | ```sh
53 | ❯ date-build make -j
54 | [*] Config: sym 10
55 | [+] Setting up bitcode toolchain
56 | [*] WLLVM is at /opt/wllvm
57 | [*] Toolchain is at /tmp/toolchain
58 | [+] Custom build comand, ignoring
59 | [+] Running target program
60 | make all-recursive
61 | [...]
62 | make[1]: Leaving directory '/home/hugh/test/c-ares/src'
63 | ```
64 |
65 | After building the library file, you may need to compiler additional test harness. Just like the normal `g++` or `clang` invocation, but you need to insert `date-build` before the command.
66 |
67 | ```sh
68 | ~/test/c-ares root@DTG
69 | ❯ date-build g++ target.cc -I src -c
70 | [*] Config: sym 10
71 | [+] Setting up bitcode toolchain
72 | [*] WLLVM is at /opt/wllvm
73 | [*] Toolchain is at /tmp/toolchain
74 | [+] C++ compiler intercepted
75 | [*] Command to execute:
76 | [*] /tmp/toolchain/clang++
77 | [*] -stdlib=libc++
78 | [*] -nostdinc++
79 | [*] -I/opt/llvm/include/c++/v1
80 | [*] -Qunused-arguments
81 | [*] target.cc
82 | [*] -I
83 | [*] src
84 | [*] -c
85 | ```
86 |
87 | Finally, let's link the object files together! Caveat: DeepFuzzer uses a customized driver instead of the built-in version of clang, so you can't link with the standard toolchain. You should use `date-link` instead.
88 |
89 | The following example links the test harness `target.o` and library `src/.libs/libcares.a` together into binary `app`, and output the LLVM bitcode file `app.bc`.
90 |
91 | ```sh
92 | ~/test/c-ares root@DTG
93 | ❯ date-link target.o src/.libs/libcares.a
94 | [*] Config: sym 10
95 | [+] Setting up bitcode toolchain
96 | [*] WLLVM is at /opt/wllvm
97 | [*] Toolchain is at /tmp/toolchain
98 | [+] Generating driver, symbolic argument size = 10
99 | [*] Command to execute:
100 | [*] /tmp/toolchain/clang
101 | [*] -xc
102 | [*] -c
103 | [*] -o
104 | [*] /tmp/toolchain/driver.o
105 | [*] /tmp/toolchain/driver.c
106 | [+] Linking objects
107 | [*] Command to execute:
108 | [*] /tmp/toolchain/clang++
109 | [*] -stdlib=libc++
110 | [*] -nostdinc++
111 | [*] -I/opt/llvm/include/c++/v1
112 | [*] -Qunused-arguments
113 | [*] -stdlib=libc++
114 | [*] -nostdinc++
115 | [*] -L/opt/llvm/lib
116 | [*] -Wl,-rpath,/opt/llvm/lib
117 | [*] /tmp/toolchain/driver.o
118 | [*] target.o
119 | [*] src/.libs/libcares.a
120 | [*] -o
121 | [*] app
122 | [+] Extracting bitcode
123 | Loading '/tmp/toolchain/.driver.o.bc'
124 | Loading '/home/hugh/test/c-ares/.target.o.bc'
125 | Linking in '/home/hugh/test/c-ares/.target.o.bc'
126 | Loading '/home/hugh/test/c-ares/src/.libcares_la-ares_create_query.o.bc'
127 | Linking in '/home/hugh/test/c-ares/src/.libcares_la-ares_create_query.o.bc'
128 | Loading '/home/hugh/test/c-ares/src/.libcares_la-ares_library_init.o.bc'
129 | Linking in '/home/hugh/test/c-ares/src/.libcares_la-ares_library_init.o.bc'
130 | Writing bitcode...
131 | ```
132 |
133 | ### Start Symbolic execution
134 | Create a new directory for intermediate files for symbolic execution, then place the linked bitcode here. For example, the following command uses `sym` as the directory.
135 |
136 | ```sh
137 | ~/test/c-ares root@DTG
138 | ❯ mkdir sym && cd sym
139 |
140 | ~/test/c-ares/sym root@DTG
141 | ❯ cp ../app.bc .
142 | ```
143 |
144 | Use command `date-fuzz` to start symbolic execution. To get better results, you may re-run it several times.
145 |
146 | ```sh
147 | ~/test/c-ares/sym root@DTG
148 | ❯ date-fuzz app
149 | [*] Config: sym 10
150 | [*] Symbolic argument size = 10
151 | [*] Application is at app.bc
152 | [+] Starting symbolic execution
153 | [*] KLEE cmdline:
154 | [*] /opt/klee/bin/klee
155 | [*] -only-output-states-covering-new
156 | [*] -libc=uclibc
157 | [*] -posix-runtime
158 | [*] -simplify-sym-indices
159 | [*] app.bc
160 | [*] -sym-arg
161 | [*] 10
162 | KLEE: NOTE: Using klee-uclibc : /opt/klee/lib64/klee/runtime/klee-uclibc.bca
163 | KLEE: NOTE: Using model: /opt/klee/lib64/klee/runtime/libkleeRuntimePOSIX.bca
164 | KLEE: output directory is "/home/hugh/test/c-ares/sym/klee-out-0"
165 | KLEE: Using Z3 solver backend
166 | [...]
167 | ^CKLEE: ctrl-c detected, requesting interpreter to halt.
168 | KLEE: halting execution, dumping remaining states
169 |
170 | KLEE: done: total instructions = 224686
171 | KLEE: done: completed paths = 1371
172 | KLEE: done: generated tests = 6
173 | ```
174 |
175 | ### Generate seeds
176 | Symbolic execution outputs testcases. You need to use `date-test-gen` to convert the testcases into seeds that can be used in fuzzing. The following example generates 6 seeds in `seed` directory.
177 |
178 | ```sh
179 | ~/test/c-ares/sym root@DTG
180 | ❯ ls
181 | klee-out-0 app.bc klee-last
182 |
183 | ~/test/c-ares/sym root@DTG
184 | ❯ mkdir seed
185 |
186 | ~/test/c-ares/sym root@DTG
187 | ❯ date-test-gen klee-out-*/*.ktest --output seed
188 |
189 | ~/test/c-ares/sym root@DTG
190 | ❯ ls seed
191 | test000001.symseed test000003.symseed test000005.symseed
192 | test000002.symseed test000004.symseed test000006.symseed
193 | ```
194 |
195 | These seeds can be used as inputs for fuzzing.
196 |
--------------------------------------------------------------------------------
/docs/notes_for_asan.txt:
--------------------------------------------------------------------------------
1 | ==================================
2 | Notes for using ASAN with afl-fuzz
3 | ==================================
4 |
5 | This file discusses some of the caveats for fuzzing under ASAN, and suggests
6 | a handful of alternatives. See README for the general instruction manual.
7 |
8 | 1) Short version
9 | ----------------
10 |
11 | ASAN on 64-bit systems requests a lot of memory in a way that can't be easily
12 | distinguished from a misbehaving program bent on crashing your system.
13 |
14 | Because of this, fuzzing with ASAN is recommended only in four scenarios:
15 |
16 | - On 32-bit systems, where we can always enforce a reasonable memory limit
17 | (-m 800 or so is a good starting point),
18 |
19 | - On 64-bit systems only if you can do one of the following:
20 |
21 | - Compile the binary in 32-bit mode (gcc -m32),
22 |
23 | - Precisely gauge memory needs using http://jwilk.net/software/recidivm .
24 |
25 | - Limit the memory available to process using cgroups on Linux (see
26 | experimental/asan_cgroups).
27 |
28 | To compile with ASAN, set AFL_USE_ASAN=1 before calling 'make clean all'. The
29 | afl-gcc / afl-clang wrappers will pick that up and add the appropriate flags.
30 | Note that ASAN is incompatible with -static, so be mindful of that.
31 |
32 | (You can also use AFL_USE_MSAN=1 to enable MSAN instead.)
33 |
34 | There is also the option of generating a corpus using a non-ASAN binary, and
35 | then feeding it to an ASAN-instrumented one to check for bugs. This is faster,
36 | and can give you somewhat comparable results. You can also try using
37 | libdislocator (see libdislocator/README.dislocator in the parent directory) as a
38 | lightweight and hassle-free (but less thorough) alternative.
39 |
40 | 2) Long version
41 | ---------------
42 |
43 | ASAN allocates a huge region of virtual address space for bookkeeping purposes.
44 | Most of this is never actually accessed, so the OS never has to allocate any
45 | real pages of memory for the process, and the VM grabbed by ASAN is essentially
46 | "free" - but the mapping counts against the standard OS-enforced limit
47 | (RLIMIT_AS, aka ulimit -v).
48 |
49 | On our end, afl-fuzz tries to protect you from processes that go off-rails
50 | and start consuming all the available memory in a vain attempt to parse a
51 | malformed input file. This happens surprisingly often, so enforcing such a limit
52 | is important for almost any fuzzer: the alternative is for the kernel OOM
53 | handler to step in and start killing random processes to free up resources.
54 | Needless to say, that's not a very nice prospect to live with.
55 |
56 | Unfortunately, un*x systems offer no portable way to limit the amount of
57 | pages actually given to a process in a way that distinguishes between that
58 | and the harmless "land grab" done by ASAN. In principle, there are three standard
59 | ways to limit the size of the heap:
60 |
61 | - The RLIMIT_AS mechanism (ulimit -v) caps the size of the virtual space -
62 | but as noted, this pays no attention to the number of pages actually
63 | in use by the process, and doesn't help us here.
64 |
65 | - The RLIMIT_DATA mechanism (ulimit -d) seems like a good fit, but it applies
66 | only to the traditional sbrk() / brk() methods of requesting heap space;
67 | modern allocators, including the one in glibc, routinely rely on mmap()
68 | instead, and circumvent this limit completely.
69 |
70 | - Finally, the RLIMIT_RSS limit (ulimit -m) sounds like what we need, but
71 | doesn't work on Linux - mostly because nobody felt like implementing it.
72 |
73 | There are also cgroups, but they are Linux-specific, not universally available
74 | even on Linux systems, and they require root permissions to set up; I'm a bit
75 | hesitant to make afl-fuzz require root permissions just for that. That said,
76 | if you are on Linux and want to use cgroups, check out the contributed script
77 | that ships in experimental/asan_cgroups/.
78 |
79 | In settings where cgroups aren't available, we have no nice, portable way to
80 | avoid counting the ASAN allocation toward the limit. On 32-bit systems, or for
81 | binaries compiled in 32-bit mode (-m32), this is not a big deal: ASAN needs
82 | around 600-800 MB or so, depending on the compiler - so all you need to do is
83 | to specify -m that is a bit higher than that.
84 |
85 | On 64-bit systems, the situation is more murky, because the ASAN allocation
86 | is completely outlandish - around 17.5 TB in older versions, and closer to
87 | 20 TB with newest ones. The actual amount of memory on your system is
88 | (probably!) just a tiny fraction of that - so unless you dial the limit
89 | with surgical precision, you will get no protection from OOM bugs.
90 |
91 | On my system, the amount of memory grabbed by ASAN with a slightly older
92 | version of gcc is around 17,825,850 MB; for newest clang, it's 20,971,600.
93 | But there is no guarantee that these numbers are stable, and if you get them
94 | wrong by "just" a couple gigs or so, you will be at risk.
95 |
96 | To get the precise number, you can use the recidivm tool developed by Jakub
97 | Wilk (http://jwilk.net/software/recidivm). In absence of this, ASAN is *not*
98 | recommended when fuzzing 64-bit binaries, unless you are confident that they
99 | are robust and enforce reasonable memory limits (in which case, you can
100 | specify '-m none' when calling afl-fuzz).
101 |
102 | Using recidivm or running with no limits aside, there are two other decent
103 | alternatives: build a corpus of test cases using a non-ASAN binary, and then
104 | examine them with ASAN, Valgrind, or other heavy-duty tools in a more
105 | controlled setting; or compile the target program with -m32 (32-bit mode)
106 | if your system supports that.
107 |
108 | 3) Interactions with the QEMU mode
109 | ----------------------------------
110 |
111 | ASAN, MSAN, and other sanitizers appear to be incompatible with QEMU user
112 | emulation, so please do not try to use them with the -Q option; QEMU doesn't
113 | seem to appreciate the shadow VM trick used by these tools, and will likely
114 | just allocate all your physical memory, then crash.
115 |
116 | 4) ASAN and OOM crashes
117 | -----------------------
118 |
119 | By default, ASAN treats memory allocation failures as fatal errors, immediately
120 | causing the program to crash. Since this is a departure from normal POSIX
121 | semantics (and creates the appearance of security issues in otherwise
122 | properly-behaving programs), we try to disable this by specifying
123 | allocator_may_return_null=1 in ASAN_OPTIONS.
124 |
125 | Unfortunately, it's been reported that this setting still causes ASAN to
126 | trigger phantom crashes in situations where the standard allocator would
127 | simply return NULL. If this is interfering with your fuzzing jobs, you may
128 | want to cc: yourself on this bug:
129 |
130 | https://bugs.llvm.org/show_bug.cgi?id=22026
131 |
132 | 5) What about UBSAN?
133 | --------------------
134 |
135 | Some folks expressed interest in fuzzing with UBSAN. This isn't officially
136 | supported, because many installations of UBSAN don't offer a consistent way
137 | to abort() on fault conditions or to terminate with a distinctive exit code.
138 |
139 | That said, some versions of the library can be binary-patched to address this
140 | issue, while newer releases support explicit compile-time flags - see this
141 | mailing list thread for tips:
142 |
143 | https://groups.google.com/forum/#!topic/afl-users/GyeSBJt4M38
144 |
--------------------------------------------------------------------------------
/libtokencap/libtokencap.so.c:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | american fuzzy lop - extract tokens passed to strcmp / memcmp
4 | -------------------------------------------------------------
5 |
6 | Written and maintained by Michal Zalewski
7 |
8 | Copyright 2016 Google Inc. All rights reserved.
9 |
10 | Licensed under the Apache License, Version 2.0 (the "License");
11 | you may not use this file except in compliance with the License.
12 | You may obtain a copy of the License at:
13 |
14 | http://www.apache.org/licenses/LICENSE-2.0
15 |
16 | This Linux-only companion library allows you to instrument strcmp(),
17 | memcmp(), and related functions to automatically extract tokens.
18 | See README.tokencap for more info.
19 |
20 | */
21 |
22 | #include
23 | #include
24 | #include
25 |
26 | #include "../types.h"
27 | #include "../config.h"
28 |
29 | #ifndef __linux__
30 | # error "Sorry, this library is Linux-specific for now!"
31 | #endif /* !__linux__ */
32 |
33 |
34 | /* Mapping data and such */
35 |
36 | #define MAX_MAPPINGS 1024
37 |
38 | static struct mapping {
39 | void *st, *en;
40 | } __tokencap_ro[MAX_MAPPINGS];
41 |
42 | static u32 __tokencap_ro_cnt;
43 | static u8 __tokencap_ro_loaded;
44 | static FILE* __tokencap_out_file;
45 |
46 |
47 | /* Identify read-only regions in memory. Only parameters that fall into these
48 | ranges are worth dumping when passed to strcmp() and so on. Read-write
49 | regions are far more likely to contain user input instead. */
50 |
51 | static void __tokencap_load_mappings(void) {
52 |
53 | u8 buf[MAX_LINE];
54 | FILE* f = fopen("/proc/self/maps", "r");
55 |
56 | __tokencap_ro_loaded = 1;
57 |
58 | if (!f) return;
59 |
60 | while (fgets(buf, MAX_LINE, f)) {
61 |
62 | u8 rf, wf;
63 | void* st, *en;
64 |
65 | if (sscanf(buf, "%p-%p %c%c", &st, &en, &rf, &wf) != 4) continue;
66 | if (wf == 'w' || rf != 'r') continue;
67 |
68 | __tokencap_ro[__tokencap_ro_cnt].st = (void*)st;
69 | __tokencap_ro[__tokencap_ro_cnt].en = (void*)en;
70 |
71 | if (++__tokencap_ro_cnt == MAX_MAPPINGS) break;
72 |
73 | }
74 |
75 | fclose(f);
76 |
77 | }
78 |
79 |
80 | /* Check an address against the list of read-only mappings. */
81 |
82 | static u8 __tokencap_is_ro(const void* ptr) {
83 |
84 | u32 i;
85 |
86 | if (!__tokencap_ro_loaded) __tokencap_load_mappings();
87 |
88 | for (i = 0; i < __tokencap_ro_cnt; i++)
89 | if (ptr >= __tokencap_ro[i].st && ptr <= __tokencap_ro[i].en) return 1;
90 |
91 | return 0;
92 |
93 | }
94 |
95 |
96 | /* Dump an interesting token to output file, quoting and escaping it
97 | properly. */
98 |
99 | static void __tokencap_dump(const u8* ptr, size_t len, u8 is_text) {
100 |
101 | u8 buf[MAX_AUTO_EXTRA * 4 + 1];
102 | u32 i;
103 | u32 pos = 0;
104 |
105 | if (len < MIN_AUTO_EXTRA || len > MAX_AUTO_EXTRA || !__tokencap_out_file)
106 | return;
107 |
108 | for (i = 0; i < len; i++) {
109 |
110 | if (is_text && !ptr[i]) break;
111 |
112 | switch (ptr[i]) {
113 |
114 | case 0 ... 31:
115 | case 127 ... 255:
116 | case '\"':
117 | case '\\':
118 |
119 | sprintf(buf + pos, "\\x%02x", ptr[i]);
120 | pos += 4;
121 | break;
122 |
123 | default:
124 |
125 | buf[pos++] = ptr[i];
126 |
127 | }
128 |
129 | }
130 |
131 | buf[pos] = 0;
132 |
133 | fprintf(__tokencap_out_file, "\"%s\"\n", buf);
134 |
135 | }
136 |
137 |
138 | /* Replacements for strcmp(), memcmp(), and so on. Note that these will be used
139 | only if the target is compiled with -fno-builtins and linked dynamically. */
140 |
141 | #undef strcmp
142 |
143 | int strcmp(const char* str1, const char* str2) {
144 |
145 | if (__tokencap_is_ro(str1)) __tokencap_dump(str1, strlen(str1), 1);
146 | if (__tokencap_is_ro(str2)) __tokencap_dump(str2, strlen(str2), 1);
147 |
148 | while (1) {
149 |
150 | unsigned char c1 = *str1, c2 = *str2;
151 |
152 | if (c1 != c2) return (c1 > c2) ? 1 : -1;
153 | if (!c1) return 0;
154 | str1++; str2++;
155 |
156 | }
157 |
158 | }
159 |
160 |
161 | #undef strncmp
162 |
163 | int strncmp(const char* str1, const char* str2, size_t len) {
164 |
165 | if (__tokencap_is_ro(str1)) __tokencap_dump(str1, len, 1);
166 | if (__tokencap_is_ro(str2)) __tokencap_dump(str2, len, 1);
167 |
168 | while (len--) {
169 |
170 | unsigned char c1 = *str1, c2 = *str2;
171 |
172 | if (!c1) return 0;
173 | if (c1 != c2) return (c1 > c2) ? 1 : -1;
174 | str1++; str2++;
175 |
176 | }
177 |
178 | return 0;
179 |
180 | }
181 |
182 |
183 | #undef strcasecmp
184 |
185 | int strcasecmp(const char* str1, const char* str2) {
186 |
187 | if (__tokencap_is_ro(str1)) __tokencap_dump(str1, strlen(str1), 1);
188 | if (__tokencap_is_ro(str2)) __tokencap_dump(str2, strlen(str2), 1);
189 |
190 | while (1) {
191 |
192 | unsigned char c1 = tolower(*str1), c2 = tolower(*str2);
193 |
194 | if (c1 != c2) return (c1 > c2) ? 1 : -1;
195 | if (!c1) return 0;
196 | str1++; str2++;
197 |
198 | }
199 |
200 | }
201 |
202 |
203 | #undef strncasecmp
204 |
205 | int strncasecmp(const char* str1, const char* str2, size_t len) {
206 |
207 | if (__tokencap_is_ro(str1)) __tokencap_dump(str1, len, 1);
208 | if (__tokencap_is_ro(str2)) __tokencap_dump(str2, len, 1);
209 |
210 | while (len--) {
211 |
212 | unsigned char c1 = tolower(*str1), c2 = tolower(*str2);
213 |
214 | if (!c1) return 0;
215 | if (c1 != c2) return (c1 > c2) ? 1 : -1;
216 | str1++; str2++;
217 |
218 | }
219 |
220 | return 0;
221 |
222 | }
223 |
224 |
225 | #undef memcmp
226 |
227 | int memcmp(const void* mem1, const void* mem2, size_t len) {
228 |
229 | if (__tokencap_is_ro(mem1)) __tokencap_dump(mem1, len, 0);
230 | if (__tokencap_is_ro(mem2)) __tokencap_dump(mem2, len, 0);
231 |
232 | while (len--) {
233 |
234 | unsigned char c1 = *(const char*)mem1, c2 = *(const char*)mem2;
235 | if (c1 != c2) return (c1 > c2) ? 1 : -1;
236 | mem1++; mem2++;
237 |
238 | }
239 |
240 | return 0;
241 |
242 | }
243 |
244 |
245 | #undef strstr
246 |
247 | char* strstr(const char* haystack, const char* needle) {
248 |
249 | if (__tokencap_is_ro(haystack))
250 | __tokencap_dump(haystack, strlen(haystack), 1);
251 |
252 | if (__tokencap_is_ro(needle))
253 | __tokencap_dump(needle, strlen(needle), 1);
254 |
255 | do {
256 | const char* n = needle;
257 | const char* h = haystack;
258 |
259 | while(*n && *h && *n == *h) n++, h++;
260 |
261 | if(!*n) return (char*)haystack;
262 |
263 | } while (*(haystack++));
264 |
265 | return 0;
266 |
267 | }
268 |
269 |
270 | #undef strcasestr
271 |
272 | char* strcasestr(const char* haystack, const char* needle) {
273 |
274 | if (__tokencap_is_ro(haystack))
275 | __tokencap_dump(haystack, strlen(haystack), 1);
276 |
277 | if (__tokencap_is_ro(needle))
278 | __tokencap_dump(needle, strlen(needle), 1);
279 |
280 | do {
281 |
282 | const char* n = needle;
283 | const char* h = haystack;
284 |
285 | while(*n && *h && tolower(*n) == tolower(*h)) n++, h++;
286 |
287 | if(!*n) return (char*)haystack;
288 |
289 | } while(*(haystack++));
290 |
291 | return 0;
292 |
293 | }
294 |
295 |
296 | /* Init code to open the output file (or default to stderr). */
297 |
298 | __attribute__((constructor)) void __tokencap_init(void) {
299 |
300 | u8* fn = getenv("AFL_TOKEN_FILE");
301 | if (fn) __tokencap_out_file = fopen(fn, "a");
302 | if (!__tokencap_out_file) __tokencap_out_file = stderr;
303 |
304 | }
305 |
306 |
--------------------------------------------------------------------------------
/libdislocator/libdislocator.so.c:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | american fuzzy lop - dislocator, an abusive allocator
4 | -----------------------------------------------------
5 |
6 | Written and maintained by Michal Zalewski
7 |
8 | Copyright 2016 Google Inc. All rights reserved.
9 |
10 | Licensed under the Apache License, Version 2.0 (the "License");
11 | you may not use this file except in compliance with the License.
12 | You may obtain a copy of the License at:
13 |
14 | http://www.apache.org/licenses/LICENSE-2.0
15 |
16 | This is a companion library that can be used as a drop-in replacement
17 | for the libc allocator in the fuzzed binaries. See README.dislocator for
18 | more info.
19 |
20 | */
21 |
22 | #include
23 | #include
24 | #include
25 | #include
26 | #include
27 |
28 | #include "../config.h"
29 | #include "../types.h"
30 |
31 | #ifndef PAGE_SIZE
32 | # define PAGE_SIZE 4096
33 | #endif /* !PAGE_SIZE */
34 |
35 | #ifndef MAP_ANONYMOUS
36 | # define MAP_ANONYMOUS MAP_ANON
37 | #endif /* !MAP_ANONYMOUS */
38 |
39 | /* Error / message handling: */
40 |
41 | #define DEBUGF(_x...) do { \
42 | if (alloc_verbose) { \
43 | if (++call_depth == 1) { \
44 | fprintf(stderr, "[AFL] " _x); \
45 | fprintf(stderr, "\n"); \
46 | } \
47 | call_depth--; \
48 | } \
49 | } while (0)
50 |
51 | #define FATAL(_x...) do { \
52 | if (++call_depth == 1) { \
53 | fprintf(stderr, "*** [AFL] " _x); \
54 | fprintf(stderr, " ***\n"); \
55 | abort(); \
56 | } \
57 | call_depth--; \
58 | } while (0)
59 |
60 | /* Macro to count the number of pages needed to store a buffer: */
61 |
62 | #define PG_COUNT(_l) (((_l) + (PAGE_SIZE - 1)) / PAGE_SIZE)
63 |
64 | /* Canary & clobber bytes: */
65 |
66 | #define ALLOC_CANARY 0xAACCAACC
67 | #define ALLOC_CLOBBER 0xCC
68 |
69 | #define PTR_C(_p) (((u32*)(_p))[-1])
70 | #define PTR_L(_p) (((u32*)(_p))[-2])
71 |
72 | /* Configurable stuff (use AFL_LD_* to set): */
73 |
74 | static u32 max_mem = MAX_ALLOC; /* Max heap usage to permit */
75 | static u8 alloc_verbose, /* Additional debug messages */
76 | hard_fail, /* abort() when max_mem exceeded? */
77 | no_calloc_over; /* abort() on calloc() overflows? */
78 |
79 | static __thread size_t total_mem; /* Currently allocated mem */
80 |
81 | static __thread u32 call_depth; /* To avoid recursion via fprintf() */
82 |
83 |
84 | /* This is the main alloc function. It allocates one page more than necessary,
85 | sets that tailing page to PROT_NONE, and then increments the return address
86 | so that it is right-aligned to that boundary. Since it always uses mmap(),
87 | the returned memory will be zeroed. */
88 |
89 | static void* __dislocator_alloc(size_t len) {
90 |
91 | void* ret;
92 |
93 |
94 | if (total_mem + len > max_mem || total_mem + len < total_mem) {
95 |
96 | if (hard_fail)
97 | FATAL("total allocs exceed %u MB", max_mem / 1024 / 1024);
98 |
99 | DEBUGF("total allocs exceed %u MB, returning NULL",
100 | max_mem / 1024 / 1024);
101 |
102 | return NULL;
103 |
104 | }
105 |
106 | /* We will also store buffer length and a canary below the actual buffer, so
107 | let's add 8 bytes for that. */
108 |
109 | ret = mmap(NULL, (1 + PG_COUNT(len + 8)) * PAGE_SIZE, PROT_READ | PROT_WRITE,
110 | MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
111 |
112 | if (ret == (void*)-1) {
113 |
114 | if (hard_fail) FATAL("mmap() failed on alloc (OOM?)");
115 |
116 | DEBUGF("mmap() failed on alloc (OOM?)");
117 |
118 | return NULL;
119 |
120 | }
121 |
122 | /* Set PROT_NONE on the last page. */
123 |
124 | if (mprotect(ret + PG_COUNT(len + 8) * PAGE_SIZE, PAGE_SIZE, PROT_NONE))
125 | FATAL("mprotect() failed when allocating memory");
126 |
127 | /* Offset the return pointer so that it's right-aligned to the page
128 | boundary. */
129 |
130 | ret += PAGE_SIZE * PG_COUNT(len + 8) - len - 8;
131 |
132 | /* Store allocation metadata. */
133 |
134 | ret += 8;
135 |
136 | PTR_L(ret) = len;
137 | PTR_C(ret) = ALLOC_CANARY;
138 |
139 | total_mem += len;
140 |
141 | return ret;
142 |
143 | }
144 |
145 |
146 | /* The "user-facing" wrapper for calloc(). This just checks for overflows and
147 | displays debug messages if requested. */
148 |
149 | void* calloc(size_t elem_len, size_t elem_cnt) {
150 |
151 | void* ret;
152 |
153 | size_t len = elem_len * elem_cnt;
154 |
155 | /* Perform some sanity checks to detect obvious issues... */
156 |
157 | if (elem_cnt && len / elem_cnt != elem_len) {
158 |
159 | if (no_calloc_over) {
160 | DEBUGF("calloc(%zu, %zu) would overflow, returning NULL", elem_len, elem_cnt);
161 | return NULL;
162 | }
163 |
164 | FATAL("calloc(%zu, %zu) would overflow", elem_len, elem_cnt);
165 |
166 | }
167 |
168 | ret = __dislocator_alloc(len);
169 |
170 | DEBUGF("calloc(%zu, %zu) = %p [%zu total]", elem_len, elem_cnt, ret,
171 | total_mem);
172 |
173 | return ret;
174 |
175 | }
176 |
177 |
178 | /* The wrapper for malloc(). Roughly the same, also clobbers the returned
179 | memory (unlike calloc(), malloc() is not guaranteed to return zeroed
180 | memory). */
181 |
182 | void* malloc(size_t len) {
183 |
184 | void* ret;
185 |
186 | ret = __dislocator_alloc(len);
187 |
188 | DEBUGF("malloc(%zu) = %p [%zu total]", len, ret, total_mem);
189 |
190 | if (ret && len) memset(ret, ALLOC_CLOBBER, len);
191 |
192 | return ret;
193 |
194 | }
195 |
196 |
197 | /* The wrapper for free(). This simply marks the entire region as PROT_NONE.
198 | If the region is already freed, the code will segfault during the attempt to
199 | read the canary. Not very graceful, but works, right? */
200 |
201 | void free(void* ptr) {
202 |
203 | u32 len;
204 |
205 | DEBUGF("free(%p)", ptr);
206 |
207 | if (!ptr) return;
208 |
209 | if (PTR_C(ptr) != ALLOC_CANARY) FATAL("bad allocator canary on free()");
210 |
211 | len = PTR_L(ptr);
212 |
213 | total_mem -= len;
214 |
215 | /* Protect everything. Note that the extra page at the end is already
216 | set as PROT_NONE, so we don't need to touch that. */
217 |
218 | ptr -= PAGE_SIZE * PG_COUNT(len + 8) - len - 8;
219 |
220 | if (mprotect(ptr - 8, PG_COUNT(len + 8) * PAGE_SIZE, PROT_NONE))
221 | FATAL("mprotect() failed when freeing memory");
222 |
223 | /* Keep the mapping; this is wasteful, but prevents ptr reuse. */
224 |
225 | }
226 |
227 |
228 | /* Realloc is pretty straightforward, too. We forcibly reallocate the buffer,
229 | move data, and then free (aka mprotect()) the original one. */
230 |
231 | void* realloc(void* ptr, size_t len) {
232 |
233 | void* ret;
234 |
235 | ret = malloc(len);
236 |
237 | if (ret && ptr) {
238 |
239 | if (PTR_C(ptr) != ALLOC_CANARY) FATAL("bad allocator canary on realloc()");
240 |
241 | memcpy(ret, ptr, MIN(len, PTR_L(ptr)));
242 | free(ptr);
243 |
244 | }
245 |
246 | DEBUGF("realloc(%p, %zu) = %p [%zu total]", ptr, len, ret, total_mem);
247 |
248 | return ret;
249 |
250 | }
251 |
252 |
253 | __attribute__((constructor)) void __dislocator_init(void) {
254 |
255 | u8* tmp = getenv("AFL_LD_LIMIT_MB");
256 |
257 | if (tmp) {
258 |
259 | max_mem = atoi(tmp) * 1024 * 1024;
260 | if (!max_mem) FATAL("Bad value for AFL_LD_LIMIT_MB");
261 |
262 | }
263 |
264 | alloc_verbose = !!getenv("AFL_LD_VERBOSE");
265 | hard_fail = !!getenv("AFL_LD_HARD_FAIL");
266 | no_calloc_over = !!getenv("AFL_LD_NO_CALLOC_OVER");
267 |
268 | }
269 |
--------------------------------------------------------------------------------
/docs/INSTALL:
--------------------------------------------------------------------------------
1 | =========================
2 | Installation instructions
3 | =========================
4 |
5 | This document provides basic installation instructions and discusses known
6 | issues for a variety of platforms. See README for the general instruction
7 | manual.
8 |
9 | 1) Linux on x86
10 | ---------------
11 |
12 | This platform is expected to work well. Compile the program with:
13 |
14 | $ make
15 |
16 | You can start using the fuzzer without installation, but it is also possible to
17 | install it with:
18 |
19 | # make install
20 |
21 | There are no special dependencies to speak of; you will need GNU make and a
22 | working compiler (gcc or clang). Some of the optional scripts bundled with the
23 | program may depend on bash, gdb, and similar basic tools.
24 |
25 | If you are using clang, please review llvm_mode/README.llvm; the LLVM
26 | integration mode can offer substantial performance gains compared to the
27 | traditional approach.
28 |
29 | You may have to change several settings to get optimal results (most notably,
30 | disable crash reporting utilities and switch to a different CPU governor), but
31 | afl-fuzz will guide you through that if necessary.
32 |
33 | 2) OpenBSD, FreeBSD, NetBSD on x86
34 | ----------------------------------
35 |
36 | Similarly to Linux, these platforms are expected to work well and are
37 | regularly tested. Compile everything with GNU make:
38 |
39 | $ gmake
40 |
41 | Note that BSD make will *not* work; if you do not have gmake on your system,
42 | please install it first. As on Linux, you can use the fuzzer itself without
43 | installation, or install it with:
44 |
45 | # gmake install
46 |
47 | Keep in mind that if you are using csh as your shell, the syntax of some of the
48 | shell commands given in the README and other docs will be different.
49 |
50 | The llvm_mode requires a dynamically linked, fully-operational installation of
51 | clang. At least on FreeBSD, the clang binaries are static and do not include
52 | some of the essential tools, so if you want to make it work, you may need to
53 | follow the instructions in llvm_mode/README.llvm.
54 |
55 | Beyond that, everything should work as advertised.
56 |
57 | The QEMU mode is currently supported only on Linux. I think it's just a QEMU
58 | problem, I couldn't get a vanilla copy of user-mode emulation support working
59 | correctly on BSD at all.
60 |
61 | 3) MacOS X on x86
62 | -----------------
63 |
64 | MacOS X should work, but there are some gotchas due to the idiosyncrasies of
65 | the platform. On top of this, I have limited release testing capabilities
66 | and depend mostly on user feedback.
67 |
68 | To build AFL, install Xcode and follow the general instructions for Linux.
69 |
70 | The Xcode 'gcc' tool is just a wrapper for clang, so be sure to use afl-clang
71 | to compile any instrumented binaries; afl-gcc will fail unless you have GCC
72 | installed from another source (in which case, please specify AFL_CC and
73 | AFL_CXX to point to the "real" GCC binaries).
74 |
75 | Only 64-bit compilation will work on the platform; porting the 32-bit
76 | instrumentation would require a fair amount of work due to the way OS X
77 | handles relocations, and today, virtually all MacOS X boxes are 64-bit.
78 |
79 | The crash reporting daemon that comes by default with MacOS X will cause
80 | problems with fuzzing. You need to turn it off by following the instructions
81 | provided here: http://goo.gl/CCcd5u
82 |
83 | The fork() semantics on OS X are a bit unusual compared to other unix systems
84 | and definitely don't look POSIX-compliant. This means two things:
85 |
86 | - Fuzzing will be probably slower than on Linux. In fact, some folks report
87 | considerable performance gains by running the jobs inside a Linux VM on
88 | MacOS X.
89 |
90 | - Some non-portable, platform-specific code may be incompatible with the
91 | AFL forkserver. If you run into any problems, set AFL_NO_FORKSRV=1 in the
92 | environment before starting afl-fuzz.
93 |
94 | User emulation mode of QEMU does not appear to be supported on MacOS X, so
95 | black-box instrumentation mode (-Q) will not work.
96 |
97 | The llvm_mode requires a fully-operational installation of clang. The one that
98 | comes with Xcode is missing some of the essential headers and helper tools.
99 | See llvm_mode/README.llvm for advice on how to build the compiler from scratch.
100 |
101 | 4) Linux or *BSD on non-x86 systems
102 | -----------------------------------
103 |
104 | Standard build will fail on non-x86 systems, but you should be able to
105 | leverage two other options:
106 |
107 | - The LLVM mode (see llvm_mode/README.llvm), which does not rely on
108 | x86-specific assembly shims. It's fast and robust, but requires a
109 | complete installation of clang.
110 |
111 | - The QEMU mode (see qemu_mode/README.qemu), which can be also used for
112 | fuzzing cross-platform binaries. It's slower and more fragile, but
113 | can be used even when you don't have the source for the tested app.
114 |
115 | If you're not sure what you need, you need the LLVM mode. To get it, try:
116 |
117 | $ AFL_NO_X86=1 gmake && gmake -C llvm_mode
118 |
119 | ...and compile your target program with afl-clang-fast or afl-clang-fast++
120 | instead of the traditional afl-gcc or afl-clang wrappers.
121 |
122 | 5) Solaris on x86
123 | -----------------
124 |
125 | The fuzzer reportedly works on Solaris, but I have not tested this first-hand,
126 | and the user base is fairly small, so I don't have a lot of feedback.
127 |
128 | To get the ball rolling, you will need to use GNU make and GCC or clang. I'm
129 | being told that the stock version of GCC that comes with the platform does not
130 | work properly due to its reliance on a hardcoded location for 'as' (completely
131 | ignoring the -B parameter or $PATH).
132 |
133 | To fix this, you may want to build stock GCC from the source, like so:
134 |
135 | $ ./configure --prefix=$HOME/gcc --with-gnu-as --with-gnu-ld \
136 | --with-gmp-include=/usr/include/gmp --with-mpfr-include=/usr/include/mpfr
137 | $ make
138 | $ sudo make install
139 |
140 | Do *not* specify --with-as=/usr/gnu/bin/as - this will produce a GCC binary that
141 | ignores the -B flag and you will be back to square one.
142 |
143 | Note that Solaris reportedly comes with crash reporting enabled, which causes
144 | problems with crashes being misinterpreted as hangs, similarly to the gotchas
145 | for Linux and MacOS X. AFL does not auto-detect crash reporting on this
146 | particular platform, but you may need to run the following command:
147 |
148 | $ coreadm -d global -d global-setid -d process -d proc-setid \
149 | -d kzone -d log
150 |
151 | User emulation mode of QEMU is not available on Solaris, so black-box
152 | instrumentation mode (-Q) will not work.
153 |
154 | 6) Everything else
155 | ------------------
156 |
157 | You're on your own. On POSIX-compliant systems, you may be able to compile and
158 | run the fuzzer; and the LLVM mode may offer a way to instrument non-x86 code.
159 |
160 | The fuzzer will not run on Windows. It will also not work under Cygwin. It
161 | could be ported to the latter platform fairly easily, but it's a pretty bad
162 | idea, because Cygwin is extremely slow. It makes much more sense to use
163 | VirtualBox or so to run a hardware-accelerated Linux VM; it will run around
164 | 20x faster or so. If you have a *really* compelling use case for Cygwin, let
165 | me know.
166 |
167 | Although Android on x86 should theoretically work, the stock kernel may have
168 | SHM support compiled out, and if so, you may have to address that issue first.
169 | It's possible that all you need is this workaround:
170 |
171 | https://github.com/pelya/android-shmem
172 |
173 | Joshua J. Drake notes that the Android linker adds a shim that automatically
174 | intercepts SIGSEGV and related signals. To fix this issue and be able to see
175 | crashes, you need to put this at the beginning of the fuzzed program:
176 |
177 | signal(SIGILL, SIG_DFL);
178 | signal(SIGABRT, SIG_DFL);
179 | signal(SIGBUS, SIG_DFL);
180 | signal(SIGFPE, SIG_DFL);
181 | signal(SIGSEGV, SIG_DFL);
182 |
183 | You may need to #include first.
184 |
--------------------------------------------------------------------------------
/docs/historical_notes.txt:
--------------------------------------------------------------------------------
1 | ================
2 | Historical notes
3 | ================
4 |
5 | This doc talks about the rationale of some of the high-level design decisions
6 | for American Fuzzy Lop. It's adopted from a discussion with Rob Graham.
7 | See README for the general instruction manual, and technical_details.txt for
8 | additional implementation-level insights.
9 |
10 | 1) Influences
11 | -------------
12 |
13 | In short, afl-fuzz is inspired chiefly by the work done by Tavis Ormandy back
14 | in 2007. Tavis did some very persuasive experiments using gcov block coverage
15 | to select optimal test cases out of a large corpus of data, and then using
16 | them as a starting point for traditional fuzzing workflows.
17 |
18 | (By "persuasive", I mean: netting a significant number of interesting
19 | vulnerabilities.)
20 |
21 | In parallel to this, both Tavis and I were interested in evolutionary fuzzing.
22 | Tavis had his experiments, and I was working on a tool called bunny-the-fuzzer,
23 | released somewhere in 2007.
24 |
25 | Bunny used a generational algorithm not much different from afl-fuzz, but
26 | also tried to reason about the relationship between various input bits and
27 | the internal state of the program, with hopes of deriving some additional value
28 | from that. The reasoning / correlation part was probably in part inspired by
29 | other projects done around the same time by Will Drewry and Chris Evans.
30 |
31 | The state correlation approach sounded very sexy on paper, but ultimately, made
32 | the fuzzer complicated, brittle, and cumbersome to use; every other target
33 | program would require a tweak or two. Because Bunny didn't fare a whole lot
34 | better than less sophisticated brute-force tools, I eventually decided to write
35 | it off. You can still find its original documentation at:
36 |
37 | https://code.google.com/p/bunny-the-fuzzer/wiki/BunnyDoc
38 |
39 | There has been a fair amount of independent work, too. Most notably, a few
40 | weeks earlier that year, Jared DeMott had a Defcon presentation about a
41 | coverage-driven fuzzer that relied on coverage as a fitness function.
42 |
43 | Jared's approach was by no means identical to what afl-fuzz does, but it was in
44 | the same ballpark. His fuzzer tried to explicitly solve for the maximum coverage
45 | with a single input file; in comparison, afl simply selects for cases that do
46 | something new (which yields better results - see technical_details.txt).
47 |
48 | A few years later, Gabriel Campana released fuzzgrind, a tool that relied purely
49 | on Valgrind and a constraint solver to maximize coverage without any brute-force
50 | bits; and Microsoft Research folks talked extensively about their still
51 | non-public, solver-based SAGE framework.
52 |
53 | In the past six years or so, I've also seen a fair number of academic papers
54 | that dealt with smart fuzzing (focusing chiefly on symbolic execution) and a
55 | couple papers that discussed proof-of-concept applications of genetic
56 | algorithms with the same goals in mind. I'm unconvinced how practical most of
57 | these experiments were; I suspect that many of them suffer from the
58 | bunny-the-fuzzer's curse of being cool on paper and in carefully designed
59 | experiments, but failing the ultimate test of being able to find new,
60 | worthwhile security bugs in otherwise well-fuzzed, real-world software.
61 |
62 | In some ways, the baseline that the "cool" solutions have to compete against is
63 | a lot more impressive than it may seem, making it difficult for competitors to
64 | stand out. For a singular example, check out the work by Gynvael and Mateusz
65 | Jurczyk, applying "dumb" fuzzing to ffmpeg, a prominent and security-critical
66 | component of modern browsers and media players:
67 |
68 | http://googleonlinesecurity.blogspot.com/2014/01/ffmpeg-and-thousand-fixes.html
69 |
70 | Effortlessly getting comparable results with state-of-the-art symbolic execution
71 | in equally complex software still seems fairly unlikely, and hasn't been
72 | demonstrated in practice so far.
73 |
74 | But I digress; ultimately, attribution is hard, and glorying the fundamental
75 | concepts behind AFL is probably a waste of time. The devil is very much in the
76 | often-overlooked details, which brings us to...
77 |
78 | 2) Design goals for afl-fuzz
79 | ----------------------------
80 |
81 | In short, I believe that the current implementation of afl-fuzz takes care of
82 | several itches that seemed impossible to scratch with other tools:
83 |
84 | 1) Speed. It's genuinely hard to compete with brute force when your "smart"
85 | approach is resource-intensive. If your instrumentation makes it 10x more
86 | likely to find a bug, but runs 100x slower, your users are getting a bad
87 | deal.
88 |
89 | To avoid starting with a handicap, afl-fuzz is meant to let you fuzz most of
90 | the intended targets at roughly their native speed - so even if it doesn't
91 | add value, you do not lose much.
92 |
93 | On top of this, the tool leverages instrumentation to actually reduce the
94 | amount of work in a couple of ways: for example, by carefully trimming the
95 | corpus or skipping non-functional but non-trimmable regions in the input
96 | files.
97 |
98 | 2) Rock-solid reliability. It's hard to compete with brute force if your
99 | approach is brittle and fails unexpectedly. Automated testing is attractive
100 | because it's simple to use and scalable; anything that goes against these
101 | principles is an unwelcome trade-off and means that your tool will be used
102 | less often and with less consistent results.
103 |
104 | Most of the approaches based on symbolic execution, taint tracking, or
105 | complex syntax-aware instrumentation are currently fairly unreliable with
106 | real-world targets. Perhaps more importantly, their failure modes can render
107 | them strictly worse than "dumb" tools, and such degradation can be difficult
108 | for less experienced users to notice and correct.
109 |
110 | In contrast, afl-fuzz is designed to be rock solid, chiefly by keeping it
111 | simple. In fact, at its core, it's designed to be just a very good
112 | traditional fuzzer with a wide range of interesting, well-researched
113 | strategies to go by. The fancy parts just help it focus the effort in
114 | places where it matters the most.
115 |
116 | 3) Simplicity. The author of a testing framework is probably the only person
117 | who truly understands the impact of all the settings offered by the tool -
118 | and who can dial them in just right. Yet, even the most rudimentary fuzzer
119 | frameworks often come with countless knobs and fuzzing ratios that need to
120 | be guessed by the operator ahead of the time. This can do more harm than
121 | good.
122 |
123 | AFL is designed to avoid this as much as possible. The three knobs you
124 | can play with are the output file, the memory limit, and the ability to
125 | override the default, auto-calibrated timeout. The rest is just supposed to
126 | work. When it doesn't, user-friendly error messages outline the probable
127 | causes and workarounds, and get you back on track right away.
128 |
129 | 4) Chainability. Most general-purpose fuzzers can't be easily employed
130 | against resource-hungry or interaction-heavy tools, necessitating the
131 | creation of custom in-process fuzzers or the investment of massive CPU
132 | power (most of which is wasted on tasks not directly related to the code
133 | we actually want to test).
134 |
135 | AFL tries to scratch this itch by allowing users to use more lightweight
136 | targets (e.g., standalone image parsing libraries) to create small
137 | corpora of interesting test cases that can be fed into a manual testing
138 | process or a UI harness later on.
139 |
140 | As mentioned in technical_details.txt, AFL does all this not by systematically
141 | applying a single overarching CS concept, but by experimenting with a variety
142 | of small, complementary methods that were shown to reliably yields results
143 | better than chance. The use of instrumentation is a part of that toolkit, but is
144 | far from being the most important one.
145 |
146 | Ultimately, what matters is that afl-fuzz is designed to find cool bugs - and
147 | has a pretty robust track record of doing just that.
148 |
--------------------------------------------------------------------------------
/llvm_mode/afl-llvm-rt.o.c:
--------------------------------------------------------------------------------
1 | /*
2 | american fuzzy lop - LLVM instrumentation bootstrap
3 | ---------------------------------------------------
4 |
5 | Written by Laszlo Szekeres and
6 | Michal Zalewski
7 |
8 | LLVM integration design comes from Laszlo Szekeres.
9 |
10 | Copyright 2015, 2016 Google Inc. All rights reserved.
11 |
12 | Licensed under the Apache License, Version 2.0 (the "License");
13 | you may not use this file except in compliance with the License.
14 | You may obtain a copy of the License at:
15 |
16 | http://www.apache.org/licenses/LICENSE-2.0
17 |
18 | This code is the rewrite of afl-as.h's main_payload.
19 |
20 | */
21 |
22 | #include "../config.h"
23 | #include "../types.h"
24 |
25 | #include
26 | #include
27 | #include
28 | #include
29 | #include
30 | #include
31 |
32 | #include
33 | #include
34 | #include
35 | #include
36 |
37 | /* This is a somewhat ugly hack for the experimental 'trace-pc-guard' mode.
38 | Basically, we need to make sure that the forkserver is initialized after
39 | the LLVM-generated runtime initialization pass, not before. */
40 |
41 | #ifdef USE_TRACE_PC
42 | # define CONST_PRIO 5
43 | #else
44 | # define CONST_PRIO 0
45 | #endif /* ^USE_TRACE_PC */
46 |
47 |
48 | /* Globals needed by the injected instrumentation. The __afl_area_initial region
49 | is used for instrumentation output before __afl_map_shm() has a chance to run.
50 | It will end up as .comm, so it shouldn't be too wasteful. */
51 |
52 | u8 __afl_area_initial[MAP_SIZE];
53 | u8* __afl_area_ptr = __afl_area_initial;
54 |
55 | __thread u32 __afl_prev_loc;
56 |
57 |
58 | /* Running in persistent mode? */
59 |
60 | static u8 is_persistent;
61 |
62 |
63 | /* SHM setup. */
64 |
65 | static void __afl_map_shm(void) {
66 |
67 | u8 *id_str = getenv(SHM_ENV_VAR);
68 |
69 | /* If we're running under AFL, attach to the appropriate region, replacing the
70 | early-stage __afl_area_initial region that is needed to allow some really
71 | hacky .init code to work correctly in projects such as OpenSSL. */
72 |
73 | if (id_str) {
74 |
75 | u32 shm_id = atoi(id_str);
76 |
77 | __afl_area_ptr = shmat(shm_id, NULL, 0);
78 |
79 | /* Whooooops. */
80 |
81 | if (__afl_area_ptr == (void *)-1) _exit(1);
82 |
83 | /* Write something into the bitmap so that even with low AFL_INST_RATIO,
84 | our parent doesn't give up on us. */
85 |
86 | __afl_area_ptr[0] = 1;
87 |
88 | }
89 |
90 | }
91 |
92 |
93 | /* Fork server logic. */
94 |
95 | static void __afl_start_forkserver(void) {
96 |
97 | static u8 tmp[4];
98 | s32 child_pid;
99 |
100 | u8 child_stopped = 0;
101 |
102 | /* Phone home and tell the parent that we're OK. If parent isn't there,
103 | assume we're not running in forkserver mode and just execute program. */
104 |
105 | if (write(FORKSRV_FD + 1, tmp, 4) != 4) return;
106 |
107 | while (1) {
108 |
109 | u32 was_killed;
110 | int status;
111 |
112 | /* Wait for parent by reading from the pipe. Abort if read fails. */
113 |
114 | if (read(FORKSRV_FD, &was_killed, 4) != 4) _exit(1);
115 |
116 | /* If we stopped the child in persistent mode, but there was a race
117 | condition and afl-fuzz already issued SIGKILL, write off the old
118 | process. */
119 |
120 | if (child_stopped && was_killed) {
121 | child_stopped = 0;
122 | if (waitpid(child_pid, &status, 0) < 0) _exit(1);
123 | }
124 |
125 | if (!child_stopped) {
126 |
127 | /* Once woken up, create a clone of our process. */
128 |
129 | child_pid = fork();
130 | if (child_pid < 0) _exit(1);
131 |
132 | /* In child process: close fds, resume execution. */
133 |
134 | if (!child_pid) {
135 |
136 | close(FORKSRV_FD);
137 | close(FORKSRV_FD + 1);
138 | return;
139 |
140 | }
141 |
142 | } else {
143 |
144 | /* Special handling for persistent mode: if the child is alive but
145 | currently stopped, simply restart it with SIGCONT. */
146 |
147 | kill(child_pid, SIGCONT);
148 | child_stopped = 0;
149 |
150 | }
151 |
152 | /* In parent process: write PID to pipe, then wait for child. */
153 |
154 | if (write(FORKSRV_FD + 1, &child_pid, 4) != 4) _exit(1);
155 |
156 | if (waitpid(child_pid, &status, is_persistent ? WUNTRACED : 0) < 0)
157 | _exit(1);
158 |
159 | /* In persistent mode, the child stops itself with SIGSTOP to indicate
160 | a successful run. In this case, we want to wake it up without forking
161 | again. */
162 |
163 | if (WIFSTOPPED(status)) child_stopped = 1;
164 |
165 | /* Relay wait status to pipe, then loop back. */
166 |
167 | if (write(FORKSRV_FD + 1, &status, 4) != 4) _exit(1);
168 |
169 | }
170 |
171 | }
172 |
173 |
174 | /* A simplified persistent mode handler, used as explained in README.llvm. */
175 |
176 | int __afl_persistent_loop(unsigned int max_cnt) {
177 |
178 | static u8 first_pass = 1;
179 | static u32 cycle_cnt;
180 |
181 | if (first_pass) {
182 |
183 | /* Make sure that every iteration of __AFL_LOOP() starts with a clean slate.
184 | On subsequent calls, the parent will take care of that, but on the first
185 | iteration, it's our job to erase any trace of whatever happened
186 | before the loop. */
187 |
188 | if (is_persistent) {
189 |
190 | memset(__afl_area_ptr, 0, MAP_SIZE);
191 | __afl_area_ptr[0] = 1;
192 | __afl_prev_loc = 0;
193 | }
194 |
195 | cycle_cnt = max_cnt;
196 | first_pass = 0;
197 | return 1;
198 |
199 | }
200 |
201 | if (is_persistent) {
202 |
203 | if (--cycle_cnt) {
204 |
205 | raise(SIGSTOP);
206 |
207 | __afl_area_ptr[0] = 1;
208 | __afl_prev_loc = 0;
209 |
210 | return 1;
211 |
212 | } else {
213 |
214 | /* When exiting __AFL_LOOP(), make sure that the subsequent code that
215 | follows the loop is not traced. We do that by pivoting back to the
216 | dummy output region. */
217 |
218 | __afl_area_ptr = __afl_area_initial;
219 |
220 | }
221 |
222 | }
223 |
224 | return 0;
225 |
226 | }
227 |
228 |
229 | /* This one can be called from user code when deferred forkserver mode
230 | is enabled. */
231 |
232 | void __afl_manual_init(void) {
233 |
234 | static u8 init_done;
235 |
236 | if (!init_done) {
237 |
238 | __afl_map_shm();
239 | __afl_start_forkserver();
240 | init_done = 1;
241 |
242 | }
243 |
244 | }
245 |
246 |
247 | /* Proper initialization routine. */
248 |
249 | __attribute__((constructor(CONST_PRIO))) void __afl_auto_init(void) {
250 |
251 | is_persistent = !!getenv(PERSIST_ENV_VAR);
252 |
253 | if (getenv(DEFER_ENV_VAR)) return;
254 |
255 | __afl_manual_init();
256 |
257 | }
258 |
259 |
260 | /* The following stuff deals with supporting -fsanitize-coverage=trace-pc-guard.
261 | It remains non-operational in the traditional, plugin-backed LLVM mode.
262 | For more info about 'trace-pc-guard', see README.llvm.
263 |
264 | The first function (__sanitizer_cov_trace_pc_guard) is called back on every
265 | edge (as opposed to every basic block). */
266 |
267 | void __sanitizer_cov_trace_pc_guard(uint32_t* guard) {
268 | __afl_area_ptr[*guard]++;
269 | }
270 |
271 |
272 | /* Init callback. Populates instrumentation IDs. Note that we're using
273 | ID of 0 as a special value to indicate non-instrumented bits. That may
274 | still touch the bitmap, but in a fairly harmless way. */
275 |
276 | void __sanitizer_cov_trace_pc_guard_init(uint32_t* start, uint32_t* stop) {
277 |
278 | u32 inst_ratio = 100;
279 | u8* x;
280 |
281 | if (start == stop || *start) return;
282 |
283 | x = getenv("AFL_INST_RATIO");
284 | if (x) inst_ratio = atoi(x);
285 |
286 | if (!inst_ratio || inst_ratio > 100) {
287 | fprintf(stderr, "[-] ERROR: Invalid AFL_INST_RATIO (must be 1-100).\n");
288 | abort();
289 | }
290 |
291 | /* Make sure that the first element in the range is always set - we use that
292 | to avoid duplicate calls (which can happen as an artifact of the underlying
293 | implementation in LLVM). */
294 |
295 | *(start++) = R(MAP_SIZE - 1) + 1;
296 |
297 | while (start < stop) {
298 |
299 | if (R(100) < inst_ratio) *start = R(MAP_SIZE - 1) + 1;
300 | else *start = 0;
301 |
302 | start++;
303 |
304 | }
305 |
306 | }
307 |
--------------------------------------------------------------------------------
/qemu_mode/patches/afl-qemu-cpu-inl.h:
--------------------------------------------------------------------------------
1 | /*
2 | american fuzzy lop - high-performance binary-only instrumentation
3 | -----------------------------------------------------------------
4 |
5 | Written by Andrew Griffiths and
6 | Michal Zalewski
7 |
8 | Idea & design very much by Andrew Griffiths.
9 |
10 | Copyright 2015, 2016 Google Inc. All rights reserved.
11 |
12 | Licensed under the Apache License, Version 2.0 (the "License");
13 | you may not use this file except in compliance with the License.
14 | You may obtain a copy of the License at:
15 |
16 | http://www.apache.org/licenses/LICENSE-2.0
17 |
18 | This code is a shim patched into the separately-distributed source
19 | code of QEMU 2.2.0. It leverages the built-in QEMU tracing functionality
20 | to implement AFL-style instrumentation and to take care of the remaining
21 | parts of the AFL fork server logic.
22 |
23 | The resulting QEMU binary is essentially a standalone instrumentation
24 | tool; for an example of how to leverage it for other purposes, you can
25 | have a look at afl-showmap.c.
26 |
27 | */
28 |
29 | #include
30 | #include "../../config.h"
31 |
32 | /***************************
33 | * VARIOUS AUXILIARY STUFF *
34 | ***************************/
35 |
36 | /* A snippet patched into tb_find_slow to inform the parent process that
37 | we have hit a new block that hasn't been translated yet, and to tell
38 | it to translate within its own context, too (this avoids translation
39 | overhead in the next forked-off copy). */
40 |
41 | #define AFL_QEMU_CPU_SNIPPET1 do { \
42 | afl_request_tsl(pc, cs_base, flags); \
43 | } while (0)
44 |
45 | /* This snippet kicks in when the instruction pointer is positioned at
46 | _start and does the usual forkserver stuff, not very different from
47 | regular instrumentation injected via afl-as.h. */
48 |
49 | #define AFL_QEMU_CPU_SNIPPET2 do { \
50 | if(tb->pc == afl_entry_point) { \
51 | afl_setup(); \
52 | afl_forkserver(env); \
53 | } \
54 | afl_maybe_log(tb->pc); \
55 | } while (0)
56 |
57 | /* We use one additional file descriptor to relay "needs translation"
58 | messages between the child and the fork server. */
59 |
60 | #define TSL_FD (FORKSRV_FD - 1)
61 |
62 | /* This is equivalent to afl-as.h: */
63 |
64 | static unsigned char *afl_area_ptr;
65 |
66 | /* Exported variables populated by the code patched into elfload.c: */
67 |
68 | abi_ulong afl_entry_point, /* ELF entry point (_start) */
69 | afl_start_code, /* .text start pointer */
70 | afl_end_code; /* .text end pointer */
71 |
72 | /* Set in the child process in forkserver mode: */
73 |
74 | static unsigned char afl_fork_child;
75 | unsigned int afl_forksrv_pid;
76 |
77 | /* Instrumentation ratio: */
78 |
79 | static unsigned int afl_inst_rms = MAP_SIZE;
80 |
81 | /* Function declarations. */
82 |
83 | static void afl_setup(void);
84 | static void afl_forkserver(CPUArchState*);
85 | static inline void afl_maybe_log(abi_ulong);
86 |
87 | static void afl_wait_tsl(CPUArchState*, int);
88 | static void afl_request_tsl(target_ulong, target_ulong, uint64_t);
89 |
90 | static TranslationBlock *tb_find_slow(CPUArchState*, target_ulong,
91 | target_ulong, uint64_t);
92 |
93 |
94 | /* Data structure passed around by the translate handlers: */
95 |
96 | struct afl_tsl {
97 | target_ulong pc;
98 | target_ulong cs_base;
99 | uint64_t flags;
100 | };
101 |
102 |
103 | /*************************
104 | * ACTUAL IMPLEMENTATION *
105 | *************************/
106 |
107 |
108 | /* Set up SHM region and initialize other stuff. */
109 |
110 | static void afl_setup(void) {
111 |
112 | char *id_str = getenv(SHM_ENV_VAR),
113 | *inst_r = getenv("AFL_INST_RATIO");
114 |
115 | int shm_id;
116 |
117 | if (inst_r) {
118 |
119 | unsigned int r;
120 |
121 | r = atoi(inst_r);
122 |
123 | if (r > 100) r = 100;
124 | if (!r) r = 1;
125 |
126 | afl_inst_rms = MAP_SIZE * r / 100;
127 |
128 | }
129 |
130 | if (id_str) {
131 |
132 | shm_id = atoi(id_str);
133 | afl_area_ptr = shmat(shm_id, NULL, 0);
134 |
135 | if (afl_area_ptr == (void*)-1) exit(1);
136 |
137 | /* With AFL_INST_RATIO set to a low value, we want to touch the bitmap
138 | so that the parent doesn't give up on us. */
139 |
140 | if (inst_r) afl_area_ptr[0] = 1;
141 |
142 |
143 | }
144 |
145 | if (getenv("AFL_INST_LIBS")) {
146 |
147 | afl_start_code = 0;
148 | afl_end_code = (abi_ulong)-1;
149 |
150 | }
151 |
152 | }
153 |
154 |
155 | /* Fork server logic, invoked once we hit _start. */
156 |
157 | static void afl_forkserver(CPUArchState *env) {
158 |
159 | static unsigned char tmp[4];
160 |
161 | if (!afl_area_ptr) return;
162 |
163 | /* Tell the parent that we're alive. If the parent doesn't want
164 | to talk, assume that we're not running in forkserver mode. */
165 |
166 | if (write(FORKSRV_FD + 1, tmp, 4) != 4) return;
167 |
168 | afl_forksrv_pid = getpid();
169 |
170 | /* All right, let's await orders... */
171 |
172 | while (1) {
173 |
174 | pid_t child_pid;
175 | int status, t_fd[2];
176 |
177 | /* Whoops, parent dead? */
178 |
179 | if (read(FORKSRV_FD, tmp, 4) != 4) exit(2);
180 |
181 | /* Establish a channel with child to grab translation commands. We'll
182 | read from t_fd[0], child will write to TSL_FD. */
183 |
184 | if (pipe(t_fd) || dup2(t_fd[1], TSL_FD) < 0) exit(3);
185 | close(t_fd[1]);
186 |
187 | child_pid = fork();
188 | if (child_pid < 0) exit(4);
189 |
190 | if (!child_pid) {
191 |
192 | /* Child process. Close descriptors and run free. */
193 |
194 | afl_fork_child = 1;
195 | close(FORKSRV_FD);
196 | close(FORKSRV_FD + 1);
197 | close(t_fd[0]);
198 | return;
199 |
200 | }
201 |
202 | /* Parent. */
203 |
204 | close(TSL_FD);
205 |
206 | if (write(FORKSRV_FD + 1, &child_pid, 4) != 4) exit(5);
207 |
208 | /* Collect translation requests until child dies and closes the pipe. */
209 |
210 | afl_wait_tsl(env, t_fd[0]);
211 |
212 | /* Get and relay exit status to parent. */
213 |
214 | if (waitpid(child_pid, &status, 0) < 0) exit(6);
215 | if (write(FORKSRV_FD + 1, &status, 4) != 4) exit(7);
216 |
217 | }
218 |
219 | }
220 |
221 |
222 | /* The equivalent of the tuple logging routine from afl-as.h. */
223 |
224 | static inline void afl_maybe_log(abi_ulong cur_loc) {
225 |
226 | static __thread abi_ulong prev_loc;
227 |
228 | /* Optimize for cur_loc > afl_end_code, which is the most likely case on
229 | Linux systems. */
230 |
231 | if (cur_loc > afl_end_code || cur_loc < afl_start_code || !afl_area_ptr)
232 | return;
233 |
234 | /* Looks like QEMU always maps to fixed locations, so ASAN is not a
235 | concern. Phew. But instruction addresses may be aligned. Let's mangle
236 | the value to get something quasi-uniform. */
237 |
238 | cur_loc = (cur_loc >> 4) ^ (cur_loc << 8);
239 | cur_loc &= MAP_SIZE - 1;
240 |
241 | /* Implement probabilistic instrumentation by looking at scrambled block
242 | address. This keeps the instrumented locations stable across runs. */
243 |
244 | if (cur_loc >= afl_inst_rms) return;
245 |
246 | afl_area_ptr[cur_loc ^ prev_loc]++;
247 | prev_loc = cur_loc >> 1;
248 |
249 | }
250 |
251 |
252 | /* This code is invoked whenever QEMU decides that it doesn't have a
253 | translation of a particular block and needs to compute it. When this happens,
254 | we tell the parent to mirror the operation, so that the next fork() has a
255 | cached copy. */
256 |
257 | static void afl_request_tsl(target_ulong pc, target_ulong cb, uint64_t flags) {
258 |
259 | struct afl_tsl t;
260 |
261 | if (!afl_fork_child) return;
262 |
263 | t.pc = pc;
264 | t.cs_base = cb;
265 | t.flags = flags;
266 |
267 | if (write(TSL_FD, &t, sizeof(struct afl_tsl)) != sizeof(struct afl_tsl))
268 | return;
269 |
270 | }
271 |
272 |
273 | /* This is the other side of the same channel. Since timeouts are handled by
274 | afl-fuzz simply killing the child, we can just wait until the pipe breaks. */
275 |
276 | static void afl_wait_tsl(CPUArchState *env, int fd) {
277 |
278 | struct afl_tsl t;
279 |
280 | while (1) {
281 |
282 | /* Broken pipe means it's time to return to the fork server routine. */
283 |
284 | if (read(fd, &t, sizeof(struct afl_tsl)) != sizeof(struct afl_tsl))
285 | break;
286 |
287 | tb_find_slow(env, t.pc, t.cs_base, t.flags);
288 |
289 | }
290 |
291 | close(fd);
292 |
293 | }
294 |
295 |
--------------------------------------------------------------------------------