# Awesome Fuzzing Resources

A collection of fuzzing tools and papers. Many people have probably seen [https://github.com/secfigo/Awesome-Fuzzing](https://github.com/secfigo/Awesome-Fuzzing); I have submitted a few pull requests to it myself, but I feel the author does not maintain it very actively: a lot of the information is outdated, new material is not added in time, and the overall structure is messy. Also, many of the papers are too vague about details and are not open source, so they have no real reference value and are not worth your time. So I decided to put together my own list. If something is not open source or has not actually found a 0day, I generally will not include it. Issues and pull requests are always welcome.

## books

[The Fuzzing Book](https://www.fuzzingbook.org/)

[Fuzzing for Software Security Testing and Quality Assurance (2nd Edition)](https://www.amazon.com/Fuzzing-Software-Security-Testing-Assurance/dp/1608078507)

[Fuzzing Against the Machine: Automate vulnerability research with emulated IoT devices on Qemu](https://www.amazon.com/Fuzzing-Against-Machine-Automate-vulnerability-ebook/dp/B0BSNNBP1D)

## fuzzer

zzuf (https://github.com/samhocevar/zzuf)

radamsa (https://gitlab.com/akihe/radamsa)

certfuzz (https://github.com/CERTCC/certfuzz)

These are the representative dumb fuzzers. In real-world vulnerability hunting it is still reasonable to start with a dumb fuzzer and only then worry about code coverage.

AFL (https://github.com/google/AFL)

Written by @lcamtuf, a former Project Zero member. It can be called the ancestor of all the fuzzing tools that followed; someone has even compiled a list of the tools derived from AFL: https://github.com/Microsvuln/Awesome-AFL

honggfuzz (https://github.com/google/honggfuzz)

libFuzzer (http://llvm.org/docs/LibFuzzer.html)

AFL, honggfuzz and libFuzzer are the three most popular coverage-guided fuzzers, and the authors of honggfuzz and libFuzzer are also from Google. Many people refer to the code of these three when developing their own fuzzers.

oss-fuzz (https://github.com/google/oss-fuzz)

Google's fuzzing initiative for open-source software. As of February 2023, OSS-Fuzz had found more than 8,900 vulnerabilities and 28,000 bugs across 850 projects.

fuzztest (https://github.com/google/fuzztest)

A new project started after the libFuzzer author stopped maintaining libFuzzer; it is more powerful and easier to integrate in the style of unit tests.

winafl (https://github.com/googleprojectzero/winafl)

Project Zero member @ifratric ported AFL to Windows for coverage-guided fuzzing of closed-source software. Dynamic instrumentation was first implemented with DynamoRIO; later [TinyInst](https://github.com/googleprojectzero/TinyInst) was also supported as the instrumentation backend. Soon after @ifratric released TinyInst, someone combined TinyInst with AFL: [TinyAFL](https://github.com/linhlhq/TinyAFL).

Jackalope (https://github.com/googleprojectzero/Jackalope)

Jackalope is also by @ifratric. Presumably not fully satisfied with AFL/winafl, he wrote this fuzzer (it initially supported only Windows and macOS, later Linux and Android as well). It also uses TinyInst for dynamic instrumentation.

pe-afl (https://github.com/wmliang/pe-afl)

peafl64 (https://github.com/Sentinel-One/peafl64)

Static binary instrumentation that lets AFL fuzz closed-source software on Windows; they support 32-bit and 64-bit targets respectively.

e9patch (https://github.com/GJDuck/e9patch)

Static binary instrumentation that lets AFL fuzz x64 Linux ELF binaries.

zafl (https://git.zephyr-software.com/opensrc/zafl)

Static binary instrumentation that lets AFL fuzz x64 Linux ELF binaries.

retrowrite (https://github.com/HexHive/retrowrite)

Static binary instrumentation that lets AFL fuzz x64 and aarch64 Linux ELF binaries.

AFLplusplus (https://github.com/AFLplusplus/AFLplusplus)

A community-maintained version of AFL, started after the AFL author left Google and AFL went unmaintained.

AFLplusplus-cs (https://github.com/RICSecLab/AFLplusplus-cs/tree/retrage/cs-mode-support)

AFL++ CoreSight mode. This project adds a new feedback mechanism to AFL++ using CoreSight, a CPU feature available on some ARM-based processors.

WAFL (https://github.com/fgsect/WAFL)

Uses AFL to fuzz WebAssembly.

boofuzz (https://github.com/jtpereyda/boofuzz)

A network protocol fuzzing framework; its predecessor is [sulley](https://github.com/OpenRCE/sulley).

opcua_network_fuzzer (https://github.com/claroty/opcua_network_fuzzer)

A boofuzz modification for fuzzing the OPC UA protocol, used at Pwn2Own 2022.

syzkaller (https://github.com/google/syzkaller)

Google's open-source Linux kernel fuzzer; there is also material on porting it to Windows/macOS.

Fuzzing ksmbd with syzkaller: [Tickling ksmbd: fuzzing SMB in the Linux kernel](https://pwning.tech/ksmbd-syzkaller/)

Fuzzing NVMe-oF/TCP with syzkaller: [Your NVMe Had Been Syz’ed: Fuzzing NVMe-oF/TCP Driver for Linux with Syzkaller](https://cyberark.com/resources/threat-research-blog/your-nvme-had-been-syzed-fuzzing-nvme-of-tcp-driver-for-linux-with-syzkaller)

GitLab's protocol fuzzing framework (https://gitlab.com/gitlab-org/security-products/protocol-fuzzer-ce)

Peach was a popular protocol fuzzing tool a few years ago, available in a free and a paid edition. After GitLab acquired the company behind Peach in 2020, it open-sourced the tool in 2021. Judging from the commit history, though, GitLab is not doing much maintenance either.

buzzer (https://github.com/google/buzzer)

Google's open-source eBPF fuzzer.

wtf (https://github.com/0vercl0k/wtf)

A memory-snapshot-based fuzzer for both user-mode and kernel-mode Windows targets; many people have obtained CVEs with it. Tools like winafl have two major pain points: 1. you need to build a harness around the target's input entry point, which is often very hard for complex closed-source software; 2. some software only works if certain functions run first, before the entry point the harness calls, and that logic often cannot be bypassed. By fuzzing a memory snapshot, wtf avoids writing a harness and reduces the analysis cost. Of course wtf is not a silver bullet: for example, the snapshot has no I/O capability, so wtf cannot handle I/O operations correctly and the logic has to be modified by patching (functions such as printf all need to be patched).

[Basic usage of the snapshot-based fuzzer wtf](https://paper.seebug.org/2084/)

TrapFuzz (https://github.com/googleprojectzero/p0tools/tree/master/TrapFuzz)

trapfuzzer (https://github.com/hac425xxx/trapfuzzer)

Rough code-coverage collection via breakpoints.

go-fuzz (https://github.com/dvyukov/go-fuzz)

jazzer (https://github.com/CodeIntelligenceTesting/jazzer)

jazzer.js (https://github.com/CodeIntelligenceTesting/jazzer.js)

fuzzers (https://gitlab.com/gitlab-org/security-products/analyzers/fuzzers)

Fuzzers for different programming languages.

cryptofuzz (https://github.com/guidovranken/cryptofuzz)

Fuzzing of cryptographic libraries.

(Two other cryptographic-library testing tools from Google:

https://github.com/google/wycheproof

https://github.com/google/paranoid_crypto)

mutiny-fuzzer (https://github.com/Cisco-Talos/mutiny-fuzzer)

A mutation-based network fuzzing framework from Cisco. It parses protocol requests out of packet captures (such as pcap files) to generate a .fuzzer file, then mutates the requests based on that file and sends them to the target under test.

domato (https://github.com/googleprojectzero/domato)

Another @ifratric project. It generates code from a grammar, so it can be extended to fuzz all kinds of script engines.

fuzzilli (https://github.com/googleprojectzero/fuzzilli)

A JS engine fuzzer by another former Project Zero member. The fuzzer works so well that many people have found lots of vulnerabilities with their own modified versions; the author later left Project Zero to work on V8 security at Google full-time.

SMB_Fuzzer (https://github.com/mellowCS/SMB_Fuzzer)

SMB fuzzer.

libprotobuf-mutator (https://github.com/google/libprotobuf-mutator)

In 2016 Google proposed Structure-Aware Fuzzing and implemented libprotobuf-mutator on top of libFuzzer and protobuf. It addresses Peach's lack of coverage guidance as well as AFL's inefficient mutation of complex input types. Structure-Aware Fuzzing is not a new technique; the idea is the same as Peach's: define a template for the input data type so that mutations are more accurate.

h26forge (https://github.com/h26forge/h26forge)

Also structure-aware fuzzing; generates malformed H.264 files.

restler-fuzzer (https://github.com/microsoft/restler-fuzzer)

Fuzzing sometimes also runs into the problem of state, especially when fuzzing network protocols, where the path to trigger a bug can be very complex. This led to the concept of Stateful Fuzzing, which uses the program's runtime state machine to guide the fuzzer. restler-fuzzer, developed by Microsoft, is the first stateful REST API fuzzing tool.

## other helper tools

common-corpus (https://github.com/isosceles-security/common-corpus)

Builds a corpus from Common Crawl. This is quite meaningful: few articles mention the corpus problem, but a good corpus absolutely raises the probability of finding vulnerabilities by a large margin. I have a private corpus, mainly high-quality POCs for common formats plus corpora I generated myself, which I will not share publicly; here is a list of reference corpora I put together: https://github.com/houjingyi233/fuzz-corpus

BugId (https://github.com/SkyLined/BugId)

A crash triage and exploitability analysis tool for Windows, commonly used when writing fuzzers for the Windows platform.

binspector (https://github.com/binspector/binspector)

Binary format analysis.

apicraft (https://github.com/occia/apicraft)

GraphFuzz (https://github.com/hgarrereyn/GraphFuzz)

Automated harness generation.

## blog

### general

Some fuzzing resources:

[https://fuzzing-project.org/](https://fuzzing-project.org/)

The blog of Project Zero member @j00ru:

[https://j00ru.vexillium.org/](https://j00ru.vexillium.org/)

GitHub Security Lab has many articles on vulnerability research:

[https://securitylab.github.com/research/](https://securitylab.github.com/research/)

A series of articles on fuzzing: using a fuzzer, evaluating fuzzers, patch analysis of a 1day vulnerability, and finding a 0day vulnerability:

[https://ricercasecurity.blogspot.com/2023/07/fuzzing-farm-1-fuzzing-gegl-with-fuzzuf.html](https://ricercasecurity.blogspot.com/2023/07/fuzzing-farm-1-fuzzing-gegl-with-fuzzuf.html)

[https://ricercasecurity.blogspot.com/2023/07/fuzzing-farm-2-evaluating-performance.html](https://ricercasecurity.blogspot.com/2023/07/fuzzing-farm-2-evaluating-performance.html)

[https://ricercasecurity.blogspot.com/2023/07/fuzzing-farm-3-patch-analysis-and-poc.html](https://ricercasecurity.blogspot.com/2023/07/fuzzing-farm-3-patch-analysis-and-poc.html)

[https://ricercasecurity.blogspot.com/2023/07/fuzzing-farm-4-hunting-and-exploiting-0.html](https://ricercasecurity.blogspot.com/2023/07/fuzzing-farm-4-hunting-and-exploiting-0.html)

The AFL++ developers analysed why OSS-Fuzz did not find the libwebp 0day CVE-2023-4863:

[ADVANCED FUZZING UNMASKS ELUSIVE VULNERABILITIES](https://www.srlabs.de/blog-post/advanced-fuzzing-unmasks-elusive-vulnerabilities)

### windows

Kernel:

[KernelFuzzer](https://github.com/FSecureLABS/KernelFuzzer)

[SimpleNTSyscallFuzzer](https://github.com/waleedassar/SimpleNTSyscallFuzzer)

WeChat:

[Fuzzing WeChat’s Wxam Parser](https://www.signal-labs.com/blog/fuzzing-wechats-wxam-parser)

RDP:

[Fuzzing RDPEGFX with "what the fuzz"](https://blog.thalium.re/posts/rdpegfx/)

[Fuzzing RDP: Holding the Stick at Both Ends](https://www.cyberark.com/resources/threat-research-blog/fuzzing-rdp-holding-the-stick-at-both-ends)

[Fuzzing Microsoft's RDP Client using Virtual Channels: Overview & Methodology](https://thalium.github.io/blog/posts/fuzzing-microsoft-rdp-client-using-virtual-channels/)

PDF:

[Fuzzing Closed Source PDF Viewers](https://www.gosecure.net/blog/2019/07/30/fuzzing-closed-source-pdf-viewers/)

[50 CVEs in 50 Days: Fuzzing Adobe Reader](https://research.checkpoint.com/2018/50-adobe-cves-in-50-days/)

[Creating a fuzzing harness for FoxitReader 9.7 ConvertToPDF Function](https://christopher-vella.com/2020/02/28/creating-a-fuzzing-harness-for-foxitreader-9-7-converttopdf-function/)

Found 100+ vulnerabilities in various PDF readers and covers many fuzzing tricks:

[Dig Into the Attack Surface of PDF and Gain 100+ CVEs in 1 Year](https://www.blackhat.com/docs/asia-17/materials/asia-17-Liu-Dig-Into-The-Attack-Surface-Of-PDF-And-Gain-100-CVEs-In-1-Year-wp.pdf)

MSMQ:

[FortiGuard Labs Discovers Multiple Vulnerabilities in Microsoft Message Queuing Service](https://www.fortinet.com/blog/threat-research/microsoft-message-queuing-service-vulnerabilities)

Edge:

[Escaping the sandbox: A bug that speaks for itself](https://microsoftedge.github.io/edgevr/posts/Escaping-the-sandbox-A-bug-that-speaks-for-itself/)

Windows image parsing:

[Fuzzing Image Parsing in Windows, Part One: Color Profiles](https://www.mandiant.com/resources/fuzzing-image-parsing-in-windows-color-profiles)

[Fuzzing Image Parsing in Windows, Part Two: Uninitialized Memory](https://www.mandiant.com/resources/fuzzing-image-parsing-in-windows-uninitialized-memory)

[Fuzzing Image Parsing in Windows, Part Three: RAW and HEIF](https://www.mandiant.com/resources/fuzzing-image-parsing-three)

[Fuzzing Image Parsing in Windows, Part Four: More HEIF](https://www.mandiant.com/resources/fuzzing-image-parsing-windows-part-four)

Windows Office:

Fuzzing the MSGraph COM component in Office:

[Fuzzing the Office Ecosystem](https://research.checkpoint.com/2021/fuzzing-the-office-ecosystem/)

POC2018; found vulnerabilities in several document readers with a fuzzer whose principle is similar to the trapfuzz mentioned above:

[Document parsers "research" as passive income](https://powerofcommunity.net/poc2018/jaanus.pdf)

HITB2021; inspired by the previous slides, found multiple Excel vulnerabilities:

[How I Found 16 Microsoft Office Excel Vulnerabilities in 6 Months](https://conference.hitb.org/hitbsecconf2021ams/materials/D2T1%20-%20How%20I%20Found%2016%20Microsoft%20Office%20Excel%20Vulnerabilities%20in%206%20Months%20-%20Quan%20Jin.pdf)

Fuzzing the script engines inside document readers; found multiple Foxit and Adobe vulnerabilities. Its advance over domato is an algorithm that infers the relationship between document objects and scripts:

[https://github.com/TCA-ISCAS/Cooper](https://github.com/TCA-ISCAS/Cooper)

[COOPER: Testing the Binding Code of Scripting Languages with Cooperative Mutation](https://www.ndss-symposium.org/wp-content/uploads/2022-353-paper.pdf)

Developing a syntax-aware fuzzer to find vulnerabilities in PostScript parsing:

[Smash PostScript Interpreters Using A Syntax-Aware Fuzzer](https://www.zscaler.com/blogs/security-research/smash-postscript-interpreters-using-syntax-aware-fuzzer)

Fuzzing vulnerabilities in the parsing of SketchUp .skp 3D model files:

[ThreatLabz Discovers 117 Vulnerabilities in Microsoft 365 Apps Via the SketchUp 3D Library - Part 1](https://www.zscaler.com/blogs/security-research/threatlabz-discovers-117-vulnerabilities-microsoft-365-apps-sketchup-3d)

[ThreatLabz Discovers 117 Vulnerabilities in Microsoft 365 Apps Via the SketchUp 3D Library - Part 2](https://www.zscaler.com/blogs/security-research/threatlabz-discovers-117-vulnerabilities-microsoft-365-apps-sketchup-3d-0)

Windows font parsing:

[A year of Windows kernel font fuzzing Part-1 the results](https://googleprojectzero.blogspot.com/2016/06/a-year-of-windows-kernel-font-fuzzing-1_27.html)

[A year of Windows kernel font fuzzing Part-2 the techniques](https://googleprojectzero.blogspot.com/2016/07/a-year-of-windows-kernel-font-fuzzing-2.html)

### linux/android

Fuzzing Linux kernel filesystems with AFL:

[Filesystem Fuzzing with American Fuzzy lop](https://events.static.linuxfound.org/sites/events/files/slides/AFL%20filesystem%20fuzzing%2C%20Vault%202016_0.pdf)

Race-condition fuzzing:

[KCSAN](https://github.com/google/kernel-sanitizers/blob/master/KCSAN.md)

[KTSAN](https://github.com/google/kernel-sanitizers/blob/master/KTSAN.md)

[krace](https://github.com/sslab-gatech/krace)

[razzer](https://github.com/compsec-snu/razzer)

Linux USB fuzzing:

[https://github.com/purseclab/fuzzusb](https://github.com/purseclab/fuzzusb)

[FUZZUSB: Hybrid Stateful Fuzzing of USB Gadget Stacks](https://lifeasageek.github.io/papers/kyungtae-fuzzusb.pdf)

Linux device driver fuzzing:

[https://github.com/messlabnyu/DrifuzzProject/](https://github.com/messlabnyu/DrifuzzProject/)

[Drifuzz: Harvesting Bugs in Device Drivers from Golden Seeds](https://www.usenix.org/system/files/sec22-shen-zekun.pdf)

[https://github.com/secsysresearch/DRFuzz](https://github.com/secsysresearch/DRFuzz)

[Semantic-Informed Driver Fuzzing Without Both the Hardware Devices and the Emulators](https://www.ndss-symposium.org/wp-content/uploads/2022-345-paper.pdf)

Fuzzing VLC with honggfuzz:

[Double-Free RCE in VLC. A honggfuzz how-to](https://www.pentestpartners.com/security-blog/double-free-rce-in-vlc-a-honggfuzz-how-to/)

Fuzzing an APK's .so libraries with AFL++ FRIDA mode; discusses three cases: no JNI, JNI that does not interact with the APK bytecode, and JNI that does interact with the APK bytecode:

[Android greybox fuzzing with AFL++ Frida mode](https://blog.quarkslab.com/android-greybox-fuzzing-with-afl-frida-mode.html)

Fuzzing Android system services:

[Hunting for Android Privilege Escalation with a 32 Line Fuzzer](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hunting-for-android-privilege-escalation-with-a-32-line-fuzzer/)

[The Fuzzing Guide to the Galaxy: An Attempt with Android System Services](https://blog.thalium.re/posts/fuzzing-samsung-system-services/)

Fuzzing Android system permissions:

[https://github.com/little-leiry/CuPerFuzzer](https://github.com/little-leiry/CuPerFuzzer)

[Leveraging Android Permissions: A Solver Approach](https://blog.thalium.re/posts/leveraging-android-permissions/)

### macOS

My curated macOS vulnerability research material is here:

[https://github.com/houjingyi233/macOS-iOS-system-security](https://github.com/houjingyi233/macOS-iOS-system-security)

### DBMS

For DBMS vulnerability research material, see:

[https://github.com/zhangysh1995/awesome-database-testing](https://github.com/zhangysh1995/awesome-database-testing)

### VM

For VMware vulnerability research material, see:

[https://github.com/xairy/vmware-exploitation](https://github.com/xairy/vmware-exploitation)

For Hyper-V vulnerability research material, see:

[https://github.com/gerhart01/Hyper-V-Internals](https://github.com/gerhart01/Hyper-V-Internals)

Some others:

[Hunting for bugs in VirtualBox (First Take)](http://blog.paulch.ru/2020-07-26-hunting-for-bugs-in-virtualbox-first-take.html)

### IOT

Automated fuzzing of firmware images:

fuzzware (https://github.com/fuzzware-fuzzer/fuzzware/)

Fuzzing embedded firmware by running it as a Linux user-space process:

SAFIREFUZZ (https://github.com/pr0me/SAFIREFUZZ)

### browser

How Mozilla fuzzes browsers:

[Browser fuzzing at Mozilla](https://blog.mozilla.org/attack-and-defense/2021/05/20/browser-fuzzing-at-mozilla/)

Detecting inconsistencies caused by incorrect JIT optimizations through differential fuzzing:

[https://github.com/RUB-SysSec/JIT-Picker](https://github.com/RUB-SysSec/JIT-Picker)

[Jit-Picking: Differential Fuzzing of JavaScript Engines](https://publications.cispa.saarland/3773/1/2022-CCS-JIT-Fuzzing.pdf)

Splits JS seeds into code blocks, each carrying a set of constraints that say when it may be combined with other blocks, to generate semantically and syntactically valid JS code:

[https://github.com/SoftSec-KAIST/CodeAlchemist](https://github.com/SoftSec-KAIST/CodeAlchemist)

[CodeAlchemist: Semantics-Aware Code Generation to Find Vulnerabilities in JavaScript Engines](https://cseweb.ucsd.edu/~dstefan/cse291-spring21/papers/han:codealchemist.pdf)

### bluetooth

This researcher found Bluetooth vulnerabilities in products from many vendors: braktooth is a batch of Bluetooth Classic vulnerabilities and sweyntooth a batch of BLE vulnerabilities. The fuzzer is not open source (only binaries are provided), but it is still worth a look:

[https://github.com/Matheus-Garbelini/braktooth_esp32_bluetooth_classic_attacks](https://github.com/Matheus-Garbelini/braktooth_esp32_bluetooth_classic_attacks)

[https://github.com/Matheus-Garbelini/sweyntooth_bluetooth_low_energy_attacks](https://github.com/Matheus-Garbelini/sweyntooth_bluetooth_low_energy_attacks)

BLE fuzzing:

[Stateful Black-Box Fuzzing of BLE Devices Using Automata Learning](https://git.ist.tugraz.at/apferscher/ble-fuzzing/)

### WIFI

Found multiple vulnerabilities in the Wi-Fi protocol implementations of routers from MediaTek, Huawei and other vendors:

[https://github.com/efchatz/WPAxFuzz](https://github.com/efchatz/WPAxFuzz)

Ant Financial's Wi-Fi protocol fuzzer, based on openwifi; it has also found multiple vulnerabilities:

[https://github.com/alipay/Owfuzz](https://github.com/alipay/Owfuzz)

### CPU

Generates complex programs to fuzz CPUs. RISC-V only, but it works well: it has already found 37 bugs (29 CVEs) in 5 RISC-V CPUs:

[https://github.com/comsec-group/cascade-artifacts](https://github.com/comsec-group/cascade-artifacts)

### compiler

Generates random programs to fuzz compilers; has found 200+ bugs in gcc, clang and other compilers:

[https://github.com/intel/yarpgen](https://github.com/intel/yarpgen)