I. AFL-related parameters
1. Fields in plot_data
unix_time, the current time
cycles_done, the number of times the queue of test cases has been cycled through
cur_path, the id of the test case currently selected for mutation
paths_total, the number of valid test cases generated by mutation up to the current time
pending_total, the number of test cases imported from other fuzzers
pending_favs, the number of imported test cases marked as favs
map_size, basic-block coverage, computed as (basic blocks executed / MAP_SIZE)
unique_crashes, the total number of distinct crashes found; "distinct" is decided from the basic-block execution pattern, so the same vulnerability reached via different branches is counted as different crashes
unique_hangs, the total number of distinct hangs found
max_depth, the largest test-case depth, where depth means the generation of a test case: the initial test cases are the first generation (the ancestors), test cases mutated from them are the second generation (the ancestors' children), and so on. It is a simple tree: the initial test cases are the root, and a node's (test case's) depth in the tree is that test case's depth.
execs_per_sec, the number of test cases executed per second
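As an added example (not part of the original notes), a small Python parser for AFL 2.52b's plot_data that turns the fields above into a run summary. The sample lines are constructed, and the summary keys and the "stalled" heuristic are choices made here, not anything AFL itself reports.

```python
from typing import Dict, List

# Column order of AFL 2.52b's plot_data, matching the header comment AFL writes.
FIELDS = ("unix_time", "cycles_done", "cur_path", "paths_total", "pending_total",
          "pending_favs", "map_size", "unique_crashes", "unique_hangs",
          "max_depth", "execs_per_sec")

# Constructed sample (not a real run): header plus four one-minute snapshots.
SAMPLE_PLOT_DATA = """\
# unix_time, cycles_done, cur_path, paths_total, pending_total, pending_favs, map_size, unique_crashes, unique_hangs, max_depth, execs_per_sec
1569412300, 0, 0, 12, 12, 3, 1.20%, 0, 0, 1, 1500.00
1569412360, 0, 7, 40, 33, 9, 2.85%, 0, 0, 2, 1480.50
1569412420, 1, 25, 58, 20, 4, 3.10%, 2, 0, 3, 1452.25
1569412480, 3, 57, 58, 0, 0, 3.10%, 2, 1, 3, 1490.00
"""

def parse_plot_data(text: str) -> List[Dict[str, float]]:
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # header comment or blank line
        vals = [v.strip() for v in line.split(",")]
        if len(vals) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(vals)}: {line!r}")
        row = dict(zip(FIELDS, vals))
        for k in FIELDS:
            # map_size is written as "3.10%", execs_per_sec as a float; the rest are ints
            row[k] = float(row[k].rstrip("%")) if k in ("map_size", "execs_per_sec") else int(row[k])
        rows.append(row)
    return rows

def summarize(rows: List[Dict[str, float]]) -> Dict[str, float]:
    first, last = rows[0], rows[-1]
    prev = rows[-2] if len(rows) > 1 else first
    elapsed = last["unix_time"] - first["unix_time"]
    avg_speed = sum(r["execs_per_sec"] for r in rows) / len(rows)
    return {
        "elapsed_s": elapsed,
        "new_paths": last["paths_total"] - first["paths_total"],
        "coverage_gain_pct": round(last["map_size"] - first["map_size"], 2),
        "avg_execs_per_sec": round(avg_speed, 2),
        "unique_crashes": last["unique_crashes"],
        "unique_hangs": last["unique_hangs"],
        "max_depth": last["max_depth"],
        # cycles advanced but paths_total did not: the queue is being re-fuzzed without gain
        "stalled": last["cycles_done"] > prev["cycles_done"]
                   and last["paths_total"] == prev["paths_total"],
    }
```

Point parse_plot_data at the contents of output/<fuzzer>/plot_data to get the same summary for a live run.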
II. Target program configuration
- binutils
mkdir build
CC=gcc ./configure --prefix=/build --with-sysroot=$LFS --with-lib-path=/build/lib --target=$LFS_TGT CFLAGS='-g -fsanitize=address' --disable-werror
./configure --prefix=$(pwd)/build CFLAGS='-g -fsanitize=address -fno-omit-frame-pointer -Wno-implicit-fallthrough'
# -Wno-implicit-fallthrough: fixes 'error: this statement may fall through [-Werror=implicit-fallthrough=]'
# --disable-werror: fixes 'error: right-hand operand of comma expression has no effect [-Werror=unused-value]'
- gif2png-3.0.0 (written in Go)
CC=gcc CXX=g++ ./configure --prefix=/build --with-sysroot=$LFS --with-lib-path=/build/lib --target=$LFS_TGT CFLAGS='-g -fsanitize=address' --disable-werror
- xpdf-4.00
mkdir build
cd build
cmake -DCMAKE_BUILD_TYPE=Release -DCMAKE_C_FLAGS='-g -fsanitize=address -fno-omit-frame-pointer' ../
- jhead-2.97
110 still exists (-1); in the new version the check is already done at 188
114 still exists (-2); in the new version follows
109 already reported, CVE-2020-6624
188 - fixed (-4)
Therefore, any file with a .conf suffix placed in the /etc/ld.so.conf.d/ directory is picked up.
My approach:
- put all libraries the user needs into /usr/local/lib;
- create a new file usr-libs.conf under /etc/ld.so.conf.d/ with the content: /usr/local/lib
- sudo ldconfig
LD_PRELOAD=/usr/lib64/libasan.so.4ld.so
Development environment:
Linux 16.04
AFL 2.52b installation
1. Download from http://lcamtuf.coredump.cx/afl/ or wget http://lcamtuf.coredump.cx/afl.tgz
2. Extract: tar -xzf afl.tgz
3. cd afl-2.52b
4. Build: make clean
make
5. Install: sudo make install
LLVM installation
1. sudo apt-get install llvm clang
2. Download release 3.8.0 from http://llvm.org/releases/download.html
3. sudo cp /clang+llvm-3.8.0..../bin/* /usr/bin
cd afl-2.52b/llvm-mode/
export CC=clang
export CXX=clang++
make
cd ../
sudo cp afl-llvm* /usr/local/lib/afl/
sudo cp afl-clang-fast* /usr/local/bin
Testing the LAVA dataset
1. Set the compiler: export CC=afl-clang-fast
export CXX=afl-clang-fast++
2. Build: ./configure
make
3. cd lava_corpus/LAVA-M/base64/coreutils-8.24-lava-safe
4. afl-showmap -o /dev/null -- ./src/base64
5. afl-cmin -i input -o input_mini -- ./src/base64
6. for i in ./input_mini/*; do afl-tmin -i "$i" -o "$i.mini" -- ./src/base64; done
7. mkdir ./in && cp ./input_mini/*.mini ./in/
8. afl-fuzz -i in -o output -M fuzzer1 ./src/base64 @@
afl-fuzz -i in -o output -S fuzzer2 ./src/base64 @@
afl-fuzz -i in -o output -S fuzzer3 ./src/base64 @@
Testing binutils 2.25
1. Set the compiler: export CC=afl-clang-fast
export CXX=afl-clang-fast++
2. Build: ./configure
make
3. cp /usr/bin/clear ./input
4. afl-fuzz -i input -o output -M fuzzer1 ./binutils/size @@   (or ./binutils/objdump -d, or ./binutils/nm-new -C, in place of size)
afl-fuzz -i input -o output -S fuzzer2 ./binutils/size @@
afl-fuzz -i input -o output -S fuzzer3 ./binutils/size @@
Testing jhead 2.97
1. Set the compiler: export CC=afl-clang-fast
export CXX=afl-clang-fast++
2. Build: make
3. Copy the jpeg test cases from AFL's testcases directory into input
4. Run afl-fuzz as described for the LAVA dataset
Testing libpng 1.6.34
1. Set the compiler: export CC=afl-clang-fast
export CXX=afl-clang-fast++
2. Build: ./configure --disable-shared
make
3. Copy the png test cases from AFL's testcases directory into input
4. Run afl-fuzz as described for the LAVA dataset
afl-cov installation
1. sudo apt-get install afl-cov (note: this gives version 0.3)
2. Download the latest afl-cov (0.6)
3. sudo cp afl-cov/afl-cov /usr/bin
4. export CC="gcc -fprofile-arcs -ftest-coverage"
export CXX="g++ -fprofile-arcs -ftest-coverage"
5. ./configure
6. make
7. afl-cov -d output/ -e "path/to/target -f AFL_FILE" -c . --enable-branch-coverage
crashwalk installation and usage
Install Go:
1. apt-get install gdb golang
2. mkdir src
3. cd src
4. git clone https://github.com/jfoote/exploitable.git
5. cd && mkdir go
6. export GOPATH=~/go
7. go get -u github.com/bnagy/crashwalk/cmd/...
8. ~/go/bin/cwtriage -root . -afl ./path/to/target @@
Analysing the results once fuzzing has finished: ~/go/bin/cwtriage -root fuzzer2/crashes/ -match id -seen ~/afl-experient/binutils-2.29/binutils/objdump -d @@
(Output goes both to the screen and to a database named crashwalk.db; the -seen above means the database is appended to. With ~/go/bin/cwdump ./crashwalk.db > triage.txt the crashes can be classified into a txt file.)
9. NOTES: the AFL command needs to be afl-fuzz -i input -o output -- ./binutils/size @@
10. cwdump ./crashwalk.db > triage.txt
11. cwfind a9060880abffbe2dcd5c9b4bb39c9233.0e358881a2545b216eee9aabe3723302 (the crash's hash)
Qsym:
Set the environment variables:
export AFL_ROOT=/home/lbb/afl-2.52b
==============who=============
export INPUT=/home/lbb/afl-experient/input/who
export OUTPUT=/home/lbb/afl-experient/output/who_qsym
export AFL_CMDLINE=/home/lbb/afl-experient/lava_corpus/LAVA-M/who/coreutils-8.24-lava-safe/src/who
export QSYM_CMDLINE=/home/lbb/afl-experient/lava_corpus/LAVA-M/who/coreutils-8.24-lava-safe/src/who
==============objdump=========
export INPUT=/home/lbb/afl-experient/input/objdump
export OUTPUT=/home/lbb/afl-experient/output/objdump_qsym
export AFL_CMDLINE=/home/lbb/afl-experient/binutils-2.19/binutils/objdump
export QSYM_CMDLINE=/home/lbb/afl-experient/binutils-2.19/binutils/objdump
; run AFL master
$ $AFL_ROOT/afl-fuzz -M afl-master -i $INPUT -o $OUTPUT -- $AFL_CMDLINE @@
; run AFL slave
$ $AFL_ROOT/afl-fuzz -S afl-slave -i $INPUT -o $OUTPUT -- $AFL_CMDLINE @@
; run QSYM
$ bin/run_qsym_afl.py -a afl-slave -o $OUTPUT -n qsym -- $QSYM_CMDLINE @@
QEMU mode:
Set AFL_PATH (absolute path of the afl directory): AFL_PATH=/../afl-2.52b
Build afl: sudo make install
Enter the qemu_mode directory: cd qemu_mode/
Install and set up QEMU: ./build_qemu_support.sh
If "Error: 'libtool' not found, please install first." appears, run apt-get install libtool libtool-bin
Go back up one directory: cd ../
Build again: sudo make install
Fuzz with AFL's QEMU mode: afl-fuzz -i in -o out -m x -Q /path/to/app
Check the virtual memory the target needs: recidivm -u M ./app
Change the file names: for i in ./inputs/*; do afl-tmin -i "$i" -o "$i.mini" -- ./src/base64; done