{"id":13515560,"url":"https://github.com/RUB-SysSec/antifuzz","last_synced_at":"2025-03-31T04:37:12.800Z","repository":{"id":49585239,"uuid":"201225999","full_name":"RUB-SysSec/antifuzz","owner":"RUB-SysSec","description":"AntiFuzz: Impeding Fuzzing Audits of Binary Executables","archived":false,"fork":false,"pushed_at":"2021-03-25T09:00:12.000Z","size":42,"stargazers_count":101,"open_issues_count":0,"forks_count":15,"subscribers_count":9,"default_branch":"master","last_synced_at":"2024-12-24T09:02:16.171Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"agpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/RUB-SysSec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-08-08T09:32:34.000Z","updated_at":"2024-08-12T19:51:47.000Z","dependencies_parsed_at":"2022-09-21T17:50:55.243Z","dependency_job_id":null,"html_url":"https://github.com/RUB-SysSec/antifuzz","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RUB-SysSec%2Fantifuzz","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RUB-SysSec%2Fantifuzz/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RUB-SysSec%2Fantifuzz/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/RUB-SysSec%2Fantifuzz/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/RUB-SysSec","download_url":"https://codeload.github.com/RUB-SysSec/antifuzz/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","r
epositories_count":246418675,"owners_count":20773935,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T05:01:12.877Z","updated_at":"2025-03-31T04:37:11.091Z","avatar_url":"https://github.com/RUB-SysSec.png","language":"C","readme":"\n# AntiFuzz: Impeding Fuzzing Audits of Binary Executables\n\nGet the paper here: https://www.usenix.org/system/files/sec19-guler.pdf\n\n## Usage:\nThe Python script antifuzz_generate.py generates an \"antifuzz.h\" file that you need to include in your C project (see the section below). The script takes multiple arguments to define which features you want to activate.\n\nTo disable all features, supply:\n\n      --disable-all\n\nTo break assumption (A), i.e. to break coverage-guided fuzzing, use:\n\n      --enable-anti-coverage\n\nYou can specify how many random BBs and random constraint functions you want to have by supplying \"--anti-coverage [num]\" (default: 10000).\n\nTo break assumption (B), i.e. to prevent fuzzers from detecting crashes, use:\n\n      --signal --crash-action exit\n\nTo break assumption (C), i.e. to decrease the performance of the application when being fuzzed, use:\n\n      --enable-sleep --signal\n\nAdditionally, you can supply \"--sleep [ms]\" to set the length of the sleep in milliseconds (default: 750). You can also replace the crash behavior by supplying \"--crash-action timeout\" to replace every crash with a timeout.\n\nTo break assumption (D), i.e. 
to bog down symbolic execution engines, use:\n\n      --hash-cmp --enable-encrypt-decrypt\n\nTo enable all features, use:\n\n      --enable-anti-coverage --signal --crash-action exit --enable-sleep --signal --hash-cmp --enable-encrypt-decrypt\n\n## Demo\nTo test it out, we supplied a demo application called antifuzz_test.c that just checks for \"crsh\" with single-byte comparisons, and crashes if that's the case. It configures itself to fit the generated antifuzz header file, i.e. when hash comparisons are demanded via antifuzz_generate.py, antifuzz_test will compare the hashes instead of the plain constants.\n\nFirst, generate the antifuzz.h file:\n\n    python antifuzz_generate.py --enable-anti-coverage --signal --crash-action exit --enable-sleep --signal --hash-cmp --enable-encrypt-decrypt\n\nNext, compile the demo application with afl-gcc after installing AFL 2.52b (note that this may take minutes (!) depending on the number of random BBs added):\n\n    afl-gcc antifuzz_test.c -o antifuzz_test\n\nRun it in AFL to test it out:\n\n    mkdir inp; echo 1234 \u003e inp/a.txt; afl-fuzz -i inp/ -o /dev/shm/out -- ./antifuzz_test @@\n\nIf you enabled all options, AFL may take a long time to start because the application is slowed down (to break assumption (C)).\n\n## Protecting Applications\nTo include it in your own C project, follow these instructions (depending on your use case and application, you might want to skip some of them):\n\n### 1.\nAdd\n\n    #include \"antifuzz.h\"\n\nto the header.\n\n### 2. 
\nJump to the line that opens the (main) input file, the one that an attacker might target as an attack vector, and call\n\n    antifuzz_init(\"file_name_here\", FLAG_ALL);\n\nThis initializes AntiFuzz, checks if overwriting signals is possible, checks if the application is ptrace'd, puts the input through encryption and decryption, jumps through random BBs, etc.\n\n### 3.\nFind all lines and blocks of code that deal with malformed input files or introduce those yourself. It's often the case that these lines already exist to print some kind of error or warning message (e.g. \"this is not a valid ... file\"). Add a call to\n\n    antifuzz_onerror()\n\neverywhere you deem appropriate.\n\n### 4.\nFind comparisons to constants (e.g. magic bytes) that you think are important for this file format, and change the comparison to hash comparisons. Add your constant to antifuzz_constants.tpl.h like this:\n\n    char *antifuzzELF = \"ELF\";\n\nOur generator script will automatically change these lines to their respective SHA512 hashes when generating the final header file; you do not have to do this manually.\n\nNow change the lines from (as an example):\n\n    if(strcmp(header, \"ELF\") == 0)\n\nto\n\n    if(antifuzz_str_equal(header, antifuzzELF))\n\nSee antifuzz.tpl.h for more comparison functions.\n\n### 5.\nIf you have more data that you want to protect from symbolic execution, use:\n\n    antifuzz_encrypt_decrypt_buf(char *ptr, size_t fileSize)\n","funding_links":[],"categories":["Fuzzing"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FRUB-SysSec%2Fantifuzz","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FRUB-SysSec%2Fantifuzz","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FRUB-SysSec%2Fantifuzz/lists"}