Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/airbus-seclab/aflplusplus-blogpost
Blogpost about optimizing binary-only fuzzing with AFL++
https://github.com/airbus-seclab/aflplusplus-blogpost
afl aflplusplus binary-only fuzzing qemu
Last synced: about 1 month ago
JSON representation
Blogpost about optimizing binary-only fuzzing with AFL++
- Host: GitHub
- URL: https://github.com/airbus-seclab/aflplusplus-blogpost
- Owner: airbus-seclab
- License: gpl-2.0
- Created: 2023-06-14T11:54:16.000Z (over 1 year ago)
- Default Branch: main
- Last Pushed: 2023-10-07T19:31:18.000Z (about 1 year ago)
- Last Synced: 2023-10-07T20:25:25.845Z (about 1 year ago)
- Topics: afl, aflplusplus, binary-only, fuzzing, qemu
- Language: Shell
- Homepage: https://airbus-seclab.github.io/AFLplusplus-blogpost
- Size: 354 KB
- Stars: 45
- Watchers: 3
- Forks: 4
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# Lab for grammar-aware in-memory persistent fuzzing
## Introduction
This repository contains all scripts and data (as well as an ELF target) to follow along as you read the [associated blogpost](https://airbus-seclab.github.io/AFLplusplus-blogpost) by experimenting on your own on one example: [src/target.c](./src/target.c) (the source code of the **target**).
Repository organization:
* [step0](./step0): **basic fuzzing setup**, default configuration
* [step1](./step1): custom **instrumentation** (targeting `parse_cert_buf` function)
* [step2](./step2): with a customized **entrypoint**
* [step3](./step3): with **persistent mode**
* [step4](./step4): with an **in-memory hook**
* [src/hook](./src/hook): source code of the hook
* [step5](./step5): custom **grammar-aware mutator**
* [src/mutator](./src/mutator): source code of the custom mutator
* [step6](./step6): with **multi-processing**## Setup
### AFL++
Clone and compile AFL++ from the base folder:
```bash
$ git clone https://github.com/AFLplusplus/AFLplusplus.git -b dev
$ cd AFLplusplus
$ git apply ../src/mutator/afl-fuzz-run.patch
$ make distrib
```**Note:**
* See [this discussion](https://github.com/AFLplusplus/AFLplusplus/issues/1397)
to understand why this patch is necessary
* Tested with commit `4063a3eb4c4099e37aef4f1d96e8b80d58d65fe2` from `Mon Jan 23
12:50:57 2023 +0100`### libprotobuf-mutator
Clone and compile `libprotobuf-mutator` (used to build our custom mutator) from
the base folder:```bash
$ git clone https://github.com/google/libprotobuf-mutator.git
$ cd libprotobuf-mutator
$ mkdir build && cd build
$ cmake .. -GNinja -DLIB_PROTO_MUTATOR_DOWNLOAD_PROTOBUF=ON -DLIB_PROTO_MUTATOR_TESTING=OFF -DCMAKE_BUILD_TYPE=Release -DCMAKE_C_FLAGS="-fPIC" -DCMAKE_CXX_FLAGS="-fPIC"
$ ninja
```**Note:** Tested with commit `af3bb18749db3559dc4968dd85319d05168d4b5e` from
`Wed Dec 7 15:21:20 2022 -0800`Clone and compile the protobuf ASN.1 mutator from the base folder:
```bash
$ git clone https://github.com/google/fuzzing.git google-fuzzing
$ cd google-fuzzing/proto/asn1-pdu/
$ ../../../libprotobuf-mutator/build/external.protobuf/bin/protoc *.proto --python_out=. --cpp_out=.
$ git apply ../../../src/mutator/google-fuzzing.patch
```**Note:**
* See [this pull request](https://github.com/google/fuzzing/pull/110) to
understand why this patch is necessary
* Tested with commit `128a82660ffe414036ded9a6e561a9532945280d` from `Wed Oct 26
14:12:31 2022 +0200`### Python packages
Install Python3 and the venv package:
```
$ apt update
$ apt install python3 python3-venv
```Setup a virtual environment and install dependencies:
```
$ cd src/mutator
$ python3 -m venv .env
$ source .env/bin/activate
$ pip3 install -r requirements.txt
```### Blog
Compile the target and libraries created for this blogpost from the base folder:
```
make -C src
```Finally, generate the corpus:
```bash
$ cd
$ ./build_corpus.sh
```## Run
Simply use the `fuzz.sh` script from the step you are on:
```bash
$ cd
$ ./fuzz.sh
```