Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/angorafuzzer/angora

Angora is a mutation-based fuzzer. The main goal of Angora is to increase branch coverage by solving path constraints without symbolic execution.
https://github.com/angorafuzzer/angora

afl data-flow-analysis fuzzer fuzzing security symbolic-execution taint-analysis

Last synced: 2 days ago
JSON representation

Angora is a mutation-based fuzzer. The main goal of Angora is to increase branch coverage by solving path constraints without symbolic execution.

Host: GitHub
URL: https://github.com/angorafuzzer/angora
Owner: AngoraFuzzer
License: apache-2.0
Created: 2018-03-19T06:07:32.000Z (over 6 years ago)
Default Branch: master
Last Pushed: 2022-07-18T13:42:14.000Z (over 2 years ago)
Last Synced: 2024-09-26T01:48:10.021Z (about 1 month ago)
Topics: afl, data-flow-analysis, fuzzer, fuzzing, security, symbolic-execution, taint-analysis
Language: C++
Size: 13 MB
Stars: 917
Watchers: 41
Forks: 168
Open Issues: 41
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

        # Angora

[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)

[![Build Status](https://api.cirrus-ci.com/github/AngoraFuzzer/Angora.svg)](https://cirrus-ci.com/github/AngoraFuzzer/Angora)

Angora is a mutation-based coverage guided fuzzer. The main goal of Angora is 

to increase branch coverage by solving path constraints without symbolic 

execution. 

## Published Work

Arxiv: [Angora: Efficient Fuzzing by Principled Search](https://arxiv.org/abs/1803.01307), S&P 2018.

## Building Angora

### Build Requirements

- Linux-amd64 (Tested on Ubuntu 16.04/18.04 and Debian Buster)

- Rust stable (>= 1.31), can be obtained using [rustup](https://rustup.rs)

- [LLVM 4.0.0 - 12.0.1](http://llvm.org/docs/index.html) : run `PREFIX=/path-to-install ./build/install_llvm.sh`.

### Environment Variables

Append the following entries in the shell configuration file (`~/.bashrc`, `~/.zshrc`).

```

export PATH=/path-to-clang/bin:$PATH

export LD_LIBRARY_PATH=/path-to-clang/lib:$LD_LIBRARY_PATH

```

### Fuzzer Compilation

The build script will resolve most dependencies and setup the 

runtime environment.

```shell

./build/build.sh

```

### System Configuration

As with AFL, system core dumps must be disabled.

```shell

echo core | sudo tee /proc/sys/kernel/core_pattern

```

## Test

Test if Angora is builded successfully.

```

cd /path-to-angora/tests

./test.sh mini

```

## Running Angora

### Build Target Program

Angora compiles the program into two separate binaries, each with their respective

instrumentation. Using `autoconf` programs as an example, here are the steps required.

```

# Use the instrumenting compilers

CC=/path/to/angora/bin/angora-clang \

CXX=/path/to/angora/bin/angora-clang++ \

LD=/path/to/angora/bin/angora-clang \

PREFIX=/path/to/target/directory \

./configure --disable-shared

# Build with taint tracking support 

USE_TRACK=1 make -j

make install

# Save the compiled target binary into a new directory

# and rename it with .taint postfix, such as uniq.taint

# Build with light instrumentation support

make clean

USE_FAST=1 make -j

make install

# Save the compiled binary into the directory previously

# created and rename it with .fast postfix, such as uniq.fast

```

If you fail to build by this approach, try `wllvm` and `gllvm` described in [Build a target program](./docs/build_target.md#wllvm-or-gllvm).

Also, we have implemented taint analysis with libdft64 instead of DFSan ([Use libdft64 for taint tracking](./docs/pin_mode.md)). 

### Fuzzing

```

./angora_fuzzer -i input -o output -t path/to/taint/program -- path/to/fast/program [argv]

```

-----------

For more information, please refer to the documentation under the 

`docs/` directory.

- [Angora Overview](./docs/overview.md)

- [Build a target program](./docs/build_target.md)

- [Running Angora](./docs/running.md)

- [Use libdft64 for taint tracking](./docs/pin_mode.md)

- [Example - Fuzz program file by Angora](./docs/example.md)

- [Run Angora on LAVA](./docs/lava.md)

- [Exploit attack points](./docs/exploitation.md)

- [Usage](./docs/usage.md)

- [Configuration Files](./docs/configuration.md)

- [Environment variables](./docs/environment_variables.md)

- [UI Terminology](./docs/ui.md)

- [Troubleshoot](./docs/troubleshoot.md)

- [Related works](./docs/related_works.md)