How to fuzz with AFLGo
Update (Jun 27, 2019): added more fuzzing scripts.
Update (Aug 08, 2019): my changes have been merged into the main AFLGo repo, where I am now a maintainer.
TODO: App 3 on verifying static analysis (Clang Static Analyzer) reports with directed fuzzing.
Bonjour! There have been quite a lot of questions on how to build AFLGo, the state-of-the-art directed greybox fuzzer (DGF), and how to fuzz different programs with it. This post addresses both. Shoutout to my friends Marcel, Thuan and Toan.
You can use the original AFLGo v2.49b or check out my forked project (at your own risk), where I have made a few small changes: (1) rebased onto AFL v2.52b (no technical improvements, just the newer base); (2) record the time at which each input is generated; and (3) added some scripts you may find useful.
Use the build script to install clang v4.0.0, LLVM, the LLVMgold plugin and AFLGo. I use Ubuntu 16.04 (64-bit) and gcc v4.9.4. Check that everything is installed correctly before going further; in particular, LLVMgold.so must be visible to the gold linker in /usr/lib/bfd-plugins, otherwise the -flto -fuse-ld=gold builds below fail at link time:
$ clang --version
clang version 4.0.0 (tags/RELEASE_400/final)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /usr/local/bin
$ ls /usr/lib/bfd-plugins
libLTO.so LLVMgold.so
App 1: Reproduce known bugs
In this case the targets are extracted from the bug report, typically from the crash backtrace. For example, you can use AFLGo to fuzz lrzip and reproduce CVE-2018-11496 with the script below. Set AFLGO to the path of your own AFLGo checkout. I use the default fuzzing configuration: an empty seed, the exponential annealing-based power schedule (-z exp) and 45 minutes of exploration before AFLGo switches to exploitation (-c 45m).
# prepare dirs
git clone https://github.com/ckolivas/lrzip.git lrzip-CVE-2018-11496
cd lrzip-CVE-2018-11496/; git checkout ed51e14
mkdir obj-aflgo; mkdir obj-aflgo/temp
# some env variables (AFLGO must point to your own AFLGo checkout)
export AFLGO=/home/dungnguyen/aflgo
export SUBJECT=$PWD; export TMP_DIR=$PWD/obj-aflgo/temp
export CC=$AFLGO/afl-clang-fast; export CXX=$AFLGO/afl-clang-fast++
export LDFLAGS=-lpthread
export ADDITIONAL="-targets=$TMP_DIR/BBtargets.txt -outdir=$TMP_DIR -flto -fuse-ld=gold -Wl,-plugin-opt=save-temps"
# identify BB targets from backtrace
echo $'stream.c:1756' > $TMP_DIR/BBtargets.txt
# first build
./autogen.sh; make distclean
cd obj-aflgo; CFLAGS="$ADDITIONAL" CXXFLAGS="$ADDITIONAL" ../configure --prefix=`pwd`
make clean; make -j4
# clean up
cat $TMP_DIR/BBnames.txt | rev | cut -d: -f2- | rev | sort | uniq > $TMP_DIR/BBnames2.txt && mv $TMP_DIR/BBnames2.txt $TMP_DIR/BBnames.txt
cat $TMP_DIR/BBcalls.txt | sort | uniq > $TMP_DIR/BBcalls2.txt && mv $TMP_DIR/BBcalls2.txt $TMP_DIR/BBcalls.txt
# gen distances; afterwards check that $TMP_DIR/distance.cfg.txt is non-empty,
# otherwise no target matched a basic block and the second build gets no distance information
$AFLGO/scripts/genDistance.sh $SUBJECT $TMP_DIR lrzip
# second build
CFLAGS="-distance=$TMP_DIR/distance.cfg.txt" CXXFLAGS="-distance=$TMP_DIR/distance.cfg.txt" ../configure --prefix=`pwd`
make clean; make -j4
# create empty seed
mkdir in; echo "" > in/in
# fuzz (lrzip -t tests the archive passed via @@)
$AFLGO/afl-fuzz -m none -z exp -c 45m -i in -o out ./lrzip -t @@
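The script above hard-codes the single target location taken from the bug report. When a report ships a full sanitizer backtrace, every frame inside the project is a candidate target, and the following added example (my own illustration, not part of AFLGo or of the scripts in this post) turns such a trace into BBtargets.txt lines. The report text and the project root /home/user/subject are constructed placeholders; frames outside the root (libc, frames without debug info) are dropped, duplicates are removed, and the directory part is stripped so that the output has the same basename:line form as the stream.c:1756 target used above.

```shell
#!/bin/sh
# Added example, not AFLGo's code: derive AFLGo targets (file:line) from the
# stack frames of an ASan/UBSan-style report. Assumed frame format:
#   #N 0xADDR in func /abs/path/file.c:LINE[:COL]
# Only frames whose source file lives under the given project root are kept.

# Constructed sample report (placeholder paths and functions, not a real trace).
SAMPLE_REPORT='==12345==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000010
READ of size 1 at 0x602000000010 thread T0
    #0 0x4f2a11 in parse_record /home/user/subject/src/parse.c:42:9
    #1 0x4e88c3 in main /home/user/subject/src/main.c:17:12
    #2 0x7f3b2c021830 in __libc_start_main /build/glibc/csu/libc-start.c:291
    #3 0x41b2e9 in _start (/home/user/subject/build/prog+0x41b2e9)
'

# report_to_targets ROOT: read a sanitizer report on stdin and print
# "basename:line" for every frame under ROOT, deepest frame first, no duplicates.
report_to_targets() {
    awk -v root="$1/" '
    /^[ \t]*#[0-9]+ / {
        loc = $NF                                  # "/path/file.c:LINE:COL" or "(bin+0x..)"
        if (index(loc, root) != 1) next            # not under the project root
        loc = substr(loc, length(root) + 1)        # "src/file.c:LINE:COL"
        n = split(loc, f, ":")
        if (n < 2 || f[2] !~ /^[0-9]+$/) next      # no line number available
        file = f[1]
        sub(/.*\//, "", file)                      # keep the basename only
        target = file ":" f[2]
        if (!(target in seen)) { seen[target] = 1; print target }
    }
    '
}

# Usage: write the result straight into BBtargets.txt for the first build.
printf '%s' "$SAMPLE_REPORT" | report_to_targets /home/user/subject
```

The deepest frame (the crash site) comes out first; if you only want that one, pipe through head -n 1. Keeping the callers as additional targets lets AFLGo steer towards the whole path in the report rather than the last line alone.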
App 2: Patch testing
DGF can also stress-test a developer's patch; in that case the targets are the lines the patch changed. You can run this script to fuzz libxml2 as discussed in the AFLGo README. The only real difference from App 1 is the target identification step, shown below.
# identify BB targets from patch: every line added by the last commit, as file:line
git diff -U0 HEAD^ HEAD > $TMP_DIR/commit.diff
# showlinenum.awk annotates each diff line with its line number in the new file
wget https://raw.githubusercontent.com/jay/showlinenum/develop/showlinenum.awk
chmod +x showlinenum.awk
mv showlinenum.awk $TMP_DIR
# keep added lines ("+") of C/C++ sources and headers, drop the added text and the trailing ":"
cat $TMP_DIR/commit.diff | $TMP_DIR/showlinenum.awk show_header=0 path=1 | grep -e "\.[ch]:[0-9]*:+" -e "\.cpp:[0-9]*:+" -e "\.cc:[0-9]*:+" | cut -d+ -f1 | rev | cut -c2- | rev > $TMP_DIR/BBtargets.txt
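To make explicit what the showlinenum pipeline computes, here is an added example (mine, not AFLGo's or showlinenum's code) that does the same job with plain awk: it walks the unified diff, tracks the new-file line number from each @@ hunk header, and emits file:line for every added line in a .c/.h/.cpp/.cc file. The sample diff is constructed (not a real libxml2 commit) and contains the two hunk-header shapes git produces with -U0, one with an explicit line count and one without, plus a non-source file that must be filtered out.

```shell
#!/bin/sh
# Added example, not AFLGo's code: convert a unified diff into AFLGo target lines
# (file:line) for every added line in C/C++ sources, like the showlinenum pipeline.
# Assumes a git-style diff ("+++ b/path"); works with any -U context size.

# Constructed sample diff (not a real commit).
SAMPLE_DIFF='diff --git a/parser.c b/parser.c
index 1111111..2222222 100644
--- a/parser.c
+++ b/parser.c
@@ -100,0 +101,2 @@ xmlParseFoo(xmlParserCtxtPtr ctxt)
+    if (ctxt == NULL)
+        return;
@@ -250 +252 @@ xmlParseBar(void)
-    old(x);
+    new(x);
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1 +1 @@
-old text
+new text
'

# diff_to_targets: read a unified diff on stdin, print "file:line" for each
# added line of a .c/.h/.cpp/.cc file, in diff order.
diff_to_targets() {
    awk '
    /^[+][+][+] / {
        path = $2                               # "b/parser.c" or "/dev/null"
        sub(/^b\//, "", path)                   # strip the git "b/" prefix
        keep = (path ~ /\.(c|h|cpp|cc)$/)
        next
    }
    /^@@ / {
        # $3 is "+START,COUNT" or "+START"; a missing count means one line
        split($3, parts, ",")
        line = substr(parts[1], 2) + 0
        next
    }
    /^[+]/ { if (keep) print path ":" line; line++; next }
    /^-/   { next }                             # removed lines do not exist in the new file
    /^ /   { line++ }                           # unchanged context line (only with -U>0)
    '
}

# Usage: redirect the output to $TMP_DIR/BBtargets.txt before the first build.
printf '%s' "$SAMPLE_DIFF" | diff_to_targets
```

Note that removed-only hunks produce no targets: a deleted line has no basic block in the patched program, so if a fix consists purely of deletions you must pick the surviving neighbouring lines by hand.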
To sum up, this gives you a template for writing your own scripts to fuzz other programs with AFLGo (change the targets, add program-specific CFLAGS, and so on). More fuzzing scripts (stay tuned, I will add more):
- jasper: CVE-2015-5221
- mjs (used in another DGF Hawkeye): issues-57, issues-78
- GIFLIB: bugs-74
- libming: CVE-2018-8962, CVE-2018-8807
- binutils: CVE-2016-{4487,4488}
- DARPA CGC: Palindrome, KTY_Pretty_Printer, LMS
- libxml2: ef709ce2
- lrzip: CVE-2017-8846, CVE-2018-11496
Happy fuzzing :-P