AFL Basics

  1. Fuzzing: the alchemist's road
    1. An out-of-the-box sword: AFL
    2. Getting to know the sword
    3. Deeper dive
    4. Common problems

Fuzzing: the alchemist's road

Lazy Pwner ☞ primelee

Disclaimer: the following are study notes only, not the author's original work.

An out-of-the-box sword: AFL

  1. make

  2. Write a stack-overflow target that calls gets(name)

  3. Compile with instrumentation

  4. Create the initial corpus

    echo 'Pwn me' >> ./input/a.in

  5. Go fuzzing!

    Oh no …

    Fix it…

    # the redirect is performed by the unprivileged shell, so `sudo echo core > ...` fails; let tee do the write as root
    echo core | sudo tee /proc/sys/kernel/core_pattern

  6. Fuzz again!

  7. Chart, love it!

Getting to know the sword

Essentials extracted from http://lcamtuf.coredump.cx/afl/README.txt

The problem: it is hard to cover every execution path

Unfortunately, fuzzing is also relatively shallow; blind, random mutations make it very unlikely to reach certain code paths.

Approaches:

  1. Corpus distillation: the method relies on coverage signals to select a subset of interesting seeds from a massive, high-quality corpus of candidate files, and then fuzz them by traditional means.
  2. Other, more sophisticated research has focused on techniques such as program flow analysis ("concolic execution"), symbolic execution, or static analysis.

Summary of the afl-fuzz algorithm

Simplifying a bit, the overall algorithm can be summed up as:

  1) Load user-supplied initial test cases into the queue,

  2) Take next input file from the queue,

  3) Attempt to trim the test case to the smallest size that doesn't alter
     the measured behavior of the program,

  4) Repeatedly mutate the file using a balanced and well-researched variety
     of traditional fuzzing strategies,

  5) If any of the generated mutations resulted in a new state transition
     recorded by the instrumentation, add mutated output as a new entry in the
     queue.

  6) Go to 2.

Instrumenting from source (Instrumenting programs for use with AFL)

$ CC=/path/to/afl/afl-gcc ./configure
$ make clean all
# For C++ programs, you would also want to set CXX=/path/to/afl/afl-g++.

Fuzzing a library from source

When testing libraries, you need to find or write a simple program that reads
data from stdin or from a file and passes it to the tested library. In such a
case, it is essential to link this executable against a static version of the
instrumented library, or to make sure that the correct .so file is loaded at
runtime (usually by setting LD_LIBRARY_PATH). The simplest option is a static
build, usually possible via:

$ CC=/path/to/afl/afl-gcc ./configure --disable-shared

NOTE:

Setting AFL_HARDEN=1 when calling 'make' will cause the CC wrapper to
automatically enable code hardening options that make it easier to detect
simple memory bugs. Libdislocator, a helper library included with AFL (see
libdislocator/README.dislocator) can help uncover heap corruption issues, too.

Black-box instrumentation (on-the-fly instrumentation of black-box binaries)

When source code is *NOT* available, the fuzzer offers experimental support for
fast, on-the-fly instrumentation of black-box binaries. This is accomplished
with a version of QEMU running in the lesser-known "user space emulation" mode.

Warning

1 - Your CPU will run hot and will need adequate cooling. In most cases, if
    cooling is insufficient or stops working properly, CPU speeds will be
    automatically throttled. That said, especially when fuzzing on less
    suitable hardware (laptops, smartphones, etc), it's not entirely impossible
    for something to blow up.

2 - Targeted programs may end up erratically grabbing gigabytes of memory or
    filling up disk space with junk files. AFL tries to enforce basic memory
    limits, but can't prevent each and every possible mishap. The bottom line
    is that you shouldn't be fuzzing on systems where the prospect of data loss
    is not an acceptable risk.

3 - Fuzzing involves billions of reads and writes to the filesystem. On modern
    systems, this will be usually heavily cached, resulting in fairly modest
    "physical" I/O - but there are many factors that may alter this equation.
    It is your responsibility to monitor for potential trouble; with very heavy
    I/O, the lifespan of many HDDs and SSDs may be reduced.

Installing QEMU mode

There are many pitfalls; see this post: http://www.gandalf.site/2019/01/aflafl-qemufuzz.html

Deeper dive

Input corpus distillation tool: afl-cmin

Distilling a single file: afl-tmin

Common problems

  1. afl-fuzz fails on the first run. ✅

    [-] Hmm, your system is configured to send core dump notifications to an
        external utility. This will cause issues: there will be an extended delay
        between stumbling upon a crash and having this information relayed to the
        fuzzer via the standard waitpid() API.
    
        To avoid having crashes misinterpreted as timeouts, please log in as root
        and temporarily modify /proc/sys/kernel/core_pattern, like so:
    
        echo core >/proc/sys/kernel/core_pattern
    
    [-] PROGRAM ABORT : Pipe at the beginning of 'core_pattern'
             Location : check_crash_handling(), afl-fuzz.c:7275
    
     cat /proc/sys/kernel/core_pattern
    |/usr/share/apport/apport %p %s %c %d %P
  2. Added the @@ marker for file input as the docs require, but no crash is triggered. ✅

    File input only works if the target actually takes the file as a command-line argument.
    ./your_target_program file_name
    # runs successfully

    # afl-fuzz substitutes @@ with the path of the current test case; a fixed file_name here would make the target ignore the fuzzer's input
    afl-fuzz -i testcases -o result ./your_target_program @@
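As an added example (not code from the original post or from AFL itself), here is a minimal target program that ties together the quick-start steps, the library-harness advice above ("a simple program that reads data from stdin or from a file and passes it to the tested library") and FAQ 2: it reads the whole input from the file named in argv[1] when one is given (the path afl-fuzz substitutes for @@), otherwise from stdin, and hands the bytes to the code under test. parse_records() is a hypothetical stand-in for the library being fuzzed, and the 1 MiB input cap is an assumption.

```c
/* Example AFL target harness (added here; not from the original post or AFL).
 * Reads argv[1] (what afl-fuzz puts in place of @@) or stdin, then calls the
 * code under test. parse_records() is a hypothetical stand-in library. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_INPUT (1u << 20)   /* assumed 1 MiB cap: a hostile input cannot exhaust memory */

/* Read up to cap bytes from f into buf; returns the number of bytes read. */
size_t read_all(FILE *f, uint8_t *buf, size_t cap) {
    size_t total = 0, n;
    while (total < cap && (n = fread(buf + total, 1, cap - total, f)) > 0)
        total += n;
    return total;
}

/* Hypothetical code under test: a stream of [len:1][payload:len] records.
 * Returns the number of well-formed records, or -1 if a record is truncated. */
int parse_records(const uint8_t *buf, size_t len) {
    size_t pos = 0;
    int count = 0;
    while (pos < len) {
        size_t reclen = buf[pos++];
        if (reclen > len - pos)     /* bounds check: record would run past the input */
            return -1;
        pos += reclen;
        count++;
    }
    return count;
}

int main(int argc, char **argv) {
    FILE *in = stdin;
    if (argc > 1) {                 /* file mode: afl-fuzz passes the test case path here via @@ */
        in = fopen(argv[1], "rb");
        if (!in) { perror(argv[1]); return 1; }
    }
    uint8_t *buf = malloc(MAX_INPUT);
    if (!buf) return 1;
    size_t len = read_all(in, buf, MAX_INPUT);
    int rc = parse_records(buf, len);   /* a crash here is what the fuzzer is looking for */
    free(buf);
    if (in != stdin) fclose(in);
    return rc < 0 ? 1 : 0;
}
```

Build it with CC=/path/to/afl/afl-gcc as in the instrumentation section, then run afl-fuzz with @@ as the last argument for file mode, or without it to have the test case delivered on stdin.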

Please credit the source when reposting. You are welcome to verify the sources cited in this article and to point out anything that is wrong or unclear; leave a comment in the section below.

Title: AFL Basics

Author: 枫云李

Published: 2020-04-10, 12:35:49

Last updated: 2020-04-11, 01:11:17

Original link: https://primelyw.github.io/2020/04/10/AFL%E5%9F%BA%E7%A1%80/

License: "Attribution-NonCommercial-ShareAlike 4.0". Keep the original link and author when reposting.
