
ReZZan: RET+Fuzzing+Sanitizer

ReZZan is a fast memory error sanitizer for fuzzing C/C++ code.

Publication

Efficient Greybox Fuzzing to Detect Memory Errors (In the 37th IEEE/ACM International Conference on Automated Software Engineering [ASE22])

PDF: https://arxiv.org/abs/2204.02773.

Prerequisites

  • LLVM >= 12
  • Clang >= 12

Build

sudo ./install.sh

Run

Call the rezzanclang command directly, in place of clang, to compile your target program:

rezzanclang target.c
./target

When a memory error is detected, the target program receives a SIGILL signal.

Options

Environment variables control ReZZan's parameters. Note that they must be set both when compiling and when running the target program. For example:

REZZAN_NONCE_SIZE=64 rezzanclang target.c -o target
REZZAN_NONCE_SIZE=64 ./target
  • REZZAN_NONCE_SIZE: size of the nonce in bits; must be 61 or 64. 61 gives byte-accurate detection, 64 gives word-accurate detection. (Default: 61).
  • REZZAN_QUARANTINE_SIZE: size of the quarantine, used for storing freed heap memory, in bytes (Default: ~1MB).
  • REZZAN_POOL_SIZE: size of the memory pool in bytes (Default: ~2GB).
  • REZZAN_DEBUG: set to 1 to enable debug output (Default: 0).
  • REZZAN_CHECKS: set to 1 to enable additional checking for debugging ReZZan (Default: 0).
  • REZZAN_DISABLED: set to 1 to disable ReZZan allocation (Default: 0).
  • REZZAN_STATS: set to 1 to print stats on exit (Default: 0).
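The nonce-size option decides what the poison check can see. The following is an added example, not ReZZan's code, that models a Randomized Embedded Token check over a toy 32-byte heap in both modes: with a 64-bit nonce a word counts as poisoned only if the whole word holds the token, so a word shared between the last bytes of an object and the redzone cannot be poisoned and an off-by-one read slips through; with a 61-bit nonce the low 3 bits are free to carry a boundary count, so the same read is caught. The encoding used here (nonce in the high 61 bits, number of valid leading bytes in the low 3 bits), the token value and the toy heap are this example's own assumptions, not ReZZan's exact layout or allocator.

```c
/*
 * Added example (not ReZZan's code): a simplified model of a Randomized
 * Embedded Token (RET) poison check in word-accurate (64-bit nonce) and
 * byte-accurate (61-bit nonce + 3 boundary bits) modes.  The encoding
 * below is this example's assumption, not ReZZan's exact layout, and the
 * toy heap models only the check, not a real allocator.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HEAP_WORDS 4
static uint64_t heap[HEAP_WORDS];                       /* toy heap: 4 words = 32 bytes */
static const uint64_t NONCE     = 0x1d3f5a7c9e2b4860ULL; /* constructed "random" token */
static const uint64_t USER_DATA = 0x4141414141414141ULL; /* constructed object contents */

/* Enum values double as the nonce size in bits, mirroring REZZAN_NONCE_SIZE. */
enum mode { WORD_ACCURATE = 64, BYTE_ACCURATE = 61 };

/* Lay out one object of `size` bytes at offset 0 and poison everything after it. */
static void setup(size_t size, enum mode m) {
    for (size_t w = 0; w < HEAP_WORDS; w++) {
        size_t start = w * 8;
        if (start + 8 <= size) {
            heap[w] = USER_DATA;                         /* fully valid word */
        } else if (start >= size) {
            heap[w] = (m == WORD_ACCURATE) ? NONCE : (NONCE & ~7ULL); /* fully poisoned, 0 valid bytes */
        } else if (m == BYTE_ACCURATE) {
            /* Boundary word: the first (size - start) bytes are valid, the rest poisoned. */
            heap[w] = (NONCE & ~7ULL) | (uint64_t)(size - start);
        } else {
            heap[w] = USER_DATA;   /* word-accurate mode cannot poison part of a word */
        }
    }
}

/* Return 1 if an n-byte access at byte offset `off` touches poisoned memory. */
static int is_poisoned(size_t off, size_t n, enum mode m) {
    for (size_t b = off; b < off + n; b++) {
        size_t w = b / 8, in_word = b % 8;
        if (w >= HEAP_WORDS) return 1;                   /* beyond the toy heap */
        uint64_t v = heap[w];
        if (m == WORD_ACCURATE) {
            if (v == NONCE) return 1;                    /* whole word must be the token */
        } else {
            /* High 61 bits must match; low 3 bits say how many leading bytes are valid. */
            if ((v & ~7ULL) == (NONCE & ~7ULL) && in_word >= (v & 7ULL)) return 1;
        }
    }
    return 0;
}

/* Off-by-one read past a 13-byte object: caught only in byte-accurate mode. */
int off_by_one_detected(enum mode m) { setup(13, m); return is_poisoned(13, 1, m); }

/* 8-byte read starting right after a 16-byte object: caught in both modes. */
int word_overflow_detected(enum mode m) { setup(16, m); return is_poisoned(16, 8, m); }

/* In-bounds read of the whole 13-byte object: must never be reported. */
int in_bounds_flagged(enum mode m) { setup(13, m); return is_poisoned(0, 13, m); }

int main(void) {
    printf("off-by-one read, 64-bit nonce: %s\n", off_by_one_detected(WORD_ACCURATE) ? "caught" : "missed");
    printf("off-by-one read, 61-bit nonce: %s\n", off_by_one_detected(BYTE_ACCURATE) ? "caught" : "missed");
    printf("whole-word overrun, 64-bit nonce: %s\n", word_overflow_detected(WORD_ACCURATE) ? "caught" : "missed");
    return 0;
}
```

The token is randomized because the check has no metadata beyond the memory contents themselves: an object whose bytes happen to equal the nonce would be misread as poison, which is why a 61- or 64-bit random value is used rather than a fixed pattern.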

AFL

Build:

The same as vanilla AFL:

cd AFL
make clean all
cd llvm_mode
make clean all

Run:

Set the AFL_CHECK_REZZAN environment variable to enable ReZZan in AFL:

AFL_CHECK_REZZAN=1 AFL/afl-clang-fast target.c -o target
./AFL/afl-fuzz -i in -o out -- ./target @@

Demo:

To quickly start a fuzzing campaign:

git clone https://github.com/glennrp/libpng.git && \
    cd libpng && \
    CC=../AFL/afl-clang-fast ./configure --disable-shared --disable-libseccomp && \
    AFL_CHECK_REZZAN=1 make clean all
cd ..
mkdir in
echo "test" > in/test.txt
./AFL/afl-fuzz -i in -o out -- ./libpng/pngfix @@

Artifact Evaluation

We provide a Dockerfile to facilitate reproducing our results.

Build:

sudo docker build . -t rezzan

To Reproduce RQ.1 Detection Capability:

sudo docker run -it rezzan
cd /juliet
./run_juliet.sh

The final results will be shown in the terminal when the execution is done. Please see juliet/Readme.md for more information. The execution is expected to take several hours.

To Reproduce RQ.2 Execution Speed:

sudo docker run -it rezzan
cd /benchmark
./run_benchmark.sh <fuzzer> <target>

Please choose the args from the following options:

fuzzer: {asan, rezzan, rezzan_lite, native}

target: {cxxfilt, file, jerryscript, mupdf, nm, objdump, libpng, size, sqlite, tcpdump}

The execution speed information will be shown in the terminal. Please see benchmark/Readme.md for more information.

To Reproduce RQ.4 Bug Finding Effectiveness:

sudo docker run -it rezzan
cd /fuzzer-test-suite
./run_fuzzer-test-suite.sh <fuzzer> <target>

Please choose the args from the following options:

fuzzer: {asan, rezzan, rezzan_lite}

target: {c-ares-CVE-2016-5180, json-2017-02-12, libxml2-v2.9.2, openssl-1.0.1f, pcre2-10.00}

The fuzzing campaign stops automatically when a crash is found, so the time to reach the bug can be read from the AFL UI. For more information, see fuzzer-test-suite/Readme.md.

License

This project is licensed under the GPL-3.0 - see the LICENSE file for details.

Contributors

bajinsheng

Issues

ReZZan misses trivial UAF bugs once quarantine is filled

ReZZan doesn't seem to catch simple use-after-free bugs once the quarantine has been filled at least once.

#include <stdio.h>
#include <stdlib.h>

int main() {
  // Simulate a normal program that allocates memory and frees it.
  for (int m = 0; m < 4096; ++m) {
    int *fill_quarantine = malloc(65536*2);
    free(fill_quarantine);
  }

  // Allocate and free.
  float *uaf = malloc(sizeof(float) * 2);
  free(uaf);

  // Reallocate and do a use-after-free on the just-freed memory.
  int *target = malloc(sizeof(int));
  if (*uaf)
    return 3;
  free(target);
}

Doesn't yield a SIGILL indicating an error:

$ rezzanclang uaf.c -g -O0 -o uaf ; and ./uaf
$

If I remove the loop at the start (or shorten it to like 1000 iterations) then the UAF is detected.

$ rezzanclang uaf-fixed.c -g -O0 -o uaf ; and ./uaf
fish: './uaf' terminated by signal SIGILL (Illegal instruction)
$

Note that ASan (and probably every other UAF detector using an actual queue) will reliably catch such bugs.
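The report above turns on how a bounded quarantine behaves once it is full. The following is an added example, not ReZZan's code or the reporter's, that models two quarantine policies over a toy chunk pool: a FIFO that evicts the oldest entry when the byte budget is exceeded, and one that simply stops quarantining new frees once the budget is used up. Which policy ReZZan implements is not stated in the issue; the chunk states, budget and sizes are this example's own constructions. It reproduces the shape of the reporter's program (churn, then free, allocate and read through the stale pointer) and shows that only the second policy lets the stale read pass once the quarantine has been filled.

```c
/*
 * Added example (not ReZZan's or the reporter's code): a toy bounded
 * quarantine for freed heap chunks under two policies, to illustrate the
 * failure mode described in the issue.  Which policy ReZZan uses is not
 * stated there; states, budget and sizes here are constructed.
 */
#include <stddef.h>
#include <stdio.h>

#define MAX_CHUNKS 64

enum policy { FIFO_EVICT_OLDEST, DROP_WHEN_FULL };
enum state  { NEVER_USED, IN_USE, QUARANTINED, RECYCLABLE };

struct chunk { size_t size; enum state st; };

static struct chunk pool[MAX_CHUNKS];
static int    q_ring[MAX_CHUNKS];          /* FIFO of quarantined chunk ids */
static size_t q_head, q_len, q_bytes, q_budget;
static enum policy q_policy;

static void reset(size_t budget, enum policy p) {
    for (int i = 0; i < MAX_CHUNKS; i++) pool[i] = (struct chunk){ 0, NEVER_USED };
    q_head = q_len = q_bytes = 0;
    q_budget = budget;
    q_policy = p;
}

/* Toy malloc: recycle a chunk that has left quarantine before taking a fresh one. */
static int toy_malloc(size_t size) {
    for (int i = 0; i < MAX_CHUNKS; i++)
        if (pool[i].st == RECYCLABLE) { pool[i] = (struct chunk){ size, IN_USE }; return i; }
    for (int i = 0; i < MAX_CHUNKS; i++)
        if (pool[i].st == NEVER_USED) { pool[i] = (struct chunk){ size, IN_USE }; return i; }
    return -1;                              /* toy pool exhausted */
}

/* Oldest quarantined chunk becomes reusable: its memory is no longer poisoned. */
static void evict_oldest(void) {
    int old = q_ring[q_head];
    q_head = (q_head + 1) % MAX_CHUNKS;
    q_len--;
    q_bytes -= pool[old].size;
    pool[old].st = RECYCLABLE;
}

static void toy_free(int id) {
    if (id < 0) return;
    if (q_policy == DROP_WHEN_FULL && q_bytes + pool[id].size > q_budget) {
        pool[id].st = RECYCLABLE;           /* quarantine full: freed memory reusable at once */
        return;
    }
    pool[id].st = QUARANTINED;             /* poisoned while quarantined */
    q_ring[(q_head + q_len) % MAX_CHUNKS] = id;
    q_len++;
    q_bytes += pool[id].size;
    while (q_policy == FIFO_EVICT_OLDEST && q_bytes > q_budget)
        evict_oldest();
}

/* A read through a stale pointer is caught only while its chunk is still poisoned. */
static int stale_read_detected(int id) { return pool[id].st == QUARANTINED; }

/* The issue's shape: churn `churn` frees of `churn_size` bytes through the quarantine,
   then free a small chunk, allocate again and read through the stale pointer.
   Returns 1 if the use-after-free is detected, 0 if it is missed, -1 if the toy pool ran out. */
int uaf_detected(enum policy p, size_t budget, int churn, size_t churn_size) {
    reset(budget, p);
    for (int i = 0; i < churn; i++) toy_free(toy_malloc(churn_size));
    int uaf = toy_malloc(8);
    if (uaf < 0) return -1;
    toy_free(uaf);
    (void)toy_malloc(4);                    /* may hand the stale chunk straight back out */
    return stale_read_detected(uaf);
}

int main(void) {
    printf("FIFO quarantine, heavy churn:      %s\n", uaf_detected(FIFO_EVICT_OLDEST, 1024, 50, 256) ? "caught" : "missed");
    printf("drop-when-full, heavy churn:       %s\n", uaf_detected(DROP_WHEN_FULL, 1024, 50, 256) ? "caught" : "missed");
    printf("drop-when-full, little churn:      %s\n", uaf_detected(DROP_WHEN_FULL, 1024, 2, 256) ? "caught" : "missed");
    return 0;
}
```

With a FIFO the most recent free is always the last to leave quarantine, so a use-after-free shortly after the free is caught regardless of how much memory was churned before; a policy that stops quarantining when full protects nothing once the budget is spent, which is the behaviour the report describes and why REZZAN_QUARANTINE_SIZE alone only delays, rather than fixes, such a miss.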

memset not instrumented

I'm trying to reproduce the ReZZan results and I noticed that memset is not instrumented by the rezzan_runtime. Given that it's a major part of the workload of most of the fuzzed binaries, I want to fix it before doing a fuzzing evaluation. I attached my local diff below; could you confirm that this would be the intended way for ReZZan to implement the poison check?

diff --git a/rezzan_runtime.c b/rezzan_runtime.c
index 3e77d07..d6c9131 100644
--- a/rezzan_runtime.c
+++ b/rezzan_runtime.c
@@ -824,6 +824,23 @@ void *memcpy(void * restrict dst, const void * restrict src, size_t n)
     return dst;
 }
 
+/*
+ * The glib runtime support.
+ */
+void *__ni_memset(void *dst, int c, size_t n)
+{
+    uint8_t *dst8 = (uint8_t *)dst;
+    for (size_t i = 0; i < n; i++)
+        dst8[i] = c;
+    return dst;
+}
+
+void *memset(void *dst, int c, size_t n)
+{
+    check_poisoned(dst, n);
+    return __ni_memset(dst, c, n);
+}
+
 void *memmove(void * restrict dst, const void * restrict src, size_t n)
 {
     check_poisoned(dst, n);
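Review bot: the byte loop in `__ni_memset` (`for (size_t i = 0; i < n; i++) dst8[i] = c;`) is exactly the pattern that an optimizing compiler's loop-idiom recognition rewrites into a call to `memset`, so with this hunk `memset` can end up calling `__ni_memset`, which calls `memset` again, recursing until the stack is exhausted; compile this runtime file with that transformation disabled (for example `-fno-builtin`, or otherwise prevent the loop from being turned back into a library call) and add a comment saying why the loop must stay a loop. Placing `check_poisoned(dst, n)` before the write matches the `memmove` wrapper below and is the right ordering for the poison check. The comment `The glib runtime support.` is misleading for a function that replaces a libc routine; name what it actually does or drop it.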
