fdu-sec / nestfuzz Goto Github PK

A structure-aware grey box fuzzer based on modeling the input processing logic.

License: Apache License 2.0

Makefile 0.42% C 20.76% Shell 1.60% HTML 0.10% CMake 2.45% Rust 3.35% Python 1.23% C++ 69.82% Assembly 0.16% Pawn 0.11% JavaScript 0.01% Rich Text Format 0.01%

structure-aware-fuzzing taint-analysis fuzzing

nestfuzz's People

Contributors

Stargazers

Watchers

Forkers

chlitsec wx69wx ruikangpeng h1d3r donghaitad loulan-ling googlei1996 sec-fork akane0721 chicharitomu14 gmh5225 komorogrov

nestfuzz's Issues

Some questions about recurrence

I am a newbie in fuzz testing. I am trying to reproduce NestFuzz and follow the readme. There is no crash within 23 hours. Is this normal? It is shown in the paper that the average result of fuzz testing tiffsplit is 13. At the same time, I also want to use NestFuzz to test other programs. How to do this? Hope to get your help, thank you!

Error in make operation

/usr/bin/ld: /tmp/ccr2blME.o:/home/senku/NestFuzz/afl-fuzz.h:274: multiple definition of top_rated'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:274: first defined here
/usr/bin/ld: /tmp/ccr2blME.o:/home/senku/NestFuzz/afl-fuzz.h:271: multiple definition of q_prev100'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:271: first defined here /usr/bin/ld: /tmp/ccr2blME.o:/home/senku/NestFuzz/afl-fuzz.h:270: multiple definition of queue_top'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:270: first defined here
/usr/bin/ld: /tmp/ccr2blME.o:/home/senku/NestFuzz/afl-fuzz.h:269: multiple definition of queue_cur'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:269: first defined here /usr/bin/ld: /tmp/ccr2blME.o:/home/senku/NestFuzz/afl-fuzz.h:268: multiple definition of queue'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:268: first defined here
/usr/bin/ld: /tmp/cc0m6ieh.o:/home/senku/NestFuzz/afl-fuzz.h:274: multiple definition of top_rated'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:274: first defined here /usr/bin/ld: /tmp/cc0m6ieh.o:/home/senku/NestFuzz/afl-fuzz.h:270: multiple definition of queue_top'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:270: first defined here
/usr/bin/ld: /tmp/cc0m6ieh.o:/home/senku/NestFuzz/afl-fuzz.h:271: multiple definition of q_prev100'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:271: first defined here /usr/bin/ld: /tmp/cc0m6ieh.o:/home/senku/NestFuzz/afl-fuzz.h:269: multiple definition of queue_cur'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:269: first defined here
/usr/bin/ld: /tmp/cc0m6ieh.o:/home/senku/NestFuzz/afl-fuzz.h:268: multiple definition of queue'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:268: first defined here /usr/bin/ld: /tmp/ccfU4uyb.o:/home/senku/NestFuzz/afl-fuzz.h:274: multiple definition of top_rated'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:274: first defined here
/usr/bin/ld: /tmp/ccfU4uyb.o:/home/senku/NestFuzz/afl-fuzz.h:271: multiple definition of q_prev100'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:271: first defined here /usr/bin/ld: /tmp/ccfU4uyb.o:/home/senku/NestFuzz/afl-fuzz.h:270: multiple definition of queue_top'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:270: first defined here
/usr/bin/ld: /tmp/ccfU4uyb.o:/home/senku/NestFuzz/afl-fuzz.h:269: multiple definition of queue_cur'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:269: first defined here /usr/bin/ld: /tmp/ccfU4uyb.o:/home/senku/NestFuzz/afl-fuzz.h:268: multiple definition of queue'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:268: first defined here
/usr/bin/ld: /tmp/ccjThZe1.o:/home/senku/NestFuzz/afl-fuzz.h:269: multiple definition of queue_cur'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:269: first defined here /usr/bin/ld: /tmp/ccjThZe1.o:/home/senku/NestFuzz/afl-fuzz.h:268: multiple definition of queue'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:268: first defined here
/usr/bin/ld: /tmp/ccjThZe1.o:/home/senku/NestFuzz/afl-fuzz.h:274: multiple definition of top_rated'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:274: first defined here /usr/bin/ld: /tmp/ccjThZe1.o:/home/senku/NestFuzz/afl-fuzz.h:271: multiple definition of q_prev100'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:271: first defined here
/usr/bin/ld: /tmp/ccjThZe1.o:/home/senku/NestFuzz/afl-fuzz.h:270: multiple definition of queue_top'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:270: first defined here /usr/bin/ld: /tmp/cct92SZa.o:/home/senku/NestFuzz/afl-fuzz.h:269: multiple definition of queue_cur'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:269: first defined here
/usr/bin/ld: /tmp/cct92SZa.o:/home/senku/NestFuzz/afl-fuzz.h:268: multiple definition of queue'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:268: first defined here /usr/bin/ld: /tmp/cct92SZa.o:/home/senku/NestFuzz/afl-fuzz.h:274: multiple definition of top_rated'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:274: first defined here
/usr/bin/ld: /tmp/cct92SZa.o:/home/senku/NestFuzz/afl-fuzz.h:271: multiple definition of q_prev100'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:271: first defined here /usr/bin/ld: /tmp/cct92SZa.o:/home/senku/NestFuzz/afl-fuzz.h:270: multiple definition of queue_top'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:270: first defined here
/usr/bin/ld: /tmp/ccY4NADw.o:/home/senku/NestFuzz/afl-fuzz.h:268: multiple definition of queue'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:268: first defined here /usr/bin/ld: /tmp/ccY4NADw.o:/home/senku/NestFuzz/afl-fuzz.h:274: multiple definition of top_rated'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:274: first defined here
/usr/bin/ld: /tmp/ccY4NADw.o:/home/senku/NestFuzz/afl-fuzz.h:271: multiple definition of q_prev100'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:271: first defined here /usr/bin/ld: /tmp/ccY4NADw.o:/home/senku/NestFuzz/afl-fuzz.h:270: multiple definition of queue_top'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:270: first defined here
/usr/bin/ld: /tmp/ccY4NADw.o:/home/senku/NestFuzz/afl-fuzz.h:269: multiple definition of queue_cur'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:269: first defined here /usr/bin/ld: /tmp/ccVXovAt.o:/home/senku/NestFuzz/afl-fuzz.h:268: multiple definition of queue'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:268: first defined here
/usr/bin/ld: /tmp/ccVXovAt.o:/home/senku/NestFuzz/afl-fuzz.h:274: multiple definition of top_rated'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:274: first defined here /usr/bin/ld: /tmp/ccVXovAt.o:/home/senku/NestFuzz/afl-fuzz.h:270: multiple definition of queue_top'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:270: first defined here
/usr/bin/ld: /tmp/ccVXovAt.o:/home/senku/NestFuzz/afl-fuzz.h:271: multiple definition of q_prev100'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:271: first defined here /usr/bin/ld: /tmp/ccVXovAt.o:/home/senku/NestFuzz/afl-fuzz.h:269: multiple definition of queue_cur'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:269: first defined here
/usr/bin/ld: /tmp/ccIUdc8x.o:/home/senku/NestFuzz/afl-fuzz.h:268: multiple definition of queue'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:268: first defined here /usr/bin/ld: /tmp/ccIUdc8x.o:/home/senku/NestFuzz/afl-fuzz.h:274: multiple definition of top_rated'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:274: first defined here
/usr/bin/ld: /tmp/ccIUdc8x.o:/home/senku/NestFuzz/afl-fuzz.h:271: multiple definition of q_prev100'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:271: first defined here /usr/bin/ld: /tmp/ccIUdc8x.o:/home/senku/NestFuzz/afl-fuzz.h:270: multiple definition of queue_top'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:270: first defined here
/usr/bin/ld: /tmp/ccIUdc8x.o:/home/senku/NestFuzz/afl-fuzz.h:269: multiple definition of queue_cur'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:269: first defined here /usr/bin/ld: /tmp/ccBh9Mit.o:/home/senku/NestFuzz/afl-fuzz.h:274: multiple definition of top_rated'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:274: first defined here
/usr/bin/ld: /tmp/ccBh9Mit.o:/home/senku/NestFuzz/afl-fuzz.h:271: multiple definition of q_prev100'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:271: first defined here /usr/bin/ld: /tmp/ccBh9Mit.o:/home/senku/NestFuzz/afl-fuzz.h:270: multiple definition of queue_top'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:270: first defined here
/usr/bin/ld: /tmp/ccBh9Mit.o:/home/senku/NestFuzz/afl-fuzz.h:269: multiple definition of queue_cur'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:269: first defined here /usr/bin/ld: /tmp/ccBh9Mit.o:/home/senku/NestFuzz/afl-fuzz.h:268: multiple definition of queue'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:268: first defined here
/usr/bin/ld: /tmp/ccM4ih4X.o:/home/senku/NestFuzz/afl-fuzz.h:269: multiple definition of queue_cur'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:269: first defined here /usr/bin/ld: /tmp/ccM4ih4X.o:/home/senku/NestFuzz/afl-fuzz.h:268: multiple definition of queue'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:268: first defined here
/usr/bin/ld: /tmp/ccM4ih4X.o:/home/senku/NestFuzz/afl-fuzz.h:274: multiple definition of top_rated'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:274: first defined here /usr/bin/ld: /tmp/ccM4ih4X.o:/home/senku/NestFuzz/afl-fuzz.h:271: multiple definition of q_prev100'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:271: first defined here
/usr/bin/ld: /tmp/ccM4ih4X.o:/home/senku/NestFuzz/afl-fuzz.h:270: multiple definition of queue_top'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:270: first defined here /usr/bin/ld: /tmp/ccWTbKt6.o:/home/senku/NestFuzz/afl-fuzz.h:274: multiple definition of top_rated'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:274: first defined here
/usr/bin/ld: /tmp/ccWTbKt6.o:/home/senku/NestFuzz/afl-fuzz.h:271: multiple definition of q_prev100'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:271: first defined here /usr/bin/ld: /tmp/ccWTbKt6.o:/home/senku/NestFuzz/afl-fuzz.h:270: multiple definition of queue_top'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:270: first defined here
/usr/bin/ld: /tmp/ccWTbKt6.o:/home/senku/NestFuzz/afl-fuzz.h:269: multiple definition of queue_cur'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:269: first defined here /usr/bin/ld: /tmp/ccWTbKt6.o:/home/senku/NestFuzz/afl-fuzz.h:268: multiple definition of queue'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:268: first defined here
/usr/bin/ld: /tmp/ccUwxjth.o:/home/senku/NestFuzz/afl-fuzz.h:274: multiple definition of top_rated'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:274: first defined here /usr/bin/ld: /tmp/ccUwxjth.o:/home/senku/NestFuzz/afl-fuzz.h:271: multiple definition of q_prev100'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:271: first defined here
/usr/bin/ld: /tmp/ccUwxjth.o:/home/senku/NestFuzz/afl-fuzz.h:270: multiple definition of queue_top'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:270: first defined here /usr/bin/ld: /tmp/ccUwxjth.o:/home/senku/NestFuzz/afl-fuzz.h:269: multiple definition of queue_cur'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:269: first defined here
/usr/bin/ld: /tmp/ccUwxjth.o:/home/senku/NestFuzz/afl-fuzz.h:268: multiple definition of queue'; /tmp/ccU42CHR.o:/home/senku/NestFuzz/afl-fuzz.h:268: first defined here collect2: error: ld returned 1 exit status make: *** [Makefile:73: afl-fuzz] Error 1

I tried compiling it, but it fails.
Is there anything I miss?

target compile issues

I am experimenting with nestfuzz on tiff-4.0.4

the configure script hangs when it does ANSI include checks, I bypassed this by configuring normally and then swichting the compiler with sed -i 's|gcc|test-clang|g' Makefile */Makefile

during compilation the llvm plugin crashes for tif_close.c:

/bin/bash ../libtool  --tag=CC   --mode=compile /prg/NestFuzz/ipl-modeling/install/test-clang -DHAVE_CONFIG_H -I.     -g -O2 -Wall -W -MT tif_close.lo -MD -MP -MF .deps/tif_close.Tpo -c -o tif_close.lo tif_close.c
libtool: compile:  /prg/NestFuzz/ipl-modeling/install/test-clang -DHAVE_CONFIG_H -I. -g -O2 -Wall -W -MT tif_close.lo -MD -MP -MF .deps/tif_close.Tpo -c tif_close.c -o tif_close.o
use_zlib: (null)
clang -DHAVE_CONFIG_H -I. -g -Wall -W -MT tif_close.lo -MD -MP -MF .deps/tif_close.Tpo -c tif_close.c -o tif_close.o -Xclang -load -Xclang /prg/NestFuzz/ipl-modeling/install/pass/libLoopHandlingPass.so -mllvm -chunk-exploitation-list=/prg/NestFuzz/ipl-modeling/install/rules/exploitation_list.txt -Xclang -load -Xclang /prg/NestFuzz/ipl-modeling/install/pass/libDFSanPass.so -mllvm -chunk-dfsan-abilist=/prg/NestFuzz/ipl-modeling/install/rules/angora_abilist.txt -mllvm -chunk-dfsan-abilist=/prg/NestFuzz/ipl-modeling/install/rules/dfsan_abilist.txt -pie -fpic -Qunused-arguments -fno-discard-value-names -g -O0 
clang: /prg/llvm-10/llvm/lib/IR/Instructions.cpp:400: void llvm::CallInst::init(llvm::FunctionType *, llvm::Value *, ArrayRef<llvm::Value *>, ArrayRef<llvm::OperandBundleDef>, const llvm::Twine &): Assertion `(i >= FTy->getNumParams() || FTy->getParamType(i) == Args[i]->getType()) && "Calling a function with a bad signature!"' failed.
Stack dump:
0.	Program arguments: clang -DHAVE_CONFIG_H -I. -g -Wall -W -MT tif_close.lo -MD -MP -MF .deps/tif_close.Tpo -c tif_close.c -o tif_close.o -Xclang -load -Xclang /prg/NestFuzz/ipl-modeling/install/pass/libLoopHandlingPass.so -mllvm -chunk-exploitation-list=/prg/NestFuzz/ipl-modeling/install/rules/exploitation_list.txt -Xclang -load -Xclang /prg/NestFuzz/ipl-modeling/install/pass/libDFSanPass.so -mllvm -chunk-dfsan-abilist=/prg/NestFuzz/ipl-modeling/install/rules/angora_abilist.txt -mllvm -chunk-dfsan-abilist=/prg/NestFuzz/ipl-modeling/install/rules/dfsan_abilist.txt -pie -fpic -Qunused-arguments -fno-discard-value-names -g -O0 
1.	<eof> parser at end of file
2.	Per-module optimization passes
3.	Running pass 'LoopHandlingPass' on module 'tif_close.c'.
 #0 0x0000000003e3a197 llvm::sys::PrintStackTrace(llvm::raw_ostream&) /prg/llvm-10/llvm/lib/Support/Unix/Signals.inc:564:11
 #1 0x0000000003e3a329 PrintStackTraceSignalHandler(void*) /prg/llvm-10/llvm/lib/Support/Unix/Signals.inc:625:1
 #2 0x0000000003e38be3 llvm::sys::RunSignalHandlers() /prg/llvm-10/llvm/lib/Support/Signals.cpp:68:5
 #3 0x0000000003e39aae llvm::sys::CleanupOnSignal(unsigned long) /prg/llvm-10/llvm/lib/Support/Unix/Signals.inc:362:1
 #4 0x0000000003d4642e (anonymous namespace)::CrashRecoveryContextImpl::HandleCrash(int, unsigned long) /prg/llvm-10/llvm/lib/Support/CrashRecoveryContext.cpp:0:7
 #5 0x0000000003d466bf CrashRecoverySignalHandler(int) /prg/llvm-10/llvm/lib/Support/CrashRecoveryContext.cpp:383:1
 #6 0x00007ffff665afd0 (/lib/x86_64-linux-gnu/libc.so.6+0x3bfd0)
 #7 0x00007ffff66a9d3c (/lib/x86_64-linux-gnu/libc.so.6+0x8ad3c)
 #8 0x00007ffff665af32 raise ../sysdeps/posix/raise.c:27:6
 #9 0x00007ffff6645472 abort (/lib/x86_64-linux-gnu/libc.so.6+0x26472)
#10 0x00007ffff6645395 (/lib/x86_64-linux-gnu/libc.so.6+0x26395)
#11 0x00007ffff6653e32 (/lib/x86_64-linux-gnu/libc.so.6+0x34e32)
#12 0x00000000033f5c34 llvm::CallInst::init(llvm::FunctionType*, llvm::Value*, llvm::ArrayRef<llvm::Value*>, llvm::ArrayRef<llvm::OperandBundleDefT<llvm::Value*> >, llvm::Twine const&) /prg/llvm-10/llvm/lib/IR/Instructions.cpp:398:5
#13 0x00007ffff7fbe644 llvm::CallInst::Create(llvm::FunctionType*, llvm::Value*, llvm::ArrayRef<llvm::Value*>, llvm::ArrayRef<llvm::OperandBundleDefT<llvm::Value*> >, llvm::Twine const&, llvm::Instruction*) (/prg/NestFuzz/ipl-modeling/install/pass/libLoopHandlingPass.so+0xe644)
#14 0x00007ffff7fbe1b0 llvm::IRBuilder<llvm::ConstantFolder, llvm::IRBuilderDefaultInserter>::CreateCall(llvm::FunctionType*, llvm::Value*, llvm::ArrayRef<llvm::Value*>, llvm::Twine const&, llvm::MDNode*) (/prg/NestFuzz/ipl-modeling/install/pass/libLoopHandlingPass.so+0xe1b0)
#15 0x00007ffff7fbb68d (anonymous namespace)::LoopHandlingPass::visitExploitation(llvm::Instruction*) (/prg/NestFuzz/ipl-modeling/install/pass/libLoopHandlingPass.so+0xb68d)
#16 0x00007ffff7fb93be (anonymous namespace)::LoopHandlingPass::runOnModule(llvm::Module&) (/prg/NestFuzz/ipl-modeling/install/pass/libLoopHandlingPass.so+0x93be)

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.