zodf0055980 / yuan-fuzz Goto Github PK

View Code? Open in Web Editor NEW

33.0 1.0 9.0 1010 KB

Fuzzing with the generated argument

License: Apache License 2.0

Makefile 2.69% C 86.53% Shell 6.82% C++ 1.02% HTML 0.67% JavaScript 0.01% Rich Text Format 0.01% Python 2.26%

fuzz argv-information afl afl-fuzz fuzzer k-means k-means-clustering

yuan-fuzz's Introduction

Yuan-fuzz

Fuzzer runs with argv information and uses k-means clustering to group seed.

  Written and maintained by zodf0055980 <[email protected]>
  Based on American Fuzzy Lop by Michal Zalewski

Why I do this?

There are a lot of command line arguments in the common binary, but common fuzzer only runs with one command line argument, so it cannot find some errors through the special command line. For instance, in CVE-2020-27843 I found, it have out of bound read with 8 argv and crafted input. Therefore, I made a fuzzer that can generate argv at runtime.

Technology

Yuan-fuzz is a fuzzer implementing a technique to generate argv in addition fuzzing stage named arg_gen. It can help to fuzz binary target that has a lot of argv can use.

It also can use k-means clustering to the group in the seed pool to improve seed selection, just like the k-means-AFL I made.

TODO

Cannot use -i - to resume fuzzer.
Cannot use without -s xmlfile, maybe you can try k-means-AFL I made.
Allow use other format to write argv info file, likes json
Release English paper, I did in traditional Chinese now.

If you have any other questions, you are welcome to create issue and I will try my best to solve them.

Usage

Install libxml2 first.

Build it.

$ make

Use -h --help to know target program options, and use it to write XML file to help fuzzing. I give some XML examples here, maybe could help to write XML file.

We also implement our seed selection. You should open our seed selection server first if you want to use it.

$ python3 group_seed.py [port]

The command line usage of Yuan-fuzz is similar to AFL.

$ Yuan-fuzz -i [testcase_dir] -o [output_dir] -s [~/XML_PATH/parameters.xml] [-p [port]] -- [Target program]

I also implement two command that can help arg_gen stage.

-w            - let file_path in front of argv
-r            - argv random initial

Example

Use libjpeg-turbo to be example.

$ git clone [email protected]:libjpeg-turbo/libjpeg-turbo.git

Build with instrumentation, you can use other compiler.

$ export CC=~/Yuan-fuzz/afl-gcc                                       
$ export CXX=~/Yuan-fuzz/afl-g++
$ export AFL_USE_ASAN=1 ;
$ cd libjpeg-turbo
$ mkdir build && cd build
$ cmake -G"Unix Makefiles" ..
$ make

Run fuzzer

$ python3 group_seed.py 8888
# Another Terminal
$ Yuan-fuzz -i ./testcases/images/jpeg -o fuzz_output -m none -s ./xml/libjpeg-turbo/djpeg/parameters.xml -p 8888 -- ~/TARGET_PATH/libjpeg-turbo/build/djpeg

If your xml file have a lot of argv, maybe you have to change some define value in parse.h.

parallel fuzzing

Yuan-fuzz can parallel fuzz with other afl-base fuzzer, likely AFLplusplus. However, Yuan-fuzz can only be used in -S mode. And please check argv information file is same with master run.

for example:

# afl++
$ ./afl-fuzz -i ./testcases/images/jpeg -o ~/jpeg-out -M master -m none -- ~/afl-target/libjpeg-turbo/build/djpeg -outfile /dev/null @@

# Yuan-fuzz
$ ./Yuan-fuzz -i ./testcases/images/jpeg -o ~/jpeg-out -S slave1 -m none -s ~/Yuan-fuzz/xml/libjpeg-turbo/djpeg/parameters.xml -- ~/afl-target/libjpeg-turbo/build/djpeg

Interpreting output

It will have addition subdirectories created within the output directory and updated in real time.

queue_info/queue
queue_info/crashes
queue_info/hangs

It save all seed running parameters and one-to-one correspondence with seed in queue, crashes, hangs subdirectories.

Bug reported

libjpeg-turbo

libjpeg-turbo/libjpeg-turbo#441 (CVE-2020-35538)

binutils

libvips (not use fuzz)

Thanks

Use SQ-fuzz to modify.

yuan-fuzz's People

Contributors

Stargazers

Watchers

Forkers

iasthc lqingyu a4865g po1lux xiaoxiaoafeifei 13579and2468 enheng5 jieyongma

yuan-fuzz's Issues

How do crash parameters correspond to crash

for example：djpeg

when I fuzzer libjpeg-turbo module cjpeg use the default xml,some errors happen

add 1154 in group 19
[] run rarget = 412
[] get b'skip'
[] next group 1
[] run target = 1106
[] get b'next'
[] find new path 1155 to 1171
add 1155 in group 25
add 1156 in group 25
add 1157 in group 25
add 1158 in group 25
add 1159 in group 25
add 1160 in group 25
add 1161 in group 25
add 1162 in group 25
add 1163 in group 25
add 1164 in group 25
add 1165 in group 25
add 1166 in group 25
add 1167 in group 25
add 1168 in group 25
add 1169 in group 1
add 1170 in group 25
add 1171 in group 25
[] run rarget = 412
[] get b'skip'
[] group 0 is not interesting
[] run target = 1106
[] get b'skip'
[] run target = 1108
[] get b'next'
[] find new path 1172 to 1187
Traceback (most recent call last):
File "group_seed.py", line 208, in
out = subprocess.check_output(
File "/usr/lib/python3.8/subprocess.py", line 411, in check_output
return run(*popenargs, stdout=PIPE, timeout=timeout, check=True,
File "/usr/lib/python3.8/subprocess.py", line 512, in run
raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '['./afl-showmap', '-q', '-e', '-o', '/dev/stdout', '-m', 'none', '-t', '500', 'target/libjpeg-turbo/build/cjpeg', '-outfile', '/dev/null', 'fuzzer_out/cjpeg319/queue/id:001183,src:001108,op:havoc,rep:4']' returned non-zero exit status 1.

All the fuzzer die when fuzzing libxml2

I run fuzzing campaign targetting libxml2 with group_seed on and few hours later all the fuzzer die.
I don't know what exactly happen as it doesn't display any error.
Is it mandatory to run group_seed or it's optional?

Error while building imagemagick

I'm using gcc 9.3.0 pre-built binaries of clang+llvm 11 for ubuntu 20.04

clang version 11.0.0 (https://github.com/llvm/llvm-project.git 0160ad802e899c2922bc9b29564080c22eb0908c)
Target: x86_64-unknown-linux-gnu
Thread model: posix
InstalledDir: /usr/local/clang_11.0.0/bin
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/9
Selected GCC installation: /usr/lib/gcc/x86_64-linux-gnu/9
Candidate multilib: .;@m64
Selected multilib: .;@m64

/usr/local/clang_11.0.0/bin/clang

And here is command I used to build imagemagick

CC=~/Yuan-fuzz/afl-clang-fast CXX=~/Yuan-fuzz/afl-clang-fast++ CFLAGS="-g -O0 -fsanitize=address" CXXFLAGS="-g -O0 -fsanitize=address" ./configure
AFL_USE_ASAN=1 make -j4 && sudo make -j4 install

But I'm encountered error. Any idea why I got error?

/usr/bin/ld: /home/cityoflight/Yuan-fuzz/afl-llvm-rt.o:/home/cityoflight/Yuan-fuzz/llvm_mode/afl-llvm-rt.o.c:60: multiple definition of `__afl_area_initial'; /home/cityoflight/Yuan-fuzz/afl-llvm-rt.o:/home/cityoflight/Yuan-fuzz/llvm_mode/afl-llvm-rt.o.c:60: first defined here

/usr/bin/ld: /home/cityoflight/Yuan-fuzz/afl-llvm-rt.o:/home/cityoflight/Yuan-fuzz/llvm_mode/afl-llvm-rt.o.c:61: multiple definition of `__afl_area_ptr'; /home/cityoflight/Yuan-fuzz/afl-llvm-rt.o:/home/cityoflight/Yuan-fuzz/llvm_mode/afl-llvm-rt.o.c:61: first defined here

/usr/bin/ld: /home/cityoflight/Yuan-fuzz/afl-llvm-rt.o: in function `__afl_auto_init':
/home/cityoflight/Yuan-fuzz/llvm_mode/afl-llvm-rt.o.c:257: multiple definition of `__afl_auto_init'; /home/cityoflight/Yuan-fuzz/afl-llvm-rt.o:/home/cityoflight
/Yuan-fuzz/llvm_mode/afl-llvm-rt.o.c:257: first defined here

/usr/bin/ld: /home/cityoflight/Yuan-fuzz/afl-llvm-rt.o: in function `__afl_manual_init':
/home/cityoflight/Yuan-fuzz/llvm_mode/afl-llvm-rt.o.c:240: multiple definition of `__afl_manual_init'; /home/cityoflight/Yuan-fuzz/afl-llvm-rt.o:/home/cityoflight/Yuan-fuzz/llvm_mode/afl-llvm-rt.o.c:240: first defined here

/usr/bin/ld: /home/cityoflight/Yuan-fuzz/afl-llvm-rt.o: in function `__afl_persistent_loop':
/home/cityoflight/Yuan-fuzz/llvm_mode/afl-llvm-rt.o.c:184: multiple definition of `__afl_persistent_loop'; /home/cityoflight/Yuan-fuzz/afl-llvm-rt.o:/home/cityoflight/Yuan-fuzz/llvm_mode/afl-llvm-rt.o.c:184: first defined here

/usr/bin/ld: /home/cityoflight/Yuan-fuzz/afl-llvm-rt.o:(.tbss+0x0): multiple definition of `__afl_prev_loc'; /home/cityoflight/Yuan-fuzz/afl-llvm-rt.o:(.tbss+0x0): first defined here

/usr/bin/ld: /home/cityoflight/Yuan-fuzz/afl-llvm-rt.o: in function `__sanitizer_cov_trace_pc_guard':
/home/cityoflight/Yuan-fuzz/llvm_mode/afl-llvm-rt.o.c:276: multiple definition of `__sanitizer_cov_trace_pc_guard'; /home/cityoflight/Yuan-fuzz/afl-llvm-rt.o:/home/cityoflight/Yuan-fuzz/llvm_mode/afl-llvm-rt.o.c:276: first defined here

/usr/bin/ld: /home/cityoflight/Yuan-fuzz/afl-llvm-rt.o: in function `__sanitizer_cov_trace_pc_guard_init':
/home/cityoflight/Yuan-fuzz/llvm_mode/afl-llvm-rt.o.c:284: multiple definition of `__sanitizer_cov_trace_pc_guard_init'; /home/cityoflight/Yuan-fuzz/afl-llvm-rt.o:/h
ome/cityoflight/Yuan-fuzz/llvm_mode/afl-llvm-rt.o.c:284: first defined here
clang-11: error: linker command failed with exit code 1 (use -v to see invocation)
make[1]: *** [Makefile:6065: Magick++/lib/libMagick++-6.Q16.la] Error 1
make[1]: Leaving directory '/home/cityoflight/ImageMagick-6.9.11-45'
make: *** [Makefile:5682: all] Error 2

How to know target options trigger crashes?

I found crashes with yuan-fuzz, but how to know which target argv trigger the crash?