Table of Contents
1. TODO
2. 总结
2.1. 常用参数
-n
指定最大线程数
-f
原始输入种子文件目录
-W
有效变异种子文件输出目录
-e
指定输入文件扩展名 默认为*.fuzz
-d
Debug info
--mutate_cmd|-c
扩展变异规则以代替原有变异方式,
当你通过-f提供输入样本目录后,在fuzzing时,随机提取的文件会直接传递给-c参数指定的扩展命令作变异
input_prepareExternalFile or input_postProcessFile: bool input_prepareExternalFile(run_t* run) { // ... const char* const argv[] = {run->global->exe.externalCommand, fname, NULL}; if (subproc_System(run, argv) != 0) { LOG_E("Subprocess '%s' returned abnormally", run->global->exe.externalCommand); return false; } // ... } uint8_t subproc_System(run_t* run, const char* const argv[]) { // ... execv(argv[0], (char* const*)&argv[0]); // ... } 假如 run->global->exe.externalCommand = extcmd.py 则会执行 extcmd.py fname 在实现中可以通过open(argv[1])打开文件对数据进行处理
--mutations_per_run|-r
每个样例编译的最大次数 默认6
--pprocess_cmd
在原有的文件变异后再作处理
-P
persistent模式
-t
timeout
-F
Max File Size
-V
verifier 如果开启,则会验证崩溃样本(最大运行5次)
--exit_upon_crash
有崩溃直接退出fuzz
-R
生成报告文件
-E
ENV参数,如增加sanitizers: ASAN_OPTIONS=coverage=1
-S
sanitizer模式
参数放在 hfzz.exe.envs[] hfuzz->sanitizer.enable 如果启用: snprintf(buf, buflen, "%s=%s:%s:%s%s/%s", env, kASAN_OPTS, abortFlag, kSANLOGDIR, hfuzz->io.workDir, kLOGPREFIX); kASAN_OPTS = kASAN_COMMON_OPTS: "allow_user_segv_handler=1:" \ "handle_segv=0:" \ "allocator_may_return_null=1:" kSAN_COMMON ":exitcode=" HF_XSTR(HF_SAN_EXIT_CODE) #define kSAN_COMMON "symbolize=0" /* Exit code is common for all sanitizers */ #define HF_SAN_EXIT_CODE 103 即:ASAN_OPTIONS= "allow_user_segv_handler=1:handle_segv=0:allocator_may_return_null=1:symbolize=0:exitcode=103:abort_on_error=1:log_path=workDir/HF.sanitizer.log" 否则: snprintf(buf, buflen, "%s=%s", env, kSAN_REGULAR); /* If no sanitzer support was requested, simply make it use abort() on errors */ #define kSAN_REGULAR \ "abort_on_error=1:handle_segv=0:handle_sigbus=0:handle_abort=0:" \ "handle_sigill=0:handle_sigfpe=0:allocator_may_return_null=1:" \ "symbolize=1:detect_leaks=0:disable_coredump=0:" \ "detect_odr_violation=0"
-x
static mode(_HF_DYNFILE_NONE) 不使用任何feedback.
--instrument|-z
使用编译时的feedback 默认 _HF_DYNFILE_SOFT
-w
字典,针对特殊格式的解析,如xml:
https://github.com/rc0r/afl-fuzz/blob/master/dictionaries/xml.dict
实际变异中,命中字典格式变异存在随机性,如果需要只指定字典变异,需要修改源码 mangle_Dictionary -> mangle_DictionaryNoCheck mangle_DictionaryInsert -> mangle_DictionaryInsertNoCheck 取随机数N,遍历标签取到内容,覆写/插入随机位置。
__FILE__
相当于AFL中的@@,
在实际的运行中会被input_dir中的输入所替换,替换为文件句柄,可以通过open(fd)打开进行操作,参考honggfuzz/examples/badcode/targets/badcode1.c
bool arch_launchChild(run_t* run) { //... int x = 0; for (x = 0; x < ARGS_MAX && x < run->global->exe.argc; x++) { if (run->global->exe.persistent || run->global->exe.fuzzStdin) { args[x] = run->global->exe.cmdline[x]; } else if (!strcmp(run->global->exe.cmdline[x], _HF_FILE_PLACEHOLDER)) { args[x] = inputFile; } else if (strstr(run->global->exe.cmdline[x], _HF_FILE_PLACEHOLDER)) { const char* off = strstr(run->global->exe.cmdline[x], _HF_FILE_PLACEHOLDER); snprintf(argData, sizeof(argData), "%.*s%s", (int)(off - run->global->exe.cmdline[x]), run->global->exe.cmdline[x], inputFile); args[x] = argData; } else { args[x] = run->global->exe.cmdline[x]; } } // ... } ___FILE___: 必须在非persistent模式(-P)下,且没有指定stdin(-s)的情况下使用, -s: run->global->exe.fuzzStdin -P: run->global->exe.persistent 比如 ./badcode1 这个程序的 第1个参数是要处理的文件的名称,那么相应的 fuzz 的命令就是: /honggfuzz -S -W ./outputs -f ./corpus -- ./badcode1 __FILE__ 实际fuzz过程中,会将__FILE__替换成文件句柄传入,作为第一个参数, 即argv[1]=file_fd
--sancov|-C
使用ASAN_OPTIONS="coverage=1",
clang-4使用,慢,已经废除(commit:
8267c77c0bfee82a528290c5e86c297291922dc6)。
--monitor_sigabrt
: 默认是true,在=-S=模式下会设置ASAN标志
abort_on_error=1, 发生错误会调 abort() 返回错误代码,替代_exit()函数
2.2. 关于coverage计算模式
run->global->feedback.dynFileMethod字段记录着Trace方式
typedef enum { _HF_DYNFILE_NONE = 0x0, // -x 命令指定 static mode _HF_DYNFILE_INSTR_COUNT = 0x1, // --linux_perf_instr _HF_DYNFILE_BRANCH_COUNT = 0x2, // --linux_perf_branch _HF_DYNFILE_BTS_EDGE = 0x10, // --linux_perf_bts_edge _HF_DYNFILE_IPT_BLOCK = 0x20, // --linux_perf_ipt_block _HF_DYNFILE_SOFT = 0x40, // -z 编译时模式,初始化默认 -fsanitize-coverage } dynFileMethod_t;
2.2.1. 1. SanitizerCoverage 模式
需要编译源码
编译添加CFLAGS: -fsanitize-coverage=trace-pc,trace-pc-guard,trace-cmp,trace-div,indirect-calls
默认方式_HF_DYNFILE_SOFT,通过重定义 SanitizerCoverage 中的函数来实现累加
Pc: __sanitizer_cov_trace_pc_guard
Edge: __sanitizer_cov_trace_pc_guard
Cmp: __sanitizer_cov_trace_cmpN, __sanitizer_cov_trace_switch, __sanitizer_cov_trace_divN, N=(1,2,4,8)
参考:
https://bcain-llvm.readthedocs.io/projects/clang/en/release_39/SanitizerCoverage/
https://github.com/google/sanitizers/wiki/SanitizerCommonFlags
2.2.2. 2. perf模式
不需要编译源码
fuzz时候通过添加参数实现
arch_perfCreate 创建 fd
perf_event_open(&pe, pid, -1, -1, PERF_FLAG_FD_CLOEXEC); dynFileMethod_t perf config fd _HF_DYNFILE_INSTR_COUNT: pe.config = PERF_COUNT_HW_INSTRUCTIONS &run->linux.cpuInstrFd _HF_DYNFILE_BRANCH_COUNT: pe.config = PERF_COUNT_HW_BRANCH_INSTRUCTIONS &run->linux.cpuBranchFd _HF_DYNFILE_BTS_EDGE: pe.type = /sys/bus/event_source/devices/intel_bts/type &run->linux.cpuIptBtsFd _HF_DYNFILE_IPT_BLOCK: pe.type = /sys/bus/event_source/devices/intel_pt/type, pe.config = RTIT_CTL_DISRETC; &run->linux.cpuIptBtsFd PERF_COUNT_HW_INSTRUCTIONS 完整执行的指令数 PERF_COUNT_HW_BRANCH_INSTRUCTIONS 完整执行的分支数
该模式需要硬件支持,简单验证:
在host运行perf命令即可得倒相应数据
./perf stat pwd /home/secret/work Performance counter stats for 'pwd': 0.277524 task-clock (msec) # 0.017 CPUs utilized 1 context-switches # 0.004 M/sec 0 cpu-migrations # 0.000 K/sec 56 page-faults # 0.202 M/sec 989,977 cycles # 3.567 GHz <not supported> stalled-cycles-frontend <not supported> stalled-cycles-backend 656,001 instructions # 0.66 insns per cycle 135,672 branches # 488.866 M/sec 7,481 branch-misses # 5.51% of all branches 0.016769350 seconds time elapsed
instructions 记录着指令数
参考:
http://www.man7.org/linux/man-pages/man2/perf_event_open.2.html
https://software.intel.com/en-us/vtune-amplifier-help-instructions-retired-event
2.3. 关于fuzz运行三种状态
hfuzz->feedback.state
typedef enum { _HF_STATE_UNSET = 0, // 初始化默认值 _HF_STATE_STATIC = 1, // hfuzz->feedback.dynFileMethod == _HF_DYNFILE_NONE _HF_STATE_DYNAMIC_DRY_RUN = 2, // hfuzz->feedback.dynFileMethod != _HF_DYNFILE_NONE _HF_STATE_DYNAMIC_MAIN = 3, // hfuzz->socketFuzzer.enabled == true } fuzzState_t;
2.3.1. 1. socket模式
hfuzz->feedback.state = _HF_STATE_DYNAMIC_MAIN
该模式用于fuzz socket服务
2.3.2. 2. persistent模式(常规模式)
正常设置语料库模式下,状态为
hfuzz->feedback.state = _HF_STATE_DYNAMIC_DRY_RUN
,
执行所有语料库文件且不变异(run->mutationsPerRun = 0 不变异);
之后通过函数 fuzz_setDynamicMainState() 设置状态
hfuzz->feedback.state = _HF_STATE_DYNAMIC_MAIN
(run->mutationsPerRun =
-r指定变异次数,默认6),进入正常fuzz流程。
2.3.3. 3. -x 静态模式
hfuzz->feedback.state = _HF_STATE_STATIC
该模式会设置 hfuzz->feedback.dynFileMethod = _HF_DYNFILE_NONE, 不会使用perf模式,不会产生feedback,主要用于验证样本
如复现某个崩溃样本
./honggfuzz -f crash_dir -x -R ./bug_report --exit_upon_crash -- ./honggfuzz-example/bin/persistent-bin
2.4. 覆盖率报告生成
2.5. 整个fuzz函数流
main -> fuzz_threadsStart -> fuzz_threadNew -> fuzz_fuzzLoop -> subproc_Run -> subproc_New -> arch_launchChild(子进程中执行) bool subproc_Run(run_t* run) { run->timeStartedMillis = util_timeNowMillis(); /* fork子进程,通过ptrace attach 打开perf,用于记录完整执行的指令数 execve执行fuzz实例 */ if (!subproc_New(run)) { LOG_E("subproc_New()"); return false; } /* arch_perfEnable 启用perf,记录执行的指令数 */ arch_prepareParent(run); /* arch_checkWait() -> arch_traceAnalyze()/arch_perfAnalyze() ptrace/perf结果分析 崩溃记录,记录 cpuInstrCnt 和 cpuBranchCnt,关闭perf */ arch_reapChild(run); return true; } static bool subproc_New(run_t* run) { // ... run->pid = arch_fork(run); if (run->pid == -1) { PLOG_E("Couldn't fork"); run->pid = 0; return false; } /* The child process */ if (!run->pid) { // ... /* 系统资源和文件初始化 setrlimit -E fsanitizer参数放入环境变量 putenv */ if (!subproc_PrepareExecv(run)) { LOG_E("subproc_PrepareExecv() failed"); exit(EXIT_FAILURE); } /* 子进程执行 1. prctl(PR_SET_DUMPABLE), 设置可以被attach 2. 关闭ASLR 3. 格式化fuzz实例参数,等待父进程attach,然后调用execve(args[0], (char* const*)args, environ); */ if (!arch_launchChild(run)) { LOG_E("Error launching child process"); kill(run->global->threads.mainPid, SIGTERM); _exit(1); } abort(); } // ... /* 1. fcntl(%d, F_SETOWN_EX),开启perf,用于记录完整执行的指令数 2. arch_attachToNewPid(): ptrace attatch fork子进程 (PTRACE_SEIZE方式,具体实现arch_traceAttach), 并通过 ptrace(PTRACE_CONT) Restart the stopped tracee process */ arch_prepareParentAfterFork(run); // ... return true; }
2.6. trace跟踪子进程
arch_reapChild() -> arch_checkWait() -> arch_traceAnalyze()
通过ptrace挂载子进程,捕获WIFSTOPPED状态,该状态表明目标进程退出,
之后通过 PTRACE_GETEVENTMSG 标志获取退出状态,进行退出状态码判断:
run->mainWorker=true(默认模式下): arch_traceSaveData run->mainWorker=false(Verifier模式下): arch_traceAnalyzeData HF_SAN_EXIT_CODE: arch_traceExitAnalyze
相关API:
long int ptrace(enum __ptrace_request request, pid_t pid, void * addr, void * data) request决定ptrace做什么,pid是被跟踪进程的ID,data存储从进程空间偏移量为addr的地方开始将被读取/写入的数据. pid_t wait4(pid_t pid,int *status,int options,struct rusage *rusage); 获得指定子进程的资源使用信息,通过参数 rusage 获得 PTRACE_SEIZE(since Linux 3.4) Attach to the process specified in pid 相对于 PTRACE_ATTACH, 该方式不会停止目标进程 PTRACE_CONT 让子进程继续运行 PTRACE_GETEVENTMSG (since Linux 2.5.46) 取回数据 arch_traceAnalyze()
3. xcode 调试
需要修改honggfuzz源码目录下的Makefile文件添加调试选项
diff --git a/Makefile b/Makefile index fc5ea74..c6e1fdc 100644 --- a/Makefile +++ b/Makefile @@ -29,7 +29,8 @@ HFUZZ_CC_SRCS := hfuzz_cc/hfuzz-cc.c COMMON_CFLAGS := -D_GNU_SOURCE -Wall -Werror -Wno-format-truncation -I. COMMON_LDFLAGS := -lm libhfcommon/libhfcommon.a COMMON_SRCS := $(sort $(wildcard *.c)) -CFLAGS ?= -O3 -mtune=native +# CFLAGS ?= -O3 -mtune=native +CFLAGS ?= -g -mtune=native LDFLAGS ?= LIBS_CFLAGS ?= -fPIC -fno-stack-protector GREP_COLOR ?=
之后参考文章 https://blog.csdn.net/kubibo/article/details/25902703
4. 源码分析
4.1. honggfuzz-clang编译器
honggfuzz/hfuzz_cc/hfuzz-cc.c
通过编译器名字(hfuzz-clang, hfuzz-clang++, hfuzz-g++, hfuzz-gcc)来判断使用哪种编译器编译。
hfuzz-clang -> clang hfuzz-clang++ -> clang++ hfuzz-g++ -> g++ hfuzz-gcc -> gcc
之后是参数拼接,主要添加的优化参数列表(clang):
"-Wno-unused-command-line-argument"; "-fsanitize-coverage=trace-pc-guard,trace-cmp,trace-div,indirect-calls"; "-mllvm"; "-sanitizer-coverage-prune-blocks=0"; "-mllvm"; "-sanitizer-coverage-level=3"; /* * Make the execution flow more explicit, allowing for more code blocks * (and better code coverage estimates) */ "-fno-inline"; "-fno-builtin"; "-fno-omit-frame-pointer"; "-D__NO_STRING_INLINES"; /* Make it possible to use the libhfnetdriver */ "-DHFND_FUZZING_ENTRY_FUNCTION_CXX(x,y)=" "extern \"C\" int HonggfuzzNetDriver_main(x,y);" "extern const char* LIBHFNETDRIVER_module_netdriver;" "const char** LIBHFNETDRIVER_module_main = &LIBHFNETDRIVER_module_netdriver;" "int HonggfuzzNetDriver_main(x,y)"; "-DHFND_FUZZING_ENTRY_FUNCTION(x,y)=" "int HonggfuzzNetDriver_main(x,y);" "extern const char* LIBHFNETDRIVER_module_netdriver;" "const char** LIBHFNETDRIVER_module_main = &LIBHFNETDRIVER_module_netdriver;" "int HonggfuzzNetDriver_main(x,y)"; /* Intercept common *cmp functions */ "-Wl,--wrap=strcmp"; "-Wl,--wrap=strcasecmp"; "-Wl,--wrap=strncmp"; "-Wl,--wrap=strncasecmp"; "-Wl,--wrap=strstr"; "-Wl,--wrap=strcasestr"; "-Wl,--wrap=memcmp"; "-Wl,--wrap=bcmp"; "-Wl,--wrap=memmem"; "-Wl,--wrap=strcpy"; /* Apache's httpd mem/str cmp functions */ "-Wl,--wrap=ap_cstr_casecmp"; "-Wl,--wrap=ap_cstr_casecmpn"; "-Wl,--wrap=ap_strcasestr"; "-Wl,--wrap=apr_cstr_casecmp"; "-Wl,--wrap=apr_cstr_casecmpn"; /* Frequently used time-constant *SSL functions */ "-Wl,--wrap=CRYPTO_memcmp"; "-Wl,--wrap=OPENSSL_memcmp"; "-Wl,--wrap=OPENSSL_strcasecmp"; "-Wl,--wrap=OPENSSL_strncasecmp"; "-Wl,--wrap=memcmpct"; /* Frequently used libXML2 functions */ "-Wl,--wrap=xmlStrncmp"; "-Wl,--wrap=xmlStrcmp"; "-Wl,--wrap=xmlStrEqual"; "-Wl,--wrap=xmlStrcasecmp"; "-Wl,--wrap=xmlStrncasecmp"; "-Wl,--wrap=xmlStrstr"; "-Wl,--wrap=xmlStrcasestr"; /* Some Samba functions */ "-Wl,--wrap=memcmp_const_time"; "-Wl,--wrap=strcsequal"; /* Pull modules defining the following symbols (if they exist) */ args[j++] = "-Wl,-u,LIBHFNETDRIVER_module_main", args[j++] = "-Wl,-u,LIBHFUZZ_module_instrument"; args[j++] = "-Wl,-u,LIBHFUZZ_module_memorycmp"; "/tmp/libhfnetdriver.uid.crc64.a"; // eg: /tmp/libhfnetdriver.1000.9a0f6dce36be32e.a, libhfnetdriver/libhfnetdriver.a "/tmp/libhfuzz.uid.crc64.a" // eg: /tmp/libhfuzz.1000.cb422fcd8679a683.a, libhfuzz/libhfuzz.a
-fsanitize参数
ASAN(AddressSanitizer) -fsanitize=address: 打开asan内存错误检查 -fno-omit-frame-pointer: 保留函数调用的帧信息,以便分析函数调用关系 UBSAN(UndefinedBehaviorSanitizer) -fsanitize=undefined: 未定义行为检测
4.2. 结构体说明
typedef struct { struct { size_t threadsMax; // -n 指定最大线程数 size_t threadsFinished; uint32_t threadsActiveCnt; pthread_t mainThread; pid_t mainPid; pthread_t threads[_HF_THREAD_MAX]; } threads; struct { const char* inputDir; // -f 原始种子文件目录 DIR* inputDirPtr; // fdopendir(dir_fd) 打开的原始种子目录指针 size_t fileCnt; // 原始种子文件个数 const char* fileExtn; // 文件扩展名, 不能包含 / bool fileCntDone; const char* workDir; // -W 有效变异种子文件输出目录 const char* crashDir; const char* covDirAll; // 默认值为-f指定目录 const char* covDirNew; bool saveUnique; size_t dynfileqCnt; pthread_rwlock_t dynfileq_mutex; TAILQ_HEAD(dyns_t, dynfile_t) dynfileq; } io; struct { int argc; const char* const* cmdline; // -- 后边跟的fuzz样例 bool nullifyStdio; bool fuzzStdin; const char* externalCommand; // -c fuzz样例参数 const char* postExternalCommand; bool netDriver; bool persistent; // -P persistent模式 uint64_t asLimit; uint64_t rssLimit; uint64_t dataLimit; uint64_t coreLimit; bool clearEnv; char* envs[128]; // -E ENV参数,如sanitizers sigset_t waitSigSet; } exe; struct { time_t timeStart; time_t runEndTime; time_t tmOut; // -t timeout time_t lastCovUpdate; bool tmoutVTALRM; } timing; struct { const char* dictionaryFile; TAILQ_HEAD(strq_t, strings_t) dictq; size_t dictionaryCnt; size_t mutationsMax; unsigned mutationsPerRun; size_t maxFileSz; // -F Max File Size } mutate; struct { bool useScreen; char cmdline_txt[65]; int64_t lastDisplayMillis; } display; struct { bool useVerifier; // -V verifier 如果开启,则会验证崩溃样本(最大运行5次) bool exitUponCrash; // --exit_upon_crash 有崩溃直接退出fuzz const char* reportFile; // -R 生成报告文件 pthread_mutex_t report_mutex; bool monitorSIGABRT; size_t dynFileIterExpire; bool only_printable; } cfg; struct { bool enable; // -S sanitizer } sanitizer; struct { fuzzState_t state; feedback_t* feedbackMap; int bbFd; pthread_mutex_t feedback_mutex; const char* blacklistFile; uint64_t* blacklist; size_t blacklistCnt; bool skipFeedbackOnTimeout; dynFileMethod_t dynFileMethod; // -x static mode, feedback 默认 _HF_DYNFILE_SOFT } feedback; struct { size_t mutationsCnt; size_t crashesCnt; size_t uniqueCrashesCnt; size_t verifiedCrashesCnt; size_t blCrashesCnt; size_t timeoutedCnt; } cnts; struct { bool enabled; int serverSocket; int clientSocket; } socketFuzzer; /* For the Linux code */ struct { int exeFd; hwcnt_t hwCnts; // 记录所有fuzz实例的代码覆盖数总和 edge pc cmp uint64_t dynamicCutOffAddr; bool disableRandomization; void* ignoreAddr; size_t numMajorFrames; const char* symsBlFile; char** symsBl; size_t symsBlCnt; const char* symsWlFile; char** symsWl; size_t symsWlCnt; uintptr_t cloneFlags; bool kernelOnly; bool useClone; } linux; /* For the NetBSD code */ struct { void* ignoreAddr; size_t numMajorFrames; const char* symsBlFile; char** symsBl; size_t symsBlCnt; const char* symsWlFile; char** symsWl; size_t symsWlCnt; } netbsd; } honggfuzz_t; fuzzing thread: typedef struct { honggfuzz_t* global; // hfuzz实例 pid_t pid; // 当前fuzz种子线程pid int64_t timeStartedMillis; char origFileName[PATH_MAX]; char crashFileName[PATH_MAX]; uint64_t pc; uint64_t backtrace; uint64_t access; int exception; char report[_HF_REPORT_SIZE]; bool mainWorker; unsigned mutationsPerRun; struct dynfile_t* dynfileqCurrent; // {data: 种子文件内容,size: 长度, pointers: 文件队列} uint8_t* dynamicFile; // 指向name=hfuzz-input的buf, 该buff接受mangle变异的数据 size_t dynamicFileSz; // 种子文件size int dynamicFileFd; // 通过memfd_create创建name=hfuzz-input的匿名文件句柄 int dynamicFileCopyFd; // fuzz种子句柄,执行时会用过/dev/fd/%d方式打开并获取内容 uint32_t fuzzNo; // 编号 int persistentSock; bool waitingForReady; runState_t runState; bool tmOutSignaled; #if !defined(_HF_ARCH_DARWIN) timer_t timerId; #endif // !defined(_HF_ARCH_DARWIN) struct { /* For Linux code */ uint8_t* perfMmapBuf; uint8_t* perfMmapAux; hwcnt_t hwCnts; // 记录当前fuzz实例的代码覆盖数 edge pc cmp int cpuInstrFd; int cpuBranchFd; int cpuIptBtsFd; } linux; struct { /* For NetBSD code */ uint8_t* perfMmapBuf; uint8_t* perfMmapAux; hwcnt_t hwCnts; int cpuInstrFd; int cpuBranchFd; int cpuIptBtsFd; } netbsd; } run_t;
(lldb) print *hfuzz (honggfuzz_t) $5 = { threads = { threadsMax = 2 threadsFinished = 0 threadsActiveCnt = 0 mainThread = 0x000000013f19f380 mainPid = 48586 threads = { [0] = 0x0000000000000000 [1] = 0x0000000000000000 [2] = 0x0000000000000000 [3] = 0x0000000000000000 ... [255] = 0x0000000000000000 ... } } io = { inputDir = 0x00007ffeefbffa3d "/Users/idhyt/Work/sec.ret/gitlab/opensourcefuzz/honggfuzz-example/bin/corpus_2019-02-28_13-48-20/" inputDirPtr = 0x000000013f601af0 fileCnt = 5 fileExtn = 0x000000010002cffb "fuzz" fileCntDone = false workDir = 0x00007ffeefbff9d8 "/Users/idhyt/Work/sec.ret/gitlab/opensourcefuzz/honggfuzz-example/bin/outputs_2019-02-28_13-48-20" crashDir = 0x00007ffeefbff9d8 "/Users/idhyt/Work/sec.ret/gitlab/opensourcefuzz/honggfuzz-example/bin/outputs_2019-02-28_13-48-20" covDirAll = 0x00007ffeefbffa3d "/Users/idhyt/Work/sec.ret/gitlab/opensourcefuzz/honggfuzz-example/bin/corpus_2019-02-28_13-48-20/" covDirNew = 0x0000000000000000 <no value available> saveUnique = true dynfileqCnt = 0 dynfileq_mutex = (__sig = 766030772, __opaque = char [192] @ 0x00007fb4a533fa88) dynfileq = { tqh_first = 0x0000000000000000 tqh_last = 0x0000000100128c68 } } exe = { argc = 1 cmdline = 0x000000013f302e68 nullifyStdio = true fuzzStdin = false externalCommand = 0x0000000000000000 <no value available> postExternalCommand = 0x0000000000000000 <no value available> netDriver = false persistent = true asLimit = 0 rssLimit = 0 dataLimit = 0 coreLimit = 0 clearEnv = false envs = { [0] = 0x000000010005f5f0 "ASAN_OPTIONS=abort_on_error=1:handle_segv=0:handle_sigbus=0:handle_abort=0:handle_sigill=0:handle_sigfpe=0:allocator_may_return_null=1:symbolize=1:detect_leaks=0:disable_coredump=0:detect_odr_violation=0" [1] = 0x00000001000605f0 "UBSAN_OPTIONS=abort_on_error=1:handle_segv=0:handle_sigbus=0:handle_abort=0:handle_sigill=0:handle_sigfpe=0:allocator_may_return_null=1:symbolize=1:detect_leaks=0:disable_coredump=0:detect_odr_violation=0" [2] = 0x00000001000615f0 "MSAN_OPTIONS=abort_on_error=1:handle_segv=0:handle_sigbus=0:handle_abort=0:handle_sigill=0:handle_sigfpe=0:allocator_may_return_null=1:symbolize=1:detect_leaks=0:disable_coredump=0:detect_odr_violation=0" [3] = 0x00000001000625f0 "LSAN_OPTIONS=abort_on_error=1:handle_segv=0:handle_sigbus=0:handle_abort=0:handle_sigill=0:handle_sigfpe=0:allocator_may_return_null=1:symbolize=1:detect_leaks=0:disable_coredump=0:detect_odr_violation=0" [4] = 0x0000000000000000 <no value available> [5] = 0x0000000000000000 <no value available> ... [127] = 0x0000000000000000 <no value available> } waitSigSet = 541065216 } timing = (timeStart = 1551337933, runEndTime = 0, tmOut = 10, lastCovUpdate = 1551337933, tmoutVTALRM = false) mutate = { dictionaryFile = 0x0000000000000000 <no value available> dictq = { tqh_first = 0x0000000000000000 tqh_last = 0x0000000100129108 } dictionaryCnt = 0 mutationsMax = 0 mutationsPerRun = 6 maxFileSz = 8192 } display = (useScreen = true, cmdline_txt = char [65] @ 0x00007fb4a5340019, lastDisplayMillis = 1551337933633) cfg = { useVerifier = false exitUponCrash = false reportFile = 0x0000000000000000 <no value available> report_mutex = (__sig = 850045863, __opaque = char [56] @ 0x00007fb4a5340080) monitorSIGABRT = true dynFileIterExpire = 0 only_printable = false } sanitizer = (enable = false) feedback = { state = _HF_STATE_UNSET feedbackMap = 0x0000000142180000 bbFd = 5 feedback_mutex = (__sig = 850045863, __opaque = char [56] @ 0x00007fb4a53400f8) blacklistFile = 0x0000000000000000 <no value available> blacklist = 0x0000000000000000 blacklistCnt = 0 skipFeedbackOnTimeout = false dynFileMethod = _HF_DYNFILE_SOFT } cnts = { mutationsCnt = 0 crashesCnt = 0 uniqueCrashesCnt = 0 verifiedCrashesCnt = 0 blCrashesCnt = 0 timeoutedCnt = 0 } socketFuzzer = (enabled = false, serverSocket = -1, clientSocket = -1) linux = { exeFd = -1 hwCnts = { cpuInstrCnt = 0 cpuBranchCnt = 0 bbCnt = 0 newBBCnt = 0 softCntPc = 0 softCntEdge = 0 softCntCmp = 0 } dynamicCutOffAddr = 18446744073709551615 disableRandomization = true ignoreAddr = 0x0000000000000000 numMajorFrames = 7 symsBlFile = 0x0000000000000000 <no value available> symsBl = 0x0000000000000000 symsBlCnt = 0 symsWlFile = 0x0000000000000000 <no value available> symsWl = 0x0000000000000000 symsWlCnt = 0 cloneFlags = 0 kernelOnly = false useClone = true } netbsd = { ignoreAddr = 0x0000000000000000 numMajorFrames = 7 symsBlFile = 0x0000000000000000 <no value available> symsBl = 0x0000000000000000 symsBlCnt = 0 symsWlFile = 0x0000000000000000 <no value available> symsWl = 0x0000000000000000 symsWlCnt = 0 } }
5. 编译
5.1. 1. 依赖库
sudo apt-get install libbfd-dev libunwind8-dev
### 2. GCC
sudo add-apt-repository ppa:jonathonf/gcc-7.1 sudo apt-get update sudo apt-get install gcc-7 g++-7 sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-7 70
5.2. 3. clang
要求 5.0+
sudo apt install clang-6.0
最新版
wget https://raw.githubusercontent.com/Dor1s/libfuzzer-workshop/master/checkout_build_install_llvm.sh ./checkout_build_install_llvm.sh
5.3. 4. 编译
git clone https://github.com/google/honggfuzz.git cd honggfuzz make
6. fuzz libxml2
6.1. 1. 依赖库
sudo apt install autoconf libtool liblzma-dev python-dev
6.2. 2. 编译libxml2
git clone https://github.com/GNOME/libxml2.git cd libxml2/ git checkout f8a8c1f59db355b46962577e7b74f1a1e8149dc6 git branch libxml2-2.9.9 git checkout libxml2-2.9.9 ./autogen.sh hfuzz_cc_dir=/path/to/honggfuzz/hfuzz_cc CFLAGS="-g -fno-omit-frame-pointer -fsanitize=address,undefined -fsanitize-coverage=trace-pc-guard" CC="$hfuzz_cc_dir/hfuzz-clang $CFLAGS" CXX="$hfuzz_cc_dir/hfuzz-clang++ $CFLAGS" CCLD="$hfuzz_cc_dir/hfuzz-clang $CFLAGS" ./configure make -j4 ls .libs/libxml2.a
6.3. 编译测试样例
测试样例: persistent-xml2
cd /path/to/honggfuzz/examples/libxml2 CFLAGS="-g -fno-omit-frame-pointer -fsanitize=address,undefined -fsanitize-coverage=trace-pc-guard" ./path/to/honggfuzz/hfuzz_cc/hfuzz-clang persistent-xml2.c $CFLAGS -I/path/to/libxml2/include -I/path/to/libxml2 /path/to/libxml2/.libs/libxml2.a /path/to/honggfuzz/libhfuzz/libhfuzz.a -o persistent-xml2
6.4. 执行
mkdir output_dir mkdir corpus_dir echo "test" > ./corpus_dir/origin ./path/to/honggfuzz/honggfuzz -P -S -W ./output_dir -f ./corpus_dir -- ./persistent-xml2 使用字典: ./path/to/honggfuzz/honggfuzz -P -S -w ./xml.dict -W ./output_dir -f ./corpus_dir -- ./persistent-xml2
6.5. issue
- Did you mean '-sanitizer-coverage-level=0'…
clang-5.0
- ASAN
==84373==LeakSanitizer has encountered a fatal error. ==84373==HINT: For debugging, try setting environment variable LSAN_OPTIONS=verbosity=1:log_threads=1 ==84373==HINT: LeakSanitizer does not work under ptrace (strace, gdb, etc)
fuzz去掉 -S 参数
- ubuntu 16.04 apt
Reading package lists... Done E: Problem executing scripts APT::Update::Post-Invoke-Success 'if /usr/bin/test -w /var/cache/app-info -a -e /usr/bin/appstreamcli; then appstreamcli refresh > /dev/null; fi' E: Sub-process returned an error code
sudo pkill -KILL appstreamcli wget -P /tmp https://launchpad.net/ubuntu/+archive/primary/+files/appstream_0.9.4-1ubuntu1_amd64.deb https://launchpad.net/ubuntu/+archive/primary/+files/libappstream3_0.9.4-1ubuntu1_amd64.deb sudo dpkg -i /tmp/appstream_0.9.4-1ubuntu1_amd64.deb /tmp/libappstream3_0.9.4-1ubuntu1_amd64.deb
Created: 2017-03-02 Thu 15:53