AFLplusplus-blogpost icon indicating copy to clipboard operation
AFLplusplus-blogpost copied to clipboard

Published 20 hours ago verified publisher icon airbus-seclab

Metadata

Blogpost about optimizing binary-only fuzzing with AFL++

Lab for grammar-aware in-memory persistent fuzzing

Introduction

This repository contains all scripts and data (as well as an ELF target) to follow along as you read the associated blogpost by experimenting on your own on one example: src/target.c (the source code of the target).

Repository organization:

  • step0: basic fuzzing setup, default configuration
  • step1: custom instrumentation (targeting parse_cert_buf function)
  • step2: with a customized entrypoint
  • step3: with persistent mode
  • step4: with an in-memory hook
    • src/hook: source code of the hook
  • step5: custom grammar-aware mutator
    • src/mutator: source code of the custom mutator
  • step6: with multi-processing

Setup

AFL++

Clone and compile AFL++ from the base folder:

$ git clone https://github.com/AFLplusplus/AFLplusplus.git -b dev
$ cd AFLplusplus
$ git apply ../src/mutator/afl-fuzz-run.patch
$ make distrib

Note:

  • See this discussion to understand why this patch is necessary
  • Tested with commit 4063a3eb4c4099e37aef4f1d96e8b80d58d65fe2 from Mon Jan 23 12:50:57 2023 +0100

libprotobuf-mutator

Clone and compile libprotobuf-mutator (used to build our custom mutator) from the base folder:

$ git clone https://github.com/google/libprotobuf-mutator.git
$ cd libprotobuf-mutator
$ mkdir build && cd build
$ cmake .. -GNinja -DLIB_PROTO_MUTATOR_DOWNLOAD_PROTOBUF=ON -DLIB_PROTO_MUTATOR_TESTING=OFF -DCMAKE_BUILD_TYPE=Release -DCMAKE_C_FLAGS="-fPIC" -DCMAKE_CXX_FLAGS="-fPIC"
$ ninja

Note: Tested with commit af3bb18749db3559dc4968dd85319d05168d4b5e from Wed Dec 7 15:21:20 2022 -0800

Clone and compile the protobuf ASN.1 mutator from the base folder:

$ git clone https://github.com/google/fuzzing.git google-fuzzing
$ cd google-fuzzing/proto/asn1-pdu/
$ ../../../libprotobuf-mutator/build/external.protobuf/bin/protoc *.proto --python_out=. --cpp_out=.
$ git apply ../../../src/mutator/google-fuzzing.patch

Note:

  • See this pull request to understand why this patch is necessary
  • Tested with commit 128a82660ffe414036ded9a6e561a9532945280d from Wed Oct 26 14:12:31 2022 +0200

Python packages

Install Python3 and the venv package:

$ apt update
$ apt install python3 python3-venv

Setup a virtual environment and install dependencies:

$ cd src/mutator
$ python3 -m venv .env
$ source .env/bin/activate
$ pip3 install -r requirements.txt

Blog

Compile the target and libraries created for this blogpost from the base folder:

make -C src

Finally, generate the corpus:

$ cd <step folder>
$ ./build_corpus.sh

Run

Simply use the fuzz.sh script from the step you are on:

$ cd <step folder>
$ ./fuzz.sh

Metadata

59
Stars
5
Forks
Watchers

Owner

verified publisher icon airbus-seclab

Metadata

Blogpost about optimizing binary-only fuzzing with AFL++

Back