uafbench

uafbench copied to clipboard

UAF Fuzzing Benchmark

We create a fuzzing benchmark of Use-After-Free (UAF) and Double-Free (DF) bugs for our evaluations. It includes recent bugs found by existing (directed) greybox fuzzers of real-world programs. We provide scripts, Valgrind's stack traces as targets and initial seeds of each subject. Please follow the instructions to install fuzzers like AFL(-QEMU), AFLGo and UAFuzz.

# Environment variables
export AFL=/path/to/afl-2.52b
export AFLGO=/path/to/aflgo
export IDA_PATH=/path/to/ida-6.9/idaq
export GRAPH_EASY_PATH=/path/to/graph-easy
export UAFUZZ_PATH=/path/to/uafuzz

# Avoid hang when fuzzing
export MALLOC_CHECK_=0

# Checkout the benchmark
git clone https://github.com/strongcourage/uafbench.git
cd uafbench; export UAFBENCH_PATH=`pwd`

# Fuzz CVE-20018-20623 with UAFuzz and timeout 60 minutes
$UAFBENCH_PATH/CVE-2018-20623.sh uafuzz 60 $UAFBENCH_PATH/valgrind/CVE-2018-20623.valgrind

# Fuzz patched version of CVE-2018-6952
$UAFBENCH_PATH/CVE-2019-20633.sh uafuzz 360 $UAFBENCH_PATH/valgrind/CVE-2018-6952.valgrind

You can also fuzz without IDA Pro by specifying the argument --no_ida in the Python scripts. In this case, existing Ida files and call graphs in the folder /ida will be used. For example, the last two commands in CVE-2019-20633.sh should be updated as follows:

$UAFUZZ_PATH/scripts/preprocess.py --no_ida -f $PUT -v $targets -o $FUZZ_DIR
$UAFUZZ_PATH/scripts/run_uafuzz.py --no_ida -f $FUZZ_DIR/$PUT -M fuzz -i $FUZZ_DIR/in -o run -r "$FUZZ_DIR/$PUT -Rf" -I $runmode -T "$FUZZ_DIR/$PUT.tgt" -to $timeout

UAF bugs found by UAFuzz