alwin.berger/FRET-LibAFL
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
FRET-LibAFL/fuzzers/libfuzzer_libpng_launcher/README.md
Vimal Joseph d991395c81
Launcher (#48) 
* launcher in linux

* silence stdout and stderr linux

* arg parser and other changes

* retry instead of sleep

* no_std fixes

* reordered includes

* launcher for windows and kill clients when broker returns

* cargo fmt

* started launcher api cleanup

* use closures instead of functions

* small change

* reordered launcher params

* fixed clippy warnings

* fixed no_std

* moved launcher example to own folder

* docu

* cleanup launcher

* more docs

* Fix merge issues

* Rework the launcher code to provide a cleaner API

* Open file before spawning clients

* launcher: fix merge issue, sleep for a different amount for each core

* fixed no_std

* Tcp Broker to Broker Communication (#66)

* initial b2b implementation

* no_std and clippy fixes

* b2b testcase added

* more correct testcases

* fixed b2b

* typo

* fixed unused warning

* some clippy warning ignored

* using clippy.sh

* Update README.md

* fixed clippy run in workflow

* fixing clippy::match-same-arms

* make clippy less pedantic

* fixed some minor typos in the book

* launcher: use s1341's fork of core_affinity

* Build warning fix proposal, mostly about reference to packed fields. (#79)

* Observers refactor (#84)

* new observer structure with HasExecHooks

* adapt libafl_frida to new observers

* docstrings

* Composing feedback (#85)

* composing feedbacks as logic operations and bump to 0.2

* adapt fuzzers and libafl_frida

* fix windows build

* fixed clippy warnings

* Frida suppress instrumentation locations option (#87)

* Implement  frida option

* Format

* add append/discard_metadata for and/or/not feedback (#86)

* add append/discard_metadata for and/or/not feedback

* fix

* Call append_metadata on crash (#88)

* Call append_metadata on crash

* Formatting

* Reachability example (#65)

* add reachability observer/feedback

* add fuzzer exmaple

* fmt

* remove reachabilityobserver, use stdmapobserver instead

* update diff.patch

* update README

* fix the clippy warning

* Squashed commit of the following:

commit f20524ebd77011481e86b420c925e8504bd11308
Author: Andrea Fioraldi <andreafioraldi@gmail.com>
Date:   Tue May 4 16:00:39 2021 +0200

    Composing feedback (#85)

    * composing feedbacks as logic operations and bump to 0.2

    * adapt fuzzers and libafl_frida

    * fix windows build

commit e06efaa03bc96ef71740d7376c7381572bf11c6c
Author: Andrea Fioraldi <andreafioraldi@gmail.com>
Date:   Tue May 4 13:54:46 2021 +0200

    Observers refactor (#84)

    * new observer structure with HasExecHooks

    * adapt libafl_frida to new observers

    * docstrings

commit 17c6fcd31cb746c099654be2b7a168bd04d46381
Merge: 08a2d43 a78a4b7
Author: Andrea Fioraldi <andreafioraldi@gmail.com>
Date:   Mon May 3 11:16:49 2021 +0200

    Merge branch 'main' into dev

commit 08a2d43790797d8864565fec99e7043289a46283
Author: David CARLIER <devnexen@gmail.com>
Date:   Mon May 3 10:15:28 2021 +0100

    Build warning fix proposal, mostly about reference to packed fields. (#79)

commit 88fe8fa532ac34cbc10782f5f71264f620385dda
Merge: d5d46ad d2e7719
Author: Andrea Fioraldi <andreafioraldi@gmail.com>
Date:   Mon May 3 11:05:42 2021 +0200

    Merge pull request #80 from marcograss/book-typos

    fixed some minor typos in the book

commit a78a4b73fa798c1ed7a3d053369cca435e57aa07
Author: s1341 <s1341@users.noreply.github.com>
Date:   Mon May 3 10:34:15 2021 +0300

    frida-asan: Un-inline report funclet to reduce code bloat (#81)

    * frida-asan: Outline report funclet to reduce code bloat

    * fmt

commit d2e7719a8bea3a993394c187e2183d3e91f02c75
Author: Marco Grassi <marco.gra@gmail.com>
Date:   Sun May 2 21:58:33 2021 +0800

    fixed some minor typos in the book

commit d5d46ad7e440fd4a2925352ed1ccb9ced5d9463d
Author: Dominik Maier <domenukk@gmail.com>
Date:   Sat May 1 23:09:10 2021 +0200

    make clippy less pedantic

commit 52d25e979e23589587c885803641058dc36aa998
Author: Dominik Maier <domenukk@gmail.com>
Date:   Sat May 1 22:23:59 2021 +0200

    fixing clippy::match-same-arms

commit cd66f880dea830d1e38e89fd1bf3c20fd89c9d70
Author: Dominik Maier <domenukk@gmail.com>
Date:   Sat May 1 14:02:07 2021 +0200

    fixed clippy run in workflow

commit ddcf086acde2b703c36e4ec3976588313fc3d591
Author: Dominik Maier <domenukk@gmail.com>
Date:   Sat May 1 13:53:29 2021 +0200

    Update README.md

commit c715f1fe6e42942e53bd13ea6a23214620f6c829
Author: Dominik Maier <domenukk@gmail.com>
Date:   Sat May 1 13:48:38 2021 +0200

    using clippy.sh

commit 9374b26b1d2d44c6042fdd653a8d960ce698592c
Author: Dominik Maier <domenukk@gmail.com>
Date:   Sat May 1 13:47:44 2021 +0200

    some clippy warning ignored

commit b9e75c0c98fdfb1e70778e6f3612a94b71dcd21a
Author: Dominik Maier <domenukk@gmail.com>
Date:   Sat May 1 13:24:02 2021 +0200

    Tcp Broker to Broker Communication (#66)

    * initial b2b implementation

    * no_std and clippy fixes

    * b2b testcase added

    * more correct testcases

    * fixed b2b

    * typo

    * fixed unused warning

* feedbacks now return a boolean value

* use feedback_or, and modify Cargo.toml

* fix diff between dev and this branch

* fmt

Co-authored-by: Dominik Maier <domenukk@gmail.com>

* clippy fixes

* clippy fixes

* clippy fixes, x86_64 warnings

* more docs

* Observers lifetime (#89)

* introduce MatchName and alow lifetimes in observers

* adapt fuzzers to observers with lifetime

* introduce type_eq when on nightly

* fix no_std

* fmt

* Better docu (#90)

* more docs

* more docs:

* more docu

* more docu

* finished docs

* cleaned up markup

* must_use tags added

* more docs

* more docu, less clippy

* more fixes

* Clippy fixes (#92)

* more docs

* more docs:

* more docu

* more docu

* finished docs

* cleaned up markup

* must_use tags added

* more docs

* swapped if/else, as per clippy

* more docu, less clippy

* more fixes

* Fix merge issues

* Get rid of unneeded prints

* Fix merge errors

* added b2b to restarting interface

* Setting SO_REUSEPORT

* added b2b to launcher api

* more windows launcher

* Fix merge errors

* Add b2b support to frida_libpng

* make frida_libpng bind to a public address

* Convert launcher into a builder LauncherBuilder

* formatting

* Convert setup_restarting_mgr to a builder RestartingMgrBuilder; leave setup_restarting_mgr_std as is, so that fuzzers work

* RcShmem should be locked via a mutex

* Wait at least 1 second between broker and first client, to avoid race

* update frida_libpng README for cross-compiling to android (#100)

Co-authored-by: Ariel Zentner <ArielZ@nsogroup.com>

* Fixed build for Windows

* no_std fixes

* reverted aa6773dcade93b3a66ce86e6b2cc75f55ce194e7 & windows fixes

* added pipes, moving to remove race conditions for rc shmem

* fix unix build

* fixed clippy:

* fixed no_std once more

* renamed b2b to remote_broker_addr

* you get a pre_fork, and you get a post_fork, forks for everyone

* switched to typed_builder

* Fix merge isseu

* Fix frida fuzzer with new Launcher builder

* Introspection (#97)

* Rework to put `ClientPerfStats` in `State` and pass that along. Still need to work on getting granular information from `Feedback` and `Observer`

* Add perf_stats feature to libafl/Cargo.toml

* Update feedbacks to have with_perf

* Remove unneeeded print statement

* cargo fmt all the things

* use local llvmint vs cpu specific asm for reading cycle counter

* Remove debug testing code

* Stats timeout to 3 seconds

* Inline smallish functions for ClientPerfStats

* Remove .libs/llvmint and have the correct conditional compilation of link_llvm_intrinsics on the perf_stats feature

* pub(crate) the NUM_FEEDBACK and NUM_STAGES consts

* Tcp Broker to Broker Communication (#66)

* initial b2b implementation

* no_std and clippy fixes

* b2b testcase added

* more correct testcases

* fixed b2b

* typo

* fixed unused warning

* clippy fixes

* fallback to systemtime on non-x86

* make clippy more strict

* small fixes

* bump 0.2.1

* readme

Co-authored-by: ctfhacker <cld251@gmail.com>
Co-authored-by: Dominik Maier <domenukk@gmail.com>

* typos (please review)

* merged clippy.sh

* utils

* Add asan cores option (#102)

* added asan-cores option for frida fuzzer

When asan is enabled (via LIBBAFL_FRIDA_OPTIONS enable-asan), you can
filter exactly which of the cores asan should run on with the
asan-cores variable.

* add is_some check instead of !None

Co-authored-by: Ariel Zentner <ArielZ@nsogroup.com>

* moved utils to bolts

* fixed typo

* no_std fixes

* unix fixes

* fixed unix no_std build

* fix llmp.rs

* adapt libfuzzer_libpng_launcher

* added all fuzzers to ci

* fmt, improved ci

* tests crate not ready for prime time

* clippy fixes

* make ci script executable

* trying to fix example fuzzers

* working libfuzzer_libpng_laucnher

* frida_libpng builds

* clippy

* bump version

* fix no_std

* fix dep version

* clippy fixes

* more fies

* clippy++

* warn again

* clearer readme

Co-authored-by: Vimal Joseph <vimaljoseph027@gmail.com>
Co-authored-by: Dominik Maier <domenukk@gmail.com>
Co-authored-by: s1341 <github@shmarya.net>
Co-authored-by: Marco Grassi <marco.gra@gmail.com>
Co-authored-by: s1341 <s1341@users.noreply.github.com>
Co-authored-by: Andrea Fioraldi <andreafioraldi@gmail.com>
Co-authored-by: David CARLIER <devnexen@gmail.com>
Co-authored-by: Toka <tokazerkje@outlook.com>
Co-authored-by: r-e-l-z <azentner@gmail.com>
Co-authored-by: Ariel Zentner <ArielZ@nsogroup.com>
Co-authored-by: ctfhacker <cld251@gmail.com>
Co-authored-by: hexcoder <hexcoder-@users.noreply.github.com>
2021-05-19 13:08:24 +02:00

47 lines
1.6 KiB
Markdown
Raw Permalink Blame History

# Libfuzzer for libpng, with launcher
This folder contains an example fuzzer for libpng, using LLMP for fast multi-process fuzzing and crash detection.
To show off crash detection, we added a `ud2` instruction to the harness, edit harness.cc if you want a non-crashing example.
It has been tested on Linux.
In contrast to the normal libfuzzer libpng example, this uses the `launcher` feature, that automatically spawns `n` child processes, and binds them to a free core.
## Build
To build this example, run
```bash
cargo build --release
```
This will build the library with the fuzzer (src/lib.rs) with the libfuzzer compatibility layer and the SanitizerCoverage runtime functions for coverage feedback.
In addition, it will also build two C and C++ compiler wrappers (bin/libafl_c(libafl_c/xx).rs) that you must use to compile the target.
Then download libpng, and unpack the archive:
```bash
wget https://deac-fra.dl.sourceforge.net/project/libpng/libpng16/1.6.37/libpng-1.6.37.tar.xz
tar -xvf libpng-1.6.37.tar.xz
```
Now compile libpng, using the libafl_cc compiler wrapper:
```bash
cd libpng-1.6.37
./configure
make CC=../target/release/libafl_cc CXX=../target/release/libafl_cxx -j `nproc`
```
You can find the static lib at `libpng-1.6.37/.libs/libpng16.a`.
Now, we have to build the libfuzzer harness and link all together to create our fuzzer binary.
```
cd ..
./target/release/libafl_cxx ./harness.cc libpng-1.6.37/.libs/libpng16.a -I libpng-1.6.37/ -o fuzzer_libpng -lz -lm
```
Afterwards, the fuzzer will be ready to run.
## Run
Just run once, the launcher feature should do the rest.
Reference in New Issue View Git Blame Copy Permalink