d991395c81
* launcher in linux * silence stdout and stderr linux * arg parser and other changes * retry instead of sleep * no_std fixes * reordered includes * launcher for windows and kill clients when broker returns * cargo fmt * started launcher api cleanup * use closures instead of functions * small change * reordered launcher params * fixed clippy warnings * fixed no_std * moved launcher example to own folder * docu * cleanup launcher * more docs * Fix merge issues * Rework the launcher code to provide a cleaner API * Open file before spawning clients * launcher: fix merge issue, sleep for a different amount for each core * fixed no_std * Tcp Broker to Broker Communication (#66) * initial b2b implementation * no_std and clippy fixes * b2b testcase added * more correct testcases * fixed b2b * typo * fixed unused warning * some clippy warning ignored * using clippy.sh * Update README.md * fixed clippy run in workflow * fixing clippy::match-same-arms * make clippy less pedantic * fixed some minor typos in the book * launcher: use s1341's fork of core_affinity * Build warning fix proposal, mostly about reference to packed fields. (#79) * Observers refactor (#84) * new observer structure with HasExecHooks * adapt libafl_frida to new observers * docstrings * Composing feedback (#85) * composing feedbacks as logic operations and bump to 0.2 * adapt fuzzers and libafl_frida * fix windows build * fixed clippy warnings * Frida suppress instrumentation locations option (#87) * Implement frida option * Format * add append/discard_metadata for and/or/not feedback (#86) * add append/discard_metadata for and/or/not feedback * fix * Call append_metadata on crash (#88) * Call append_metadata on crash * Formatting * Reachability example (#65) * add reachability observer/feedback * add fuzzer exmaple * fmt * remove reachabilityobserver, use stdmapobserver instead * update diff.patch * update README * fix the clippy warning * Squashed commit of the following: commit f20524ebd77011481e86b420c925e8504bd11308 Author: Andrea Fioraldi <andreafioraldi@gmail.com> Date: Tue May 4 16:00:39 2021 +0200 Composing feedback (#85) * composing feedbacks as logic operations and bump to 0.2 * adapt fuzzers and libafl_frida * fix windows build commit e06efaa03bc96ef71740d7376c7381572bf11c6c Author: Andrea Fioraldi <andreafioraldi@gmail.com> Date: Tue May 4 13:54:46 2021 +0200 Observers refactor (#84) * new observer structure with HasExecHooks * adapt libafl_frida to new observers * docstrings commit 17c6fcd31cb746c099654be2b7a168bd04d46381 Merge: 08a2d43 a78a4b7 Author: Andrea Fioraldi <andreafioraldi@gmail.com> Date: Mon May 3 11:16:49 2021 +0200 Merge branch 'main' into dev commit 08a2d43790797d8864565fec99e7043289a46283 Author: David CARLIER <devnexen@gmail.com> Date: Mon May 3 10:15:28 2021 +0100 Build warning fix proposal, mostly about reference to packed fields. (#79) commit 88fe8fa532ac34cbc10782f5f71264f620385dda Merge: d5d46ad d2e7719 Author: Andrea Fioraldi <andreafioraldi@gmail.com> Date: Mon May 3 11:05:42 2021 +0200 Merge pull request #80 from marcograss/book-typos fixed some minor typos in the book commit a78a4b73fa798c1ed7a3d053369cca435e57aa07 Author: s1341 <s1341@users.noreply.github.com> Date: Mon May 3 10:34:15 2021 +0300 frida-asan: Un-inline report funclet to reduce code bloat (#81) * frida-asan: Outline report funclet to reduce code bloat * fmt commit d2e7719a8bea3a993394c187e2183d3e91f02c75 Author: Marco Grassi <marco.gra@gmail.com> Date: Sun May 2 21:58:33 2021 +0800 fixed some minor typos in the book commit d5d46ad7e440fd4a2925352ed1ccb9ced5d9463d Author: Dominik Maier <domenukk@gmail.com> Date: Sat May 1 23:09:10 2021 +0200 make clippy less pedantic commit 52d25e979e23589587c885803641058dc36aa998 Author: Dominik Maier <domenukk@gmail.com> Date: Sat May 1 22:23:59 2021 +0200 fixing clippy::match-same-arms commit cd66f880dea830d1e38e89fd1bf3c20fd89c9d70 Author: Dominik Maier <domenukk@gmail.com> Date: Sat May 1 14:02:07 2021 +0200 fixed clippy run in workflow commit ddcf086acde2b703c36e4ec3976588313fc3d591 Author: Dominik Maier <domenukk@gmail.com> Date: Sat May 1 13:53:29 2021 +0200 Update README.md commit c715f1fe6e42942e53bd13ea6a23214620f6c829 Author: Dominik Maier <domenukk@gmail.com> Date: Sat May 1 13:48:38 2021 +0200 using clippy.sh commit 9374b26b1d2d44c6042fdd653a8d960ce698592c Author: Dominik Maier <domenukk@gmail.com> Date: Sat May 1 13:47:44 2021 +0200 some clippy warning ignored commit b9e75c0c98fdfb1e70778e6f3612a94b71dcd21a Author: Dominik Maier <domenukk@gmail.com> Date: Sat May 1 13:24:02 2021 +0200 Tcp Broker to Broker Communication (#66) * initial b2b implementation * no_std and clippy fixes * b2b testcase added * more correct testcases * fixed b2b * typo * fixed unused warning * feedbacks now return a boolean value * use feedback_or, and modify Cargo.toml * fix diff between dev and this branch * fmt Co-authored-by: Dominik Maier <domenukk@gmail.com> * clippy fixes * clippy fixes * clippy fixes, x86_64 warnings * more docs * Observers lifetime (#89) * introduce MatchName and alow lifetimes in observers * adapt fuzzers to observers with lifetime * introduce type_eq when on nightly * fix no_std * fmt * Better docu (#90) * more docs * more docs: * more docu * more docu * finished docs * cleaned up markup * must_use tags added * more docs * more docu, less clippy * more fixes * Clippy fixes (#92) * more docs * more docs: * more docu * more docu * finished docs * cleaned up markup * must_use tags added * more docs * swapped if/else, as per clippy * more docu, less clippy * more fixes * Fix merge issues * Get rid of unneeded prints * Fix merge errors * added b2b to restarting interface * Setting SO_REUSEPORT * added b2b to launcher api * more windows launcher * Fix merge errors * Add b2b support to frida_libpng * make frida_libpng bind to a public address * Convert launcher into a builder LauncherBuilder * formatting * Convert setup_restarting_mgr to a builder RestartingMgrBuilder; leave setup_restarting_mgr_std as is, so that fuzzers work * RcShmem should be locked via a mutex * Wait at least 1 second between broker and first client, to avoid race * update frida_libpng README for cross-compiling to android (#100) Co-authored-by: Ariel Zentner <ArielZ@nsogroup.com> * Fixed build for Windows * no_std fixes * reverted aa6773dcade93b3a66ce86e6b2cc75f55ce194e7 & windows fixes * added pipes, moving to remove race conditions for rc shmem * fix unix build * fixed clippy: * fixed no_std once more * renamed b2b to remote_broker_addr * you get a pre_fork, and you get a post_fork, forks for everyone * switched to typed_builder * Fix merge isseu * Fix frida fuzzer with new Launcher builder * Introspection (#97) * Rework to put `ClientPerfStats` in `State` and pass that along. Still need to work on getting granular information from `Feedback` and `Observer` * Add perf_stats feature to libafl/Cargo.toml * Update feedbacks to have with_perf * Remove unneeeded print statement * cargo fmt all the things * use local llvmint vs cpu specific asm for reading cycle counter * Remove debug testing code * Stats timeout to 3 seconds * Inline smallish functions for ClientPerfStats * Remove .libs/llvmint and have the correct conditional compilation of link_llvm_intrinsics on the perf_stats feature * pub(crate) the NUM_FEEDBACK and NUM_STAGES consts * Tcp Broker to Broker Communication (#66) * initial b2b implementation * no_std and clippy fixes * b2b testcase added * more correct testcases * fixed b2b * typo * fixed unused warning * clippy fixes * fallback to systemtime on non-x86 * make clippy more strict * small fixes * bump 0.2.1 * readme Co-authored-by: ctfhacker <cld251@gmail.com> Co-authored-by: Dominik Maier <domenukk@gmail.com> * typos (please review) * merged clippy.sh * utils * Add asan cores option (#102) * added asan-cores option for frida fuzzer When asan is enabled (via LIBBAFL_FRIDA_OPTIONS enable-asan), you can filter exactly which of the cores asan should run on with the asan-cores variable. * add is_some check instead of !None Co-authored-by: Ariel Zentner <ArielZ@nsogroup.com> * moved utils to bolts * fixed typo * no_std fixes * unix fixes * fixed unix no_std build * fix llmp.rs * adapt libfuzzer_libpng_launcher * added all fuzzers to ci * fmt, improved ci * tests crate not ready for prime time * clippy fixes * make ci script executable * trying to fix example fuzzers * working libfuzzer_libpng_laucnher * frida_libpng builds * clippy * bump version * fix no_std * fix dep version * clippy fixes * more fies * clippy++ * warn again * clearer readme Co-authored-by: Vimal Joseph <vimaljoseph027@gmail.com> Co-authored-by: Dominik Maier <domenukk@gmail.com> Co-authored-by: s1341 <github@shmarya.net> Co-authored-by: Marco Grassi <marco.gra@gmail.com> Co-authored-by: s1341 <s1341@users.noreply.github.com> Co-authored-by: Andrea Fioraldi <andreafioraldi@gmail.com> Co-authored-by: David CARLIER <devnexen@gmail.com> Co-authored-by: Toka <tokazerkje@outlook.com> Co-authored-by: r-e-l-z <azentner@gmail.com> Co-authored-by: Ariel Zentner <ArielZ@nsogroup.com> Co-authored-by: ctfhacker <cld251@gmail.com> Co-authored-by: hexcoder <hexcoder-@users.noreply.github.com>
Libfuzzer for libpng
This folder contains an example fuzzer for libpng, using LLMP for fast multi-process fuzzing and crash detection.
In contrast to other fuzzer examples, this setup uses fuzz_loop_for, to occasionally respawn the fuzzer executor.
While this costs performance, it can be useful for targets with memory leaks or other instabilities.
If your target is really instable, however, consider exchanging the InProcessExecutor for a ForkserverExecutor instead.
It also uses the introspection feature, printing fuzzer stats during execution.
To show off crash detection, we added a ud2 instruction to the harness, edit harness.cc if you want a non-crashing example.
It has been tested on Linux.
Build
To build this example, run
cargo build --release
This will build the library with the fuzzer (src/lib.rs) with the libfuzzer compatibility layer and the SanitizerCoverage runtime functions for coverage feedback. In addition, it will also build two C and C++ compiler wrappers (bin/libafl_c(libafl_c/xx).rs) that you must use to compile the target.
The compiler wrappers, libafl_cc and libafl_cxx, will end up in ./target/release/(or./target/debug, in case you did not build with the --release` flag).
Then download libpng, and unpack the archive:
wget https://deac-fra.dl.sourceforge.net/project/libpng/libpng16/1.6.37/libpng-1.6.37.tar.xz
tar -xvf libpng-1.6.37.tar.xz
Now compile libpng, using the libafl_cc compiler wrapper:
cd libpng-1.6.37
./configure
make CC=$(realpath ../target/release/libafl_cc) CXX=$(realpath ../target/release/libafl_cxx) -j `nproc`
You can find the static lib at libpng-1.6.37/.libs/libpng16.a.
Now, we have to build the libfuzzer harness and link all together to create our fuzzer binary.
cd ..
./target/release/libafl_cxx ./harness.cc libpng-1.6.37/.libs/libpng16.a -I libpng-1.6.37/ -o fuzzer_libpng -lz -lm
Afterward, the fuzzer will be ready to run.
Note that, unless you use the launcher, you will have to run the binary multiple times to actually start the fuzz process, see Run in the following.
This allows you to run multiple different builds of the same fuzzer alongside, for example, with and without ASAN (-fsanitize=address) or with different mutators.
Run
The first time you run the binary, the broker will open a tcp port (currently on port 1337), waiting for fuzzer clients to connect. This port is local and only used for the initial handshake. All further communication happens via shared map, to be independent of the kernel. Currently, you must run the clients from the libfuzzer_libpng directory for them to be able to access the PNG corpus.
./fuzzer_libpng
[libafl/src/bolts/llmp.rs:407] "We're the broker" = "We\'re the broker"
Doing broker things. Run this tool again to start fuzzing in a client.
And after running the above again in a separate terminal:
[libafl/src/bolts/llmp.rs:1464] "New connection" = "New connection"
[libafl/src/bolts/llmp.rs:1464] addr = 127.0.0.1:33500
[libafl/src/bolts/llmp.rs:1464] stream.peer_addr().unwrap() = 127.0.0.1:33500
[LOG Debug]: Loaded 4 initial testcases.
[New Testcase #2] clients: 3, corpus: 6, objectives: 0, executions: 5, exec/sec: 0
< fuzzing stats >
As this example uses in-process fuzzing, we added a Restarting Event Manager (setup_restarting_mgr).
This means each client will start itself again to listen for crashes and timeouts.
By restarting the actual fuzzer, it can recover from these exit conditions.
In any real-world scenario, you should use taskset to pin each client to an empty CPU core, the lib does not pick an empty core automatically (yet).