Fuzzing with AFL

AFL for cross architecture blackbox binaries

#Pull AFL and install QEMU support
git clone https://github.com/mcarpenter/afl
cd afl
make
cd qemu_mode/
sudo apt install libtool-bin
export CPU_TARGET=mips
./build_qemu_support.sh
sudo -i
#Stop coredumps from being sent to an external utility
echo core > /proc/sys/kernel/core_pattern
exit
 
QEMU_LD_PREFIX=$(pwd) AFL_PATH=/home/$USER/afl afl-fuzz -i testcases/ -o output/ -Q -- ./myBinaryWithSTDIN

If you get issues on Ubuntu 18.04, add the following to the qemu_mode/patches directory:

From 75e5b70e6b5dcc4f2219992d7cffa462aa406af0 Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <pbonzini@redhat.com>
Date: Tue, 28 Nov 2017 11:51:27 +0100
Subject: [PATCH] memfd: fix configure test
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Recent glibc added memfd_create in sys/mman.h.  This conflicts with
the definition in util/memfd.c:

    /builddir/build/BUILD/qemu-2.11.0-rc1/util/memfd.c:40:12: error: static declaration of memfd_create follows non-static declaration

Fix the configure test, and remove the sys/memfd.h inclusion since the
file actually does not exist---it is a typo in the memfd_create(2) man
page.

Cc: Marc-André Lureau <marcandre.lureau@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
---
 configure    | 2 +-
 util/memfd.c | 4 +---
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/configure b/configure
index 9c8aa5a..99ccc17 100755
--- a/configure
+++ b/configure
@@ -3923,7 +3923,7 @@ fi
 # check if memfd is supported
 memfd=no
 cat > $TMPC << EOF
-#include <sys/memfd.h>
+#include <sys/mman.h>
 
 int main(void)
 {
diff --git a/util/memfd.c b/util/memfd.c
index 4571d1a..412e94a 100644
--- a/util/memfd.c
+++ b/util/memfd.c
@@ -31,9 +31,7 @@
 
 #include "qemu/memfd.h"
 
-#ifdef CONFIG_MEMFD
-#include <sys/memfd.h>
-#elif defined CONFIG_LINUX
+#if defined CONFIG_LINUX && !defined CONFIG_MEMFD
 #include <sys/syscall.h>
 #include <asm/unistd.h>
 
-- 
1.8.3.1

And add patch -p1 <../patches/mman.diff || exit 1 to line 129 of build_qemu_support.sh

Use RAMdisks for input since, we don't want to destroy harddrives

#Make a 1GB ramdisk file from which AFL can read input
mkdir -p inputFiles
mount -t tmpfs -o size=1024M tmpfs inputFiles/

AFL for source

This part uses the afl-clang-fast to build instrumented binaries.

#Ubuntu does not have clang 5, and I don't like building it from source
wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | sudo apt-key add -
sudo apt-add-repository "deb http://apt.llvm.org/xenial/ llvm-toolchain-xenial-5.0 main"
sudo apt-get update
sudo apt-get install -y clang-5.0 llvm-5.0
 
#Ubuntu doesn't like adding "clang" and "llvm-config" to the /usr/bin
sudo ln -s /usr/bin/clang-5.0 /usr/bin/clang
sudo ln -s /usr/bin/clang++-5.0 /usr/bin/clang++
sudo ln -s /usr/bin/llvm-config-5.0 /usr/bin/llvm-config


#Pull AFL and install llvm mode
git clone https://github.com/mcarpenter/afl
cd afl
make
cd llvm_mode
 
#This part is important. Clang5 support WILL NOT WORK without this change
vim Makefile
#Change CLANG_CFL from
#CLANG_CFL    = `$(LLVM_CONFIG) --cxxflags` -fno-rtti -fpic $(CXXFLAGS)
# To
#CLANG_CFL    = -I/usr/lib/llvm-5.0/include -std=c++0x -fuse-ld=gold -Wl,--no-keep-files-mapped -Wl,--no-map-whole-files -fPIC -Werror=date-time -std=c++11 -Wall -W -Wno-unused-parameter -Wwrite-strings -Wcast-qual -Wno-missing-field-initializers -pedantic -Wno-long-long -Wno-maybe-uninitialized -Wdelete-non-virtual-dtor -Wno-comment -ffunction-sections -fdata-sections -O2 -DNDEBUG  -fno-exceptions -DLLVM_BUILD_GLOBAL_ISEL -D_GNU_SOURCE -D__STDC_CONSTANT_MACROS -D__STDC_FORMAT_MACROS -D__STDC_LIMIT_MACROS -fno-rtti -fpic $(CXXFLAGS)
 
#`llvm-config --cxxflags` includes the `-fvisibility-inlines-hidden` flag which WILL BREAK AFL INSTRUMENTATION.
make
cd ..
sudo make install
cd /path/to/source/code
./configure CC=afl-clang-fast
make

Setting up and using Preeny

Makes fuzzing binaries with socket/alarm/fork etc so much easier

git clone https://github.com/zardus/preeny.git
cd preeny
 
#Your architecture libs
make
#32 bit libs
CFLAGS=-m32 make
#Cross architecture libs
CC=mips-malta-linux-gnu-gcc make -i
 
#Standard usage:
LD_PRELOAD="/home/$USER/preeny/x86_64-linux-gnu/defork.so" ./myFavoriteForkingBinary
 
#AFL usage:
AFL_PRELOAD="/home/$USER/preeny/x86_64-linux-gnu/desock.so" afl-fuzz -i i/ -o o/ -m 200 ./myFavoriteSocketBinary

Useful environment variables for AFL

#This disables fork server which stops before main() and issues forked processes from there
AFL_NO_FORKSRV=1
#Send your LD_PRELOAD stuff only to the binary. This way you don't mess with AFL's fork server
AFL_PRELOAD="/home/$USER/preeny/x86_64-linux-gnu/defork.so"
PreviousBuilding QEMU on UbuntuNextAutomated Vulnerability Discovery

Last updated