Fuzzing with AFL
#Pull AFL and install QEMU support
git clone https://github.com/mcarpenter/afl
cd afl
make
cd qemu_mode/
sudo apt install libtool-bin
export CPU_TARGET=mips
./build_qemu_support.sh
sudo -i
#Stop coredumps from being sent to an external utility
echo core > /proc/sys/kernel/core_pattern
exit
QEMU_LD_PREFIX=$(pwd) AFL_PATH=/home/$USER/afl afl-fuzz -i testcases/ -o output/ -Q -- ./myBinaryWithSTDIN
If you get issues on Ubuntu 18.04, add the following to the
qemu_mode/patches directory:From 75e5b70e6b5dcc4f2219992d7cffa462aa406af0 Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <[email protected]>
Date: Tue, 28 Nov 2017 11:51:27 +0100
Subject: [PATCH] memfd: fix configure test
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
Recent glibc added memfd_create in sys/mman.h. This conflicts with
the definition in util/memfd.c:
/builddir/build/BUILD/qemu-2.11.0-rc1/util/memfd.c:40:12: error: static declaration of memfd_create follows non-static declaration
Fix the configure test, and remove the sys/memfd.h inclusion since the
file actually does not exist---it is a typo in the memfd_create(2) man
page.
Cc: Marc-André Lureau <[email protected]>
Signed-off-by: Paolo Bonzini <[email protected]>
---
configure | 2 +-
util/memfd.c | 4 +---
2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/configure b/configure
index 9c8aa5a..99ccc17 100755
--- a/configure
+++ b/configure
@@ -3923,7 +3923,7 @@ fi
# check if memfd is supported
memfd=no
cat > $TMPC << EOF
-#include <sys/memfd.h>
+#include <sys/mman.h>
int main(void)
{
diff --git a/util/memfd.c b/util/memfd.c
index 4571d1a..412e94a 100644
--- a/util/memfd.c
+++ b/util/memfd.c
@@ -31,9 +31,7 @@
#include "qemu/memfd.h"
-#ifdef CONFIG_MEMFD
-#include <sys/memfd.h>
-#elif defined CONFIG_LINUX
+#if defined CONFIG_LINUX && !defined CONFIG_MEMFD
#include <sys/syscall.h>
#include <asm/unistd.h>
--
1.8.3.1
And add
patch -p1 <../patches/mman.diff || exit 1 to line 129 of build_qemu_support.sh#Make a 1GB ramdisk file from which AFL can read input
mkdir -p inputFiles
mount -t tmpfs -o size=1024M tmpfs inputFiles/
This part uses the afl-clang-fast to build instrumented binaries.
#Ubuntu does not have clang 5, and I don't like building it from source
wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | sudo apt-key add -
sudo apt-add-repository "deb http://apt.llvm.org/xenial/ llvm-toolchain-xenial-5.0 main"
sudo apt-get update
sudo apt-get install -y clang-5.0 llvm-5.0
#Ubuntu doesn't like adding "clang" and "llvm-config" to the /usr/bin
sudo ln -s /usr/bin/clang-5.0 /usr/bin/clang
sudo ln -s /usr/bin/clang++-5.0 /usr/bin/clang++
sudo ln -s /usr/bin/llvm-config-5.0 /usr/bin/llvm-config
#Pull AFL and install llvm mode
git clone https://github.com/mcarpenter/afl
cd afl
make
cd llvm_mode
#This part is important. Clang5 support WILL NOT WORK without this change
vim Makefile
#Change CLANG_CFL from
#CLANG_CFL = `$(LLVM_CONFIG) --cxxflags` -fno-rtti -fpic $(CXXFLAGS)
# To
#CLANG_CFL = -I/usr/lib/llvm-5.0/include -std=c++0x -fuse-ld=gold -Wl,--no-keep-files-mapped -Wl,--no-map-whole-files -fPIC -Werror=date-time -std=c++11 -Wall -W -Wno-unused-parameter -Wwrite-strings -Wcast-qual -Wno-missing-field-initializers -pedantic -Wno-long-long -Wno-maybe-uninitialized -Wdelete-non-virtual-dtor -Wno-comment -ffunction-sections -fdata-sections -O2 -DNDEBUG -fno-exceptions -DLLVM_BUILD_GLOBAL_ISEL -D_GNU_SOURCE -D__STDC_CONSTANT_MACROS -D__STDC_FORMAT_MACROS -D__STDC_LIMIT_MACROS -fno-rtti -fpic $(CXXFLAGS)
#`llvm-config --cxxflags` includes the `-fvisibility-inlines-hidden` flag which WILL BREAK AFL INSTRUMENTATION.
make
cd ..
sudo make install
cd /path/to/source/code
./configure CC=afl-clang-fast
make
Makes fuzzing binaries with socket/alarm/fork etc so much easier
git clone https://github.com/zardus/preeny.git
cd preeny
#Your architecture libs
make
#32 bit libs
CFLAGS=-m32 make
#Cross architecture libs
CC=mips-malta-linux-gnu-gcc make -i
#Standard usage:
LD_PRELOAD="/home/$USER/preeny/x86_64-linux-gnu/defork.so" ./myFavoriteForkingBinary
#AFL usage:
AFL_PRELOAD="/home/$USER/preeny/x86_64-linux-gnu/desock.so" afl-fuzz -i i/ -o o/ -m 200 ./myFavoriteSocketBinary
#This disables fork server which stops before main() and issues forked processes from there
AFL_NO_FORKSRV=1
#Send your LD_PRELOAD stuff only to the binary. This way you don't mess with AFL's fork server
AFL_PRELOAD="/home/$USER/preeny/x86_64-linux-gnu/defork.so"