Fuzzing with AFL

AFL for cross architecture blackbox binaries
#Pull AFL and install QEMU support
git clone https://github.com/mcarpenter/afl
cd afl
make
cd qemu_mode/
sudo apt install libtool-bin
export CPU_TARGET=mips
./build_qemu_support.sh
sudo -i
#Stop coredumps from being sent to an external utility
echo core > /proc/sys/kernel/core_pattern
exit
 
QEMU_LD_PREFIX=$(pwd) AFL_PATH=/home/$USER/afl afl-fuzz -i testcases/ -o output/ -Q -- ./myBinaryWithSTDIN
If you get issues on Ubuntu 18.04, add the following to the qemu_mode/patches directory:
From 75e5b70e6b5dcc4f2219992d7cffa462aa406af0 Mon Sep 17 00:00:00 2001
From: Paolo Bonzini <[email protected]>
Date: Tue, 28 Nov 2017 11:51:27 +0100
Subject: [PATCH] memfd: fix configure test
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
​
Recent glibc added memfd_create in sys/mman.h.  This conflicts with
the definition in util/memfd.c:
​
    /builddir/build/BUILD/qemu-2.11.0-rc1/util/memfd.c:40:12: error: static declaration of memfd_create follows non-static declaration
​
Fix the configure test, and remove the sys/memfd.h inclusion since the
file actually does not exist---it is a typo in the memfd_create(2) man
page.
​
Cc: Marc-AndrÃ© Lureau <[email protected]>
Signed-off-by: Paolo Bonzini <[email protected]>
---
 configure    | 2 +-
 util/memfd.c | 4 +---
 2 files changed, 2 insertions(+), 4 deletions(-)
​
diff --git a/configure b/configure
index 9c8aa5a..99ccc17 100755
--- a/configure
+++ b/configure
@@ -3923,7 +3923,7 @@ fi
 # check if memfd is supported
 memfd=no
 cat > $TMPC << EOF
-#include <sys/memfd.h>
+#include <sys/mman.h>
 
 int main(void)
 {
diff --git a/util/memfd.c b/util/memfd.c
index 4571d1a..412e94a 100644
--- a/util/memfd.c
+++ b/util/memfd.c
@@ -31,9 +31,7 @@
 
 #include "qemu/memfd.h"
 
-#ifdef CONFIG_MEMFD
-#include <sys/memfd.h>
-#elif defined CONFIG_LINUX
+#if defined CONFIG_LINUX && !defined CONFIG_MEMFD
 #include <sys/syscall.h>
 #include <asm/unistd.h>
 
-- 
1.8.3.1
​
​
​
And add patch -p1 <../patches/mman.diff || exit 1 to line 129 of build_qemu_support.sh
Use RAMdisks for input since, we don't want to destroy harddrives
#Make a 1GB ramdisk file from which AFL can read input
mkdir -p inputFiles
mount -t tmpfs -o size=1024M tmpfs inputFiles/
AFL for source
This part uses the afl-clang-fast to build instrumented binaries.
#Ubuntu does not have clang 5, and I don't like building it from source
wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | sudo apt-key add -
sudo apt-add-repository "deb http://apt.llvm.org/xenial/ llvm-toolchain-xenial-5.0 main"
sudo apt-get update
sudo apt-get install -y clang-5.0 llvm-5.0
 
#Ubuntu doesn't like adding "clang" and "llvm-config" to the /usr/bin
sudo ln -s /usr/bin/clang-5.0 /usr/bin/clang
sudo ln -s /usr/bin/clang++-5.0 /usr/bin/clang++
sudo ln -s /usr/bin/llvm-config-5.0 /usr/bin/llvm-config
​
​
#Pull AFL and install llvm mode
git clone https://github.com/mcarpenter/afl
cd afl
make
cd llvm_mode
 
#This part is important. Clang5 support WILL NOT WORK without this change
vim Makefile
#Change CLANG_CFL from
#CLANG_CFL    = `$(LLVM_CONFIG) --cxxflags` -fno-rtti -fpic $(CXXFLAGS)
# To
#CLANG_CFL    = -I/usr/lib/llvm-5.0/include -std=c++0x -fuse-ld=gold -Wl,--no-keep-files-mapped -Wl,--no-map-whole-files -fPIC -Werror=date-time -std=c++11 -Wall -W -Wno-unused-parameter -Wwrite-strings -Wcast-qual -Wno-missing-field-initializers -pedantic -Wno-long-long -Wno-maybe-uninitialized -Wdelete-non-virtual-dtor -Wno-comment -ffunction-sections -fdata-sections -O2 -DNDEBUG  -fno-exceptions -DLLVM_BUILD_GLOBAL_ISEL -D_GNU_SOURCE -D__STDC_CONSTANT_MACROS -D__STDC_FORMAT_MACROS -D__STDC_LIMIT_MACROS -fno-rtti -fpic $(CXXFLAGS)
 
#`llvm-config --cxxflags` includes the `-fvisibility-inlines-hidden` flag which WILL BREAK AFL INSTRUMENTATION.
make
cd ..
sudo make install
cd /path/to/source/code
./configure CC=afl-clang-fast
make
Setting up and using Preeny
Makes fuzzing binaries with socket/alarm/fork etc so much easier
git clone https://github.com/zardus/preeny.git
cd preeny
 
#Your architecture libs
make
#32 bit libs
CFLAGS=-m32 make
#Cross architecture libs
CC=mips-malta-linux-gnu-gcc make -i
 
#Standard usage:
LD_PRELOAD="/home/$USER/preeny/x86_64-linux-gnu/defork.so" ./myFavoriteForkingBinary
 
#AFL usage:
AFL_PRELOAD="/home/$USER/preeny/x86_64-linux-gnu/desock.so" afl-fuzz -i i/ -o o/ -m 200 ./myFavoriteSocketBinary
Useful environment variables for AFL
#This disables fork server which stops before main() and issues forked processes from there
AFL_NO_FORKSRV=1
#Send your LD_PRELOAD stuff only to the binary. This way you don't mess with AFL's fork server
AFL_PRELOAD="/home/$USER/preeny/x86_64-linux-gnu/defork.so"

Building QEMU on Ubuntu

Next - Vulnerability Discovery

Automated Vulnerability Discovery

Last modified 3yr ago

Copy link

On this page

AFL for cross architecture blackbox binaries

Use RAMdisks for input since, we don't want to destroy harddrives

AFL for source

Setting up and using Preeny

Useful environment variables for AFL