最近几天一直在弄FuzzBench添加新的fuzzer,在添加过程中遇到各种问题,在此做详细记录。
拉取fuzzbench到本地
这一部分可以直接参考此链接FuzzBench预备条件
1.拉取代码到本地
git clone https://github.com/google/fuzzbench
cd fuzzbench
git submodule update --init
2.安装fuzzbench
sudo apt-get install build-essential
3.安装fuzzbench需要使用的依赖
sudo apt-get install python3.8-dev python3.8-venv
make install-dependencies
#接下里是进入虚拟环境,这一步可以不执行,执行后也可以执行deactivate退出虚拟环境
source .venv/bin/activate
4.安装本地依赖
如果想要在本地执行fuzzbench需要执行一下语句进行rsync的安装
sudo apt-get install rsync
添加新的Fuzzer
1.创建目录
首先到fuzzbench的fuzzer目录下创建需要添加的fuzzer对应的文件名,该文件夹用于存放接下来需要创建的三个文件
export FUZZER_NAME= < your_fuzzer_name>
cd fuzzers
mkdir $FUZZER_NAME
例如本文新增的fuzzer名为agilefuzz,注意这里fuzzer_name名称只能是小写字母,否则会报错。
2.编写fuzzer文件
接下来编写的文件都保存在(1)中创建的目录下
cd $FUZZER_NAME
builder.Dockerfile编写
此处使用vim对该文件进行编写,直接参考它给出的例子afl。
vim builder.Dockerfile
写入代码如下:
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.ARG parent_image
FROM $parent_image# Download and compile AFL v2.57b.
# Set AFL_NO_X86 to skip flaky tests.
#注意这里的git clone的地址要改成你需要添加的fuzzer的拉取地址
#拉取到afl目录下是为了方便在afl编写的其他代码中进行兼容,看了一下其他模糊器的builder.Dockerfile也是拉取到afl目录下
RUN git clone https://github.com/12qwetyd/agile.git /afl && \cd /afl && \AFL_NO_X86=1 make# Use afl_driver.cpp from LLVM as our fuzzing library.
#wget部分用于拉取编译fuzzer的函数,此处可以直接使用AFL的驱动程序
RUN apt-get update && \apt-get install wget -y && \wget https://raw.githubusercontent.com/llvm/llvm-project/5feb80e748924606531ba28c97fe65145c65372e/compiler-rt/lib/fuzzer/afl/afl_driver.cpp -O /afl/afl_driver.cpp && \clang -Wno-pointer-sign -c /afl/llvm_mode/afl-llvm-rt.o.c -I/afl && \clang++ -stdlib=libc++ -std=c++11 -O2 -c /afl/afl_driver.cpp && \ar r /libAFL.a *.o
run.Dockerfile
这里对于大部分模糊测试只需要一句from语句用于拉取镜像即可,但如果fuzzer需要一些依赖也可以直接使用apt-get语句下载,在本次实验中并不需要其他依赖,因此代码如下:
首先创建run.Dockerfile
vim run.Dockerfile
在编译器中输入如下代码:
FROM gcr.io/fuzzbench/base-image
fuzzer.py
vim fuzzer.py
直接复制AFL的fuzzer.py文件即可,由于在上面runner.Dockerfile中直接将fuzzer拉取并命名为afl,因此对该文件不需要做修改,但如果添加的fuzzer中存在一些新的执行参数或者删除了一些参数,则需要对fuzzer.py中的参数进行修改。
fuzzer.py代码
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Integration code for AFL fuzzer."""import json
import os
import shutil
import subprocessfrom fuzzers import utilsdef prepare_build_environment():"""Set environment variables used to build targets for AFL-basedfuzzers."""cflags = ['-fsanitize-coverage=trace-pc-guard']utils.append_flags('CFLAGS', cflags)utils.append_flags('CXXFLAGS', cflags)os.environ['CC'] = 'clang'os.environ['CXX'] = 'clang++'os.environ['FUZZER_LIB'] = '/libAFL.a'def build():"""Build benchmark."""prepare_build_environment()utils.build_benchmark()print('[post_build] Copying afl-fuzz to $OUT directory')# Copy out the afl-fuzz binary as a build artifact.shutil.copy('/afl/afl-fuzz', os.environ['OUT'])def get_stats(output_corpus, fuzzer_log): # pylint: disable=unused-argument"""Gets fuzzer stats for AFL."""# Get a dictionary containing the stats AFL reports.stats_file = os.path.join(output_corpus, 'fuzzer_stats')with open(stats_file) as file_handle:stats_file_lines = file_handle.read().splitlines()stats_file_dict = {}for stats_line in stats_file_lines:key, value = stats_line.split(': ')stats_file_dict[key.strip()] = value.strip()# Report to FuzzBench the stats it accepts.stats = {'execs_per_sec': float(stats_file_dict['execs_per_sec'])}return json.dumps(stats)def prepare_fuzz_environment(input_corpus):"""Prepare to fuzz with AFL or another AFL-based fuzzer."""# Tell AFL to not use its terminal UI so we get usable logs.os.environ['AFL_NO_UI'] = '1'# Skip AFL's CPU frequency check (fails on Docker).os.environ['AFL_SKIP_CPUFREQ'] = '1'# No need to bind affinity to one core, Docker enforces 1 core usage.os.environ['AFL_NO_AFFINITY'] = '1'# AFL will abort on startup if the core pattern sends notifications to# external programs. We don't care about this.os.environ['AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES'] = '1'# Don't exit when crashes are found. This can happen when corpus from# OSS-Fuzz is used.os.environ['AFL_SKIP_CRASHES'] = '1'# Shuffle the queueos.environ['AFL_SHUFFLE_QUEUE'] = '1'# AFL needs at least one non-empty seed to start.utils.create_seed_file_for_empty_corpus(input_corpus)def check_skip_det_compatible(additional_flags):""" Checks if additional flags are compatible with '-d' option"""# AFL refuses to take in '-d' with '-M' or '-S' options for parallel mode.# (cf. https://github.com/google/AFL/blob/8da80951/afl-fuzz.c#L7477)if '-M' in additional_flags or '-S' in additional_flags:return Falsereturn True#这部分是编译afl的代码,如果添加的fuzzer修改了一些参数在此处进行修改
def run_afl_fuzz(input_corpus,output_corpus,target_binary,additional_flags=None,hide_output=False):"""Run afl-fuzz."""# Spawn the afl fuzzing process.print('[run_afl_fuzz] Running target with afl-fuzz')command = ['./afl-fuzz','-i',input_corpus,'-o',output_corpus,# Use no memory limit as ASAN doesn't play nicely with one.'-m','none','-t','1000+', # Use same default 1 sec timeout, but add '+' to skip hangs.]# Use '-d' to skip deterministic mode, as long as it it compatible with# additional flags.if not additional_flags or check_skip_det_compatible(additional_flags):command.append('-d')if additional_flags:command.extend(additional_flags)dictionary_path = utils.get_dictionary_path(target_binary)if dictionary_path:command.extend(['-x', dictionary_path])command += ['--',target_binary,# Pass INT_MAX to afl the maximize the number of persistent loops it# performs.'2147483647']print('[run_afl_fuzz] Running command: ' + ' '.join(command))output_stream = subprocess.DEVNULL if hide_output else Nonesubprocess.check_call(command, stdout=output_stream, stderr=output_stream)def fuzz(input_corpus, output_corpus, target_binary):"""Run afl-fuzz on target."""prepare_fuzz_environment(input_corpus)run_afl_fuzz(input_corpus, output_corpus, target_binary)
执行文件
在fuzzbench目录下执行如下语句,其中FUZZER_NAME在前文中已经给出了定义,为新添加的fuzzer目录名称:
export BENCHMARK_NAME=libpng-1.2.56
make build-$FUZZER_NAME-$BENCHMARK_NAME
#debug a build
make debug-builder-$FUZZER_NAME-$BENCHMARK_NAME
接下来会生成一个docker并自动进入到该docker中,记录生成的docker的名称,然后执行exit退出该docker,依然回到fuzzbench目录下执行剩下的语句:
下面这两句执行任意一句即可,后一句执行一个更快的测试
make run-$FUZZER_NAME-$BENCHMARK_NAME
make test-run-$FUZZER_NAME-$BENCHMARK_NAME
上面的语句执行速度比较慢,我这边执行的第一句,等了一天多还没执行完,最后一句建立fuzzer的所有基准也是在服务器的fuzzbench目录下执行:
make build-$FUZZER_NAME-all
以上为添加fuzzer的全过程,结束。
遇见问题
如果添加的fuzzer删除或新增了一些指令,在复制完fuzzer.py后应该上上文中文提到的部分修改参数引用,例如本文添加的fuzzer删除了-d参数,由于没有及时修改fuzzer.py文件,在执行过程中报错如下:
这是因为在执行afl-fuzz时新增的fuzzer没有-d参数,直接在fuzzer.py文件中删除这一参数即可:
需要提交
fuzzbench更新了代码后需要执行git commit提交命令,否则会报失败,这里可以直接修改它的检查语句:
在fuzzbench的experiment目录下修改run_experiment.py文件
在vim非编译模式下输入一下命令查找到git提交检查部分,删除该部分代码即可: