一个简单的示例
安装afl
- wget http://lcamtuf.coredump.cx/afl.tgz
- tar xfz afl.tgz
- cd afl-xxx
- sudo make install
用afl编译程序,以便插桩
- ./afl-gcc tst.c -o tst
进行测试
- ./afl-fuzz -i testcase -o output/ ./test @@
指定一个要跑的test程序和输出的output路径即可。
查看是否有插桩符号
- readelf -s ./7zDec | grep afl
参数说明
afl-fuzz 2.34b by <lcamtuf@google.com> afl-fuzz [ options ] -- /path/to/fuzzed_app [ ... ] Required parameters: -i dir - input directory with test cases -o dir - output directory for fuzzer findings Execution control settings: -f file - location read by the fuzzed program (stdin) -t msec - timeout for each run (auto-scaled, 50-1000 ms) -m megs - memory limit for child process (25 MB) -Q - use binary-only instrumentation (QEMU mode) Fuzzing behavior settings: -d - quick & dirty mode (skips deterministic steps) -n - fuzz without instrumentation (dumb mode) -x dir - optional fuzzer dictionary (see README) Other stuff: -T text - text banner -to show on the screen -M / -S id - distributed mode (see parallel_fuzzing.txt) -C - crash exploration mode (the peruvian rabbit thing) For additional tips, please consult /usr/local/share/doc/afl/README.
- -i 输入的目录
- -o 输出的目录
- -f 被fuzz的进程,通过标准输入(stdin)读入的数据
- -t 每一次的超时时间
- -m 给子进程分配的内存大小
- -Q 没看懂啥意思。。
- -d 快速模式(跳过确认测试)
- -n 不使用插桩进行fuzz
- -x 设置fuzzer的目录
- -T 要显示在屏幕上的文本
- -M/-S 分布式fuzz
- -C crash探索模式
文档说明
3) Instrumenting programs for use with AFL ------------------------------------------ When source code is available, instrumentation can be injected by a companion tool that works as a drop-in replacement for gcc or clang in any standard build process for third-party code. The instrumentation has a fairly modest performance impact; in conjunction with other optimizations implemented by afl-fuzz, most programs can be fuzzed as fast or even faster than possible with traditional tools. The correct way to recompile the target program may vary depending on the specifics of the build process, but a nearly-universal approach would be: $ CC=/path/to/afl/afl-gcc ./configure $ make clean all For C++ programs, you'd would also want to set CXX=/path/to/afl/afl-g++. The clang wrappers (afl-clang and afl-clang++) can be used in the same way; clang users may also opt to leverage a higher-performance instrumentation mode, as described in llvm_mode/README.llvm. When testing libraries, you need to find or write a simple program that reads data from stdin or from a file and passes it to the tested library. In such a case, it is essential to link this executable against a static version of the instrumented library, or to make sure that the correct .so file is loaded at runtime (usually by setting LD_LIBRARY_PATH). The simplest option is a static build, usually possible via: $ CC=/path/to/afl/afl-gcc ./configure --disable-shared Setting AFL_HARDEN=1 when calling 'make' will cause the CC wrapper to automatically enable code hardening options that make it easier to detect simple memory bugs. Libdislocator, a helper library included with AFL (see libdislocator/README.dislocator) can help uncover heap corruption issues, too. PS. ASAN users are advised to review notes_for_asan.txt file for important caveats. 4) Instrumenting binary-only apps --------------------------------- When source code is *NOT* available, the fuzzer offers experimental support for fast, on-the-fly instrumentation of black-box binaries. This is accomplished with a version of QEMU running in the lesser-known "user space emulation" mode. QEMU is a project separate from AFL, but you can conveniently build the feature by doing: $ cd qemu_mode $ ./build_qemu_support.sh For additional instructions and caveats, see qemu_mode/README.qemu. The mode is approximately 2-5x slower than compile-time instrumentation, is less conductive to parallelization, and may have some other quirks.