zoukankan      html  css  js  c++  java
  • afl入门学习

    一个简单的示例

    安装afl

    1. wget http://lcamtuf.coredump.cx/afl.tgz
    2. tar xfz afl.tgz
    3. cd afl-xxx
    4. sudo make install

    用afl编译程序,以便插桩

    1. ./afl-gcc tst.c -o tst

    进行测试

    1. ./afl-fuzz -i testcase -o output/ ./test @@

      指定一个要跑的test程序和输出的output路径即可。

    查看是否有插桩符号

    1. readelf -s ./7zDec | grep afl

    参数说明

    afl-fuzz 2.34b by <lcamtuf@google.com>
    
    afl-fuzz [ options ] -- /path/to/fuzzed_app [ ... ]
    
    Required parameters:
    
      -i dir        - input directory with test cases
      -o dir        - output directory for fuzzer findings
    
    Execution control settings:
    
      -f file       - location read by the fuzzed program (stdin)
      -t msec       - timeout for each run (auto-scaled, 50-1000 ms)
      -m megs       - memory limit for child process (25 MB)
      -Q            - use binary-only instrumentation (QEMU mode)
    
    Fuzzing behavior settings:
    
      -d            - quick & dirty mode (skips deterministic steps)
      -n            - fuzz without instrumentation (dumb mode)
      -x dir        - optional fuzzer dictionary (see README)
    
    Other stuff:
    
      -T text       - text banner -to show on the screen
      -M / -S id    - distributed mode (see parallel_fuzzing.txt)
      -C            - crash exploration mode (the peruvian rabbit thing)
    
    For additional tips, please consult /usr/local/share/doc/afl/README.
    • -i    输入的目录
    • -o   输出的目录
    • -f    被fuzz的进程,通过标准输入(stdin)读入的数据
    • -t    每一次的超时时间
    • -m  给子进程分配的内存大小
    • -Q   没看懂啥意思。。
    • -d    快速模式(跳过确认测试)
    • -n    不使用插桩进行fuzz
    • -x    设置fuzzer的目录
    • -T    要显示在屏幕上的文本
    • -M/-S  分布式fuzz
    • -C    crash探索模式

    文档说明

    3) Instrumenting programs for use with AFL
    ------------------------------------------
    
    When source code is available, instrumentation can be injected by a companion
    tool that works as a drop-in replacement for gcc or clang in any standard build
    process for third-party code.
    
    The instrumentation has a fairly modest performance impact; in conjunction with
    other optimizations implemented by afl-fuzz, most programs can be fuzzed as fast
    or even faster than possible with traditional tools.
    
    The correct way to recompile the target program may vary depending on the
    specifics of the build process, but a nearly-universal approach would be:
    
    $ CC=/path/to/afl/afl-gcc ./configure
    $ make clean all
    
    For C++ programs, you'd would also want to set CXX=/path/to/afl/afl-g++.
    
    The clang wrappers (afl-clang and afl-clang++) can be used in the same way;
    clang users may also opt to leverage a higher-performance instrumentation mode,
    as described in llvm_mode/README.llvm.
    
    When testing libraries, you need to find or write a simple program that reads
    data from stdin or from a file and passes it to the tested library. In such a
    case, it is essential to link this executable against a static version of the
    instrumented library, or to make sure that the correct .so file is loaded at
    runtime (usually by setting LD_LIBRARY_PATH). The simplest option is a static
    build, usually possible via:
    
    $ CC=/path/to/afl/afl-gcc ./configure --disable-shared
    
    Setting AFL_HARDEN=1 when calling 'make' will cause the CC wrapper to
    automatically enable code hardening options that make it easier to detect
    simple memory bugs. Libdislocator, a helper library included with AFL (see
    libdislocator/README.dislocator) can help uncover heap corruption issues, too.
    
    PS. ASAN users are advised to review notes_for_asan.txt file for important
    caveats.
    
    4) Instrumenting binary-only apps
    ---------------------------------
    
    When source code is *NOT* available, the fuzzer offers experimental support for
    fast, on-the-fly instrumentation of black-box binaries. This is accomplished
    with a version of QEMU running in the lesser-known "user space emulation" mode.
    
    QEMU is a project separate from AFL, but you can conveniently build the
    feature by doing:
    
    $ cd qemu_mode
    $ ./build_qemu_support.sh
    
    For additional instructions and caveats, see qemu_mode/README.qemu.
    
    The mode is approximately 2-5x slower than compile-time instrumentation, is
    less conductive to parallelization, and may have some other quirks.
  • 相关阅读:
    DS博客作业03--树
    DS博客作业02--栈和队列
    DS博客作业02--线性表
    c博客06-结构体&文件
    c博客作业-指针
    C语言博客作业04--数组
    C语言博客作业03--函数
    图书馆
    5-互评-OO之接口-DAO模式代码阅读及应用.xls
    DS博客作业04--图
  • 原文地址:https://www.cnblogs.com/Ox9A82/p/5877526.html
Copyright © 2011-2022 走看看