Ejemplo n.º 1
0
def main():

    KAFL_ROOT = os.path.dirname(os.path.realpath(__file__)) + "/"
    KAFL_CONFIG = KAFL_ROOT + "kafl.ini"

    print("<< " + common.color.BOLD + common.color.OKGREEN +
          " kAFL Coverage Analyzer " + common.color.ENDC + ">>\n")

    if not self_check(KAFL_ROOT):
        return -1

    config = DebugConfiguration(KAFL_CONFIG)
    if not post_self_check(config):
        return -1

    verbose = config.argument_values['v']
    if verbose:
        enable_logging(config.argument_values["work_dir"])

    data_dir = config.argument_values["input"]

    print(" Scanning target data_dir »%s«..." % data_dir)
    input_list = get_inputs_by_time(data_dir)
    trace_dir = generate_traces(config, input_list)

    if not trace_dir:
        return -1

    plot_bbs_from_traces(trace_dir, input_list)
Ejemplo n.º 2
0
Archivo: core.py Proyecto: vient/kAFL 
def start(config):

    if not post_self_check(config):
        return -1

    if config.argument_values['v']:
        enable_logging(config.argument_values["work_dir"])

    log_info("Dumping target addresses...")

    # TODO: use proper temp file or store to $work_dir
    if os.path.exists("/tmp/kAFL_info.txt"):
        os.remove("/tmp/kAFL_info.txt")

    q = qemu(0, config)
    q.start()
    q.shutdown()

    try:
        with open("/tmp/kAFL_info.txt", 'r') as f:
            print(f.read())
        os.remove("/tmp/kAFL_info.txt")
    except:
        pass

    return 0
Ejemplo n.º 3
0
def start():
    config = InfoConfiguration()

    if not post_self_check(config):
        return -1

    config.argument_values["work_dir"] = DEFAULT_INFO_WORKDIR

    if config.argument_values['v']:
        enable_logging(config.argument_values["work_dir"])

    prepare_working_dir(config.argument_values['work_dir'])

    log_info("Dumping target addresses...")
    if os.path.exists("/tmp/kAFL_info.txt"):
        os.remove("/tmp/kAFL_info.txt")
    q = qemu(0, config)
    q.start()
    q.__del__()
    try:
        for line in open("/tmp/kAFL_info.txt"):
            print line,
        os.remove("/tmp/kAFL_info.txt")
    except:
        pass

    shutil.rmtree(DEFAULT_INFO_WORKDIR)
    return 0
Ejemplo n.º 4
0
def main():
    global null_hash

    KAFL_ROOT = os.path.dirname(os.path.realpath(__file__)) + "/"
    KAFL_CONFIG = KAFL_ROOT + "kafl.ini"

    print("<< " + common.color.BOLD + common.color.OKGREEN +
          " kAFL Coverage Analyzer " + common.color.ENDC + ">>\n")

    if not self_check(KAFL_ROOT):
        return -1

    config = DebugConfiguration(KAFL_CONFIG)
    if not post_self_check(config):
        return -1

    verbose = config.argument_values['v']
    if verbose:
        enable_logging(config.argument_values["work_dir"])

    data_dir = config.argument_values["input"]

    null_hash = ExecutionResult.get_null_hash(
        config.config_values['BITMAP_SHM_SIZE'])

    print(" Scanning target data_dir »%s«..." % data_dir)
    input_list = get_inputs_by_time(data_dir)
    trace_dir = generate_traces(config, input_list)

    if not trace_dir:
        return -1

    trace_parser = TraceParser(trace_dir)
    trace_parser.parse_trace_list(input_list)
    trace_parser.gen_reports()
Ejemplo n.º 5
0
def start(config):

    if not post_self_check(config):
        return -1
    
    work_dir   = config.argument_values["work_dir"]
    
    if config.argument_values['v'] or config.argument_values['debug']:
        enable_logging(work_dir)

    if not prepare_working_dir(config):
        print_fail("Refuse to operate on existing work directory. Use --purge to override.")
        return 1

    # Load an interface json file.
    interface_manager.load(config.argument_values['interface'])

    # Start IRPT!
    qemu_sweep()
    proc = Process(config)
    
    try:
        proc.loop()
    except KeyboardInterrupt:
        print_note("Received Ctrl-C")
    finally:
        proc.database.save()
        proc.shutdown()

    os._exit(0)
Ejemplo n.º 6
0
Archivo: core.py Proyecto: vient/kAFL 
def start(config):

    prepare_working_dir(config)

    if not post_self_check(config):
        return -1

    # kAFL debug output is redirected to logs as part of -v mode. stdout will only print test/debug results.
    if config.argument_values['v']:
        enable_logging(config.argument_values["work_dir"])

    # Without -ip0, Qemu will not active PT tracing and Redqueen will not
    # attempt to handle debug traps. This is a requirement for modes like gdb.
    if not config.argument_values['ip0']:
        print_warning("No trace region configured! Intel PT disabled!")

    max_execs = config.argument_values['n']

    try:
        # TODO: noise, benchmark, trace are working, others untested
        mode = config.argument_values['action']
        if (mode == "noise"):
            debug_non_det(config, max_execs)
        elif (mode == "benchmark"):
            benchmark(config)
        elif (mode == "gdb"):
            gdb_session(config, qemu_verbose=True)
        elif (mode == "single"):
            execute_once(config, max_execs)
        elif (mode == "trace"):
            debug_execution(config, max_execs)
        elif (mode == "trace-qemu"):
            debug_execution(config, max_execs, qemu_verbose=True)
        elif (mode == "printk"):
            debug_execution(config, 1, qemu_verbose=True, notifiers=False)
        elif (mode == "redqueen"):
            redqueen_dbg(config, qemu_verbose=False)
        elif (mode == "redqueen-qemu"):
            redqueen_dbg(config, qemu_verbose=True)
        elif (mode == "verify"):
            verify_dbg(config, qemu_verbose=True)
        else:
            print("Unknown debug mode. Exit")
    except Exception as e:
        raise
    finally:
        # cleanup
        #os.system("stty sane")
        for i in range(512):
            if os.path.exists("/tmp/kAFL_printf.txt." + str(i)):
                os.remove("/tmp/kAFL_printf.txt." + str(i))
            else:
                break

        print(
            "\nDone. Check logs for details.\nAny remaining qemu instances should be GC'ed on exit:"
        )
        os.system("pgrep qemu-system")
    return 0
Ejemplo n.º 7
0
def start():
    config = FuzzerConfiguration()

    if not post_self_check(config):
        return -1

    if config.argument_values['v']:
        enable_logging(config.argument_values["work_dir"])

    num_processes = config.argument_values['p']

    if not config.argument_values['Purge']:
        if ask_for_permission("PURGE", " to wipe old workspace:"):
            print_warning("Wiping old workspace...")
            time.sleep(2)
        else:
            print_fail("Aborting...")
            return 0

    prepare_working_dir(config.argument_values['work_dir'])

    if not copy_seed_files(config.argument_values['work_dir'],
                           config.argument_values['seed_dir']):
        print_fail("Seed directory is empty...")
        return 1

    master = MasterProcess(config)

    slaves = []
    for i in range(num_processes):
        print
        "fuzzing process {}".format(i)
        slaves.append(
            multiprocessing.Process(name='SLAVE' + str(i),
                                    target=slave_loader,
                                    args=(i, )))
        slaves[i].start()

    try:
        master.loop()
    except KeyboardInterrupt:
        pass

    signal.signal(signal.SIGINT, signal.SIG_IGN)

    counter = 0
    # print_pre_exit_msg(counter, clrscr=True)
    for slave in slaves:
        while True:
            counter += 1
            # print_pre_exit_msg(counter)
            slave.join(timeout=0.25)
            if not slave.is_alive():
                break
    # print_exit_msg()
    return 0
Ejemplo n.º 8
0
def start(config):

    if not post_self_check(config):
        return -1

    work_dir = config.argument_values["work_dir"]
    seed_dir = config.argument_values["seed_dir"]
    num_slaves = config.argument_values['p']

    if config.argument_values['v']:
        enable_logging(work_dir)

    if not prepare_working_dir(config):
        print_fail(
            "Refuse to operate on existing work directory. Use --purge to override."
        )
        return 1

    if seed_dir and not copy_seed_files(work_dir, seed_dir):
        print_fail("Error when importing seeds. Exit.")
        return 1

    # Without -ip0, Qemu will not active PT tracing and we turn into a blind fuzzer
    if not config.argument_values['ip0']:
        print_warning("No trace region configured! PT feedback disabled!")

    master = MasterProcess(config)

    slaves = []
    for i in range(num_slaves):
        slaves.append(
            multiprocessing.Process(name="Slave " + str(i),
                                    target=slave_loader,
                                    args=(i, )))
        slaves[i].start()

    try:
        master.loop()
    except KeyboardInterrupt:
        print_note("Received Ctrl-C, killing slaves...")
    except:
        print_fail("Exception in Master. Exiting..")
        print(traceback.format_exc())
    finally:
        graceful_exit(slaves)

    time.sleep(0.2)
    qemu_sweep()
    sys.exit(0)
Ejemplo n.º 9
0
Archivo: core.py Proyecto: kirasys/kAFL 
def start(config):

    if not post_self_check(config):
        return -1
    
    work_dir   = config.argument_values["work_dir"]
    seed_dir   = config.argument_values["seed_dir"]
    num_slaves = config.argument_values['p']

    if config.argument_values['v'] or config.argument_values['debug']:
        enable_logging(work_dir)

    if not prepare_working_dir(config):
        print_fail("Refuse to operate on existing work directory. Use --purge to override.")
        return 1

    if seed_dir and not copy_seed_files(work_dir, seed_dir):
        print_fail("Error when importing seeds. Exit.")
        return 1
        
    if config.argument_values['wdm']:
        interface_manager.load(config.argument_values['wdm'])

    master = MasterProcess(config)

    slaves = []
    for i in range(num_slaves):
        slaves.append(multiprocessing.Process(name="Slave " + str(i), target=slave_loader, args=(i,)))
        slaves[i].start()

    try:
        master.loop()
    except KeyboardInterrupt:
        print_note("Received Ctrl-C, killing slaves...")
    except SystemExit as e:
        print_fail("Master exit: " + str(e))
    finally:
        graceful_exit(slaves)

    time.sleep(0.2)
    qemu_sweep()
    sys.exit(0)
Ejemplo n.º 10
0
def start():
    config = DebugConfiguration()

    prepare_working_dir(config.argument_values['work_dir'])

    if not post_self_check(config):
        return -1

    if config.argument_values['v']:
        enable_logging(config.argument_values["work_dir"])

    if not config.argument_values['ip0']:
        print(common.color.WARNING + "[WARNING]\tNo trace region configured!" +
              common.color.ENDC)

    if (config.argument_values['debug_mode'] == "noise"):
        debug_non_det(config,
                      open(config.argument_values["payload"][0]).read())
    if (config.argument_values['debug_mode'] == "noise-multiple"):
        q = qemu(1337, config, debug_mode=False)
        q.start(verbose=False)
        for e in config.argument_values["payload"]:
            print("FILE: " + e)
            debug_non_det(config, open(e).read(), max_iterations=20, q=q)
    elif (config.argument_values['debug_mode'] == "benchmark"):
        benchmark(config)
    elif (config.argument_values['debug_mode'] == "trace"):
        debug_execution(config, config.argument_values['i'])
    elif (config.argument_values['debug_mode'] == "trace-qemu"):
        debug_execution(config, config.argument_values['i'], qemu_verbose=True)
    elif (config.argument_values['debug_mode'] == "printk"):
        debug_execution(config, 1, qemu_verbose=True, notifiers=False)
    elif (config.argument_values['debug_mode'] == "redqueen"):
        redqueen_dbg(config, qemu_verbose=False)
    elif (config.argument_values['debug_mode'] == "redqueen-qemu"):
        redqueen_dbg(config, qemu_verbose=True)
    elif (config.argument_values['debug_mode'] == "cov"):
        redqueen_cov(config, qemu_verbose=True)
    elif (config.argument_values['debug_mode'] == "verify"):
        verify_dbg(config, qemu_verbose=True)
    return 0
Ejemplo n.º 11
0
def start():
    config = InfoConfiguration()

    if not post_self_check(config):
        return -1

    if config.argument_values['v']:
        enable_logging()

    log_info("Dumping target addresses...")
    if os.path.exists("/tmp/kAFL_info.txt"):
        os.remove("/tmp/kAFL_info.txt")
    q = qemu(0, config)
    q.start()
    q.__del__()
    try:
        for line in open("/tmp/kAFL_info.txt"):
            print line,
        os.remove("/tmp/kAFL_info.txt")
    except:
        pass
    return 0
Ejemplo n.º 12
0
def start():
    config = FuzzerConfiguration()

    if not post_self_check(config):
        return -1

    if config.argument_values['v']:
        enable_logging()

    num_processes = config.argument_values['p']

    if config.argument_values['Purge'] and check_if_old_state_exits(
            config.argument_values['work_dir']):
        print_warning("Old workspace found!")
        if ask_for_permission("PURGE", " to wipe old workspace:"):
            print_warning("Wiping old workspace...")
            prepare_working_dir(config.argument_values['work_dir'], purge=True)
            time.sleep(2)
        else:
            print_fail("Aborting...")
            return 0

    if not check_if_old_state_exits(config.argument_values['work_dir']):
        if not prepare_working_dir(config.argument_values['work_dir'],
                                   purge=True):
            print_fail("Working directory is weired or corrupted...")
            return 1
        if not copy_seed_files(config.argument_values['work_dir'],
                               config.argument_values['seed_dir']):
            print_fail("Seed directory is empty...")
            return 1
        config.save_data()
    else:
        log_core("Old state exist -> loading...")
        config.load_data()

    comm = Communicator(num_processes=num_processes,
                        tasks_per_requests=config.argument_values['t'],
                        bitmap_size=config.config_values["BITMAP_SHM_SIZE"])
    comm.create_shm()

    qlookup = QemuLookupSet()

    master = MasterProcess(comm)

    update_process = multiprocessing.Process(name='UPDATE',
                                             target=update_loader,
                                             args=(comm, ))
    mapserver_process = multiprocessing.Process(name='MAPSERVER',
                                                target=mapserver_loader,
                                                args=(comm, ))

    slaves = []
    for i in range(num_processes):
        slaves.append(
            multiprocessing.Process(name='SLAVE' + str(i),
                                    target=slave_loader,
                                    args=(comm, i)))
        slaves[i].start()

    update_process.start()
    mapserver_process.start()

    try:
        master.loop()
    except KeyboardInterrupt:
        master.save_data()
        log_core("Date saved!")

    signal.signal(signal.SIGINT, signal.SIG_IGN)

    counter = 0
    print_pre_exit_msg(counter, clrscr=True)
    for slave in slaves:
        while True:
            counter += 1
            print_pre_exit_msg(counter)
            slave.join(timeout=0.25)
            if not slave.is_alive():
                break
    print_exit_msg()
    return 0
Ejemplo n.º 13
0
    print "crash %d, timeout %d, kasan %d" % (q.crashed, q.timeout, q.kasan)
    print
    sys.stdout.flush()
    time.sleep(0.2)


def testFile(fn):
    print fn
    dat = file(fn, 'rb').read()
    return test(dat)


# -----------

config = FuzzerConfiguration()
enable_logging()

start = time.time()
q = qemu(0, config)
q.start()
timediff("start qemu", start)

testFile('tests/ok')
testFile('tests/ok')
testFile('tests/panic')
q.soft_reload()
testFile('tests/ok')
testFile('tests/exit')
q.soft_reload()
testFile('tests/timeout')
q.soft_reload()