def fuzz(input_corpus, output_corpus, target_binary):
"""Run afl-fuzz on target."""
afl_fuzzer.prepare_fuzz_environment(input_corpus)
os.environ['PATH'] += os.pathsep + '/out'
composite_mode = False
input_model = get_format()
os.environ['FORMAT_FUZZER'] = '{fmt}-fuzzer'.format(fmt=input_model)
additional_flags = [
# Enable stacked mutations
'-h',
# Enable structure-aware fuzzing
'-w',
'peach',
# Select input model
'-g',
'{fmt}-fuzzer'.format(fmt=input_model),
]
# Enable composite mode for targets
# taking multiple input formats like bloaty
if composite_mode:
additional_flags.append('-c')
if input_model != '':
afl_fuzzer.run_afl_fuzz(input_corpus, output_corpus, target_binary,
additional_flags)
else:
afl_fuzzer.run_afl_fuzz(input_corpus, output_corpus, target_binary)
def fuzz(input_corpus, output_corpus, target_binary):
"""Run fuzzer."""
# Calculate CmpLog binary path from the instrumented target binary.
target_binary_directory = os.path.dirname(target_binary)
cmplog_target_binary_directory = (
get_cmplog_build_directory(target_binary_directory))
target_binary_name = os.path.basename(target_binary)
cmplog_target_binary = os.path.join(cmplog_target_binary_directory,
target_binary_name)
afl_fuzzer.prepare_fuzz_environment(input_corpus)
# decomment this to enable libdislocator
# os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t
# os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so'
flags = ['-pmmopt'] # modified MOpt scheduling.
flags += ['-s123'] # fixed random seed.
if os.path.exists(cmplog_target_binary):
flags += ['-c', cmplog_target_binary]
if 'ADDITIONAL_ARGS' in os.environ:
flags += os.environ['ADDITIONAL_ARGS'].split(' ')
afl_fuzzer.run_afl_fuzz(input_corpus,
output_corpus,
target_binary,
additional_flags=flags)
def fuzz(input_corpus, output_corpus, target_binary, flags=tuple()):
"""Run fuzzer."""
# Calculate CmpLog binary path from the instrumented target binary.
target_binary_directory = os.path.dirname(target_binary)
cmplog_target_binary_directory = (
get_cmplog_build_directory(target_binary_directory))
target_binary_name = os.path.basename(target_binary)
cmplog_target_binary = os.path.join(cmplog_target_binary_directory,
target_binary_name)
afl_fuzzer.prepare_fuzz_environment(input_corpus)
# decomment this to enable libdislocator
# os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t
# os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so'
flags = list(flags)
if not flags or not flags[0] == '-Q' and '-p' not in flags:
flags += ['-p', 'coe']
if os.path.exists(cmplog_target_binary):
flags += ['-c', cmplog_target_binary]
if os.path.exists('./afl++.dict'):
flags += ['-x', './afl++.dict']
if 'ADDITIONAL_ARGS' in os.environ:
flags += os.environ['ADDITIONAL_ARGS'].split(' ')
afl_fuzzer.run_afl_fuzz(input_corpus,
output_corpus,
target_binary,
additional_flags=flags)
def fuzz(input_corpus, output_corpus, target_binary):
"""Run afl-fuzz on target."""
afl_fuzzer.prepare_fuzz_environment(input_corpus)
os.environ['PATH'] += os.pathsep + '/out/peach-3.0.202/'
input_model = ''
benchmark_name = os.environ['BENCHMARK']
if benchmark_name == 'libpng-1.2.56':
input_model = 'png.xml'
if benchmark_name == 'libpcap_fuzz_both':
input_model = 'pcap.xml'
if benchmark_name == 'libjpeg-turbo-07-2017':
input_model = 'jpeg.xml'
if benchmark_name == 'freetype2-2017':
input_model = 'xtf.xml'
if benchmark_name == 'vorbis-2017-12-11':
input_model = 'ogg.xml'
if input_model != '':
afl_fuzzer.run_afl_fuzz(
input_corpus,
output_corpus,
target_binary,
additional_flags=[
# Enable stacked mutations
'-h',
# Enable structure-aware fuzzing
'-w',
'peach',
# Select input model
'-g',
input_model,
])
else:
afl_fuzzer.run_afl_fuzz(input_corpus, output_corpus, target_binary)
def fuzz(input_corpus, output_corpus, target_binary, flags=tuple()):
"""Run fuzzer."""
# Calculate CmpLog binary path from the instrumented target binary.
target_binary_directory = os.path.dirname(target_binary)
cmplog_target_binary_directory = (
get_cmplog_build_directory(target_binary_directory))
target_binary_name = os.path.basename(target_binary)
cmplog_target_binary = os.path.join(cmplog_target_binary_directory,
target_binary_name)
afl_fuzzer.prepare_fuzz_environment(input_corpus)
# decomment this to enable libdislocator
# os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t
# os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so'
flags = list(flags)
if os.path.exists(cmplog_target_binary):
flags += ['-c', cmplog_target_binary]
if 'ADDITIONAL_ARGS' in os.environ:
flags += os.environ['ADDITIONAL_ARGS'].split(' ')
# needed for LTO mode to run c++ targets
os.environ['LD_LIBRARY_PATH'] = '/out'
afl_fuzzer.run_afl_fuzz(input_corpus,
output_corpus,
target_binary,
additional_flags=flags)
def afl_worker(input_corpus, output_corpus, target_binary):
"""Run AFL worker instance."""
print('[afl_worker] Run AFL worker')
#dictionary_path = utils.get_dictionary_path(target_binary)
#if dictionary_path:
# command += (['-x', dictionary_path])
afl_fuzzer.run_afl_fuzz(input_corpus, output_corpus, target_binary,
['-S', 'afl-worker'], True)
def fuzz(input_corpus, output_corpus, target_binary):
"""Run afl-fuzz on target."""
afl_fuzzer.prepare_fuzz_environment(input_corpus)
afl_fuzzer.run_afl_fuzz(input_corpus,
output_corpus,
target_binary,
additional_flags=['-p'])
def fuzz(input_corpus, output_corpus, target_binary):
"""Run fuzzer."""
afl_fuzzer.prepare_fuzz_environment(input_corpus)
# Write AFL's output to /dev/null to avoid filling up disk by writing too
# much to log file. This is a problem in general with AFLFast but
# particularly with the lcms benchmark.
afl_fuzzer.run_afl_fuzz(input_corpus,
output_corpus,
target_binary,
hide_output=True)
def fuzz(input_corpus,
output_corpus,
target_binary,
flags=tuple(),
skip=False):
"""Run fuzzer."""
# Calculate CmpLog binary path from the instrumented target binary.
target_binary_directory = os.path.dirname(target_binary)
cmplog_target_binary_directory = (
get_cmplog_build_directory(target_binary_directory))
target_binary_name = os.path.basename(target_binary)
cmplog_target_binary = os.path.join(cmplog_target_binary_directory,
target_binary_name)
# Calculate Unusual binary path from the instrumented target binary.
target_binary_directory = os.path.dirname(target_binary)
unusual_target_binary_directory = (
get_unusual_build_directory(target_binary_directory))
target_binary_name = os.path.basename(target_binary)
unusual_target_binary = os.path.join(unusual_target_binary_directory,
target_binary_name)
afl_fuzzer.prepare_fuzz_environment(input_corpus)
# decomment this to enable libdislocator.
# os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t
# os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so'
flags = list(flags)
if os.path.exists('./afl++.dict'):
flags += ['-x', './afl++.dict']
# Move the following to skip for upcoming _double tests:
if os.path.exists(cmplog_target_binary):
flags += ['-c', cmplog_target_binary]
if os.path.exists(unusual_target_binary):
flags += ['-u', unusual_target_binary]
if not skip:
if not flags or not flags[0] == '-Q' and '-p' not in flags:
flags += ['-p', 'fast']
if ((not flags or (not '-l' in flags and not '-R' in flags))
and os.path.exists(cmplog_target_binary)):
flags += ['-l', '2']
os.environ['AFL_DISABLE_TRIM'] = "1"
if 'ADDITIONAL_ARGS' in os.environ:
flags += os.environ['ADDITIONAL_ARGS'].split(' ')
afl_fuzzer.run_afl_fuzz(input_corpus,
output_corpus,
target_binary,
additional_flags=flags)
def fuzz(input_corpus, output_corpus, target_binary):
"""Run fuzzer."""
afl_fuzzer.prepare_fuzz_environment(input_corpus)
afl_fuzzer.run_afl_fuzz(
input_corpus,
output_corpus,
target_binary,
additional_flags=[
# Enable Mopt mutator with pacemaker fuzzing mode at first. This
# is also recommended in a short-time scale evaluation.
'-L',
'0',
])
def fuzz(input_corpus, output_corpus, target_binary):
"""Run fuzzer."""
afl_fuzzer.prepare_fuzz_environment(input_corpus)
afl_fuzzer.run_afl_fuzz(
input_corpus,
output_corpus,
target_binary,
additional_flags=[
# Enable AFLFast's power schedules with default exponential
# schedule.
'-p',
'fast',
# Enable Mopt mutator with pacemaker fuzzing mode at first. This
# is also recommended in a short-time scale evaluation.
'-L',
'0',
])
def fuzz(input_corpus,
output_corpus,
target_binary,
flags=tuple(),
skip=False,
no_cmplog=False): # pylint: disable=too-many-arguments
"""Run fuzzer."""
# Calculate CmpLog binary path from the instrumented target binary.
target_binary_directory = os.path.dirname(target_binary)
cmplog_target_binary_directory = (
get_cmplog_build_directory(target_binary_directory))
target_binary_name = os.path.basename(target_binary)
cmplog_target_binary = os.path.join(cmplog_target_binary_directory,
target_binary_name)
afl_fuzzer.prepare_fuzz_environment(input_corpus)
# decomment this to enable libdislocator.
# os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t
# os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so'
flags = list(flags)
if os.path.exists('./afl++.dict'):
flags += ['-x', './afl++.dict']
# Move the following to skip for upcoming _double tests:
if os.path.exists(cmplog_target_binary) and no_cmplog is not False:
flags += ['-c', cmplog_target_binary]
if not skip:
os.environ['AFL_DISABLE_TRIM'] = "1"
# os.environ['AFL_FAST_CAL'] = '1'
os.environ['AFL_CMPLOG_ONLY_NEW'] = '1'
if 'ADDITIONAL_ARGS' in os.environ:
flags += os.environ['ADDITIONAL_ARGS'].split(' ')
os.environ['AFL_DISABLE_WRS'] = '1'
os.environ['AFL_DISABLE_RF'] = '1'
os.environ['AFL_DISABLE_RP'] = '1'
os.environ['AFL_DISABLE_FAVS'] = '1'
afl_fuzzer.run_afl_fuzz(input_corpus,
output_corpus,
target_binary,
additional_flags=flags)
def fuzz(input_corpus, output_corpus, target_binary):
"""Run afl-fuzz on target."""
afl_fuzzer.prepare_fuzz_environment(input_corpus)
os.environ['PATH'] += os.pathsep + '/out/peach-3.0.202/'
composite_mode = False
input_model = ''
benchmark_name = os.environ['BENCHMARK']
if benchmark_name == 'libpng-1.2.56':
input_model = 'png.xml'
if benchmark_name == 'libpcap_fuzz_both':
input_model = 'pcap.xml'
if benchmark_name == 'libjpeg-turbo-07-2017':
input_model = 'jpeg.xml'
if benchmark_name == 'freetype2-2017':
input_model = 'xtf.xml'
if benchmark_name == 'vorbis-2017-12-11':
input_model = 'ogg.xml'
if benchmark_name == 'bloaty_fuzz_target':
input_model = 'bloaty_composite.xml'
composite_mode = True
additional_flags = [
# Enable stacked mutations
'-h',
# Enable structure-aware fuzzing
'-w',
'peach',
# Select input model
'-g',
input_model,
]
# Enable composite mode for targets
# taking multiple input formats like bloaty
if composite_mode:
additional_flags.append('-c')
if input_model != '':
afl_fuzzer.run_afl_fuzz(input_corpus, output_corpus, target_binary,
additional_flags)
else:
afl_fuzzer.run_afl_fuzz(input_corpus, output_corpus, target_binary)
def run_neuzz(input_corpus,
output_corpus,
target_binary,
additional_flags=None,
hide_output=False):
"""Run neuzz"""
# Spawn the afl fuzzing process for warmup
output_stream = subprocess.DEVNULL if hide_output else None
threading.Timer(20, kill_afl, [output_stream]).start()
afl.run_afl_fuzz(input_corpus, output_corpus, target_binary,
additional_flags, hide_output)
# After warming up, copy the 'queue' to use for neuzz input
print("[run_neuzz] Warmed up!")
command = [
"cp", "-RT", f"{output_corpus}/queue/", f"{input_corpus}_neuzzin/"
]
print('[run_neuzz] Running command: ' + ' '.join(command))
subprocess.check_call(command, stdout=output_stream, stderr=output_stream)
afl_output_dir = os.path.join(output_corpus, 'queue')
neuzz_input_dir = os.path.join(output_corpus, 'neuzz_in')
# Treat afl's queue folder as the input for Neuzz.
os.rename(afl_output_dir, neuzz_input_dir)
# Spinning up the neural network
command = [
"python2", "./nn.py", '--output-folder', afl_output_dir, target_binary
]
print('[run_neuzz] Running command: ' + ' '.join(command))
subprocess.Popen(command, stdout=output_stream, stderr=output_stream)
time.sleep(40)
target_rel_path = os.path.relpath(target_binary, os.getcwd())
# Spinning up neuzz
command = [
"./neuzz", "-m", "none", "-i", neuzz_input_dir, "-o", afl_output_dir,
target_rel_path, "@@"
]
print('[run_neuzz] Running command: ' + ' '.join(command))
neuzz_proc = subprocess.Popen(command,
stdout=output_stream,
stderr=output_stream)
neuzz_proc.wait()
def fuzz(input_corpus, output_corpus, target_binary):
"""Run fuzzer."""
# Calculate CmpLog binary path from the instrumented target binary.
target_binary_directory = os.path.dirname(target_binary)
cmplog_target_binary_directory = (
get_cmplog_build_directory(target_binary_directory))
target_binary_name = os.path.basename(target_binary)
cmplog_target_binary = os.path.join(cmplog_target_binary_directory,
target_binary_name)
afl_fuzzer.prepare_fuzz_environment(input_corpus)
os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so'
flags = ['-d'] # FidgetyAFL is better when running alone.
if os.path.exists(cmplog_target_binary):
flags += ['-c', cmplog_target_binary]
if 'ADDITIONAL_ARGS' in os.environ:
flags += os.environ['ADDITIONAL_ARGS'].split(' ')
afl_fuzzer.run_afl_fuzz(input_corpus,
output_corpus,
target_binary,
additional_flags=flags)
def fuzz(input_corpus, output_corpus, target_binary):
"""Run fuzzer."""
# Calculate CmpLog binary path from the instrumented target binary.
target_binary_directory = os.path.dirname(target_binary)
cmplog_target_binary_directory = (
aflplusplus_fuzzer.get_cmplog_build_directory(target_binary_directory))
target_binary_name = os.path.basename(target_binary)
cmplog_target_binary = os.path.join(cmplog_target_binary_directory,
target_binary_name)
afl_fuzzer.prepare_fuzz_environment(input_corpus)
flags = ['-L0'] # afl++ MOpt activation at once.
flags += ['-prare'] # rare branch scheduling.
flags += ['-s123'] # fixed random seed.
if os.path.exists(cmplog_target_binary):
flags += ['-c', cmplog_target_binary]
if 'ADDITIONAL_ARGS' in os.environ:
flags += os.environ['ADDITIONAL_ARGS'].split(' ')
afl_fuzzer.run_afl_fuzz(input_corpus,
output_corpus,
target_binary,
additional_flags=flags)
def fuzz(input_corpus, output_corpus, target_binary):
"""Run fuzzer."""
# Calculate CmpLog binary path from the instrumented target binary.
target_binary_directory = os.path.dirname(target_binary)
cmplog_target_binary_directory = (
aflplusplus_fuzzer.get_cmplog_build_directory(target_binary_directory))
target_binary_name = os.path.basename(target_binary)
cmplog_target_binary = os.path.join(cmplog_target_binary_directory,
target_binary_name)
afl_fuzzer.prepare_fuzz_environment(input_corpus)
# os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so'
flags = ['-L0'] # afl++ MOpt activation at once
flags += ['-pfast'] # fast scheduling
if os.path.exists(cmplog_target_binary):
flags += ['-c', cmplog_target_binary]
if 'ADDITIONAL_ARGS' in os.environ:
flags += os.environ['ADDITIONAL_ARGS'].split(' ')
afl_fuzzer.run_afl_fuzz(input_corpus,
output_corpus,
target_binary,
additional_flags=flags)
def afl_worker(input_corpus, output_corpus, target_binary):
"""Run AFL worker instance."""
print('[afl_worker] Run AFL worker')
afl_fuzzer.run_afl_fuzz(input_corpus, output_corpus, target_binary,
['-S', 'afl-worker'], True)
def fuzz(input_corpus, output_corpus, target_binary):
"""Run fuzzer."""
afl_fuzzer.prepare_fuzz_environment(input_corpus)
afl_fuzzer.run_afl_fuzz(input_corpus, output_corpus, target_binary)
