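def afl(binary):
    """Fuzz ``binary`` with plain AFL (no concolic assistance) until a crash or the time limit.

    Args:
        binary: file name of the target, resolved under ``config.BINARY_DIR``.

    Returns:
        ``False`` if the fuzzer raises ``InstallError``; ``None`` otherwise. The outcome is
        recorded in the ``binarys`` table (status 4 when a crash was found, 5 on timeout).
    """
    l.info("beginning to fuzz \"%s\"", binary)
    # NOTE(review): ``binary`` is used as a path component without validation; if it can
    # carry separators or "..", it escapes BINARY_DIR — confirm callers only pass bare names.
    binary_path = os.path.join(config.BINARY_DIR, binary)
    seeds = ["111", "fuzz"]
    fzr = Fuzzer(binary_path, config.AFL_WORK_DIR, config.AFL_INSTANCES,
                 time_limit=config.FUZZ_TIMEOUT, qemu=False, seeds=seeds,
                 create_dictionary=False)
    try:
        fzr.start()
        try:
            # clean all stale redis data
            clean_redis(fzr)
            time.sleep(2)
            # poll until AFL reports a crash or the time limit is reached
            while not fzr.found_crash() and not fzr.timed_out():
                time.sleep(5)
            # ``binary`` is bound as a query parameter, never interpolated into the SQL text
            if fzr.timed_out():
                sql = 'update binarys SET status=5 WHERE binary_name = %s'
            else:
                sql = 'update binarys SET status=4 WHERE binary_name = %s'
            db.execute(sql, binary)
        finally:
            # tear the AFL instances down even if the status update raises, so a failed
            # DB write cannot leave fuzzer processes running
            fzr.kill()
    except InstallError:
        return False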
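def fuzz(binary):
    """Fuzz ``binary`` with concolic (drilling) assistance until a crash or the time limit.

    Seeds are taken from ``<PCAP_DIR>/<binary>.pcap`` when that file exists, otherwise from a
    small built-in list. Progress is written to the ``binarys`` table: status 1 while fuzzing,
    2 when drilling is requested, 3 when a crash is found, -1 on timeout. A found crash is
    also published on the redis ``crashes`` channel.

    Args:
        binary: file name of the target, resolved under ``config.BINARY_DIR``.

    Returns:
        ``True`` if at least one crash was collected, ``False`` otherwise (including when the
        fuzzer raises ``InstallError``).
    """
    l.info("beginning to fuzz \"%s\"", binary)
    # NOTE(review): ``binary`` is used as a path component (binary and pcap) without
    # validation; if it can carry separators or "..", it escapes the configured directories —
    # confirm callers only enqueue bare file names.
    binary_path = os.path.join(config.BINARY_DIR, binary)
    seeds = ["fuzzz", "111"]
    # look for a pcap
    pcap_path = os.path.join(config.PCAP_DIR, "%s.pcap" % binary)
    if os.path.isfile(pcap_path):
        l.info("found pcap for binary %s", binary)
        seeds = pcap.process(pcap_path)
    else:
        l.warning(
            "unable to find pcap file, will seed fuzzer with the default")
    # TODO enable dictionary creation, this may require fixing parts of the fuzzer module
    fzr = Fuzzer(binary_path, config.FUZZER_WORK_DIR, config.FUZZER_INSTANCES,
                 time_limit=config.FUZZ_TIMEOUT, qemu=False, seeds=seeds,
                 create_dictionary=False)
    # list of 'concolic request' each is a celery async result object; declared before the
    # try so it exists on every exit path below
    concolic_jobs = []
    try:
        fzr.start()
        try:
            # start a listening for inputs produced by concolic
            start_listener(fzr)
            # clean all stale redis data
            clean_redis(fzr)
            time.sleep(2)
            # poll for a crash, a timeout, or a fuzzer that has run out of favoured paths
            # (``pending_favs`` == 0) and should get concolic assistance
            while not fzr.found_crash() and not fzr.timed_out():
                # all status writes bind ``binary`` as a parameter; nothing is interpolated
                sql = 'update binarys SET status=1 WHERE binary_name = %s'
                db.execute(sql, binary)
                stats = fzr.stats
                if 'fuzzer-1' in stats and 'pending_favs' in stats['fuzzer-1']:
                    # NOTE(review): assumes the stat is an int-parsable string — confirm
                    if int(stats['fuzzer-1']['pending_favs']) <= 0:
                        sql = 'update binarys SET status=2 WHERE binary_name = %s'
                        db.execute(sql, binary)
                        concolic_jobs.extend(request_drilling(fzr))
                time.sleep(config.CRASH_CHECK_INTERVAL)
        finally:
            # make sure to kill the fuzzers when we're done, including on an unexpected
            # exception, so no fuzzer processes are left behind
            fzr.kill()
    except InstallError:
        l.info("fuzzer InstallError")
        return False
    # we found a crash!
    if fzr.found_crash():
        l.info("found crash for \"%s\"", binary)
        l.info("time for found_crash %d", fzr.compute_time())
        sql = 'update binarys SET status=3 WHERE binary_name = %s'
        db.execute(sql, binary)
        # publish the crash
        redis_inst = redis.Redis(host=config.REDIS_HOST, port=config.REDIS_PORT,
                                 db=config.REDIS_DB)
        redis_inst.publish("crashes", binary)
    if fzr.timed_out():
        l.info("timed out while fuzzing \"%s\"", binary)
        sql = 'update binarys SET status=-1 WHERE binary_name = %s'
        db.execute(sql, binary)
    # revoke any concolic jobs which are still working; done for both the crash and the
    # timeout exit so drilling does not keep running on a binary we are finished with
    for job in concolic_jobs:
        if job.status == 'PENDING':
            job.revoke(terminate=True)
    return len(fzr.crashes()) > 0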