def fuzz(input_corpus, output_corpus, target_binary):
"""
Launches a master and a secondary instance of AFL, as well as
the symcc helper.
"""
target_binary_dir = os.path.dirname(target_binary)
symcc_workdir = get_symcc_build_dir(target_binary_dir)
target_binary_name = os.path.basename(target_binary)
symcc_target_binary = os.path.join(symcc_workdir, target_binary_name)
os.environ['AFL_DISABLE_TRIM'] = "1"
# Start a master and secondary instance of AFL.
# We need both because of the way SymCC works.
print('[run_fuzzer] Running AFL for SymCC')
afl_fuzzer.prepare_fuzz_environment(input_corpus)
launch_afl_thread(input_corpus, output_corpus, target_binary,
["-S", "afl-secondary"])
time.sleep(5)
# Start an instance of SymCC.
# We need to ensure it uses the symbolic version of libc++.
symqemu_target = os.path.join(symcc_workdir, "symqemu-x86_64")
if os.path.isfile(symqemu_target):
print("Found symqemu target")
else:
print("Did not find symqemu target")
print("Starting the SymCC helper")
new_environ = os.environ.copy()
new_environ['LD_LIBRARY_PATH'] = symcc_workdir
cmd = [
os.path.join(symcc_workdir, "symcc_fuzzing_helper"), "-o",
output_corpus, "-a", "afl-secondary", "-n", "symqemu", "-m", "--",
symqemu_target, symcc_target_binary, "@@"
]
print("Running command: %s" % (" ".join(cmd)))
subprocess.Popen(cmd, env=new_environ)
def fuzz(input_corpus, output_corpus, target_binary):
"""Run fuzzer."""
# Calculate CmpLog binary path from the instrumented target binary.
target_binary_directory = os.path.dirname(target_binary)
cmplog_target_binary_directory = (
get_cmplog_build_directory(target_binary_directory))
target_binary_name = os.path.basename(target_binary)
cmplog_target_binary = os.path.join(cmplog_target_binary_directory,
target_binary_name)
afl_fuzzer.prepare_fuzz_environment(input_corpus)
os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so'
flags = ['-d'] # FidgetyAFL is better when running alone.
if os.path.exists(cmplog_target_binary):
flags += ['-c', cmplog_target_binary]
if 'ADDITIONAL_ARGS' in os.environ:
flags += os.environ['ADDITIONAL_ARGS'].split(' ')
afl_fuzzer.run_afl_fuzz(input_corpus,
output_corpus,
target_binary,
additional_flags=flags)
def fuzz(input_corpus, output_corpus, target_binary, master_only=False):
"""
Launches a master and a secondary instance of AFL, as well as
the symcc helper.
"""
target_binary_dir = os.path.dirname(target_binary)
symcc_workdir = get_symcc_build_dir(target_binary_dir)
target_binary_name = os.path.basename(target_binary)
symcc_target_binary = os.path.join(symcc_workdir, target_binary_name)
# Start a master and secondary instance of AFL.
# We need both because of the way SymCC works.
print('[run_fuzzer] Running AFL for SymCC')
afl_fuzzer.prepare_fuzz_environment(input_corpus)
launch_afl_thread(input_corpus, output_corpus, target_binary,
["-M", "afl-master"])
time.sleep(5)
if master_only:
sharing_dir = "afl-master"
else:
launch_afl_thread(input_corpus, output_corpus, target_binary,
["-S", "afl-secondary"])
time.sleep(5)
sharing_dir = "afl-secondary"
# Start an instance of SymCC.
# We need to ensure it uses the symbolic version of libc++.
print("Starting the SymCC helper")
new_environ = os.environ.copy()
new_environ['LD_LIBRARY_PATH'] = symcc_workdir
cmd = [
os.path.join(symcc_workdir,
"symcc_fuzzing_helper"), "-o", output_corpus, "-a",
sharing_dir, "-n", "symcc", "--", symcc_target_binary, "@@"
]
subprocess.Popen(cmd, env=new_environ)
def fuzz(input_corpus, output_corpus, target_binary, flags=tuple(), skip=False):
"""Run fuzzer."""
# Calculate CmpLog binary path from the instrumented target binary.
target_binary_directory = os.path.dirname(target_binary)
cmplog_target_binary_directory = (
get_cmplog_build_directory(target_binary_directory))
target_binary_name = os.path.basename(target_binary)
cmplog_target_binary = os.path.join(cmplog_target_binary_directory,
target_binary_name)
afl_fuzzer.prepare_fuzz_environment(input_corpus)
# decomment this to enable libdislocator.
# os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t
# os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so'
flags = list(flags)
if os.path.exists('./afl++.dict'):
flags += ['-x', './afl++.dict']
# Move the following to skip for upcoming _double tests:
if os.path.exists(cmplog_target_binary):
flags += ['-c', cmplog_target_binary]
if not skip:
if not flags or not flags[0] == '-Q' and '-p' not in flags:
flags += ['-p', 'fast']
if ((not flags or (not '-l' in flags and not '-R' in flags)) and
os.path.exists(cmplog_target_binary)):
flags += ['-l', '2']
os.environ['AFL_DISABLE_TRIM'] = "1"
if 'ADDITIONAL_ARGS' in os.environ:
flags += os.environ['ADDITIONAL_ARGS'].split(' ')
afl_fuzzer.run_afl_fuzz(input_corpus,
output_corpus,
target_binary,
additional_flags=flags)
def fuzz(input_corpus, output_corpus, target_binary):
"""Run fuzzer."""
# Calculate CmpLog binary path from the instrumented target binary.
target_binary_directory = os.path.dirname(target_binary)
cmplog_target_binary_directory = (
aflplusplus_fuzzer.get_cmplog_build_directory(target_binary_directory))
target_binary_name = os.path.basename(target_binary)
cmplog_target_binary = os.path.join(cmplog_target_binary_directory,
target_binary_name)
afl_fuzzer.prepare_fuzz_environment(input_corpus)
flags = ['-L0'] # afl++ MOpt activation at once.
flags += ['-prare'] # rare branch scheduling.
flags += ['-s123'] # fixed random seed.
if os.path.exists(cmplog_target_binary):
flags += ['-c', cmplog_target_binary]
if 'ADDITIONAL_ARGS' in os.environ:
flags += os.environ['ADDITIONAL_ARGS'].split(' ')
afl_fuzzer.run_afl_fuzz(input_corpus,
output_corpus,
target_binary,
additional_flags=flags)
def fuzz(input_corpus, output_corpus, target_binary):
"""Run fuzzer."""
# Calculate CmpLog binary path from the instrumented target binary.
target_binary_directory = os.path.dirname(target_binary)
cmplog_target_binary_directory = (
aflplusplus_fuzzer.get_cmplog_build_directory(target_binary_directory))
target_binary_name = os.path.basename(target_binary)
cmplog_target_binary = os.path.join(cmplog_target_binary_directory,
target_binary_name)
afl_fuzzer.prepare_fuzz_environment(input_corpus)
# os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so'
flags = ['-L0'] # afl++ MOpt activation at once
flags += ['-pfast'] # fast scheduling
if os.path.exists(cmplog_target_binary):
flags += ['-c', cmplog_target_binary]
if 'ADDITIONAL_ARGS' in os.environ:
flags += os.environ['ADDITIONAL_ARGS'].split(' ')
afl_fuzzer.run_afl_fuzz(input_corpus,
output_corpus,
target_binary,
additional_flags=flags)
def fuzz(input_corpus, output_corpus, target_binary):
"""Run fuzzer."""
afl_fuzzer.prepare_fuzz_environment(input_corpus)
afl_fuzzer.fuzz(input_corpus, output_corpus, target_binary)
def fuzz(input_corpus, output_corpus, target_binary):
"""Run afl-fuzz on target."""
afl.prepare_fuzz_environment(input_corpus)
run_neuzz(input_corpus, output_corpus, target_binary)
