def fuzz(input_corpus, output_corpus, target_binary): """ Launches a master and a secondary instance of AFL, as well as the symcc helper. """ target_binary_dir = os.path.dirname(target_binary) symcc_workdir = get_symcc_build_dir(target_binary_dir) target_binary_name = os.path.basename(target_binary) symcc_target_binary = os.path.join(symcc_workdir, target_binary_name) os.environ['AFL_DISABLE_TRIM'] = "1" # Start a master and secondary instance of AFL. # We need both because of the way SymCC works. print('[run_fuzzer] Running AFL for SymCC') afl_fuzzer.prepare_fuzz_environment(input_corpus) launch_afl_thread(input_corpus, output_corpus, target_binary, ["-S", "afl-secondary"]) time.sleep(5) # Start an instance of SymCC. # We need to ensure it uses the symbolic version of libc++. symqemu_target = os.path.join(symcc_workdir, "symqemu-x86_64") if os.path.isfile(symqemu_target): print("Found symqemu target") else: print("Did not find symqemu target") print("Starting the SymCC helper") new_environ = os.environ.copy() new_environ['LD_LIBRARY_PATH'] = symcc_workdir cmd = [ os.path.join(symcc_workdir, "symcc_fuzzing_helper"), "-o", output_corpus, "-a", "afl-secondary", "-n", "symqemu", "-m", "--", symqemu_target, symcc_target_binary, "@@" ] print("Running command: %s" % (" ".join(cmd))) subprocess.Popen(cmd, env=new_environ)
def fuzz(input_corpus, output_corpus, target_binary): """Run fuzzer.""" # Calculate CmpLog binary path from the instrumented target binary. target_binary_directory = os.path.dirname(target_binary) cmplog_target_binary_directory = ( get_cmplog_build_directory(target_binary_directory)) target_binary_name = os.path.basename(target_binary) cmplog_target_binary = os.path.join(cmplog_target_binary_directory, target_binary_name) afl_fuzzer.prepare_fuzz_environment(input_corpus) os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so' flags = ['-d'] # FidgetyAFL is better when running alone. if os.path.exists(cmplog_target_binary): flags += ['-c', cmplog_target_binary] if 'ADDITIONAL_ARGS' in os.environ: flags += os.environ['ADDITIONAL_ARGS'].split(' ') afl_fuzzer.run_afl_fuzz(input_corpus, output_corpus, target_binary, additional_flags=flags)
def fuzz(input_corpus, output_corpus, target_binary, master_only=False): """ Launches a master and a secondary instance of AFL, as well as the symcc helper. """ target_binary_dir = os.path.dirname(target_binary) symcc_workdir = get_symcc_build_dir(target_binary_dir) target_binary_name = os.path.basename(target_binary) symcc_target_binary = os.path.join(symcc_workdir, target_binary_name) # Start a master and secondary instance of AFL. # We need both because of the way SymCC works. print('[run_fuzzer] Running AFL for SymCC') afl_fuzzer.prepare_fuzz_environment(input_corpus) launch_afl_thread(input_corpus, output_corpus, target_binary, ["-M", "afl-master"]) time.sleep(5) if master_only: sharing_dir = "afl-master" else: launch_afl_thread(input_corpus, output_corpus, target_binary, ["-S", "afl-secondary"]) time.sleep(5) sharing_dir = "afl-secondary" # Start an instance of SymCC. # We need to ensure it uses the symbolic version of libc++. print("Starting the SymCC helper") new_environ = os.environ.copy() new_environ['LD_LIBRARY_PATH'] = symcc_workdir cmd = [ os.path.join(symcc_workdir, "symcc_fuzzing_helper"), "-o", output_corpus, "-a", sharing_dir, "-n", "symcc", "--", symcc_target_binary, "@@" ] subprocess.Popen(cmd, env=new_environ)
def fuzz(input_corpus, output_corpus, target_binary, flags=tuple(), skip=False): """Run fuzzer.""" # Calculate CmpLog binary path from the instrumented target binary. target_binary_directory = os.path.dirname(target_binary) cmplog_target_binary_directory = ( get_cmplog_build_directory(target_binary_directory)) target_binary_name = os.path.basename(target_binary) cmplog_target_binary = os.path.join(cmplog_target_binary_directory, target_binary_name) afl_fuzzer.prepare_fuzz_environment(input_corpus) # decomment this to enable libdislocator. # os.environ['AFL_ALIGNED_ALLOC'] = '1' # align malloc to max_align_t # os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so' flags = list(flags) if os.path.exists('./afl++.dict'): flags += ['-x', './afl++.dict'] # Move the following to skip for upcoming _double tests: if os.path.exists(cmplog_target_binary): flags += ['-c', cmplog_target_binary] if not skip: if not flags or not flags[0] == '-Q' and '-p' not in flags: flags += ['-p', 'fast'] if ((not flags or (not '-l' in flags and not '-R' in flags)) and os.path.exists(cmplog_target_binary)): flags += ['-l', '2'] os.environ['AFL_DISABLE_TRIM'] = "1" if 'ADDITIONAL_ARGS' in os.environ: flags += os.environ['ADDITIONAL_ARGS'].split(' ') afl_fuzzer.run_afl_fuzz(input_corpus, output_corpus, target_binary, additional_flags=flags)
def fuzz(input_corpus, output_corpus, target_binary): """Run fuzzer.""" # Calculate CmpLog binary path from the instrumented target binary. target_binary_directory = os.path.dirname(target_binary) cmplog_target_binary_directory = ( aflplusplus_fuzzer.get_cmplog_build_directory(target_binary_directory)) target_binary_name = os.path.basename(target_binary) cmplog_target_binary = os.path.join(cmplog_target_binary_directory, target_binary_name) afl_fuzzer.prepare_fuzz_environment(input_corpus) flags = ['-L0'] # afl++ MOpt activation at once. flags += ['-prare'] # rare branch scheduling. flags += ['-s123'] # fixed random seed. if os.path.exists(cmplog_target_binary): flags += ['-c', cmplog_target_binary] if 'ADDITIONAL_ARGS' in os.environ: flags += os.environ['ADDITIONAL_ARGS'].split(' ') afl_fuzzer.run_afl_fuzz(input_corpus, output_corpus, target_binary, additional_flags=flags)
def fuzz(input_corpus, output_corpus, target_binary): """Run fuzzer.""" # Calculate CmpLog binary path from the instrumented target binary. target_binary_directory = os.path.dirname(target_binary) cmplog_target_binary_directory = ( aflplusplus_fuzzer.get_cmplog_build_directory(target_binary_directory)) target_binary_name = os.path.basename(target_binary) cmplog_target_binary = os.path.join(cmplog_target_binary_directory, target_binary_name) afl_fuzzer.prepare_fuzz_environment(input_corpus) # os.environ['AFL_PRELOAD'] = '/afl/libdislocator.so' flags = ['-L0'] # afl++ MOpt activation at once flags += ['-pfast'] # fast scheduling if os.path.exists(cmplog_target_binary): flags += ['-c', cmplog_target_binary] if 'ADDITIONAL_ARGS' in os.environ: flags += os.environ['ADDITIONAL_ARGS'].split(' ') afl_fuzzer.run_afl_fuzz(input_corpus, output_corpus, target_binary, additional_flags=flags)
def fuzz(input_corpus, output_corpus, target_binary): """Run fuzzer.""" afl_fuzzer.prepare_fuzz_environment(input_corpus) afl_fuzzer.fuzz(input_corpus, output_corpus, target_binary)
def fuzz(input_corpus, output_corpus, target_binary): """Run afl-fuzz on target.""" afl.prepare_fuzz_environment(input_corpus) run_neuzz(input_corpus, output_corpus, target_binary)