Silas

AFL Quick Start

AFL (American Fuzzy Lop) instruments the target at compile time and automatically generates test cases that exercise new execution paths in the resulting binary.

Compared with other instrumentation-based fuzzers, afl-fuzz has low performance overhead, a variety of effective fuzzing strategies and overhead-minimizing techniques, and needs little up-front configuration, so it handles complex real-world programs with ease.

AFL can also fuzz binaries for which no source code is available, but that requires its QEMU mode.

Installing afl-fuzz

Download the source code compressed package from the official website and unzip it. Then compile and install:

make
sudo make install

After installation, the kernel usually needs to be configured to write core dumps to a file rather than piping crash information to an external handler (such as apport); afl-fuzz checks this setting and refuses to start when core_pattern begins with a pipe:

sudo su
echo core > /proc/sys/kernel/core_pattern

Official documentation: http://lcamtuf.coredump.cx/afl/README.txt

Testing Example

For targets with source code, the afl compiler wrappers (afl-gcc, afl-clang) are used in place of gcc or clang. The instrumentation they insert gives afl-fuzz coverage feedback, which improves its efficiency and speeds up fuzzing.

Test Program

Here is a crash example program:

#include <stdio.h>
#include <signal.h>

/* Raise SIGSEGV when the first byte of the input is 'A'.
 * This is the deliberate crash that afl-fuzz is expected to find. */
int func(char *data)
{
 if (data[0] == 'A')
  raise(SIGSEGV);
 else
  printf("ok\n");

 return 0;
}

int main(int argc, char *argv[])
{
 char buf[233] = {0};
 FILE *input = NULL;

 if (argc < 2)
 {
  printf("usage: %s <input file>\n", argv[0]);
  return 1;
 }

 input = fopen(argv[1], "r");
 if (input != NULL)
 {
  /* %s expects a char *, not &buf; the width limit keeps the read inside buf */
  fscanf(input, "%232s", buf);
  printf("buf is %s\n", buf);
  func(buf);
  fclose(input);
 }
 else
  printf("error!\n");

 return 0;
}

The program crashes when the first character of the input file is 'A'.

Compile the program with afl-gcc and instrument it:

afl-gcc test.c -o test

Preparation

Create input and output folders:

mkdir fuzz_in fuzz_out

Prepare an initial test case (a seed) with the content aaa; the fuzzer will mutate it:

echo aaa > fuzz_in/case

Start fuzzing

fuzz_in is the seed input directory, and fuzz_out is the output directory:

afl-fuzz -i fuzz_in -o fuzz_out ./test @@

The @@ token tells afl-fuzz that the target reads its input from a file: at run time, @@ is replaced with the path of the current test case, which afl-fuzz derives by mutating the seeds under fuzz_in.

Fuzzing Results

fuzz_out/crashes$ cat id\:000000\,sig\:11\,src\:000000\,op\:flip1\,pos\:0
Aaa

The file name records how the crash was found: sig:11 is the signal (SIGSEGV), src:000000 is the seed it was derived from, and op:flip1 with pos:0 is the mutation (a single bit flip at byte 0) that turned aaa into Aaa.
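As an added helper that is not part of the original post, the following shell functions check the core_pattern precondition from the installation section, parse a crash file name of the form shown above into its fields, and re-run the instrumented target (assumed to be ./test, with crashes under fuzz_out/crashes as in the session above) on each saved crash so the recorded signal can be compared with what happens now:

```shell
#!/bin/bash
# Added helper script (not from the original post) for an afl-fuzz session.

# Return 0 when a core_pattern value is acceptable for afl-fuzz: it must not
# start with '|', which pipes crashes to an external handler such as apport.
# Argument: file to read, defaulting to the live kernel setting.
check_core_pattern() {
  local f="${1:-/proc/sys/kernel/core_pattern}"
  local pat
  pat=$(cat "$f" 2>/dev/null) || return 1
  case "$pat" in
    '|'*) echo "core_pattern pipes crashes to a handler: $pat" >&2; return 1 ;;
    *)    return 0 ;;
  esac
}

# Turn a crash file name such as
#   id:000000,sig:11,src:000000,op:flip1,pos:0
# into one "key=value" line per field.
parse_crash_name() {
  local name
  name=$(basename "$1")
  echo "$name" | tr ',' '\n' | sed 's/:/=/'
}

# Print the value of one field (e.g. "sig") from a crash file name.
crash_field() {
  parse_crash_name "$1" | sed -n "s/^$2=//p"
}

# Re-run the target on every crash in a crashes directory and report the
# signal afl recorded next to the exit status observed now.
# Usage: triage_crashes ./test fuzz_out/crashes
triage_crashes() {
  local target="$1" dir="$2" f sig status
  for f in "$dir"/id:*; do
    [ -e "$f" ] || continue
    sig=$(crash_field "$f" sig)
    if "$target" "$f" >/dev/null 2>&1; then status=0; else status=$?; fi
    # bash reports a child killed by a signal as 128 + signal number (139 = SIGSEGV)
    printf '%s\tafl_sig=%s\texit=%s\n' "$(basename "$f")" "$sig" "$status"
  done
}
```

A crash whose re-run exits 0 is a hint that the process environment, not the input alone, was involved and deserves a closer look.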
