This does what it sounds like! It attempts to, as automatically as possible, generate and
run fuzzers for up to the entire set of libc (in the default case, musl-libc, because
glibc is really hard!) functions. I started this project thinking I would fuzz musl-libc
but that actually ended up being tricky because of compiler things. I still use musl-libc
to extract prototypes (hey, libc is a standard, after all!), but they are actually fuzzed
on the regular standard library. Less likely to find bugs, but the proof of concept is there!
It uses tree-sitter
to parse source code
and obtain function declarations, then creates simple harness(es) using
LibAFL
.
You will need cargo
(and by extension, rustc
and the rust toolchain).
You will also need AFLplusplus
and LLVM 14.0.
Installing AFLPlusplus is pretty easy by following the documentation
here. We don't
need anything special, following the steps up to make distrib
should do it. Then, you
will need to add the path to wherever you installed it to your $PATH
.
LLVM has, thankfully, made this much easier in recent years. Follow the instructions
here to install latest (which right now is 14, but in the
future you may need to follow the instructions that read sudo ./llvm.sh 14
).
build.rs
will take care of most things for you, and tree-sitter
is provided in
third_party
, so there is no need to manually download
musl-libc
or anything.
To generate a harness, run:
libc-fuzzer 0.1.0
USAGE:
harnesser [FUNCTIONS]...
ARGS:
<FUNCTIONS>...
OPTIONS:
-h, --help Print help information
-V, --version Print version information
Basically just cargo run --bin harnesser [FUNC ...]
, for example:
$ cargo run --bin harnesser atoi regcomp
[2022-05-01T04:56:35Z INFO harnesser] Found 1301 functions.
[2022-05-01T04:56:35Z INFO harnesser] Generating fuzzer for atoi: int atoi(const char *)
[2022-05-01T04:56:35Z INFO harnesser] Harness code:
#include <cstddef>
#include <cstdint>
/* Header file this harness is fuzzing against */
#include <stdlib.h>
/* FuzzedDataProvider header library */
#include <fuzzed_data_provider.hh>
__AFL_FUZZ_INIT();
/* Persistent-mode fuzzing ready harness, can't use this to debug the program */
int main() {
#ifdef __AFL_HAVE_MANUAL_CONTROL
__AFL_INIT();
#endif
uint8_t *data = (uint8_t *)__AFL_FUZZ_TESTCASE_BUF;
while (__AFL_LOOP(10000)) {
size_t len = (size_t)__AFL_FUZZ_TESTCASE_LEN;
try {
FuzzedDataProvider fdp(data, len);
/* clang-format off */
const char * param0 = fdp.consume<char>(fdp.consume<uint8_t>());
int rv = atoi(param0);
/* clang-format on */
} catch (FuzzedDataProviderException &e) {
continue;
}
}
return 0;
}
afl-cc ++3.15a by Michal Zalewski, Laszlo Szekeres, Marc Heuse - mode: LLVM-PCGUARD
SanitizerCoveragePCGUARD++3.15a
[+] Instrumented 88 locations with no collisions (non-hardened mode).
[2022-05-01T04:56:36Z INFO harnesser] Generating fuzzer for regcomp: int regcomp(regex_t *, const char *, int)
[2022-05-01T04:56:36Z INFO harnesser] Harness code:
#include <cstddef>
#include <cstdint>
/* Header file this harness is fuzzing against */
#include <regex.h>
/* FuzzedDataProvider header library */
#include <fuzzed_data_provider.hh>
__AFL_FUZZ_INIT();
/* Persistent-mode fuzzing ready harness, can't use this to debug the program */
int main() {
#ifdef __AFL_HAVE_MANUAL_CONTROL
__AFL_INIT();
#endif
uint8_t *data = (uint8_t *)__AFL_FUZZ_TESTCASE_BUF;
while (__AFL_LOOP(10000)) {
size_t len = (size_t)__AFL_FUZZ_TESTCASE_LEN;
try {
FuzzedDataProvider fdp(data, len);
/* clang-format off */
regex_t * param0 = new regex_t[1];
const char * param1 = fdp.consume<char>(fdp.consume<uint8_t>());
int param2 = fdp.consume<int>();
int rv = regcomp(param0, param1, param2);
/* clang-format on */
} catch (FuzzedDataProviderException &e) {
continue;
}
}
return 0;
}
This will generate four files for each function:
- The fuzzer harness supporting persistent mode. (
harness-FUNCNAME.cc
) - Another fuzzer harness that takes straight from stdin and allows you to debug
the setup more easily with GDB if that's your thing. (
harness-FUCNAME-manual.cc
) - All four of those, compiled and ready to go! (
harness-FUNCNAME
,harness-FUNCNAME-manual
)
The fuzzer is pretty simple, because I intend to use it to get more into the weeds of LibAFL as I go, but this is a PoC and I was focused on getting the automatic harness generation going. In any case, to run the fuzzer, you just run with:
Program to start the LibAFL fuzzer on the generated harness
USAGE:
libc-fuzzer <PROGRAM> <CORPUS_DIR>
ARGS:
<PROGRAM> The relative path to the program -- if it is in the local directory, be sure
that the path starts with `./`
<CORPUS_DIR> The relative path to the corpus directory to start with ex `./corpus`
OPTIONS:
-h, --help Print help information
-V, --version Print version information
So, for example to run our generated atoi
fuzzer, we can run:
cargo run --bin libc-fuzzer ./fuzzer-atoi corpus
warning: dependency (clap) specified without providing a local path, Git repository, or version to use. This will be considered an error in future versions
warning: unused manifest key: dependencies.clap.verison
Finished dev [unoptimized + debuginfo] target(s) in 0.06s
Running `target/debug/libc-fuzzer ./fuzzer-atoi corpus`
All right - fork server is up.
Using SHARED MEMORY FUZZING feature.
Loading file "corpus/atoi.input.1" ...
[Stats #0] run time: 0h-0m-0s, clients: 1, corpus: 0, objectives: 0, executions: 0, exec/sec: 0
Client 000:
NaN: Scheduler
NaN: Manager
Feedbacks:
NaN: Not Measured
[Testcase #0] run time: 0h-0m-0s, clients: 1, corpus: 1, objectives: 0, executions: 1, exec/sec: 0
Client 000:
NaN: Scheduler
NaN: Manager
Feedbacks:
NaN: Not Measured
Loading file "corpus/input" ...
File "corpus/input" was not interesting, skipped.
[LOG Debug]: Loaded 1 initial testcases.
We imported 1 inputs from disk.
[Stats #0] run time: 0h-0m-0s, clients: 1, corpus: 1, objectives: 0, executions: 1, exec/sec: 0
Client 000:
NaN: Scheduler
NaN: Manager
Feedbacks:
NaN: Not Measured
[Testcase #0] run time: 0h-0m-0s, clients: 1, corpus: 2, objectives: 0, executions: 4, exec/sec: 0
Client 000:
NaN: Scheduler
NaN: Manager
Feedbacks:
NaN: Not Measured
[PerfMonitor #0] run time: 0h-0m-15s, clients: 1, corpus: 2, objectives: 0, executions: 1827, exec/sec: 0
Client 000:
0.0002: Scheduler
0.0000: Manager
Stage 0:
0.0002: GetInputFromCorpus
0.0028: Mutate
0.0000: MutatePostExec
0.0468: TargetExecution
0.1804: PreExecObservers
0.2913: PostExecObservers
Feedbacks:
0.4752: shared_mem
0.0001: time
0.0000: TimeoutFeedback
0.0030: Not Measured
Once you start getting PerfMonitor
output, it should be working!
- Structs: harnesser does not deduce or generate singly or multiply nested structs yet.
- Double (or greater) indirection: results for functions that take double pointers will be inconsistent at best, and probably will not work.