eurecom-s3 / invscov Goto Github PK

The Use of Likely Invariants as Feedback for Fuzzers

Home Page: https://www.usenix.org/conference/usenixsecurity21/presentation/fioraldi

License: Apache License 2.0

Python 1.13% Dockerfile 0.04% Makefile 2.31% Shell 1.56% PLpgSQL 0.01% C 41.15% Java 37.12% HTML 0.64% C++ 9.67% JavaScript 0.01% Rich Text Format 0.01% PostScript 0.13% Perl 2.61% TeX 2.03% Raku 0.01% Common Lisp 0.01% BlitzBasic 0.67% PHP 0.08% Scilab 0.85% Brainfuck 0.01%

invscov's People

Contributors

Stargazers

Watchers

Forkers

c0de3 microsvuln diewufeihong welkinchan001 chinggg tizianocolagrossi sansquoi gmh5225

invscov's Issues

Feature: enable invscov into afl++ (Fuzzbench/OSS-Fuzz)

Your code is not even released and here's your first issue... :-)

We'd love to see your code enabled into afl++ as a special mode.

Afl++ is already supported in Fuzzbench and it used actively to test new fuzzing techniques. If you could enable invscov in mainstream afl++, we'd easily be able to test it with a combination of other afl++ options!

Afl++ is also used in OSS-Fuzz, which is used to continuously fuzz hundreds of open source projects.

Does daikon support mining invariants of network programs ?

Hi ~
I am focusing on the research work in the field of invariants. I am very curious about whether the invariants mining tool daikon used in invscov is suitable for server programs, that is, reading input through sockets?

How to fuzz a binary project file built by makefile

Hello andreafioraldi , Invscov is a very interesting idea. I benefit a lot from it. Thank you very much :)
As mentioned in readme, invScov uses the following steps：

set the env var INVSCOV_OUTPUT_PATH to an existing empty folder
compile the PUT with InvsCov/dump-cc/c++
run InvsCov/reconstruct-dump
run InvsCov/learn-invariants with the dumper binary produced in the second step
run InvsCov/generate-constraints
compile with InvsCov/instrument-cc/c++
fuzz this last binary with AFLplusplus/afl-fuzz

But I have a small question. If we want to fuzz the target program that is compiled by Makefile, and there are many project files. In this case, what should I do to fuzz these complex programs? Specifically, I don't know how to do steps 2, 3 and 4 for such a complex project.
I successfully used invscov to fuzz some very simple demos, but I was very confused about using it to fuzz other complex projects.
Looking forward to your reply :)

Why Invscov cannot compile 32bit program?

I want to fuzz cgc program, but invscov only support 64 bit program.How do i add the 32 bit platform support?

Consider using the latest AFLplusplus

The release code using AFLplusplus 2.65c, which is a bit old. Now the latest AFLplusplus version is 3.14c. I want to replace the 2.65c version with the latest 3.14c version. Is it OK to patch the differences that diff shows? Any suggestions for me? Thanks a lot.
The diff tool shows that:

$ diff -ru AFLplusplus AFLplusplus-2.65c/
diff -ru AFLplusplus/llvm_mode/afl-clang-fast.c AFLplusplus-2.65c/llvm_mode/afl-clang-fast.c
--- AFLplusplus/llvm_mode/afl-clang-fast.c	2021-11-19 08:31:53.637050904 +0800
+++ AFLplusplus-2.65c/llvm_mode/afl-clang-fast.c	2020-05-15 14:36:51.000000000 +0800
@@ -584,11 +584,9 @@
 
     be_quiet = 1;
 
-  instrument_mode = INSTRUMENT_DEFAULT;
-
-/*#ifdef USE_TRACE_PC
+#ifdef USE_TRACE_PC
   instrument_mode = INSTRUMENT_PCGUARD;
-#endif*/
+#endif
 
   if (getenv("USE_TRACE_PC") || getenv("AFL_USE_TRACE_PC") ||
       getenv("AFL_LLVM_USE_TRACE_PC") || getenv("AFL_TRACE_PC")) {
diff -ru AFLplusplus/llvm_mode/afl-llvm-pass.so.cc AFLplusplus-2.65c/llvm_mode/afl-llvm-pass.so.cc
--- AFLplusplus/llvm_mode/afl-llvm-pass.so.cc	2021-11-19 08:31:53.637050904 +0800
+++ AFLplusplus-2.65c/llvm_mode/afl-llvm-pass.so.cc	2020-05-15 14:36:51.000000000 +0800
@@ -266,12 +266,7 @@
     AFLPrevLoc = new GlobalVariable(
         M, Int32Ty, false, GlobalValue::ExternalLinkage, 0, "__afl_prev_loc");
 #else
-  //AFLPrevLoc = new GlobalVariable(
-  //    M, Int32Ty, false, GlobalValue::ExternalLinkage, 0, "__afl_prev_loc", 0,
-  //    GlobalVariable::GeneralDynamicTLSModel, 0, false);
-  AFLPrevLoc = M.getGlobalVariable("__afl_prev_loc");
-	if (AFLPrevLoc == nullptr)
-	  AFLPrevLoc = new GlobalVariable(
+  AFLPrevLoc = new GlobalVariable(
       M, Int32Ty, false, GlobalValue::ExternalLinkage, 0, "__afl_prev_loc", 0,
       GlobalVariable::GeneralDynamicTLSModel, 0, false);
 #endif
diff -ru AFLplusplus/src/afl-common.c AFLplusplus-2.65c/src/afl-common.c
--- AFLplusplus/src/afl-common.c	2021-11-19 15:01:11.153806707 +0800
+++ AFLplusplus-2.65c/src/afl-common.c	2020-05-15 14:36:51.000000000 +0800
@@ -884,6 +884,7 @@
   timeout.tv_sec = (timeout_ms / 1000);
   timeout.tv_usec = (timeout_ms % 1000) * 1000;
 
+  size_t read_total = 0;
   size_t len_read = 0;
 
   while (len_read < len) {
@@ -906,6 +907,7 @@
 
     len_read = read(fd, ((u8 *)buf) + len_read, len - len_read);
     if (!len_read) { return 0; }
+    read_total += len_read;
 
   }
 
diff -ru AFLplusplus/src/afl-fuzz-one.c AFLplusplus-2.65c/src/afl-fuzz-one.c
--- AFLplusplus/src/afl-fuzz-one.c	2021-11-19 08:31:53.641050896 +0800
+++ AFLplusplus-2.65c/src/afl-fuzz-one.c	2020-05-15 14:36:51.000000000 +0800
@@ -488,8 +488,6 @@
 
     if (afl->queue_cur->cal_failed < CAL_CHANCES) {
 
-      afl->queue_cur->exec_cksum = 0;
-
       res =
           calibrate_case(afl, afl->queue_cur, in_buf, afl->queue_cycle - 1, 0);
 
@@ -2638,8 +2636,6 @@
 
     if (afl->queue_cur->cal_failed < CAL_CHANCES) {
 
-      afl->queue_cur->exec_cksum = 0;
-
       res =
           calibrate_case(afl, afl->queue_cur, in_buf, afl->queue_cycle - 1, 0);

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.