eurecom-s3 / invscov Goto Github PK

The Use of Likely Invariants as Feedback for Fuzzers

Home Page: https://www.usenix.org/conference/usenixsecurity21/presentation/fioraldi

License: Apache License 2.0

Python 1.13% Dockerfile 0.04% Makefile 2.31% Shell 1.56% PLpgSQL 0.01% C 41.15% Java 37.12% HTML 0.64% C++ 9.67% JavaScript 0.01% Rich Text Format 0.01% PostScript 0.13% Perl 2.61% TeX 2.03% Raku 0.01% Common Lisp 0.01% BlitzBasic 0.67% PHP 0.08% Scilab 0.85% Brainfuck 0.01%

invscov's Introduction

The Use of Likely Invariants as Feedback for Fuzzers

This prototype implements the idea described in our USENIX Security '21 paper, a new feedback mechanism that augments code coverage by taking into account the usual values and relationships among program variables.

One of the main limitations of coverage-guided fuzzing is the fact that most of the available solutions are optimized to reach different parts of the program under test, but struggle when reachability alone is insufficient to trigger a vulnerability. In reality, many bugs require a specific program state that involves not only the control flow, but also the values of some of the program variables.

For this purpose, we learn likely invariants over variables at the basic- block level, and partition the program state space accordingly. Our feedback can distinguish when an input violates one or more invariants and reward it, thus refining the program state approximation that code coverage normally offers.

This prototype, called InvsCov, is based on AFL++, LLVM and the Daikon invariant detector.

Cite

Andrea Fioraldi, Daniele Cono D’Elia, and Davide Balzarotti. The use of likely invariants as feedback for fuzzers. In 30th USENIX Security Symposium (USENIX Security 21), pages 2829–2846. USENIX Association, August 2021.

Bibtex:

@inproceedings {usenixsec21fioraldi,
  author = {Andrea Fioraldi and Daniele Cono D{\textquoteright}Elia and Davide Balzarotti},
  title = {The Use of Likely Invariants as Feedback for Fuzzers},
  booktitle = {30th {USENIX} Security Symposium ({USENIX} Security 21)},
  year = {2021},
  isbn = {978-1-939133-24-3},
  pages = {2829--2846},
  url = {https://www.usenix.org/conference/usenixsecurity21/presentation/fioraldi},
  publisher = {{USENIX} Association},
  month = aug,
}

Build

LLVM 10 is required. It may work with more recent versions but it is untested.

Build the fuzzer and the passes with:

make -C InvsCov/dump LLVM_CONFIG=llvm-config-10
make -C InvsCov/instrument LLVM_CONFIG=llvm-config-10
make -C AFLplusplus
make -C AFLplusplus/llvm_mode LLVM_CONFIG=llvm-config-10

To compile Daikon, follow the steps in the Daikon readme and copy the resulting daikon.jar in the root folder of this project.

Usage

set the env var INVSCOV_OUTPUT_PATH to an existing empty folder

mkdir output_path
export INVSCOV_OUTPUT_PATH=`pwd`/output_path/

compile the PUT with dump-cc[c++]

cd target_program_src/
./configure
make CC=/path/to/invscov/InvsCov/dump-cc CXX=/path/to/invscov/InvsCov/dump-c++
cp ./program ./program_dump # assuming that 'program' is the result of the compilation

run reconstruct-dump

/path/to/invscov/InvsCov/reconstruct-dump

run learn-invariants with the dumper binary produced in the second step

/path/to/invscov/InvsCov/learn-invariants /path/to/initial_corpus ./program_dump @@

run generate-constraints

/path/to/invscov/InvsCov/generate-constraints

compile with instrument-cc[c++]

make clean
make CC=/path/to/invscov/InvsCov/instrument-cc CXX=/path/to/invscov/InvsCov/instrument-c++
cp ./program ./program_fuzz

Using the NO_CONSTRS=1 env var the instrument-cc compiler wrapper will simply compile the PUT with the classic AFL++ edge coverage instrumentation. Other env variables are available, refer to the source code.

fuzz this last binary with afl-fuzz

/path/to/invscov/AFLplusplus/afl-fuzz -i /path/to/initial_corpus -o output -d -- ./program_fuzz @@

License

The modification to the AFL++ and Daikon codebases are released under the same license of the modified package.

The InvsCov code is released under Apache-2.

invscov's People

Contributors

Stargazers

Watchers

Forkers

c0de3 microsvuln diewufeihong welkinchan001 chinggg tizianocolagrossi sansquoi gmh5225

invscov's Issues

Why Invscov cannot compile 32bit program?

I want to fuzz cgc program, but invscov only support 64 bit program.How do i add the 32 bit platform support?

Does daikon support mining invariants of network programs ?

Hi ~
I am focusing on the research work in the field of invariants. I am very curious about whether the invariants mining tool daikon used in invscov is suitable for server programs, that is, reading input through sockets?

Consider using the latest AFLplusplus

The release code using AFLplusplus 2.65c, which is a bit old. Now the latest AFLplusplus version is 3.14c. I want to replace the 2.65c version with the latest 3.14c version. Is it OK to patch the differences that diff shows? Any suggestions for me? Thanks a lot.
The diff tool shows that:

$ diff -ru AFLplusplus AFLplusplus-2.65c/
diff -ru AFLplusplus/llvm_mode/afl-clang-fast.c AFLplusplus-2.65c/llvm_mode/afl-clang-fast.c
--- AFLplusplus/llvm_mode/afl-clang-fast.c	2021-11-19 08:31:53.637050904 +0800
+++ AFLplusplus-2.65c/llvm_mode/afl-clang-fast.c	2020-05-15 14:36:51.000000000 +0800
@@ -584,11 +584,9 @@
 
     be_quiet = 1;
 
-  instrument_mode = INSTRUMENT_DEFAULT;
-
-/*#ifdef USE_TRACE_PC
+#ifdef USE_TRACE_PC
   instrument_mode = INSTRUMENT_PCGUARD;
-#endif*/
+#endif
 
   if (getenv("USE_TRACE_PC") || getenv("AFL_USE_TRACE_PC") ||
       getenv("AFL_LLVM_USE_TRACE_PC") || getenv("AFL_TRACE_PC")) {
diff -ru AFLplusplus/llvm_mode/afl-llvm-pass.so.cc AFLplusplus-2.65c/llvm_mode/afl-llvm-pass.so.cc
--- AFLplusplus/llvm_mode/afl-llvm-pass.so.cc	2021-11-19 08:31:53.637050904 +0800
+++ AFLplusplus-2.65c/llvm_mode/afl-llvm-pass.so.cc	2020-05-15 14:36:51.000000000 +0800
@@ -266,12 +266,7 @@
     AFLPrevLoc = new GlobalVariable(
         M, Int32Ty, false, GlobalValue::ExternalLinkage, 0, "__afl_prev_loc");
 #else
-  //AFLPrevLoc = new GlobalVariable(
-  //    M, Int32Ty, false, GlobalValue::ExternalLinkage, 0, "__afl_prev_loc", 0,
-  //    GlobalVariable::GeneralDynamicTLSModel, 0, false);
-  AFLPrevLoc = M.getGlobalVariable("__afl_prev_loc");
-	if (AFLPrevLoc == nullptr)
-	  AFLPrevLoc = new GlobalVariable(
+  AFLPrevLoc = new GlobalVariable(
       M, Int32Ty, false, GlobalValue::ExternalLinkage, 0, "__afl_prev_loc", 0,
       GlobalVariable::GeneralDynamicTLSModel, 0, false);
 #endif
diff -ru AFLplusplus/src/afl-common.c AFLplusplus-2.65c/src/afl-common.c
--- AFLplusplus/src/afl-common.c	2021-11-19 15:01:11.153806707 +0800
+++ AFLplusplus-2.65c/src/afl-common.c	2020-05-15 14:36:51.000000000 +0800
@@ -884,6 +884,7 @@
   timeout.tv_sec = (timeout_ms / 1000);
   timeout.tv_usec = (timeout_ms % 1000) * 1000;
 
+  size_t read_total = 0;
   size_t len_read = 0;
 
   while (len_read < len) {
@@ -906,6 +907,7 @@
 
     len_read = read(fd, ((u8 *)buf) + len_read, len - len_read);
     if (!len_read) { return 0; }
+    read_total += len_read;
 
   }
 
diff -ru AFLplusplus/src/afl-fuzz-one.c AFLplusplus-2.65c/src/afl-fuzz-one.c
--- AFLplusplus/src/afl-fuzz-one.c	2021-11-19 08:31:53.641050896 +0800
+++ AFLplusplus-2.65c/src/afl-fuzz-one.c	2020-05-15 14:36:51.000000000 +0800
@@ -488,8 +488,6 @@
 
     if (afl->queue_cur->cal_failed < CAL_CHANCES) {
 
-      afl->queue_cur->exec_cksum = 0;
-
       res =
           calibrate_case(afl, afl->queue_cur, in_buf, afl->queue_cycle - 1, 0);
 
@@ -2638,8 +2636,6 @@
 
     if (afl->queue_cur->cal_failed < CAL_CHANCES) {
 
-      afl->queue_cur->exec_cksum = 0;
-
       res =
           calibrate_case(afl, afl->queue_cur, in_buf, afl->queue_cycle - 1, 0);

Feature: enable invscov into afl++ (Fuzzbench/OSS-Fuzz)

Your code is not even released and here's your first issue... :-)

We'd love to see your code enabled into afl++ as a special mode.

Afl++ is already supported in Fuzzbench and it used actively to test new fuzzing techniques. If you could enable invscov in mainstream afl++, we'd easily be able to test it with a combination of other afl++ options!

Afl++ is also used in OSS-Fuzz, which is used to continuously fuzz hundreds of open source projects.

How to fuzz a binary project file built by makefile

Hello andreafioraldi , Invscov is a very interesting idea. I benefit a lot from it. Thank you very much :)
As mentioned in readme, invScov uses the following steps：

set the env var INVSCOV_OUTPUT_PATH to an existing empty folder
compile the PUT with InvsCov/dump-cc/c++
run InvsCov/reconstruct-dump
run InvsCov/learn-invariants with the dumper binary produced in the second step
run InvsCov/generate-constraints
compile with InvsCov/instrument-cc/c++
fuzz this last binary with AFLplusplus/afl-fuzz

But I have a small question. If we want to fuzz the target program that is compiled by Makefile, and there are many project files. In this case, what should I do to fuzz these complex programs? Specifically, I don't know how to do steps 2, 3 and 4 for such a complex project.
I successfully used invscov to fuzz some very simple demos, but I was very confused about using it to fuzz other complex projects.
Looking forward to your reply :)

eurecom-s3 / invscov Goto Github PK

invscov's Introduction

The Use of Likely Invariants as Feedback for Fuzzers

Cite

Build

Usage

License

invscov's People

Contributors

Stargazers

Watchers

Forkers

invscov's Issues

Why Invscov cannot compile 32bit program?

Does daikon support mining invariants of network programs ?

Consider using the latest AFLplusplus

Feature: enable invscov into afl++ (Fuzzbench/OSS-Fuzz)

How to fuzz a binary project file built by makefile

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent