eurecom-s3 / invscov

The Use of Likely Invariants as Feedback for Fuzzers

Home Page: https://www.usenix.org/conference/usenixsecurity21/presentation/fioraldi

License: Apache License 2.0


invscov's Introduction

The Use of Likely Invariants as Feedback for Fuzzers

This prototype implements the idea described in our USENIX Security '21 paper, a new feedback mechanism that augments code coverage by taking into account the usual values and relationships among program variables.

One of the main limitations of coverage-guided fuzzing is the fact that most of the available solutions are optimized to reach different parts of the program under test, but struggle when reachability alone is insufficient to trigger a vulnerability. In reality, many bugs require a specific program state that involves not only the control flow, but also the values of some of the program variables.

For this purpose, we learn likely invariants over variables at the basic-block level and partition the program state space accordingly. Our feedback can distinguish when an input violates one or more invariants and reward it, thus refining the program state approximation that code coverage alone offers.

This prototype, called InvsCov, is based on AFL++, LLVM and the Daikon invariant detector.

Cite

  • Andrea Fioraldi, Daniele Cono D’Elia, and Davide Balzarotti. The use of likely invariants as feedback for fuzzers. In 30th USENIX Security Symposium (USENIX Security 21), pages 2829–2846. USENIX Association, August 2021.

Bibtex:

@inproceedings {usenixsec21fioraldi,
  author = {Andrea Fioraldi and Daniele Cono D{\textquoteright}Elia and Davide Balzarotti},
  title = {The Use of Likely Invariants as Feedback for Fuzzers},
  booktitle = {30th {USENIX} Security Symposium ({USENIX} Security 21)},
  year = {2021},
  isbn = {978-1-939133-24-3},
  pages = {2829--2846},
  url = {https://www.usenix.org/conference/usenixsecurity21/presentation/fioraldi},
  publisher = {{USENIX} Association},
  month = aug,
}

Build

LLVM 10 is required. It may work with more recent versions, but this is untested.

Build the fuzzer and the passes with:

make -C InvsCov/dump LLVM_CONFIG=llvm-config-10
make -C InvsCov/instrument LLVM_CONFIG=llvm-config-10
make -C AFLplusplus
make -C AFLplusplus/llvm_mode LLVM_CONFIG=llvm-config-10

To compile Daikon, follow the steps in the Daikon readme and copy the resulting daikon.jar into the root folder of this project.

Usage

  • set the env var INVSCOV_OUTPUT_PATH to an existing empty folder

    mkdir output_path
    export INVSCOV_OUTPUT_PATH=`pwd`/output_path/

  • compile the PUT (program under test) with dump-cc / dump-c++

    cd target_program_src/
    ./configure
    make CC=/path/to/invscov/InvsCov/dump-cc CXX=/path/to/invscov/InvsCov/dump-c++
    cp ./program ./program_dump # assuming that 'program' is the result of the compilation

  • run reconstruct-dump

    /path/to/invscov/InvsCov/reconstruct-dump

  • run learn-invariants on the initial corpus with the dumper binary produced in the second step

    /path/to/invscov/InvsCov/learn-invariants /path/to/initial_corpus ./program_dump @@

  • run generate-constraints

    /path/to/invscov/InvsCov/generate-constraints

  • compile with instrument-cc / instrument-c++

    make clean
    make CC=/path/to/invscov/InvsCov/instrument-cc CXX=/path/to/invscov/InvsCov/instrument-c++
    cp ./program ./program_fuzz

With the NO_CONSTRS=1 env var set, the instrument-cc compiler wrapper simply compiles the PUT with the classic AFL++ edge-coverage instrumentation and no invariant checks, which gives a baseline to compare against. Other env variables are available; refer to the source code.

  • fuzz this last binary with afl-fuzz

    /path/to/invscov/AFLplusplus/afl-fuzz -i /path/to/initial_corpus -o output -d -- ./program_fuzz @@
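The steps above chained into one POSIX shell script, as an added example that is not part of the InvsCov repository: it also checks the two preconditions the readme states (an existing, empty INVSCOV_OUTPUT_PATH and daikon.jar in the project root) before touching the target. INVSCOV_ROOT and all argument paths are assumptions to adjust for your checkout.

```shell
#!/bin/sh
# Added example, not part of the InvsCov repository: drives the readme's
# usage steps end to end for a Makefile-based target. INVSCOV_ROOT and all
# path arguments are assumptions to be adjusted for your checkout.
set -eu

INVSCOV_ROOT="${INVSCOV_ROOT:-/path/to/invscov}"   # assumed checkout location

# Step 1 precondition: INVSCOV_OUTPUT_PATH must be an existing, empty directory.
# Returns 0 when usable, 1 otherwise.
check_output_dir() {
    [ -d "$1" ] || return 1
    [ -z "$(ls -A "$1")" ] || return 1
}

# Rebuild the target from a clean tree with the given compiler wrappers.
# $1 = source dir, $2 = CC wrapper, $3 = CXX wrapper,
# $4 = built binary name inside the source dir, $5 = where to copy it.
build_with() {
    (
        cd "$1" || exit 1
        make clean >/dev/null 2>&1 || true   # first build may have nothing to clean
        make CC="$2" CXX="$3"
        cp "./$4" "$5"
    )
}

# Steps 2-7: dump build, dump reconstruction, invariant learning over the
# corpus, constraint generation, instrumented build, then fuzzing.
run_pipeline() {
    src="$1"; corpus="$2"; binary="$3"; outdir="$4"; afl_out="${5:-output}"
    check_output_dir "$outdir" || { echo "need an existing empty dir: $outdir" >&2; return 1; }
    [ -f "$INVSCOV_ROOT/daikon.jar" ] || { echo "daikon.jar missing in $INVSCOV_ROOT" >&2; return 1; }
    export INVSCOV_OUTPUT_PATH="$outdir/"

    build_with "$src" "$INVSCOV_ROOT/InvsCov/dump-cc" \
        "$INVSCOV_ROOT/InvsCov/dump-c++" "$binary" "$src/program_dump"
    "$INVSCOV_ROOT/InvsCov/reconstruct-dump"
    "$INVSCOV_ROOT/InvsCov/learn-invariants" "$corpus" "$src/program_dump" @@
    "$INVSCOV_ROOT/InvsCov/generate-constraints"
    build_with "$src" "$INVSCOV_ROOT/InvsCov/instrument-cc" \
        "$INVSCOV_ROOT/InvsCov/instrument-c++" "$binary" "$src/program_fuzz"
    "$INVSCOV_ROOT/AFLplusplus/afl-fuzz" -i "$corpus" -o "$afl_out" -d -- "$src/program_fuzz" @@
}

# Usage: sh invscov-pipeline.sh <target_src> <initial_corpus> <binary> <output_path> [afl_out]
[ "$#" -eq 0 ] || run_pipeline "$@"
```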

License

The modifications to the AFL++ and Daikon codebases are released under the same license as the modified package.

The InvsCov code is released under Apache-2.


invscov's Issues

Consider using the latest AFLplusplus

The released code uses AFLplusplus 2.65c, which is a bit old. Now the latest AFLplusplus version is 3.14c. I want to replace the 2.65c version with the latest 3.14c version. Is it OK to patch the differences that diff shows? Any suggestions for me? Thanks a lot.
The diff tool shows this:

$ diff -ru AFLplusplus AFLplusplus-2.65c/
diff -ru AFLplusplus/llvm_mode/afl-clang-fast.c AFLplusplus-2.65c/llvm_mode/afl-clang-fast.c
--- AFLplusplus/llvm_mode/afl-clang-fast.c	2021-11-19 08:31:53.637050904 +0800
+++ AFLplusplus-2.65c/llvm_mode/afl-clang-fast.c	2020-05-15 14:36:51.000000000 +0800
@@ -584,11 +584,9 @@
 
     be_quiet = 1;
 
-  instrument_mode = INSTRUMENT_DEFAULT;
-
-/*#ifdef USE_TRACE_PC
+#ifdef USE_TRACE_PC
   instrument_mode = INSTRUMENT_PCGUARD;
-#endif*/
+#endif
 
   if (getenv("USE_TRACE_PC") || getenv("AFL_USE_TRACE_PC") ||
       getenv("AFL_LLVM_USE_TRACE_PC") || getenv("AFL_TRACE_PC")) {
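Review bot: the diff was produced as `diff -ru AFLplusplus AFLplusplus-2.65c/`, so the `-` lines are the InvsCov-modified tree and the `+` lines are unmodified 2.65c; to carry the changes forward to a newer AFL++ they must be applied in reverse. In this hunk the InvsCov side replaces the `#ifdef USE_TRACE_PC` block with an unconditional `instrument_mode = INSTRUMENT_DEFAULT;` and leaves the original block commented out with `/* ... */`; when porting, delete the dead block rather than keeping it as a comment, and check that the `getenv("USE_TRACE_PC")` branch that follows still selects pcguard as intended, since the compile-time default is now never PCGUARD.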
diff -ru AFLplusplus/llvm_mode/afl-llvm-pass.so.cc AFLplusplus-2.65c/llvm_mode/afl-llvm-pass.so.cc
--- AFLplusplus/llvm_mode/afl-llvm-pass.so.cc	2021-11-19 08:31:53.637050904 +0800
+++ AFLplusplus-2.65c/llvm_mode/afl-llvm-pass.so.cc	2020-05-15 14:36:51.000000000 +0800
@@ -266,12 +266,7 @@
     AFLPrevLoc = new GlobalVariable(
         M, Int32Ty, false, GlobalValue::ExternalLinkage, 0, "__afl_prev_loc");
 #else
-  //AFLPrevLoc = new GlobalVariable(
-  //    M, Int32Ty, false, GlobalValue::ExternalLinkage, 0, "__afl_prev_loc", 0,
-  //    GlobalVariable::GeneralDynamicTLSModel, 0, false);
-  AFLPrevLoc = M.getGlobalVariable("__afl_prev_loc");
-	if (AFLPrevLoc == nullptr)
-	  AFLPrevLoc = new GlobalVariable(
+  AFLPrevLoc = new GlobalVariable(
       M, Int32Ty, false, GlobalValue::ExternalLinkage, 0, "__afl_prev_loc", 0,
       GlobalVariable::GeneralDynamicTLSModel, 0, false);
 #endif
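Review bot: the InvsCov side looks up `__afl_prev_loc` with `M.getGlobalVariable` and only creates the TLS global when it is absent, which avoids defining the symbol twice when another pass has already added it to the module; keep that null check when porting. Two style points: the lines `if (AFLPrevLoc == nullptr)` and the constructor call under it are indented with tabs while the rest of the hunk uses spaces, and the three `//AFLPrevLoc = ...` lines are a commented-out copy of the code that is still present three lines below, so they can be dropped.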
diff -ru AFLplusplus/src/afl-common.c AFLplusplus-2.65c/src/afl-common.c
--- AFLplusplus/src/afl-common.c	2021-11-19 15:01:11.153806707 +0800
+++ AFLplusplus-2.65c/src/afl-common.c	2020-05-15 14:36:51.000000000 +0800
@@ -884,6 +884,7 @@
   timeout.tv_sec = (timeout_ms / 1000);
   timeout.tv_usec = (timeout_ms % 1000) * 1000;
 
+  size_t read_total = 0;
   size_t len_read = 0;
 
   while (len_read < len) {
@@ -906,6 +907,7 @@
 
     len_read = read(fd, ((u8 *)buf) + len_read, len - len_read);
     if (!len_read) { return 0; }
+    read_total += len_read;
 
   }
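Review bot: `read_total` is incremented here but never read anywhere in these two hunks, so the InvsCov side removing both its declaration (previous hunk) and this increment is a harmless unused-variable cleanup rather than a functional change and need not be carried over. Visible in the context rather than in the change: `len_read` is a `size_t` assigned the return of `read()`, so a `-1` error return becomes a large positive value that `if (!len_read)` does not catch and `while (len_read < len)` then silently exits on; worth checking how the newer version handles that path before porting.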
 
diff -ru AFLplusplus/src/afl-fuzz-one.c AFLplusplus-2.65c/src/afl-fuzz-one.c
--- AFLplusplus/src/afl-fuzz-one.c	2021-11-19 08:31:53.641050896 +0800
+++ AFLplusplus-2.65c/src/afl-fuzz-one.c	2020-05-15 14:36:51.000000000 +0800
@@ -488,8 +488,6 @@
 
     if (afl->queue_cur->cal_failed < CAL_CHANCES) {
 
-      afl->queue_cur->exec_cksum = 0;
-
       res =
           calibrate_case(afl, afl->queue_cur, in_buf, afl->queue_cycle - 1, 0);
 
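Review bot: the `afl->queue_cur->exec_cksum = 0;` added on the InvsCov side clears the stored checksum before `calibrate_case` re-runs a case whose earlier calibration failed (`cal_failed < CAL_CHANCES`), so the case is re-evaluated as if it had no prior checksum instead of being compared against a stale value. Verify that the newer `calibrate_case` still consults `exec_cksum` in the same way before porting this line.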
@@ -2638,8 +2636,6 @@
 
     if (afl->queue_cur->cal_failed < CAL_CHANCES) {
 
-      afl->queue_cur->exec_cksum = 0;
-
       res =
           calibrate_case(afl, afl->queue_cur, in_buf, afl->queue_cycle - 1, 0);
 
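Review bot: this hunk is an identical copy of the `exec_cksum = 0` reset from the hunk at `@@ -488`, applied to the second `cal_failed < CAL_CHANCES` block near line 2638; the diff shows two such calibration sites in afl-fuzz-one.c with the same surrounding context. When porting, patch both sites together, or factor the reset into the shared path, so the two do not drift apart.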

Feature: enable invscov into afl++ (Fuzzbench/OSS-Fuzz)

Your code is not even released and here's your first issue... :-)

We'd love to see your code enabled into afl++ as a special mode.

Afl++ is already supported in Fuzzbench and it is used actively to test new fuzzing techniques. If you could enable invscov in mainstream afl++, we'd easily be able to test it with a combination of other afl++ options!

Afl++ is also used in OSS-Fuzz, which is used to continuously fuzz hundreds of open source projects.

How to fuzz a binary project file built by makefile

Hello andreafioraldi, InvsCov is a very interesting idea. I have benefited a lot from it. Thank you very much :)
As mentioned in the readme, InvsCov uses the following steps:

  1. set the env var INVSCOV_OUTPUT_PATH to an existing empty folder
  2. compile the PUT with InvsCov/dump-cc/c++
  3. run InvsCov/reconstruct-dump
  4. run InvsCov/learn-invariants with the dumper binary produced in the second step
  5. run InvsCov/generate-constraints
  6. compile with InvsCov/instrument-cc/c++
  7. fuzz this last binary with AFLplusplus/afl-fuzz

But I have a small question. If we want to fuzz a target program that is compiled by a Makefile and consists of many project files, what should I do to fuzz such complex programs? Specifically, I don't know how to do steps 2, 3 and 4 for such a complex project.
I successfully used invscov to fuzz some very simple demos, but I am very confused about using it to fuzz other complex projects.
Looking forward to your reply :)
