
eurecom-s3 / invscov


The Use of Likely Invariants as Feedback for Fuzzers

Home Page: https://www.usenix.org/conference/usenixsecurity21/presentation/fioraldi

License: Apache License 2.0

Python 1.13% Dockerfile 0.04% Makefile 2.31% Shell 1.56% PLpgSQL 0.01% C 41.15% Java 37.12% HTML 0.64% C++ 9.67% JavaScript 0.01% Rich Text Format 0.01% PostScript 0.13% Perl 2.61% TeX 2.03% Raku 0.01% Common Lisp 0.01% BlitzBasic 0.67% PHP 0.08% Scilab 0.85% Brainfuck 0.01%

invscov's People

Contributors

andreafioraldi


invscov's Issues

Feature: enable invscov into afl++ (Fuzzbench/OSS-Fuzz)

Your code is not even released and here's your first issue... :-)

We'd love to see your code enabled into afl++ as a special mode.

Afl++ is already supported in Fuzzbench and it is used actively to test new fuzzing techniques. If you could enable invscov in mainstream afl++, we'd easily be able to test it with a combination of other afl++ options!

Afl++ is also used in OSS-Fuzz, which is used to continuously fuzz hundreds of open source projects.

How to fuzz a binary project built by a Makefile

Hello andreafioraldi, Invscov is a very interesting idea. I benefit a lot from it. Thank you very much :)
As mentioned in the README, invScov uses the following steps:

  1. set the env var INVSCOV_OUTPUT_PATH to an existing empty folder
  2. compile the PUT with InvsCov/dump-cc/c++
  3. run InvsCov/reconstruct-dump
  4. run InvsCov/learn-invariants with the dumper binary produced in the second step
  5. run InvsCov/generate-constraints
  6. compile with InvsCov/instrument-cc/c++
  7. fuzz this last binary with AFLplusplus/afl-fuzz

But I have a small question. What if we want to fuzz a target program that is compiled by a Makefile and consists of many project files? In this case, what should I do to fuzz such complex programs? Specifically, I don't know how to do steps 2, 3 and 4 for such a complex project.
I successfully used invscov to fuzz some very simple demos, but I was very confused about using it to fuzz other complex projects.
Looking forward to your reply :)

Consider using the latest AFLplusplus

The release code uses AFLplusplus 2.65c, which is a bit old. Now the latest AFLplusplus version is 3.14c. I want to replace the 2.65c version with the latest 3.14c version. Is it OK to patch the differences that diff shows? Any suggestions for me? Thanks a lot.
The diff tool shows that:

$ diff -ru AFLplusplus AFLplusplus-2.65c/
diff -ru AFLplusplus/llvm_mode/afl-clang-fast.c AFLplusplus-2.65c/llvm_mode/afl-clang-fast.c
--- AFLplusplus/llvm_mode/afl-clang-fast.c	2021-11-19 08:31:53.637050904 +0800
+++ AFLplusplus-2.65c/llvm_mode/afl-clang-fast.c	2020-05-15 14:36:51.000000000 +0800
@@ -584,11 +584,9 @@
 
     be_quiet = 1;
 
-  instrument_mode = INSTRUMENT_DEFAULT;
-
-/*#ifdef USE_TRACE_PC
+#ifdef USE_TRACE_PC
   instrument_mode = INSTRUMENT_PCGUARD;
-#endif*/
+#endif
 
   if (getenv("USE_TRACE_PC") || getenv("AFL_USE_TRACE_PC") ||
       getenv("AFL_LLVM_USE_TRACE_PC") || getenv("AFL_TRACE_PC")) {
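Review bot: this diff was generated with the modified tree as the first argument (`diff -ru AFLplusplus AFLplusplus-2.65c/`), so the invscov edits appear as `-` lines and the pristine 2.65c lines as `+`; applied as-is to another tree it would undo the changes. Regenerate it as `diff -ru AFLplusplus-2.65c AFLplusplus` (or apply with `patch -R`) before porting. Within the hunk, the unconditional `instrument_mode = INSTRUMENT_DEFAULT;` followed by the `#ifdef USE_TRACE_PC` block left inside a `/* */` comment silently drops build-time selection of PCGUARD while the `getenv("USE_TRACE_PC")` checks just below keep working; delete the dead block instead of commenting it out and add a one-line comment saying why PCGUARD must not be the default. Also note that in the 3.x series `llvm_mode/afl-clang-fast.c` no longer exists (the compiler wrappers were merged into `src/afl-cc.c`), so this hunk will not apply by path to 3.14c.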
diff -ru AFLplusplus/llvm_mode/afl-llvm-pass.so.cc AFLplusplus-2.65c/llvm_mode/afl-llvm-pass.so.cc
--- AFLplusplus/llvm_mode/afl-llvm-pass.so.cc	2021-11-19 08:31:53.637050904 +0800
+++ AFLplusplus-2.65c/llvm_mode/afl-llvm-pass.so.cc	2020-05-15 14:36:51.000000000 +0800
@@ -266,12 +266,7 @@
     AFLPrevLoc = new GlobalVariable(
         M, Int32Ty, false, GlobalValue::ExternalLinkage, 0, "__afl_prev_loc");
 #else
-  //AFLPrevLoc = new GlobalVariable(
-  //    M, Int32Ty, false, GlobalValue::ExternalLinkage, 0, "__afl_prev_loc", 0,
-  //    GlobalVariable::GeneralDynamicTLSModel, 0, false);
-  AFLPrevLoc = M.getGlobalVariable("__afl_prev_loc");
-	if (AFLPrevLoc == nullptr)
-	  AFLPrevLoc = new GlobalVariable(
+  AFLPrevLoc = new GlobalVariable(
       M, Int32Ty, false, GlobalValue::ExternalLinkage, 0, "__afl_prev_loc", 0,
       GlobalVariable::GeneralDynamicTLSModel, 0, false);
 #endif
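Review bot: the lookup-before-create for `__afl_prev_loc` (`M.getGlobalVariable("__afl_prev_loc")`, then `new GlobalVariable` only when the result is null) is applied only in the `#else` branch; the branch above it, visible in the context lines `AFLPrevLoc = new GlobalVariable(M, Int32Ty, false, GlobalValue::ExternalLinkage, 0, "__afl_prev_loc");`, still creates the global unconditionally, so whatever duplicate-definition problem motivated the change will still occur on targets that take the first branch. Apply the same guard there. The new `if (AFLPrevLoc == nullptr)` line and the one after it are tab-indented while the file uses two spaces, and the three commented-out lines above them should be deleted rather than kept. When re-applying to 3.x, this file lives at `instrumentation/afl-llvm-pass.so.cc`, so the path needs adjusting.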
diff -ru AFLplusplus/src/afl-common.c AFLplusplus-2.65c/src/afl-common.c
--- AFLplusplus/src/afl-common.c	2021-11-19 15:01:11.153806707 +0800
+++ AFLplusplus-2.65c/src/afl-common.c	2020-05-15 14:36:51.000000000 +0800
@@ -884,6 +884,7 @@
   timeout.tv_sec = (timeout_ms / 1000);
   timeout.tv_usec = (timeout_ms % 1000) * 1000;
 
+  size_t read_total = 0;
   size_t len_read = 0;
 
   while (len_read < len) {
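Review bot: deleting `size_t read_total = 0;` only removes a write-only accumulator (the function never reads it back), so loop behaviour is unchanged, but it is an unrelated cleanup inside a patch whose purpose is invariant feedback. Unrelated edits make the port to 3.14c harder to reason about and to diff against upstream; either drop this hunk from the port or commit it separately with its own message.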
@@ -906,6 +907,7 @@
 
     len_read = read(fd, ((u8 *)buf) + len_read, len - len_read);
     if (!len_read) { return 0; }
+    read_total += len_read;
 
   }
 
diff -ru AFLplusplus/src/afl-fuzz-one.c AFLplusplus-2.65c/src/afl-fuzz-one.c
--- AFLplusplus/src/afl-fuzz-one.c	2021-11-19 08:31:53.641050896 +0800
+++ AFLplusplus-2.65c/src/afl-fuzz-one.c	2020-05-15 14:36:51.000000000 +0800
@@ -488,8 +488,6 @@
 
     if (afl->queue_cur->cal_failed < CAL_CHANCES) {
 
-      afl->queue_cur->exec_cksum = 0;
-
       res =
           calibrate_case(afl, afl->queue_cur, in_buf, afl->queue_cycle - 1, 0);
 
@@ -2638,8 +2636,6 @@
 
     if (afl->queue_cur->cal_failed < CAL_CHANCES) {
 
-      afl->queue_cur->exec_cksum = 0;
-
       res =
           calibrate_case(afl, afl->queue_cur, in_buf, afl->queue_cycle - 1, 0);
 
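Review bot: this is the second verbatim copy of the `afl->queue_cur->exec_cksum = 0;` reset, with identical surrounding context (`cal_failed < CAL_CHANCES` followed by `calibrate_case(afl, afl->queue_cur, in_buf, afl->queue_cycle - 1, 0)`), the first being at `@@ -488` in the same file. Move the reset into the one place both call sites share (the `calibrate_case` entry for a previously failed case, or a small helper) so the two copies cannot drift apart, and so a port only has to locate one site rather than hunting for every `fuzz_one` variant in 3.14c.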

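Since the post asks whether the differences shown can simply be patched onto 3.14c, the script below is an added example (not code from invscov or from AFL++) of producing a patch in the forward direction and checking which side a local edit landed on before applying it. The diff above was run with the modified tree as the first argument, so its own changes show as `-` lines; a patch meant for a newer tree needs the pristine tree first. The two trees and the marker line are constructed stand-ins, not AFL++ sources.

```shell
#!/bin/sh
# Added example (not invscov or AFL++ code): build a forward-oriented patch
# from a modified tree and verify which side the local edits land on.
# The issue above ran `diff -ru AFLplusplus AFLplusplus-2.65c/` with the
# modified tree first, so its changes show as '-' lines. The trees and the
# marker line below are constructed stand-ins.
set -eu

# Create pristine tree $1/$2 and modified tree $1/$3 with one file each; the
# modified copy adds a marker line so orientation is observable.
make_sample_trees() {
  mkdir -p "$1/$2/src" "$1/$3/src"
  printf 'int a;\nint b;\n' > "$1/$2/src/f.c"
  printf 'int a;\nint marker_added_locally;\nint b;\n' > "$1/$3/src/f.c"
}

# Write a unified patch from tree $2 to tree $3, both under parent $1, to $4.
# Running diff from the parent keeps paths relative so `patch -p1` applies it.
# diff exits 1 when the trees differ; only exit 2 (an error) is fatal.
make_patch() {
  (cd "$1" && diff -ruN "$2" "$3") > "$4" || [ $? -eq 1 ]
}

# Print "plus" if a line containing $2 is added by patch $1, "minus" if it
# is removed, "none" if it does not occur in any changed line.
patch_side_of() {
  if grep -q "^+.*$2" "$1"; then echo plus
  elif grep -q "^-.*$2" "$1"; then echo minus
  else echo none
  fi
}

# Dry-run patch $1 against tree $2; exit status 0 means it would apply cleanly.
patch_would_apply() {
  patch --dry-run -p1 -d "$2" < "$1" > /dev/null
}

# Stand-alone demo: PATCH_DEMO=1 sh this_script.sh
if [ "${PATCH_DEMO:-0}" = 1 ]; then
  tmp=$(mktemp -d)
  make_sample_trees "$tmp" pristine modified
  make_patch "$tmp" pristine modified "$tmp/forward.patch"
  echo "marker appears on the $(patch_side_of "$tmp/forward.patch" marker_added_locally) side"
  make_patch "$tmp" modified pristine "$tmp/reversed.patch"
  echo "with arguments swapped it appears on the $(patch_side_of "$tmp/reversed.patch" marker_added_locally) side"
fi
```

For the real port, run the diff as `diff -ruN AFLplusplus-2.65c AFLplusplus > invscov.patch` from the directory that contains both trees, then `patch --dry-run -p1 -d AFLplusplus-3.14c < invscov.patch`; rejected hunks will point at the files that moved between 2.65c and 3.x and need to be re-applied by hand.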