ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-11 17:51:32 +00:00
Code Issues Packages Projects Releases Wiki Activity

updated binary_fuzzing document

Browse Source
This commit is contained in:
van Hauser
2020-01-27 13:06:00 +01:00
parent 3374ada561
commit 17f0aad0f0
1 changed files with 56 additions and 47 deletions
Download Patch File Download Diff File Expand all files Collapse all files

103
docs/binaryonly_fuzzing.txt → docs/binaryonly_fuzzing.md
View File

@ -1,6 +1,4 @@
Fuzzing binary-only programs with afl++
=======================================
#Fuzzing binary-only programs with afl++
afl++, libfuzzer and others are great if you have the source code, and
it allows for very fast and coverage guided fuzzing.
@ -16,36 +14,42 @@ TL;DR: try DYNINST with afl-dyninst. If it produces too many crashes then
!!!!!
QEMU
----
##QEMU
Qemu is the "native" solution to the program.
It is available in the ./qemu_mode/ directory and once compiled it can
be accessed by the afl-fuzz -Q command line option.
The speed decrease is at about 50%
It is the easiest to use alternative and even works for cross-platform binaries.
Note that there is also honggfuzz: [https://github.com/google/honggfuzz](https://github.com/google/honggfuzz)
which now has a qemu_mode, but its performance is just 1.5%!
As it is included in afl++ this needs no URL.
WINE+QEMU
---------
##WINE+QEMU
Wine mode can run Win32 PE binaries with the QEMU instrumentation.
It needs Wine, python3 and the pefile python package installed.
UNICORN
-------
As it is included in afl++ this needs no URL.
##UNICORN
Unicorn is a fork of QEMU. The instrumentation is, therefore, very similar.
In contrast to QEMU, Unicorn does not offer a full system or even userland emulation.
Runtime environment and/or loaders have to be written from scratch, if needed.
On top, block chaining has been removed. This means the speed boost introduced in
the patched QEMU Mode of afl++ cannot simply be ported over to Unicorn.
For further information, check out ./unicorn_mode.txt.
In contrast to QEMU, Unicorn does not offer a full system or even userland
emulation. Runtime environment and/or loaders have to be written from scratch,
if needed. On top, block chaining has been removed. This means the speed boost
introduced in the patched QEMU Mode of afl++ cannot simply be ported over to
Unicorn. For further information, check out ./unicorn_mode.txt.
As it is included in afl++ this needs no URL.
DYNINST
-------
##DYNINST
Dyninst is a binary instrumentation framework similar to Pintool and Dynamorio
(see far below). However whereas Pintool and Dynamorio work at runtime, dyninst
instruments the target at load time, and then let it run.
instruments the target at load time, and then let it run - or save the
binary with the changes.
This is great for some things, e.g. fuzzing, and not so effective for others,
e.g. malware analysis.
@ -53,9 +57,9 @@ So what we can do with dyninst is taking every basic block, and put afl's
instrumention code in there - and then save the binary.
Afterwards we can just fuzz the newly saved target binary with afl-fuzz.
Sounds great? It is. The issue though - it is a non-trivial problem to
insert instructions, which change addresses in the process space, so
insert instructions, which change addresses in the process space, so that
everything is still working afterwards. Hence more often than not binaries
crash when they are run (because of instrumentation).
crash when they are run.
The speed decrease is about 15-35%, depending on the optimization options
used with afl-dyninst.
@ -63,11 +67,10 @@ used with afl-dyninst.
So if dyninst works, it is the best option available. Otherwise it just doesn't
work well.
https://github.com/vanhauser-thc/afl-dyninst
[https://github.com/vanhauser-thc/afl-dyninst](https://github.com/vanhauser-thc/afl-dyninst)
INTEL-PT
--------
##INTEL-PT
If you have a newer Intel CPU, you can make use of Intels processor trace.
The big issue with Intel's PT is the small buffer size and the complex
encoding of the debug information collected through PT.
@ -77,30 +80,39 @@ the implementation and other factors).
There are two afl intel-pt implementations:
1. https://github.com/junxzm1990/afl-pt
1. [https://github.com/junxzm1990/afl-pt](https://github.com/junxzm1990/afl-pt)
=> this needs Ubuntu 14.04.05 without any updates and the 4.4 kernel.
2. https://github.com/hunter-ht-2018/ptfuzzer
2. [https://github.com/hunter-ht-2018/ptfuzzer](https://github.com/hunter-ht-2018/ptfuzzer)
=> this needs a 4.14 or 4.15 kernel. the "nopti" kernel boot option must
be used. This one is faster than the other.
Note that there is also honggfuzz: https://github.com/google/honggfuzz
But its IPT performance is just 6%!
CORESIGHT
---------
##CORESIGHT
Coresight is ARM's answer to Intel's PT.
There is no implementation so far which handle coresight and getting
it working on an ARM Linux is very difficult due to custom kernel building
on embedded systems is difficult. And finding one that has coresight in
the ARM chip is difficult too.
My guess is that it is slower than Qemu, but faster than Intel PT.
If anyone finds any coresight implementation for afl please ping me:
vh@thc.org
PIN & DYNAMORIO
---------------
##FRIDA
Frida is a dynamic instrumentation engine like Pintool, Dyninst and Dynamorio.
What is special is that it is written Python, and scripted with Javascript.
It is mostly used to reverse binaries on mobile phones however can be used
everywhere.
There is a WIP fuzzer available at [https://github.com/andreafioraldi/frida-fuzzer](https://github.com/andreafioraldi/frida-fuzzer)
##PIN & DYNAMORIO
Pintool and Dynamorio are dynamic instrumentation engines, and they can be
used for getting basic block information at runtime.
Pintool is only available for Intel x32/x64 on Linux, Mac OS and Windows
@ -115,30 +127,27 @@ Hence Dynamorio is the option to go for if everything fails, and Pintool
only if Dynamorio fails too.
Dynamorio solutions:
https://github.com/vanhauser-thc/afl-dynamorio
https://github.com/mxmssh/drAFL
https://github.com/googleprojectzero/winafl/ <= very good but windows only
* [https://github.com/vanhauser-thc/afl-dynamorio](https://github.com/vanhauser-thc/afl-dynamorio)
* [https://github.com/mxmssh/drAFL](https://github.com/mxmssh/drAFL)
* [https://github.com/googleprojectzero/winafl/](https://github.com/googleprojectzero/winafl/) <= very good but windows only
Pintool solutions:
https://github.com/vanhauser-thc/afl-pin
https://github.com/mothran/aflpin
https://github.com/spinpx/afl_pin_mode <= only old Pintool version supported
* [https://github.com/vanhauser-thc/afl-pin](https://github.com/vanhauser-thc/afl-pin)
* [https://github.com/mothran/aflpin](https://github.com/mothran/aflpin)
* [https://github.com/spinpx/afl_pin_mode](https://github.com/spinpx/afl_pin_mode) <= only old Pintool version supported
Non-AFL solutions
-----------------
##Non-AFL solutions
There are many binary-only fuzzing frameworks.
Some are great for CTFs but don't work with large binaries, others are very
slow but have good path discovery, some are very hard to set-up ...
There are many binary-only fuzzing frameworks. Some are great for CTFs but don't
work with large binaries, others are very slow but have good path discovery,
some are very hard to set-up ...
QSYM: https://github.com/sslab-gatech/qsym
Manticore: https://github.com/trailofbits/manticore
S2E: https://github.com/S2E
<please send me any missing that are good>
* QSYM: [https://github.com/sslab-gatech/qsym](https://github.com/sslab-gatech/qsym)
* Manticore: [https://github.com/trailofbits/manticore](https://github.com/trailofbits/manticore)
* S2E: [https://github.com/S2E](https://github.com/S2E)
* <please send me any missing that are good>
## Closing words
That's it!
News, corrections, updates?
Email vh@thc.org
That's it! News, corrections, updates? Send an email to vh@thc.org