ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-08 00:01:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

add Nyx support in various tools (like afl-cmin)

Browse Source
This commit is contained in:
Sergej Schumilo 2023-04-14 02:25:33 +02:00
parent 824385f52c
commit eefd98f374
9 changed files with 330 additions and 74 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
afl-cmin
View File

@ -109,6 +109,7 @@ function usage() {
" -O - use binary-only instrumentation (FRIDA mode)\n" \
" -Q - use binary-only instrumentation (QEMU mode)\n" \
" -U - use unicorn-based instrumentation (unicorn mode)\n" \
" -X - use Nyx mode\n" \
"\n" \
"Minimization settings:\n" \
" -A - allow crashes and timeouts (not recommended)\n" \
@ -156,7 +157,7 @@ BEGIN {
# process options
Opterr = 1 # default is to diagnose
Optind = 1 # skip ARGV[0]
while ((_go_c = getopt(ARGC, ARGV, "hi:o:f:m:t:eACOQU?")) != -1) {
while ((_go_c = getopt(ARGC, ARGV, "hi:o:f:m:t:eACOQUX?")) != -1) {
if (_go_c == "i") {
if (!Optarg) usage()
if (in_dir) { print "Option "_go_c" is only allowed once" > "/dev/stderr"}
@ -217,6 +218,12 @@ BEGIN {
extra_par = extra_par " -U"
unicorn_mode = 1
continue
} else
if (_go_c == "X") {
if (nyx_mode) { print "Option "_go_c" is only allowed once" > "/dev/stderr"}
extra_par = extra_par " -X"
nyx_mode = 1
continue
} else
if (_go_c == "?") {
exit 1
@ -291,7 +298,8 @@ BEGIN {
exit 1
}
if (target_bin && !exists_and_is_executable(target_bin)) {
if (!nyx_mode && target_bin && !exists_and_is_executable(target_bin)) {
"command -v "target_bin" 2>/dev/null" | getline tnew
if (!tnew || !exists_and_is_executable(tnew)) {
@ -311,7 +319,7 @@ BEGIN {
}
}
if (!ENVIRON["AFL_SKIP_BIN_CHECK"] && !qemu_mode && !frida_mode && !unicorn_mode) {
if (!ENVIRON["AFL_SKIP_BIN_CHECK"] && !qemu_mode && !frida_mode && !unicorn_mode && !nyx_mode) {
if (0 != system( "grep -q __AFL_SHM_ID "target_bin )) {
print "[-] Error: binary '"target_bin"' doesn't appear to be instrumented." > "/dev/stderr"
exit 1

6
include/common.h
View File

@ -147,5 +147,11 @@ s32 create_file(u8 *fn);
void *afl_memmem(const void *haystack, size_t haystacklen, const void *needle,
size_t needlelen);
#ifdef __linux__
/* Nyx helper functions to create and remove tmp workdirs */
char* create_nyx_tmp_workdir(void);
void remove_nyx_tmp_workdir(char* nyx_out_dir_path);
#endif
#endif

3
include/forkserver.h
View File

@ -75,6 +75,9 @@ typedef struct {
} nyx_plugin_handler_t;
/* Imports helper functions to enable Nyx mode (Linux only )*/
nyx_plugin_handler_t *afl_load_libnyx_plugin(u8 *libnyx_binary);
#endif
typedef struct afl_forkserver {

64
src/afl-analyze.c
View File

@ -121,9 +121,9 @@ static void kill_child() {
}
static void classify_counts(u8 *mem) {
static void classify_counts(u8 *mem, u32 mem_size) {
u32 i = map_size;
u32 i = mem_size;
if (edges_only) {
@ -222,7 +222,7 @@ static u64 analyze_run_target(u8 *mem, u32 len, u8 first_run) {
}
classify_counts(fsrv.trace_bits);
classify_counts(fsrv.trace_bits, fsrv.map_size);
total_execs++;
if (stop_soon) {
@ -768,6 +768,7 @@ static void usage(u8 *argv0) {
" -U - use unicorn-based instrumentation (Unicorn mode)\n"
" -W - use qemu-based instrumentation with Wine (Wine "
"mode)\n"
" -X - use Nyx mode\n"
#endif
"\n"
@ -814,7 +815,7 @@ int main(int argc, char **argv_orig, char **envp) {
afl_fsrv_init(&fsrv);
while ((opt = getopt(argc, argv, "+i:f:m:t:eAOQUWh")) > 0) {
while ((opt = getopt(argc, argv, "+i:f:m:t:eAOQUWXh")) > 0) {
switch (opt) {
@ -965,6 +966,22 @@ int main(int argc, char **argv_orig, char **envp) {
fsrv.mem_limit = mem_limit;
break;
#ifdef __linux__
case 'X': /* NYX mode */
if (fsrv.nyx_mode) { FATAL("Multiple -X options not supported"); }
fsrv.nyx_mode = 1;
fsrv.nyx_parent = true;
fsrv.nyx_standalone = true;
break;
#else
case 'X':
FATAL("Nyx mode is only availabe on linux...");
break;
#endif
case 'h':
usage(argv[0]);
@ -997,7 +1014,17 @@ int main(int argc, char **argv_orig, char **envp) {
set_up_environment(argv);
#ifdef __linux__
if(!fsrv.nyx_mode){
fsrv.target_path = find_binary(argv[optind]);
}
else{
fsrv.target_path = ck_strdup(argv[optind]);
}
#else
fsrv.target_path = find_binary(argv[optind]);
#endif
fsrv.trace_bits = afl_shm_init(&shm, map_size, 0);
detect_file_args(argv + optind, fsrv.out_file, &use_stdin);
signal(SIGALRM, kill_child);
@ -1020,6 +1047,23 @@ int main(int argc, char **argv_orig, char **envp) {
use_argv = get_cs_argv(argv[0], &target_path, argc - optind, argv + optind);
#ifdef __linux__
} else if (fsrv.nyx_mode) {
fsrv.nyx_id = 0;
u8 *libnyx_binary = find_afl_binary(argv[0], "libnyx.so");
fsrv.nyx_handlers = afl_load_libnyx_plugin(libnyx_binary);
if (fsrv.nyx_handlers == NULL) {
FATAL("failed to initialize libnyx.so...");
}
fsrv.out_dir_path = create_nyx_tmp_workdir();
fsrv.nyx_bind_cpu_id = 0;
use_argv = argv + optind;
#endif
} else {
use_argv = argv + optind;
@ -1045,7 +1089,13 @@ int main(int argc, char **argv_orig, char **envp) {
&fsrv, NULL, NULL, (fsrv.qemu_mode || unicorn_mode) ? SIGKILL : SIGTERM);
read_initial_file();
#ifdef __linux__
if(!fsrv.nyx_mode){
(void)check_binary_signatures(fsrv.target_path);
}
#else
(void)check_binary_signatures(fsrv.target_path);
#endif
ACTF("Performing dry run (mem limit = %llu MB, timeout = %u ms%s)...",
mem_limit, exec_tmout, edges_only ? ", edges only" : "");
@ -1069,6 +1119,12 @@ int main(int argc, char **argv_orig, char **envp) {
OKF("We're done here. Have a nice day!\n");
#ifdef __linux__
if (fsrv.nyx_mode) {
remove_nyx_tmp_workdir(fsrv.out_dir_path);
}
#endif
afl_shm_deinit(&shm);
afl_fsrv_deinit(&fsrv);
if (fsrv.target_path) { ck_free(fsrv.target_path); }

31
src/afl-common.c
View File

@ -1359,3 +1359,34 @@ s32 create_file(u8 *fn) {
}
#ifdef __linux__
/* Nyx requires a tmp workdir to access specific files (such as mmapped files,
* etc.). This helper function basically creates both a path to a tmp workdir
* and the workdir itself. If the environment variable TMPDIR is set, we use
* that as the base directory, otherwise we use /tmp. */
char* create_nyx_tmp_workdir(void) {
char *tmpdir = getenv("TMPDIR");
if (!tmpdir) { tmpdir = "/tmp"; }
char* nyx_out_dir_path = alloc_printf("%s/.nyx_tmp_%d/", tmpdir, (u32)getpid());
if (mkdir(nyx_out_dir_path, 0700)) {
PFATAL("Unable to create nyx workdir");
}
return nyx_out_dir_path;
}
/* Vice versa, we remove the tmp workdir for nyx with this helper function. */
void remove_nyx_tmp_workdir(char* nyx_out_dir_path) {
/* Fix me: This is not recursive, so it will always fail. Use a libnyx helper function instead
* to remove the workdir safely (and not risking to wipe the whole filesystem accidentally). */
//if (rmdir(nyx_out_dir_path)) {
// PFATAL("Unable to remove nyx workdir");
//}
free(nyx_out_dir_path);
}
#endif

65
src/afl-forkserver.c
View File

@ -49,6 +49,71 @@
#include <sys/select.h>
#include <sys/stat.h>
#ifdef __linux__
#include <dlfcn.h>
/* function to load nyx_helper function from libnyx.so */
nyx_plugin_handler_t *afl_load_libnyx_plugin(u8 *libnyx_binary) {
void *handle;
nyx_plugin_handler_t *plugin = calloc(1, sizeof(nyx_plugin_handler_t));
ACTF("Trying to load libnyx.so plugin...");
handle = dlopen((char *)libnyx_binary, RTLD_NOW);
if (!handle) { goto fail; }
plugin->nyx_new = dlsym(handle, "nyx_new");
if (plugin->nyx_new == NULL) { goto fail; }
plugin->nyx_new_parent = dlsym(handle, "nyx_new_parent");
if (plugin->nyx_new_parent == NULL) { goto fail; }
plugin->nyx_new_child = dlsym(handle, "nyx_new_child");
if (plugin->nyx_new_child == NULL) { goto fail; }
plugin->nyx_shutdown = dlsym(handle, "nyx_shutdown");
if (plugin->nyx_shutdown == NULL) { goto fail; }
plugin->nyx_option_set_reload_mode =
dlsym(handle, "nyx_option_set_reload_mode");
if (plugin->nyx_option_set_reload_mode == NULL) { goto fail; }
plugin->nyx_option_set_timeout = dlsym(handle, "nyx_option_set_timeout");
if (plugin->nyx_option_set_timeout == NULL) { goto fail; }
plugin->nyx_option_apply = dlsym(handle, "nyx_option_apply");
if (plugin->nyx_option_apply == NULL) { goto fail; }
plugin->nyx_set_afl_input = dlsym(handle, "nyx_set_afl_input");
if (plugin->nyx_set_afl_input == NULL) { goto fail; }
plugin->nyx_exec = dlsym(handle, "nyx_exec");
if (plugin->nyx_exec == NULL) { goto fail; }
plugin->nyx_get_bitmap_buffer = dlsym(handle, "nyx_get_bitmap_buffer");
if (plugin->nyx_get_bitmap_buffer == NULL) { goto fail; }
plugin->nyx_get_bitmap_buffer_size =
dlsym(handle, "nyx_get_bitmap_buffer_size");
if (plugin->nyx_get_bitmap_buffer_size == NULL) { goto fail; }
plugin->nyx_get_aux_string = dlsym(handle, "nyx_get_aux_string");
if (plugin->nyx_get_aux_string == NULL) { goto fail; }
OKF("libnyx plugin is ready!");
return plugin;
fail:
FATAL("failed to load libnyx: %s\n", dlerror());
free(plugin);
return NULL;
}
#endif
/**
* The correct fds for reading and writing pipes
*/

63
src/afl-fuzz.c
View File

@ -436,69 +436,6 @@ static void fasan_check_afl_preload(char *afl_preload) {
}
#ifdef __linux__
#include <dlfcn.h>
nyx_plugin_handler_t *afl_load_libnyx_plugin(u8 *libnyx_binary) {
void *handle;
nyx_plugin_handler_t *plugin = calloc(1, sizeof(nyx_plugin_handler_t));
ACTF("Trying to load libnyx.so plugin...");
handle = dlopen((char *)libnyx_binary, RTLD_NOW);
if (!handle) { goto fail; }
plugin->nyx_new = dlsym(handle, "nyx_new");
if (plugin->nyx_new == NULL) { goto fail; }
plugin->nyx_new_parent = dlsym(handle, "nyx_new_parent");
if (plugin->nyx_new_parent == NULL) { goto fail; }
plugin->nyx_new_child = dlsym(handle, "nyx_new_child");
if (plugin->nyx_new_child == NULL) { goto fail; }
plugin->nyx_shutdown = dlsym(handle, "nyx_shutdown");
if (plugin->nyx_shutdown == NULL) { goto fail; }
plugin->nyx_option_set_reload_mode =
dlsym(handle, "nyx_option_set_reload_mode");
if (plugin->nyx_option_set_reload_mode == NULL) { goto fail; }
plugin->nyx_option_set_timeout = dlsym(handle, "nyx_option_set_timeout");
if (plugin->nyx_option_set_timeout == NULL) { goto fail; }
plugin->nyx_option_apply = dlsym(handle, "nyx_option_apply");
if (plugin->nyx_option_apply == NULL) { goto fail; }
plugin->nyx_set_afl_input = dlsym(handle, "nyx_set_afl_input");
if (plugin->nyx_set_afl_input == NULL) { goto fail; }
plugin->nyx_exec = dlsym(handle, "nyx_exec");
if (plugin->nyx_exec == NULL) { goto fail; }
plugin->nyx_get_bitmap_buffer = dlsym(handle, "nyx_get_bitmap_buffer");
if (plugin->nyx_get_bitmap_buffer == NULL) { goto fail; }
plugin->nyx_get_bitmap_buffer_size =
dlsym(handle, "nyx_get_bitmap_buffer_size");
if (plugin->nyx_get_bitmap_buffer_size == NULL) { goto fail; }
plugin->nyx_get_aux_string = dlsym(handle, "nyx_get_aux_string");
if (plugin->nyx_get_aux_string == NULL) { goto fail; }
OKF("libnyx plugin is ready!");
return plugin;
fail:
FATAL("failed to load libnyx: %s\n", dlerror());
free(plugin);
return NULL;
}
#endif
/* Main entry point */
int main(int argc, char **argv_orig, char **envp) {

99
src/afl-showmap.c
View File

@ -434,6 +434,20 @@ static u32 read_file(u8 *in_file) {
}
#ifdef __linux__
/* Execute the target application with an empty input (in Nyx mode). */
static void showmap_run_target_nyx_mode(afl_forkserver_t *fsrv) {
afl_fsrv_write_to_testcase(fsrv, NULL, 0);
if (afl_fsrv_run_target(fsrv, fsrv->exec_tmout, &stop_soon) ==
FSRV_RUN_ERROR) {
FATAL("Error running target in Nyx mode");
}
}
#endif
/* Execute target application. */
static void showmap_run_target(afl_forkserver_t *fsrv, char **argv) {
@ -797,6 +811,7 @@ static void usage(u8 *argv0) {
" -W - use qemu-based instrumentation with Wine (Wine mode)\n"
" (Not necessary, here for consistency with other afl-* "
"tools)\n"
" -X - use Nyx mode\n"
#endif
"\n"
"Other settings:\n"
@ -875,7 +890,7 @@ int main(int argc, char **argv_orig, char **envp) {
if (getenv("AFL_QUIET") != NULL) { be_quiet = true; }
while ((opt = getopt(argc, argv, "+i:o:f:m:t:AeqCZOH:QUWbcrsh")) > 0) {
while ((opt = getopt(argc, argv, "+i:o:f:m:t:AeqCZOH:QUWbcrshX")) > 0) {
switch (opt) {
@ -1063,6 +1078,22 @@ int main(int argc, char **argv_orig, char **envp) {
break;
#ifdef __linux__
case 'X': /* NYX mode */
if (fsrv->nyx_mode) { FATAL("Multiple -X options not supported"); }
fsrv->nyx_mode = 1;
fsrv->nyx_parent = true;
fsrv->nyx_standalone = true;
break;
#else
case 'X':
FATAL("Nyx mode is only availabe on linux...");
break;
#endif
case 'b':
/* Secret undocumented mode. Writes output in raw binary format
@ -1134,7 +1165,17 @@ int main(int argc, char **argv_orig, char **envp) {
set_up_environment(fsrv, argv);
#ifdef __linux__
if(!fsrv->nyx_mode){
fsrv->target_path = find_binary(argv[optind]);
}
else{
fsrv->target_path = ck_strdup(argv[optind]);
}
#else
fsrv->target_path = find_binary(argv[optind]);
#endif
fsrv->trace_bits = afl_shm_init(&shm, map_size, 0);
if (!quiet_mode) {
@ -1190,6 +1231,26 @@ int main(int argc, char **argv_orig, char **envp) {
use_argv =
get_cs_argv(argv[0], &fsrv->target_path, argc - optind, argv + optind);
#ifdef __linux__
} else if (fsrv->nyx_mode) {
use_argv = ck_alloc(sizeof(char *) * (1));
use_argv[0] = argv[0];
fsrv->nyx_id = 0;
u8 *libnyx_binary = find_afl_binary(use_argv[0], "libnyx.so");
fsrv->nyx_handlers = afl_load_libnyx_plugin(libnyx_binary);
if (fsrv->nyx_handlers == NULL) {
FATAL("failed to initialize libnyx.so...");
}
fsrv->out_dir_path = create_nyx_tmp_workdir();
fsrv->nyx_bind_cpu_id = 0;
#endif
} else {
use_argv = argv + optind;
@ -1226,7 +1287,13 @@ int main(int argc, char **argv_orig, char **envp) {
}
#ifdef __linux__
if(!fsrv->nyx_mode && in_dir){
(void)check_binary_signatures(fsrv->target_path);
}
#else
if (in_dir) { (void)check_binary_signatures(fsrv->target_path); }
#endif
shm_fuzz = ck_alloc(sizeof(sharedmem_t));
@ -1247,7 +1314,13 @@ int main(int argc, char **argv_orig, char **envp) {
fsrv->shmem_fuzz = map + sizeof(u32);
configure_afl_kill_signals(
fsrv, NULL, NULL, (fsrv->qemu_mode || unicorn_mode) ? SIGKILL : SIGTERM);
fsrv, NULL, NULL, (fsrv->qemu_mode || unicorn_mode
#ifdef __linux__
|| fsrv->nyx_mode
#endif
)
? SIGKILL
: SIGTERM);
if (!fsrv->cs_mode && !fsrv->qemu_mode && !unicorn_mode) {
@ -1370,6 +1443,12 @@ int main(int argc, char **argv_orig, char **envp) {
if (execute_testcases(in_dir) == 0) {
#ifdef __linux__
if (fsrv->nyx_mode) {
remove_nyx_tmp_workdir(fsrv->out_dir_path);
fsrv->nyx_handlers->nyx_shutdown(fsrv->nyx_runner);
}
#endif
FATAL("could not read input testcases from %s", in_dir);
}
@ -1390,7 +1469,15 @@ int main(int argc, char **argv_orig, char **envp) {
if (fsrv->support_shmem_fuzz && !fsrv->use_shmem_fuzz)
shm_fuzz = deinit_shmem(fsrv, shm_fuzz);
showmap_run_target(fsrv, use_argv);
#ifdef __linux__
if(!fsrv->nyx_mode){
#endif
showmap_run_target(fsrv, use_argv);
#ifdef __linux__
} else {
showmap_run_target_nyx_mode(fsrv);
}
#endif
tcnt = write_results_to_file(fsrv, out_file);
if (!quiet_mode) {
@ -1441,6 +1528,12 @@ int main(int argc, char **argv_orig, char **envp) {
if (fsrv->target_path) { ck_free(fsrv->target_path); }
#ifdef __linux__
if (fsrv->nyx_mode) {
remove_nyx_tmp_workdir(fsrv->out_dir_path);
}
#endif
afl_fsrv_deinit(fsrv);
if (stdin_file) { ck_free(stdin_file); }

59
src/afl-tmin.c
View File

@ -789,6 +789,7 @@ static void usage(u8 *argv0) {
"mode)\n"
" (Not necessary, here for consistency with other afl-* "
"tools)\n"
" -X - use Nyx mode\n"
#endif
"\n"
@ -845,7 +846,7 @@ int main(int argc, char **argv_orig, char **envp) {
SAYF(cCYA "afl-tmin" VERSION cRST " by Michal Zalewski\n");
while ((opt = getopt(argc, argv, "+i:o:f:m:t:B:xeAOQUWHh")) > 0) {
while ((opt = getopt(argc, argv, "+i:o:f:m:t:B:xeAOQUWXHh")) > 0) {
switch (opt) {
@ -1003,6 +1004,22 @@ int main(int argc, char **argv_orig, char **envp) {
break;
#ifdef __linux__
case 'X': /* NYX mode */
if (fsrv->nyx_mode) { FATAL("Multiple -X options not supported"); }
fsrv->nyx_mode = 1;
fsrv->nyx_parent = true;
fsrv->nyx_standalone = true;
break;
#else
case 'X':
FATAL("Nyx mode is only availabe on linux...");
break;
#endif
case 'H': /* Hang Mode */
/* Minimizes a testcase to the minimum that still times out */
@ -1068,7 +1085,17 @@ int main(int argc, char **argv_orig, char **envp) {
set_up_environment(fsrv, argv);
#ifdef __linux__
if(!fsrv->nyx_mode){
fsrv->target_path = find_binary(argv[optind]);
}
else{
fsrv->target_path = ck_strdup(argv[optind]);
}
#else
fsrv->target_path = find_binary(argv[optind]);
#endif
fsrv->trace_bits = afl_shm_init(&shm, map_size, 0);
detect_file_args(argv + optind, out_file, &fsrv->use_stdin);
signal(SIGALRM, kill_child);
@ -1092,6 +1119,23 @@ int main(int argc, char **argv_orig, char **envp) {
use_argv =
get_cs_argv(argv[0], &fsrv->target_path, argc - optind, argv + optind);
#ifdef __linux__
} else if (fsrv->nyx_mode) {
fsrv->nyx_id = 0;
u8 *libnyx_binary = find_afl_binary(argv[0], "libnyx.so");
fsrv->nyx_handlers = afl_load_libnyx_plugin(libnyx_binary);
if (fsrv->nyx_handlers == NULL) {
FATAL("failed to initialize libnyx.so...");
}
fsrv->out_dir_path = create_nyx_tmp_workdir();
fsrv->nyx_bind_cpu_id = 0;
use_argv = argv + optind;
#endif
} else {
use_argv = argv + optind;
@ -1161,7 +1205,14 @@ int main(int argc, char **argv_orig, char **envp) {
fsrv->shmem_fuzz = map + sizeof(u32);
read_initial_file();
#ifdef __linux__
if(!fsrv->nyx_mode){
(void)check_binary_signatures(fsrv->target_path);
}
#else
(void)check_binary_signatures(fsrv->target_path);
#endif
if (!fsrv->qemu_mode && !unicorn_mode) {
@ -1265,6 +1316,12 @@ int main(int argc, char **argv_orig, char **envp) {
OKF("We're done here. Have a nice day!\n");
#ifdef __linux__
if (fsrv->nyx_mode) {
remove_nyx_tmp_workdir(fsrv->out_dir_path);
}
#endif
remove_shm = 0;
afl_shm_deinit(&shm);
if (fsrv->use_shmem_fuzz) shm_fuzz = deinit_shmem(fsrv, shm_fuzz);