AFL hello world example
I'm trying to figure out how to use AFL, but I can't seem to get a simple example running.
Here is my C program:
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <assert.h>

/* Returns "moish" as soon as a space is seen after the first character,
   otherwise a pointer past the end of the string. */
char *remove_white_space(char *s)
{
    while (s && *s++)
        if (*s == ' ')
            return "moish";
    return s;
}

int main(int argc, char **argv)
{
    char buffer[256] = {0};
    /* AFL substitutes the mutated input file for @@ in argv[1]. */
    FILE *fl = fopen(argv[1], "rt");
    if (fl == NULL) return 0;
    assert(fscanf(fl, "%s", buffer) > 0);
    char *res = remove_white_space(buffer);
    if (strcmp(res, "a b c d") == 0)
    {
        assert(0);  /* the "crash" the fuzzer is supposed to find */
    }
    fclose(fl);
    return 0;
}
My input seed is a text file containing the single line abhgsd.
Here is what I did:
$ afl-gcc main.c -o main
afl-cc 2.56b by <lcamtuf@google.com>
afl-as 2.56b by <lcamtuf@google.com>
[+] Instrumented 62 locations (64-bit, non-hardened mode, ratio 100%).
$ afl-fuzz -i INPUTS/ -o OUTPUTS ./main @@
I get this red CAPITAL CRASH message:
afl-fuzz 2.56b by <lcamtuf@google.com>
[+] You have 8 CPU cores and 1 runnable tasks (utilization: 12%).
[+] Try parallel jobs - see /usr/local/share/doc/afl/parallel_fuzzing.txt.
[*] Checking CPU core loadout...
[+] Found a free CPU core, binding to #0.
[*] Checking core_pattern...
[-] Hmm, your system is configured to send core dump notifications to an
external utility. This will cause issues: there will be an extended delay
between stumbling upon a crash and having this information relayed to the
fuzzer via the standard waitpid() API.
To avoid having crashes misinterpreted as timeouts, please log in as root
and temporarily modify /proc/sys/kernel/core_pattern, like so:
echo core >/proc/sys/kernel/core_pattern
[-] PROGRAM ABORT : Pipe at the beginning of 'core_pattern'
Location : check_crash_handling(), afl-fuzz.c:7316
I'm reluctant to change something unless I'm sure what I'm doing.
What is going on here? Should I listen to what AFL is saying?
The answer is right in front of you:
log in as root and echo core >/proc/sys/kernel/core_pattern
You probably should change your core pattern, but you can change it back later. Many Linux distributions have a crash reporting service like apport, which relies on having core dumps from crashing processes piped to it via a core pattern like |/usr/share/apport/apport %p %s %c %d %P (see man 5 core). When the core pattern is set that way, every time a program crashes, apport is run and the core is fed to it on standard input. So if you change the core pattern to core, do your fuzzing, and then change the core pattern back to whatever it currently is, your distribution's crash reporter should resume its normal operation.
AFL may have an environment variable to disable this check, since I know environment variables exist that disable other pre-fuzzing checks (e.g. AFL_SKIP_CRASHES allows crashing inputs in the initial seeds), but this one is very cheap to just toggle.
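A small POSIX shell helper, added here as an example (it is not part of the question or the answer), that does the save/switch/restore sequence the answer describes: it records the current core_pattern, writes core, runs the fuzzing command, and puts the original value back even if afl-fuzz is interrupted. The names with_plain_core_pattern, core_pattern_is_piped and CORE_PATTERN_FILE are my own; writing the real /proc path needs root, so CORE_PATTERN_FILE can be pointed at a scratch file to try the logic out first.

```shell
#!/bin/sh
# Added example, not from the original post. Temporarily set
# kernel.core_pattern to "core" around a fuzzing run and restore it.
# CORE_PATTERN_FILE (assumed name) defaults to the real sysctl file;
# override it with a scratch file for a dry run without root.
CORE_PATTERN_FILE="${CORE_PATTERN_FILE:-/proc/sys/kernel/core_pattern}"

# Succeeds (exit 0) if the given pattern pipes dumps to a handler,
# i.e. starts with '|', which is exactly the case afl-fuzz refuses.
core_pattern_is_piped() {
    case "$1" in
        \|*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Run "$@" with core_pattern set to "core", then restore the saved value.
# The trap covers a normal exit, Ctrl-C and SIGTERM, so an interrupted
# fuzzing session does not leave the distribution's crash reporter disabled.
with_plain_core_pattern() {
    saved=$(cat "$CORE_PATTERN_FILE") || return 1
    trap 'printf "%s\n" "$saved" > "$CORE_PATTERN_FILE"; trap - EXIT INT TERM' EXIT INT TERM
    printf 'core\n' > "$CORE_PATTERN_FILE" || return 1
    "$@"
    rc=$?
    printf '%s\n' "$saved" > "$CORE_PATTERN_FILE"
    trap - EXIT INT TERM
    return $rc
}

# Typical use, as root:
#   with_plain_core_pattern afl-fuzz -i INPUTS/ -o OUTPUTS ./main @@
```

The current value can be inspected beforehand with cat /proc/sys/kernel/core_pattern; if core_pattern_is_piped reports it, the afl-fuzz abort shown above is expected until the wrapper (or the one-line echo from the answer) has switched it.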