An investigation of three fuzzers: American Fuzzy Lop++ (AFL), Honggfuzz, and Radamsa
AFL++ can be installed natively (which seems like such a pain that I skipped it) or run using their Docker image. I eventually realized I needed a bit more functionality than was included by default.
The docker run examples in this README will use the hare_afl Docker image as the "IMAGE". The procedures for the base AFL++ Docker image are listed below.
docker pull aflplusplus/aflplusplus:latest # Just use aflplusplus/aflplusplus as the docker run IMAGE (see: man docker-run)
docker image list # Verify you see "aflplusplus/aflplusplus latest"
HARE does some things that need additional functionality, and I got tired of repeating these steps manually. I wrote a Dockerfile that essentially adds Radamsa and syslog to aflplusplus/aflplusplus:latest.
docker build devops/docker/HARE_AFL/ --tag hare_afl:latest # Just use hare_afl:latest as the docker run IMAGE (see: man docker-run)
docker image list # Verify you see "hare_afl latest"
- From the host OS
# Build the HARE AFL Docker container (see: "HARE Docker Container" above)
docker run -ti --rm --mount type=tmpfs,destination=/ramdisk -e AFL_TMPDIR=/ramdisk -v `pwd`:/HARE hare_afl:latest # Start the container
- From the HARE AFL Docker container
cd /HARE # Use the hardy-remix directory as the working directory
make all # Build *all* the binaries
mkdir test/afl/input01/ # Input directory with test cases
mkdir test/afl/output01/ # Output directory for fuzzer findings
echo -n "some_file.txt" > test/afl/input01/test_input.txt # Create a test case
afl-fuzz -D -i test/afl/input01/ -o test/afl/output01/ dist/<BINARY TO FUZZ>.bin @@
afl-fuzz -D -t 10000 -i test/afl/input16a/ -o test/afl/output16a/ -M fuzzer01 dist/source08_test_harness_best_AFL.bin @@
ASAN_OPTIONS="log_path=/ramdisk/asan_log abort_on_error=1 symbolize=0" afl-fuzz -D -t 10000 -i test/afl/input17/ -o test/afl/output17/ dist/source08_test_harness_bad_AFL_ASAN.bin @@
ASAN_OPTIONS="log_path=/ramdisk/asan_log abort_on_error=1 symbolize=0" afl-fuzz -D -i test/afl/input21/ -o test/afl/output21/ dist/source08_test_harness_bad_AFL_ASAN.bin @@
- Watch it run
NOTE: Regarding <BINARY TO FUZZ>... there are multiple binaries to fuzz. Hopefully, the binaries are obviously named. The higher the "source??" number, the more mature the code is. The "source08" code represents the ultimate goal of this research: a "lite" Linux daemon to fuzz. I recommend focusing on the "test_harness" files. The "best" binaries should be error/crash/bug free. The "bad" binaries should have bugs for the fuzzer to find. TL;DR: you're probably looking for a dist binary that matches source08_test_harness_b*_AFL_*.bin.
afl-collect ../hardy-remix/test/output05_bad ../hardy-remix/test/test_collection/ -- ../hardy-remix/dist/source05_bad.bin @@
afl-vcrash ../hardy-remix/test/test_collection/ -- ../hardy-remix/dist/source05_bad.bin @@
- afl-utils - a set of utilities for automatic processing/analysis of crashes and reducing the number of test cases.
- afl-other-arch - is a set of patches and scripts for easily adding support for various non-x86 architectures for AFL.
- afl-trivia - a few small scripts to simplify the management of AFL.
- afl-monitor - a script for monitoring AFL.
- afl-manager - a web server on Python for managing multi-afl.
- afl-remote - a web server for the remote management of AFL instances.
- afl-extras - shell scripts to parallelize afl-tmin, startup, and data collection.
- Parallel Fuzzing
- afl-crash-analyzer - another crash analyzer for AFL.
- fuzzer-utils - a set of scripts for the analysis of results.
- atriage - a simple triage tool.
- afl-kit - afl-cmin on Python.
- AFLize - a tool that automatically generates builds of debian packages suitable for AFL.
- afl-fid - a set of tools for working with input data.
| Filename | Description |
|---|---|
| source01_*.c | Read input and print to stdout |
| source02_*.c | Print command line argument to stdout |
| source03_*.c | Compare input to a "password" file |
| source04_*.c | Read input, authenticate, and read file argument |
| source05_*.c | Get filename from argv[1], read, and print it |
| source06_*.c | Get filename from argv[1], read, and print it w/ Sanitizers |
| source07_*.c | Get filename from argv[1], read, and print it w/ AFL test harness & ASAN |
| source08_*.c | Launch a "lite" Linux daemon that moves/renames/logs a given file |
NOTE: All source files should have a 'bad' and 'best' version.
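As an added illustration of what a "best" test harness for the source05/source07 style target looks like (this is example code written for this README, not HARE's own source05/source07 code), the program below takes the file name that afl-fuzz substitutes for `@@` in argv[1], reads it into a fixed-size buffer with an explicit cap, rejects anything oversized rather than overrunning, and prints the contents with non-printable bytes escaped. The function names `read_input_file` and `render_printable` and the cap `MAX_INPUT` are this example's own choices. The `__AFL_INIT` / `__AFL_LOOP` block is AFL++'s persistent-mode API and is only compiled in under afl-clang-fast; with a plain compiler the body runs once.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_INPUT 4096  /* hard cap on bytes accepted from the fuzzer (example's choice) */

/* Read at most cap-1 bytes from path into buf and NUL-terminate it.
   Returns the number of bytes read, or -1 if the file is unreadable or
   holds more than cap-1 bytes (oversized input is rejected, not truncated). */
long read_input_file(const char *path, char *buf, size_t cap)
{
    if (path == NULL || buf == NULL || cap < 2)
        return -1;
    FILE *f = fopen(path, "rb");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, cap - 1, f);
    int oversized = (fgetc(f) != EOF);  /* any byte left means input exceeds the cap */
    fclose(f);
    if (oversized)
        return -1;
    buf[n] = '\0';
    return (long)n;
}

/* Render len bytes of in as printable ASCII into out (NUL-terminated),
   escaping every other byte as \xNN. Returns the number of characters the
   full rendering needs, like snprintf, so callers can detect truncation. */
size_t render_printable(const char *in, size_t len, char *out, size_t outcap)
{
    size_t pos = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];
        char tmp[5];
        int k;
        if (c >= 0x20 && c < 0x7f) {
            tmp[0] = (char)c;
            tmp[1] = '\0';
            k = 1;
        } else {
            k = snprintf(tmp, sizeof tmp, "\\x%02x", c);
        }
        for (int j = 0; j < k; j++) {
            if (pos + 1 < outcap)   /* always leave room for the NUL */
                out[pos] = tmp[j];
            pos++;
        }
    }
    if (outcap > 0)
        out[pos < outcap ? pos : outcap - 1] = '\0';
    return pos;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <input file>\n", argv[0]);
        return 2;
    }
    static char buf[MAX_INPUT + 1];
    static char out[4 * MAX_INPUT + 1];  /* worst case: every byte escaped as \xNN */
#ifdef __AFL_HAVE_MANUAL_CONTROL
    __AFL_INIT();
    while (__AFL_LOOP(1000)) {   /* persistent mode: re-read @@ file each iteration */
#else
    {
#endif
        long n = read_input_file(argv[1], buf, sizeof buf);
        if (n < 0) {
            fprintf(stderr, "rejected %s: unreadable or larger than %d bytes\n",
                    argv[1], MAX_INPUT);
        } else {
            render_printable(buf, (size_t)n, out, sizeof out);
            puts(out);
        }
    }
    return 0;
}
```

Build it with afl-clang-fast (or afl-cc) inside the container, then run it the same way as the dist binaries above: `afl-fuzz -i test/afl/input01/ -o test/afl/output01/ ./harness @@`. Because the read is capped and the output buffer is sized for the worst-case escaping, the fuzzer should report no crashes from this harness; a "bad" variant would drop the cap or the NUL terminator, which is exactly the class of defect ASAN flags in the `_AFL_ASAN.bin` runs.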