Directed Greybox Fuzzing with AFL

Related tags

Deep Learningaflgo
Overview

AFLGo: Directed Greybox Fuzzing

AFLGo is an extension of American Fuzzy Lop (AFL). Given a set of target locations (e.g., folder/file.c:582), AFLGo generates inputs specifically with the objective to exercise these target locations.

Unlike AFL, AFLGo spends most of its time budget on reaching specific target locations without wasting resources stressing unrelated program components. This is particularly interesting in the context of

  • patch testing by setting changed statements as targets. When a critical component is changed, we would like to check whether this introduced any vulnerabilities. AFLGo, a fuzzer that can focus on those changes, has a higher chance of exposing the regression.
  • static analysis report verification by setting statements as targets that a static analysis reports as potentially dangerous or vulnerability-inducing. When assessing the security of a program, static analysis tools might identify dangerous locations, such as critical system calls. AFLGo can generate inputs that actually show that this is indeed no false positive.
  • information flow detection by setting sensitive sources and sinks as targets. To expose data leakage vulnerabilities, a security researcher would like to generate executions that exercise sensitive sources containing private information and sensitive sinks where data becomes visible to the outside world. A directed fuzzer can be used to generate such executions efficiently.
  • crash reproduction by setting method calls in the stack-trace as targets. When in-field crashes are reported, only the stack-trace and some environmental parameters are sent to the in-house development team. To preserve the user's privacy, the specific crashing input is often not available. AFLGo could help the in-house team to swiftly reproduce these crashes.

AFLGo is based on AFL from Michał Zaleski <[email protected]>. Checkout the project awesome-directed-fuzzing for related work on directed greybox/whitebox fuzzing.

Integration into OSS-Fuzz

The easiest way to use AFLGo is as patch testing tool in OSS-Fuzz. Here is our integration:

Environment Variables

  • AFLGO_INST_RATIO -- The proportion of basic blocks instrumented with distance values (default: 100).
  • AFLGO_SELECTIVE -- Add AFL-trampoline only to basic blocks with distance values? (default: off).
  • AFLGO_PROFILING_FILE -- When CFG-tracing is enabled, the data will be stored here.

How to instrument a Binary with AFLGo

  1. Install LLVM 11.0.0 with Gold-plugin. You can also follow these instructions or run AFLGo building script.
  2. Install other prerequisite
sudo apt-get update
sudo apt-get install python3
sudo apt-get install python3-dev
sudo apt-get install python3-pip
sudo apt-get install libboost-all-dev  # boost is not required if you use genDistance.sh in step 7
sudo pip3 install --upgrade pip
sudo pip3 install networkx
sudo pip3 install pydot
sudo pip3 install pydotplus
  1. Compile AFLGo fuzzer, LLVM-instrumentation pass and the distance calculator
# Checkout source code
git clone https://github.com/aflgo/aflgo.git
export AFLGO=$PWD/aflgo

# Compile source code
pushd $AFLGO
make clean all 
cd llvm_mode
make clean all
cd ..
cd distance_calculator/
cmake -G Ninja ./
cmake --build ./
popd
  1. Download subject (e.g., libxml2) or just run libxml2 fuzzing script.
# Clone subject repository
git clone https://gitlab.gnome.org/GNOME/libxml2
export SUBJECT=$PWD/libxml2
  1. Set targets (e.g., changed statements in commit ef709ce2). Writes BBtargets.txt.
# Setup directory containing all temporary files
mkdir temp
export TMP_DIR=$PWD/temp

# Download commit-analysis tool
wget https://raw.githubusercontent.com/jay/showlinenum/develop/showlinenum.awk
chmod +x showlinenum.awk
mv showlinenum.awk $TMP_DIR

# Generate BBtargets from commit ef709ce2
pushd $SUBJECT
  git checkout ef709ce2
  git diff -U0 HEAD^ HEAD > $TMP_DIR/commit.diff
popd
cat $TMP_DIR/commit.diff |  $TMP_DIR/showlinenum.awk show_header=0 path=1 | grep -e "\.[ch]:[0-9]*:+" -e "\.cpp:[0-9]*:+" -e "\.cc:[0-9]*:+" | cut -d+ -f1 | rev | cut -c2- | rev > $TMP_DIR/BBtargets.txt

# Print extracted targets. 
echo "Targets:"
cat $TMP_DIR/BBtargets.txt
  1. Note: If there are no targets, there is nothing to instrument!
  2. Generate CG and intra-procedural CFGs from subject (i.e., libxml2).
# Set aflgo-instrumenter
export CC=$AFLGO/afl-clang-fast
export CXX=$AFLGO/afl-clang-fast++

# Set aflgo-instrumentation flags
export COPY_CFLAGS=$CFLAGS
export COPY_CXXFLAGS=$CXXFLAGS
export ADDITIONAL="-targets=$TMP_DIR/BBtargets.txt -outdir=$TMP_DIR -flto -fuse-ld=gold -Wl,-plugin-opt=save-temps"
export CFLAGS="$CFLAGS $ADDITIONAL"
export CXXFLAGS="$CXXFLAGS $ADDITIONAL"

# Build libxml2 (in order to generate CG and CFGs).
# Meanwhile go have a coffee ☕️
export LDFLAGS=-lpthread
pushd $SUBJECT
  ./autogen.sh
  ./configure --disable-shared
  make clean
  make xmllint
popd
# * If the linker (CCLD) complains that you should run ranlib, make
#   sure that libLTO.so and LLVMgold.so (from building LLVM with Gold)
#   can be found in /usr/lib/bfd-plugins
# * If the compiler crashes, there is some problem with LLVM not 
#   supporting our instrumentation (afl-llvm-pass.so.cc:540-577).
#   LLVM has changed the instrumentation-API very often :(
#   -> Check LLVM-version, fix problem, and prepare pull request.
# * You can speed up the compilation with a parallel build. However,
#   this may impact which BBs are identified as targets. 
#   See https://github.com/aflgo/aflgo/issues/41.


# Test whether CG/CFG extraction was successful
$SUBJECT/xmllint --valid --recover $SUBJECT/test/dtd3
ls $TMP_DIR/dot-files
echo "Function targets"
cat $TMP_DIR/Ftargets.txt

# Clean up
cat $TMP_DIR/BBnames.txt | rev | cut -d: -f2- | rev | sort | uniq > $TMP_DIR/BBnames2.txt && mv $TMP_DIR/BBnames2.txt $TMP_DIR/BBnames.txt
cat $TMP_DIR/BBcalls.txt | sort | uniq > $TMP_DIR/BBcalls2.txt && mv $TMP_DIR/BBcalls2.txt $TMP_DIR/BBcalls.txt

# Generate distance ☕️
# $AFLGO/scripts/genDistance.sh is the original, but significantly slower, version
$AFLGO/scripts/gen_distance_fast.py $SUBJECT $TMP_DIR xmllint

# Check distance file
echo "Distance values:"
head -n5 $TMP_DIR/distance.cfg.txt
echo "..."
tail -n5 $TMP_DIR/distance.cfg.txt
  1. Note: If distance.cfg.txt is empty, there was some problem computing the CG-level and BB-level target distance. See $TMP_DIR/step*.
  2. Instrument subject (i.e., libxml2)
export CFLAGS="$COPY_CFLAGS -distance=$TMP_DIR/distance.cfg.txt"
export CXXFLAGS="$COPY_CXXFLAGS -distance=$TMP_DIR/distance.cfg.txt"

# Clean and build subject with distance instrumentation ☕️
pushd $SUBJECT
  make clean
  ./configure --disable-shared
  make xmllint
popd

If your compilation crashes in this step, have a look at Issue #4.

How to fuzz the instrumented binary

  • We set the exponential annealing-based power schedule (-z exp).
  • We set the time-to-exploitation to 45min (-c 45m), assuming the fuzzer is run for about an hour.
# Construct seed corpus
mkdir in
cp $SUBJECT/test/dtd* in
cp $SUBJECT/test/dtds/* in

$AFLGO/afl-fuzz -S ef709ce2 -z exp -c 45m -i in -o out $SUBJECT/xmllint --valid --recover @@
  • Tipp: Concurrently fuzz the most recent version as master with classical AFL :)
$AFL/afl-fuzz -M master -i in -o out $MASTER/xmllint --valid --recover @@
  • Run more fuzzing scripts of various real programs like Binutils, jasper, lrzip, libming and DARPA CGC.
Comments
  • Error in building binutils

    Error in building binutils

    Hi, I'm trying to build binutils to reproduce the bug CVE-2016-4487. But I'm not able to build binutils using similar commands given in the example. This is the error that i get when trying to build:

    /usr/bin/ld.gold: error: arlex.o: multiple definition of 'yylex' /usr/bin/ld.gold: ar.o: previous definition here /usr/bin/ld.gold: error: arlex.o: multiple definition of 'yywrap' /usr/bin/ld.gold: ar.o: previous definition here

    I'm getting the following error if I skip the "-Wl,-plugin-opt=save-temps" parameter

    clang (LLVM option parsing): for the -targets option: may only occur zero or one times!
    clang (LLVM option parsing): for the -outdir option: may only occur zero or one times!

    Can anyone share the build steps for binutils?

    opened by deathholes 14
  • ERROR in step 7 while running

    ERROR in step 7 while running "./autogen.sh"

    Hi, thanks for your AFLGO. Now I am using aflgo following the steps with llvm-3.9.1 but failed in step7 many times. This is what i get running "./autogen.sh". You can see the error: C compiler cannot create executables. It seems that your compiler failed the check. Could you please give me any suggestion about how to solve the problem? Thank you very much!

    [email protected]:~/libxml2$ ./autogen.sh I am going to run ./configure with no arguments - if you wish to pass any to it, please specify them on the ./autogen.sh command line. configure.ac:52: warning: AM_INIT_AUTOMAKE: two- and three-arguments forms are deprecated. aclocal.m4:9200: AM_INIT_AUTOMAKE is expanded from... configure.ac:52: the top level libtoolize: putting auxiliary files in .'. libtoolize: copying file./ltmain.sh' libtoolize: putting macros in AC_CONFIG_MACRO_DIR, m4'. libtoolize: copying filem4/libtool.m4' libtoolize: copying file m4/ltoptions.m4' libtoolize: copying filem4/ltsugar.m4' libtoolize: copying file m4/ltversion.m4' libtoolize: copying filem4/lt~obsolete.m4' configure.ac:52: warning: AM_INIT_AUTOMAKE: two- and three-arguments forms are deprecated. aclocal.m4:598: AM_INIT_AUTOMAKE is expanded from... configure.ac:52: the top level configure.ac:52: warning: AM_INIT_AUTOMAKE: two- and three-arguments forms are deprecated. For more info, see: configure.ac:52: http://www.gnu.org/software/automake/manual/automake.html#Modernize-AM_005fINIT_005fAUTOMAKE-invocation configure.ac:60: installing './compile' configure.ac:7: installing './config.guess' configure.ac:7: installing './config.sub' configure.ac:52: installing './install-sh' configure.ac:52: installing './missing' Makefile.am: installing './INSTALL' Makefile.am: installing './COPYING' using GNU General Public License v3 file Makefile.am: Consider adding the COPYING file to the version control system Makefile.am: for your code, to avoid questions about which license your project uses /usr/share/automake-1.14/am/ltlibrary.am: warning: 'libxml2.la': linking libtool libraries using a non-POSIX /usr/share/automake-1.14/am/ltlibrary.am: archiver requires 'AM_PROG_AR' in 'configure.ac' Makefile.am:22: while processing Libtool library 'libxml2.la' /usr/share/automake-1.14/am/ltlibrary.am: warning: 'testdso.la': linking libtool libraries using a non-POSIX /usr/share/automake-1.14/am/ltlibrary.am: archiver requires 'AM_PROG_AR' in 'configure.ac' Makefile.am:173: while processing Libtool library 'testdso.la' Makefile.am: installing './depcomp' doc/Makefile.am:21: warning: wildcard tutorial/.html: non-POSIX variable name doc/Makefile.am:21: (probably a GNU make extension) doc/Makefile.am:21: warning: wildcard tutorial/.c: non-POSIX variable name doc/Makefile.am:21: (probably a GNU make extension) doc/Makefile.am:21: warning: wildcard tutorial/.pdf: non-POSIX variable name doc/Makefile.am:21: (probably a GNU make extension) doc/Makefile.am:21: warning: wildcard tutorial/images/.png: non-POSIX variable name doc/Makefile.am:21: (probably a GNU make extension) doc/Makefile.am:21: warning: wildcard tutorial/images/callouts/.png: non-POSIX variable name doc/Makefile.am:21: (probably a GNU make extension) doc/Makefile.am:21: warning: wildcard API.html: non-POSIX variable name doc/Makefile.am:21: (probably a GNU make extension) doc/Makefile.am:21: warning: wildcard *.1: non-POSIX variable name doc/Makefile.am:21: (probably a GNU make extension) doc/Makefile.am:21: warning: wildcard *.xsl: non-POSIX variable name doc/Makefile.am:21: (probably a GNU make extension) doc/Makefile.am:21: warning: wildcard .html: non-POSIX variable name doc/Makefile.am:21: (probably a GNU make extension) doc/Makefile.am:21: warning: wildcard .gif: non-POSIX variable name doc/Makefile.am:21: (probably a GNU make extension) doc/Makefile.am:21: warning: wildcard html/.html: non-POSIX variable name doc/Makefile.am:21: (probably a GNU make extension) doc/Makefile.am:21: warning: wildcard html/.png: non-POSIX variable name doc/Makefile.am:21: (probably a GNU make extension) doc/Makefile.am:301: warning: filter-out %/xmlversion.h, $(wildcard $(top_srcdir: non-POSIX variable name doc/Makefile.am:301: (probably a GNU make extension) doc/Makefile.am:301: warning: wildcard $(top_srcdir: non-POSIX variable name doc/Makefile.am:301: (probably a GNU make extension) checking build system type... x86_64-unknown-linux-gnu checking host system type... x86_64-unknown-linux-gnu extra=CVE-2015-8317-5-gef709ce checking for a BSD-compatible install... /usr/bin/install -c checking whether build environment is sane... yes checking for a thread-safe mkdir -p... /bin/mkdir -p checking for gawk... gawk checking whether make sets $(MAKE)... yes checking whether make supports nested variables... yes checking whether make supports nested variables... (cached) yes checking for gcc... /home/chenyixiu/aflgo/afl-clang-fast checking whether the C compiler works... no configure: error: in /home/chenyixiu/libxml2': configure: error: C compiler cannot create executables Seeconfig.log' for more details

    Now type 'make' to compile libxml2.

    opened by Jiadosi 14
  • distance.callgraph.txt: No such file or directory

    distance.callgraph.txt: No such file or directory

    Hi, when I use aflgo, i always meet a problem that the cat: ..../AFLGO/temp/distance.callgraph.txt: No such file or directory there are my environment subject:libxml2 OS: ubuntu 16.04 LLVM: 4.0

    and when i excute the command $AFLGO/scripts/genDistance.sh $SUBJECT $TMP_DIR xmllint, the result is (1) Constructing CG for /home/wcc/Downloads/AFLGO/libxml2/.libs/xmllint.. (2) Computing distance for call graph .. cat: /home/wcc/Downloads/AFLGO/temp/distance.callgraph.txt: No such file or directory

    Parsing /home/wcc/Downloads/AFLGO/temp/dot-files/callgraph.dot .. Name: Call graph Type: DiGraph Number of nodes: 252 Number of edges: 765 Average in degree: 3.0357 Average out degree: 3.0357

    Working in CG mode.. Loading targets.. No targets available -- Problem in Step 2 of generating ! -- You can resume by executing: $ /home/wcc/Downloads/AFLGO/aflgo/scripts/genDistance.sh /home/wcc/Downloads/AFLGO/libxml2 /home/wcc/Downloads/AFLGO/temp xmllint /home/wcc/Downloads/AFLGO/temp

    And the Ftargets.txt is xmlAddID__internal_alias xmlAddID step2.log is Parsing /home/wcc/Downloads/AFLGO/temp/dot-files/callgraph.dot .. Name: Call graph Type: DiGraph Number of nodes: 252 Number of edges: 765 Average in degree: 3.0357 Average out degree: 3.0357

    Working in CG mode.. Loading targets.. No targets available

    Thanks!

    opened by CCWANG19 12
  • oss-fuzz installation, stuck at step 2

    oss-fuzz installation, stuck at step 2

    Hi, I am trying to install the oss-fuzz before installing aflgo and im doing this behind corporate firewall. I keep getting the error:

    E: Unable to locate package libc6-dev
    E: Unable to locate package binutils
    E: Unable to locate package libgcc-5-dev
    

    when the /infra/base-images/base-clang/Dockerfile is running. I poked around google and most suggestions include doing sudo apt-get update, sudo apt-get upgrade, adding repositories like multiverse etc etc, and i've tried them but this error is still thrown. I've also tried editing the Dockerfile to run RUN apt-get install -y libc6-dev binutils libgcc-5-dev, but the error message:

    Step 3/12 : RUN sudo apt-get install -y libc6-dev binutils libgcc-5-dev
     ---> Running in fa2d4767bc4c
    /bin/sh: 1: sudo: not found
    The command '/bin/sh -c sudo apt-get install -y libc6-dev binutils libgcc-5-dev' returned a non-zero code: 127
    

    then appears. Help!! Not sure if its the corporate firewall preventing it from downloading the packages (which, last time I checked, were the latest versions already as of 25 June 2018)

    Below is what comes up in the terminal when entering infra/base-images/all.sh:

    + docker build --pull -t gcr.io/oss-fuzz-base/base-image infra/base-images/base-image
    Sending build context to Docker daemon   2.56kB
    Step 1/9 : FROM ubuntu:16.04
    16.04: Pulling from library/ubuntu
    Digest: sha256:b050c1822d37a4463c01ceda24d0fc4c679b0dd3c43e742730e2884d3c582e3a
    Status: Image is up to date for ubuntu:16.04
     ---> 5e8b97a2a082
    Step 2/9 : MAINTAINER [email protected]
     ---> Using cache
     ---> ce3911a754ea
    Step 3/9 : ENV DEBIAN_FRONTEND noninteractive
     ---> Using cache
     ---> ae05540f823a
    Step 4/9 : RUN apt-get update && apt-get upgrade -y && apt-get autoremove -y
     ---> Using cache
     ---> 9dbd6c3bdefc
    Step 5/9 : ENV OUT /out
     ---> Using cache
     ---> 498e0b22b8b3
    Step 6/9 : ENV SRC /src
     ---> Using cache
     ---> 9a6be30850ec
    Step 7/9 : ENV WORK /work
     ---> Using cache
     ---> 0ca61162fa17
    Step 8/9 : ENV PATH "$PATH:/out"
     ---> Using cache
     ---> 5e933374ad11
    Step 9/9 : RUN mkdir -p $OUT $SRC $WORK && chmod a+rwx $OUT $SRC $WORK
     ---> Using cache
     ---> 85e3704aafae
    Successfully built 85e3704aafae
    Successfully tagged gcr.io/oss-fuzz-base/base-image:latest
    + docker build -t gcr.io/oss-fuzz-base/base-clang infra/base-images/base-clang
    Sending build context to Docker daemon  6.656kB
    Step 1/12 : FROM gcr.io/oss-fuzz-base/base-image
     ---> 85e3704aafae
    Step 2/12 : MAINTAINER [email protected]
     ---> Using cache
     ---> 15da6853474d
    Step 3/12 : RUN apt-get install -y libc6-dev binutils libgcc-5-dev
     ---> Running in 0c969a46d227
    Reading package lists...
    Building dependency tree...
    Reading state information...
    E: Unable to locate package libc6-dev
    E: Unable to locate package binutils
    E: Unable to locate package libgcc-5-dev
    The command '/bin/sh -c apt-get install -y libc6-dev binutils libgcc-5-dev' returned a non-zero code: 100```
    
    opened by swonlek 10
  • Fuzz Chromium [Couldn't find any binaries in folder (Instrumenting chromium)]

    Fuzz Chromium [Couldn't find any binaries in folder (Instrumenting chromium)]

    Want to fuzz Chromium? See some useful links here.


    Hi there,

    I'm trying to instrument Chromium. I can follow along your instructions perfectly fine until the 7th step here. You take libxml2 as an example and build it. Prior to that, you export some additional compiler flags:

    # Set aflgo-instrumentation flags
    export COPY_CFLAGS=$CFLAGS
    export COPY_CXXFLAGS=$CXXFLAGS
    export ADDITIONAL="-targets=$TMP_DIR/BBtargets.txt -outdir=$TMP_DIR -flto -fuse-ld=gold -Wl,-plugin-opt=save-temps"
    export CFLAGS="$CFLAGS $ADDITIONAL"
    export CXXFLAGS="$CXXFLAGS $ADDITIONAL"
    

    Build script for chromium

    After that, I've replaced the build section by the build instructions for chromium:

    # --- 🔄 Build chromium
    # in order to generate CG and CFGs later... meanwhile, go have a coffee ☕️
    # see: https://github.com/chromium/chromium/blob/master/docs/linux/build_instructions.md
    
    # Install additional build dependencies
    ./build/install-build-deps.sh
    
    # Gclient sync
    gclient sync
    
    # Run the hooks
    gclient runhooks
    
    # Set up the build
    gn gen out/MyChromeBuild --is_debug=false
    
    # Finally build chromium
    autoninja -C out/MyChromeBuild chrome
    # --- 🔄
    

    After having built chrome for several hours, the gen_distance_fast.py claims that (path shortened):

    gen_distance_fast.py: error: Couldn't find any binaries in folder .../chromium/src/out/MyChromeBuild
    

    However, in this folder, there is indeed a file called chrome (1.2 GB big).


    Binary not found

    Do you have any tips for me? I've looked into gen_distance_fast.py and don't quite get why the binary has to be in that specific format (ending with *.0.0.*.bc)?

     binaries = list(args.binaries_directory.glob("*.0.0.*.bc"))
        if len(binaries) == 0:
            parser.error("Couldn't find any binaries in folder "
                         f"{args.binaries_directory}.")
    

    | :heavy_exclamation_mark: | I guess AFLGo assumes that I have to use something along the lines of CMake. However, Chrome uses gn and ninja as build tool. Is that a problem? Please clarify the 7th step for me as it is unclear how the CG and CFGs are extracted from the subject without ever calling a script residing inside the AFLGo repository. Is it that you provide additional CFLAGS to pass to LLVM (so I would need a specific compiler) or how is this step working exactly? This is my biggest confusion at the moment. | |---------------|:-------------------------|

    What is this third argument?

    Also, I don't understand why you pass in xmllint as an example in the readme:

    # Generate distance ☕️
    # $AFLGO/scripts/genDistance.sh is the original, but significantly slower, version
    $AFLGO/scripts/gen_distance_fast.py $SUBJECT $TMP_DIR xmllint
    

    In the gen_distance_fast.py script, the third argument corresponds to the fuzzer name. I thought that AFLGo itself is the fuzzer. Why do we have to specify a "Name of fuzzer binary" here?

    Thank you for any help 😇

    opened by Splines 9
  • Unable to find target in callgraph when fuzzing Apache httpd

    Unable to find target in callgraph when fuzzing Apache httpd

    Fuzzing target

    Apache httpd

    Patched used

    The patch for CVE-2016-2161.

    Httpd version

    Commit 5da25a4

    Aflgo version

    Compiled from the latest commit on master branch.

    Issue description

    Unable to find the targets in $TMP_DIR/Ftarget.txt in the callgraph (dot-files/callgraph.dot).

    opened by cty12 9
  • Distance calculation failure

    Distance calculation failure

    Hi,

    I tried to run AFLGo with openjpeg according to README. I succeeded to instrument but when I run gen_distance_fast.py script, the error messages are printed repeatedly as follows.

    ~/aflgo$ $AFLGO/scripts/gen_distance_fast.py $SUBJECT/build/bin $TMP_DIR opj_dump
    (0) Constructing CG for /home/user/aflgo/openjpeg-2.1.1/build/bin/opj_dump.0.0.preopt.bc..
    (1) Computing distance for callgraph
    (1) Computing distance for control-flow graphs (this might take a while)
    cfg distance calculator failed while calculating distance for /home/user/aflgo/temp/BBtargets.txt.
    cfg distance calculator failed while calculating distance for /home/user/aflgo/temp/BBtargets.txt.
    cfg distance calculator failed while calculating distance for /home/user/aflgo/temp/BBtargets.txt.
    ...
    
    ~/aflgo/temp$ cat step0.log 
    Writing 'callgraph.dot'...
    

    Can you tell me what's the problem?

    Additionally, I also tried to fuzz gif2png. However the configuration step failed with the following error.

    $ ./configure
    ...
    checking whether make sets $(MAKE)... yes
    checking for gcc... /home/user/aflgo/gif2png-2.5.8/afl-clang-fast
    checking whether the C compiler works... no
    configure: error: in `/home/user/aflgo/gif2png-2.5.8':
    configure: error: C compiler cannot create executables
    See `config.log' for more details
    

    I followed all 1~6 step on README file, Is there something I missed?

    opened by blbi 8
  • clang4.0 not support -V -g options

    clang4.0 not support -V -g options

    configure:3509: ./aflgo/afl-clang-fast -V >&5 clang-4.0: error: unsupported option '-V -g' configure:3520: $? = 1 configure:3509: ./aflgo/afl-clang-fast -qversion >&5 clang-4.0: error: unknown argument: '-qversion' configure:3520: $? = 1

    opened by apinellia 8
  • Fuzzing lrzip CVE 2017-8846 with ASAN

    Fuzzing lrzip CVE 2017-8846 with ASAN

    Hi,

    I recently run the following script to fuzz lrzip:

    https://github.com/aflgo/aflgo/blob/master/scripts/fuzz/lrzip-CVE-2017-8846.sh

    I could successfully generate distance files, and fuzz the program with AFLGo on Ubuntu 18.04. I generated the binary both with and without ASAN support (when generating distance files, I did not set AFL_USE_ASAN as specified here). As expected, lrzip becomes extremely slow with ASAN (<1 exec/sec). I guess the only option here is to compile the binary with m32 which is not recognized by clang wrapper of AFLGo (afl-clang-fast) and ended up with a FATAL.

    I see that you build all projects with ASAN support in the paper. Did you generate 32 binaries? If so, how can I compile lrzip as 32-bit on a 64 bit machine? Or, did you use any other tricks to fuzz with ASAN?

    Thanks,

    Sadullah

    opened by scanakci 7
  • problems on AFLGo Building Script

    problems on AFLGo Building Script

    when ninja running, there are some errors: 1. ninja: build stopped : subcommand failed; 2. c++ : internal compiler error: killed(program cc1plus) what should I do ? THX

    opened by Kiwi071211 7
  • Error in building binutils

    Error in building binutils

    My error description is very similar to #37 which has been closed due to inactivity.

    When building binutils with Clang + Gold I get the following error:

    /usr/bin/ld.gold: error: arlex.o: multiple definition of 'yylex' /usr/bin/ld.gold: ar.o: previous definition here

    Additional Information: OS: Ubuntu 18.04.3 Clang version: I tried 4.0.0, 4.0.1, and 6.0.0 (all result in same error) Binutils version: I tried 2.33.1 and 2.29.1 (all result in sam error) Configure Flags: --disable-werror --disable-shared --disable-ld (all result in sam error) Gold Linker: I tried version 1.15 and 1.16

    I am able to build binutils with clang, when skipping the gold arguments.

    Is ther anything else I could try?

    Edit: Added gold linker version

    opened by OskarBo 7
  • Incorrect method of merge call graph

    Incorrect method of merge call graph

    Hello, While reading and testing the python script gen_distance_fast.py, I wonder how it identifies caller and callee functions from different callgraph files. The .callgraph.dot is generated separately by the command opt and NodeID is different for the same function in different .callgraph.dot files. So I make a demo to test it.

    I create two .c files as below.

    // a.c
    #include <stdio.h>
    #include "b.h"
    
    static void test(){
        printf("test from a.c\n");
    }
    
    int main(){
        test();
        testB();
    }
    // b.c
    #include <stdio.h>
    #include "b.h"
    
    static void test(){
        printf("test from b.c\n");
    }
    
    void testB(){
        test();
    }
    

    Secondly, I generate .bc, .ll and callgraph files for them with the following command.

    # .bc
    clang -g -O0 -c -emit-llvm a.c -o a.bc
    clang -g -O0 -c -emit-llvm b.c -o b.bc
    # .ll
    llvm-dis a.bc -o a.ll
    llvm-dis b.bc -o b.ll
    # .callgraph.dot
    opt -dot-callgraph a.bc
    opt -dot-callgraph b.bc
    

    Thirdly, I merge the two .callgraph.dot into by the following python script with same method in the gen_distance_fast.py

    #!/usr/bin/env python3
    
    import networkx as nx
    
    
    a_cg = nx.DiGraph(nx.drawing.nx_pydot.read_dot("./a.bc.callgraph.dot"))
    b_cg = nx.DiGraph(nx.drawing.nx_pydot.read_dot("./b.bc.callgraph.dot"))
    a_cg.update(b_cg)
    with open('./all.bc.callgraph.dot','w') as f:
        nx.drawing.nx_pydot.write_dot(a_cg, f)
    print("done")
    

    However, the result is disappointing. NetworkX cannot identify the same function in different .callgraph.dot files. There are two Nodes with the same label testB, which should be merged. The .callgraph.dot files is shown in the following.

    # a.bc.callgraph.dot
    digraph "Call graph: a.bc" {
    	label="Call graph: a.bc";
    
    	Node0x590adb0 [shape=record,label="{main}"];
    	Node0x590adb0 -> Node0x590ae60;
    	Node0x590adb0 -> Node0x590af10;
    	Node0x590af10 [shape=record,label="{testB}"];
    	Node0x590ae60 [shape=record,label="{test}"];
    	Node0x590ae60 -> Node0x590b050;
    	Node0x590b050 [shape=record,label="{printf}"];
    }
    # b.bc.callgraph.dot
    digraph "Call graph: b.bc" {
    	label="Call graph: b.bc";
    
    	Node0x4ed5900 [shape=record,label="{testB}"];
    	Node0x4ed5900 -> Node0x4ed59b0;
    	Node0x4ed59b0 [shape=record,label="{test}"];
    	Node0x4ed59b0 -> Node0x4ed5a60;
    	Node0x4ed5a60 [shape=record,label="{printf}"];
    }
    # merged all.bc.callgraph.dot
    strict digraph "Call graph: b.bc" {
    label="Call graph: b.bc";
    Node0x590adb0 [label="{main}", shape=record];
    Node0x590af10 [label="{testB}", shape=record];
    Node0x590ae60 [label="{test}", shape=record];
    Node0x590b050 [label="{printf}", shape=record];
    Node0x4ed5900 [label="{testB}", shape=record];
    Node0x4ed59b0 [label="{test}", shape=record];
    Node0x4ed5a60 [label="{printf}", shape=record];
    Node0x590adb0 -> Node0x590ae60;
    Node0x590adb0 -> Node0x590af10;
    Node0x590ae60 -> Node0x590b050;
    Node0x4ed5900 -> Node0x4ed59b0;
    Node0x4ed59b0 -> Node0x4ed5a60;
    }
    
    
    
    opened by TheSilentDawn 1
  • Fail to build lua [lua.o: File format not recognized]

    Fail to build lua [lua.o: File format not recognized]

    Hi there,

    I would like to fuzz lua with AFLGo but it fails during the first building. The CG and CFGs seem generated successfully, but the binary is not.

    Target

    export TMP_DIR=$OUT/temp
    mkdir -p $TMP_DIR
    echo "liolib.c:298\nldebug.c:197\nldebug.c:848\nldebug.c:920" > $TMP_DIR/BBtargets.txt
    

    Fetch Lua

    git clone --no-checkout https://github.com/lua/lua.git
    git -C lua checkout dbdc74dc5502c2e05e1c1e2ac894943f418c8431
    

    Set AFLGo ENV

    export CC="$HOME/aflgo/afl-clang-fast"
    export CXX="$HOME/aflgo/afl-clang-fast++"
    
    export COPY_CFLAGS=$CFLAGS
    export COPY_CXXFLAGS=$CXXFLAGS
    export ADDITIONAL="-targets=$TMP_DIR/BBtargets.txt -outdir=$TMP_DIR -flto -fuse-ld=gold -Wl,-plugin-opt=save-temps"
    export CFLAGS="$CFLAGS $ADDITIONAL"
    export CXXFLAGS="$CXXFLAGS $ADDITIONAL"
    

    Modify makefile

    To support AFLGo configuration, I modify its makefile as follows:

    -CC= gcc
    -CFLAGS= -Wall -O2 $(MYCFLAGS) -fno-stack-protector -fno-common -march=native
    +CC ?= gcc
    +CFLAGS += -Wall $(MYCFLAGS) -fno-stack-protector -fno-common -march=native
    
    -LIBS = -lm
    +LIBS += -lm
    
     $(LUA_T): $(LUA_O) $(CORE_T)
    -	$(CC) -o $@ $(MYLDFLAGS) $(LUA_O) $(CORE_T) $(LIBS) $(MYLIBS) $(DL)
    +	$(CC) -o $@ $(LDFLAGS) $(MYLDFLAGS) $(LUA_O) $(CORE_T) $(LIBS) $(MYLIBS) $(DL)
    

    Build

    cd lua
    make clean
    make liblua.a # could generate dot/F/BB files in $TMP_DIR
    make lua # fails to generate binary _lua_
    

    Error Msg

    Command make -j$(nproc) lua fails with the following msg:

    $HOME/aflgo/afl-clang-fast -o lua -g  -Wfatal-errors -Wextra -Wshadow -Wsign-compare -Wundef -Wwrite-strings -Wredundant-decls -Wdisabled-optimization -Wdouble-promotion  -Wdeclaration-after-statement -Wmissing-prototypes -Wnested-externs -Wstrict-prototypes -Wc++-compat -Wold-style-definition  -Wlogical-op -Wno-aggressive-loop-optimizations  -Wl,-E lua.o liblua.a -lrt -lm -ldl -lreadline 
    aflgo-compiler (yeah!) 2.52b
    lua.o: file not recognized: File format not recognized
    clang: fatal error: linker command failed with exit code 1 (use -v to see invocation)
    makefile:114: recipe for target 'lua' failed
    make: *** [lua] Error 1
    

    The file format of lua.o is "LLVM IR bitcode"

    file lua.o
    lua.o: LLVM IR bitcode
    
    opened by qhjchc 0
  • Fix using relative filename to find targets

    Fix using relative filename to find targets

    Hello, I'm trying to reproduce CVE-2016-4487 using scripts/fuzz/cxxfilt-CVE-2016-4487.sh. However, I found that content in Ftargets.txt is incomplete. According to valgrind report, the CVE callstack should include following functions, but as I executed cxxfilt-CVE-2016-4487.sh, Ftargets.txt contains only several functions.

    valgrind report

    valgrind binutils/cxxfilt _Q10-__9cafebabe.
    ==3272167== Memcheck, a memory error detector      
    ==3272167== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
    ==3272167== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
    ==3272167== Command: binutils-2.26/binutils/cxxfilt _Q10-__9cafebabe.   
    ==3272167== 
    ==3272167== Invalid write of size 8                                                
    ==3272167==    at 0x23B180: register_Btype (cplus-dem.c:4319)             
    ==3272167==    by 0x23755A: demangle_class (cplus-dem.c:2594)                                                                                                         
    ==3272167==    by 0x234EAC: demangle_signature (cplus-dem.c:1490)                 
    ==3272167==    by 0x23441D: internal_cplus_demangle (cplus-dem.c:1203)
    ==3272167==    by 0x23399A: cplus_demangle (cplus-dem.c:886)
    ==3272167==    by 0x137E21: demangle_it (cxxfilt.c:62)
    ==3272167==    by 0x1382B6: main (cxxfilt.c:227)
    ...
    
    

    target locations in scripts/fuzz/cxxfilt-CVE-2016-4487.sh

    cxxfilt.c:227
    cxxfilt.c:62
    cplus-dem.c:886
    cplus-dem.c:1203
    cplus-dem.c:1490
    cplus-dem.c:2594
    cplus-dem.c:4319
    

    actually Ftargets.txt

    cplus_demangle
    internal_cplus_demangle
    main
    demangle_it
    

    I dumped all values of target_file, target_line, filename, line used to find the BBtarget in llvm_mode/afl-llvm-pass.so.cc:344, and found that sometimes filename was relative filename. aflgo has already handled this problem when constructing bb_namein llvm_mode/afl-llvm-pass.so.cc:331, but it seems that aflgo still tried to use relative filename to find BBtarget in llvm_mode/afl-llvm-pass.so.cc:344, and may cause missing certain target locations. I removed the relative path for every filename, it seems to solve the problem.

    llvm_mode/afl-llvm-pass.so.cc

    ...
    325  if (bb_name.empty()) {
    326
    327    std::size_t found = filename.find_last_of("/\\");
    328    if (found != std::string::npos)
    329      filename = filename.substr(found + 1);
    330
    331    bb_name = filename + ":" + std::to_string(line);
    332  }
    ...
    344  if (!target_file.compare(filename) && target_line == line)
    345    is_target = true;
    ...
    

    part of values of target_file, target_line, filename, line using in llvm_mode/afl-llvm-pass.so.cc:344

    # target_file target_line filename line
    ...
    ../../libiberty/cplus-dem.c 4319 cxxfilt.c 227   
    ../../libiberty/cplus-dem.c 4319 cxxfilt.c 62    
    ../../libiberty/cplus-dem.c 4319 cplus-dem.c 886 
    ../../libiberty/cplus-dem.c 4319 cplus-dem.c 1203
    ../../libiberty/cplus-dem.c 4319 cplus-dem.c 1490
    ../../libiberty/cplus-dem.c 4319 cplus-dem.c 2594
    **../../libiberty/cplus-dem.c 4319 cplus-dem.c 4319** is target location, should be found
    ...
    

    what I modified

    ...
      std::size_t found = filename.find_last_of("/\\");
      if (found != std::string::npos)
        filename = filename.substr(found + 1);
              
      if (bb_name.empty()) 
       bb_name = filename + ":" + std::to_string(line);
    ...
      if (!target_file.compare(filename) && target_line == line)
        is_target = true;
    ...
    

    fixed Ftargets.txt

    cplus_demangle
    internal_cplus_demangle
    demangle_signature
    register_Btype
    demangle_class
    main
    demangle_it
    

    By the way, I test on ubuntu 20.04. In my system scripts/fuzz/cxxfilt-CVE-2016-4487.sh:8 will write a $character to first line of BBtargets.txt and cause first target location can't be found. I'm not sure this problem exists in every system, but in my case I need to remove this $ character.

    opened by tl455047 0
  • Building libav with aflgo

    Building libav with aflgo

    Hi,

    I would like to fuzz avconv from libav with AFLGo. These are the commands I used to build libav:

    export AFLGO=path/to/aflgo
    export CC=$AFLGO/afl-clang-fast
    export CXX=$AFLGO/afl-clang-fast
    cd path/to/libav
    mkdir temp; mkdir obj-aflgo
    export TMP_DIR=$PWD/temp
    export LDFLAGS=-lpthread
    export ADDITIONAL="-targets=$TMP_DIR/BBtargets.txt -outdir=$TMP_DIR -flto -fuse-ld=gold -Wl,-plugin-opt=save-temps"
    cd obj-aflgo
    ../configure --cc=$CC --prefix=`pwd` --extra-cflags="$ADDITIONAL" --disable-shared
    

    However, I got a C compiler test failed error saying temp/test.o: file not recognized: File format not recognized. I guess that the test failed because afl-clang-fast generate the IR bitcode instead of the ELF object file. I have read #69 and #71, and they suggest using --host-cflags. So, I changed the configure command to:

    ../configure --cc=$CC --prefix=`pwd` --host-cflags="$ADDITIONAL" --disable-shared --disable-doc
    

    Using the above configure command, configuring the makefile and building the libav can be done successfully but afl-clang-fast does not generate the dot-files. The BBnames.txt and BBcalls.txt are also empty. Therefore, I cannot calculate the distance.

    Would you please help me to build libav with aflgo?

    Here is the commit hash of the libav and the BBtargets.txt :

    Commuit hash : c4642788e83b0858bca449f9b6e71ddb015dfa5d BBtargets.txt:

    libavcodec/aacdec.c:2578
    libavcodec/aacdec.c:2631
    libavcodec/aacdec.c:2666
    libavcodec/aacdec.c:2944
    libavcodec/aacdec.c:3010
    libavcodec/decode.c:336
    libavcodec/decode.c:387
    libavcodec/decode.c:405
    libavcodec/decode.c:466
    libavformat/utils.c:1950
    libavformat/utils.c:2459
    avtools/avconv_opt.c:821
    avtools/avconv_opt.c:2467
    avtools/avconv_opt.c:2504
    avtools/avconv.c:2953
    

    Thank you.

    opened by irfanariq 2
  • If the target test program requires two or more input files

    If the target test program requires two or more input files

    If the target test program requires two or more input files, such as./target file1 file2, how should the fuzz procedure be constructed, whether the fuzz source code needs to be modified, or whether AFL/AFLGo supports fuzz testing for the target? If yes, then whether the obtained crash is also a combination of two or more files.

    opened by qwwq251 0
  • Python scripts for fuzzing

    Python scripts for fuzzing

    Hi there,

    Erik Imgrund, a friend of mine, recently wrote a python program to simplify the usage of AFLGo. It's an alternative to bash scripts that - at least in our opinion - are very powerful but sometimes quite frightening and not easy to understand/adapt/play around with.

    Pros and Cons I'd like to adapt the Python program and incorporate it into AFLGo (this is cleared with Erik Imgrund) as I feel other users would benefit from it. Python has a nice syntax, is easy to learn and widespread. It's heavily used in the fields of machine learning which would simplify the process to use AFLGo. Cons are that we have duplicate scripts, so there are two places to adapt if the API is changing some day. Yet, that's also the case right now with the sample shell scripts.

    I'd like to open a pull request to AFLGo if the general idea described here is welcome. If so, it'd be great to know where a good place would be to place the scripts.

    All the best, Dominic

    enhancement 
    opened by Splines 2
Releases(LLVM-4.0)
Owner
Maintained by @mboehme, @thuanpv, and @strongcourage
WORD: Revisiting Organs Segmentation in the Whole Abdominal Region

WORD: Revisiting Organs Segmentation in the Whole Abdominal Region (Paper and DataSet). [New] Note that all the emails about the download permission o

Healthcare Intelligence Laboratory 71 Dec 22, 2022
Code I use to automatically update my videos' metadata on YouTube

mCodingYouTube This repository contains the code I use to automatically update my videos' metadata on YouTube, including: titles, descriptions, tags,

James Murphy 19 Oct 07, 2022
A Context-aware Visual Attention-based training pipeline for Object Detection from a Webpage screenshot!

CoVA: Context-aware Visual Attention for Webpage Information Extraction Abstract Webpage information extraction (WIE) is an important step to create k

Keval Morabia 41 Jan 01, 2023
Text-to-Image generation

Generate vivid Images for Any (Chinese) text CogView is a pretrained (4B-param) transformer for text-to-image generation in general domain. Read our p

THUDM 1.3k Dec 29, 2022
Hyperbolic Image Segmentation, CVPR 2022

Hyperbolic Image Segmentation, CVPR 2022 This is the implementation of paper Hyperbolic Image Segmentation (CVPR 2022). Repository structure assets :

Mina Ghadimi Atigh 46 Dec 29, 2022
Video Background Music Generation with Controllable Music Transformer (ACM MM 2021 Oral)

CMT Code for paper Video Background Music Generation with Controllable Music Transformer (ACM MM 2021 Best Paper Award) [Paper] [Site] Directory Struc

Zhaokai Wang 198 Dec 27, 2022
InsCLR: Improving Instance Retrieval with Self-Supervision

InsCLR: Improving Instance Retrieval with Self-Supervision This is an official PyTorch implementation of the InsCLR paper. Download Dataset Dataset Im

Zelu Deng 25 Aug 30, 2022
Image-Scaling Attacks and Defenses

Image-Scaling Attacks & Defenses This repository belongs to our publication: Erwin Quiring, David Klein, Daniel Arp, Martin Johns and Konrad Rieck. Ad

Erwin Quiring 163 Nov 21, 2022
a project for 3D multi-object tracking

a project for 3D multi-object tracking

155 Jan 04, 2023
PyTorch implementation of an end-to-end Handwritten Text Recognition (HTR) system based on attention encoder-decoder networks

AttentionHTR PyTorch implementation of an end-to-end Handwritten Text Recognition (HTR) system based on attention encoder-decoder networks. Scene Text

Dmitrijs Kass 31 Dec 22, 2022
Official page of Patchwork (RA-L'21 w/ IROS'21)

Patchwork Official page of "Patchwork: Concentric Zone-based Region-wise Ground Segmentation with Ground Likelihood Estimation Using a 3D LiDAR Sensor

Hyungtae Lim 254 Jan 05, 2023
[CVPR'20] TTSR: Learning Texture Transformer Network for Image Super-Resolution

TTSR Official PyTorch implementation of the paper Learning Texture Transformer Network for Image Super-Resolution accepted in CVPR 2020. Contents Intr

Multimedia Research 689 Dec 28, 2022
A minimal implementation of face-detection models using flask, gunicorn, nginx, docker, and docker-compose

Face-Detection-flask-gunicorn-nginx-docker This is a simple implementation of dockerized face-detection restful-API implemented with flask, Nginx, and

Pooya-Mohammadi 30 Dec 17, 2022
Open-CyKG: An Open Cyber Threat Intelligence Knowledge Graph

Open-CyKG: An Open Cyber Threat Intelligence Knowledge Graph Model Description Open-CyKG is a framework that is constructed using an attenti

Injy Sarhan 34 Jan 05, 2023
Reverse engineering recurrent neural networks with Jacobian switching linear dynamical systems

Reverse engineering recurrent neural networks with Jacobian switching linear dynamical systems This repository is the official implementation of Rever

6 Aug 25, 2022
Binary classification for arrythmia detection with ECG datasets.

HEART DISEASE AI DATATHON 2021 [Eng] / [Kor] #English This is an AI diagnosis modeling contest that uses the heart disease echocardiography and electr

HY_Kim 3 Jul 14, 2022
Code to accompany the paper "Finding Bipartite Components in Hypergraphs", which is published in NeurIPS'21.

Finding Bipartite Components in Hypergraphs This repository contains code to accompany the paper "Finding Bipartite Components in Hypergraphs", publis

Peter Macgregor 5 May 06, 2022
Code for "Adversarial Attack Generation Empowered by Min-Max Optimization", NeurIPS 2021

Min-Max Adversarial Attacks [Paper] [arXiv] [Video] [Slide] Adversarial Attack Generation Empowered by Min-Max Optimization Jingkang Wang, Tianyun Zha

Jingkang Wang 12 Nov 23, 2022
Little tool in python to watch anime from the terminal (the better way to watch anime)

ani-cli Script working again :), thanks to the fork by Dink4n for the alternative approach to by pass the captcha on gogoanime A cli to browse and wat

Harshith 4.5k Dec 31, 2022
Deep learning image registration library for PyTorch

TorchIR: Pytorch Image Registration TorchIR is a image registration library for deep learning image registration (DLIR). I have integrated several ide

Bob de Vos 40 Dec 16, 2022