Can AFL++ used in QNX neutrino embedded system? If can how to?

[DarrenDaRui]

Hi maintainer,

Here I stuck with the problem to fuzz code in QNX neutrino embedded system. The reason is QNX use qcc as the compiler and not support LLVM related toolset.
Previously I use libFuzzer to fuzz both X86_64 and Arm platform in Linux, but failed to fuzz QNX as no LLVM toolset supported.
Could you help guide if AFL++ can do this or not? If so could guide me the main orientation?

Thanks very much.

[vanhauser-thc]

You are lucky, I looked into that last week.
It is very ficklish to do, and I found one roadblock I could not solve (but did not look into it very deeply).

Because you need to cross compile you have to compile afl++ for your host (easy), and then specifically the afl tools also for that target. BUT - you must configure both to use MMAP.

first for your host:
sed -i 's/-lrt//' src/afl-cc.c
make TEST_MMAP=1 afl-as
make TEST_MMAP=1 -f GNUmakefile.llvm afl-cc

then for your target:
rm -f instrumentation/*.o
sed -i 's/-ldl//g' GNUmakefile
sed -i 's/-lrt//g' GNUmakefile
make AFL_NO_X86=1 TEST_MMAP=1 CC=x86_64-pc-nto-qnx7.1.0-gcc afl-fuzz afl-showmap afl-tmin
then you copy afl-fuzz afl-showmap, afl-tmin and afl-cmin to your QNX.

Now to compile a target you need to do the following - the compiler to set in your source environment is afl-gcc, and additionally you have to set AFL_CC=x86_64-pc-nto-qnx7.1.0-gcc AFL_CXX=x86_64-pc-nto-qnx7.1.0-g++ you also have to set AFL_PATH and point it to the AFL++ compilation directory.

Now the issue that I ran into is that the forkserver is not triggering and I do not know why. This could be worked around by setting AFL_NO_FORKSRV=1 when starting afl-fuzz.

There might be further issues but I did not went deeper into this.

If you down further steps, please document them here!
:-)

[DarrenDaRui]

@vanhauser-thc

After link qnx aarch64-unknown-nto-qnx7.1.0-as to afl-as, afl-as can be invoked. However encounter error with ld stage. Do you have any idea?

[DarrenDaRui]

Hi @vanhauser-thc ,

Seems the assemble code in afl-as.h is x86 format, not suitable for aarch64 format. I got lot of "Error: unknown mnemonic `movq' -- " somethig like this. Really hard to go on, could you help guide me a little?

[vanhauser-thc]

oh damn yes. I didnt know that you are on aarch64. my QNX was on x86_x64 ...
you now have 3 choices:

1. rewrite the assembly for arm64
2. compile and fuzz on linux (best)
3. do system emulated fuzzing (e.g. nyx_mode or unicorn_mode)

[DarrenDaRui]

@vanhauser-thc
Fine, thanks for your idea.
Is that 2nd method means do "off-target" fuzzing based on Linux X86_64 platform?

[vanhauser-thc]

yes, you "just" compile it on linux ... mock whatever hardware would be there etc.

[vanhauser-thc]

Also there is this paper: https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Dynamic-analysis-of-firmware-components-in-iot-devices-En.pdf
which shows how to use AFL++ to fuzz QNX binaries/libs with Unicorn mode

[DarrenDaRui]

Thanks very much for you reply, I will go through this paper. BTW, may I know it will work in QNX run-time env, I mean do on-target fuzzing.
Some QNX fuzzing may utilize QEMU platform to boot up QNX, but that's not we want.

[vanhauser-thc]

what I wrote in the other answer is for on-target fuzzing (obivously, if you look at it)

[DarrenDaRui]

Yes, just found the older one. I will learn your way and verify. Thanks again!