Angora is a mutation-based coverage guided fuzzer. The main goal of Angora is to increase branch coverage by solving path constraints without symbolic execution.
Arxiv: Angora: Efficient Fuzzing by Principled Search, S&P '2018.
- Linux-amd64 (Tested on Ubuntu 16.04/18.04 and Debian Buster)
- Rust stable (>= 1.31), can be obtained using rustup
- LLVM 4.0.0 : run
Append the following entries in the shell configuration file (
export PATH=/path-to-clang/bin:$PATH export LD_LIBRARY_PATH=/path-to-clang/lib:$LD_LIBRARY_PATH
The build script will resolve most dependencies and setup the runtime environment.
As with AFL, system core dumps must be disabled.
echo core | sudo tee /proc/sys/kernel/core_pattern
Test if Angora is builded successfully.
cd /path-to-angora/tests ./test.sh mini
Build Target Program
Angora compiles the program into two separate binaries, each with their respective
autoconf programs as an example, here are the steps required.
# Use the instrumenting compilers CC=/path/to/angora/bin/angora-clang \ CXX=/path/to/angora/bin/angora-clang++ \ LD=/path/to/angora/bin/angora-clang \ PREFIX=/path/to/target/directory \ ./configure --disable-shared # Build with taint tracking support USE_TRACK=1 make -j make install # Save the compiled target binary into a new directory # and rename it with .taint postfix, such as uniq.taint # Build with light instrumentation support make clean USE_FAST=1 make -j make install # Save the compiled binary into the directory previously # created and rename it with .fast postfix, such as uniq.fast
If you fail to build by this approach, try
gllvm described in Build a target program.
./angora_fuzzer -i input -o output -t path/to/taint/program -- path/to/fast/program [argv]
For more information, please refer to the documentation under the
- Angora Overview
- Build a target program
- Running Angora
- Example - Fuzz program file by Angora
- Run Angora on LAVA
- Exploit attack points
- Configuration Files
- Environment variables in compiling
- UI Terminology
Angora is maintained by ByteDance AI Lab now.