Angora is a mutation-based coverage guided fuzzer. The main goal of Angora is to increase branch coverage by solving path constraints without symbolic execution.
Arxiv: Angora: Efficient Fuzzing by Principled Search, S&P 2018.
- Linux-amd64 (Tested on Ubuntu 16.04/18.04 and Debian Buster)
- Rust stable (>= 1.31), can be obtained using rustup
- LLVM 4.0.0 - 7.1.0 : run
Append the following entries in the shell configuration file (
```shell
export PATH=/path-to-clang/bin:$PATH
export LD_LIBRARY_PATH=/path-to-clang/lib:$LD_LIBRARY_PATH
```
The build script will resolve most dependencies and set up the runtime environment.
As with AFL, system core dumps must be disabled.
```shell
echo core | sudo tee /proc/sys/kernel/core_pattern
```
Test whether Angora was built successfully.

```shell
cd /path-to-angora/tests
./test.sh mini
```
Build Target Program
Angora compiles the program into two separate binaries, each with their respective
autoconf programs as an example, here are the steps required.
```shell
# Use the instrumenting compilers
CC=/path/to/angora/bin/angora-clang \
CXX=/path/to/angora/bin/angora-clang++ \
LD=/path/to/angora/bin/angora-clang \
PREFIX=/path/to/target/directory \
./configure --disable-shared

# Build with taint tracking support
USE_TRACK=1 make -j
make install
# Save the compiled target binary into a new directory
# and rename it with .taint postfix, such as uniq.taint

# Build with light instrumentation support
make clean
USE_FAST=1 make -j
make install
# Save the compiled binary into the directory previously
# created and rename it with .fast postfix, such as uniq.fast
```
If you fail to build by this approach, try gllvm as described in Build a target program.
Also, we have implemented taint analysis with libdft64 instead of DFSan (Use libdft64 for taint tracking).
```shell
./angora_fuzzer -i input -o output -t path/to/taint/program -- path/to/fast/program [argv]
```
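The two-binary build above and the launch command are easy to get subtly wrong (one build copied twice, a missing seed directory, core dumps still enabled). The following pre-flight script is an added example, not part of the Angora project: it assumes the `<target>.taint` / `<target>.fast` naming from the build steps, and the `CORE_PATTERN_FILE` override and all paths are hypothetical placeholders for testing.

```shell
# angora_preflight <bindir> <target> <indir>
# Prints each problem found, one per line; returns 0 only when all checks pass.
angora_preflight() {
    bindir=$1; target=$2; indir=$3; status=0
    taint="$bindir/$target.taint"
    fast="$bindir/$target.fast"

    # Both instrumented builds must exist and be executable.
    for bin in "$taint" "$fast"; do
        if [ ! -x "$bin" ]; then
            echo "missing or not executable: $bin"; status=1
        fi
    done

    # Byte-identical files mean the same build was saved under both names,
    # so one of the USE_TRACK=1 / USE_FAST=1 builds was skipped.
    if [ -f "$taint" ] && [ -f "$fast" ] && cmp -s "$taint" "$fast"; then
        echo "taint and fast binaries are identical; rebuild both variants"; status=1
    fi

    # The fuzzer needs at least one seed file in the input directory.
    if [ -z "$(find "$indir" -maxdepth 1 -type f 2>/dev/null | head -n 1)" ]; then
        echo "no seed files in $indir"; status=1
    fi

    # Core dumps must be disabled, as for AFL. CORE_PATTERN_FILE is a
    # hypothetical override so the check can be exercised without root.
    pattern_file=${CORE_PATTERN_FILE:-/proc/sys/kernel/core_pattern}
    if [ -r "$pattern_file" ] && [ "$(cat "$pattern_file")" != "core" ]; then
        echo "core_pattern is not 'core'; run: echo core | sudo tee $pattern_file"; status=1
    fi
    return $status
}

# angora_cmd <bindir> <target> <indir> <outdir> [target args...]
# Prints the angora_fuzzer invocation in the form shown above.
angora_cmd() {
    bindir=$1; target=$2; indir=$3; outdir=$4; shift 4
    echo "./angora_fuzzer -i $indir -o $outdir -t $bindir/$target.taint -- $bindir/$target.fast $*"
}
```

Run `angora_preflight /path/to/bins uniq input && eval "$(angora_cmd /path/to/bins uniq input output)"` to launch only when every check passes.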
For more information, please refer to the documentation under the