This directory contains build scripts for building the targets fuzzed in the paper. Like in the paper, we group the targets into three benchmarks: Magma, the Google Fuzzer Test Suite (FTS), and a set of real-world programs.
Note: AFL refuses to start if the kernel pipes core dumps to an external handler (a `core_pattern` that begins with `|`, which is what Ubuntu's apport sets), because the handler delays crash delivery and crashes would be misinterpreted as timeouts. Write cores to a plain file, and disable apport so it does not re-enable the pipe at boot:

```sh
sudo bash -c 'echo core >/proc/sys/kernel/core_pattern'
sudo systemctl disable apport.service
```
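The same check, as an added example that is not part of the repository: it tests `core_pattern` the way AFL does (reject a pattern that starts with `|`) and reports whether apport will set it again at boot, so a campaign launcher can fail early and print the two remediation commands above. The function names and the `--check` entry point are assumptions of this example.

```sh
#!/bin/sh
# Added example; not from the seed-selection repository. Mirrors AFL's own
# pre-flight check: a core_pattern beginning with '|' hands every core dump to
# an external program (apport on Ubuntu), which delays crash delivery and makes
# AFL misclassify crashes as timeouts, so AFL aborts. The string check is kept
# separate from the /proc read so it can be exercised on plain strings.

core_pattern_ok() {
    # Returns 0 when the pattern writes core files directly, 1 when it pipes
    # them to a helper program.
    case "$1" in
        '|'*) return 1 ;;
        *)    return 0 ;;
    esac
}

afl_preflight() {
    # Reads the live kernel setting and prints the fix for each problem found.
    # Returns 0 when the machine is ready for AFL, 1 otherwise.
    pattern=$(cat /proc/sys/kernel/core_pattern 2>/dev/null) || {
        echo "cannot read /proc/sys/kernel/core_pattern" >&2
        return 1
    }
    rc=0
    if ! core_pattern_ok "$pattern"; then
        echo "core_pattern is '$pattern': core dumps are piped to a helper" >&2
        echo "fix: sudo bash -c 'echo core >/proc/sys/kernel/core_pattern'" >&2
        rc=1
    fi
    # apport.service rewrites core_pattern when it starts, so a fixed pattern
    # does not survive a reboot while the service is enabled.
    if command -v systemctl >/dev/null 2>&1 &&
       systemctl is-enabled apport.service >/dev/null 2>&1; then
        echo "apport.service is enabled and will reset core_pattern at boot" >&2
        echo "fix: sudo systemctl disable apport.service" >&2
        rc=1
    fi
    return $rc
}

# Usage: ./preflight.sh --check   (hypothetical script name)
case "${1:-}" in
    --check) afl_preflight ;;
esac
```

Run `afl_preflight` from whatever wrapper starts your campaigns; a non-zero exit means the fix commands were printed to stderr.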
Magma is a ground-truth fuzzing benchmark. To build:

- Install dependencies, as described here
- Run

  ```sh
  ./magma/setup.sh /magma/benchmark/dir
  ```

- Clean out the default corpora

  ```sh
  ./magma/clean_corpora.sh /magma/benchmark/dir
  ```

- Copy the relevant `TARGET` corpus into `/magma/benchmark/dir/targets/TARGET/corpus/PROGRAM`. You can either distill your own corpus or use one that we have already prepared. For the former, see the Run OptiMin instructions. For the latter, use the `get_corpus.py` script. E.g., to download the `afl-cmin`-minimized libpng corpus (this can take up to 15-20 mins):

  ```sh
  get_corpus.py --benchmark magma --corpus cmin --log info --target libpng \
      /magma/benchmark/dir/targets/libpng/corpus/libpng_read_fuzzer
  ```

- Set `WORKDIR` in `/magma/benchmark/dir/tools/captain/captainrc` to something appropriate. If you only want to fuzz a single target (e.g., libpng), edit the `afl_TARGETS`/`aflplusplus_TARGETS` entry in `captainrc`
- Start fuzzing!

  ```sh
  cd /magma/benchmark/dir/tools/captain
  ./run.sh
  ```

- This Magma script can be used to perform the survival analysis on the results
The Google Fuzzer Test Suite is a widely-used fuzzing benchmark.

- Build the base image

  ```sh
  docker build -t seed-selection/fts/base -f fts/base.Dockerfile fts
  ```

- Build the FTS targets with the required `$INSTRUMENTATION` (one of `afl`, `aflpp`, or `coverage`)

  ```sh
  docker build -t seed-selection/fts/$INSTRUMENTATION \
      -f fts/$INSTRUMENTATION.Dockerfile fts
  ```

- Extract the relevant files for fuzzing, as instructed at the end of the previous step. E.g., for AFL++

  ```sh
  ./extract-from-container.sh seed-selection/fts/$INSTRUMENTATION /aflplusplus .
  ./extract-from-container.sh seed-selection/fts/$INSTRUMENTATION /build-aflpp .
  ./extract-from-container.sh seed-selection/fts/$INSTRUMENTATION /build-cmplog .
  ```

- Create a fuzzing corpus using the `get_corpus.py` script
- Start fuzzing. The runtime fuzzer configurations (e.g., timeouts and memory limits) that we used are stored here. The `fuzz.py` script (in `scripts/bin`) can be used to launch multiple campaigns in parallel. For example, to fuzz FreeType2 with AFL++ and the provided seeds:

  ```sh
  LD_LIBRARY_PATH=$(pwd)/build-aflpp/RUNDIR-aflpp-freetype2-2017/lib \
  fuzz.py -i $(pwd)/build-aflpp/RUNDIR-aflpp-freetype2-2017/seeds \
      -o fuzz-out -n2 --num-trials 30 --trial-len $((18*60*60)) \
      --cmp-log $(pwd)/build-aflpp_cmplog/RUNDIR-aflpp_cmplog-freetype2-2017/freetype2-2017-aflpp_cmplog \
      $(pwd)/build-aflpp/RUNDIR-aflpp-freetype2-2017/freetype2-2017-aflpp
  ```

- We use the regexes here to determine each crash's root cause.
A set of real-world programs.

- Build the base image for a given `$TARGET` (e.g., sox, freetype)

  ```sh
  docker build -t seed-selection/real-world/$TARGET/base \
      -f real-world/$TARGET/base.Dockerfile real-world/$TARGET
  ```

- Build the target with the required `$INSTRUMENTATION`

  ```sh
  docker build -t seed-selection/real-world/$TARGET/$INSTRUMENTATION \
      -f real-world/$TARGET/$INSTRUMENTATION.Dockerfile \
      real-world/$TARGET
  ```

- Extract the relevant files for fuzzing, using the `extract-from-container.sh` script
- Create a fuzzing corpus using the `get_corpus.py` script
- Start fuzzing. Again, the `fuzz.py` script can be used.
To reproduce the `readelf` experiment (Section 3.1 of the paper):

- Build the Docker image

  ```sh
  docker build -t seed-selection/readelf readelf
  ```

- Start the container, run the fuzzers, and process the results

  ```sh
  docker run -ti --rm seed-selection/readelf
  # Execute the following commands inside the Docker container
  ./fuzz.sh
  ./get_afl_cov.sh
  ./get_hfuzz_cov.sh
  ./merge_cov.py
  ./plot_cov.py
  ```
We use LLVM's source-code-level coverage in our evaluation. To generate LLVM coverage after a fuzzing campaign:

- Build the target with LLVM's coverage instrumentation. For Magma, this requires building with the `llvm_cov` fuzzer. For the FTS and real-world targets, build with the `coverage` Dockerfile.
- Replay the final fuzzing queue (in AFL, this is the `queue` output directory) using the `llvm_cov_merge` script
- Summarize the results using `llvm_cov_stats`
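The replay-and-summarize step, as an added example; this is not the repository's `llvm_cov_merge` or `llvm_cov_stats` script. It assumes a target binary built with clang's `-fprofile-instr-generate -fcoverage-mapping`, `llvm-profdata` and `llvm-cov` on `PATH`, and AFL's convention that a literal `@@` in the argument list is replaced by the input file (with no `@@`, the input goes to stdin). The function names, the per-input `.profraw` naming and the `REPLAY_TIMEOUT` variable are assumptions of this example.

```sh
#!/bin/sh
# Added example, not the project's own scripts. Replays every file in an AFL
# queue directory against a coverage-instrumented build, writing one .profraw
# per input, then merges the raw profiles and prints llvm-cov's summary.
#
#   replay_queue QUEUE_DIR PROF_DIR TARGET [ARGS...]   -> prints inputs replayed
#   coverage_report PROF_DIR TARGET                    -> prints llvm-cov report

# Hangs in the queue must not stall the replay, so each run is bounded when
# coreutils' timeout is available (default 10 s; override with REPLAY_TIMEOUT).
if command -v timeout >/dev/null 2>&1; then
    RUN="timeout ${REPLAY_TIMEOUT:-10}"
else
    RUN=""
fi

run_one() {
    # run_one INPUT PROFRAW TARGET [ARGS...]
    # Rebuilds the argument list with @@ replaced by INPUT; a fresh copy of the
    # arguments arrives on every call, so the substitution never leaks between
    # queue entries.
    input=$1; profraw=$2; target=$3; shift 3
    use_stdin=1
    n=$#
    while [ "$n" -gt 0 ]; do
        a=$1; shift
        if [ "$a" = "@@" ]; then a=$input; use_stdin=0; fi
        set -- "$@" "$a"
        n=$((n - 1))
    done
    # LLVM_PROFILE_FILE tells the instrumented binary where to write its
    # profile. Crashing inputs exit non-zero; that is expected, not an error.
    if [ "$use_stdin" -eq 1 ]; then
        LLVM_PROFILE_FILE=$profraw $RUN "$target" "$@" <"$input" >/dev/null 2>&1 || true
    else
        LLVM_PROFILE_FILE=$profraw $RUN "$target" "$@" >/dev/null 2>&1 || true
    fi
}

replay_queue() {
    queue=$1; prof=$2; target=$3; shift 3
    mkdir -p "$prof" || return 1
    count=0
    # The glob skips AFL's hidden .state/ bookkeeping directory; -f skips any
    # other directory entries.
    for f in "$queue"/*; do
        [ -f "$f" ] || continue
        run_one "$f" "$prof/$(basename "$f").profraw" "$target" "$@"
        count=$((count + 1))
    done
    echo "$count"
}

coverage_report() {
    prof=$1; target=$2
    llvm-profdata merge -sparse -o "$prof/merged.profdata" "$prof"/*.profraw || return 1
    llvm-cov report "$target" -instr-profile="$prof/merged.profdata"
}
```

A typical call is `replay_queue fuzz-out/queue prof ./target-cov --in @@` followed by `coverage_report prof ./target-cov`; for a Magma campaign the queue lives under the `WORKDIR` set in `captainrc`.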