uberfuzz2

Dependencies and Compilation

Master

  • deps - rust toolchain, library deps provisioned by cargo
  • build - run cargo build --release in the master directory

Driver

  • deps - zeromq (install from distro repository), Collections-C
  • build - use the provided Makefile in the driver folder

Usage

First you have to create a configuration file for the fuzzer you want to run in the work folder. The file name must be of the form fuzzer_id.fuzzer_type.conf, where fuzzer_id is the identifier of the configuration and fuzzer_type is one of afl, hongg or vu. The configuration file contains the path to the fuzzer executable and all its parameters, one per line.

Before running, you should set up the work directory accordingly. Within that folder, run the setup_dir.sh script; this will set up directories for each configuration file present. The script accepts one argument, which can be either a string to be used as the seed or a directory whose contents are to be copied and used as seeds.

Based on the fuzzers you're planning to use, you may need to set up your system or some environment variables: this can be done within the uberenv.sh script, to be sourced later in the shell from which you'll run the fuzzers. Remember that, regardless of which fuzzer you're going to use, it is advised that you turn off ASLR.

The master executable accepts the following options:

usage: ./master/target/release/master [options] -- target [args]

Options:
    -h, --help          Print this help
    -f, --fuzzer aflfast
                        Fuzzer id (from id.type.conf in work directory)
    -H, --high          High or low winning strategy
    -t, --winning-threshold 0.42
                        Winning strategy threshold
    -s, --stdin         Target reads from standard input
    -B, --basic-blocks  Drivers use basic blocks from static analysis
    -S, --section       Drivers use only the .text section of the target

The -f flag identifies a configuration file and can be repeated, one per fuzzer. If the target reads from a file, use the --stdin flag and @@ as a placeholder for the input file name. For example:

./master/target/release/master -f aflfast -f vuzzer -f honggfuzz -H -s -- djpeg @@

Setting-up VUzzer

Start VM with vagrant up (set up vuzzer directory in work first), then vagrant provision --provision-with vu-setup.

Run standalone drivers

timeout -k 3 $((60 * 60 * 4)) ./driver/driver -i vuzzer -f ./work/vuzzer.vu.conf \
  -c ./work/vuzzer/special -d ./work/vuzzer/driver \
  -l ./work/vuzzer.fuzz.log -L ./work/vuzzer.fuzz.err.log \
  -- ../libjpeg-turbo-1.5.1/djpeg ./work/.vuzzer.input

timeout -k 3 $((60 * 60 * 4)) ./driver/driver -i honggfuzz -f ./work/honggfuzz.hongg.conf \
  -c ./work/honggfuzz/in -d ./work/honggfuzz/driver \
  -l ./work/honggfuzz.fuzz.log -L ./work/honggfuzz.fuzz.err.log \
  -- ../libjpeg-turbo-1.5.1/djpeg ./work/.honggfuzz.input

timeout -k 3 $((60 * 60 * 4)) ./driver/driver -i fairfuzz -f ./work/fairfuzz.afl.conf \
  -c ./work/fairfuzz/out/fairfuzz/queue -d ./work/fairfuzz/driver \
  -l ./work/fairfuzz.fuzz.log -L ./work/fairfuzz.fuzz.err.log \
  -- ../libjpeg-turbo-1.5.1/djpeg ./work/.fairfuzz.input

timeout -k 3 $((60 * 60 * 4)) ./driver/driver -i aflfast -f ./work/aflfast.afl.conf \
  -c ./work/aflfast/out/aflfast/queue -d ./work/aflfast/driver \
  -l ./work/aflfast.fuzz.log -L ./work/aflfast.fuzz.err.log \
  -- ../libjpeg-turbo-1.5.1/djpeg ./work/.aflfast.input
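As an added example (not code from the uberfuzz2 repository), the shell helpers below encode the work-directory conventions described above: the id.type.conf naming rule and the three accepted types from the Usage section, the seed argument contract of setup_dir.sh, and the per-fuzzer corpus paths that the four standalone driver commands use (special for vu, in for hongg, out/<id>/queue for afl). Everything under /opt and the DEMO directory is constructed for the demo; the one-item-per-line layout of a conf file (executable first, then each parameter) and the seed file name are assumptions, not something the project specifies.

```shell
#!/bin/sh
# Added example, not part of uberfuzz2. Helpers around the work-directory
# conventions the README describes. Assumptions (not stated by the project):
#   - a .conf file holds the fuzzer executable on line 1 and one argument
#     per following line ("separated line by line");
#   - the corpus directory per fuzzer type follows the README's standalone
#     driver commands: vu -> special, hongg -> in, afl -> out/<id>/queue;
#   - a string seed is written to a file named "seed" (name chosen here).

# conf_id ./work/aflfast.afl.conf -> aflfast (fails on names without id.type.conf shape)
conf_id() {
    b=$(basename "$1")
    case "$b" in
        *.*.conf) printf '%s\n' "${b%%.*}" ;;
        *) return 1 ;;
    esac
}

# conf_type ./work/aflfast.afl.conf -> afl ; only afl, hongg and vu are accepted
conf_type() {
    b=$(basename "$1")
    t=${b%.conf}
    t=${t#*.}
    case "$t" in
        afl|hongg|vu) printf '%s\n' "$t" ;;
        *) return 1 ;;
    esac
}

# conf_exe FILE -> the fuzzer executable (line 1); conf_args FILE -> its parameters
conf_exe()  { head -n 1 "$1"; }
conf_args() { tail -n +2 "$1" | tr '\n' ' ' | sed 's/ $//'; }

# corpus_dir ID TYPE -> directory the driver watches for that fuzzer's test cases
corpus_dir() {
    case "$2" in
        vu)    printf './work/%s/special\n' "$1" ;;
        hongg) printf './work/%s/in\n' "$1" ;;
        afl)   printf './work/%s/out/%s/queue\n' "$1" "$1" ;;
        *)     return 1 ;;
    esac
}

# driver_cmd CONF TARGET -> the timeout-wrapped driver invocation in the README's
# form (4 h budget, SIGKILL 3 s after the TERM that timeout sends)
driver_cmd() {
    id=$(conf_id "$1") || return 1
    ty=$(conf_type "$1") || return 1
    corpus=$(corpus_dir "$id" "$ty") || return 1
    printf 'timeout -k 3 %s ./driver/driver -i %s -f %s -c %s -d ./work/%s/driver -l ./work/%s.fuzz.log -L ./work/%s.fuzz.err.log -- %s ./work/.%s.input\n' \
        "$((60 * 60 * 4))" "$id" "$1" "$corpus" "$id" "$id" "$id" "$2" "$id"
}

# check_work_dir DIR -> prints every .conf whose name breaks the convention; fails if any
check_work_dir() {
    bad=0
    for f in "$1"/*.conf; do
        [ -e "$f" ] || continue
        if conf_id "$f" >/dev/null && conf_type "$f" >/dev/null; then :
        else echo "invalid config name: $f"; bad=1; fi
    done
    return $bad
}

# materialize_seed SEED DEST -> setup_dir.sh's contract: SEED is a directory whose
# contents are copied, or a literal string written as a single seed file
materialize_seed() {
    mkdir -p "$2"
    if [ -d "$1" ]; then cp -R "$1"/. "$2"/
    else printf '%s' "$1" > "$2/seed"; fi
}

# Constructed sample work directory (paths are made up) so this runs offline.
DEMO=$(mktemp -d)
printf '%s\n' /opt/afl/afl-fuzz -m none -t 1000 > "$DEMO/aflfast.afl.conf"
printf '%s\n' /opt/honggfuzz/honggfuzz -n 1     > "$DEMO/honggfuzz.hongg.conf"
printf '%s\n' /opt/libfuzzer/run                 > "$DEMO/bad.libfuzzer.conf"

check_work_dir "$DEMO" || echo "fix the names above before running setup_dir.sh"
driver_cmd "$DEMO/aflfast.afl.conf" ../libjpeg-turbo-1.5.1/djpeg
```

Running check_work_dir ./work before setup_dir.sh catches a misnamed or unsupported configuration before any fuzzer starts, and looping driver_cmd over ./work/*.conf regenerates the four commands above from the files themselves, so each fuzzer id is typed once (in the file name) rather than in seven places per command.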

About

A Cooperative Fuzzing Framework - Implementation of my Master project
