This is a fuzzer written in Rust language based on binary instrumentation from Intel PIN to obtain coverage on executables run under MacOS (10.15.4 - Catalina in my case).
You need to have rust/cargo ecosystem installed on your system and pin directory in $PATH. What is more, Intel PIN needs to have System Integrity Protection disabled on MacOS (https://support.apple.com/en-us/HT204899).
Having Rust, Intel PIN in your $PATH you run fuzzer with the following manner:
$ cargo run example.jpg ./fuzzed_binaryDirectories:
crashes/- directory with unique crashes (with the corresponding id based on PC, e.g.SIGSEGV_PC_29498)queue/- queue with the files which created a new coverage to mutate
$ cargo run example.jpg ./exif
Finished dev [unoptimized + debuginfo] target(s) in 0.04s
Running `target/debug/fuzzer example.jpg ./exif`
Filename: example.jpg
Length of corpus file: 5958 bytes
Fuzz case 0 | 0.00 fuzz cases/second | 0 crash (0 unique) | 0 coverage
Fuzz case 1 | 0.35 fuzz cases/second | 0 crash (0 unique) | 487 coverage
Fuzz case 2 | 0.48 fuzz cases/second | 0 crash (0 unique) | 502 coverage
Fuzz case 3 | 0.54 fuzz cases/second | 0 crash (0 unique) | 523 coverage
Fuzz case 4 | 0.60 fuzz cases/second | 0 crash (0 unique) | 526 coverage
Fuzz case 5 | 0.63 fuzz cases/second | 0 crash (0 unique) | 533 coverage
Fuzz case 6 | 0.65 fuzz cases/second | 0 crash (0 unique) | 535 coverage
Fuzz case 7 | 0.66 fuzz cases/second | 0 crash (0 unique) | 535 coverage
Fuzz case 8 | 0.69 fuzz cases/second | 0 crash (0 unique) | 537 coverage
Fuzz case 9 | 0.69 fuzz cases/second | 0 crash (0 unique) | 542 coverage
Fuzz case 10 | 0.71 fuzz cases/second | 0 crash (0 unique) | 542 coverage
Fuzz case 11 | 0.72 fuzz cases/second | 0 crash (0 unique) | 542 coverage
Fuzz case 12 | 0.73 fuzz cases/second | 0 crash (0 unique) | 542 coverage
Fuzz case 13 | 0.74 fuzz cases/second | 0 crash (0 unique) | 542 coverage
Fuzz case 14 | 0.74 fuzz cases/second | 0 crash (0 unique) | 542 coverage
Fuzz case 15 | 0.73 fuzz cases/second | 0 crash (0 unique) | 543 coverage
Fuzz case 16 | 0.73 fuzz cases/second | 1 crash (1 unique) | 543 coverageThe aim of writing such a fuzzer was to:
- Learn Rust language
- Learn binary instrumentation with Intel PIN
- Get familiar with blackbox fuzzing and obtaining coverage
- Coverage is obtained from Intel PIN module which observes control-flows and new branch taken
- Learn how to work with ASLR
- I was able to obtain Relative Virtual Address by subtracting IMG_LowAddress() base within Intel PIN module
Rust is a great language - safe & ultra fast.
Unfortunately, running binary with Intel PIN to obtain coverage is not the best idea due to the performance.
- https://www.youtube.com/user/gamozolabs
- https://www.twitch.tv/videos/603019865?t=13h25m56s
- https://www.instytutpwn.pl/wp-content/uploads/2016/11/%C5%9Aledzenie-%C5%9Bcie%C5%BCki-wykonania-procesu-dla-security-researchera-i-programisty-ROBERT-%C5%9AWI%C4%98CKI.pdf
- Practical Binary Analysis, Build Your Own Linux Tools for Binary Instrumentation, Analysis, and Disassembly by Dennis Andriesse