From 8b07b3a5ec82da2dced82e3b5461ad181cbb8a33 Mon Sep 17 00:00:00 2001
From: jeffball
Date: Mon, 30 Jul 2018 14:06:10 -0400
Subject: [PATCH 1/5] Modified the CMakeLists.txt build process to build the corpus test programs on Linux
---
 CMakeLists.txt | 1 +
 corpus/CMakeLists.txt | 17 +++++++++++++++++
 corpus/hang/CMakeLists.txt | 4 ++++
 corpus/libtest/CMakeLists.txt | 12 ++++++++++++
 corpus/persist/CMakeLists.txt | 22 ++++++++++++++++++++++
 corpus/test/CMakeLists.txt | 4 ++++
 6 files changed, 60 insertions(+)
 create mode 100644 corpus/CMakeLists.txt
 create mode 100644 corpus/hang/CMakeLists.txt
 create mode 100644 corpus/libtest/CMakeLists.txt
 create mode 100644 corpus/persist/CMakeLists.txt
 create mode 100644 corpus/test/CMakeLists.txt
diff --git a/CMakeLists.txt b/CMakeLists.txt
index a94653a..a867f5a 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -32,6 +32,7 @@ include_directories (${CMAKE_SOURCE_DIR}/../killerbeez-utils/utils/)
 # compile mutators, which will compile utils
 add_subdirectory(${CMAKE_SOURCE_DIR}/../killerbeez-mutators/ ${CMAKE_BINARY_DIR}/killerbeez-mutators/)
+add_subdirectory(corpus) # test programs
 add_subdirectory(fuzzer) # instantiates & coordinates other parts
 add_subdirectory(driver) # starts program, feeds input, determines when program is done
 add_subdirectory(instrumentation) # inserts instructions to program to tell whether an input makes the binary take a new path
diff --git a/corpus/CMakeLists.txt b/corpus/CMakeLists.txt
new file mode 100644
index 0000000..8ba2bce
--- /dev/null
+++ b/corpus/CMakeLists.txt
@@ -0,0 +1,17 @@
+cmake_minimum_required (VERSION 2.8.8)
+project (corpus)
+
+# All of the Windows test programs have precompiled versions, as the DynamoRIO
+# instrumentation needs exact offsets into the program to know where to hook.
+# As such, we've included precompiled versions with and listed the offsets,
+# rather than having the user compile them.
+if (UNIX)
+SET( CMAKE_RUNTIME_OUTPUT_DIRECTORY ${BUILD_DIRECTORY}/killerbeez/corpus/ )
+SET( CMAKE_LIBRARY_OUTPUT_DIRECTORY ${BUILD_DIRECTORY}/killerbeez/corpus/ )
+SET( CMAKE_ARCHIVE_OUTPUT_DIRECTORY ${BUILD_DIRECTORY}/killerbeez/corpus/ )
+
+add_subdirectory(hang)
+add_subdirectory(libtest)
+add_subdirectory(persist)
+add_subdirectory(test)
+endif ()
diff --git a/corpus/hang/CMakeLists.txt b/corpus/hang/CMakeLists.txt
new file mode 100644
index 0000000..21590ee
--- /dev/null
+++ b/corpus/hang/CMakeLists.txt
@@ -0,0 +1,4 @@
+cmake_minimum_required (VERSION 2.8.8)
+project (hang-linux)
+
+add_executable(hang-linux ${PROJECT_SOURCE_DIR}/hang.c)
diff --git a/corpus/libtest/CMakeLists.txt b/corpus/libtest/CMakeLists.txt
new file mode 100644
index 0000000..3b09a36
--- /dev/null
+++ b/corpus/libtest/CMakeLists.txt
@@ -0,0 +1,12 @@
+cmake_minimum_required (VERSION 2.8.8)
+project (libtest)
+
+add_executable(libtest ${PROJECT_SOURCE_DIR}/test.c)
+add_executable(libtest_pie ${PROJECT_SOURCE_DIR}/test.c)
+add_library(lib1test SHARED ${PROJECT_SOURCE_DIR}/lib1.c)
+add_library(lib2test SHARED ${PROJECT_SOURCE_DIR}/lib2.c)
+
+set_target_properties(libtest PROPERTIES LINK_FLAGS "-no-pie")
+
+target_link_libraries(libtest lib1test lib2test)
+target_link_libraries(libtest_pie lib1test lib2test)
diff --git a/corpus/persist/CMakeLists.txt b/corpus/persist/CMakeLists.txt
new file mode 100644
index 0000000..090d70a
--- /dev/null
+++ b/corpus/persist/CMakeLists.txt
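Review bot: `${BUILD_DIRECTORY}` is not defined anywhere in this file, and if it is unset (for example when `corpus` is configured on its own, which its own `project()` call permits) the three `SET( CMAKE_*_OUTPUT_DIRECTORY ... )` lines resolve to the absolute path `/killerbeez/corpus/`, so the build writes the test binaries outside the build tree. Presumably the top-level CMakeLists.txt defines it, but the standalone case should fail loudly: add `if(NOT DEFINED BUILD_DIRECTORY) message(FATAL_ERROR "BUILD_DIRECTORY must be set by the top-level killerbeez build") endif()` before the `SET` calls, or default it to `${CMAKE_BINARY_DIR}`. Lowercase `set(` would also match the `add_subdirectory` calls below rather than mixing command case within one file.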
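Review bot: `libtest_pie` receives no PIE-related flags at all, so whether it is actually position-independent depends on the toolchain default (and on any user-supplied `CMAKE_C_FLAGS`); on a compiler that does not default to PIE both executables come out identical and the PIE/non-PIE distinction the two targets exist for is silently lost. Make the intent explicit next to the `-no-pie` line with `set_target_properties(libtest_pie PROPERTIES COMPILE_FLAGS "-fPIE" LINK_FLAGS "-pie")`. As far as I recall `-no-pie` is a GCC 6+/Clang link option, so a one-line comment such as `# -no-pie needs GCC >= 6 or Clang; the fuzzer compares this non-PIE build against libtest_pie` would save a confusing link error on older toolchains. The two `target_link_libraries` calls should also carry an explicit `PRIVATE` keyword.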
@@ -0,0 +1,22 @@
+cmake_minimum_required (VERSION 2.8.8)
+project (persist)
+
+set(PERSIST_SRC ${PROJECT_SOURCE_DIR}/test.c)
+
+add_executable(nopersist ${PERSIST_SRC})
+add_executable(persist ${PERSIST_SRC})
+add_executable(persist_hang ${PERSIST_SRC})
+add_executable(deferred ${PERSIST_SRC})
+add_executable(deferred_nohook ${PERSIST_SRC})
+
+target_compile_definitions(persist PUBLIC PERSIST)
+target_compile_definitions(persist_hang PUBLIC PERSIST PUBLIC HANG)
+target_compile_definitions(deferred PUBLIC SLOW_STARTUP)
+target_compile_definitions(deferred_nohook PUBLIC SLOW_STARTUP PUBLIC DEFERRED_NOHOOK)
+
+target_link_libraries(persist forkserver)
+target_link_libraries(persist_hang forkserver)
+target_link_libraries(deferred forkserver)
+target_link_libraries(deferred_nohook forkserver)
+
+include_directories(${PROJECT_SOURCE_DIR}/../../instrumentation/)
diff --git a/corpus/test/CMakeLists.txt b/corpus/test/CMakeLists.txt
new file mode 100644
index 0000000..2f5b493
--- /dev/null
+++ b/corpus/test/CMakeLists.txt
@@ -0,0 +1,4 @@
+cmake_minimum_required (VERSION 2.8.8)
+project (test-linux)
+
+add_executable(test-linux ${PROJECT_SOURCE_DIR}/test.c)
From 211129ede24c44158d81e89b2dbb9df0a20ad7a3 Mon Sep 17 00:00:00 2001
From: jeffball
Date: Mon, 30 Jul 2018 14:27:19 -0400
Subject: [PATCH 2/5] Fixed the names of the libtest libraries (to remove duplicate lib) and updated the IPT.md readme to point to the built test programs, rather than their location in the repo source
---
 IPT.md | 11 +++++------
 corpus/libtest/CMakeLists.txt | 8 ++++----
 2 files changed, 9 insertions(+), 10 deletions(-)
diff --git a/IPT.md b/IPT.md
index 3e910d4..ccf99df 100644
--- a/IPT.md
+++ b/IPT.md
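Review bot: `cmake_minimum_required (VERSION 2.8.8)` understates what this file needs — I believe `target_compile_definitions` (and `target_include_directories`) only appeared in CMake 2.8.11, so a 2.8.8 configure would fail on the first of the four definition lines instead of at the version check; raise it to at least `2.8.11`. The trailing `include_directories(${PROJECT_SOURCE_DIR}/../../instrumentation/)` is directory-scoped, reaches outside this project through `../..`, and sits after the targets it serves; it works only because CMake applies directory include paths to every target in the file regardless of order, which a later edit can easily break. `forkserver`, which the four targets link, is presumably defined under `instrumentation/` (not visible in this patch); if that target carried `target_include_directories(forkserver PUBLIC ...)` the header path would arrive with the link and this line could be dropped. Failing that, attach the path per target with an explicit `PRIVATE`, and replace the repeated keyword in `target_compile_definitions(persist_hang PUBLIC PERSIST PUBLIC HANG)` — legal, but nothing consumes an executable's definitions, so `PRIVATE PERSIST HANG` says what is meant.
```cmake
# … unchanged: cmake_minimum_required / project / add_executable / target_compile_definitions …
foreach(tgt persist persist_hang deferred deferred_nohook)
  target_link_libraries(${tgt} PRIVATE forkserver)
  # forkserver's headers live in the instrumentation tree; per-target so a reorder cannot drop them
  target_include_directories(${tgt} PRIVATE ${PROJECT_SOURCE_DIR}/../../instrumentation)
endforeach()
```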
@@ -155,7 +155,7 @@ command will cause a crash in the test-linux binary on the seventh iteration. The IPT instrumentation tracks the TNT and TIP packets that are generated from the main test-linux executable. ``` -./fuzzer stdin ipt bit_flip -d "{\"path\":\"$HOME/killerbeez/killerbeez/corpus/test/test-linux\"}" -n 10 -sf $HOME/killerbeez/killerbeez/corpus/test/inputs/close.txt +./fuzzer stdin ipt bit_flip -d "{\"path\":\"$HOME/killerbeez/build/killerbeez/corpus/test-linux\"}" -n 10 -sf $HOME/killerbeez/killerbeez/corpus/test/inputs/close.txt ``` If instead of tracking code coverage for the main executable, you wish to track @@ -165,9 +165,8 @@ to track coverage information for. The below command illustrates how to use this option with the included example program. This command tracks the code coverage of libtest1.so and libtest2.so. ``` -env LD_LIBRARY_PATH=$HOME/killerbeez/killerbeez/corpus/libtest/ ./fuzzer stdin ipt bit_flip \ - -d "{\"path\":\"$HOME/killerbeez/killerbeez/corpus/libtest/test\"}" -n 10 \ - -i '{"coverage_libraries":["$HOME/killerbeez/killerbeez/corpus/libtest/libtest1.so","$HOME/killerbeez/killerbeez/corpus/libtest/libtest2.so"]}' \ +./fuzzer stdin ipt bit_flip -d "{\"path\":\"$HOME/killerbeez/build/killerbeez/corpus/libtest\"}" -n 10 \ + -i "{\"coverage_libraries\":[\"$HOME/killerbeez/build/killerbeez/corpus/libtest1.so\",\"$HOME/killerbeez/build/killerbeez/corpus/libtest2.so\"]}" \ -sf $HOME/killerbeez/killerbeez/corpus/test/inputs/close.txt ``` 
@@ -216,12 +215,12 @@ shown below. This example runs 5000 iterations of the persist binary, mutates the input with the afl mutator, and feeds the input over stdin to the target program. The IPT module will run 1000 iterations per persist process.
 ```
-./fuzzer stdin ipt afl -i "{\"persistence_max_cnt\":1000}" -d "{\"path\":\"$HOME/killerbeez/killerbeez/corpus/persist/persist\"}" -n 5000 -sf $HOME/killerbeez/killerbeez/corpus/test/inputs/close.txt
+./fuzzer stdin ipt afl -i "{\"persistence_max_cnt\":1000}" -d "{\"path\":\"$HOME/killerbeez/build/killerbeez/corpus/persist\"}" -n 5000 -sf $HOME/killerbeez/killerbeez/corpus/test/inputs/close.txt
 ```
 For comparison, a non-persistence mode run with a similar binary can be started with this command:
 ```
-./fuzzer stdin ipt afl -d "{\"path\":\"$HOME/killerbeez/killerbeez/corpus/persist/nopersist\"}" -n 5000 -sf $HOME/killerbeez/killerbeez/corpus/test/inputs/close.txt
+./fuzzer stdin ipt afl -d "{\"path\":\"$HOME/killerbeez/build/killerbeez/corpus/nopersist\"}" -n 5000 -sf $HOME/killerbeez/killerbeez/corpus/test/inputs/close.txt
 ```
 # Deferred Startup Mode
diff --git a/corpus/libtest/CMakeLists.txt b/corpus/libtest/CMakeLists.txt
index 3b09a36..7a62f34 100644
--- a/corpus/libtest/CMakeLists.txt
+++ b/corpus/libtest/CMakeLists.txt
@@ -3,10 +3,10 @@ project (libtest)
 add_executable(libtest ${PROJECT_SOURCE_DIR}/test.c)
 add_executable(libtest_pie ${PROJECT_SOURCE_DIR}/test.c)
-add_library(lib1test SHARED ${PROJECT_SOURCE_DIR}/lib1.c)
-add_library(lib2test SHARED ${PROJECT_SOURCE_DIR}/lib2.c)
+add_library(test1 SHARED ${PROJECT_SOURCE_DIR}/lib1.c)
+add_library(test2 SHARED ${PROJECT_SOURCE_DIR}/lib2.c)
 set_target_properties(libtest PROPERTIES LINK_FLAGS "-no-pie")
-target_link_libraries(libtest lib1test lib2test)
-target_link_libraries(libtest_pie lib1test lib2test)
+target_link_libraries(libtest test1 test2)
+target_link_libraries(libtest_pie test1 test2)
From ec0e4d00ff512e1494672fef73d3c6149268fc15 Mon Sep 17 00:00:00 2001
From: jeffball Date: Mon, 30 Jul 2018 14:28:41 -0400 Subject: [PATCH 3/5] Removed prebuilt linux binaries and makefiles for corpus test programs, as we now use CMakeLists.txt instead of including Makefiles or prebuilt binaries for Linux --- corpus/hang/hang-linux | Bin 8552 -> 0 bytes corpus/libtest/Makefile | 14 -------------- corpus/persist/Makefile | 22 ---------------------- corpus/test/test-linux | Bin 8912 -> 0 bytes 4 files changed, 36 deletions(-) delete mode 100755 corpus/hang/hang-linux delete mode 100644 corpus/libtest/Makefile delete mode 100644 corpus/persist/Makefile delete mode 100755 corpus/test/test-linux
diff --git a/corpus/hang/hang-linux b/corpus/hang/hang-linux deleted file mode 100755 index f0f1ca2316b62ffe1b05b738f16f76338558c664..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 8552 zcmeHNU2Ggz6+XLb$4-;1H*V56KQyC~Ah*<$b#R;w6=c>w$v9dk!C4m}aK>xz+Fn@i zhTYlVgsLra8)0aQB~a@=@WhWm;=#Ot#RF+@<-nT@3LupSg9xNe3#n3~AW<*p+&O1| z#uHQ_Azpl?nRCx~&v)**KXZNWT|d(sJLdQKK$0Im38bwA3D$?23*`XJ5`a#uh@=vzMPY$Y@q#rfZDCTYW&>W!hrwdzNihgn8*1smM zU*EAX@|(_o9?lY19?X8=v3nC5{4wqumS?gY!Cyj8FhdE1&yq_c>OPv)|W zSa3Yn*VSzu)DP;1(33N;K8%v$l>RL4N^hjH$GNV1O~WcjW5ZKH=`A4#Z$ORslFaG1 z8_loR4{g@KeEwCt{^m!q#GHPuanZ3T9U8!*(*8KUoAw%*BYlDj-&`qS+W!dZW3!Gm zK>Is=Gq0aDXZ~bP|M~Xmc;B^GPvcB7uU%cKBXRAwC~p1~dGC!i?d<_rIE;Y}nr&ee z=JdUwIdkLu?gjEj;cOkcLItH2G=5H1F|>Y4WPJn5Q#Ul7}(HK{UwBacT`PRv>*j`6pHn? zzKOiDvv-M5S{{1yB628yYn394emeSObfy#?jK*V^_dmQ*!{9Erkv!8kbGL8idhF2~ zs?V>!AGrC z;sE%jLcZOb8yaVQ4I#p5O>9N}V`RX|+a6#amXrN2-!GLkvJHlg1zS!uZTeEH(O~G3zk7?yb6FDQJeH?WLRT>K4S!d#<;6g6P`g~$6>NQ> z-VBB>Z7_q8>4yHGkq<_q!EiL#+7;B$4(+>wjjCNgLi+E~PxbdeF4xm~53KjVdJnAk zzMNT2f?Br0b_x<0 z_EWS!r?kTnFvax?KFqqrEqpu#s3baWcT{@}w#RLr(tT`qoAn5nGyFdna*lOZv~-_1 zj(2x|Tx%U1DQ4}Wc1Z8g!)={KrL{lZ-l>N>^dpZtxOOny-Wl!;A91^0qX%$yMf`>b z?k}I0s|y2oa&o+`*1jGVJneB7d9*VC4d68n0i2yOezpEL!my{G2g>uM)_xPn zcTv~YW*~Ue22Ao2!{Flti`vM?-y$EW|;G|f3SRiQft2rpPka~9G1Q#`AgfWO#E02Bc(+tRoE)ul zK3qNA@zeU|haiMp>m+$5{Im<#8F#O%bmsCwB~FTi(iwbwcv^Dz=S9TH|GdlpC1t;M zT)v06SG(@lUOJok@CN0p8w|`<($6sK)emIh<$p<0A6ygv@06dlu zK472)fZQSc1aY!=e=omad%7p0v_ZWAt|6{*zFNG2IK}Vw^Vj>>&m-Op9_!&~-Y(e1 zu`zuVui;K~4_L9jGjYp;WGbH;PZ#V|-m)jH(M&FzDxgI&XN_laBZ-Wav~&4_l_*ZZ zXm0XcCS|9R`r$)II=qdnv2-?VCGz>i1uK=c^A}(&pO{Qp$>QYX1*BAI7FyahrW1+m zxQg%CK(xQt>OI+m0Xor2zJ`+otLHN(qy2r|XjN6Bt{f4<%TTM=v>b0{&j47*W2d^J zG3(T^V`qBfRy^7j>!ljhMdfIrsGpO*3$#m8#7E;)pN+i@A)JF;hcH`Wjo;Ys}@OX7+ z5`}^qER0Y(i$a$HtqC0T!i7mYF@n<0J90vD=`0TaInc8?JEcdv`r7QoIBVnCqCQeg zRZWXp~c3tfwY;woD|^iD(YhnKlkX@}D0?Gpr^tnI6R$ayGd~gvLw9egqvS@FY&k z>hJ5n&C}l{{M5?(T-k5Q?=Q0d7XM^hoj!~T?RjNAjr$GMD!*@NN~^qNeG;S{Gu3?A 
zzuD|?pBS=q^Lr4#i+g0Lf6i|x%Q*%le!63&B>Qnk12~BpIui(A_Ja!ym~2Sv8?{~d zxZ_aiNqp0pLHH0b6s|zbMI5dCcK6>|ETKKW@MV7);e&{*s}jH1iTncc=?o#d!Sx%= z*SKbP{0sx_8>ml(Kg|4L=1V)Jes}wyV}2JqlylIO2cLYo`7a_yeIo6g<@#rtFXusa zuVR%v$r*gA`SZ-5ceP(Q@_UTPZ@Ku(%wJ}{#4CKa{%se3h50MY&r@(!N$M5oJD4F8 zX}|2xF&Q@Ax=M`a(9)_5AwUC+up5TM{ZLUU-rc<5e2G)s2v77?%n&B+m;GIsiEexD4xvK;0m8y%#K{QXJ^zF+ax0ok-PJB$;f0HS sGpkN6Rn;wXzuIns;}7$|J&c71@R9bgd;EU~@A~H+a=iIm&fWF@8|c0sVka^9Ph>xL zX*F23Kqs#&i=aZ)5UA2%>!y7u(#8;)NUBz?(DorrW1F;U>ZXAb3R_rN$s}m@JNMmV zKfl--`>=04)_doi-#zEt|M%T{{mpRCcDKtVnB3w%A+;J!Le^Ud-#WGsLKE#`CEn}B z&7uZyH6FIpl*D{dg=Su>!g#=|@U*)vpxv!Wf%(lAj2tZD5)!BUiliyg;#GB)%3KJ) z1jvud>hnq!d_W4!_o#9VD9(PQl3$bZYf^s9XH~(NbN#4p^z^EDy>1N}=^8Q7CErC( zwnTg0Hlrk;SAovgY6L^Kc&pTeV9tJDgddgj(~?ga?p66!YL^97KjummcP8S4ZLN1E zqRokTDmUId-rm;S)*8sB1Dj>NDL&cm*xe^{;&${yqcX3>Lt}u_eJ5@`7@KeS!Ng5*`kckK%>5Fg`B<6gr0dTDognmy2oZ7RT{S6iH<_dVI z0=^HpACHq(0VtR6t-#laMls+UkS;u~1loOwnz>C3r^jL`F_ts4!Z5OCWav?2X!KEI zI1*2YtQn1`L^77l#!N9hlt^b|VmK3vL}5x1$Ub8l$q1|rVK zHuW!4gQ`E-Qa((68?L69Olq>>G`^UEHk{`SrM25|`?{jpaQnQ{ZFr$i5J#VUuU0=? 
z{ZgG@=ugg=)pO5C@J#J#%B4t4Tb_o=(x#($*RR(gkv>WW^B0yto4!jrRds$=>fa`v zsyII*^@F5S)#gu1JwrNGY5us>A0eHpGCw8tLDH!T^Al2cLm!@kE~(}H?);k%>-oRx zlYd*-)7yP+W(q5fe(scCvU8VfG%@#MIDR->zrIU|S4YqQeR?zXmp-}Z)$?!fU-v47 zqH3?{pQePR3ow2{#_vB(wHywx{yL@i>EHUh3~=g-2Lbf_f_`f5e%*CefAflYeIeQ^ zj#j^3^q;o!pSbtsm3|>|Yx>|gmqNk%&sM(x$aP8PH0{R%txw)Ba@7}~fnOom2js9c z+dqF0J|v^Zg89eJ>-pSlR6ks`sfp^44==XN=;y+7RCx5~y@(9(!sKJ;U60?b9}dsz zlQZaO@%oF@KKXNV&s|wsA`5-;u?r%%cKQVHxmy6fD*Ny`igP5q@EY~d>oO{wwv*H0 zz6+G1=ijsv$(|zq`x8n;M97~&u74%Guq~7egMYBCBi91{&uyK#&wyXr)|Fcc+qttM zd@(TnE6V$)aJjf)`V7f0kbJ}RZ%BTcJL2}GEPqwGrWZPBICh=rVgzy znZeJC&U7vjP2FnxY0>i!#}lzS@lYn68u8zy_-4gh6b}m5I?p{p#GuJ=6h-?6_(oK) z2fPtI@FI8@M#CBKpM$SP572js$aQe9aE<$1>sGI*opP=45l(xNS;V=W3>1~OM?Od= zdmrp4$kyxI?rqpvzv}C?6XO2Hdv3pL;|7AsrVCFB(6ByiFZmKkQ)N z;jNYR`Wf7hBaVH&q>xwXY71O#fvYV*EihZ7$%Z(oxK!|>rHP37YD*P*wI(HO`Xn92 z=Y{Ad`KI&MfRy<7SgY_x#T!&Qt%F3I{;w-bY0{6mHDZM`-${?9^PX(RZRvHwqH)Dn zDc+#?^@=m24U{BoM~HY$JR!B>cYyb(H!A#il_n*|$CS?Hrtb|A?_oKAEW5HknzF~| zM(W(23rcTN=~k5g|C`UT&YTXZetlN)A1VHd;%62Az2fgE?u@gev-1o7roO>k%FOw< z1X=^Z=C+*FS{`p{3j|vOTW_;)|K?yzTd*y-)fr-$?!hQ*cWY&Ecj0_(PxRnCVwSb9 zDvYmE`)V;$*1ksY_$#$vA!M36 zFF&n^Zs8R{NBdJ`!p9tVK;h1HxJ$-w6r-yAyngJH`11BVsN&2z;vbUs%lqXe;N|L7 zslK$QbkPk)od&5$uR$!=4rEa-{#ogI-LmoU2N`F1zh6-H{C$xsUYDe>e0*X6F5{HilJ=DfcoKNI`<)5kK72jtcx9>8-q~*VsrYn{K_t&u;GGheP|52-;QkWC zQXTW7FU%~zk8NbZBJ(MxCW^Q;mFocV@ot=A)p6-3Uh9RP{Ol%~cHDejWOd7bc zOU3A3FPb(+66wK6!ibvbOxB3x#>G%NIhKf-v1s7#En8d58yUm#RNRPUGLZvDEM;a6 z;QB9;j2Y2fGI;C&vZgHG_PwE9VI#b|3k9@F%W{biZWX(}ygRh3yAxKn z6nV)A2$#G@SU0R_de>fI?C5!*Bh+I&uzmZ!aIeuD>gWkm4)SVpD4Ua|7e;sQE~D5k zy}LT8ReB?XiI}|h)HJ@Uq#H_ky;%y$ThLO-h(#l2L|utGk{p+)#ne`HlUhV5!(}(A z&Sc8Tx>kj4$sH^DHJdg@BdI8=Vst+ME8N!_xooU(K})SbO$pb*Y*vMl_qFog*OAxG z{l;E3d^!`6Y*vmPG#K|CwIq+Pl6Dko79V9Pp2BDx6MRzj1Qp1@XSyx%^l4s7F=S>f$$zlV`RXDjySeR-3r=vw8;=Z`u3Ie%yUpHTiCDj=T+jw}BY3MYSRGpGMk zz^F~Ad_;Uc*Hwmm?zU2`va(D(kH_xM=Zi7rKS4$|@+q15QRsGmK8GwQe=aYFaO%%H z{P{c26?&Q*){!sA`=P_1&oxI?Mtm-3d)2J0ik~Qd&W86Z$CdxKf~6%m{a<$Y^Z&N| 
ze{So4@t=11^Lfgr3jU$P-`Rd|ARW6SIfuxU_s9JIuG8MBzXhLqn?Ik=8Yn2pY46nk z0vqaoHC+qmIRB^ge+RxacG;iLd;I_VECmPg_~!h1{2fD@J%9ecagizoVtY#~>Wu#b z33mU&`B7!ChaDAXKjw=Lf8ICmQT|*`4#R$|Ux7dv*Pr*B0~P$8@jNIzl|RS<6=#3v z_#;~)=JdZg=PeWXr4|nQkHk(6RmS1DW4Ak|3i?OYai2xvop`wZw3ZRkFfW(?n7V+Q Jas+qg{~zK+1IYjY From 8896febe90cbf9cf61e5ebf3835da8ce28c1c4c1 Mon Sep 17 00:00:00 2001 From: jeffball Date: Mon, 30 Jul 2018 23:19:02 -0400 Subject: [PATCH 4/5] Updated the linux example instructions in README.md to reflect the new paths to the example program binaries --- README.md | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index 1053c5c..403cc07 100644 --- a/README.md +++ b/README.md @@ -184,8 +184,7 @@ running it on a test program from our corpus. ``` # assuming that you're in the same directory as above ($WORKDIR/build) cd ../build/killerbeez/ -./fuzzer file return_code honggfuzz -n 20 \ - -sf /bin/bash -d '{"path":"../../killerbeez/corpus/test/test-linux","arguments":"@@"}' +./fuzzer file return_code honggfuzz -n 20 -sf /bin/bash -d '{"path":"corpus/test-linux","arguments":"@@"}' ``` If it ran correctly, you should see something like this: @@ -228,9 +227,7 @@ containing ./fuzzer. ``` # assuming that you're in the same directory as the above commands (%WORKDIR%/build) echo "ABC@" > test1 # ABC@ is one bit different than ABCD, the crashing input -./fuzzer file return_code honggfuzz -n 2000 \ - -sf ./test1 \ - -d '{"path":"../../killerbeez/corpus/test/test-linux","arguments":"@@"}' +./fuzzer file return_code honggfuzz -n 2000 -sf ./test1 -d '{"path":"corpus/test-linux","arguments":"@@"}' ``` Which should yield output similar to this: 
@@ -250,9 +247,9 @@ crash this target and reproduce the crash manually. ``` $ ls output/crashes/ 2B81D0C867F76051FD33D8690AA2AC68 5220E572A6F9DAAF522EF5C5698EAF4C 59F885D0289BE9A83E711C5E7CFCBE4D ED5D34C74E59D16BD6D5B3683DB655C3 -$ cat output/crashes/2B81D0C867F76051FD33D8690AA2AC68 ; echo +$ cat output/crashes/59F885D0289BE9A83E711C5E7CFCBE4D ; echo ABCDJ -$ ../../killerbeez/corpus/test/test-linux output/crashes/59F885D0289BE9A83E711C5E7CFCBE4D +$ corpus/test-linux output/crashes/59F885D0289BE9A83E711C5E7CFCBE4D Segmentation fault (core dumped) ``` From 66ed788174d658760ef625fae0f94b3adabb087b Mon Sep 17 00:00:00 2001 From: jeffball Date: Tue, 31 Jul 2018 16:21:10 -0400 Subject: [PATCH 5/5] Updated docs/README.md and made README.md a symlink to it --- README.md | 290 +------------------------------------------------ docs/README.md | 13 +-- 2 files changed, 6 insertions(+), 297 deletions(-) mode change 100644 => 120000 README.md diff --git a/README.md b/README.md deleted file mode 100644 index 403cc07..0000000 --- a/README.md +++ /dev/null 
@@ -1,289 +0,0 @@ -# Killerbeez -Killerbeez is a fuzzing framework which aims to bring together as many of -the awesome tools out there as possible into a standard format. The goal -is not just to get them to work with this project, but ideally each other -as well, which can be accomplished by writing things to a common API. As a -side effect, it means writing cross-platform tools should be easier as well -on account of encouraging clean interfaces which inherently discourages -spaghetti code. - -## Getting Started - -These instructions will get you a copy of Killerbeez up and running on your -local machine. We provide build instructions for Windows and Linux, and -probably-outdated binaries for Windows. Currently only the standalone -client is available, server coming soon! - -### Standalone Client - Windows - -#### Prerequisites - -To build Killerbeez on Windows you will need Microsoft Visual Studio 2017, -Cygwin, Radamsa, and DynamoRIO. Unless otherwise noted, all of the snippets -below use cmd.exe. - -#### Installation -1. Install [Visual Studio 2017 -Community](https://www.visualstudio.com/downloads/). Version 15.5.7 has -been tested to work with Killerbeez. Anything later should also work. -Earlier versions which support cmake will likely work but have not been -tested and may require slight changes to the build settings. - + The following workloads/components will be needed to build Killerbeez. -They can be added with the Visual Studio Installer. - 1. Desktop development with C++ - 2. Linux development with C++ - 3. Visual C++ tools for CMake - -2. Install [Cygwin](https://cygwin.com/install.html) (only required for -the radamsa mutator). - + Use `C:\cygwin64` as the installation directory. - + Make sure the packages `gcc-core`, `make`, `git`, and `wget` are being -installed. - + Add the Cygwin `bin/` (e.g. `C:\cygwin64\bin`) to your PATH environment -variable. - -3. 
Create a working directory to store all of the Killerbeez components, -for example `C:\killerbeez` - -``` -mkdir C:\killerbeez -set WORKDIR=C:/killerbeez -:: We'll use forward slashes for minimal escaping, Windows doesn't care -``` - -4. Build [Radamsa](https://gitlab.com/akihe/radamsa) (optional). - + Clone the Radamsa repository into %WORKDIR% from a Cygwin terminal and -build: - - ``` - cd /cydrive/c/killerbeez - git clone https://gitlab.com/akihe/radamsa.git - cd radamsa - make - ``` - -5. Install [DynamoRIO](http://dynamorio.org/). Use the [latest build -available](https://console.cloud.google.com/storage/browser/chromium-dynamorio/builds). -A direct link to the latest build as of 3/14/18 can be found -[here](https://storage.googleapis.com/chromium-dynamorio/builds/DynamoRIO-Windows-6.2.17295-0xa77808f.zip). - + Download the zip file and extract it so that the main directory (the -one containing bin32/ and bin64/ directories) is `%WORKDIR%/dynamorio` - + *Note:* The reason we have to use the latest build is that [commit -c575ad](https://github.com/DynamoRIO/dynamorio/commit/c575ad16f8943eb6946e8c875eb248d948390537) -is needed to support binaries built with VS 2017 on Windows 10. This commit -is not included in the 7.0.0-RC1 release. - -6. Download the Killerbeez source code - - ``` - cd %WORKDIR% - git clone https://github.com/grimm-co/killerbeez.git - git clone https://github.com/grimm-co/killerbeez-mutators.git - git clone https://github.com/grimm-co/killerbeez-utils.git - ``` - -7. Build Killerbeez - + Open the repository `killerbeez` within Visual Studio (File -> Open -> -CMake..) and build it using (CMake -> Build All). This should build the -fuzzer and its dependencies from the other repos. If successful, you'll -see an aggregate `build/` directory in the root of your working directory. -In it, the compiled executables and libraries from all three projects will -be found in folders named after the architecture (e.g. x64) and build type -(e.g. Debug). 
- + The fuzzer.exe executable can be found at -`%WORKDIR%/build/x64/Debug/killerbeez/fuzzer.exe` - -#### Binary Release -If you don't want to build the project from source, give the binary release -a try (though be warned it's likely to be out of date). The latest release -can be found [here](https://github.com/grimm-co/killerbeez/releases) and -has been tested with the following operating systems: - -| Windows Version| 64-Bit | 32-Bit | -| -------------- | ------------ | --------------- | -| Windows 7 | Not Working [1] | Not Working [1] | -| Windows 8 | Working | Experimental [2] | -| Windows 8.1 | Working | Experimental [2] | -| Windows 10 | Experimental [2] | Experimental [2] | - -You will also need to install the 2017 Microsoft Visual C++ -Redistributable. Please note that if you are running Killerbeez on a 64-bit -host, you will need to install both the 64-bit and the 32-bit versions of -the redistributable. -- [64-Bit Redistributable Download](https://aka.ms/vs/15/release/vc_redist.x64.exe) -- [32-Bit Redistributable Download](https://aka.ms/vs/15/release/vc_redist.x86.exe) - -[1] This is due to a compatibility problem with Windows 7 and DynamoRIO see -[this issue](https://github.com/DynamoRIO/dynamorio/issues/2658) for more -info. -[2] Experimental status means that most of the features are working as -expected, and a few are not. - -#### Quickstart and Examples - -Let's start by fuzzing a test program first, to keep things simple. -``` -REM Assuming you: set WORKDIR=C:/killerbeez -REM Note if using backslashes they need to be escaped to be proper JSON. - -cd %WORKDIR%/build/x64/Debug/killerbeez -fuzzer.exe file debug bit_flip -n 9 ^ - -sf "%WORKDIR%/killerbeez/corpus/test/inputs/close.txt" ^ - -d "{\"path\":\"%WORKDIR%/killerbeez/corpus/test/test.exe\",\"arguments\":\"@@\"}" -``` - -For the next example, download a small video file you would like to use as -a seed file and you can quickly fuzz Windows Media Player with the below -example command. 
Be sure to replace the seed file argument `-sf` with the -path to the video file you just downloaded. Note that because -`wmplayer.exe` is a 32-bit executable you'll either need to use the 32-bit -fuzzer.exe, or manually specify the path to the 32-bit `winafl.dll` with -the instrumentation's `winafl_dir` option. Additionally, the -`-target_offset` argument that is passed to the instrumentation will need -to be updated depending on your Windows version. In this case we are just -using the entry point of wmplayer.exe, below there is a table to use as -reference but it is best to verify the entry point of your binary. - -| WMP Version | Offset | -| --------------- | ------ | -| 12.0.7601 | 0x176D | -| 12.0.9200 | 0x1BAD | -| 12.0.9600 | 0x1F00 | -| 12.0.17134 | 0x1F20 | - -``` -fuzzer.exe wmp dynamorio nop -n 3 -sf "C:\Users\\Desktop\test.mp4" -d "{\"timeout\":20}" -i "{\"timeout\":5000,\"coverage_modules\":[\"wmp.DLL\"],\"target_path\":\"C:\\Program Files (x86)\\Windows Media Player\\wmplayer.exe\"}" -``` -You may need to modify these parameters to match your environment. In -order to speed up fuzzing, it may be useful to enable persistence mode. -See PersistenceMode.md for instructions. - -### Standalone Client - Linux -Clone the killerbeez, killerbeez-mutators and killerbeez-utils repos next -to each other. - -``` -WORKDIR=~/killerbeez -mkdir $WORKDIR -cd $WORKDIR -git clone https://github.com/grimm-co/killerbeez.git -git clone https://github.com/grimm-co/killerbeez-mutators.git -git clone https://github.com/grimm-co/killerbeez-utils.git -``` - -Make a build directory and compile the code. - -``` -mkdir build; cd build; cmake ../killerbeez; make -``` - -At this point everything should be compiled and you should be ready to -change into the right directory and run the fuzzer. Here's an example of -running it on a test program from our corpus. 
- -``` -# assuming that you're in the same directory as above ($WORKDIR/build) -cd ../build/killerbeez/ -./fuzzer file return_code honggfuzz -n 20 -sf /bin/bash -d '{"path":"corpus/test-linux","arguments":"@@"}' -``` - -If it ran correctly, you should see something like this: -``` -Thu Jul 19 09:40:46 2018 - INFO - Logging Started -Thu Jul 19 09:40:46 2018 - INFO - Ran 20 iterations in 0 seconds -``` - -In the example above, we're using the file driver, the return_code -instrumentation, and the honggfuzz mutator module. We are only going to do 20 -executions and our seed file is /bin/bash, because why not? - -The -d option are for the driver. We need to give it the path to our executable -and the command line arguments, which in our case is just the filename, -represented by "@@" here. - -We don't need to specify any options for the mutator nor the instrumentation, so -we won't. We are just relying on the default values. To see the options -available, you can use the help flag. Below are some examples. - -``` -./fuzzer -h -./fuzzer -h driver -``` - -Looking at the results in the "output" directory, we see that it didn't find -any crashes, hangs or new paths. At first glance, it might seem like it didn't -work. However, we were using the return_code instrumentation, which does not -actually track code coverage, so it can not determine the execution path, thus -it can't determine if a new path was hit. Instead, it just looks at the return -code to determine if the process crashed or not. It's very efficient, however -this is effectively dumb fuzzing. - -To see a crash, we can just change our seed file to be close to the file which -will cause a crash. It's cheating, but it works well to demonstrate the -importance of seed files as well as illustrating what the output of finding a -crash looks like. The following commands assume you are still in the directory -containing ./fuzzer. 
- -``` -# assuming that you're in the same directory as the above commands (%WORKDIR%/build) -echo "ABC@" > test1 # ABC@ is one bit different than ABCD, the crashing input -./fuzzer file return_code honggfuzz -n 2000 -sf ./test1 -d '{"path":"corpus/test-linux","arguments":"@@"}' -``` - -Which should yield output similar to this: - -``` -Thu Jul 19 12:03:11 2018 - INFO - Logging Started -Thu Jul 19 12:03:13 2018 - CRITICAL - Found crashes -Thu Jul 19 12:03:13 2018 - CRITICAL - Found crashes -Thu Jul 19 12:03:19 2018 - CRITICAL - Found crashes -Thu Jul 19 12:03:22 2018 - CRITICAL - Found crashes -Thu Jul 19 12:03:22 2018 - INFO - Ran 2000 iterations in 11 seconds -``` - -Looking in the output/crashes folder, we can see the inputs which were found to -crash this target and reproduce the crash manually. - -``` -$ ls output/crashes/ -2B81D0C867F76051FD33D8690AA2AC68 5220E572A6F9DAAF522EF5C5698EAF4C 59F885D0289BE9A83E711C5E7CFCBE4D ED5D34C74E59D16BD6D5B3683DB655C3 -$ cat output/crashes/59F885D0289BE9A83E711C5E7CFCBE4D ; echo -ABCDJ -$ corpus/test-linux output/crashes/59F885D0289BE9A83E711C5E7CFCBE4D -Segmentation fault (core dumped) -``` - -## Documentation -Documentation of the API can be found in the docs folder. It's written in -LaTeX which can be used to generate a PDF, HTML, or various other formats. -PDFs are also included so the documentation is easy to read for those who -do not have a LaTeX typesetting environment set up. - -## Troubleshooting -Q: The target program doesn't start -A: Windows Media Player won't automatically play media the first time is run. - There's a pop-up which requires you to configure some settings. Just run it - manually once and you should be good to go after that. - -Q: I'm getting an error about a pipe timing out -A: This is related to the instrumentation and the target taking too long to - start up. If running it again doesn't work, try increasing the "timeout" on - the -i argument and that should take care of it. 
- -## Still Having a Problem? - -Please create an issue on GitHub and we will address it as soon as possible. - -## Have questions? Wanna chat? - -Feel free to join the mailing list! Send a request to join to -`killerbeez-join@lists.grimm-co.com` then post your questions to -`killerbeez@lists.grimm-co.com`! We've also got #killerbeez on freenode, -but it's pretty quiet. - -## License - -This project is licensed under the UIUC License - see the -[LICENSE](LICENSE) file for details. Some parts of this project have been -included from other software and will be under different licenses, where -marked. diff --git a/README.md b/README.md new file mode 120000 index 0000000..0e01b43 --- /dev/null +++ b/README.md @@ -0,0 +1 @@ +docs/README.md \ No newline at end of file diff --git a/docs/README.md b/docs/README.md index ec6951b..bb8e64b 100644 --- a/docs/README.md +++ b/docs/README.md @@ -92,8 +92,7 @@ Here's an example of running it on a test program from our corpus. ``` # assuming that you're in the same directory as above ($WORKDIR/build) cd ../build/killerbeez/ -./fuzzer file return_code honggfuzz -n 20 \ - -sf /bin/bash -d '{"path":"../../killerbeez/corpus/test/test-linux","arguments":"@@"}' +./fuzzer file return_code honggfuzz -n 20 -sf /bin/bash -d '{"path":"corpus/test-linux","arguments":"@@"}' ``` If it ran correctly, you should see something like this: @@ -138,9 +137,7 @@ containing ./fuzzer. ``` # assuming that you're in the same directory as the above commands (%WORKDIR%/build) echo "ABC@" > test1 # ABC@ is one bit different than ABCD, the crashing input -./fuzzer file return_code honggfuzz -n 2000 \ - -sf ./test1 \ - -d '{"path":"../../killerbeez/corpus/test/test-linux","arguments":"@@"}' +./fuzzer file return_code honggfuzz -n 2000 -sf ./test1 -d '{"path":"corpus/test-linux","arguments":"@@"}' ``` Which should yield output similar to this: 
@@ -160,9 +157,9 @@ crash this target and reproduce the crash manually. ``` $ ls output/crashes/ 2B81D0C867F76051FD33D8690AA2AC68 5220E572A6F9DAAF522EF5C5698EAF4C 59F885D0289BE9A83E711C5E7CFCBE4D ED5D34C74E59D16BD6D5B3683DB655C3 -$ cat output/crashes/2B81D0C867F76051FD33D8690AA2AC68 ; echo -ABCDJ -$ ../../killerbeez/corpus/test/test-linux output/crashes/59F885D0289BE9A83E711C5E7CFCBE4D +$ cat output/crashes/59F885D0289BE9A83E711C5E7CFCBE4D ; echo +ABCD +$ corpus/test-linux output/crashes/59F885D0289BE9A83E711C5E7CFCBE4D Segmentation fault (core dumped) ```