This is a skeleton for fuzzing binary-only targets with LibAFL-qemu. It is based on the `qemu_launcher` example in LibAFL, extended with a custom EmulatorModule (hook) and custom feedback functionality.
You can download a prebuilt aarch64 rootfs from [Google Drive](https://drive.google.com/file/d/1K5Gb-S6vpLb6xmYicPKAvMJPtJ5J9xSN/view?usp=drive_link); extract it and put the `rootfs` directory in the current directory.
- Run `cargo make clean` to clean up all build artifacts.
- Run `cargo make aarch64` to build the fuzzer and target binaries.
Run the fuzzer:

```sh
RUST_LOG=info ./build/h1k0_qemu_launcher \
    --input ./corpus \
    --output ./output \
    --tui \
    --cores 0-2 --asan-cores 0 --cmplog-cores 1 --tokens ./build/tiff.dict -- \
    -L ./rootfs ./build/bin/tiffinfo -Dcjrsw ./corpus/minisblack-1c-16b.tiff
```

The same run with backtraces enabled and the clients' stdout/stderr redirected to files:

```sh
RUST_BACKTRACE=full RUST_LOG=info ./build/h1k0_qemu_launcher \
    --input ./corpus \
    --output ./output \
    --tui \
    --client-stdout-file ./stdout.txt --client-stderr-file ./stderr.txt \
    --cores 0-2 --asan-cores 0 --cmplog-cores 1 --tokens ./build/tiff.dict -- \
    -L ./rootfs ./build/bin/tiffinfo -Dcjrsw ./corpus/minisblack-1c-16b.tiff
```

To re-run a single input (for example a crash):

- Modify `Cargo.toml` and add `"simplemgr"` to `features`.
- Run the following command, replacing `<input>` with the path of the input to replay:

```sh
RUST_LOG=info ./build/h1k0_qemu_launcher \
    --input ./corpus \
    --output ./output \
    --log ./output/log.txt \
    --cores 0 --asan-cores 0 -r <input> -- \
    -L ./rootfs ./build/bin/tiffinfo -Dcjrsw <input>
```
Options:

- `--verbose`: Enable verbose output (prints the clients' stdout and stderr to the console; conflicts with `--client-stdout-file` and `--client-stderr-file`)
- `--client-stdout-file`: Redirect client stdout to a file (`/dev/null` is also a valid option)
- `--client-stderr-file`: Redirect client stderr to a file (`/dev/null` is also a valid option)
- `--log`: Redirect the fuzzer log to a file
- `--tui`: Enable TUI mode (no fuzzer log)
- `RUST_BACKTRACE=full`: Enable backtraces, useful for debugging client crashes
- `RUST_LOG=info`: Enable info-level logging
- Build with ASan: `ENABLE_ASAN=true cargo make x86_64`
- Run crashes for testing.
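The single-input mode above replays one file per invocation; the following script, added here as an example and not part of the skeleton, replays every file in a crash directory through that same `-r <input>` command and records which ones still reproduce. It assumes the `"simplemgr"` build, `./rootfs` and `./build/bin/tiffinfo` relative to the working directory, and treats a nonzero launcher exit status as "crash reproduced" (both the paths and that exit-status convention are assumptions, adjust them to your setup).

```shell
#!/bin/sh
# Added example (not part of the original skeleton): batch-replay crash
# inputs with the launcher's single-input mode (-r <input>).
# Assumptions: launcher built with the "simplemgr" feature, ./rootfs and
# ./build/bin/tiffinfo exist, nonzero exit status == crash reproduced.

# Replay one input; the fuzzer log goes to $3. Returns the launcher's
# exit status so the caller can classify the run.
replay_one() {
    launcher=$1; crash=$2; log=$3
    RUST_LOG=info "$launcher" \
        --input ./corpus --output ./output --log "$log" \
        --cores 0 --asan-cores 0 -r "$crash" -- \
        -L ./rootfs ./build/bin/tiffinfo -Dcjrsw "$crash"
}

# Replay every file in $2, keep per-input logs and console output in $3,
# list reproduced inputs in $3/reproduced.txt and print how many there were.
triage_crashes() {
    launcher=$1; crash_dir=$2; log_dir=$3
    mkdir -p "$log_dir"
    : > "$log_dir/reproduced.txt"
    count=0
    for crash in "$crash_dir"/*; do
        [ -f "$crash" ] || continue
        name=$(basename "$crash")
        if replay_one "$launcher" "$crash" "$log_dir/$name.log" \
                >"$log_dir/$name.out" 2>&1; then
            :   # ran to completion: not reproduced with this build
        else
            echo "$name" >> "$log_dir/reproduced.txt"
            count=$((count + 1))
        fi
    done
    echo "$count"
}
```

Example use: `triage_crashes ./build/h1k0_qemu_launcher ./output/crashes ./triage`, then inspect `./triage/reproduced.txt` and the matching `.out` and `.log` files.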