This repository contains several modified versions of AFL components which we utilize in our experiments on fixed (pre-generated) fuzzing input datasets:

- `afl-saveinputs` - dumps AFL-generated inputs and their sizes to file (for fixed input dataset experiments).
- `afl-testtrace` - evaluates any tracer's (e.g., QEMU, Dyninst) execution time on a fixed input dataset.
- `afl-cc` forkserver-only extension - inserts only a forkserver during AFL's assembly-time instrumentation (useful for benchmarking).
Presented in our paper *Full-speed Fuzzing: Reducing Fuzzing Overhead through Coverage-guided Tracing* (to appear in the 2019 IEEE Symposium on Security and Privacy).

Citing this repository:

```bibtex
@inproceedings{nagy:fullspeedfuzzing,
  title     = {Full-speed Fuzzing: Reducing Fuzzing Overhead through Coverage-guided Tracing},
  author    = {Stefan Nagy and Matthew Hicks},
  booktitle = {{IEEE} Symposium on Security and Privacy (Oakland)},
  year      = {2019},
}
```

Developer: Stefan Nagy ([email protected]) and Matthew Hicks ([email protected])

License: MIT License

Disclaimer: This software is strictly a research prototype.
Building AFL:

```sh
git clone https://github.com/FoRTE-Research/afl-fid
cd afl-fid
make all
```
Building QEMU mode:

```sh
sudo apt-get install libtool-bin libglib2.0-dev automake flex bison
cd afl-fid/qemu_mode_v1
sudo ./build_qemu_support.sh
chmod +x ../afl-qemu-trace
```
Note the following:

- The build may finish with an error even though `afl-qemu-trace` was built correctly. We recommend checking a few build status messages in the log to determine whether the build was successful.
- To run with the optimized QEMU (block chaining enabled), build from `qemu_mode_v2` instead. When running `afl-saveinputs` or `afl-testtrace`, replace `-Q` with `-QQ`.
`afl-saveinputs` is a modified version of `afl-fuzz` for dumping generated inputs to file. Usage is as follows:

```sh
afl-saveinputs -i [/path/to/seed_dir] -o [/path/to/out_dir] -e [time budget (# minutes)] [optional_args] -Q -- [/path/to/target] [target_args]
```

The input dump and the sizes file will be stored in `out_dir/_INPUT_DUMP` and `out_dir/_INPUT_SIZES`, respectively.

- Note: QEMU mode is recommended; otherwise dumps may grow explosively large (depending on fuzzing speed).
`afl-testtrace` is an `afl-fuzz` modification for logging each fuzzed input's tracing time. Given an input dump and the corresponding sizes file (produced by `afl-saveinputs`), it recreates each input and logs its execution time (function `run_target()` in `afl-fuzz`). Usage is as follows:

```sh
afl-testtrace -i [/path/to/input/data/dump] -s [/path/to/input/sizes/dump] -o [/path/to/outdir] -f [/path/to/outfile] -c [max execs | skip for full dump] -t [exec timeout | skip for default (100ms)] -- [/path/to/target] [target_args]
```

- Note: only non-position-independent target binaries are supported. Be sure to compile all target binaries with the `-no-pie` compiler flag (unnecessary for Clang).
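The two tools above share one on-disk dataset: a dump of concatenated inputs plus a sizes file. As an added example that is not part of this repository, the Python below splits such a dump back into individual inputs and summarizes the dataset, refusing to continue if the dump and sizes file disagree (a truncated dump or a stale sizes file would otherwise shift every later input). The layout it assumes (raw inputs back to back in `_INPUT_DUMP`, one decimal byte count per line in `_INPUT_SIZES`, same order) is an assumption, not something the README documents; the sample data is constructed, and the `id_NNNNNN` file naming in `write_inputs` is an arbitrary choice.

```python
"""Split an afl-saveinputs-style dump into individual inputs and summarize it.

ASSUMED layout (not documented by the project): _INPUT_DUMP is the raw bytes
of every generated input concatenated in order, and _INPUT_SIZES holds one
decimal byte count per line in the same order. Adjust parse_sizes() if the
real files differ.
"""
from pathlib import Path
from typing import Dict, List

# Constructed sample data standing in for out_dir/_INPUT_DUMP and out_dir/_INPUT_SIZES.
SAMPLE_DUMP = b"AAAA" + b"\x00\x01\x02" + b"hello\n"
SAMPLE_SIZES = "4\n3\n6\n"


def parse_sizes(sizes_text: str) -> List[int]:
    """One non-negative integer per non-empty line, in dump order."""
    sizes = []
    for lineno, line in enumerate(sizes_text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        n = int(line)
        if n < 0:
            raise ValueError(f"line {lineno}: negative size {n}")
        sizes.append(n)
    return sizes


def split_input_dump(dump: bytes, sizes_text: str) -> List[bytes]:
    """Cut `dump` into inputs according to the sizes file.

    Raises ValueError when the dump is shorter than the sizes claim
    (truncated write) or longer (stale sizes file), since either case would
    silently misalign every later input.
    """
    sizes = parse_sizes(sizes_text)
    inputs = []
    offset = 0
    for idx, n in enumerate(sizes):
        if offset + n > len(dump):
            raise ValueError(
                f"dump truncated: input {idx} needs bytes {offset}..{offset + n}, "
                f"dump has only {len(dump)}"
            )
        inputs.append(dump[offset:offset + n])
        offset += n
    if offset != len(dump):
        raise ValueError(f"{len(dump) - offset} trailing bytes not covered by sizes file")
    return inputs


def summarize(inputs: List[bytes]) -> Dict[str, float]:
    """Dataset statistics useful when sizing a fixed-input experiment."""
    total = sum(len(b) for b in inputs)
    return {
        "count": len(inputs),
        "total_bytes": total,
        "max_bytes": max((len(b) for b in inputs), default=0),
        "mean_bytes": total / len(inputs) if inputs else 0.0,
    }


def load_dataset(out_dir: str) -> List[bytes]:
    """Read out_dir/_INPUT_DUMP and out_dir/_INPUT_SIZES and split them."""
    base = Path(out_dir)
    dump = (base / "_INPUT_DUMP").read_bytes()
    sizes_text = (base / "_INPUT_SIZES").read_text()
    return split_input_dump(dump, sizes_text)


def write_inputs(inputs: List[bytes], dest_dir: str) -> List[Path]:
    """Materialize each input as dest_dir/id_NNNNNN (naming is our choice) so
    any tracer can be run over the fixed dataset file by file."""
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    paths = []
    for idx, data in enumerate(inputs):
        p = dest / f"id_{idx:06d}"
        p.write_bytes(data)
        paths.append(p)
    return paths


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        inputs = load_dataset(sys.argv[1])  # path to an afl-saveinputs out_dir
    else:
        inputs = split_input_dump(SAMPLE_DUMP, SAMPLE_SIZES)
    print(summarize(inputs))
```

Run it with the `out_dir` given to `afl-saveinputs` as the only argument to get the input count and byte totals before committing to a long `afl-testtrace` run; with no argument it exercises the constructed sample.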
We extend the `afl-cc` assembly-time instrumentation with a forkserver-only instrumentation mode for use in benchmarking experiments. To invoke this mode, simply append `-Wa,-F` to your `afl-cc` (e.g., `afl-gcc`, `afl-clang`) compiler flags and compile as usual. Example:

```sh
./configure --disable-shared CC=afl-clang CXX=afl-clang++ CFLAGS="-g -O2 -no-pie -Wa,-F" CXXFLAGS="-g -O2 -no-pie -Wa,-F"
make all
```