Binary code-coverage fuzzer for macOS, based on libFuzzer and LLVM

ManuFuzzer is an LLVM-based binary, coverage-guided fuzzing framework similar. It is simple to integrate coverage-guided fuzzing with ManuFuzzer: just define a special function, update some build flags, and you have instant binary-only, coverage-guided fuzzing (only basic-block coverage). Using ManuFuzzer, you can instrument one or more selected frameworks for coverage and fuzz the target functions/library.

ManuFuzzer makes use of custom breakpoint handler. When you select a module to instrument, ManuFuzzer replaces the branch instructions with breakpoint instruction at each and every basic-block by disassembling the module runtime using LLVM MC and stores the original bytes in a shadow memory mapping, whose address is fixed and can be computed from any address of the modified library and executes the program. Everytime any breakpoint gets hit, ManuFuzzer updates the coverage for the basic-block using custom breakpoint handler setup for SIGTRAP, deletes the breakpoint and resumes execution.

ManuFuzzer is dependent on LLVM MC for disassembly and LLVM libFuzzer for fuzzing. ManuFuzzer patches LLVM-MC to increase the speed and evaluate an instruction type. ManuFuzzer pulls LLVM version 12.0.1-rc3 from https://github.com/llvm/llvm-project and applies llvm_ManuFuzzer.patch to LLVM MC and libFuzzer.

➜ git clone https://github.com/ant4g0nist/ManuFuzzer

To compile with debug logs:

➜ cd ManuFuzzer
➜ make
➜ make install

To compile without debug logs, pass FUZZ=1 in env:

➜ cd ManuFuzzer
➜ FUZZ=1 make
➜ make install

For examples, let's try fuzzing CGFontCreateWithDataProvider function from CoreGraphics. This seems to be an easy target to reach.

ManuFuzzer exports 4 functions we need to use in our harness.

void installHandlers(void);
void libFuzzerCleanUp(void);
int instrumentMe(const char * module);
int libFuzzerStart(int argc, char **argv, UserCallback LLVMFuzzerTestOneInput);

• instrumentMe(const char * module) function is used to instrument a target module.
• installHandlers function installs the breakpoint handler required by ManuFuzzer to handle breakpoints.
• libFuzzerStart is the main entry point to libFuzzer that takes argc, argv and a function LLVMFuzzerTestOneInput with signature LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
• libFuzzerCleanUp just cleans up the mallocs.

These functions can be used in our harness as shown here:

#include <string.h>
#include <unistd.h>
#include <dlfcn.h>
#import <Foundation/Foundation.h>
#import <CoreGraphics/CoreGraphics.h>

#include "libManuFuzzer.h"

extern uint16_t previousLoc;

void LLVMFuzzerInitialize(int *argc, char ***argv) {
    installHandlers();

    instrumentMe("/System/Library/Frameworks/ImageIO.framework/Versions/A/ImageIO");
    instrumentMe("/System/Library/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics");
    instrumentMe("/System/Library/Frameworks/CoreText.framework/Versions/A/CoreText");
    instrumentMe("/System/Library/PrivateFrameworks/FontServices.framework/libFontParser.dylib");
}

int LLVMFuzzerTestOneInput(const uint8_t *fuzz_buff, size_t size)
{
    previousLoc = 0;

    NSData *inData = [[NSData alloc] initWithBytes:fuzz_buff length:size];
    CFErrorRef error;
    
    CGDataProviderRef provider = CGDataProviderCreateWithCFData((__bridge CFDataRef)inData);
    
    CGFontRef font = CGFontCreateWithDataProvider(provider);
    
    if (font)
        CFRelease(font);
 
    CFRelease(provider);

    [inData release];

    return 0;
}

int main(int argc, char* argv[])
{
    LLVMFuzzerInitialize(&argc, &argv);
    libFuzzerStart(argc, argv, LLVMFuzzerTestOneInput);
    libFuzzerCleanUp();

    return 0;
}

Makefile to compile above sample code:

example.o: examples/main.mm
	SDKROOT=$(SDKROOT) $(CXX) -c -o bin/$@ examples/main.mm
	
example: example.o
	SDKROOT=$(SDKROOT) $(CXX) $(FUZZ_EXAMPLE_CFLAGS) ./bin/example.o -o bin/example
	rm bin/*.o

To compile the example:

➜ make example

• replace Capstone with LLVM MC
• make support for macOS on M1 public
• make support for macOS on Intel public
• clean the setup
• test, test and tesssttt
• fuzz, fuzzzz and more fuzzzzz

let me know if you have found any vulnerabilities using this and will add it here :)

• @r3dsm0k3
• Samuel Groß
• Madhu