bajinsheng / sgfuzz
License: Apache License 2.0
Hi, I've been interested in this work. To extend it, I tried to use it to fuzz older versions of OpenSSL, like openssl 1.1.0 and 1.0.1.
But I found that the coverage begins at 20+ and after one day of fuzzing it only came to 40+, while the coverage when fuzzing 3.0.0 and 1.1.1 begins at 4000+.
I tried to modify the compilation options and other approaches, but I couldn't fix this trouble. So I'm writing this issue to see if you've encountered this kind of problem and know what's wrong with it.
I'm trying to capture the requests and responses from the fuzzing target while I am running SGFuzz. I tried using Wireshark but it seems like I was wrong. How can I do this?
Hi,
I appreciate your work, and I have tried to reproduce the result of fuzzing DCMTK, but I met some trouble while running your fuzzer:
After successfully building the fuzzer, I tried to run it with the following command:
./dcmqrscp -close_fd_mask=3 -detect_leaks=0 -ignore_ooms=1 -ignore_timeouts=1 ../../../in-dicom-origin/ -- --single-process
It exited normally with some output like this, but without continuing to fuzz:
INFO: Seed: 1601392419
INFO: Loaded 1 modules (59454 inline 8-bit counters): 59454 [0xdf7c40, 0xe0647e),
INFO: Loaded 1 PC tables (59454 PCs): 59454 [0xe06480,0xeee860),
INFO: 11 files found in ../../../in-dicom-origin/
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 17755 bytes
INFO: seed corpus: files: 11 min: 301b max: 17755b total: 86977b rss: 44Mb
#12 INITED cov: 875 ft: 1238 corp: 10/84Kb exec/s: 0 rss: 49Mb states: 242 leaves: 9
#13 NEW cov: 875 ft: 1243 corp: 11/101Kb lim: 17755 exec/s: 0 rss: 50Mb states: 242 leaves: 9 L: 17755/17755 MS: 1 CMP- DE: "\xfe\xff\xff\xff"-
(exited normally)
So I attached gdb and set a breakpoint at HonggfuzzNetDriver_main. The fuzzer continued running and produced the following threads:
(gdb) info threads
Id Target Id Frame
* 1 Thread 0x7f9530707800 (LWP 200361) "dcmqrscp" fuzzer::FuzzerDriver (argc=<optimized out>, argv=<optimized out>, Callback=<optimized out>) at ./FuzzerDriver.cpp:823
2 Thread 0x7f952b8ff700 (LWP 201238) "dcmqrscp" 0x00007f952ef2484d in poll () at ../sysdeps/unix/syscall-template.S:84
3 Thread 0x7f95293c4700 (LWP 203222) "dcmqrscp" 0x00007f952eef538d in nanosleep () at ../sysdeps/unix/syscall-template.S:84
When stopped at /sfuzzer-evaluate/FuzzerDriver.cpp
906 F->Loop(CorporaFiles);
it output:
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 17755 bytes
INFO: seed corpus: files: 11 min: 301b max: 17755b total: 86977b rss: 55Mb
#2 pulse ft: 760 exec/s: 0 rss: 55Mb states: 70 leaves: 3
#4 pulse cov: 784 ft: 885 corp: 2/602b exec/s: 0 rss: 55Mb states: 120 leaves: 5
#8 pulse cov: 846 ft: 1064 corp: 5/12059b exec/s: 0 rss: 55Mb states: 179 leaves: 7
#12 INITED cov: 875 ft: 1232 corp: 9/74Kb exec/s: 0 rss: 55Mb states: 242 leaves: 9
and gdb reported the threads exiting:
[Thread 0x7f95293c4700 (LWP 203222) exited] // syscall-template.S:84
[Thread 0x7f9530707800 (LWP 200361) exited] // FuzzerDriver.cpp:823
and then [Inferior 1 (process 200361) exited normally].
I added a breakpoint at F->Loop(CorporaFiles); and stepped into it. At ReadAndExecuteSeedCorpora(CorporaFiles); (./FuzzerLoop.cpp:905) it output:
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 17755 bytes
INFO: seed corpus: files: 17 min: 301b max: 17755b total: 151635b rss: 44Mb
#2 pulse ft: 736 exec/s: 0 rss: 45Mb states: 70 leaves: 3
#4 pulse cov: 784 ft: 839 corp: 2/602b exec/s: 0 rss: 46Mb states: 112 leaves: 5
#8 pulse cov: 865 ft: 990 corp: 5/1807b exec/s: 0 rss: 46Mb states: 127 leaves: 6
#16 pulse cov: 926 ft: 1356 corp: 11/84Kb exec/s: 0 rss: 50Mb states: 249 leaves: 10
#18 INITED cov: 926 ft: 1365 corp: 13/119Kb exec/s: 0 rss: 51Mb states: 249 leaves: 10
(I gave 4 initial seeds)
and it exited at Min(MaxMutationLen, Max(size_t(4), Corpus.MaxInputSize())); (line 912). Stepping in, at
(FuzzerCorpus.h: 191~196):
size_t MaxInputSize() const {
  size_t Res = 0;
  for (auto II : Inputs)
    Res = std::max(Res, II->U.size());
  return Res;
}
current backtrace:
#0 0x00000000009d881b in fuzzer::InputCorpus::MaxInputSize (this=<optimized out>)
#1 fuzzer::Fuzzer::Loop (this=<optimized out>, CorporaFiles=...) at ./FuzzerLoop.cpp:912
#2 0x00000000009c4ed4 in fuzzer::FuzzerDriver (argc=<optimized out>, argv=<optimized out>, Callback=<optimized out>)
at ./FuzzerDriver.cpp:906
#3 0x00000000009bf7f3 in main (argc=1699954145, argv=<error reading variable: Cannot access memory at address 0x0>)
at ./FuzzerMain.cpp:20
Setting a breakpoint at ./FuzzerCorpus.h:194 and continuing, it hit this breakpoint a few times and exited normally:
Thread 1 "dcmqrscp" hit Breakpoint 5, fuzzer::InputCorpus::MaxInputSize (this=<optimized out>) at ./FuzzerCorpus.h:194
194 Res = std::max(Res, II->U.size());
(gdb)
Continuing.
Thread 1 "dcmqrscp" hit Breakpoint 5, fuzzer::InputCorpus::MaxInputSize (this=<optimized out>) at ./FuzzerCorpus.h:194
194 Res = std::max(Res, II->U.size());
(gdb)
Continuing.
[Thread 0x7f2f602c4700 (LWP 231525) exited]
[Thread 0x7f2f627ff700 (LWP 231524) exited]
[Inferior 1 (process 231464) exited normally]
And when I only add a breakpoint at NewCov = RunOne(CurrentUnitData, Size, /*MayDeleteFile=*/true, &II,
(./FuzzerLoop.cpp:770)
gdb sometimes catches the following error:
Thread 2 "dcmqrscp" received signal SIGPIPE, Broken pipe.
[Switching to Thread 0x7f32a49ff700 (LWP 243876)]
0x00007f32a8fc44bd in write () at ../sysdeps/unix/syscall-template.S:84
84 ../sysdeps/unix/syscall-template.S: No such file or directory.
The breakpoint was hit a few times and the fuzzer exited again.
So why did the fuzzer exit normally without continuing fuzzing?
And one more question: does sgfuzz send all requests in a seed over one connection without receiving any response messages?
I'm trying to apply SGFuzz to other targets like mbedtls.
The main commands are as follows:
sed -i "s/ main/ HonggfuzzNetDriver_main/g" '/SGFuzz-evaluation/SGFuzz/mbedtls/programs/ssl/ssl_server2.c'
make CC=clang-10 CXX=clang++-10 CFLAGS="-fsanitize=fuzzer-no-link -fsanitize=address" -lsFuzzer -lhfnetdriver -lhfcommon
During the link stage, an error occurs:
CC ssl/ssl_server2.c
/usr/bin/../lib/gcc/x86_64-linux-gnu/7.5.0/../../../x86_64-linux-gnu/crt1.o: In function ‘_start’:
(.text+0x20): undefined reference to ‘main’
clang: error: linker command failed with exit code 1 (use -v to see invocation)
Makefile:359: recipe for target 'ssl/ssl_server2' failed
make[1]: *** [ssl/ssl_server2] Error 1
Makefile:15: recipe for target 'programs' failed
make: *** [programs] Error 2
Hi,
I am interested in this work, and I have tried to use it to fuzz live555, but I met some trouble.
First, I changed the testOnDemandRTSP.cpp main function, like:
sed -i "s/ main/ HonggfuzzNetDriver_main/g" testProgs/testOnDemandRTSPServer.cpp
Then I built the project with -fsanitize=fuzzer-no-link -fsanitize=address.
Finally, the compilation fails at the final link stage. I added "-lsFuzzer -lhfnetdriver -lhfcommon" like the openssl example in your project, but I still fail, just like:
I have already changed main to HonggfuzzNetDriver_main, so I am really confused.
Can you help me or provide your operation process?
Hi, I am interested in your work, but I am confused about how to extract the state machine from the STT?
➜ openssl git:(c74188e86c) ✗ clang++-10 -fsanitize=fuzzer-no-link -fsanitize=address -lsFuzzer -lhfnetdriver -lhfcommon
-pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O3 -L.
-o apps/openssl
apps/lib/openssl-bin-cmp_mock_srv.o
apps/openssl-bin-asn1parse.o apps/openssl-bin-ca.o
apps/openssl-bin-ciphers.o apps/openssl-bin-cmp.o
apps/openssl-bin-cms.o apps/openssl-bin-crl.o
apps/openssl-bin-crl2pkcs7.o apps/openssl-bin-dgst.o
apps/openssl-bin-dhparam.o apps/openssl-bin-dsa.o
apps/openssl-bin-dsaparam.o apps/openssl-bin-ec.o
apps/openssl-bin-ecparam.o apps/openssl-bin-enc.o
apps/openssl-bin-engine.o apps/openssl-bin-errstr.o
apps/openssl-bin-fipsinstall.o apps/openssl-bin-gendsa.o
apps/openssl-bin-genpkey.o apps/openssl-bin-genrsa.o
apps/openssl-bin-info.o apps/openssl-bin-kdf.o
apps/openssl-bin-list.o apps/openssl-bin-mac.o
apps/openssl-bin-nseq.o apps/openssl-bin-ocsp.o
apps/openssl-bin-openssl.o apps/openssl-bin-passwd.o
apps/openssl-bin-pkcs12.o apps/openssl-bin-pkcs7.o
apps/openssl-bin-pkcs8.o apps/openssl-bin-pkey.o
apps/openssl-bin-pkeyparam.o apps/openssl-bin-pkeyutl.o
apps/openssl-bin-prime.o apps/openssl-bin-progs.o
apps/openssl-bin-rand.o apps/openssl-bin-rehash.o
apps/openssl-bin-req.o apps/openssl-bin-rsa.o
apps/openssl-bin-rsautl.o apps/openssl-bin-s_client.o
apps/openssl-bin-s_server.o apps/openssl-bin-s_time.o
apps/openssl-bin-sess_id.o apps/openssl-bin-smime.o
apps/openssl-bin-speed.o apps/openssl-bin-spkac.o
apps/openssl-bin-srp.o apps/openssl-bin-storeutl.o
apps/openssl-bin-ts.o apps/openssl-bin-verify.o
apps/openssl-bin-version.o apps/openssl-bin-x509.o
apps/libapps.a -lssl -lcrypto -ldl -pthread
/usr/bin/ld: cannot find -lsFuzzer
clang: error: linker command failed with exit code 1 (use -v to see invocation)
It says it cannot find -lsFuzzer; how can I overcome this?
How can I reproduce the results from SGFuzzer on H2O protocol implementation?
I'm working on the effect of the corpus on fuzzers' code & state coverage, and I performed experiments on SGFUZZ fuzzing live555 and openssl:
Each protocol implementation is provided with 2 types of corpus:
I counted state coverage by SGFUZZ's STT leaf node number over time and code coverage by SGFUZZ's TPC coverage.
(openssl) (live555; the fuzzer stopped at the inflection point of the line due to memory exhaustion)
It seemed strange that the scattered corpus had more states found than the original one. I don't understand the reason.
Could you give me some explanation of the phenomenon? Is it ok to calculate code coverage by TPC coverage and state coverage by the STT's leaf number? (In your paper, you said you calculate state coverage by paths in the STTs, and I think paths in STTs should be equal to the number of leaves of the multi-forked trees.)
I've studied this project on OpenSSL. It's cool that it can cover so many states. However, I found that it cannot fuzz DTLS over OpenSSL. Is there a way to achieve that?
Hi, I found a path editing error.
https://github.com/bajinsheng/SGFuzz/tree/master/example/openssl#9-run-the-target
You need to adjust the path
cd experiment/openssl-sfuzzer &&..
to
cd experiments/openssl-sfuzzer &&..
Best wishes.