
Question: how to use this with AFL? #24

@4br3mm0rd

Hi,

Sorry for this question which may sound stupid. I have been reading the code of this project for quite a while, and I am starting to understand it.

However, I would like to implement this on my computer for fuzzing with AFL, and it is not clear how I should do it...

From what I understand, if I want to try and run an example against curl, I just need to run the generate_corpus.py script, and then run the file against ./curl_fuzzer, which will write the file into curl's socket, instead of letting it go look over the network. However, with AFL, I do not see any quick way to do all this process with the semi-randomly generated files from the AFL program.

Can you please help me with this?

Thank you!


cmeister2 (Collaborator) commented on Feb 19, 2019

Hi @4br3mm0rd!

In general this isn't natively set up for AFL. This uses libfuzzer to do all the bits it needs to do. We support compiling against a LIB_FUZZING_ENGINE as the interface to oss-fuzz.

In practice the oss-fuzz service provided by Google manages to do this with AFL, so I would suggest looking at https://github.com/google/oss-fuzz/blob/master/infra/base-images/base-builder/compile_afl to see if that helps.

geeknik commented on Aug 21, 2019

Compiling the curl fuzzer suite with AFL is actually pretty easy. (@bagder @cmeister2)

  1. Run this bash script:

```bash
#! /bin/bash
# Copyright 2019 Google Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
################################################################################

set -e
CC=${CC:-clang}
CXX=${CXX:-clang++}

# Make sure we don't clobber anything in the current directory.
mkdir -p afl-build
cd afl-build

# Download AFL from Chromium repo (official download doesn't offer SSL)
declare -a afl_sources=(
  "afl-fuzz.c"
  "afl-showmap.c"
  "config.h"
  "types.h"
  "debug.h"
  "alloc-inl.h"
  "hash.h"
  "Makefile"
)
for source_file in "${afl_sources[@]}"
do
  curl -O "https://cs.chromium.org/codesearch/f/chromium/src/third_party/afl/src/$source_file"
done
make afl-fuzz afl-showmap

# Build AFL runtime sources needed to link against the fuzz target.
mkdir -p llvm_mode
curl "https://cs.chromium.org/codesearch/f/chromium/src/third_party/afl/src/llvm_mode/afl-llvm-rt.o.c" > "llvm_mode/afl-llvm-rt.o.c"
$CC -c llvm_mode/afl-llvm-rt.o.c -Wno-pointer-sign -O3
curl -O "https://cs.chromium.org/codesearch/f/chromium/src/third_party/libFuzzer/src/afl/afl_driver.cpp"
$CXX -c afl_driver.cpp -fsanitize=address -O3
ar r FuzzingEngine.a afl-llvm-rt.o.o afl_driver.o

mv FuzzingEngine.a afl-fuzz afl-showmap ../
echo "Success: link fuzz target against FuzzingEngine.a!"
```

  2. Open up mainline.sh and add on line #38:
    export LIB_FUZZING_ENGINE=/path/to/FuzzingEngine.a <-- we built this in step 1.

  3. Run mainline.sh (make sure clang and clang++ are in your path)

  4. Execute curl fuzzer program like so:
    afl-fuzz -m none -i input_dir -o output_dir -- ./curl-fuzzer

  5. Profit. (Maybe)

WTXCKAi commented on Oct 10, 2019

Hello~ Thanks for your approach! I implemented this on my computer and compiled curl-fuzzer successfully. But when I run those fuzzers with the afl-fuzz command, I see "last new path : none yet (odd, check syntax!)" on the AFL UI. It looks like some problem with curl-fuzzer. Can you please help me with this?
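A pre-flight check for the build produced by geeknik's steps, added here as an example and not code from the thread or from curl-fuzzer: it verifies that FuzzingEngine.a holds the two objects the script archives and that the linked target embeds the `__AFL_SHM_ID` marker the AFL runtime uses to find its shared-memory coverage map (afl-fuzz searches the binary for the same string and aborts with "No instrumentation detected" when it is missing). The default paths `./FuzzingEngine.a` and `./curl_fuzzer` are assumptions; pass your own as arguments.

```shell
#!/bin/sh
# Added example (not from curl-fuzzer or this thread): sanity-check the
# AFL build before running afl-fuzz (step 4 above).
#   1. FuzzingEngine.a must list afl-llvm-rt.o.o and afl_driver.o, the two
#      objects the build script puts into it with `ar r`.
#   2. The target binary must contain "__AFL_SHM_ID", the environment
#      variable name compiled into afl-llvm-rt.o; afl-fuzz looks for the
#      same string and refuses to start when it is absent.
# Default paths below are assumptions, not curl-fuzzer's own layout.

# Returns 0 when the archive lists both AFL objects, 1 otherwise
# (also 1 when the file is missing or `ar` is not installed).
check_engine_archive() {
  archive="$1"
  listing=$(ar t "$archive" 2>/dev/null) || return 1
  printf '%s\n' "$listing" | grep -qx 'afl-llvm-rt.o.o' || return 1
  printf '%s\n' "$listing" | grep -qx 'afl_driver.o' || return 1
  return 0
}

# Returns 0 when the target embeds the AFL shared-memory marker string.
# -a makes grep scan the ELF file as text so its string tables are searched.
afl_runtime_linked() {
  [ -r "$1" ] || return 1
  grep -aq '__AFL_SHM_ID' "$1"
}

# Human-readable report; exit status is 0 only when both checks pass.
report_afl_build() {
  engine="${1:-./FuzzingEngine.a}"
  target="${2:-./curl_fuzzer}"
  status=0
  if check_engine_archive "$engine"; then
    echo "ok: $engine contains afl-llvm-rt.o.o and afl_driver.o"
  else
    echo "FAIL: $engine lacks the AFL runtime/driver objects"; status=1
  fi
  if afl_runtime_linked "$target"; then
    echo "ok: $target links the AFL runtime (__AFL_SHM_ID present)"
  else
    echo "FAIL: $target has no AFL runtime; check LIB_FUZZING_ENGINE"; status=1
  fi
  return $status
}

# Only run the report when paths are given explicitly, e.g.
#   sh check_afl_build.sh ./FuzzingEngine.a ./curl_fuzzer
[ $# -eq 0 ] || report_afl_build "$@"
```

Run it from the directory where mainline.sh left the fuzzer binary; a FAIL on the second check means the engine archive was not linked in, which is worth ruling out before looking for bugs in the harness itself.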

          Question: how to use this with AFL? · Issue #24 · curl/curl-fuzzer