cuhk-seclab / SelectFuzz

Apache License 2.0

Question about crash validation #7

Open Irene-ML opened 7 months ago

Irene-ML commented 7 months ago

Hi,

I have a question about how to validate the found crashes/vulnerabilities in SelectFuzz. Does the repo validate the vulnerabilities automatically (having scripts or code) or manually?

chluo1997 commented 7 months ago

You can run run.sh after the testing, this automatically generates ASAN error logs. You need to check the logs (e.g., the crash locations) to find whether the target vulnerabilities are triggered.

Irene-ML commented 3 months ago

I have copied select/fuzz/scripts/run.sh to libming-CVE-2016-9827/obj-aflgo and run run.sh under the new location. I saw many prints of "Killed". Does this mean the target program was "killed"?

The folder in ./asan contains many files, such as "1", "2", "17"... Taking file "17" as an example, it contains this: id:000015,2816160,sig:11,src:000021+000301,op:splice,rep:128. How can I tell if this found a vulnerability and what this vulnerability is?

chluo1997 commented 3 months ago

run.sh generates asan reports for each crash input.

We identify if we reproduce a target vulnerability based on its trace information. You can check the file id:000015,2816160,sig:11,src:000021+000301,op:splice,rep:128 to see the trace information.

steven-hh-ding commented 3 months ago

Thanks a lot for the prompt response.

The problem is that it seems like the asan logs are not generated. The run script simply copies the file name under the crash folder into the asan folder, then runs the fuzzing target with the crash input, but I don't see how it can save the asan reports.

/selectfuzz/scripts/fuzz/libming-CVE-2016-9827/obj-aflgo# tree asan
asan
├── 1
├── 10
├── 11
├── 12
├── 13
├── 14
├── 15
├── 16
├── 17
├── 18
├── 19
├── 2
├── 20
├── 3
├── 4
├── 5
├── 6
├── 7
├── 8
└── 9

0 directories, 20 files

/selectfuzz/scripts/fuzz/libming-CVE-2016-9827/obj-aflgo# cat asan/10
id:000008,1963818,sig:11,src:000018+000142,op:splice,rep:16

This is the run.sh file, not sure if we are looking at the same one:

#! /bin/sh
mkdir asan
# Rebuild the target with ASAN instrumentation (afl-clang-fast honours this variable).
export AFL_USE_ASAN=1
# ASAN writes its own report to asan/asan.log.<pid> for every run that trips a check.
export ASAN_OPTIONS="log_path=asan/asan.log"
make clean all

i=1
# Replay every crash input; asan/$i records which crash file run number $i used.
for file in `ls ./out/crashes/`
do
        echo "$file" > ./asan/$i
        i=$(($i+1));
        ./util/swftophp "./out/crashes/$file"
done

Typically the asan log should be generated from the stderr of ./util/swftophp ./out/crashes/$file, but even when I tried this command manually it didn't produce the stack trace. And this line doesn't seem to save the output.
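The two steps discussed in this thread, replaying each crash input under the ASAN-built target and then reading the trace information in the resulting reports to decide whether a target vulnerability was reproduced, can be scripted end to end. The following is an added example written for this thread; it is not SelectFuzz code and not from any participant. It assumes the target binary was built with AFL_USE_ASAN=1, that crash inputs live under out/crashes/, and that the "target" is expressed as (file, line) pairs taken from the CVE's patch or advisory; the sample ASAN report, function names and file names embedded below are constructed for illustration.

```python
"""Crash triage for directed fuzzing: replay crashes under ASAN, then check
whether the first stack trace in each report passes through a target location.
Added example; not part of SelectFuzz. Paths and sample data are constructed."""
import os
import re
import subprocess
from pathlib import Path

# An ASAN stack frame looks like:
#   "    #1 0x4b2c3d in parseSWF_DEFINEFONT /work/libming/util/parser.c:123:5"
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+(\S+?):(\d+)")
ERROR_RE = re.compile(r"ERROR: AddressSanitizer: ([A-Za-z0-9_-]+)")


def parse_asan_report(text):
    """Return (error_kind, [(func, file, line), ...]) for the first stack trace.

    Only the access stack is kept: collection stops at the first blank line after
    frames were seen, so the allocation/free stacks that follow are ignored."""
    kind, frames, in_stack = None, [], False
    for line in text.splitlines():
        if kind is None:
            m = ERROR_RE.search(line)
            if m:
                kind, in_stack = m.group(1), True
            continue
        if in_stack:
            m = FRAME_RE.match(line)
            if m:
                frames.append((m.group(2), os.path.basename(m.group(3)), int(m.group(4))))
            elif frames and not line.strip():
                break  # end of the first stack
    return kind, frames


def matches_target(frames, targets, depth=None):
    """True if any of the first `depth` frames hits a (file, line) pair in `targets`."""
    scope = frames if depth is None else frames[:depth]
    return any((f, l) in targets for _, f, l in scope)


def run_crashes(binary, crash_dir, asan_dir, timeout=10):
    """Replay each crash input. ASAN itself writes asan_dir/asan.log.<pid>; stderr is
    saved alongside so a crash without an ASAN report (plain abort, timeout) is kept."""
    Path(asan_dir).mkdir(exist_ok=True)
    env = dict(os.environ, ASAN_OPTIONS=f"log_path={asan_dir}/asan.log")
    for crash in sorted(Path(crash_dir).iterdir()):
        with open(Path(asan_dir) / f"{crash.name}.stderr", "wb") as err:
            try:
                subprocess.run([binary, str(crash)], env=env,
                               stdout=subprocess.DEVNULL, stderr=err, timeout=timeout)
            except subprocess.TimeoutExpired:
                err.write(b"TIMEOUT\n")


def triage_dir(asan_dir, targets):
    """Map each asan.log.<pid> file to (error_kind, hit_target)."""
    result = {}
    for path in sorted(Path(asan_dir).glob("asan.log.*")):
        kind, frames = parse_asan_report(path.read_text(errors="replace"))
        result[path.name] = (kind, matches_target(frames, targets))
    return result


# Constructed sample report (not real output from libming or SelectFuzz).
SAMPLE_REPORT = """\
==4242==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x4a1b2c T0)
==4242==The signal is caused by a READ memory access.
==4242==Hint: address points to the zero page.
    #0 0x4a1b2c in readBytes /work/libming/util/read.c:88:12
    #1 0x4b2c3d in parseSWF_DEFINEFONT /work/libming/util/parser.c:123:5
    #2 0x4c3d4e in blockParse /work/libming/util/blocktypes.c:40:9
    #3 0x4d4e5f in main /work/libming/util/swftophp.c:50:3

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /work/libming/util/read.c:88:12 in readBytes
==4242==ABORTING
"""

if __name__ == "__main__":
    kind, frames = parse_asan_report(SAMPLE_REPORT)
    target = {("parser.c", 123)}  # constructed target location
    print(kind, frames)
    print("target reproduced:", matches_target(frames, target))
```

In practice one would call run_crashes("./util/swftophp", "out/crashes", "asan") after make clean all, then triage_dir("asan", targets); a crash whose report is "SEGV" but whose first stack never reaches the target lines is a different bug, not a reproduction of the CVE. The depth argument lets you require the target frame within the top few frames, which filters out crashes that merely pass through the target function on the way to an unrelated fault.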