fdu-sec / NestFuzz

A structure-aware grey box fuzzer based on modeling the input processing logic.
Apache License 2.0
159 stars 12 forks

Dealing with external libraries #16

Open hgarrereyn opened 1 month ago

hgarrereyn commented 1 month ago

Hi, some of the targets I'm building require some third party libraries. For example, I'm trying to compile NestFuzz for the freetype2 benchmark (i.e. in fuzzbench) which is trying to compile libarchive and link against bzip2.

With the ipl-modeling compiler, it's throwing errors like this:

/usr/bin/ld: ./.libs/libarchive.a(archive_read_support_filter_bzip2.o): in function `bzip2_filter_read':
/src/libarchive-3.4.3/libarchive/archive_read_support_filter_bzip2.c:252: undefined reference to `dfs$BZ2_bzDecompressInit'
/usr/bin/ld: /src/libarchive-3.4.3/libarchive/archive_read_support_filter_bzip2.c:258: undefined reference to `dfs$BZ2_bzDecompressInit'
/usr/bin/ld: /src/libarchive-3.4.3/libarchive/archive_read_support_filter_bzip2.c:308: undefined reference to `dfs$BZ2_bzDecompress'
/usr/bin/ld: /src/libarchive-3.4.3/libarchive/archive_read_support_filter_bzip2.c:314: undefined reference to `dfs$BZ2_bzDecompressEnd'
/usr/bin/ld: ./.libs/libarchive.a(archive_read_support_filter_bzip2.o): in function `bzip2_filter_close':
/src/libarchive-3.4.3/libarchive/archive_read_support_filter_bzip2.c:354: undefined reference to `dfs$BZ2_bzDecompressEnd'

Which I believe is due to the fact that the system bzip2 library was compiled without the dataflow pass. I've seen this type of thing mentioned in some other issues.

I want to be able to build this target without separately recompiling bzip2 (or any other required dependencies).

What's the easiest way to just mark all of these external functions to be ignored in the dataflow pass? And/or is there a way to instrument them without a lot of extra work?

fdu-sec commented 1 month ago

Yes, this issue stems from DFSan (DataFlowSanitizer). To exclude specific functions from data flow tracking, you need to add them to the ABI list. For example:

fun:BZ2_bzDecompressInit=uninstrumented
fun:BZ2_bzDecompressInit=discard

NestFuzz includes a simple script to generate the ABI list: NestFuzz/ipl-modeling/tools/gen_library_abilist.sh. You can use it as follows:

NestFuzz/ipl-modeling/tools/gen_library_abilist.sh /lib/x86_64-linux-gnu/libbz2.so discard > abilist.txt
export ANGORA_TAINT_RULE_LIST=$(realpath abilist.txt)

After updating the ABI list, you need to recompile the target library using NestFuzz. To discard additional functions, simply append them to abilist.txt.
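The symbol-extraction step behind the reply's script, as an added example written for this issue (it is not NestFuzz's own gen_library_abilist.sh; the function names are mine): it reads nm -D output for a shared library and emits one uninstrumented line plus one discard line per exported function, so the linker no longer looks for a dfs$-prefixed wrapper.

```shell
#!/bin/sh
# Added example, not NestFuzz's gen_library_abilist.sh.
# Usage: ./gen_abilist.sh /lib/x86_64-linux-gnu/libbz2.so discard > abilist.txt

# Convert `nm -D` style output (read on stdin) into DFSan ABI list lines.
# Only defined code symbols (type T or W) are functions that DFSan would
# otherwise expect as dfs$NAME; data symbols (D, B) and undefined symbols
# (U) are skipped. Symbol versions such as NAME@@BZ_1.0 are stripped.
# $1 is the second attribute: "discard" (as in the reply) or "functional".
nm_to_abilist() {
    awk -v mode="$1" '
        NF == 3 && ($2 == "T" || $2 == "W") {
            sub(/@.*/, "", $3)          # drop @@VERSION suffix
            print "fun:" $3 "=uninstrumented"
            print "fun:" $3 "=" mode
        }'
}

# Run nm on a real library and pipe its dynamic symbol table through the filter.
gen_abilist() {
    lib="$1"
    mode="${2:-discard}"
    nm -D --defined-only "$lib" | nm_to_abilist "$mode"
}

# Only act when invoked with arguments, so sourcing the file is side-effect free.
if [ "$#" -ge 1 ]; then
    gen_abilist "$@"
fi
```

Each library the target links against (bzip2, zlib, lzma, ...) needs its own run, with the outputs concatenated into the single file that ANGORA_TAINT_RULE_LIST points to.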