google / honggfuzz

Security oriented software fuzzer. Supports evolutionary, feedback-driven fuzzing based on code coverage (SW and HW based)
https://honggfuzz.dev
Apache License 2.0
3.04k stars 511 forks

PROBLEM CMDLINEPARSE #323

Closed Vilumbre closed 4 years ago

Vilumbre commented 4 years ago

Hello. I'm new to fuzzing. I downloaded a new version of Chromium with gsutil; this is the manifest: name='84.0.4135.0' version= ==== file name= chrome_elf.dll. My question: I am implementing the usage code badly. I was looking at this page: https://webassembly-security.com/fuzzing-wasm-javascript-dharma-chrome-v8/ and I want to use honggfuzz to search for vulnerabilities or bugs in Chrome or Chromium, it doesn't matter which. I understand that a "d8" binary is needed, but I don't know how to use it with what I downloaded. I want to test bugs or create a remote code execution for HTML, or find a bug to exploit. I also want to know how to create this "d8" binary. I created the Dharma grammars and ran it like this:

```
honggfuzz -t 5 -n 4 -i /home/myuser/fuzzing/example_wasm_api.js/ -- ./home/demian/asan1/chrome.exe FILE
[2020-05-03T06:43:44-0300][E][1813] cmdlineParse():783 Your fuzzed binary './home/demian/asan1/chrome.exe' doesn't seem to exist
[2020-05-03T06:43:44-0300][F][1813] main():327 Parsing of the cmd-line arguments failed
```

I need a "d8", or a binary, or a way to create a binary. I saw several tutorials but none of them works. My English is poor, sorry; I'm writing it this way because otherwise it takes me too long to explain things. There, in a picture, it says ./asan-linux-release-702759/d8 FILE but I can't find it, and I don't know how to create this d8 binary file.
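The cmdlineParse() error quoted above is honggfuzz refusing to start because the target path does not resolve to an executable file. The script below is an added example (not honggfuzz's own code, nor from the author of the linked blog post): it reproduces that pre-flight check in a shell function, adds a hint for the specific mistake visible in the command line (a leading "./" turns "/home/..." into a path relative to the current directory), and wraps the launch so honggfuzz is only invoked once the target and corpus exist. The function names check_fuzz_target and run_fuzz are assumptions; `___FILE___` is honggfuzz's real placeholder for the input file, and honggfuzz is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not part of honggfuzz: emulate the check that honggfuzz's
# cmdlineParse() performs on the fuzzed binary, and explain the most common
# cause of failure, a relative path that was meant to be absolute.
#
# Usage: check_fuzz_target PATH   -> exit 0 if usable, 1 otherwise
check_fuzz_target() {
    target="$1"
    if [ -f "$target" ] && [ -x "$target" ]; then
        echo "ok: $target"
        return 0
    fi
    echo "error: fuzzed binary '$target' doesn't seem to exist" >&2
    case "$target" in
        ./home/*|./usr/*|./opt/*)
            # "./home/x" is relative to $PWD; the user almost certainly meant "/home/x".
            echo "hint: did you mean '${target#.}'?" >&2
            ;;
    esac
    return 1
}

# Wrapper (assumed name): launch honggfuzz only when target and corpus exist.
# Extra arguments after the target are passed through to the fuzzed program.
run_fuzz() {
    corpus="$1"; shift
    target="$1"; shift
    check_fuzz_target "$target" || return 1
    if [ ! -d "$corpus" ]; then
        echo "error: corpus directory '$corpus' does not exist" >&2
        return 1
    fi
    # ___FILE___ is replaced by honggfuzz with the path of each mutated input.
    honggfuzz -t 5 -n 4 -i "$corpus" -- "$target" ___FILE___ "$@"
}
```

With this wrapper the command from the report would fail immediately with the hint "did you mean '/home/demian/asan1/chrome.exe'?" instead of the bare cmdlineParse() message, which is usually enough to spot the stray "./".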

robertswiecki commented 4 years ago

I suggest contacting the author of this blog post; maybe they will be able to help you with creating the fuzzing binary.

nclman commented 4 years ago

Just to add, I think the author of https://webassembly-security.com/fuzzing-wasm-javascript-dharma-chrome-v8/ did not use hfuzz-cc for instrumentation. Hence, there is no feedback-based coverage (notice the picture in the article. No coverage data). Anyway, he used a generational engine, so it won't matter much anyway.

I tried to build the d8 binary with hfuzz-cc, but it seems that the resulting argument length to clang is simply too large (V8 arguments + hfuzz arguments) and I kept getting a "too many positional arguments" error.

Currently, I have not found a solution, but I am using the Linux perf feature for feedback coverage. It would be great if someone has a workaround for the argument size problem.

robertswiecki commented 4 years ago

We can increase the number of positional args if it helps: please try with this https://github.com/google/honggfuzz/commit/9e34b1bc435462e5e568b0ec079ea0769dfed617

nclman commented 4 years ago

Apologies for the false alarm. It turns out I made a dumb mistake while inserting hfuzz-cc into V8's toolchain.

But while compiling seems to work fine now, linking failed as V8's toolchain bypasses clang and uses ld linker directly. I don't have a good working knowledge of V8 to fiddle around there, but I was able to hack hfuzz-cc to make it all build/link OK.

robertswiecki commented 4 years ago

Congratz! :) This is a useful piece of knowledge for anyone anyway :)