kirasys / unicorn-fuzzer

expansion of afl-unicorn using c++
26 stars, 10 forks

actually fuzzing inputs? #1

Open jbachell opened 5 years ago

jbachell commented 5 years ago

Hi! I've currently been looking at your code and you don't take in any inputs.

Does your original code work for fuzzing?

I have modified the code (sort of) to work with ARM and also tried to actually fuzz inputs (adding an input directory to the command line). It doesn't seem to work. I'm not sure if this is an issue with the additions I've made, or if it's an issue with adding it to afl-unicorn. I don't fully understand the use of a loop at the end of the unicorn_loader.cpp. What did your original tests actually do?

Note: The C++ version of this compared to python is significantly faster, maybe about 8 times faster (if I can get it working)

kirasys commented 4 years ago

Sorry for the late reply. "unicorn_loader.cpp" is a harness file for fuzzing and the "tests" folder just takes a binary for testing. I don't think you understand afl-unicorn completely. Please check this post. (afl-unicorn: Fuzzing Arbitrary Binary Code)

ps. I've updated the project. If any problem is found, please let me know.

jbachell commented 4 years ago

I should be sending you a pull request! I updated the harness to how I was using it, as well as ARM support. "Dumb fuzzing" works, but the path finding does not work with AFL. AFL cannot distinguish unique errors with this unicorn fuzzer, but with python it can. Do you know why?

kirasys commented 4 years ago

Thanks for your PR!! I'll reflect your code on the project soon. Anyway, can you tell me what kind of unique errors it doesn't find? Such as heap corruption or stack overflow. Do you mean the unicorn loader which was built from my project doesn't emit a crash even though an edge case is given?

jbachell commented 4 years ago

No, I mean to tell you that the pathfinding is broken. For the python fuzzer, the program can detect where it is in the program and find ways to fully explore the program to get full coverage. I believe that I have the test I was using in my arm branch which was forked from yours. I'm not currently working on the project, but I don't mind picking it back up for a little. It shouldn't take that long to just look through my test and new loader and see what it does ... My goal was for it to be the exact same usage as the original AFL Unicorn, just in C++, including the same command line usage.
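The "path finding" the thread is arguing about comes down to one mechanism: the harness's basic-block hook must populate AFL's shared trace map, and AFL keeps an input only when that map shows an edge it has not seen before. The toy model below is an added example, not code from kirasys/unicorn-fuzzer or from afl-unicorn; it replays constructed block traces (the addresses a Unicorn block hook would report) through AFL's classic `map[cur ^ prev] += 1; prev = cur >> 1` update and shows why a harness whose hook never fires looks like "dumb fuzzing" to AFL: every run reports zero new edges, so no input is ever queued as a new path. The `block_id` hash is an assumption of this example (afl-unicorn derives block ids from addresses in its own way), and all traces are constructed.

```python
"""Toy model of AFL-style edge coverage fed by a basic-block trace.

Added example (constructed), not code from unicorn-fuzzer or afl-unicorn.
"""

MAP_SIZE = 1 << 16  # AFL's default trace map size (64 KiB)


def block_id(address: int) -> int:
    """Map a basic-block address into the trace map's index range.

    AFL's compiler instrumentation assigns a random id per block; a
    binary-only harness has to derive one from the address. The mixing
    below is an assumption of this example, not afl-unicorn's formula.
    """
    return ((address >> 4) ^ (address << 8)) & (MAP_SIZE - 1)


def edge_coverage(block_trace):
    """Build the trace map for one execution from the blocks it visited.

    Mirrors AFL's classic update performed in the block hook:
        map[cur_loc ^ prev_loc] += 1
        prev_loc = cur_loc >> 1
    The shift keeps A->B and B->A (and A->A) as distinct edges.
    """
    trace_bits = {}
    prev_loc = 0
    for addr in block_trace:
        cur_loc = block_id(addr)
        idx = cur_loc ^ prev_loc
        trace_bits[idx] = trace_bits.get(idx, 0) + 1
        prev_loc = cur_loc >> 1
    return trace_bits


def has_new_edges(trace_bits, virgin):
    """Return True if this run hit an edge not yet in the global set.

    This is the signal AFL uses to decide that an input found a new
    path and belongs in the queue. 'virgin' is updated in place.
    """
    new = set(trace_bits) - virgin
    virgin.update(new)
    return bool(new)


def run_campaign(traces):
    """Replay a list of (label, block_trace) pairs and report which
    inputs AFL would keep as new paths, in order."""
    virgin = set()
    kept = []
    for label, trace in traces:
        if has_new_edges(edge_coverage(trace), virgin):
            kept.append(label)
    return kept


# Constructed traces: a branch that rejects the input (A) versus one
# that reaches a handler block (B). Addresses are illustrative only.
TRACE_A = [0x1000, 0x1010, 0x1080]   # entry -> reject -> exit
TRACE_B = [0x1000, 0x1040, 0x1080]   # entry -> handler -> exit
TRACE_NONE = []                      # hook never fired: empty map

if __name__ == "__main__":
    # Instrumented harness: A is new, A again is not, B is new.
    print(run_campaign([("A", TRACE_A), ("A2", TRACE_A), ("B", TRACE_B)]))
    # Hook not wired up: nothing is ever reported as a new path.
    print(run_campaign([("A", TRACE_NONE), ("B", TRACE_NONE)]))
```

The second campaign is the symptom described in the thread: crashes still surface (the emulator still faults on bad input), but because the map stays empty AFL never sees a new edge and cannot tell one execution path from another. When porting a harness, the first thing to check is therefore that the block hook actually runs and writes into the map AFL reads, before looking at the fuzzer's command line.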