This repo is incomplete and depreciated
For full code, please refer to: https://github.com/yiluwusbu/DEVFUZZ
This is AFL proxy(AP). This repo contains a lighweight proxy program(ap) launched by AFL. A library aplib used by client to communicate with AP.
|--------\ spawn AP process IPC with client using | AFL | <------------------> [./ap fuzz.data]<------------------> QEMU[KVM] ``````^``` create fuzz data | /dev/shm/afl-proxy | \ | | \ | | \ code coverage bitmap | enable perf-pt(PIDX) <------ap_attach_pt(PIDX) `--------------------------> | vmx_on()
At a high level, AP creates a shared memory(/dev/shm/afl-proxy) and accepts requests from the real client, QEMU e.g. Client get fuzz data location through SHM. The code coverage information is provided by client by explicitly calling ap_log_pc(uint64_t) at each basicblock or it could be provided by PT. If using PT, client need to call ap_attach_pt(PIDX) to enable PT-monitor in ap. Also, if PT is used, clients don't have to call ap_log_pc at each basic block thus saving time. The client program should be linked with aplib.
AP supports two different modes to collect code coverage. One is through explicit call to ap_log_pc(uint64_t pc), another is through PT.
AP relies on Linux perf subsystem to collect PT trace.
The device model build can be break down into two stage:
1) s2e symbolic execution - produce first device model that can pass probing
2) dynamic analysis to produce PCI bus master support model -- improve first model with DMA support
To run 2nd step, the guest kernel must be patched with 0001-sfp-Add-hypercall-to-let-host-know-dma-buffer-locati.patch
$(afl-proxy): make
S2E Repos:
https://github.com/lzto/guest-images https://github.com/lzto/s2e https://github.com/lzto/s2e-linux-kernel
First, run AP using the following command
cd run
./run.sh
After AP is launched, start QEMU in another terminal
use LLVM coding style and run make indent
pt_attach()
is called when KVM thread is created and ap_exit()
is called when one fuzzing test is done. AFL will update coverage information when ap_exit()
is called.
Device models are under afl-proxy/aplib/, you are more than welcome to send pull request, contribute and improve existing device models.