twistlock / kisaten

Ruby MRI extension for fuzzing Ruby code with afl-fuzz
MIT License

No instrumentation detected #2

Open ioquatix opened 4 years ago

ioquatix commented 4 years ago

Here is my test script.rb:

#!/usr/bin/env ruby

require 'kisaten'

Kisaten.init

puts Integer($stdin.read)

I have one file in the input directory: number.txt containing a valid integer.

Here is the output of afl-fuzz -i input/ -o output/ -t 1000 -m 1000 -- ruby script.rb @@

koyoko% afl-fuzz -i input/ -o output/ -t 1000  -m 1000 -- ruby script.rb @@
afl-fuzz 2.56b by <lcamtuf@google.com>
[+] You have 8 CPU cores and 1 runnable tasks (utilization: 12%).
[+] Try parallel jobs - see /usr/share/doc/afl/parallel_fuzzing.txt.
[*] Checking CPU core loadout...
[+] Found a free CPU core, binding to #0.
[*] Checking core_pattern...
[*] Checking CPU scaling governor...
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Scanning 'input/'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Validating target binary...

[-] Looks like the target binary is not instrumented! The fuzzer depends on
    compile-time instrumentation to isolate interesting test cases while
    mutating the input data. For more information, and for tips on how to
    instrument binaries, please see /usr/share/doc/afl/README.

    When source code is not available, you may be able to leverage QEMU
    mode support. Consult the README for tips on how to enable this.
    (It is also possible to use afl-fuzz as a traditional, "dumb" fuzzer.
    For that, you can use the -n option - but expect much worse results.)

[-] PROGRAM ABORT : No instrumentation detected
         Location : check_binary(), afl-fuzz.c:6959

ioquatix commented 4 years ago

Okay, I got this working.

One thing I'd like to know is whether we can make this slightly more ergonomic. Here is what my script looks like:

#!/usr/bin/env ruby

require 'socket'
require_relative '../../lib/protocol/http1'

def test
    sockets = Socket.pair(Socket::PF_UNIX, Socket::SOCK_STREAM)

    client = Protocol::HTTP1::Connection.new(sockets.first)
    server = Protocol::HTTP1::Connection.new(sockets.last)

    sockets.first.write($stdin.read)
    sockets.first.close

    begin
        host, method, path, version, headers, body = server.read_request

        body = server.read_request_body(method, headers)
    rescue Protocol::HTTP1::InvalidRequest
        # Ignore.
    end
end

if ENV["_"] =~ /afl/
    require 'kisaten'
    Kisaten.crash_at [Exception], [], Signal.list['USR1']

    while Kisaten.loop 1000
        test
    end
else
    test
end

First question: Is there a better check than ENV["_"] =~ /afl/?
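A harness along the lines of the script above, added here as an example; it is not code from this thread or from the kisaten project. It reads the `@@` file argument (or stdin), detects afl-fuzz through the `__AFL_SHM_ID` variable that afl exports to instrumented targets rather than through `ENV["_"]`, and keeps the same crash_at/loop calls; the environment-variable check and the reading of crash_at's second argument as an ignore list are my assumptions, and the target is the Integer parser from the first script.

```ruby
# Example harness (not from the thread or the kisaten project).
require 'stringio'

# Fuzz target: the parser from the first script in the thread. It raises
# ArgumentError on non-numeric input, which is exactly what the fuzzer
# should be able to observe.
def parse_number(data)
  Integer(data)
end

# True when running under afl-fuzz. Assumption: afl-fuzz exports the id of
# the coverage shared-memory segment in __AFL_SHM_ID to the target, so its
# presence is a better signal than the shell's ENV["_"]. The env parameter
# is injectable so the check can be exercised without afl.
def under_afl?(env = ENV)
  env.key?('__AFL_SHM_ID')
end

# Input bytes: the file afl substitutes for @@, or stdin when no path given.
def read_input(argv = ARGV, stdin = $stdin)
  argv.empty? ? stdin.read : File.binread(argv.first)
end

# Runs the target. Under afl: persistent mode via Kisaten.loop, with
# crash_at turning an uncaught StandardError into SIGUSR1 so afl records it
# as a crash (second argument assumed to be the list of exceptions to
# ignore, empty here). Otherwise: one plain run, returning the parsed value.
def run_target(env: ENV, argv: ARGV, stdin: $stdin)
  if under_afl?(env)
    require 'kisaten'
    Kisaten.crash_at [StandardError], [], Signal.list['USR1']
    while Kisaten.loop 1000
      parse_number(read_input(argv, stdin))
    end
    :fuzzed
  else
    parse_number(read_input(argv, stdin))
  end
end

# Only auto-run when invoked with a file argument, e.g.
#   afl-fuzz -i input/ -o output/ -- ruby harness.rb @@
run_target if $PROGRAM_NAME == __FILE__ && !ARGV.empty?
```

Outside afl the same file doubles as a reproducer: `ruby harness.rb crash_case.txt` re-runs one saved input with normal Ruby error reporting.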

bluebellRoot commented 1 year ago

Hi, I'm hitting the same "No instrumentation detected" problem as you. Could you tell me how you solved it? Thanks very much.

ioquatix commented 1 year ago

The full working example is here: https://github.com/socketry/protocol-http1/blob/e6a9235102986a7a5462aea251f2fc9cdc00d65b/fuzz/request/bake.rb#L8

bluebellRoot commented 1 year ago

Thanks for your reply. I got this error solved!