Initial commit

Makefile

@@ -0,0 +1,171 @@
+#
+# UnTracer-AFL - makefile
+# -----------------------------
+#
+# Written by Stefan Nagy <snagy2@vt.edu>
+#
+# Based on AFL (american fuzzy lop) by Michal Zalewski <lcamtuf@google.com>
+# 
+# ------------Original copyright below------------
+# 
+# Copyright 2013, 2014, 2015, 2016, 2017 Google Inc. All rights reserved.
+# 
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at:
+# 
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+
+##################################################################
+
+# UnTracer vars - edit DYN_ROOT accordingly
+
+DYN_ROOT 	= /home/osboxes/fuzzing/dynBuildDir
+CC 			= gcc 
+CXX 		= g++
+CXXFLAGS 	= -g -Wall -O3 -std=c++11
+LIBFLAGS 	= -fpic -shared
+LDFLAGS 	= -I/usr/include -I$(DYN_ROOT)/include -L$(DYN_ROOT)/lib -lcommon -liberty -ldyninstAPI -lboost_system
+
+##################################################################
+
+PROGNAME    = afl
+VERSION     = $(shell grep '^\#define VERSION ' config.h | cut -d '"' -f2)
+
+PREFIX     ?= /usr/local
+BIN_PATH    = $(PREFIX)/bin
+HELPER_PATH = $(PREFIX)/lib/afl
+DOC_PATH    = $(PREFIX)/share/doc/afl
+MISC_PATH   = $(PREFIX)/share/afl
+
+# PROGS intentionally omit afl-as, which gets installed elsewhere.
+
+PROGS       = untracer-afl libUnTracerDyninst UnTracerDyninst cov-check afl-gcc afl-showmap
+SH_PROGS    = afl-plot
+
+CFLAGS     ?= -O3 -funroll-loops
+CFLAGS     += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign \
+	      -DAFL_PATH=\"$(HELPER_PATH)\" -DDOC_PATH=\"$(DOC_PATH)\" \
+	      -DBIN_PATH=\"$(BIN_PATH)\"
+
+ifneq "$(filter Linux GNU%,$(shell uname))" ""
+  LDFLAGS  += -ldl
+endif
+
+ifeq "$(findstring clang, $(shell $(CC) --version 2>/dev/null))" ""
+  TEST_CC   = afl-gcc
+else
+  TEST_CC   = afl-clang
+endif
+
+COMM_HDR    = alloc-inl.h config.h debug.h types.h
+
+all: test_x86 $(PROGS) afl-as test_build all_done
+
+ifndef AFL_NO_X86
+
+test_x86:
+	@echo "[*] Checking for the ability to compile x86 code..."
+	@echo 'main() { __asm__("xorb %al, %al"); }' | $(CC) -w -x c - -o .test || ( echo; echo "Oops, looks like your compiler can't generate x86 code."; echo; echo "Don't panic! You can use the LLVM or QEMU mode, but see docs/INSTALL first."; echo "(To ignore this error, set AFL_NO_X86=1 and try again.)"; echo; exit 1 )
+	@rm -f .test
+	@echo "[+] Everything seems to be working, ready to compile."
+
+else
+
+test_x86:
+	@echo "[!] Note: skipping x86 compilation checks (AFL_NO_X86 set)."
+
+endif
+
+# UnTracer dependencies
+
+untracer-afl: untracer-afl.c $(COMM_HDR) | test_x86
+	$(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS) libUnTracerHashmap.c
+
+libUnTracerDyninst: libUnTracerDyninst.cpp
+	$(CXX) $(CXXFLAGS) -o libUnTracerDyninst.so libUnTracerDyninst.cpp $(LDFLAGS) $(LIBFLAGS) libUnTracerHashmap.c
+
+UnTracerDyninst: UnTracerDyninst.cpp
+	$(CXX) -Wl,-rpath-link,$(DYN_ROOT)/lib -Wl,-rpath-link,$(DYN_ROOT)/include $(CXXFLAGS) -o UnTracerDyninst UnTracerDyninst.cpp $(LDFLAGS)
+
+cov-check: cov-check.c
+	$(CC) -Wall -o cov-check cov-check.c libUnTracerHashmap.c
+
+
+# AFL dependencies
+
+afl-gcc: afl-gcc.c $(COMM_HDR) | test_x86
+	$(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
+	set -e; for i in afl-g++ afl-clang afl-clang++; do ln -sf afl-gcc $$i; done
+
+afl-as: afl-as.c afl-as.h $(COMM_HDR) | test_x86
+	$(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
+	ln -sf afl-as as
+
+afl-showmap: afl-showmap.c $(COMM_HDR) | test_x86
+	$(CC) $(CFLAGS) $@.c -o $@ $(LDFLAGS)
+
+ifndef AFL_NO_X86
+
+test_build: afl-gcc afl-as afl-showmap
+	@echo "[*] Testing the CC wrapper and instrumentation output..."
+	unset AFL_USE_ASAN AFL_USE_MSAN; AFL_QUIET=1 AFL_INST_RATIO=100 AFL_PATH=. ./$(TEST_CC) $(CFLAGS) test-instr.c -o test-instr $(LDFLAGS)
+	echo 0 | ./afl-showmap -m none -q -o .test-instr0 ./test-instr
+	echo 1 | ./afl-showmap -m none -q -o .test-instr1 ./test-instr
+	@rm -f test-instr
+	@cmp -s .test-instr0 .test-instr1; DR="$$?"; rm -f .test-instr0 .test-instr1; if [ "$$DR" = "0" ]; then echo; echo "Oops, the instrumentation does not seem to be behaving correctly!"; echo; echo "Please ping <lcamtuf@google.com> to troubleshoot the issue."; echo; exit 1; fi
+	@echo "[+] All right, the instrumentation seems to be working!"
+
+else
+
+test_build: afl-gcc afl-as afl-showmap
+	@echo "[!] Note: skipping build tests (you may need to use LLVM or QEMU mode)."
+
+endif
+
+all_done: test_build
+	@if [ ! "`which clang 2>/dev/null`" = "" ]; then echo "[+] LLVM users: see llvm_mode/README.llvm for a faster alternative to afl-gcc."; fi
+	@echo "[+] All done! Be sure to review README - it's pretty short and useful."
+	@if [ "`uname`" = "Darwin" ]; then printf "\nWARNING: Fuzzing on MacOS X is slow because of the unusually high overhead of\nfork() on this OS. Consider using Linux or *BSD. You can also use VirtualBox\n(virtualbox.org) to put AFL inside a Linux or *BSD VM.\n\n"; fi
+	@! tty <&1 >/dev/null || printf "\033[0;30mNOTE: If you can read this, your terminal probably uses white background.\nThis will make the UI hard to read. See docs/status_screen.txt for advice.\033[0m\n" 2>/dev/null
+
+.NOTPARALLEL: clean
+
+clean:
+	rm -f $(PROGS) afl-as as afl-g++ afl-clang afl-clang++ *.o *~ a.out core core.[1-9][0-9]* *.stackdump test .test test-instr .test-instr0 .test-instr1 
+
+install: all
+	mkdir -p -m 755 $${DESTDIR}$(BIN_PATH) $${DESTDIR}$(HELPER_PATH) $${DESTDIR}$(DOC_PATH) $${DESTDIR}$(MISC_PATH)
+	rm -f $${DESTDIR}$(BIN_PATH)/afl-plot.sh
+	install -m 755 $(PROGS) $(SH_PROGS) $${DESTDIR}$(BIN_PATH)
+	rm -f $${DESTDIR}$(BIN_PATH)/afl-as
+	if [ -f afl-qemu-trace ]; then install -m 755 afl-qemu-trace $${DESTDIR}$(BIN_PATH); fi
+ifndef AFL_TRACE_PC
+	if [ -f afl-clang-fast -a -f afl-llvm-pass.so -a -f afl-llvm-rt.o ]; then set -e; install -m 755 afl-clang-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang-fast++; install -m 755 afl-llvm-pass.so afl-llvm-rt.o $${DESTDIR}$(HELPER_PATH); fi
+else
+	if [ -f afl-clang-fast -a -f afl-llvm-rt.o ]; then set -e; install -m 755 afl-clang-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-clang-fast $${DESTDIR}$(BIN_PATH)/afl-clang-fast++; install -m 755 afl-llvm-rt.o $${DESTDIR}$(HELPER_PATH); fi
+endif
+	if [ -f afl-llvm-rt-32.o ]; then set -e; install -m 755 afl-llvm-rt-32.o $${DESTDIR}$(HELPER_PATH); fi
+	if [ -f afl-llvm-rt-64.o ]; then set -e; install -m 755 afl-llvm-rt-64.o $${DESTDIR}$(HELPER_PATH); fi
+	set -e; for i in afl-g++ afl-clang afl-clang++; do ln -sf afl-gcc $${DESTDIR}$(BIN_PATH)/$$i; done
+	install -m 755 afl-as $${DESTDIR}$(HELPER_PATH)
+	ln -sf afl-as $${DESTDIR}$(HELPER_PATH)/as
+	install -m 644 docs/README docs/ChangeLog docs/*.txt $${DESTDIR}$(DOC_PATH)
+	cp -r testcases/ $${DESTDIR}$(MISC_PATH)
+	cp -r dictionaries/ $${DESTDIR}$(MISC_PATH)
+
+publish: clean
+	test "`basename $$PWD`" = "afl" || exit 1
+	test -f ~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz; if [ "$$?" = "0" ]; then echo; echo "Change program version in config.h, mmkay?"; echo; exit 1; fi
+	cd ..; rm -rf $(PROGNAME)-$(VERSION); cp -pr $(PROGNAME) $(PROGNAME)-$(VERSION); \
+	  tar -cvz -f ~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz $(PROGNAME)-$(VERSION)
+	chmod 644 ~/www/afl/releases/$(PROGNAME)-$(VERSION).tgz
+	( cd ~/www/afl/releases/; ln -s -f $(PROGNAME)-$(VERSION).tgz $(PROGNAME)-latest.tgz )
+	cat docs/README >~/www/afl/README.txt
+	cat docs/status_screen.txt >~/www/afl/status_screen.txt
+	cat docs/historical_notes.txt >~/www/afl/historical_notes.txt
+	cat docs/technical_details.txt >~/www/afl/technical_details.txt
+	cat docs/ChangeLog >~/www/afl/ChangeLog.txt
+	cat docs/QuickStartGuide.txt >~/www/afl/QuickStartGuide.txt
+	echo -n "$(VERSION)" >~/www/afl/version.txt

QuickStartGuide.txt

@@ -0,0 +1 @@
+docs/QuickStartGuide.txt

README.md

@@ -0,0 +1,63 @@
+# UnTracer-AFL
+This repository contains an implementation of our coverage-guided tracing framework [UnTracer](https://github.com/FoRTE-Research/Untracer) in the popular coverage-guided fuzzer [AFL](http://lcamtuf.coredump.cx/afl).
+
+**DISCLAIMER:** This software is strictly a research prototype.
+
+## Getting Started
+#### 1. Build Dyninst
+```
+sudo apt-get install cmake m4 zlib1g-dev libboost-all-dev libiberty-dev
+wget https://github.com/dyninst/dyninst/archive/v9.3.2.tar.gz
+tar -xf v9.3.2.tar.gz dyninst-9.3.2/
+mkdir dynBuildDir
+cd dynBuildDir
+cmake ../dyninst-9.3.2/ -DCMAKE_INSTALL_PREFIX=`pwd`
+make
+make install
+```
+
+#### 2. Download UnTracer-AFL
+```
+git clone https://github.com/FoRTE-Research/UnTracer-AFL
+```
+
+#### 3. Configure environment variables
+```
+export DYNINST_INSTALL=''
+export UNTRACER_AFL_PATH=''
+
+export DYNINSTAPI_RT_LIB=$DYNINST_INSTALL/lib/libdyninstAPI_RT.so
+export LD_LIBRARY_PATH=$DYNINST_INSTALL/lib:$UNTRACER_AFL_PATH
+export PATH=$PATH:$UNTRACER_AFL_PATH
+```
+
+#### 4. Build UnTracer-AFL
+Update `DYN_ROOT` in `UnTracer-AFL/Makefile` to your Dyninst install directory. 
+Then, run the following commands:
+```
+make clean && make all
+```
+
+## Running UnTracer-AFL
+First, compile all binaries using [FoRTE-afl-cc's forkserver-only ("basline")](https://github.com/FoRTE-Research/afl#forte-afl-cc) mode. Note that only **non-position-independent** target binaries are supported, so compile all target binaries with CFLAG `-no-pie` (unnecessary for Clang).
+
+Then, run as follows:
+```
+untracer-afl -i [/path/to/seed/dir] -o [/path/to/out/dir] -- [/path/to/target-BASELINE] [target_args]
+```
+
+## Running QSYM-UnTracer-AFL:
+See [here](https://github.com/FoRTE-Research/qsym#run-qsym-untracer-afl-for-24-hrs).
+
+## Checking accumulated coverage with Cov-Check:
+We provide a utility `cov-check` to calculate some block coverage statistics given an input queue. Note that like UnTracer-AFL, this tool also requires the forkserver-only (baseline) instrumented version of the target binary.
+
+Run as follows:
+```
+cov-check -q [/path/to/out/dir/queue] -o [/path/to/working/dir] -f [/path/to/log] -t [optional timeout] -- [/path/to/target-BASELINE] [target_args]
+```
+
+This tool can also be similarly used on AFL or (below) QSYM-UnTracer-AFL input queues:
+```
+cov-check -q [/path/to/out/dir/queue] -o [/path/to/working/dir/afl-slave] -f [/path/to/log] -t [optional timeout] -- [/path/to/target-BASELINE] [target_args]
+```