T-Fuzz
T-Fuzz consists of 2 components:
- Fuzzing tool (TFuzz): a fuzzing tool based on program transformation
- Crash Analyzer (CrashAnalyzer): a tool that verifies whether crashes found transformed programs are true bugs in the original program or not (coming soon).
OS support
The current version is tested only on Ubuntu-16.04, while trying to run the code, please use our tested OS.
Prerequisite
T-Fuzz system is built on several opensource tools.
- angr
- shellphish fuzzer
- angr tracer
- radare2 and its python wrapper r2pipe
Installing radare2
$ git clone https://github.com/radare/radare2.git
$ cd radare2
$ ./sys/install.sh
Installing python libraries
installing some dependent libraries
Note: to use
apt-get build-dep, you need to uncomment the deb-src lines in your apt source file (/etc/apt/sources.list) and run apt-get update.
$ sudo apt-get install build-essential gcc-multilib libtool automake autoconf bison debootstrap debian-archive-keyring
$ sudo apt-get build-dep qemu-system
$ sudo apt-get install libacl1-dev
installing pip and setting up virtualenv & wrapper
$ sudo apt-get install python-pip python-virtualenv
$ pip install virtualenvwrapper
Add the following lines to your shell rc file (~/.bashrc or ~/.zshrc).
export WORKON_HOME=$HOME/.virtual_envs
source /usr/local/bin/virtualenvwrapper.sh
Creating a python virtual environment
$ mkvirtualenv tfuzz-env
Installing dependent libraries
This command will install all the dependent python libraries for you.
$ workon tfuzz-env
$ pip install -r req.txt
Fuzzing target programs with T-Fuzz
$ ./TFuzz --program
--work_dir
--target_opts
Where
-
: the path to the target program to fuzz -
: the directory to save the results -
: the options to pass to the target program, like AFL, use @@as placeholder for files to mutate.
Examples
- Fuzzing base64 with T-Fuzz
$ ./TFuzz --program target_programs/base64 --work_dir workdir_base64 --target_opts "-d @@"
- Fuzzing uniq with T-Fuzz
$ ./TFuzz --program target_programs/uniq --work_dir workdir_uniq --target_opts "@@"
- Fuzzing md5sum with T-Fuzz
$ ./TFuzz --program target_programs/md5sum --work_dir workdir_md5sum --target_opts "-c @@"
- Fuzzing who with T-Fuzz
$ ./TFuzz --program target_programs/who --work_dir workdir_who --target_opts "@@"
Using CrashAnalyzer to verify crashes
T-Fuzz CrashAnalyzer has been put in a docker image, however, it is still not working in all binaries we tested, we are still investigating it the cause.
Here is how:
Run the following command to run our docker image
$ [sudo] docker pull tfuzz/tfuzz-test
$ [sudo] docker run --security-opt seccomp:unconfined -it tfuzz/tfuzz-test /usr/bin/zsh
In the container:
There are 3 directories:
release: contains code the built lava binariesresults: contains some results we found in lava-m datasetradare2: it is a program used by T-Fuzz.
Currently, T-Fuzz may not work, because the tracer crashes accidentally. And the CrashAnalyzer can not work on all results. But some cases can be recovered.
For example:
To verify bugs in base64, first goto release and checkout ca_base64:
$ cd release
$ git checkout ca_base64
Then we use a transformed program to recover the crash in the original program:
- Choose a transformed program and run it on the input found by a fuzzer:
$ cd ~
$./results/ca_base64/554/base64_tfuzz_28/base64_tfuzz_28 -d ./results/ca_base64/554/crashing_inputs_from/results_saved_0_from
[1] 131 segmentation fault (core dumped) ./results/ca_base64/554/base64_tfuzz_28/base64_tfuzz_28 -d
- Recover an input from this transformed program and crashing input
). Re-hooking. WARNING | 2018-12-04 04:28:23,228 | angr.project | Address is already hooked, during hook(0x90dd000,
). Re-hooking. WARNING | 2018-12-04 04:28:23,229 | angr.simos.linux | Tracer has been heavily tested only for CGC. If you find it buggy for Linux binaries, we are sorry! Adding
= 65) && (file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_0_0_8 <= 90)), ((file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_0_0_8 >= 97) && (file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_0_0_8 <= 122)), ((file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_0_0_8 >= 48) && (file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_0_0_8 <= 57)), (file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_0_0_8 == 43), (file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_0_0_8 == 47))> Adding
= 65) && (file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_1_1_8 <= 90)), ((file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_1_1_8 >= 97) && (file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_1_1_8 <= 122)), ((file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_1_1_8 >= 48) && (file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_1_1_8 <= 57)), (file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_1_1_8 == 43), (file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_1_1_8 == 47))> Adding
= 65) && (file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_2_2_8 <= 90)), ((file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_2_2_8 >= 97) && (file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_2_2_8 <= 122)), ((file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_2_2_8 >= 48) && (file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_2_2_8 <= 57)), (file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_2_2_8 == 43), (file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_2_2_8 == 47))> Adding
= 65) && (file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_3_3_8 <= 90)), ((file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_3_3_8 >= 97) && (file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_3_3_8 <= 122)), ((file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_3_3_8 >= 48) && (file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_3_3_8 <= 57)), (file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_3_3_8 == 43), (file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_3_3_8 == 47))> results saved to /root/base64_result/recover_0 ">
$ ./release/CrashAnalyzer --tprogram ./results/ca_base64/554/base64_tfuzz_28/base64_tfuzz_28 --target_opts "-d @@" --crash_input ./results/ca_base64/554/crashing_inputs_from/results_saved_0_from --result_dir base64_result --save_to recover
WARNING | 2018-12-04 04:28:22,350 | angr.analyses.disassembly_utils | Your verison of capstone does not support MIPS instruction groups.
Trying /root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from
WARNING | 2018-12-04 04:28:23,228 | angr.project | Address is already hooked, during hook(0x9021cd0,
). Re-hooking.
WARNING | 2018-12-04 04:28:23,228 | angr.project | Address is already hooked, during hook(0x90dd000,
). Re-hooking.
WARNING | 2018-12-04 04:28:23,229 | angr.simos.linux | Tracer has been heavily tested only for CGC. If you find it buggy for Linux binaries, we are sorry!
Adding
= 65) && (file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_0_0_8 <= 90)), ((file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_0_0_8 >= 97) && (file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_0_0_8 <= 122)), ((file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_0_0_8 >= 48) && (file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_0_0_8 <= 57)), (file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_0_0_8 == 43), (file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_0_0_8 == 47))>
Adding
= 65) && (file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_1_1_8 <= 90)), ((file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_1_1_8 >= 97) && (file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_1_1_8 <= 122)), ((file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_1_1_8 >= 48) && (file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_1_1_8 <= 57)), (file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_1_1_8 == 43), (file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_1_1_8 == 47))>
Adding
= 65) && (file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_2_2_8 <= 90)), ((file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_2_2_8 >= 97) && (file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_2_2_8 <= 122)), ((file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_2_2_8 >= 48) && (file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_2_2_8 <= 57)), (file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_2_2_8 == 43), (file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_2_2_8 == 47))> Adding
= 65) && (file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_3_3_8 <= 90)), ((file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_3_3_8 >= 97) && (file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_3_3_8 <= 122)), ((file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_3_3_8 >= 48) && (file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_3_3_8 <= 57)), (file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_3_3_8 == 43), (file_/root/results/ca_base64/554/crashing_inputs_from/results_saved_0_from_9_3_3_8 == 47))> results saved to /root/base64_result/recover_0
Then /root/base64_result/recover_0 is generated, we can use it to trigger a crash in the original program.
- verify the input by running the generated input on the original program
$ ./results/base64 -d base64_result/recover_0
Successfully triggered bug 554, crashing now!
Successfully triggered bug 554, crashing now!
Successfully triggered bug 554, crashing now!
[1] 177 segmentation fault (core dumped) ./results/base64 -d base64_result/recover_0
31 Dec 09, 2022
8 Oct 06, 2022
40 Dec 12, 2022
34 Dec 28, 2022
46 Jul 06, 2022
2.6k Jan 01, 2023
36 Dec 05, 2022
75 Dec 22, 2022
125 Nov 26, 2022
3 Oct 09, 2022
29 Aug 30, 2022
35 Nov 30, 2022
2.6k Jan 01, 2023
17 Nov 10, 2022
230 Jan 05, 2023
4.8k Jan 07, 2023
671 Jan 03, 2023
215 Dec 30, 2022
111 Dec 10, 2022
121 Dec 30, 2022