Skip to content
/ VmaxFuzz Public

Seed Selection For Variables Indicating The Scale Of Memory Operation

License

Apache-2.0 license
1 star 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

springflo/VmaxFuzz

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
.travis
.travis
 
 
.vscode
.vscode
 
 
dictionaries
dictionaries
 
 
docs
docs
 
 
experimental
experimental
 
 
libdislocator
libdislocator
 
 
libtokencap
libtokencap
 
 
llvm_mode
llvm_mode
 
 
qemu_mode
qemu_mode
 
 
scripts
scripts
 
 
testcases
testcases
 
 
.gitignore
.gitignore
 
 
.travis.yml
.travis.yml
 
 
CONTRIBUTING.md
CONTRIBUTING.md
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
README_zh.md
README_zh.md
 
 
afl-analyze.c
afl-analyze.c
 
 
afl-as.c
afl-as.c
 
 
afl-as.h
afl-as.h
 
 
afl-cmin
afl-cmin
 
 
afl-fuzz.c
afl-fuzz.c
 
 
afl-gcc.c
afl-gcc.c
 
 
afl-gotcpu.c
afl-gotcpu.c
 
 
afl-plot
afl-plot
 
 
afl-showmap.c
afl-showmap.c
 
 
afl-tmin.c
afl-tmin.c
 
 
afl-whatsup
afl-whatsup
 
 
alloc-inl.h
alloc-inl.h
 
 
config.h
config.h
 
 
debug.h
debug.h
 
 
hash.h
hash.h
 
 
test-instr.c
test-instr.c
 
 
test-libfuzzer-target.c
test-libfuzzer-target.c
 
 
types.h
types.h
 
 

Repository files navigation

VmaxFuzz: Seed Selection For Variables Indicating The Scale Of Memory Operation

github:

Developed by Cai Chunfang .

1) Project

Out-of-Bound is a kind of dangerous and common vulnerability in programs. The software does not restrict or incorrectly restricts operations within the boundaries of memory that is accessed using an index or pointer. In some complex cases, to trigger the out of bounds errors not only needs to satisfy control flow conditions, but also data conditions. In these cases, the scale of memory operation should exceed the memory boundary or specific range. However, detecting such vulnerability is challenging, as the state-of-the-art fuzzing techniques focus on code coverage but not memory operation and scale, failing to give additional energy to test cases which changed the memory scale. To achieve higher efficiency on detecting this kind of out-of-bound errors with grey-box fuzzing, we introduced memory scale indicating variable, shortly MemsVar, which is the variable that indicates the index, pointer or size of a memory operation in a program. The MemsVar were instrumented to monitor the change of memory operation scale. We then proposed a seed metric for MemsVar. With this metric, test cases which updated the actual range of MemsVar were kept as effective seeds, thus guiding the scale of memory operation to exceed the memory boundary or specific range and triggering memory out-of-bound errors quickly. Finally, based on the proposed seed metric, we designed a gray box fuzzer named Vmaxfuzz, implemented on the basis of AFL.

Uage

1) Environment and Main Code

System:ubuntu 16.04
tools:llvm clang valgrind etc.

./afl-fuzz.c    fuzzing Loop
./llvm_mode/afl-llvm-pass.so.cc Static analyze and Instrumentation
./llvm_mode/afl-llvm-rt.o.c      Instrumentation
./scripts/      compile,analyze,run scripts

2) Compile vmaxfuzz

./
$make
$cd llvm_mode/
$make

Get executable files: afl-clang-fast,afl-clang-fast++,afl-fuzz, and some run-time files.
    afl-clang-fast  afl-clang-fast++    VmaxFuzz compiler
    afl-fuzz                            fuzzer

3) Compile programs

-get programs
$./scripts/get_program.py program_src.json exiv2

-Comple programs with afl-clang-fast  afl-clang-fast++, with python
$./scripts/compile.py ./scripts/compile_arg.json exiv2
Or shell scripts
./scripts/run_fuzzer.sh exiv2

4) Start Fuzzing

$./scripts/run_fuzzer.py ./scripts/fuzz_arg.json exiv2

5) Analyze Results

out/crash_file
Use valgrind,AS to reproduce the call stack,compare with CVE
$./scripts/get_cves.py exiv2    crawl CVE informations

About

Seed Selection For Variables Indicating The Scale Of Memory Operation

Resources

Readme

License

Apache-2.0 license
Activity

Stars

1 star

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages