StochFuzz - Sound and Cost-effective Fuzzing of Stripped Binaries by Incremental and Stochastic Rewriting

Overview

StochFuzz: A New Solution for Binary-only Fuzzing


StochFuzz is a (probabilistically) sound and cost-effective fuzzing technique for stripped binaries. It is built on a novel incremental and stochastic rewriting technique that is particularly suitable for binary-only fuzzing. Any AFL-based fuzzer that takes edge coverage (as defined by AFL) as runtime feedback can benefit from StochFuzz to fuzz stripped binaries directly.

More data and the results of the experiments can be found here. Example cases of leveraging StochFuzz to improve advanced AFL-based fuzzers (AFL++ and Polyglot) can be found in system.md.

Clarifications

  • We adopt a system design different from the one described in the paper. Details can be found in system.md.
  • In the paper, when we are talking about e9patch, we are actually talking about the binary-only fuzzing tool built upon e9patch, namely e9tool. Please refer to its website for more details.
  • StochFuzz provides sound rewriting for binaries without inlined data, and probabilistically sound rewriting for the rest.

Building StochFuzz

StochFuzz is built upon Keystone, Capstone, GLib, and libunwind.

These dependencies can be built by build.sh. If you are building StochFuzz in a clean container, make sure standard tools such as autoreconf and libtool are installed first.

$ git clone https://github.com/ZhangZhuoSJTU/StochFuzz.git
$ cd StochFuzz
$ ./build.sh

StochFuzz itself can be built by GNU Make.

$ cd src
$ make release
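The build procedure above silently depends on a few host tools, and build.sh refuses to run with a clang older than 6.0. The following pre-flight script is an added example, not part of the project's build.sh: it checks that the required tools are on PATH and parses the clang version from the first line of `clang --version` in a way that also handles two-digit majors (10, 11, ...). The tool list and the 6.0 threshold are assumptions taken from this README and from build.sh's own error message; adjust them to your environment.

```shell
#!/bin/sh
# Pre-flight check before running ./build.sh (added example, not project code).
# Assumptions: build.sh needs autoreconf, libtool, make and clang, and the
# minimum clang is 6.0 (the version build.sh itself complains about).

REQUIRED_TOOLS="autoreconf libtool make clang"
MIN_CLANG_MAJOR=6

# Extract the major version from the first line of `clang --version`.
# Works for "clang version 6.0.0-1ubuntu2 (...)", "Ubuntu clang version 10.0.0-4ubuntu1"
# and "Apple clang version 12.0.0"; prints nothing when the line is not clang's.
clang_major_from_line() {
  printf '%s\n' "$1" | sed -n 's/.*clang version \([0-9][0-9]*\)\.[0-9][0-9]*.*/\1/p'
}

# Return 0 if the given major version (a decimal string) is >= MIN_CLANG_MAJOR.
# An empty or non-numeric argument (no clang found, or unparsable line) fails.
clang_is_new_enough() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge "$MIN_CLANG_MAJOR" ]
}

# Print, one per line, the tools from the space-separated list $1 that are not on PATH.
missing_tools() {
  for t in $1; do
    command -v "$t" >/dev/null 2>&1 || printf '%s\n' "$t"
  done
}

# Run all checks; print what is wrong and return non-zero if the build would fail.
preflight() {
  rc=0
  missing=$(missing_tools "$REQUIRED_TOOLS")
  if [ -n "$missing" ]; then
    echo "missing tools:" $missing >&2
    rc=1
  fi
  if command -v clang >/dev/null 2>&1; then
    line=$(clang --version 2>/dev/null | head -n 1)
    major=$(clang_major_from_line "$line")
    if ! clang_is_new_enough "$major"; then
      echo "clang-$MIN_CLANG_MAJOR.0 or newer is required, found: ${line:-unknown}" >&2
      rc=1
    fi
  fi
  return $rc
}

# Invoke as: sh preflight.sh --run  (exit status 0 means build.sh can proceed)
case "${1:-}" in --run) preflight ;; esac
```

The version parser reads the major number as a whole field instead of matching single digits, which is the difference between accepting clang 10 and rejecting it.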

We have tested StochFuzz on Ubuntu 18.04. If you have any issue when running StochFuzz on other systems, please kindly let us know.

How to Use

StochFuzz provides several rewriting options, which follow AFL's style of passing arguments.

$ ./stoch-fuzz -h
stoch-fuzz 1.0.0 by <[email protected]>

./stoch-fuzz [ options ] -- target_binary [ ... ]

Mode settings:

  -S            - start a background daemon and wait for a fuzzer to attach (default mode)
  -R            - dry run target_binary with given arguments without an attached fuzzer
  -P            - patch target_binary without incremental rewriting
  -D            - probabilistic disassembly without rewriting
  -V            - show currently observed breakpoints

Rewriting settings:

  -g            - trace previous PC
  -c            - count the number of basic blocks with conflicting hash values
  -d            - disable instrumentation optimization
  -r            - assume the return addresses are only used by RET instructions
  -e            - install the fork server at the entrypoint instead of the main function
  -f            - forcibly assume there is data interleaved with code
  -i            - ignore the call-fallthrough edges to defend against RET-misusing obfuscation

Other stuff:

  -h            - print this help
  -x execs      - set the number of executions after which a checking run will be triggered
                  set it as zero to disable checking runs (default: 200000)
  -t msec       - set the timeout for each daemon-triggering execution
                  set it as zero to ignore the timeout (default: 2000 ms)
  -l level      - set the log level, including INFO, WARN, ERROR, and FATAL (default: INFO)

Basic Usage

- It is worth trying the advanced strategy (see below) first, because it is much more cost-effective.

To fuzz a stripped binary, say example.out, we need to cd to the directory containing the target binary. For example, if the full path of example.out is /root/example.out, we first run cd /root/. Furthermore, it is dangerous to run two StochFuzz instances in the same directory. These restrictions stem from design limitations, and we will try to relax them in the future.

Assuming StochFuzz is located at /root/StochFuzz/src/stoch-fuzz, execute the following command to start rewriting the target binary.

$ cd /root/
$ /root/StochFuzz/src/stoch-fuzz -- example.out # do not use ./example.out here

After the initial rewriting, we get a phantom file named example.out.phantom. This phantom file can be fuzzed directly by AFL or any AFL-based fuzzer. Note that the StochFuzz process does not exit during fuzzing: it keeps running as the daemon that the phantom file communicates with, so make sure it stays alive for the whole fuzzing session.

Here is a demo that shows how StochFuzz works.


Advanced Usage

Compared with the compiler-based instrumentation (e.g., afl-clang-fast), StochFuzz has additional runtime overhead because it needs to emulate each CALL instruction to support stack unwinding.

Inspired by recent work, we provide an advanced rewriting strategy in which CALL instructions are not emulated; instead, the _ULx86_64_step function from libunwind is wrapped to support stack unwinding. This strategy works for most binaries but may fail in some cases, such as fuzzing statically linked binaries.

To enable this strategy, simply pass the -r option to StochFuzz.

$ cd /root/
$ /root/StochFuzz/src/stoch-fuzz -r -- example.out # do not use ./example.out here

Additionally, before fuzzing, we need to set the AFL_PRELOAD environment variable for AFL.

$ export STOCHFUZZ_PRELOAD=$(/root/StochFuzz/scripts/stochfuzz_env.sh)
$ AFL_PRELOAD=$STOCHFUZZ_PRELOAD afl-fuzz -i seeds -o output -t 2000 -- example.out.phantom @@
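The basic and advanced workflows above share the same shape: validate the target, start the stoch-fuzz daemon from the target's own directory, wait for the phantom file, and then point afl-fuzz at it (with AFL_PRELOAD for the -r strategy). The launcher below is an added example, not a script shipped with StochFuzz. It assumes STOCHFUZZ_DIR is a checkout containing src/stoch-fuzz and scripts/stochfuzz_env.sh, that afl-fuzz is on PATH, and that seeds live in ./seeds; the PHANTOM_WAIT_SECS timeout is an arbitrary default.

```shell
#!/bin/sh
# Launcher for the StochFuzz workflow (added example, not project code).
# Assumptions: STOCHFUZZ_DIR has src/stoch-fuzz and scripts/stochfuzz_env.sh,
# afl-fuzz is on PATH, seeds are in ./seeds, output goes to ./output.
STOCHFUZZ_DIR="${STOCHFUZZ_DIR:-/root/StochFuzz}"
PHANTOM_WAIT_SECS="${PHANTOM_WAIT_SECS:-60}"

# The README requires the target to be a bare file name in the current directory
# (no "./" and no path). Return 0 if $1 is such a name and an executable regular
# file in $PWD; otherwise print why and return non-zero.
check_target() {
  case "$1" in
    ''|*/*) echo "target must be a bare file name in \$PWD, got '$1'" >&2; return 1 ;;
  esac
  [ -f "$1" ] || { echo "no such file in $PWD: $1" >&2; return 2; }
  [ -x "$1" ] || { echo "not executable: $1" >&2; return 3; }
  return 0
}

# Map a strategy name to the stoch-fuzz option(s) the README uses for it:
# basic emulates CALLs (default mode, no option); advanced passes -r.
stochfuzz_opts() {
  case "$1" in
    basic) : ;;
    advanced) printf '%s' '-r' ;;
    *) return 1 ;;
  esac
}

# Print the afl-fuzz command line for the phantom file of target $2.
# In advanced mode the AFL_PRELOAD value (output of stochfuzz_env.sh) is $3.
afl_cmd() {
  mode="$1"; target="$2"; preload="${3:-}"
  base="afl-fuzz -i seeds -o output -t 2000 -- ${target}.phantom @@"
  case "$mode" in
    basic) printf '%s\n' "$base" ;;
    advanced)
      [ -n "$preload" ] || { echo "advanced mode needs AFL_PRELOAD" >&2; return 1; }
      printf 'AFL_PRELOAD=%s %s\n' "$preload" "$base" ;;
    *) return 1 ;;
  esac
}

# Start the daemon in the background and block until the phantom file appears.
# The daemon must stay alive for the whole session, so it is never killed here.
start_daemon() {
  opts=$(stochfuzz_opts "$1") || return 1
  # $opts is intentionally unquoted: empty in basic mode, "-r" in advanced mode.
  "$STOCHFUZZ_DIR/src/stoch-fuzz" $opts -- "$2" &
  i=0
  while [ ! -f "$2.phantom" ]; do
    i=$((i + 1))
    [ "$i" -le "$PHANTOM_WAIT_SECS" ] || { echo "timed out waiting for $2.phantom" >&2; return 1; }
    sleep 1
  done
}

main() {
  mode="$1"; target="$2"
  check_target "$target" || exit 1
  start_daemon "$mode" "$target" || exit 1
  preload=""
  if [ "$mode" = advanced ]; then
    preload=$("$STOCHFUZZ_DIR/scripts/stochfuzz_env.sh") || exit 1
  fi
  echo "starting: $(afl_cmd "$mode" "$target" "$preload")"
  if [ "$mode" = advanced ]; then
    AFL_PRELOAD="$preload" afl-fuzz -i seeds -o output -t 2000 -- "$target.phantom" @@
  else
    afl-fuzz -i seeds -o output -t 2000 -- "$target.phantom" @@
  fi
}

# Usage (run from the target's directory): sh launcher.sh basic example.out
#                                       or: sh launcher.sh advanced example.out
case "${1:-}" in basic|advanced) main "$1" "${2:-}" ;; esac
```

check_target rejects ./example.out and any other path form up front, which is the mistake the comments in the README's commands warn about; the daemon is started with the bare name exactly as the README shows.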

The following demo shows how to apply this advanced strategy.


Troubleshooting

Common issues are covered in trouble.md. If that does not solve your problem, please open a GitHub issue.

We also provide some tips on using StochFuzz, which can be found in tips.md.

Development

We currently have many todo items; they are listed in todo.md.

todo.md also lists a number of pending decisions on which we are still hesitating. If you have any thoughts or suggestions, do not hesitate to let us know; any help improving StochFuzz is much appreciated.

StochFuzz should be considered alpha-quality software and is likely to contain bugs.

I will try my best to maintain StochFuzz in a timely manner, but sometimes it may take me longer to respond. Thanks in advance for your understanding.

Cite

Zhang, Zhuo, et al. "STOCHFUZZ: Sound and Cost-effective Fuzzing of Stripped Binaries by Incremental and Stochastic Rewriting." 2021 IEEE Symposium on Security and Privacy (SP). IEEE, 2021.

References

  • Duck, Gregory J., Xiang Gao, and Abhik Roychoudhury. "Binary rewriting without control flow recovery." Proceedings of the 41st ACM SIGPLAN Conference on Programming Language Design and Implementation. 2020.
  • Meng, Xiaozhu, and Weijie Liu. "Incremental CFG patching for binary rewriting." Proceedings of the 26th ACM International Conference on Architectural Support for Programming Languages and Operating Systems. 2021.
  • Aschermann, Cornelius, et al. "Ijon: Exploring deep state spaces via fuzzing." 2020 IEEE Symposium on Security and Privacy (SP). IEEE, 2020.
  • Google. "google/AFL." GitHub, https://github.com/google/AFL.
Comments
  • Issue in `glib` build

    While trying to build dependencies using build.sh, it turns out the glib build fails. Using the latest commit on master and the OS is Ubuntu 18 LTS.

    opened by Silipwn 4
  • hello, when I ran AFL fuzz a demo program, the stoch-fuzz didn't respond.

    hello, when I ran AFL fuzz a demo program, the stoch-fuzz didn't respond. It keeps stopping at "phantom file is create, please execute afldemo.phantom to communicate with the daemon".

    opened by bufferflyfly 2
  • bug in build.sh

    I tried to install StochFuzz with build.sh, and the clang version in my environment is 10.0.0, but this script failed with the message: "clang-6.0 or a newer version is required". So I checked this script and found that the regular expression you used when matching the clang version output is not correct if the version number is bigger than 9:

    clang --version | head -n 1 | grep -o -E "[[:digit:]].[[:digit:]].[[:digit:]]" | uniq | sort

    Maybe this is better:

    clang --version | head -n 1 | grep -o -E "[0-9]{1,2}.[0-9].[0-9]" | uniq | sort

    opened by Nova-xiao 1
  • undefined reference to `sysconf'

    OS: ubuntu 22. Reproduce:

    ./build.sh
    sudo apt install libunwind-dev libglib-dev
    replace all libasan.so.4 with libasan.so.6 in src/Makefile
    cd src && make release
    

    error:

    clang -Wall -fno-stack-protector -fno-jump-tables -fpie -O3 -D_GNU_SOURCE -DNDEBUG -c loader.c
    clang -nostdlib -o loader.out loader.o -Wl,--entry=_entry
    /usr/bin/ld: loader.o: in function `loader_load':
    loader.c:(.text+0xb6): undefined reference to `sysconf'
    /usr/bin/ld: loader.c:(.text+0xd8): undefined reference to `sysconf'
    /usr/bin/ld: loader.c:(.text+0x11a): undefined reference to `sysconf'
    /usr/bin/ld: loader.c:(.text+0x74e): undefined reference to `sysconf'
    /usr/bin/ld: loader.c:(.text+0x75b): undefined reference to `sysconf'
    clang: error: linker command failed with exit code 1 (use -v to see invocation)
    make: *** [Makefile:97: loader] Error 1
    
    opened by syheliel 1
Owner
Zhuo Zhang