Sloth 🦥 is a coverage guided fuzzing framework for fuzzing Android Native libraries that makes use of libFuzzer and QEMU user-mode emulation

Overview

Sloth 🦥

Sloth is a fuzzing setup that makes use of libFuzzer and QEMU’s user-mode emulation (qemu/linux-user) on x86_64/aarch64 host to emulate aarch64 Android libraries to fuzz the target Android native library.

Introduction

Sloth makes use of libFuzzer and QEMU’s user-mode emulation (qemu/linux-user) on x86_64/aarch64 host to emulate aarch64 Android libraries to fuzz the target Android native library. Internals of why and how about Sloth are available at : https://fuzzing.science/page/fuzzing-android-native-libraries-with-libfuzzer-qemu/

High level execution flow of QEMU user-mode emulation:

QEMU linux-user flow

Build Instructions

To build and launch the docker container:

export image="sloth:v1"
docker build -t $image .
docker run --rm -v `pwd`/resources/rootfs:/rootfs -v `pwd`/resources/examples:/examples -it $image bash

Check resources/examples folder to build an example android native library.

Usage:

You can copy the /system/ from a rooted Android device into resources/rootfs directory.

In the examples folder, check the signature of libQemuFuzzerTestOneInput function in jni/lib/fuzz.cpp file. This function is equivalent to LLVMFuzzerTestOneInput function that we define when creating any libFuzzer harness.

To compile the sample from examples:

cd examples/jni
ndk-build

This builds and generates libBooFuzz.so and an executable boofuzz. Copy libBooFuzz.so to rootfs/system/lib64/ and boofuzz to /rootfs/

[email protected]:/examples/jni# make
[email protected]:/examples/jni# cp ../libs/arm64-v8a/libBooFuzz.so /rootfs/system/lib64/
[email protected]:/examples/jni# cp ../libs/arm64-v8a/boofuzz /rootfs/
[email protected]:/examples/jni# 

Add your target library path that exports libQemuFuzzerTestOneInput (libBooFuzz.so in our example) to SLOTH_TARGET_LIBRARY env variable.

To start fuzzing:

root@45d7511a2802:/sloth/src# SLOTH_TARGET_LIBRARY=/rootfs/system/lib64/libBooFuzz.so ./sloth /rootfs/boofuzz test/
==== SLOTH ====
WARNING: Failed to find function "__sanitizer_acquire_crash_state".
WARNING: Failed to find function "__sanitizer_print_stack_trace".
WARNING: Failed to find function "__sanitizer_set_death_callback".
INFO: Running with entropic power schedule (0xFF, 100).
INFO: Seed: 557648595
INFO: 65536 Extra Counters
INFO:        1 files found in test/
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 4096 bytes
INFO: seed corpus: files: 1 min: 6b max: 6b total: 6b rss: 66Mb
#2	INITED ft: 3 corp: 1/6b exec/s: 0 rss: 66Mb
#10	REDUCE ft: 3 corp: 1/4b lim: 6 exec/s: 0 rss: 66Mb L: 4/4 MS: 3 CopyPart-CopyPart-CrossOver-
#11	REDUCE ft: 3 corp: 1/2b lim: 6 exec/s: 0 rss: 66Mb L: 2/2 MS: 1 EraseBytes-
#12	REDUCE ft: 3 corp: 1/1b lim: 6 exec/s: 0 rss: 66Mb L: 1/1 MS: 1 EraseBytes-
#4655	REDUCE ft: 5 corp: 2/37b lim: 48 exec/s: 0 rss: 66Mb L: 36/36 MS: 3 ShuffleBytes-ChangeBit-InsertRepeatedBytes-
#4676	REDUCE ft: 5 corp: 2/20b lim: 48 exec/s: 0 rss: 66Mb L: 19/19 MS: 1 EraseBytes-
#4694	REDUCE ft: 5 corp: 2/11b lim: 48 exec/s: 0 rss: 66Mb L: 10/10 MS: 3 ChangeBinInt-ChangeBinInt-EraseBytes-
#4710	REDUCE ft: 5 corp: 2/7b lim: 48 exec/s: 0 rss: 66Mb L: 6/6 MS: 1 EraseBytes-
#4736	REDUCE ft: 5 corp: 2/5b lim: 48 exec/s: 0 rss: 66Mb L: 4/4 MS: 1 EraseBytes-
#4830	REDUCE ft: 5 corp: 2/3b lim: 48 exec/s: 0 rss: 66Mb L: 2/2 MS: 4 ChangeByte-CopyPart-ChangeByte-CrossOver-
#4896	REDUCE ft: 5 corp: 2/2b lim: 48 exec/s: 0 rss: 66Mb L: 1/1 MS: 1 EraseBytes-
#36480	REDUCE ft: 7 corp: 3/4b lim: 357 exec/s: 0 rss: 66Mb L: 2/2 MS: 4 ShuffleBytes-CrossOver-ShuffleBytes-ChangeByte-
#89256	NEW    ft: 9 corp: 4/26b lim: 877 exec/s: 0 rss: 66Mb L: 22/22 MS: 1 InsertRepeatedBytes-
#89282	REDUCE ft: 9 corp: 4/21b lim: 877 exec/s: 0 rss: 66Mb L: 17/17 MS: 1 EraseBytes-
#89288	REDUCE ft: 9 corp: 4/16b lim: 877 exec/s: 0 rss: 66Mb L: 12/12 MS: 1 EraseBytes-
#89407	REDUCE ft: 9 corp: 4/14b lim: 877 exec/s: 0 rss: 66Mb L: 10/10 MS: 4 ChangeBinInt-InsertByte-ChangeBinInt-EraseBytes-
#89458	REDUCE ft: 9 corp: 4/13b lim: 877 exec/s: 0 rss: 66Mb L: 9/9 MS: 1 EraseBytes-
#89480	REDUCE ft: 9 corp: 4/11b lim: 877 exec/s: 0 rss: 66Mb L: 7/7 MS: 2 ShuffleBytes-EraseBytes-
#89496	REDUCE ft: 9 corp: 4/10b lim: 877 exec/s: 0 rss: 66Mb L: 6/6 MS: 1 EraseBytes-
#89647	REDUCE ft: 9 corp: 4/8b lim: 877 exec/s: 0 rss: 66Mb L: 4/4 MS: 1 EraseBytes-
#92983	REDUCE ft: 9 corp: 4/7b lim: 904 exec/s: 0 rss: 66Mb L: 3/3 MS: 1 EraseBytes-
#350518	REDUCE ft: 11 corp: 5/77b lim: 3458 exec/s: 350518 rss: 66Mb L: 70/70 MS: 2 ShuffleBytes-InsertRepeatedBytes-
#350594	REDUCE ft: 11 corp: 5/44b lim: 3458 exec/s: 350594 rss: 66Mb L: 37/37 MS: 1 EraseBytes-
#350611	REDUCE ft: 11 corp: 5/28b lim: 3458 exec/s: 350611 rss: 66Mb L: 21/21 MS: 2 ChangeBinInt-EraseBytes-
#350787	REDUCE ft: 11 corp: 5/26b lim: 3458 exec/s: 350787 rss: 66Mb L: 19/19 MS: 1 EraseBytes-
#350994	REDUCE ft: 11 corp: 5/22b lim: 3458 exec/s: 350994 rss: 66Mb L: 15/15 MS: 2 InsertByte-EraseBytes-
#351305	REDUCE ft: 11 corp: 5/21b lim: 3458 exec/s: 351305 rss: 66Mb L: 14/14 MS: 1 EraseBytes-
#351466	REDUCE ft: 11 corp: 5/19b lim: 3458 exec/s: 351466 rss: 66Mb L: 12/12 MS: 1 EraseBytes-
#351487	REDUCE ft: 11 corp: 5/18b lim: 3458 exec/s: 351487 rss: 66Mb L: 11/11 MS: 1 EraseBytes-
#351753	REDUCE ft: 11 corp: 5/16b lim: 3458 exec/s: 351753 rss: 66Mb L: 9/9 MS: 1 EraseBytes-
#351760	REDUCE ft: 11 corp: 5/15b lim: 3458 exec/s: 351760 rss: 66Mb L: 8/8 MS: 2 ChangeBit-EraseBytes-
#351867	REDUCE ft: 11 corp: 5/13b lim: 3458 exec/s: 351867 rss: 66Mb L: 6/6 MS: 2 ChangeBit-EraseBytes-
#352673	REDUCE ft: 11 corp: 5/12b lim: 3458 exec/s: 352673 rss: 66Mb L: 5/5 MS: 1 EraseBytes-
#524288	pulse  ft: 11 corp: 5/12b lim: 4096 exec/s: 262144 rss: 66Mb
#1048576	pulse  ft: 11 corp: 5/12b lim: 4096 exec/s: 209715 rss: 66Mb
==17== ERROR: libFuzzer: deadly signal
NOTE: libFuzzer has rudimentary signal handlers.
      Combine libFuzzer with AddressSanitizer or similar for better crash reports.
SUMMARY: libFuzzer: deadly signal
MS: 2 CMP-InsertRepeatedBytes- DE: "\x18\xd6^\x04U\x00\x00\x00"-; base unit: 4504839cf31d63eae201804d840610ae0ffcecea
0xde,0xad,0xbe,0x6f,0xef,0x18,0xd6,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0xca,0x5e,0x4,0x55,0x0,0x0,0x0,
\xde\xad\xbeo\xef\x18\xd6\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca\xca^\x04U\x00\x00\x00
artifact_prefix='./'; Test unit written to ./crash-7ac2928ac40e554032d95ebc28cdccd7ee133b1a
Base64: 3q2+b+8Y1srKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKysrKyl4EVQAAAA==

root@c4627f563a99:/rootfs/src# ls
Makefile  crash-7ac2928ac40e554032d95ebc28cdccd7ee133b1a  fuzzer  qemu  sloth  sloth.c  test

root@45d7511a2802:/sloth/src# xxd crash-7ac2928ac40e554032d95ebc28cdccd7ee133b1a 
00000000: dead be6f ef18 d6ca caca caca caca caca  ...o............
00000010: caca caca caca caca caca caca caca caca  ................
00000020: caca caca caca caca caca caca caca caca  ................
00000030: caca caca caca caca caca caca caca caca  ................
00000040: caca caca caca caca caca caca caca caca  ................
00000050: caca caca caca caca 5e04 5500 0000       ........^.U...

Happy Fuzzing :)

TODO

  • Fix signal handling in QEMU for libFuzzer to handle
  • Use QEMU as a library
  • Fuzzing support for Android JNI libraries
  • Make sure this is thread safe since I moved some variables to global.
  • Add CMP coverage
  • Add ASAN

Credits

Issues
  • Can sloth support arm32 programs compiled by ndk?

    Can sloth support arm32 programs compiled by ndk?

    Hi,I want to modify your project to test the arm32 program, I copy the /system/ from a rooted Android device into resources/rootfs directory as you mentioned in the usage, but I got the error as blow: libc: error getting old personality value: Operation not permitted.

    I used the unmodified qemu to test and the same error occurred. So the error comes from qemu-arm. I searched for this error and found that the error was in the linker: http://androidxref.com/6.0.0_r1/xref/bionic/libc/bionic/libc_init_common.cpp#__initialize_personality

    personality(0xffffffff); probability means to get the current process execution domain value, it seems that in the qemu-arm it returns -1. So I debug the qemu-arm, the relevant value in qemu is stored in info->personality, but until it runs to cpu_loop, this value is all 0. It may also be that the linker from the mobile phone does not have permission to obtain the value in qemu-arm.

    I am confused why the aarch64 program compiled by ndk can be run directly in qemu-aarch, but the arm program compiled by ndk cannot be run in qemu-arm.

    would you mind to give me some ideals? This problem has bothered me for a long time.

    opened by Po1lux 7
  • Having problem when using ubuntu 20.04 build Sloth

    Having problem when using ubuntu 20.04 build Sloth

    Environment: Virtual Machine: Vmware WorkStation 16 OS: Ubuntu 20.04

    I try to modify the /resources/examples/Skia/Makefile and using the ndk-build. However I got the this exception below.

    image

    opened by william31212 2
Owner
Chaithu
Independent Security Researcher
Chaithu
Coverage-guided grammar aware fuzzer that uses grammar automatons

Gramatron Gramatron is a coverage-guided fuzzer that uses grammar automatons to perform grammar-aware fuzzing. Technical details about our framework a

HexHive 37 May 8, 2022
A repository for experimenting with elf loading and in-place patching of android native libraries on non-android operating systems.

droidports: A repository for experimenting with elf loading and in-place patching of android native libraries on non-android operating systems. Discla

João Henrique 21 Jun 13, 2022
A collection of user-space Linux kernel specific guided fuzzers based on LKL

kBdysch kBdysch is a collection of fast Linux kernel specific fuzzing harnesses supposed to be run in userspace in a guided fuzzing manner. It was des

Anatoly Trosinenko 59 Jun 14, 2022
Cloud Native Data Plane (CNDP) is a collection of user space libraries to accelerate packet processing for cloud applications.

CNDP - Cloud Native Data Plane Overview Cloud Native Data Plane (CNDP) is a collection of userspace libraries for accelerating packet processing for c

Cloud Native Data Plane 19 Jun 28, 2022
A Lilu plugin that makes System Information recognize your Realtek card reader as a native one

Realtek Card Reader Driver Friend Introduction A Lilu plugin that makes System Information recognize your Realtek card reader as a native one. Support

FireWolf 44 Jun 23, 2022
Unicorn is a lightweight, multi-platform, multi-architecture CPU emulator framework, based on QEMU.

Unicorn Engine Unicorn is a lightweight, multi-platform, multi-architecture CPU emulator framework, based on QEMU. Unicorn offers some unparalleled fe

lazymio 1 Nov 7, 2021
A simple library that helps Android developers to execute JavaScript code from Android native side easily without using Webview.

AndroidJSModule A simple library that helps Android developers to execute JavaScript code from Android native side easily without using Webview. Insta

Hung Nguyen 5 May 24, 2022
OffensivePH - use old Process Hacker driver to bypass several user-mode access controls

offensiveph OffensivePH is a post-exploitation tool that utilizes an old Process Hacker driver to bypass several user-mode access controls. Usage Comp

Red Section 257 Jun 23, 2022
Bobby Cooke 266 Jun 20, 2022
Threat Emulation and Red Teaming Framework, The Hacking Software for normal people.

The Remote Hacker Probe is a Threat Emulation and Red Teaming Framework built to be easy to use. The Remote Hacker Probe is Feature Rich! Including, K

QuantumCored 153 Jun 23, 2022
Remote hacker probe - Threat Emulation and Red Teaming Framework, The Hacking Software for normal people.

The Remote Hacker Probe is a Threat Emulation and Red Teaming Framework built to be easy to use. The Remote Hacker Probe is Feature Rich! Including, K

Fahad 153 Jun 23, 2022
Add tensilica esp32 cpu and a board to qemu and dump the rom to learn more about esp-idf

qemu_esp32 Add tensilica esp32 cpu and a board to qemu and dump the rom to learn more about esp-idf ESP32 in QEMU. This documents how to add an esp32

null 333 Jun 22, 2022
QEMU port for t8030

QEMU README QEMU is a generic and open source machine & userspace emulator and virtualizer. QEMU is capable of emulating a complete machine in softwar

null 1.2k Jun 28, 2022
runing qemu in Docker by BOA

myQemu runing qemu in Docker by BOA It currently only supports mipsel configuration, other architectures have not been added yet, please wait for subs

null 21 May 30, 2022
A patched QEMU that exposes an interface for LibAFL-based fuzzers

QEMU LibAFL Bridge This is a patched QEMU that exposes an interface for LibAFL-based fuzzers. This raw interface is used in libafl_qemu that expose a

Advanced Fuzzing League ++ 24 Apr 26, 2022
Example virtual PCI devices for QEMU.

QEMU virtual device playground ?? UNDER CONSTRUCTION ?? Chicken or Egg? Development or Exploit..? Description Here are some example of QEMU virtual PC

smallkirby 2 Apr 5, 2022
A test of judging code using qemu

QEMU Judger Test This project was done abandoned 2 months ago, and I can't remember everything very well, so the steps here may be wrong. Setup First,

null 7 Nov 13, 2021
This is an upgrade to the initial TerminalOS source, supporting real hardware other than just QEMU, using GRUB as a bootloader instead of the crappy one i wrote

Terminal OS Author: Maheswaran Date: 20th Nov 2021 PROGRESS Multiboot compilance achieved VGA driver from complete with print_hex, print_dec, printf f

Maheswaran Parameswaran 1 Nov 28, 2021
POCO C++ Libraries are powerful cross-platform C++ libraries for building network

The POCO C++ Libraries are powerful cross-platform C++ libraries for building network- and internet-based applications that run on desktop, server, mobile, IoT, and embedded systems.

POCO C++ Libraries 6.2k Jul 2, 2022