StateAFL: A Greybox Fuzzer for Stateful Network Servers

Overview

StateAFL: A Coverage-Driven (Greybox) Fuzzer for Stateful Network Protocols

StateAFL is a fuzzer designed for network servers. It extends the original idea of the AFL fuzzer, which automatically evolves fuzz inputs to maximize code coverage. In addition to code coverage, StateAFL seeks to maximize protocol state coverage.

StateAFL automatically infers the current protocol state of the server. At compile-time, it instruments the target server with probes on memory allocations and network I/O operations. At run-time, it takes snapshots of long-lived data within process memory for each protocol iteration (see figure), and it applies fuzzy hashing to map the in-memory state to a unique protocol state.

Figure: The fundamental loop of network servers

Figure: StateAFL blocks

More information about the internals of StateAFL is available in the following research paper.

StateAFL is implemented on top of the codebases of AFL and AFLnet. To fuzz a server, compile it with the afl-clang-fast tool from this project, which runs a compiler pass that instruments the target.
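As an added illustration of the state-inference loop described above (this is not StateAFL's own code): the memory snapshot is a constructed session struct, the fuzzy hash is a simplified piecewise hash standing in for TLSH, and the nearest-neighbour lookup is a linear scan standing in for the MVP tree; the struct layout, the chunk size and the distance threshold are all assumptions.

```python
import hashlib
import struct
from typing import List, Tuple

# Constructed stand-in for a server's long-lived session struct: state code,
# user name, working directory, request counter, bytes served (108 bytes).
SESSION = struct.Struct("<I32s64sII")
CHUNK = 8       # bytes of memory covered by one digest entry (assumption)
THRESHOLD = 3   # max differing chunks for two snapshots to share a state (assumption)

def snapshot(state: int, user: bytes, cwd: bytes, reqs: int, nbytes: int) -> bytes:
    """Serialise the session as the raw bytes a memory snapshot would hold."""
    return SESSION.pack(state, user, cwd, reqs, nbytes)

def fuzzy_hash(mem: bytes) -> List[bytes]:
    """Piecewise hash (stand-in for TLSH): one 2-byte digest per CHUNK-byte slice.
    A local change (a counter) alters one or two entries; login data alters many."""
    mem = mem + b"\0" * (-len(mem) % CHUNK)
    return [hashlib.blake2b(mem[i:i + CHUNK], digest_size=2).digest()
            for i in range(0, len(mem), CHUNK)]

def distance(a: List[bytes], b: List[bytes]) -> int:
    """Number of chunk digests that differ (Hamming distance over entries)."""
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))

class StateMap:
    """Maps snapshots to protocol state ids by nearest-neighbour lookup
    (a linear scan here; StateAFL uses an MVP tree for the same job)."""
    def __init__(self) -> None:
        self.known: List[List[bytes]] = []   # representative hash per state id

    def state_of(self, mem: bytes) -> Tuple[int, bool]:
        h = fuzzy_hash(mem)
        if self.known:
            best = min(range(len(self.known)), key=lambda i: distance(h, self.known[i]))
            if distance(h, self.known[best]) <= THRESHOLD:
                return best, False                 # already-seen state
        self.known.append(h)
        return len(self.known) - 1, True           # new state discovered

def run_session() -> List[Tuple[int, bool]]:
    """Feed a constructed sequence of per-iteration snapshots through the map."""
    trace = [
        snapshot(0, b"", b"", 0, 0),                   # fresh connection
        snapshot(0, b"", b"", 7, 900),                 # still idle, counters moved
        snapshot(1, b"alice", b"/home/alice", 1, 0),   # authenticated session
        snapshot(0, b"", b"", 9, 4096),                # logged out again
    ]
    m = StateMap()
    return [m.state_of(s) for s in trace]   # [(0, True), (0, False), (1, True), (0, False)]
```

The idle snapshots differ only in counters (two chunks) and collapse into one state, while the authenticated snapshot differs in five chunks and opens a new one; lowering THRESHOLD to 1 would instead split every counter change into its own state, which is the state-explosion trade-off the fuzzy distance is there to control.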

Licences

StateAFL is licensed under Apache License, Version 2.0.

StateAFL extends AFLnet, written and maintained by Van-Thuan Pham <[email protected]>, and American Fuzzy Lop written and maintained by Michał Zalewski <[email protected]>. For details about these fuzzers, we refer to README-AFLnet.md and README-AFL.md.

StateAFL uses the Trend Micro Locality Sensitive Hash (TLSH) library and the MVPTree C library for fuzzy hashing and for nearest neighbor search. StateAFL uses the Containers library for map, queue, and set data structures.

  • AFL: Copyright 2013, 2014, 2015, 2016 Google Inc. All rights reserved. Released under terms and conditions of Apache License, Version 2.0.

  • TLSH: Copyright 2013 Trend Micro Incorporated. Released under terms and conditions of Apache License, Version 2.0.

  • MVPTree C library: Copyright 2008-2009 by D. Grant Starkweather. Released under terms and conditions of GNU Public License, Version 3.0.

  • Containers library: Copyright (c) 2017-2020 Bailey Thompson. Released under terms and conditions of MIT License.

ProFuzzBench

If you want to run some experiments quickly, please take a look at ProFuzzBench. ProFuzzBench includes a suite of representative open-source network servers for popular protocols (e.g., TLS, SSH, SMTP, FTP, SIP), and tools to automate experimentation. StateAFL has been integrated into that benchmark.

Installation (Tested on Ubuntu 18.04 & 16.04 64-bit)

Prerequisites

# Install clang (required by afl-clang-fast)
sudo apt-get install clang
# Install graphviz development
sudo apt-get install graphviz-dev

StateAFL

Download StateAFL and compile it. We have tested StateAFL on Ubuntu 18.04 and Ubuntu 16.04 64-bit; it should also work on any environment that supports the vanilla AFL and graphviz.

# First, clone this StateAFL repository to a folder named stateafl
git clone <links to the repository> stateafl
# Then move to the source code folder
cd stateafl
make clean all
cd llvm_mode
# The following make command may not work if llvm-config cannot be found
# To fix this issue, just set the LLVM_CONFIG env. variable to the specific llvm-config version on your machine
# On Ubuntu 18.04, it could be llvm-config-6.0 if you have installed clang using apt-get
make
# Move to StateAFL's parent folder
cd ../..
export STATEAFL=$(pwd)/stateafl

Setup PATH environment variables

export PATH=$STATEAFL:$PATH
export AFL_PATH=$STATEAFL

Usage

StateAFL can be run using the same command line options as AFLNet and AFL. Run afl-fuzz --help to see all options. Please also see README-AFLnet.md for more information.

  • -N netinfo: server information (e.g., tcp://127.0.0.1/8554)

  • -P protocol: application protocol to be tested (e.g., RTSP, FTP, DTLS12, DNS, DICOM, SMTP, SSH, TLS, DAAP-HTTP, SIP)

  • -D usec: (optional) waiting time (in microseconds) for the server to complete its initialization

  • -K : (optional) send SIGTERM signal to gracefully terminate the server after consuming all request messages

  • -E : (optional) enable state aware mode

  • -R : (optional) enable region-level mutation operators

  • -F : (optional) enable false negative reduction mode

  • -c script : (optional) name or full path to a script for server cleanup

  • -q algo: (optional) state selection algorithm (e.g., 1. RANDOM_SELECTION, 2. ROUND_ROBIN, 3. FAVOR)

  • -s algo: (optional) seed selection algorithm (e.g., 1. RANDOM_SELECTION, 2. ROUND_ROBIN, 3. FAVOR)

Example command:

afl-fuzz -d -i in -o out -N <server info> -x <dictionary file> -P <protocol> -D 10000 -q 3 -s 3 -E -K -R <executable binary and its arguments (e.g., port number)>
Comments
  • Program crashes when compiled with stateafl and ASAN

    Thank you, I use stateafl and AddressSanitizer to compile the program. The program crashes, which seems to indicate that something is wrong with the instrumentation of stateafl. The crash information:

    ==3564==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7fbaef977020 at pc 0x000000435ccc bp 0x7fff557baf40 sp 0x7fff557ba700
    WRITE of size 776 at 0x7fbaef977020 thread T0
        #0 0x435ccb in memset /home/brian/src/final/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:783:3
        #1 0x5b4f6c in memset /usr/include/x86_64-linux-gnu/bits/string_fortified.h:71:10
        #2 0x5b4f6c in new_alloc_record /stateafl/llvm_mode/afl-llvm-rt-state-tracer.o.c:579:3
        #3 0x5b4f6c in new_stack_alloc_record /stateafl/llvm_mode/afl-llvm-rt-state-tracer.o.c:662:3
        #4 0x4c802a in main/protocols/mqtt/mosquitto/mosquitto_stateafl/src/mosquitto.c:441:2
        #5 0x7fbaf2beabf6 in __libc_start_main /build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
        #6 0x41f569 in _start (/mosquitto_stateafl/src/mosquitto+0x41f569)

    Address 0x7fbaef977020 is located in stack of thread T0 at offset 32 in frame
        #0 0x4c7f2f in main /mosquitto_stateafl/src/mosquitto.c:440

      This frame has 2 object(s):
        [32, 808) 'config' (line 441) <== Memory access at offset 32 is inside this variable
        [944, 960) 'tv' (line 449)
    HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork (longjmp and C++ exceptions are supported)
    SUMMARY: AddressSanitizer: stack-use-after-scope /home/brian/src/final/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:783:3 in memset
    Shadow bytes around the buggy address:
    ==3564==ABORTING

    opened by AAArdu 4
  • Build llvm_mode failed

    Thank you for your great job! But I have encountered a problem while building this fuzzer.

    I cd into llvm_mode and type make to build llvm_mode, but it fails; the message is:

    /usr/bin/ld: ../afl-llvm-rt.o: in function `Tlsh_new':
    /home/ubuntu/stateafl/llvm_mode/tlsh/src/tlsh-wrapper.cpp:6: undefined reference to `operator new(unsigned long)'
    /usr/bin/ld: /home/ubuntu/stateafl/llvm_mode/tlsh/src/tlsh-wrapper.cpp:6: undefined reference to `operator delete(void*)'
    /usr/bin/ld: ../afl-llvm-rt.o: in function `Tlsh_delete':
    /home/ubuntu/stateafl/llvm_mode/tlsh/src/tlsh-wrapper.cpp:46: undefined reference to `operator delete(void*)'
    /usr/bin/ld: ../afl-llvm-rt.o: in function `Tlsh::Tlsh()':
    /home/ubuntu/stateafl/llvm_mode/tlsh/src/tlsh.cpp:69: undefined reference to `operator new(unsigned long)'
    /usr/bin/ld: /home/ubuntu/stateafl/llvm_mode/tlsh/src/tlsh.cpp:69: undefined reference to `operator delete(void*)'
    /usr/bin/ld: ../afl-llvm-rt.o: in function `Tlsh::Tlsh(Tlsh const&)':
    /home/ubuntu/stateafl/llvm_mode/tlsh/src/tlsh.cpp:74: undefined reference to `operator new(unsigned long)'
    /usr/bin/ld: /home/ubuntu/stateafl/llvm_mode/tlsh/src/tlsh.cpp:74: undefined reference to `operator delete(void*)'
    /usr/bin/ld: ../afl-llvm-rt.o: in function `Tlsh::~Tlsh()':
    /home/ubuntu/stateafl/llvm_mode/tlsh/src/tlsh.cpp:80: undefined reference to `operator delete(void*)'
    /usr/bin/ld: /usr/bin/ld: DWARF error: could not find variable specification at offset 7e2
    /usr/bin/ld: DWARF error: could not find variable specification at offset 7ed
    /usr/bin/ld: DWARF error: could not find variable specification at offset 87a
    ../afl-llvm-rt.o: in function `TlshImpl::~TlshImpl()':
    /home/ubuntu/stateafl/llvm_mode/tlsh/src/tlsh_impl.cpp:88: undefined reference to `operator delete[](void*)'
    /usr/bin/ld: /home/ubuntu/stateafl/llvm_mode/tlsh/src/tlsh_impl.cpp:89: undefined reference to `operator delete[](void*)'
    /usr/bin/ld: ../afl-llvm-rt.o: in function `TlshImpl::reset()':
    /home/ubuntu/stateafl/llvm_mode/tlsh/src/tlsh_impl.cpp:94: undefined reference to `operator delete[](void*)'
    /usr/bin/ld: /home/ubuntu/stateafl/llvm_mode/tlsh/src/tlsh_impl.cpp:96: undefined reference to `operator delete[](void*)'
    /usr/bin/ld: ../afl-llvm-rt.o: in function `TlshImpl::update(unsigned char const*, unsigned int)':
    /home/ubuntu/stateafl/llvm_mode/tlsh/src/tlsh_impl.cpp:176: undefined reference to `operator new[](unsigned long)'
    /usr/bin/ld: ../afl-llvm-rt.o: in function `TlshImpl::final(int)':
    /home/ubuntu/stateafl/llvm_mode/tlsh/src/tlsh_impl.cpp:406: undefined reference to `operator delete[](void*)'
    /usr/bin/ld: /home/ubuntu/stateafl/llvm_mode/tlsh/src/tlsh_impl.cpp:411: undefined reference to `operator delete[](void*)'
    /usr/bin/ld: /home/ubuntu/stateafl/llvm_mode/tlsh/src/tlsh_impl.cpp:420: undefined reference to `operator delete[](void*)'
    /usr/bin/ld: /home/ubuntu/stateafl/llvm_mode/tlsh/src/tlsh_impl.cpp:441: undefined reference to `operator delete[](void*)'
    /usr/bin/ld: /home/ubuntu/stateafl/llvm_mode/tlsh/src/tlsh_impl.cpp:462: undefined reference to `operator delete[](void*)'
    /usr/bin/ld: ../afl-llvm-rt.o: in function `TlshImpl::hash(int) const':
    /home/ubuntu/stateafl/llvm_mode/tlsh/src/tlsh_impl.cpp:557: undefined reference to `operator new[](unsigned long)'
    /usr/bin/ld: ../afl-llvm-rt.o:(.eh_frame+0xf97): undefined reference to `__gxx_personality_v0'
    /usr/bin/ld: ../afl-llvm-rt.o:(.eh_frame+0x112f): undefined reference to `__gxx_personality_v0'
    clang-11: error: linker command failed with exit code 1 (use -v to see invocation)
    make: *** [Makefile:135: test_build] Error 1
    

    My OS is CentOS.

    opened by lcyfrank 3
  • Can't run with HTTP protocol

    I have followed the "Preparing the seed inputs" section with a simple HTTP server that takes a parameter in a GET request and provides the number of bytes of the request. However, when I try to use your script, it tells me "No messages found". I tried exporting a raw request from Wireshark, but the fuzzer still does not accept it.

    opened by marcellomaugeri 7