CollabFuzz: A Framework for Collaborative Fuzzing

Overview

Collaborative Fuzzing

Design

In this cooperative framework, the fuzzers collaborate using a centralized scheduler.

Components

The project consists of three parts: 1) the cooperative framework, 2) a scheduler, and 3) the drivers for the fuzzers. The scheduler selects input seeds and schedules them on different fuzzers, communicating with each fuzzer through its driver. At the same time, the centralized scheduler collects newly generated inputs from the fuzzers and repeats the loop.

Cooperative framework

Communication happens over ZeroMQ. Seeds are sent as a message consisting of the fuzzer type ID and the seed (which contains the seed input and an optional conditional to be solved).

Scheduler

The scheduler component selects seed inputs from the global queue, evaluates them, and schedules them to the fuzzers.

Fuzzer drivers

The fuzzer drivers implement the communication mechanisms with the centralized scheduler. The communication happens over ZeroMQ.
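The scheduling loop described above, as an added example that is not part of the CollabFuzz code base: the ZeroMQ transport is replaced by in-memory queues so the loop can be run offline, and the numeric fuzzer type IDs, the JSON message layout and the rule that seeds carrying a conditional go to the concolic fuzzer are assumptions for this example, not the project's wire format or scheduling policy.

```python
import json
from collections import deque
from dataclasses import dataclass
from typing import Optional

FUZZER_TYPES = {"afl": 0, "qsym": 1, "fairfuzz": 2, "aflfast": 3}  # assumed IDs
CONCOLIC = {"qsym"}  # assumed: the fuzzer that solves an attached conditional


@dataclass(frozen=True)
class Seed:
    data: bytes
    conditional: Optional[str] = None  # optional condition to be solved


def encode_message(fuzzer_type: int, seed: Seed) -> bytes:
    """Scheduler -> driver message: fuzzer type ID plus the seed (assumed JSON layout)."""
    body = {"fuzzer_type": fuzzer_type, "input": seed.data.hex(),
            "conditional": seed.conditional}
    return json.dumps(body).encode()


def decode_message(raw: bytes):  # driver side: returns (fuzzer type ID, Seed)
    obj = json.loads(raw)
    return obj["fuzzer_type"], Seed(bytes.fromhex(obj["input"]), obj.get("conditional"))


class Scheduler:
    """Global queue plus one outbox per fuzzer, standing in for the ZeroMQ sockets."""
    def __init__(self, fuzzers):
        self.fuzzers = list(fuzzers)
        self.outbox = {name: deque() for name in self.fuzzers}
        self.global_queue = deque()
        self.seen = set()  # raw bytes of every input ever collected
        self._rr = 0  # round-robin cursor for plain seeds

    def collect(self, new_inputs) -> int:
        """Driver -> scheduler: take newly generated inputs, dropping duplicates."""
        added = 0
        for seed in new_inputs:
            if seed.data not in self.seen:
                self.seen.add(seed.data)
                self.global_queue.append(seed)
                added += 1
        return added

    def _pick_fuzzer(self, seed: Seed) -> str:
        if seed.conditional is not None:  # conditionals go to a concolic fuzzer if present
            for name in self.fuzzers:
                if name in CONCOLIC:
                    return name
        mutational = [n for n in self.fuzzers if n not in CONCOLIC] or self.fuzzers
        name = mutational[self._rr % len(mutational)]
        self._rr += 1
        return name

    def schedule_round(self) -> int:
        """Drain the global queue, sending one encoded message per seed."""
        sent = 0
        while self.global_queue:
            seed = self.global_queue.popleft()
            name = self._pick_fuzzer(seed)
            self.outbox[name].append(encode_message(FUZZER_TYPES[name], seed))
            sent += 1
        return sent
```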

Docker setup

The easiest way to set up the framework is with Docker.

The setup consists of the following components:

  • fuzzer-framework
  • fuzzer-{afl,qsy,aflfast,fairfuzz..}-{target}
  • fuzzer-generic-driver

How to run:

  1. Set up a virtualenv
    • virtualenv --python=python3 venv
    • source venv/bin/activate
  2. Build the Docker images (and install dependencies):
    • make all
  3. Install the collab_fuzz_xxx tools
    • cd runners && python setup.py install
  4. Test run (runs 1 afl instance and the collab framework):
    • mkdir myrun && cd myrun && collab_fuzz_compose -f afl --scheduler=enfuzz -- objdump && docker-compose up
    • To run with more fuzzers (2 afl + qsym + fairfuzz + aflfast): collab_fuzz_runner -f afl afl qsym fairfuzz aflfast --scheduler=enfuzz -- who

Alternatively, to avoid the long build times, you can fetch the Docker images from a remote repository. For example, collab_fuzz_build --remote sarek.osterlund.xyz --pull-reqs pulls all images.

Extra info

The afl__generic_driver runs in a container (fuzzer-generic-driver). This container needs to be privileged and to mount /var/run/docker.sock, so that it can control the container of the fuzzer it syncs with.

Docker settings

The logs generated by the containers might eat up a lot of space on your machine. To avoid this, edit your daemon.json (typically /etc/docker/daemon.json) to contain something like:

{
    "log-level":        "error",
    "storage-driver":   "overlay2",
    "log-opts": {
        "max-size": "512m"
    }
}

Binutils Quickstart guide

At the moment the LAVA-M and GFT builds are broken. Binutils should still work, though.

Set up a virtualenv

  • virtualenv --python=python3 venv
  • source venv/bin/activate

Build the framework (currently only the binutils build works; the other builds are broken):

make framework-binutils

Build fuzzer base images:

Remember the AFL/QSYM prerequisites (needed on every reboot):

echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope
cd /sys/devices/system/cpu
echo performance | sudo tee cpu*/cpufreq/scaling_governor

Then build the docker images (we only build AFL for now):

cd docker && make fuzzer-afl

Build helper tools

make tools

You might need to install the collab_fuzz_runner tools in the following way:

cd runner && make collab_fuzz_runner

Build the actual targets (for now only binutils builds):

collab_fuzz_build -f afl -t objdump

Or to build all of binutils for all fuzzers: collab_fuzz_build -s binutils

Test it all (run objdump with afl)

mkdir tmp_run && cd tmp_run && collab_fuzz_compose -f afl -- objdump

And then try to start the campaign:

docker-compose up --abort-on-container-exit

To clean up the campaign after exiting (i.e., delete the volumes): docker-compose down -v
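A host preflight check covering both the Docker log cap from the Docker settings section and the ptrace_scope/scaling_governor prerequisites from this quickstart, which are reset on every reboot. This is an added example, not a CollabFuzz tool; the function names are hypothetical, and make_fixture writes constructed stand-ins for the real /proc, /sys and /etc files so the check can be exercised offline.

```python
import glob
import json
import os
import tempfile

PTRACE = "/proc/sys/kernel/yama/ptrace_scope"
GOVERNORS = "/sys/devices/system/cpu/cpu*/cpufreq/scaling_governor"
DAEMON_JSON = "/etc/docker/daemon.json"


def check_ptrace_scope(path=PTRACE):
    """AFL/QSYM need ptrace_scope 0; a missing file means Yama is absent, which is fine."""
    try:
        with open(path) as f:
            value = f.read().strip()
    except FileNotFoundError:
        return []
    return [] if value == "0" else [f"{path} is {value}, expected 0"]


def check_governors(pattern=GOVERNORS):
    problems = []
    for path in sorted(glob.glob(pattern)):
        with open(path) as f:
            gov = f.read().strip()
        if gov != "performance":  # the README wants the performance governor on every CPU
            problems.append(f"{path} is {gov}, expected performance")
    return problems


def check_daemon_json(path=DAEMON_JSON):
    """Container logs must be capped, or a long campaign fills the disk."""
    try:
        with open(path) as f:
            cfg = json.load(f)
    except FileNotFoundError:
        return [f"{path} missing: container logs are unbounded"]
    except json.JSONDecodeError as exc:
        return [f"{path} is not valid JSON: {exc}"]
    if "max-size" not in cfg.get("log-opts", {}):
        return [f"{path}: log-opts.max-size not set, container logs are unbounded"]
    return []


def preflight(ptrace=PTRACE, governors=GOVERNORS, daemon_json=DAEMON_JSON):
    """Return all problems found; an empty list means the host is ready for a campaign."""
    return (check_ptrace_scope(ptrace) + check_governors(governors)
            + check_daemon_json(daemon_json))


def make_fixture(ptrace_value, governor_values, daemon_cfg):
    """Constructed stand-ins for the real /proc, /sys and /etc files, for offline runs."""
    root = tempfile.mkdtemp()
    ptrace = os.path.join(root, "ptrace_scope")
    with open(ptrace, "w") as f:
        f.write(ptrace_value + "\n")
    for i, gov in enumerate(governor_values):
        cpu_dir = os.path.join(root, f"cpu{i}", "cpufreq")
        os.makedirs(cpu_dir)
        with open(os.path.join(cpu_dir, "scaling_governor"), "w") as f:
            f.write(gov + "\n")
    daemon = os.path.join(root, "daemon.json")
    with open(daemon, "w") as f:
        json.dump(daemon_cfg, f)
    return ptrace, os.path.join(root, "cpu*", "cpufreq", "scaling_governor"), daemon
```

Call preflight() with no arguments on the real host before docker-compose up; an empty list means all three settings are in place.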

Cite

CollabFuzz was presented at EuroSec 2021. CollabFuzz: A Framework for Collaborative Fuzzing.

Video: available on YouTube

Bibtex:

@inproceedings{eurosec_collabfuzz_2021,
	title = {{CollabFuzz}: {A} {Framework} for {Collaborative} {Fuzzing}},
	booktitle = {{EuroSec}},
	author = {Österlund, Sebastian and Geretto, Elia and Jemmett, Andrea and Güler, Emre and Görz, Philipp and Holz, Thorsten and Giuffrida, Cristiano and Bos, Herbert},
	month = apr,
	year = {2021},
}

Related work

If you are interested in collaborative fuzzing, also check out our work on how to select the right set of fuzzers to use in a collaborative setting: Cupid: Automatic Fuzzer Selection for Collaborative Fuzzing. Code: https://github.com/RUB-SysSec/cupid

Issues
  • Build framework-binutils failing

    Following directions in https://github.com/vusec/collabfuzz#binutils-quickstart-guide to give collabFuzz a try.

    Used a plain vagrant init ubuntu/focal64 vbox VM.

    • In the VM, sudo apt update && sudo apt install -y python-virtualenv golang make docker.io
    • Added vagrant user to docker group
    • Modified /etc/docker/daemon.json to add the buildkit feature to see if it would make a difference. No difference.
    • Rebooted the VM and re-logged in with vagrant ssh

    make framework-binutils seems to always fail for me.

    (venv) [email protected]:/vagrant$ git log --oneline | head -n1
    8ccab61 Add CUPID link in README.md
    
    (venv) [email protected]:/vagrant$ make framework-binutils
    DOCKER_BUILDKIT=1 docker build --target=framework-binutils --tag=fuzzer-framework-binutils .
    [+] Building 54.3s (8/45)                                                                            
     => [internal] load build definition from Dockerfile                                            0.0s
     => => transferring dockerfile: 38B                                                             0.0s
     => [internal] load .dockerignore                                                               0.0s
     => => transferring context: 34B                                                                0.0s
     => [internal] load metadata for docker.io/library/golang:1.14                                  0.3s
     => [internal] load metadata for docker.io/library/fedora:31                                    0.3s
     => [internal] load build context                                                               0.5s
     => => transferring context: 321.97kB                                                           0.5s
     => [gllvm 1/2] FROM docker.io/library/golang:[email protected]:1a7173b5b9a3af3e29a5837e0b2027e1c438  0.0s
     => CACHED [base 1/1] FROM docker.io/library/fedora:[email protected]:444773966064dcc3c268d8b496e76dbb  0.0s
     => CACHED [gllvm 2/2] RUN go get github.com/SRI-CSL/gllvm/cmd/...                              0.0s
     => [runtime  1/10] RUN dnf install -y --refresh zeromq                                        53.9s
     => => # Fedora Modular 31 - x86_64                      3.9 MB/s | 5.2 MB     00:01                
     => => # Fedora Modular 31 - x86_64 - Updates            3.5 MB/s | 4.5 MB     00:01                
     => => # Fedora 31 - x86_64 - Updates                    5.3 MB/s |  27 MB     00:05                
     => => # Fedora 31 - x86_64                              5.2 MB/s |  71 MB     00:13                
     => [base-builder 1/4] RUN dnf install -y --refresh         cmake         clang         file   53.9s
     => => # Fedora Modular 31 - x86_64                      4.1 MB/s | 5.2 MB     00:01                
     => => # Fedora Modular 31 - x86_64 - Updates            4.8 MB/s | 4.5 MB     00:00                
     => => # Fedora 31 - x86_64 - Updates                    5.8 MB/s |  27 MB     00:04                
     => => # Fedora 31 - x86_64                              5.7 MB/s |  71 MB     00:12                
    Killed
    make: *** [Makefile:13: framework-binutils] Error 137
    

    What am I doing incorrectly?

    opened by irwincong 3
  • docker pull images failed.

    (venv) [email protected]:/workspace/collabfuzz$ collab_fuzz_build --remote sarek.osterlund.xyz --pull-reqs
    INFO:runner.build:Pulling remote image sarek.osterlund.xyz/fuzzer-framework-google:latest
    Traceback (most recent call last):
      File "/workspace/collabfuzz/venv/lib/python3.8/site-packages/docker-5.0.3-py3.8.egg/docker/api/client.py", line 268, in _raise_for_status
        response.raise_for_status()
      File "/workspace/collabfuzz/venv/lib/python3.8/site-packages/requests-2.27.1-py3.8.egg/requests/models.py", line 960, in raise_for_status
        raise HTTPError(http_error_msg, response=self)
    requests.exceptions.HTTPError: 500 Server Error: Internal Server Error for url: http+docker://localhost/v1.41/images/create?tag=latest&fromImage=sarek.osterlund.xyz%2Ffuzzer-framework-google

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
      File "/workspace/collabfuzz/venv/bin/collab_fuzz_build", line 11, in
        load_entry_point('collab-fuzz-runner==0.2', 'console_scripts', 'collab_fuzz_build')()
      File "/workspace/collabfuzz/venv/lib/python3.8/site-packages/collab_fuzz_runner-0.2-py3.8.egg/runner/build.py", line 286, in main
      File "/workspace/collabfuzz/venv/lib/python3.8/site-packages/collab_fuzz_runner-0.2-py3.8.egg/runner/build.py", line 112, in pull_reqs
      File "/workspace/collabfuzz/venv/lib/python3.8/site-packages/collab_fuzz_runner-0.2-py3.8.egg/runner/build.py", line 97, in pull_image
      File "/workspace/collabfuzz/venv/lib/python3.8/site-packages/docker-5.0.3-py3.8.egg/docker/models/images.py", line 444, in pull
        pull_log = self.client.api.pull(
      File "/workspace/collabfuzz/venv/lib/python3.8/site-packages/docker-5.0.3-py3.8.egg/docker/api/image.py", line 428, in pull
        self._raise_for_status(response)
      File "/workspace/collabfuzz/venv/lib/python3.8/site-packages/docker-5.0.3-py3.8.egg/docker/api/client.py", line 270, in _raise_for_status
        raise create_api_error_from_http_exception(e)
      File "/workspace/collabfuzz/venv/lib/python3.8/site-packages/docker-5.0.3-py3.8.egg/docker/errors.py", line 31, in create_api_error_from_http_exception
        raise cls(e, response=response, explanation=explanation)
    docker.errors.APIError: 500 Server Error for http+docker://localhost/v1.41/images/create?tag=latest&fromImage=sarek.osterlund.xyz%2Ffuzzer-framework-google: Internal Server Error ("Head "https://sarek.osterlund.xyz/v2/fuzzer-framework-google/manifests/latest": no basic auth credentials")

    opened by gtt1995 0
  • make tools failed.

    Collecting watchdog==0.10.2
      Downloading watchdog-0.10.2.tar.gz (95 kB)
         ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 95.5/95.5 KB 196.2 kB/s eta 0:00:00
      Preparing metadata (setup.py): started
      Preparing metadata (setup.py): finished with status 'done'
    Collecting websocket-client==0.57.0
      Downloading websocket_client-0.57.0-py2.py3-none-any.whl (200 kB)
         ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 200.9/200.9 KB 126.9 kB/s eta 0:00:00
    Requirement already satisfied: setuptools in /usr/local/lib/python3.10/site-packages (from protobuf==3.11.3->-r requirements.txt (line 14)) (58.1.0)
    Building wheels for collected packages: pathtools, pyzmq, watchdog
      Building wheel for pathtools (setup.py): started
      Building wheel for pathtools (setup.py): finished with status 'done'
      Created wheel for pathtools: filename=pathtools-0.1.2-py3-none-any.whl size=8806 sha256=958678dcd513c4004a38adea70593ea6e9271eed6d735c9265bbe2e02070fb9b
      Stored in directory: /root/.cache/pip/wheels/e7/f3/22/152153d6eb222ee7a56ff8617d80ee5207207a8c00a7aab794
      Building wheel for pyzmq (setup.py): started
      Building wheel for pyzmq (setup.py): still running...
      Building wheel for pyzmq (setup.py): finished with status 'error'
      error: subprocess-exited-with-error

      × python setup.py bdist_wheel did not run successfully.
      │ exit code: 1
      ╰─> [883 lines of output]

    opened by double-blind-paper-data 1
  • Build failing

    Follow your instructions to try collabFuzz, but I ran into this error.

    DOCKER_BUILDKIT=1 docker build --target=framework-binutils --tag=fuzzer-framework-binutils .
    [+] Building 214.4s (39/42)                                                     
     => [internal] load .dockerignore                                          0.0s
     => => transferring context: 34B                                           0.0s
     => [internal] load build definition from Dockerfile                       0.0s
     => => transferring dockerfile: 38B                                        0.0s
     => [internal] load metadata for docker.io/library/golang:1.14             3.1s
     => [internal] load metadata for docker.io/library/fedora:31               3.1s
     => CACHED [internal] helper image for file operations                     0.0s
     => [internal] load build context                                          0.2s
     => => transferring context: 321.97kB                                      0.1s
     => [base 1/1] FROM docker.io/library/fedora:[email protected]:444773966064dcc3c2  0.0s
     => [gllvm 1/2] FROM docker.io/library/golang:[email protected]:1a7173b5b9a3af3  0.0s
     => CACHED [gllvm 2/2] RUN go get github.com/SRI-CSL/gllvm/cmd/...         0.0s
     => CACHED [base-builder 1/3] RUN dnf install -y --refresh         cmake   0.0s
     => CACHED [base-builder 2/3] RUN useradd -ms /bin/bash coll && chown -R   0.0s
     => CACHED [base-builder 3/3] RUN llvm-config --version > /work/llvm-vers  0.0s
     => CACHED [framework 1/3] RUN dnf install -y --refresh         cargo      0.0s
     => CACHED [framework 2/3] COPY --chown=coll:coll framework /work/collab-  0.0s
     => CANCELED [framework 3/3] RUN cargo install --root ~/.local --locked  211.0s
     => CACHED [llvm-passes 1/4] RUN dnf install -y --refresh         boost    0.0s
     => CACHED [llvm-passes 2/4] RUN curl --proto '=https' --tlsv1.2 -sSf --o  0.0s
     => CACHED [llvm-passes 3/4] COPY llvm-passes llvm-passes/                 0.0s
     => CACHED [llvm-passes 4/4] RUN rm -f CMakeCache.txt &&     rustup overr  0.0s
     => CACHED [runtime 1/9] RUN dnf install -y --refresh zeromq               0.0s
     => CACHED [runtime 2/9] RUN mkdir /work                                   0.0s
     => CACHED [runtime 3/9] COPY --from=llvm-passes /work/llvm-passes/build/  0.0s
     => CACHED [runtime 4/9] RUN /work/AnalysisPasses-0.1.1-Linux.sh --skip-l  0.0s
     => CACHED [runtime 5/9] RUN useradd -ms /bin/bash coll                    0.0s
     => CACHED [runtime 6/9] RUN mkdir /in                                     0.0s
     => CACHED [runtime 7/9] RUN mkdir /data && chown -R coll:coll /data       0.0s
     => CACHED [runtime 8/9] COPY docker/server/entry.sh /entry.sh             0.0s
     => CACHED [runtime 9/9] RUN mkdir analysis_binaries                       0.0s
     => CACHED [binutils-bc 1/5] COPY --from=gllvm /go/bin/gclang /usr/bin/gc  0.0s
     => CACHED [binutils-bc 2/5] COPY --from=gllvm /go/bin/get-bc /usr/bin/ge  0.0s
     => CACHED [binutils-bc 3/5] RUN dnf install -y --refresh texinfo          0.0s
     => CACHED [binutils-bc 4/5] COPY misc/binutils/build_binutils_bc.sh buil  0.0s
     => CACHED [binutils-bc 5/5] RUN ./build_binutils_bc.sh                    0.0s
     => CACHED [binutils 1/6] COPY --from=llvm-passes /work/llvm-passes/build  0.0s
     => CACHED [binutils 2/6] RUN dnf install -y --refresh         boost-stat  0.0s
     => CACHED [binutils 3/6] RUN /work/AnalysisPasses-0.1.1-Linux.sh --skip-  0.0s
     => CACHED [binutils 4/6] COPY --from=binutils-bc --chown=coll:coll /work  0.0s
     => CACHED [binutils 5/6] COPY misc/binutils/build_binutils_ab.sh build_b  0.0s
     => ERROR [binutils 6/6] RUN ./build_binutils_ab.sh                      210.6s
    ------
     > [binutils 6/6] RUN ./build_binutils_ab.sh:
    #36 88.91 /usr/bin/ld: /usr/lib64/libInstCountWrapperRT.so: undefined reference to `fmaf'
    #36 88.91 /usr/bin/ld: /usr/lib64/libInstCountWrapperRT.so: undefined reference to `fma'
    #36 88.95 clang-9: error: linker command failed with exit code 1 (use -v to see invocation)
    #36 210.4 Completed artifact: addr2line.analysis_binaries/addr2line-static-metrics
    #36 210.4 Completed artifact: addr2line.analysis_binaries/addr2line-bb-reach
    #36 210.4 Command was: clang -Xclang -load -Xclang /usr/lib64/LLVMIDAssigner.so -Xclang -load -Xclang /usr/lib64/LLVMInstCountWrapper.so -Xclang -load -Xclang /usr/lib64/LLVMInstructionCounter.so addr2line.bc -Wl,--whole-archive /usr/lib64/libInstCountWrapperRT.so -Wl,--no-whole-archive /usr/lib/linux/libclang_rt.icount-x86_64.a -ldl -lpthread -lrt -o addr2line.analysis_binaries/addr2line_instr_counter -mllvm -icount-abilist -mllvm /usr/share/icount_wrapper_abilist.txt -pie -fPIC -mllvm -ignore-default-blacklist -mllvm -icount-abilist -mllvm /usr/share/icount_abilist.txt -ldl
    ------
    executor failed running [/bin/sh -c ./build_binutils_ab.sh]: exit code: 1
    Makefile:13: recipe for target 'framework-binutils' failed
    make: *** [framework-binutils] Error 1
    
    

    Have you encountered a similar problem? Could you please give me some suggestions?

    opened by diewufeihong 3
Owner: VUSec