honggfuzz vulnerability mining technology principle analysis - vulnerability warning - the black bar safety net

2019-07-17 00:00:00
Anonymous (佚名)
www.myhack58.com
MYHACK58:62201995093

Google's AFL (WinAFL), libFuzzer and honggfuzz are the three best-known coverage-guided fuzzers. There are many articles online analysing AFL (WinAFL), but few analysing the other two. Brother Spring has already written about honggfuzz in his series "honggfuzz vulnerability mining technology in depth". This article is my own study notes and can serve as a small supplement to his articles. Readers are advised to read his series first; this article does not repeat its content.
Compared with other fuzzers, honggfuzz has the following features:

  1. Includes sample fuzzing setups for several real programs (Apache/OpenSSL, etc.)
  2. Supports persistent fuzzing mode, i.e. a long-lived process repeatedly calls the API under test
  3. Supports almost all major operating systems: Linux/FreeBSD/NetBSD/MacOS/Windows (CygWin)/Android, etc.
  4. Supports both software-based and hardware-based feedback-driven fuzzing (branch counting, instruction counting, Intel BTS (Branch Trace Store), Intel PT (Processor Tracing))
    ![](/Article/UploadPic/2019-7/2019717203734231.png)
  5. Uses low-level interfaces to monitor the target process (ptrace on Linux and NetBSD), so compared with other fuzzers it is more likely to find and report crashes caused by hijacked/ignored signals (which the fuzzed program may intercept and hide)

Overall structure
First let us look at the overall code directory.
android & mac & linux & netbsd & posix & arch.h: support for the different operating systems, with the header declarations unified in arch.h. The code analysis that follows takes Linux as the example. The directory contains these files:
arch.c: implementation of the functions declared in arch.h
bfd.c: symbol resolution, disassembly and related functions built on bfd (Binary File Descriptor)
perf.c/pt.c: use of Intel PT through perf, for hardware-based feedback-driven fuzzing
trace.c: analysis and recording when a child process is suspended/terminated
unwind.c: stack backtrace based on libunwind
docs: documentation
examples: examples of using honggfuzz to fuzz programs
hfuzz_cc & libhfuzz: hfuzz_cc compiles the source code of the program to be fuzzed and links in the libhfuzz.a library. The libhfuzz directory contains these files:
instrument.c: implements the various callback functions required by SanitizerCoverage
linux.c: wraps nsEnter/nsIfaceUp/nsMountTmpfs and other functions from libhfcommon/ns.c
memorycmp.c: wrappers for the comparison functions used by libc/Apache/SSL/libXML/Samba and other programs. Each wrapper adds a call to instrumentUpdateCmpMap, whose two parameters are the return address of the comparison and the position of the first unequal character. The further back the first unequal character is, the closer the two values are to being equal, and the more likely the input is to reach a new path.
![](/Article/UploadPic/2019-7/2019717203734298.png)
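To make the memorycmp.c idea concrete, here is an added example (not honggfuzz's own code) of a memcmp wrapper that records, per call site, the longest matching prefix seen so far; the table size, the hash of the return address and the helper names are assumptions chosen for the example.

```c
/* Added example in the style of libhfuzz/memorycmp.c: wrap memcmp(), compute
 * the position of the first unequal byte and feed it to a per-call-site map.
 * A longer matching prefix counts as progress toward a new path. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CMP_MAP_SIZE 1024U                 /* assumed size of the call-site table */
static uint8_t cmp_map[CMP_MAP_SIZE];      /* best prefix length per call site */

/* Index of the first differing byte, or n if the first n bytes are equal. */
static size_t first_mismatch(const uint8_t *a, const uint8_t *b, size_t n) {
    size_t i = 0;
    while (i < n && a[i] == b[i]) i++;
    return i;
}

/* Analogue of instrumentUpdateCmpMap(): key the table by the return address of
 * the comparison and keep only the maximum prefix length seen there.
 * Returns 1 when this call improved the recorded value ("got closer"), else 0. */
static int update_cmp_map(uintptr_t ret_addr, size_t prefix_len) {
    size_t slot = (ret_addr >> 4) % CMP_MAP_SIZE;   /* crude hash of the PC (assumed) */
    uint8_t v = prefix_len > 255 ? 255 : (uint8_t)prefix_len;
    if (v > cmp_map[slot]) { cmp_map[slot] = v; return 1; }
    return 0;
}

/* Wrapper the fuzzed program would call instead of memcmp(); the real result
 * is preserved so the program's behaviour does not change. */
int hf_memcmp(const void *s1, const void *s2, size_t n) {
    size_t pos = first_mismatch(s1, s2, n);
    update_cmp_map((uintptr_t)__builtin_return_address(0), pos);
    return memcmp(s1, s2, n);
}

/* Helper with an explicit "call site" so the feedback can be observed: compares
 * guess against secret, stores the mismatch position in *pos and returns
 * whether the cmp map entry for this site improved. */
int feedback_for(const char *guess, const char *secret, uintptr_t site, size_t *pos) {
    size_t n = strlen(guess) < strlen(secret) ? strlen(guess) : strlen(secret);
    *pos = first_mismatch((const uint8_t *)guess, (const uint8_t *)secret, n);
    return update_cmp_map(site, *pos);
}
```

Inputs whose prefix matches one byte further than any earlier input at the same site are the ones the fuzzer would keep, which is exactly what lets it walk through a magic-value comparison byte by byte.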
fetch.c/persistent.c: the code here is mainly used for persistent fuzzing mode. There are two ways to use this mode:
One is to place the API to be fuzzed inside LLVMFuzzerTestOneInput, compile with the command hfuzz_cc/hfuzz_clang test.c -o test, and run the fuzzer with honggfuzz -P -- ./test
![](/Article/UploadPic/2019-7/2019717203734212.png)
The second is to call HF_ITER to obtain the input before calling the API to be fuzzed, compile with the command hfuzz_cc/hfuzz_clang test.c -o test ~/honggfuzz/libhfuzz/libhfuzz.a, and run the fuzzer with honggfuzz -P -- ./test
![](/Article/UploadPic/2019-7/2019717203734146.png)
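The two persistent-mode harness shapes described above, as an added example that is not from the article or from honggfuzz; the parse_tlv target and its record format are hypothetical, and the USE_HF_ITER guard is an assumption so the file also builds without libhfuzz.

```c
/* Added example: a persistent-mode harness for a hypothetical TLV parser in
 * the two shapes the article describes. Build with hfuzz_cc/hfuzz_clang and run
 * under honggfuzz -P; the parser itself is constructed for this example. */
#include <stddef.h>
#include <stdint.h>

/* Hypothetical target: the buffer holds records of the form tag(1) len(1) value.
 * Returns the number of records parsed, or -1 if a record is truncated. */
int parse_tlv(const uint8_t *data, size_t len) {
    size_t off = 0;
    int count = 0;
    while (off < len) {
        if (len - off < 2) return -1;            /* header does not fit */
        size_t vlen = data[off + 1];
        if (vlen > len - off - 2) return -1;     /* value would run past the end */
        off += 2 + vlen;
        count++;
    }
    return count;
}

/* Shape 1: libFuzzer-style entry point. In persistent mode libhfuzz supplies
 * main() and calls this function once per iteration with the mutated input. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t len) {
    (void)parse_tlv(data, len);
    return 0;                                    /* return value is ignored */
}

/* Shape 2: explicit HF_ITER loop, compiled only when USE_HF_ITER is defined
 * and libhfuzz.a is linked in (hfuzz_cc ... -o test ~/honggfuzz/libhfuzz/libhfuzz.a).
 * HF_ITER blocks until the fuzzer hands over the next input. */
#ifdef USE_HF_ITER
extern void HF_ITER(const uint8_t **buf, size_t *len);   /* declared by libhfuzz */
int main(void) {
    for (;;) {
        const uint8_t *buf;
        size_t len;
        HF_ITER(&buf, &len);                     /* fetch the next mutated input */
        (void)parse_tlv(buf, len);
    }
}
#endif
```

Only one of the two shapes should be present in a real harness, since libhfuzz provides its own main() for the LLVMFuzzerTestOneInput form.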
libhfcommon: some common operations
libhfnetdriver: library for fuzzing socket-based programs
(The code in libhfcommon and libhfnetdriver is not very important, so it will not be explained in detail)
third_party: third-party files
tools: creates a blacklist to prevent repeatedly fuzzing files that trigger the same vulnerability
display.c: shows statistics
honggfuzz.c & cmdline.c & fuzz.c: honggfuzz.c is the program entry; it calls the functions in cmdline.c to process the command-line parameters and the functions in fuzz.c to start fuzzing
input.c: processes input files
mangle.c: implements the various mutation strategies
report.c: generates reports
sanitizers.c: sets the ASAN and other sanitizer flags
socketfuzzer.c & socketfuzzer: socketfuzzer.c is used to fuzz network servers; the socketfuzzer folder shows an example using vulnserver_cov.c, which contains a vulnerability
subproc.c: child-process handling
First, an example of using honggfuzz, taking fuzzing mpv-player as the example. After downloading the source code, we first modify the wscript to add some compile options.
![](/Article/UploadPic/2019-7/2019717203734652.png)
If we go straight to compiling now, the link step will fail, because we have not yet provided the instrumentation callback functions.
![](/Article/UploadPic/2019-7/2019717203734350.png)
Then download and compile honggfuzz, and link in the libraries containing the callback functions that were built in the libhfuzz directory; the command should look like the following.
cc -rdynamic -Wl,-z,noexecstack -pthread -rdynamic -Wl,--version-script -Wl,mpv.def … (the .o files compiled earlier go in the middle) -u HonggfuzzNetDriver_main -u LIBHFUZZ_module_instrument -u LIBHFUZZ_module_memorycmp /home/hjy/Desktop/honggfuzz/libhfnetdriver/libhfnetdriver.a /home/hjy/Desktop/honggfuzz/libhfuzz/libhfuzz.a /home/hjy/Desktop/honggfuzz/libhfuzz/libhfuzz.a /home/hjy/Desktop/honggfuzz/libhfcommon/libhfcommon.a … (the rest of the command is omitted)
After the link succeeds, we confirm the result.
![](/Article/UploadPic/2019-7/2019717203734957.png)
