1. Installing libFuzzer (machine: kali2)
- First install the clang compiler. The following script from the workshop repository can be used: https://github.com/Dor1s/libfuzzer-workshop/blob/master/checkout_build_install_llvm.sh

```bash
#!/bin/bash -eux
# Copyright 2016 Google Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
################################################################################
sudo apt-get update
sudo apt-get upgrade -y
sudo apt-get autoremove -y
sudo apt-get install -y libc6-dev binutils libgcc-5-dev
LLVM_DEP_PACKAGES="build-essential make cmake ninja-build git python2.7"
sudo apt-get install -y $LLVM_DEP_PACKAGES
WORK_DIR=$PWD
mkdir -p $WORK_DIR/src
# Checkout
# Note: the llvm.org/git mirrors below were retired when LLVM moved to the
# github.com/llvm/llvm-project monorepo; the script is kept as the workshop published it.
cd $WORK_DIR/src && git clone --depth 1 http://llvm.org/git/llvm.git
cd $WORK_DIR/src/llvm/tools && git clone --depth 1 http://llvm.org/git/clang.git
cd $WORK_DIR/src/llvm/projects && git clone --depth 1 http://llvm.org/git/compiler-rt.git
cd $WORK_DIR/src/llvm/projects && git clone --depth 1 http://llvm.org/git/libcxx.git
cd $WORK_DIR/src/llvm/projects && git clone --depth 1 http://llvm.org/git/libcxxabi.git
# Build & Install
mkdir -p $WORK_DIR/work/llvm
cd $WORK_DIR/work/llvm
# Consider adding of -DCMAKE_INSTALL_PREFIX=%PATH% flag, if you do not want to
# install fresh llvm binaries into standard system paths.
cmake -G "Ninja" \
-DLIBCXX_ENABLE_SHARED=OFF -DLIBCXX_ENABLE_STATIC_ABI_LIBRARY=ON \
-DCMAKE_BUILD_TYPE=Release -DLLVM_TARGETS_TO_BUILD="X86" \
$WORK_DIR/src/llvm
ninja -j$(nproc)
sudo ninja install
rm -rf $WORK_DIR/work/llvm
```
- Installing the other dependency packages and building libFuzzer.a from the workshop checkout

```bash
$ sudo apt-get install -y make autoconf automake libtool pkg-config zlib1g-dev
$ git clone https://github.com/Dor1s/libfuzzer-workshop.git
$ cd libfuzzer-workshop/libFuzzer
$ Fuzzer/build.sh
```
2. Using libFuzzer
- The libFuzzer interface is a single entry point that the fuzzing engine calls once per generated input:

```c
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
```
- Example: VulnerableFunction1 (from the workshop's vulnerable_functions.h)

```cpp
bool VulnerableFunction1(const uint8_t* data, size_t size) {
  bool result = false;
  // Intentional bug: the guard only requires 3 bytes, but data[3] is read below,
  // so a 3-byte input "FUZ" triggers a one-byte out-of-bounds read.
  if (size >= 3) {
    result = data[0] == 'F' &&
             data[1] == 'U' &&
             data[2] == 'Z' &&
             data[3] == 'Z';
  }
  return result;
}
```
- first_fuzzer.cc: the fuzz target that hands each input to VulnerableFunction1

```cpp
// Copyright 2016 Google Inc. All Rights Reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
#include <stdint.h>
#include <stddef.h>
#include "vulnerable_functions.h"

// Called by libFuzzer for every input; must return 0 and must not exit or abort
// on unexpected data, so that only real memory errors (caught by ASan) stop the run.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  VulnerableFunction1(data, size);
  return 0;
}
```
- Compile and run. ASan (`-fsanitize=address`) reports the out-of-bounds read, and `-fsanitize-coverage=trace-pc-guard` gives libFuzzer the edge coverage it uses to guide input generation:

```bash
clang++ -g -std=c++11 -fsanitize=address -fsanitize-coverage=trace-pc-guard \
first_fuzzer.cc ~/libFuzzer/libFuzzer.a \
-o first_fuzzer
```

[Screenshot, 2018-09-13 11:36 AM: output of the compile-and-run step]
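The following is an added example and is not code from the libfuzzer-workshop repository or the original post. It places the workshop's VulnerableFunction1 next to a bounds-correct rewrite (FixedFunction1, a hypothetical name), wires the fuzz target to the fixed version, and adds a small replay driver (ReplayFile, also assumed) so that saved inputs can be re-run through the target when the file is built without libFuzzer.a:

```cpp
// Added example, not from the libfuzzer-workshop repository: the workshop's
// VulnerableFunction1 beside a bounds-correct rewrite, the fuzz target, and a
// replay driver used when the file is built without libFuzzer.a.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Same logic as the workshop function. The guard admits size == 3, but the
// comparison then touches data[3]: a one-byte out-of-bounds read that
// AddressSanitizer reports as soon as the fuzzer produces the input "FUZ".
bool VulnerableFunction1(const uint8_t* data, size_t size) {
  bool result = false;
  if (size >= 3) {
    result = data[0] == 'F' && data[1] == 'U' && data[2] == 'Z' && data[3] == 'Z';
  }
  return result;
}

// Corrected guard (hypothetical name): the bound must cover the highest index
// read, so four bytes are required before data[3] is inspected. This also
// handles size == 0, which libFuzzer does pass to the target.
bool FixedFunction1(const uint8_t* data, size_t size) {
  if (size < 4) return false;
  return data[0] == 'F' && data[1] == 'U' && data[2] == 'Z' && data[3] == 'Z';
}

// The libFuzzer entry point. It is invoked once per generated input, must
// accept any byte sequence, and returns 0; swap in VulnerableFunction1 to
// reproduce the ASan report the post's first_fuzzer produces.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  FixedFunction1(data, size);
  return 0;
}

// Assumed helper, not part of libFuzzer: feeds one file through the target and
// returns the number of bytes replayed, or -1 if the file cannot be opened.
long ReplayFile(const char* path) {
  FILE* f = std::fopen(path, "rb");
  if (!f) return -1;
  std::vector<uint8_t> buf;
  int c;
  while ((c = std::fgetc(f)) != EOF) buf.push_back(static_cast<uint8_t>(c));
  std::fclose(f);
  LLVMFuzzerTestOneInput(buf.data(), buf.size());
  return static_cast<long>(buf.size());
}

// Only used when compiled without libFuzzer.a (libFuzzer supplies its own
// main); re-runs saved inputs such as crash-<sha1> artefacts under ASan.
int main(int argc, char** argv) {
  for (int i = 1; i < argc; ++i) {
    long n = ReplayFile(argv[i]);
    if (n < 0) std::perror(argv[i]);
    else std::printf("%s: %ld bytes replayed\n", argv[i], n);
  }
  return 0;
}
```

Built with the same clang++ line as first_fuzzer (and libFuzzer.a), the binary fuzzes as usual; a libFuzzer binary given file paths instead of a corpus directory runs each file once, which is how a saved crash artefact is re-checked after the guard is fixed. Built without libFuzzer.a, the main above does the same replay with no fuzzing engine attached.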
3. References
1. http://pwn4.fun/2017/07/15/libFuzzer%E4%BD%BF%E7%94%A8%E8%AF%B4%E6%98%8E/
2. http://llvm.org/docs/LibFuzzer.html#dictionaries