
sgfuzz's Issues

SGFuzz on mbedtls

I'm trying to apply SGFuzz to other targets like mbedtls.

The main commands are as follows:

sed -i "s/ main/ HonggfuzzNetDriver_main/g" '/SGFuzz-evaluation/SGFuzz/mbedtls/programs/ssl/ssl_server2.c'

make CC=clang-10 CXX=clang++-10 CFLAGS="-fsanitize=fuzzer-no-link -fsanitize=address" -lsFuzzer -lhfnetdriver -lhfcommon

But during the link stage, an error occurs:

CC ssl/ssl_server2.c
/usr/bin/../lib/gcc/x86_64-linux-gnu/7.5.0/../../../x86_64-linux-gnu/crt1.o: In function ‘_start’:
(.text+0x20): undefined reference to ‘main’
clang: error: linker command failed with exit code 1 (use -v to see invocation)
Makefile:359: recipe for target 'ssl/ssl_server2' failed
make[1]: *** [ssl/ssl_server2] Error 1
Makefile:15: recipe for target 'programs' failed
make: *** [programs] Error 2

trouble when testing live555

Hi,
I am interested in this work, and I have tried to use it to fuzz live555, but I met some trouble.

First, I changed the main function of testOnDemandRTSP.cpp like this:

sed -i "s/ main/  HonggfuzzNetDriver_main/g" testProgs/testOnDemandRTSPServer.cpp

as you can see:
[screenshot]

Then I built the project with -fsanitize=fuzzer-no-link -fsanitize=address.

Finally, the compilation fails at the final link stage. I added "-lsFuzzer -lhfnetdriver -lhfcommon" like the openssl example in your project, but it still fails, like this:
[screenshot]

I have already changed main to HonggfuzzNetDriver_main, so I'm really confused.

Can you help me or provide your operation process?

meet something wrong

➜ openssl git:(c74188e86c) ✗ clang++-10 -fsanitize=fuzzer-no-link -fsanitize=address -lsFuzzer -lhfnetdriver -lhfcommon
-pthread -m64 -Wa,--noexecstack -Qunused-arguments -Wall -O3 -L.
-o apps/openssl
apps/lib/openssl-bin-cmp_mock_srv.o
apps/openssl-bin-asn1parse.o apps/openssl-bin-ca.o
apps/openssl-bin-ciphers.o apps/openssl-bin-cmp.o
apps/openssl-bin-cms.o apps/openssl-bin-crl.o
apps/openssl-bin-crl2pkcs7.o apps/openssl-bin-dgst.o
apps/openssl-bin-dhparam.o apps/openssl-bin-dsa.o
apps/openssl-bin-dsaparam.o apps/openssl-bin-ec.o
apps/openssl-bin-ecparam.o apps/openssl-bin-enc.o
apps/openssl-bin-engine.o apps/openssl-bin-errstr.o
apps/openssl-bin-fipsinstall.o apps/openssl-bin-gendsa.o
apps/openssl-bin-genpkey.o apps/openssl-bin-genrsa.o
apps/openssl-bin-info.o apps/openssl-bin-kdf.o
apps/openssl-bin-list.o apps/openssl-bin-mac.o
apps/openssl-bin-nseq.o apps/openssl-bin-ocsp.o
apps/openssl-bin-openssl.o apps/openssl-bin-passwd.o
apps/openssl-bin-pkcs12.o apps/openssl-bin-pkcs7.o
apps/openssl-bin-pkcs8.o apps/openssl-bin-pkey.o
apps/openssl-bin-pkeyparam.o apps/openssl-bin-pkeyutl.o
apps/openssl-bin-prime.o apps/openssl-bin-progs.o
apps/openssl-bin-rand.o apps/openssl-bin-rehash.o
apps/openssl-bin-req.o apps/openssl-bin-rsa.o
apps/openssl-bin-rsautl.o apps/openssl-bin-s_client.o
apps/openssl-bin-s_server.o apps/openssl-bin-s_time.o
apps/openssl-bin-sess_id.o apps/openssl-bin-smime.o
apps/openssl-bin-speed.o apps/openssl-bin-spkac.o
apps/openssl-bin-srp.o apps/openssl-bin-storeutl.o
apps/openssl-bin-ts.o apps/openssl-bin-verify.o
apps/openssl-bin-version.o apps/openssl-bin-x509.o
apps/libapps.a -lssl -lcrypto -ldl -pthread
/usr/bin/ld: cannot find -lsFuzzer
clang: error: linker command failed with exit code 1 (use -v to see invocation)

It says it cannot find -lsFuzzer. How can I overcome this?
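The three build failures above (undefined reference to `main` for mbedtls and live555, and `cannot find -lsFuzzer` for OpenSSL) are both things that can be checked before the link step. The script below is an added example, not code from SGFuzz or from the issue authors. It assumes the target defines `main()` in ordinary C/C++ syntax and that the libraries behind the `-lsFuzzer -lhfnetdriver -lhfcommon` flags are installed as `libsFuzzer.a`, `libhfnetdriver.a` and `libhfcommon.a` (or `.so`) in a directory you name; the function names and the sample files are constructed for the demo.

```sh
#!/bin/sh
# Added example (not part of SGFuzz or the issues above): pre-link sanity
# checks for a HonggfuzzNetDriver-style fuzzing target.

# main_renamed FILE: exit 0 when FILE defines HonggfuzzNetDriver_main(...)
# and no longer defines a plain main(...).
# A `sed "s/ main/ HonggfuzzNetDriver_main/g"` only matches "main" preceded
# by exactly one space, so "int\nmain(" or "int  main(" are left untouched,
# the driver library's own main() is never reached, and the link fails with
# "undefined reference to 'main'". Note: a "main(" inside a comment also
# trips the second check; inspect such files by hand.
main_renamed() {
    file=$1
    grep -Eq '(^|[^A-Za-z0-9_])HonggfuzzNetDriver_main[[:space:]]*\(' "$file" || return 1
    ! grep -Eq '(^|[^A-Za-z0-9_])main[[:space:]]*\(' "$file"
}

# libs_found DIR LIB...: exit 0 when every libLIB.a or libLIB.so exists in DIR.
# "/usr/bin/ld: cannot find -lsFuzzer" means no such file is on the linker's
# search path: either install the library there or pass -L<DIR>.
libs_found() {
    dir=$1
    shift
    rc=0
    for lib in "$@"; do
        if [ -e "$dir/lib$lib.a" ] || [ -e "$dir/lib$lib.so" ]; then
            :
        else
            echo "missing: lib$lib (.a/.so) in $dir" >&2
            rc=1
        fi
    done
    return $rc
}

# Self-contained demo on constructed files (no real project is touched).
demo() {
    tmp=$(mktemp -d) || return 1
    # Source where the one-space sed pattern would NOT have matched:
    printf 'int\nmain(int argc, char **argv) { return 0; }\n' > "$tmp/unpatched.c"
    # Source that was renamed correctly:
    printf 'int HonggfuzzNetDriver_main(int argc, char **argv) { return 0; }\n' > "$tmp/patched.c"
    # Only two of the three libraries are present:
    : > "$tmp/libsFuzzer.a"
    : > "$tmp/libhfnetdriver.a"

    for f in unpatched.c patched.c; do
        if main_renamed "$tmp/$f"; then
            echo "$f: main renamed, safe to link"
        else
            echo "$f: plain main() still present (or rename missing)"
        fi
    done
    libs_found "$tmp" sFuzzer hfnetdriver hfcommon || echo "fix: pass -L<dir> or install the missing library"
    rm -rf "$tmp"
}

demo
```

Run it on your own tree as `main_renamed path/to/ssl_server2.c` and `libs_found /path/to/libs sFuzzer hfnetdriver hfcommon` before invoking `make`; a non-zero exit pinpoints which of the two link errors you are about to hit.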

Some interesting fact

I'm working on the effect of the corpus on fuzzers' code and state coverage, and I performed experiments on SGFUZZ fuzzing live555 and openssl.
Each protocol implementation is provided with 2 types of corpus:

  1. Origin corpus: corpus from profuzzbench
  2. Scattered corpus: corpus from profuzzbench, but divided so that each seed holds a single message, split by protocol message type.

I counted state coverage by the number of SGFUZZ's STT leaf nodes over time, and code coverage by SGFUZZ's TPC coverage.

[Screenshot 2023-12-03 161700 (openssl)]

[Screenshot 2023-12-03 160819 (live555; the fuzzer stopped at the inflection point of the line due to memory exhaustion)]

It seems strange that the scattered corpus found more states than the origin one. I don't understand the reason.

Could you give me some explanation of this phenomenon? Is it OK to calculate code coverage by TPC coverage and state coverage by the number of STT leaves? (In your paper, you said you calculate state coverage by the paths in the STTs, and I think the paths in the STTs should equal the number of leaves of the multi-forked trees.)

DTLS in OpenSSL

I've studied this project on OpenSSL. It's cool that it can cover so many states. But I found that it cannot fuzz DTLS over OpenSSL. Is there a way to achieve that?

Capturing requests and responses

I'm trying to capture the requests and responses from the fuzzing target while I am running SGFuzz. I tried using Wireshark but it seems like I was wrong. How can I do this?

Problem while fuzzing DCMTK

Hi,
I appreciate your work, and I have tried to reproduce the result of fuzzing DCMTK, but I met some trouble while running your fuzzer:

Why does it exit normally without continuing fuzzing?

After successfully building the fuzzer, I tried to run it with the following command:

 ./dcmqrscp -close_fd_mask=3 -detect_leaks=0 -ignore_ooms=1 -ignore_timeouts=1  ../../../in-dicom-origin/ -- --single-process

It exited normally with output like this, but without continuing to fuzz:

INFO: Seed: 1601392419
INFO: Loaded 1 modules   (59454 inline 8-bit counters): 59454 [0xdf7c40, 0xe0647e), 
INFO: Loaded 1 PC tables (59454 PCs): 59454 [0xe06480,0xeee860), 
INFO:       11 files found in ../../../in-dicom-origin/
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 17755 bytes
INFO: seed corpus: files: 11 min: 301b max: 17755b total: 86977b rss: 44Mb
#12     INITED cov: 875 ft: 1238 corp: 10/84Kb exec/s: 0 rss: 49Mb states: 242 leaves: 9
#13     NEW    cov: 875 ft: 1243 corp: 11/101Kb lim: 17755 exec/s: 0 rss: 50Mb states: 242 leaves: 9 L: 17755/17755 MS: 1 CMP- DE: "\xfe\xff\xff\xff"-
(exited normally)

So I attached gdb and set a breakpoint at HonggfuzzNetDriver_main. The fuzzer continued running and produced the following threads:

(gdb) info threads 
  Id   Target Id         Frame 
* 1    Thread 0x7f9530707800 (LWP 200361) "dcmqrscp" fuzzer::FuzzerDriver (argc=<optimized out>, argv=<optimized out>, Callback=<optimized out>) at ./FuzzerDriver.cpp:823
  2    Thread 0x7f952b8ff700 (LWP 201238) "dcmqrscp" 0x00007f952ef2484d in poll () at ../sysdeps/unix/syscall-template.S:84
  3    Thread 0x7f95293c4700 (LWP 203222) "dcmqrscp" 0x00007f952eef538d in nanosleep () at ../sysdeps/unix/syscall-template.S:84

When stopped at /sfuzzer-evaluate/FuzzerDriver.cpp

906       F->Loop(CorporaFiles);

it output:

INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 17755 bytes
INFO: seed corpus: files: 11 min: 301b max: 17755b total: 86977b rss: 55Mb
#2      pulse  ft: 760 exec/s: 0 rss: 55Mb states: 70 leaves: 3
#4      pulse  cov: 784 ft: 885 corp: 2/602b exec/s: 0 rss: 55Mb states: 120 leaves: 5
#8      pulse  cov: 846 ft: 1064 corp: 5/12059b exec/s: 0 rss: 55Mb states: 179 leaves: 7
#12     INITED cov: 875 ft: 1232 corp: 9/74Kb exec/s: 0 rss: 55Mb states: 242 leaves: 9

and gdb reported that the threads exited:

[Thread 0x7f95293c4700 (LWP 203222) exited]  // syscall-template.S:84
[Thread 0x7f9530707800 (LWP 200361) exited]  // FuzzerDriver.cpp:823

and then [Inferior 1 (process 200361) exited normally].

I added a breakpoint at F->Loop(CorporaFiles); and stepped into it; at ReadAndExecuteSeedCorpora(CorporaFiles); (./FuzzerLoop.cpp:905) it output:

INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 17755 bytes
INFO: seed corpus: files: 17 min: 301b max: 17755b total: 151635b rss: 44Mb
#2      pulse  ft: 736 exec/s: 0 rss: 45Mb states: 70 leaves: 3
#4      pulse  cov: 784 ft: 839 corp: 2/602b exec/s: 0 rss: 46Mb states: 112 leaves: 5
#8      pulse  cov: 865 ft: 990 corp: 5/1807b exec/s: 0 rss: 46Mb states: 127 leaves: 6
#16     pulse  cov: 926 ft: 1356 corp: 11/84Kb exec/s: 0 rss: 50Mb states: 249 leaves: 10
#18     INITED cov: 926 ft: 1365 corp: 13/119Kb exec/s: 0 rss: 51Mb states: 249 leaves: 10
(I gave 4 initial seeds)

and it exited at Min(MaxMutationLen, Max(size_t(4), Corpus.MaxInputSize())); (line 912). Stepping in, at

(FuzzerCorpus.h: 191~196)
  size_t MaxInputSize() const {
    size_t Res = 0;
    for (auto II : Inputs)
        Res = std::max(Res, II->U.size());
    return Res;
  }

current backtrace:

#0  0x00000000009d881b in fuzzer::InputCorpus::MaxInputSize (this=<optimized out>)
#1  fuzzer::Fuzzer::Loop (this=<optimized out>, CorporaFiles=...) at ./FuzzerLoop.cpp:912
#2  0x00000000009c4ed4 in fuzzer::FuzzerDriver (argc=<optimized out>, argv=<optimized out>, Callback=<optimized out>)
    at ./FuzzerDriver.cpp:906
#3  0x00000000009bf7f3 in main (argc=1699954145, argv=<error reading variable: Cannot access memory at address 0x0>)
    at ./FuzzerMain.cpp:20

Setting a breakpoint at ./FuzzerCorpus.h:194 and continuing, it hit this breakpoint a few times and exited normally:

Thread 1 "dcmqrscp" hit Breakpoint 5, fuzzer::InputCorpus::MaxInputSize (this=<optimized out>) at ./FuzzerCorpus.h:194
194             Res = std::max(Res, II->U.size());
(gdb) 
Continuing.

Thread 1 "dcmqrscp" hit Breakpoint 5, fuzzer::InputCorpus::MaxInputSize (this=<optimized out>) at ./FuzzerCorpus.h:194
194             Res = std::max(Res, II->U.size());
(gdb) 
Continuing.
[Thread 0x7f2f602c4700 (LWP 231525) exited]
[Thread 0x7f2f627ff700 (LWP 231524) exited]
[Inferior 1 (process 231464) exited normally]

And when I only added a breakpoint at NewCov = RunOne(CurrentUnitData, Size, /*MayDeleteFile=*/true, &II, (./FuzzerLoop.cpp:770),

gdb sometimes caught the following error:

Thread 2 "dcmqrscp" received signal SIGPIPE, Broken pipe.
[Switching to Thread 0x7f32a49ff700 (LWP 243876)]
0x00007f32a8fc44bd in write () at ../sysdeps/unix/syscall-template.S:84
84      ../sysdeps/unix/syscall-template.S: No such file or directory.

The breakpoint was hit a few times and the fuzzer exited again.

So why does the fuzzer exit normally without continuing fuzzing?

How does sgfuzz handle inputs?

And one more question: does sgfuzz send all the requests in a seed over one connection without receiving any response messages?

testing OpenSSL old ver.

Hi, I've been interested in this work. To extend it, I tried to use it to fuzz older versions of OpenSSL, like openssl 1.1.0 and 1.0.1.

But I found that the coverage begins at 20+ and after one day of fuzzing it only reached 40+, while the coverage when fuzzing 3.0.0 and 1.1.1 begins at 4000+.

I tried modifying the compilation options and other approaches, but I couldn't fix this. So I'm writing this issue to see if you've encountered this kind of problem and know what's wrong.
