AFLIoT Setup

Instrumentation

We tested the instrumentation phase on Windows 10 Pro 64-bit, version 1909.

Instrumentation requires IDA Pro 7.0; please install it first.

You can set up the instrumentation environment with the following commands:

git clone https://github.com/SocietyMaster/AFLIoT.git AFLIoT
cd AFLIoT
git clone https://github.com/SocietyMaster/ELFPatcher.git ELFPatcher
git clone https://github.com/SocietyMaster/keystone.git keystone
cd keystone/binding/python
python setup.py install

Please make sure:

  1. The variable ELFPATCHER_PATH in line 324 of the file cov-instrument/afl-instrument.py is the path of the ELFPatcher repository you just cloned.
    def do_instrument(...): # line 417
        ELFPATCHER_PATH = os.path.abspath(os.path.join("..", "ELFPatcher"))
        sys.path.append(ELFPATCHER_PATH)
  2. Keystone is installed into the Python environment used by IDA.
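A pre-flight check for the two items above, plus the per-binary config file that afl-instrument.py loads in setup() (see the traceback in the issue further down). This is an added example, not part of AFLIoT; the config naming `<ELF basename>.config` inside cov-instrument/ is inferred from that traceback, and ELFPatcher is only checked to be an existing directory.

```python
"""Pre-flight checks before running afl-instrument.py (added example, not AFLIoT code).

Run it with the same interpreter IDA uses, so the keystone import check is meaningful.
"""
import json
import os


def expected_config_path(elfpath, cov_instrument_dir):
    """Path where afl-instrument.py expects the basic-block config.

    Assumption (from the issue traceback): <basename of -f target>.config
    inside the cov-instrument directory. Backslashes are normalised so a
    Windows-style -f path is handled on any host.
    """
    base = os.path.basename(elfpath.replace("\\", "/"))
    return os.path.join(cov_instrument_dir, base + ".config")


def keystone_available():
    """True if the keystone Python binding imports in this interpreter."""
    try:
        import keystone  # noqa: F401
        return True
    except ImportError:
        return False


def preflight(elfpath, idapath, elfpatcher_dir, cov_instrument_dir, check_keystone=True):
    """Return a list of problems; an empty list means the setup looks ready."""
    problems = []
    if not os.path.isfile(elfpath):
        problems.append("target ELF not found: %s" % elfpath)
    if not os.path.isfile(idapath):
        problems.append("IDA executable not found (check -i): %s" % idapath)
    if not os.path.isdir(elfpatcher_dir):
        problems.append("ELFPATCHER_PATH is not a directory: %s" % elfpatcher_dir)
    cfg = expected_config_path(elfpath, cov_instrument_dir)
    if not os.path.isfile(cfg):
        problems.append("basic-block config missing: %s" % cfg)
    else:
        try:
            with open(cfg) as fh:
                json.load(fh)  # setup() does json.loads(open(...).read())
        except ValueError as exc:
            problems.append("config is not valid JSON (%s): %s" % (exc, cfg))
    if check_keystone and not keystone_available():
        problems.append("keystone Python binding is not importable from this interpreter")
    return problems
```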

Then you can instrument the binary with the following command:

Usage: afl-instrument.py -f elfpath [-o output] [-i idapath] [-d mode] [-s] [-p pass] [-h]

-f      target elf file path
-o      patched output file path, default is elfpath-patch
-i      ida pro executable path, default is hardcoded
-d      target is daemon, using 'desock' or 'client' mode
-s      single thread mode without TLS
-h      show this

For an ordinary binary program, specify the path to IDA with -i. We only tested IDA Pro 7.0.

For example:

python afl-instrument.py -f elfpath -o elfpath-patch -i c:/ida/ida.exe

For a daemon program, AFLIoT uses desock hooking to forward the inputs. Add -d desock to instrument the daemon binary.

python afl-instrument.py -f elfpath -o elfpath-desock -d desock -i c:/ida/ida.exe

Fuzzing

We use American Fuzzy Lop (AFL) directly to fuzz the binary instrumented in the previous step. The AFL version we tested is 2.52b.

A copy of AFL 2.52b is provided in this repository (in orginal-source/). You can also download it from the official website.

Compile AFL with the following commands:

    export CC=arm-linux-gcc
    export AFL_NO_X86=1
    make

Then copy the compiled AFL binaries to the target device.

Then write the fuzzing script based on the following template:

# libraries path
export LD_LIBRARY_PATH=path_to_libraries

# timeout for the patched binary; the fuzz instance exits when it expires
export AFL_DAEMON_TIMEOUT=1000000

# client mode: timeout for forwarding inputs to the daemon
export AFL_FORWARD_TIMEOUT=1000

# enable debug output for desock mode
# export DESOCK_DEBUG=1

# desock mode: which port to capture
export DESOCK_PORT=784

# skip AFL's check for the AFL_SHM_ENV string; the string lives in libaflinit.so, not in the target
export AFL_SKIP_BIN_CHECK=1

# core scheduling (may be required to fuzz the binary on some systems)
# export AFL_NO_AFFINITY=1

# afl setup
echo core >/proc/sys/kernel/core_pattern
./afl-fuzz $@

Place the script in the same directory as the AFL binaries.

Then you can fuzz an ordinary binary with a command like the following:

./runafl -i input -o output [-d] -- ./targets/target-patch program_parameters (use `@@` where the input file path should go)

To fuzz a daemon program, make sure the daemon is already running in the background.

# configure the DESOCK target port
export DESOCK_PORT=784
# fuzz
./runafl -i input -o output [-d] -- ./targets/target-desock program_parameters

afliot's Issues

What is bb_index_path?

What does bb_index_path denote in the code? The program is expecting an input for the path.
What files should be included in the path?

An error occurred in the Instrumentation Phase

Here is the command and result:

The command is:
python afl-instrument.py -f D:\IOT_file\datset\20140617\x64\VirusShare_f99c1d6cd8874aabedd0129cf592f5ed -o D:\design_experiment\output -i D:\design_experiment\IDA_Pro_v7.0_Portable\ida64.exe

And this is the output:
Traceback (most recent call last):
File "afl-instrument.py", line 701, in
main()
File "afl-instrument.py", line 696, in main
parameters = setup()
File "afl-instrument.py", line 680, in setup
bbs = json.loads(open(jsonconfig, 'r').read())
IOError: [Errno 2] No such file or directory: 'D:\design_experiment\AFLIoT\cov-instrument\VirusShare_f99c1d6cd8874aabedd0129cf592f5ed.config'

How to solve the problem? And where is the config file?
