vusec/libaflgo
GitHub: vusec/libaflgo
LibAFLGo is a research framework built on LibAFL and LLVM/SVF for evaluating and advancing directed greybox fuzzing techniques.
Stars: 23 | Forks: 2
# LibAFLGo
_LibAFLGo: Evaluating and Advancing Directed Greybox Fuzzing_
(paper).
LibAFLGo extends [LibAFL](https://github.com/AFLplusplus/LibAFL) with support for directed fuzzing. It
re-implements three directed fuzzing strategies in a modular way: AFLGo, Hawkeye and DAFL. The
LLVM-based compiler passes are integrated with [SVF](https://github.com/SVF-tools/SVF), which provides
a large number of analyses out of the box.
The research artifacts are spread across three repositories:
- this repository contains the directed fuzzing extensions for LibAFL and the re-implemented fuzzers
- [MAGMA-directed](https://github.com/vusec/magma-directed) extends MAGMA for directed fuzzing
- [LibAFL-directed](https://github.com/vusec/LibAFL-directed) contains small patches to LibAFL
Our goal is to upstream LibAFLGo into LibAFL.
## Project structure
```
.
├── fuzzers <- contains re-implemented fuzzers
│ ├── aflgo
│ ├── dafl
│ └── hawkeye
├── include <- header files for LLVM passes
│ ├── AFLGoCompiler <- compile-time plugin
│ │ └── TargetInjection.hpp <- instruments target locations
│ ├── AFLGoLinker <- link-time plugin
│ │ ├── DAFL.hpp <- DAFL instrumentation
│ │ ├── DistanceInstrumentation.hpp <- AFLGo distance instrumentation
│ │ ├── DuplicateTargetRemoval.hpp <- supporting target instrumentation
│ │ ├── FunctionDistanceInstrumentation.hpp <- Hawkeye distance instrumentation
│ │ └── TargetInjectionFixup.hpp <- supporting target instrumentation
│ └── Analysis <- analyses used by plugins
│ ├── BasicBlockDistance.hpp <- AFLGo basic block distance analysis
│ ├── DAFL.hpp <- DAFL data-flow distance
│ ├── ExtendedCallGraph.hpp <- enhance CFG with PTA
│ ├── FunctionDistance.hpp <- Hawkeye function distance analysis
│ └── TargetDetection.hpp <- supporting target instrumentation
├── libaflgo <- LibAFL fuzzer components
├── libaflgo_targets <- LibAFL target instrumentation components
├── passes <- implementation of LLVM passes
├── test <- tests for LLVM passes
├── wrapper <- compiler wrapper libaflgo_cc
├── Cargo.lock
├── Cargo.toml
├── CMakeLists.txt <- cmake build entrypoint
├── README.md
├── rust-toolchain.toml
├── SVF-1282.patch <- patch SVF for ASan compatibility
```
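To make concrete what the `BasicBlockDistance` and `FunctionDistance` analyses listed above compute, here is an added, self-contained illustration of the AFLGo distance metric over a constructed call graph and CFG. It is not LibAFLGo's own code (which works on LLVM IR with SVF's call graph); the graphs, function names and the constant `C` are assumptions for the example.

```python
from collections import deque

# Constructed toy call graph (function -> callees) and two target functions.
# Added illustration of the AFLGo metric, not LibAFLGo's analysis.
CALL_GRAPH = {
    "main": {"parse", "report"},
    "parse": {"read_header", "read_body"},
    "read_header": set(),
    "read_body": {"decode"},
    "decode": set(),
    "report": set(),
}
TARGET_FUNCS = {"decode", "read_header"}
C = 10  # AFLGo's constant scaling function distance into block distance

def hops(graph, src):
    """BFS: shortest hop count from src to every reachable node."""
    dist, queue = {src: 0}, deque([src])
    while queue:
        n = queue.popleft()
        for m in graph.get(n, ()):
            if m not in dist:
                dist[m] = dist[n] + 1
                queue.append(m)
    return dist

def function_distance(graph, func, targets):
    """Harmonic mean of call-graph distances to the reachable targets;
    None when no target is reachable (AFLGo leaves it undefined)."""
    d = hops(graph, func)
    reach = [d[t] for t in targets if t in d]
    if not reach:
        return None
    return 0.0 if 0 in reach else 1.0 / sum(1.0 / x for x in reach)

# Constructed CFG of main (block -> successors) and the calls each block makes.
CFG = {"entry": {"ok", "err"}, "ok": {"call_parse"}, "err": {"call_report"},
       "call_parse": {"exit"}, "call_report": {"exit"}, "exit": set()}
CALLS = {"call_parse": {"parse"}, "call_report": {"report"}}

def block_distance(cfg, calls, block, target_blocks=frozenset()):
    """Block distance inside one function: 0 for a target block, C * min
    function distance for a block calling towards a target, otherwise the
    harmonic mean over reachable such blocks of (hops + their distance)."""
    def direct(b):
        if b in target_blocks:
            return 0.0
        fd = [function_distance(CALL_GRAPH, f, TARGET_FUNCS) for f in calls.get(b, ())]
        fd = [x for x in fd if x is not None]
        return C * min(fd) if fd else None
    if (d := direct(block)) is not None:
        return d
    terms = [h + direct(b) for b, h in hops(cfg, block).items() if direct(b) is not None]
    return None if not terms else 1.0 / sum(1.0 / t for t in terms)
```

Blocks from which no target is reachable (here `err`) get `None`, which is why the instrumentation must handle undefined distances rather than treating them as zero.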
## Building
You can use `cmake` to build the LLVM passes and the LibAFL components. After opening our devcontainer in your editor (we recommend VSCode), you can build the project with the following commands:
```
cmake -S /workspaces/libaflgo \
-B /workspaces/libaflgo/build \
-G Ninja \
-DCMAKE_BUILD_TYPE=RelWithDebInfo \
-DCMAKE_EXPORT_COMPILE_COMMANDS=TRUE \
-DCMAKE_C_COMPILER=/usr/bin/clang-15 \
-DCMAKE_CXX_COMPILER=/usr/bin/clang++-15 \
-DBUILD_TESTING=ON \
--no-warn-unused-cli
cmake --build /workspaces/libaflgo/build \
--config RelWithDebInfo \
--target all \
--
```
Then you can run the tests with the `check` target.
## MAGMA integration (your mileage may vary, as it has not been tested recently)
We extended [MAGMA](https://github.com/vusec/magma-directed) for directed fuzzing. The original
documentation applies to our fork as well. The easiest way to get up and running fuzzing a target is to
look at the LibAFLGo integration in the `fuzzers` folder of that repository.