|
1 | 1 | # Usage of afl-fuzz |
2 | 2 |
|
| 3 | +Refer to [AFL Tutorial](https://rust-fuzz.github.io/book/afl/tutorial.html). |
| 4 | + |
3 | 5 | ## Install *cargo-afl* |
4 | 6 |
|
5 | | -```shell |
| 7 | +```sh |
6 | 8 | cargo install cargo-afl |
7 | 9 | ``` |
8 | 10 |
|
| 11 | +Upgrade: |
| 12 | + |
| 13 | +```sh |
| 14 | +cargo install --force cargo-afl |
| 15 | +``` |
| 16 | + |
9 | 17 | ## Build & run fuzz testing |
10 | 18 |
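Review bot: the upgrade step should also say that the fuzz target has to be rebuilt afterwards. The AFL++ runtime cargo-afl uses is keyed to the rustc and afl.rs version (the transcript further down resolves it under `~/.local/share/afl.rs/rustc-1.92.0-ded5c06/afl.rs-0.17.1/...`), so a target built against the previous cargo-afl can mismatch the upgraded fuzzer; suggest adding `cargo afl build --release` right after `cargo install --force cargo-afl`.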
|
11 | | -```shell |
| 19 | +```sh |
12 | 20 | cd afl-fuzz/ |
13 | 21 | cargo afl build --release |
14 | | -cargo afl fuzz -i ../testdata/ -o out target/release/afl-fuzz |
| 22 | +cd .. |
| 23 | +cargo afl fuzz -i ./testdata -o out target/release/afl-fuzz |
15 | 24 | ``` |
16 | 25 |
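Review bot: the new `cd ..` leaves the working directory for the rest of the README ambiguous. `cargo afl build --release` runs inside `afl-fuzz/`, so `target/release/afl-fuzz` only resolves from the parent directory when the crate is a workspace member whose `target/` sits at the parent; the "Reproduce a crash" command (`./target/release/afl-fuzz`, `out/default/crashes/`) and the transcript in the new "System Config Issues" section (still `-i ../testdata/`) assume different directories. Suggest stating the directory once (e.g. "all commands below run from the repository root") and using the same `-i` path everywhere.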
|
17 | 26 | ## Reproduce a crash |
18 | 27 |
|
19 | | -```shell |
| 28 | +```sh |
20 | 29 | cargo afl run ./target/release/afl-fuzz < out/default/crashes/[SAVED_CRASH_FILE] |
21 | 30 | ``` |
| 31 | + |
| 32 | +## System Config Issues |
| 33 | + |
| 34 | +❯ cargo afl fuzz -i ../testdata/ -o out target/release/afl-fuzz |
| 35 | +afl-fuzz++4.36a based on afl by Michal Zalewski and a large online community |
| 36 | +[+] AFL++ is maintained by Marc "van Hauser" Heuse, Dominik Maier, Andrea Fioraldi and Heiko "hexcoder" Eißfeldt |
| 37 | +[+] AFL++ is open source, get it at <https://github.com/AFLplusplus/AFLplusplus> |
| 38 | +[+] NOTE: AFL++ >= v3 has changed defaults and behaviours - see README.md |
| 39 | +[+] No -M/-S set, autoconfiguring for "-S default" |
| 40 | +[*] Getting to work... |
| 41 | +[+] Using exploration-based constant power schedule (EXPLORE) |
| 42 | +[+] CmpLog level: 2 |
| 43 | +[+] Enabled testcache with 50 MB |
| 44 | +[+] Generating fuzz data with a length of min=1 max=1048576 |
| 45 | + |
| 46 | +[-] Whoops, your system is configured to forward crash notifications to an |
| 47 | + external crash reporting utility. This will cause issues due to the |
| 48 | + extended delay between the fuzzed binary malfunctioning and this fact |
| 49 | + being relayed to the fuzzer via the standard waitpid() API. |
| 50 | + |
| 51 | + To avoid having crashes misinterpreted as timeouts, please run the |
| 52 | + following commands: |
| 53 | + |
| 54 | + SL=/System/Library; PL=com.apple.ReportCrash |
| 55 | + launchctl unload -w ${SL}/LaunchAgents/${PL}.plist |
| 56 | + sudo launchctl unload -w ${SL}/LaunchDaemons/${PL}.Root.plist |
| 57 | + |
| 58 | +[-] PROGRAM ABORT : Crash reporter detected |
| 59 | + Location : check_crash_handling(), src/afl-fuzz-init.c:2618 |
| 60 | + |
| 61 | +If you see an error message like `shmget() failed` above, try running the following command: |
| 62 | + |
| 63 | + cargo afl system-config |
| 64 | + |
| 65 | +Note: You might be prompted to enter your password as root privileges are required and hence sudo is run within this command. |
| 66 | + |
| 67 | +❯ cargo afl system-config |
| 68 | +Running: "sudo" "--reset-timestamp" "~/.local/share/afl.rs/rustc-1.92.0-ded5c06/afl.rs-0.17.1/afl/bin/afl-system-config" |
| 69 | +Password: |
| 70 | +This reconfigures the system to have a better fuzzing performance. |
| 71 | +WARNING: this reduces the security of the system! |
| 72 | + |
| 73 | +kern.sysv.shmmax: 4194304 -> 524288000 |
| 74 | +kern.sysv.shmmin: 1 -> 1 |
| 75 | +kern.sysv.shmseg: 8 -> 48 |
| 76 | +kern.sysv.shmall: 1024 -> 131072000 |
| 77 | +Settings applied. |
| 78 | + |
| 79 | +Unloading the default crash reporter |
| 80 | + |
| 81 | +It is recommended to disable System Integrity Protection for increased performance. |
| 82 | +See: <https://developer.apple.com/documentation/security/disabling_and_enabling_system_integrity_protection> |
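Review bot: the sentence "If you see an error message like `shmget() failed` above" does not match the transcript it follows, which aborts with "PROGRAM ABORT : Crash reporter detected" and never mentions shmget; either show the shmget failure or reword it to cover the crash-reporter abort, which `cargo afl system-config` also handles ("Unloading the default crash reporter" in the second transcript). Formatting: both terminal sessions and the `cargo afl system-config` line are left unfenced or only indented while the rest of the README uses sh-tagged code fences, so the `${SL}`/`${PL}` launchctl lines will render as prose; wrap them in fences. Finally, since the tool itself prints "WARNING: this reduces the security of the system!" (SysV shm limits raised, crash reporter unloaded, and a pointer to disabling SIP), the section should tell readers these are system-wide changes intended for a dedicated fuzzing machine and point at how to revert them afterwards (e.g. `launchctl load -w` on the same plists, re-enabling SIP).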