本文主要介绍模糊测试工具Driller的安装与使用。
1. Driller 简介
由于Driller依赖于模糊测试工具AFL和二进制分析工具angr, AFL目前在ubuntu18.04上不能使用gcc build,angr目前只能在64位系统中运行。
因此,本实验选择的系统环境是Ubuntu 16.04 64 bits.
2. Driller 的安装
这部分主要参考[2],注意安装时最好在Python虚拟环境中安装!!!
安装依赖:
sudo apt-get install build-essential libtol-bin automake bison flex python libglib2.0-dev
安装AFL:
mkdir driller
cd driller
wget http://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz
tar xf afl-latest.tgz
cd afl-2.52b
make
cd qemu_mode
./build_qemu_support.sh
安装Driller:
在安装与使用Driller时,最好在一个单独的Python虚拟环境中进行。
sudo apt install python virtualenv git python-dev
cd ~/driller
virtualenv venv
source venv/bin/activate
pip install git+https://github.com/angr/cle
pip install git+https://github.com/angr/angr
pip install git+https://github.com/angr/tracer
pip install git+https://github.com/shellphish/driller
安装成功的标识是可以import driller
python
import driller
3. Driller的使用
这种安装方法是采用一种Driller和AFL并行运行的过程,将driller中求解输入的部分和AFL fuzz的部分分别放在两个terminal运行 [2]。
Fuzz的程序源码为buggy.c
#include <stdio.h>
#include <unistd.h>
int main(int argc, char *argv[]) {
char buffer[6] = {0};
int i;
int *null = 0;
read(0, buffer, 6);
if (buffer[0] == '7' && buffer[1] == '/' && buffer[2] == '4'
&& buffer[3] == '2' && buffer[4] == 'a' && buffer[5] == '8') {
i = *null;
}
puts("No problem");
}
编译,由于使用AFL QEMU模式,因此不需要对源码进行插桩:
gcc -o buggy buggy.c
打开一个terminal, 用AFL进行FUZZ:
mkdir -p workdir/input
echo 'init' > workdir/input/seed1 # 提供初始化种子输入
echo core | sudo tee /proc/sys/kernel/core_pattern
afl-2.52b/afl-fuzz -M fuzzer-master -i workdir/input/ -o workdir/output/ -Q ./buggy
[2] 提供了一个运行脚本run_driller.py:
#!/usr/bin/env python
import errno
import os
import os.path
import sys
import time
from driller import Driller
def save_input(content, dest_dir, count):
"""Saves a new input to a file where AFL can find it.
File will be named id:XXXXXX,driller (where XXXXXX is the current value of
count) and placed in dest_dir.
"""
name = 'id:%06d,driller' % count
with open(os.path.join(dest_dir, name), 'w') as destfile:
destfile.write(content)
def main():
if len(sys.argv) != 3:
print 'Usage: %s <binary> <fuzzer_output_dir>' % sys.argv[0]
sys.exit(1)
_, binary, fuzzer_dir = sys.argv
# Figure out directories and inputs
with open(os.path.join(fuzzer_dir, 'fuzz_bitmap')) as bitmap_file:
fuzzer_bitmap = bitmap_file.read()
source_dir = os.path.join(fuzzer_dir, 'queue')
dest_dir = os.path.join(fuzzer_dir, '..', 'driller', 'queue')
# Make sure destination exists
try:
os.makedirs(dest_dir)
except os.error as e:
if e.errno != errno.EEXIST:
raise
seen = set() # Keeps track of source files already drilled
count = len(os.listdir(dest_dir)) # Helps us name outputs correctly
# Repeat forever in case AFL finds something new
while True:
# Go through all of the files AFL has generated, but only once each
for source_name in os.listdir(source_dir):
if source_name in seen or not source_name.startswith('id:'):
continue
seen.add(source_name)
with open(os.path.join(source_dir, source_name)) as seedfile:
seed = seedfile.read()
print 'Drilling input: %s' % seed
for _, new_input in Driller(binary, seed, fuzzer_bitmap).drill_generator():
save_input(new_input, dest_dir, count)
count += 1
# Try a larger input too because Driller won't do it for you
seed = seed + '0000'
print 'Drilling input: %s' % seed
for _, new_input in Driller(binary, seed, fuzzer_bitmap).drill_generator():
save_input(new_input, dest_dir, count)
count += 1
time.sleep(10)
if __name__ == '__main__':
main()
再打开另一个窗口,运行driller部分。
source venv/bin/activate
python run_driller.py ./buggy workdir/output/fuzzer-master
参考文献:
[1] Stephens, Nick, et al. "Driller: Augmenting Fuzzing Through Selective Symbolic Execution." NDSS. Vol. 16. 2016.
[2] https://blog.grimm-co.com/post/guided-fuzzing-with-driller/
[3] https://github.com/shellphish/driller
[4] https://github.com/shellphish/fuzzer
附录
安装脚本:
#! /bin/bash
sudo apt-get install build-essential libtol-bin automake bison flex python libglib2.0-dev
mkdir driller
cd driller
wget http://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz
tar xf afl-latest.tgz
cd afl-2.52b
make
cd qemu_mode
./build_qemu_support.sh
sudo apt-get install python virtualenv git python-dev
cd ../../
virtualenv venv
source venv/bin/activate
#!/bin/bash
pip install git+https://github.com/angr/cle
pip install git+https://github.com/angr/angr
pip install git+https://github.com/angr/tracer
pip install git+https://github.com/shellphish/driller