Contents
- AFL
- AFL++
- Verifying after instrumenting
AFL - Modify the CFLAGS in the Makefile.
Add -fsanitize=address to the CFLAGS line of the Makefile.
CFLAGS += -fsanitize=address -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign \
-DAFL_PATH=\"$(HELPER_PATH)\" -DDOC_PATH=\"$(DOC_PATH)\" \
-DBIN_PATH=\"$(BIN_PATH)\"
What didn't work
export AFL_USE_ASAN=1
For some reason this does not take effect.
AFL++ - Set the ASAN_BUILD environment variable.
cd ./AFLplusplus && ASAN_BUILD="1" make clean all
The ASAN crash log will not show line numbers; use addr2line.
Resolve the pointers printed in the ASAN crash log with addr2line.
e.g. if the log looks like this:
#0 0x55c8f033ceb2 (/fuzzer/(...omitted...)/afl-fuzz+0xe1eb2)
#1 0x55c8f0348338 (/fuzzer/(...omitted...)/afl-fuzz+0xed338)
#2 0x55c8f02cad71 (/fuzzer/(...omitted...)/afl-fuzz+0x6fd71)
#3 0x55c8f02e2554 (/fuzzer/(...omitted...)/afl-fuzz+0x87554)
#4 0x55c8f03190cd (/fuzzer/(...omitted...)/afl-fuzz+0xbe0cd)
#5 0x7fb81b3e6082 (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
#6 0x55c8f02858ed (/fuzzer/(...omitted...)/afl-fuzz+0x2a8ed)
AddressSanitizer can not provide additional info.
then resolve it as follows (the afl-fuzz offsets only; frame #5 belongs to libc and would need its own addr2line run against libc.so.6):
addr2line -e /fuzzer/(...omitted...)/afl-fuzz 0xe1eb2 0xed338 0x6fd71 0x87554 0xbe0cd 0x2a8ed
/fuzzer/(...omitted...)/src/afl-fuzz-bitmap.c:779
/fuzzer/(...omitted...)/src/afl-fuzz-run.c:1341
/fuzzer/(...omitted...)/src/afl-fuzz-one.c:3536 (discriminator 1)
/fuzzer/(...omitted...)/src/afl-fuzz-one.c:6722 (discriminator 1)
/fuzzer/(...omitted...)/src/afl-fuzz.c:3814
??:?
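The manual step above, done for every frame at once: an added shell helper (not from the original notes) that parses an unsymbolized ASAN trace into module/offset pairs, groups the offsets by module, and runs addr2line once per module, so the libc frame is resolved against libc.so.6 rather than being passed to the afl-fuzz binary. The log text and the paths in it are constructed sample data.

```shell
#!/bin/sh
# Constructed sample ASAN trace in the same shape as the one in the notes.
SAMPLE_LOG='#0 0x55c8f033ceb2 (/fuzzer/afl-fuzz+0xe1eb2)
#1 0x55c8f0348338 (/fuzzer/afl-fuzz+0xed338)
#5 0x7fb81b3e6082 (/lib/x86_64-linux-gnu/libc.so.6+0x24082)
AddressSanitizer can not provide additional info.'

# Print "frame module offset" for each line of the form
# "#N 0xADDR (MODULE+0xOFF)"; non-frame lines are dropped.
asan_frames() {
    printf '%s\n' "$1" |
        sed -n 's/^ *#\([0-9]*\) *0x[0-9a-f]* *(\(.*\)+\(0x[0-9a-f]*\))$/\1 \2 \3/p'
}

# Offsets that belong to one module ($2), space-separated, in frame order.
module_offsets() {
    asan_frames "$1" | awk -v m="$2" '$2 == m { printf "%s%s", sep, $3; sep = " " }'
}

# Unique module paths in order of first appearance (paths with spaces
# are not handled, which matches the notes' environment).
asan_modules() {
    asan_frames "$1" | awk '!seen[$2]++ { print $2 }'
}

# Run addr2line once per module: -f adds the function name, -C demangles C++.
# Usage: symbolize_log "$(cat crash.log)"
symbolize_log() {
    for mod in $(asan_modules "$1"); do
        echo "== $mod"
        # shellcheck disable=SC2046
        addr2line -f -C -e "$mod" $(module_offsets "$1" "$mod")
    done
}
```

Frames that ASAN has already symbolized ("#0 0x... in func file:line") are skipped by the parser, so it is safe to run on a mixed log.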
What didn't work
export ASAN_OPTIONS=abort_on_error=1,symbolize=1
export ASAN_SYMBOLIZER_PATH=$(which llvm-symbolizer)
vi GNUmakefile
- [ ] go to the # ifdef ASAN_BUILD block and add -g
Afterwards, check with nm that the instrumentation actually went in:
nm ./afl-fuzz | grep asan