kirasys / unicorn-fuzzer

expansion of afl-unicorn using c++

actually fuzzing inputs?

jbachell opened this issue · comments

Hi! I've currently been looking at your code and you don't take in any inputs.

Does your original code work for fuzzing?

I have modified the code (sort of) to work with ARM and also tried to actually fuzz inputs (adding an input directory to the command line). It doesn't seem to work. I'm not sure if this is an issue with the additions I've made, or if it's an issue with adding it to afl-unicorn. I don't fully understand the use of a loop at the end of the unicorn_loader.cpp. What did your original tests actually do?

Note: The C++ version of this compared to python is significantly faster, maybe about 8 times faster (if I can get it working)

Sorry for the late reply. "unicorn_loader.cpp" is a harness file for fuzzing, and the "tests" folder just takes a binary for testing. I don't think you completely understand afl-unicorn. Please check this post. (afl-unicorn: Fuzzing Arbitrary Binary Code)

ps. I've updated the project. If any problem is found, please let me know

I should be sending you a pull request! I updated the harness to how I was using it, as well as ARM support. "Dumb fuzzing" works, but the path finding does not work with AFL. AFL cannot distinguish unique errors with this unicorn fuzzer, but with python it can. Do you know why?

Thanks for your PR!! I'll reflect your code in the project soon. Anyway, can you tell me what kind of unique errors it doesn't find? Such as heap corruption or stack overflow. Do you mean the unicorn loader which was built from my project doesn't emit a crash even though an edge case is given?

No, I mean to tell you that the pathfinding is broken. For the python fuzzer, the program can detect where it is in the program and find ways to fully explore the program to get full coverage. I believe that I have the test I was using in my arm branch which was forked from yours. I'm not currently working on the project, but I don't mind picking it back up for a little. It shouldn't take that long to just look through my test and new loader and see what it does ... My goal was for it to be the exact same usage as the original AFL Unicorn, just in C++, including the same command line usage.