New OS Primitives Specialized for Fuzzing

Paper

Designing New Operating Primitives to Improve Fuzzing Performance (ACM CCS 2017)

The snapshot() system call

The prototype is built on linux-4.8.10.
Enable CONFIG_SNAPSHOT when compiling the kernel and check snapshot-test/ for its example.

AFL

afl/ contains the modified afl source code which leverages the snapshot() system call and the in-memory test case log.
To enable snapshot(), make sure #define MYFORK in config.h and compile with AFL_PERF=1 make.
We add a new option -u to indicate the afl instance id and the total number of afl instances running in parallel.
Currently only 64bit fuzzing targets are supported.

Example

We provide an example of using modified AFL to fuzz libjpeg (afl-test/).
Compile libjpeg.

cd jpeg-9b
CC=../../afl/afl-gcc ./configure
make
./djpeg -h (This step cannot be skipped in order to get lt-djpeg)

Launch afl (here 2 instances)

sudo ./prepare.sh
../afl/afl-fuzz -i input -o output -S slave0 -u 0/2 jpeg-9b/.libs/lt-djpeg

In another terminal,

../afl/afl-fuzz -i input -o output -S slave1 -u 1/2 jpeg-9b/.libs/lt-djpeg

Note that both of the AFL instances will start fuzzing only when both of them have been launched.

Contributors

Wen Xu (wen.xu@gatech.edu)
Sanidhya Kashyap (sanidhya@gatech.edu)
Changwoo Min (changwoo@vt.edu)
Taesoo Kim (taesoo@gatech.edu)

About

Languages

Language:C 95.4%Language:Assembly 1.8%Language:C++ 1.4%Language:Objective-C 0.6%Language:Makefile 0.3%Language:Shell 0.3%Language:Perl 0.2%Language:Python 0.1%Language:Yacc 0.0%Language:Roff 0.0%Language:Lex 0.0%Language:Awk 0.0%Language:GDB 0.0%Language:M4 0.0%Language:SAS 0.0%Language:WebAssembly 0.0%Language:Module Management System 0.0%Language:UnrealScript 0.0%Language:HTML 0.0%Language:Gherkin 0.0%Language:Smalltalk 0.0%Language:XS 0.0%Language:Perl 6 0.0%Language:Clojure 0.0%Language:PLpgSQL 0.0%Language:Rich Text Format 0.0%Language:JavaScript 0.0%