[DynInst_API:] Fuzzing tool leveraging Dyninst static binary rewriting


Date: Wed, 25 Mar 2015 21:34:29 +0100
From: Aleksandar Nikolich <anikolich@xxxxxxxxxxxxxx>
Subject: [DynInst_API:] Fuzzing tool leveraging Dyninst static binary rewriting
Hello,

We have just published a tool that leverages Dyninst's
static binary rewriting capabilities to enable fuzz testing
with American Fuzzy Lop [0] of binaries whose source is
unavailable.

American Fuzzy Lop (AFL) is a file fuzzer that employs
genetic algorithms and source code instrumentation to achieve high code
coverage and discover interesting test cases. The core of AFL is its
instrumentation that tracks edge transitions during testcase execution and
employs a number of heuristics for selecting new interesting testcases.

AFL works as a compiler addon, adding its instrumentation at compile time,
which makes it usable on open source applications. By using Dyninst static
binary rewriting, our tool adds AFL-compatible instrumentation to already compiled
binaries.

The instrumentation tool (afl-dyninst) instruments the supplied binary by
inserting callbacks for each basic block and an initialization
callback either at _init or at the specified entry point. A "libAflDyninst"
library contains the callbacks.

During instrumentation, every basic block is assigned a random ID which is
used to record the paths as explained in [1]. A special initialization
callback is inserted at the binary entry point which spins up the fork
server with the logic copied from afl-as.


Usage: ./afl-dyninst -i <binary> -o <binary> -l <library> -e <address> -s <number>
       -i: Input binary
       -o: Output binary
       -l: Library to instrument (repeat for more than one)
       -e: Entry point address to patch (required for stripped binaries)
       -r: Runtime library to instrument (path to, repeat for more than one)
       -s: Number of basic blocks to skip
       -v: Verbose output

Switch -l is used to supply the names of the libraries that should
be instrumented alongside the binary. Instrumented libraries will be copied
to the current working directory. This option can be repeated as many times
as needed. Depending on the environment, LD_LIBRARY_PATH should be set
to point to the instrumented libraries while fuzzing.

Runtime loaded shared libraries (loaded via dlopen(3)) can be specified with switch -r.
Instrumented runtime libraries will be
written to the same location with a ".ins" suffix so as not to overwrite
the original ones. Make sure to back up the originals and then rename the
instrumented ones to the original name.

If the binary being instrumented is not stripped and switch -e isn't specified,
the callback to fork server initialization is inserted at _init. Otherwise, it is inserted
at the specified address. The address of main is usually a good place to start.

In some cases on stripped binaries, static analysis can fail, leading to wrong basic block
detection. Coupled with verbose output, switch -s can be used to skip a specified number
of initial basic blocks.

The afl-users mailing list announcement is at https://groups.google.com/forum/#!topic/afl-users/HlSQdbOTlpg

We would be happy to receive any feedback.
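The message above says each basic block gets a random ID that the callbacks use to record paths "as explained in [1]" (AFL's documentation). The following is an added C example written for this archive page, not code from afl-dyninst or libAflDyninst, that models what such a per-block callback has to do: it applies AFL's edge-recording update (XOR the current block ID with the previous one, bump a counter in a shared map, then keep the current ID shifted right by one) to constructed traces of block IDs. The map size of 65536 and the block IDs used are assumptions chosen for the demonstration; the point it shows is why the shift matters, since without it the edges A->B and B->A would land in the same bucket and A->A would always hit bucket zero.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed map size for this example (AFL's default is also 64 KiB). */
#define MAP_SIZE (1u << 16)

/* Coverage map: one saturating-ish byte counter per edge bucket.
 * In AFL this lives in shared memory read by the fuzzer after each run. */
static uint8_t trace_bits[MAP_SIZE];

/* Previous block ID, already shifted right by one; starts at 0 as in AFL. */
static uint16_t prev_location;

/* Reset per-execution state (a fresh run of the instrumented target). */
void coverage_reset(void)
{
    memset(trace_bits, 0, sizeof trace_bits);
    prev_location = 0;
}

/* Per-basic-block callback: the update AFL's instrumentation performs.
 * cur_location models the random ID assigned to the block at rewrite time. */
void coverage_hit(uint16_t cur_location)
{
    trace_bits[(cur_location ^ prev_location) % MAP_SIZE]++;
    prev_location = cur_location >> 1;
}

/* Bucket index that the edge a -> b maps to (prev = a >> 1 when b executes). */
unsigned edge_index(uint16_t a, uint16_t b)
{
    return (unsigned)(b ^ (a >> 1)) % MAP_SIZE;
}

/* Hit counter for one bucket after a run. */
unsigned coverage_count(unsigned idx)
{
    return trace_bits[idx % MAP_SIZE];
}

/* Replay a trace of block IDs through the callback; return distinct edges hit. */
size_t coverage_run(const uint16_t *trace, size_t n)
{
    coverage_reset();
    for (size_t i = 0; i < n; i++)
        coverage_hit(trace[i]);

    size_t edges = 0;
    for (size_t i = 0; i < MAP_SIZE; i++)
        if (trace_bits[i])
            edges++;
    return edges;
}

/* 1 if two traces produce different coverage maps, 0 if identical. */
int coverage_differs(const uint16_t *t1, size_t n1, const uint16_t *t2, size_t n2)
{
    static uint8_t first[MAP_SIZE];
    coverage_run(t1, n1);
    memcpy(first, trace_bits, MAP_SIZE);
    coverage_run(t2, n2);
    return memcmp(first, trace_bits, MAP_SIZE) != 0;
}

/* Constructed block IDs standing in for the random ones the rewriter assigns. */
#define BLOCK_A 0x1234
#define BLOCK_B 0x5678

/* A -> B versus B -> A: the shift makes the two orders distinguishable. */
int demo_order_sensitive(void)
{
    const uint16_t ab[] = { BLOCK_A, BLOCK_B };
    const uint16_t ba[] = { BLOCK_B, BLOCK_A };
    return coverage_differs(ab, 2, ba, 2);
}

/* A, B, A, B: three distinct edges (A->B, B->A, and the entry edge 0->A),
 * with A->B seen twice, which the counter records. */
size_t demo_loop_edges(void)
{
    const uint16_t loop[] = { BLOCK_A, BLOCK_B, BLOCK_A, BLOCK_B };
    return coverage_run(loop, 4);
}

int main(void)
{
    printf("A->B and B->A distinguishable: %d\n", demo_order_sensitive());
    printf("distinct edges in A,B,A,B: %zu\n", demo_loop_edges());
    printf("A->B hit count: %u\n", coverage_count(edge_index(BLOCK_A, BLOCK_B)));
    return 0;
}
```

Note that the first block of every run is recorded as an edge from the implicit location 0, which is why the A,B,A,B trace yields three buckets rather than two; AFL's fuzzer treats new buckets and changed counter buckets as signals that a test case reached something new.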
