KleeFL - Seeding Fuzzers With Symbolic Execution
Prepare dependencies or simply grab the provisioned vagrant box
http://bit.ly/download_kleefl_box
- Download the package.box file.
- Install vagrant (if not already installed)
sudo apt-get install vagrant
- Add the package.box file to vagrant
vagrant box add kleefl package.box
- Initialize the vagrant box (kleefl)
vagrant init kleefl
- Bring the box up
vagrant up
- SSH to the box
vagrant ssh
Set up a project structure like this:
mkdir project_xyz
cd project_xyz
python /vagrant/tools/kleefl_init
(sets up two directories, 'klee' and 'fuzz', in the root of your project directory)
Select your source code, e.g.:
cp -r /vagrant/example source
Build the source using wllvm & afl-clang
cd source
/vagrant/tools/kleefl_build_make make
Choose & set up a target binary for evaluation
./kleefl_pick target_binary_name
Generate the test cases for AFL (KLEE symbolic execution)
The previous script will add a file called app.bc within the klee directory.
Change into the klee folder and run:
./run_klee.sh
Prepare KLEE's findings for afl-fuzz
python /vagrant/tools/kleefl_prepare_afl
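The preparation step above has to turn KLEE's .ktest output into seed files that AFL can start from. The following is an added, stand-alone illustration of that conversion, not KleeFL's own kleefl_prepare_afl script; it assumes KLEE's ktest binary layout (5-byte magic, big-endian 32-bit fields, the version 2/3 format with symArgvs/symArgvLen), that the symbolic input object is the POSIX runtime's 'A-data' file object, and the directory names klee/klee-last and fuzz/in.

```python
import os
import struct

def _blob(buf, off):  # u32 big-endian length prefix followed by that many bytes
    n = struct.unpack_from(">I", buf, off)[0]
    return bytes(buf[off + 4:off + 4 + n]), off + 4 + n

def parse_ktest(data):
    """Return (args, objects): argv strings and the (name, bytes) symbolic objects of one .ktest."""
    if data[:5] not in (b"KTEST", b"BOUT\n"):
        raise ValueError("not a KLEE ktest file")
    version, nargs = struct.unpack_from(">II", data, 5)
    off, args = 13, []
    for _ in range(nargs):
        a, off = _blob(data, off)
        args.append(a.decode())
    if version >= 2: off += 8  # symArgvs, symArgvLen (v2/v3 layout): irrelevant for seeding
    nobjs = struct.unpack_from(">I", data, off)[0]
    off, objs = off + 4, []
    for _ in range(nobjs):
        name, off = _blob(data, off)
        payload, off = _blob(data, off)
        objs.append((name.decode(), payload))
    return args, objs

def build_ktest(args, objs, version=3):
    """Inverse of parse_ktest; used here only to construct sample .ktest bytes for the demo."""
    pack = lambda b: struct.pack(">I", len(b)) + b
    body = [pack(a.encode()) for a in args] + [struct.pack(">III", 0, 0, len(objs))]
    body += [pack(n.encode()) + pack(p) for n, p in objs]
    return b"KTEST" + struct.pack(">II", version, len(args)) + b"".join(body)

def seeds_from_ktests(ktests, object_name="A-data"):
    """Map {ktest filename: bytes} to {seed name: payload} for one symbolic object. 'A-data' is
    KLEE's POSIX-runtime name for the first -sym-files file; assumed here, use your klee_make_symbolic name otherwise."""
    seeds = {}
    for fn, data in sorted(ktests.items()):
        payload = dict(parse_ktest(data)[1]).get(object_name, b"")
        if payload:  # AFL rejects empty seed files, so tests without this object are skipped
            seeds[fn[:-len(".ktest")]] = payload  # test000001.ktest -> test000001
    return seeds

def write_seeds(klee_out, seed_dir, object_name="A-data"):
    """Read every .ktest in klee_out (e.g. klee/klee-last) and write AFL seeds into seed_dir (e.g. fuzz/in)."""
    ktests = {fn: open(os.path.join(klee_out, fn), "rb").read()
              for fn in os.listdir(klee_out) if fn.endswith(".ktest")}
    os.makedirs(seed_dir, exist_ok=True)
    for name, payload in seeds_from_ktests(ktests, object_name).items():
        with open(os.path.join(seed_dir, name), "wb") as f:
            f.write(payload)
```

A call such as write_seeds("klee/klee-last", "fuzz/in") from the project root produces one seed per KLEE path that actually constrained the input; afl-cmin is still worth running on the result, since many paths yield byte-identical files.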
Finally: Fuzz, fuzz, fuzz!
./kleefl_crash_inspector fuzz/out
(fuzz/out is the AFL sync dir; the report is saved by default in the Vagrant shared dir /vagrant/crash_report/)
Analyze coverage & generate report
python kleefl_cov_inspector {make, binary fuzz/sync_dir}
zcov genhtml coverage.zcov cov_report