mrash/afl-cov

afl-cov with CGC binaries

strongcourage opened this issue · 4 comments

Hi,

Any idea on how to run afl-cov when fuzzing CGC DARPA binaries? Thanks.

@strongcourage You could try running ./afl-cov --help for more information.
Here is what I found to run my test case (LAVA-M):
./afl-cov -d ../output/fast_uniq/ -e "cat AFL_FILE | ./uniq " --code-dir ../lavam/uniq/coreutils-8.24-lava-safe/src/ --overwrite --src-file uniq.c

In detail, -d points to the output folder specified with -o for AFL, -e gives the run arguments for the binary program, and --code-dir is the path to the source that was used to compile the binary with coverage. You don't need to change cat AFL_FILE; just leave it as it is.

Thanks, @zhangysh1995. I've successfully run afl-cov on the LAVA-M benchmark, but it still failed on CGC binaries.

@strongcourage How did you manage to run afl-cov on LAVA-M? I'm currently getting the error lcov: ERROR: no valid records found in tracefile for each AFL test case.

Hi @MarwanNour, please find my notes below. Hope that helps :)

- Tutorial: https://foxglovesecurity.com/2016/03/15/fuzzing-workflows-a-fuzz-job-from-start-to-finish/

sudo apt-get install lcov

- Rebuild the PUT with extra options. For example, modify the Makefile:
CFLAGS= -g -O0 -fprofile-arcs -ftest-coverage

make clean; make

- Run afl-fuzz FIRST:
dungnguyen@cea:~/Downloads/lava_corpus/LAVA-M/base64/coreutils-8.24-lava-safe/src$ ~/afl-2.52b/afl-fuzz -i in -o out ./base64 @@

- Run afl-cov on other terminal:
dungnguyen@cea:~/Downloads/lava_corpus/LAVA-M/base64/coreutils-8.24-lava-safe/src$ ~/afl-cov/afl-cov -d out --live --coverage-cmd "./base64 AFL_FILE" --code-dir . --enable-branch-coverage
[-] Sleep for 60 seconds waiting for afl-fuzz to be started....

*** Imported 17 new test cases from: out/queue

    [+] AFL test case: id:000000,orig:in (0 / 17), cycle: 0
        lines......: 0.2% (50 of 25813 lines)
        functions..: 0.3% (4 of 1336 functions)
        branches...: 16.2% (26 of 160 branches)

    Coverage diff (init) id:000000,orig:in
    diff (init) -> id:000000,orig:in
    New src file: /home/dungnguyen/Downloads/lava_corpus/LAVA-M/base64/coreutils-8.24-lava-safe/src/base64.c
      New 'function' coverage: do_encode()
      New 'function' coverage: lava_get()
      New 'function' coverage: main()
      New 'function' coverage: wrap_write()

    ++++++ BEGIN - first exec output for CMD: ./base64 out/queue/id:000000,orig:in
        Cgo=
    ++++++ END

    [+] AFL test case: id:000001,src:000000,op:havoc,rep:2,+cov (1 / 17), cycle: 0
        lines......: 0.2% (50 of 25813 lines)
        functions..: 0.3% (4 of 1336 functions)
        branches...: 16.2% (26 of 160 branches)
    [+] AFL test case: id:000002,src:000000,op:havoc,rep:64,+cov (2 / 17), cycle: 0
        lines......: 0.2% (50 of 25813 lines)
        functions..: 0.3% (4 of 1336 functions)
        branches...: 16.2% (26 of 160 branches)
    [+] AFL test case: id:000003,src:000000,op:havoc,rep:2,+cov (3 / 17), cycle: 0
        lines......: 0.2% (50 of 25813 lines)
        functions..: 0.3% (4 of 1336 functions)
        branches...: 16.2% (26 of 160 branches)
    [+] AFL test case: id:000004,src:000000,op:havoc,rep:8,+cov (4 / 17), cycle: 0
        lines......: 0.2% (50 of 25813 lines)
        functions..: 0.3% (4 of 1336 functions)
        branches...: 16.2% (26 of 160 branches)

*** Imported 1 new test cases from: out/queue

    [+] AFL test case: id:000017,src:000005,op:havoc,rep:128 (0 / 18), cycle: 0
        lines......: 0.2% (50 of 25813 lines)
        functions..: 0.3% (4 of 1336 functions)
        branches...: 16.2% (26 of 160 branches)
    [-] No new AFL test cases, sleeping for 60 seconds
    [-] No new AFL test cases, sleeping for 60 seconds


- See more outputs in /out/cov:
afl-cov.log  afl-cov-status  diff  id-delta-cov  lcov  web
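The notes above rely on four things being in place before afl-cov --live is started: a gcov-instrumented build, the .gcno files in the directory given to --code-dir, an afl-fuzz queue to import from, and the AFL_FILE token in the coverage command. The script below is an added pre-flight check for those conditions (example code, not part of afl-cov or of this thread); the function names are mine, and it assumes a POSIX shell with grep and find, the gcov file layout (.gcno files in the build tree, .gcda output paths embedded in the binary) and afl-fuzz's id:* naming of queue entries.

```shell
#!/bin/sh
# afl-cov pre-flight (added example, not part of afl-cov). lcov's
# "no valid records found in tracefile" typically means it captured no
# .gcda data at all, so check the usual causes before the --live run:
#   1. binary not built with -fprofile-arcs -ftest-coverage
#   2. --code-dir is not the build tree holding the .gcno files
#   3. afl-fuzz has not produced any queue entries yet
#   4. coverage command lacks the AFL_FILE placeholder
# Usage: afl_cov_preflight <binary> <code-dir> <afl-out-dir> "<coverage-cmd>"

# -fprofile-arcs links libgcov, which leaves __gcov_* symbols and the
# embedded .gcda output paths in the binary (the paths survive strip).
has_gcov_instrumentation() {
    [ -f "$1" ] && grep -q -a -E '__gcov|\.gcda' "$1"
}

# .gcno notes files are written next to the objects by -ftest-coverage.
count_gcno_files() {
    find "$1" -name '*.gcno' 2>/dev/null | wc -l | tr -d ' '
}

# afl-fuzz names queue entries id:NNNNNN,...; afl-cov imports from there.
count_queue_cases() {
    find "$1/queue" -maxdepth 1 -name 'id:*' 2>/dev/null | wc -l | tr -d ' '
}

# afl-cov substitutes each queue file for the literal AFL_FILE token.
has_afl_file_placeholder() {
    case "$1" in *AFL_FILE*) return 0 ;; *) return 1 ;; esac
}

afl_cov_preflight() {
    bin=$1; code_dir=$2; afl_out=$3; cov_cmd=$4; rc=0
    if has_gcov_instrumentation "$bin"; then echo "[+] $bin is gcov-instrumented"
    else echo "[-] $bin has no gcov data: rebuild with -g -O0 -fprofile-arcs -ftest-coverage"; rc=1; fi
    n=$(count_gcno_files "$code_dir")
    if [ "$n" -gt 0 ]; then echo "[+] $n .gcno file(s) under $code_dir"
    else echo "[-] no .gcno files under $code_dir: point --code-dir at the instrumented build tree"; rc=1; fi
    n=$(count_queue_cases "$afl_out")
    if [ "$n" -gt 0 ]; then echo "[+] $n test case(s) in $afl_out/queue"
    else echo "[-] $afl_out/queue is empty: start afl-fuzz first"; rc=1; fi
    if has_afl_file_placeholder "$cov_cmd"; then echo "[+] coverage command uses AFL_FILE"
    else echo "[-] coverage command lacks AFL_FILE: every case would run the same input"; rc=1; fi
    return $rc
}

if [ "$#" -eq 4 ]; then afl_cov_preflight "$@"; fi
```

For the LAVA-M run in the notes this would be invoked as `afl_cov_preflight ./base64 . out "./base64 AFL_FILE"` from the src directory; a non-zero exit tells you which condition to fix before starting afl-cov.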