AFLSmart is an extension of AFL, the fuzzer from Michał Zalewski. It makes AFL input-structure aware by taking in a high-level structural representation of seed files, combining AFL with Peach input model/grammar definitions. We thank Peach Tech for making the Peach Community version open source.
The work was done by Van-Thuan Pham, Marcel Böhme, Andrew E. Santosa, Alexandru Răzvan Căciulescu, and Abhik Roychoudhury.
For more details, please check out our preprint: Smart Greybox Fuzzing.
Install automake and some required packages:
sudo apt-get install automake libtool libc6-dev-i386 python-pip g++-multilib
Compile and install the mono package to support C# on Linux:
sudo apt-get install mono-complete
Install gcc-4.4 and g++-4.4:
sudo add-apt-repository ppa:ubuntu-toolchain-r/test
sudo apt-get update
sudo apt install gcc-4.4
sudo apt install g++-4.4
Download AFLSmart and compile it:
git clone https://github.com/aflsmart/aflsmart
cd aflsmart
make clean all
cd ..
export AFLSMART=$(pwd)/aflsmart
export WORKDIR=$(pwd)
cd $AFLSMART
wget https://sourceforge.net/projects/peachfuzz/files/Peach/3.0/peach-3.0.202-source.zip
unzip peach-3.0.202-source.zip
patch -p1 < peach-3.0.202.patch
cd peach-3.0.202-source
CC=gcc-4.4 CXX=g++-4.4 ./waf configure
CC=gcc-4.4 CXX=g++-4.4 ./waf install
export PATH=$PATH:$AFLSMART:$AFLSMART/peach-3.0.202-source/output/linux_x86_64_debug/bin
export AFL_PATH=$AFLSMART
export LD_LIBRARY_PATH=/usr/local/lib
AFLSmart adds four more options to AFL:
-w: input model type. AFLSmart currently only supports Peach.
-g: input model file. The path to the input model file (a.k.a. Peach pit) is required. We have provided 10 sample Peach pits in the input_models folder. To write a new Peach pit for a new file format, please follow this tutorial and revisit Section 4 - File Format Specification of the AFLSmart paper.
-h: stacking-mutations mode, which mixes normal and higher-order mutation operators.
-H: limit the number of higher-order mutations for each input. This option is optional; if it is not set, there is no limit.
Example command:
afl-fuzz -h -i in -o out -w peach -g <input model file> -x <dictionary file> <executable binary and its arguments> @@
During the fuzzing process, AFLSmart interacts with Peach to obtain validity and chunk-boundary information. Check the out/chunks folder and make sure that it is not empty. If it is empty, the Peach executable may not have been found: compile Peach and/or check the PATH environment variable.
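As an added example (not code from the AFLSmart repository), a small POSIX shell wrapper that assembles the afl-fuzz command line from the four options above and performs the out/chunks check after a run. The function names are hypothetical, and it assumes afl-fuzz and a `peach` launcher are on PATH as set up in the installation steps.

```shell
# Added example, not part of AFLSmart: build an AFLSmart command line from
# the options described above and verify that Peach produced chunk data.
# Assumes afl-fuzz and the Peach launcher ("peach") are on PATH.

# build_aflsmart_cmd IN OUT PIT DICT MAXHOM TARGET... -> prints the command.
# DICT and MAXHOM may be empty strings (no -x / no -H, i.e. unlimited).
build_aflsmart_cmd() {
  local in_dir=$1 out_dir=$2 pit=$3 dict=$4 max_hom=$5
  shift 5
  local cmd="afl-fuzz -h -i $in_dir -o $out_dir -w peach -g $pit"
  [ -n "$dict" ] && cmd="$cmd -x $dict"        # optional AFL dictionary
  [ -n "$max_hom" ] && cmd="$cmd -H $max_hom"  # cap higher-order mutations
  printf '%s %s\n' "$cmd" "$*"                 # target binary, args and @@
}

# preflight PIT -> 0 if everything the run needs is in place, 1 otherwise.
# Catches the usual causes of an empty out/chunks before a 24h run starts.
preflight() {
  command -v afl-fuzz >/dev/null 2>&1 || { echo "afl-fuzz not on PATH"; return 1; }
  command -v peach >/dev/null 2>&1    || { echo "peach not on PATH"; return 1; }
  [ -f "$1" ] || { echo "input model $1 not found"; return 1; }
}

# chunks_present OUT -> 0 if OUT/chunks exists and is non-empty.
# An empty chunks folder means afl-fuzz never received boundary data from Peach.
chunks_present() {
  local dir=$1/chunks
  [ -d "$dir" ] && [ -n "$(ls -A "$dir" 2>/dev/null)" ]
}

# Usage, matching the WavPack run in this README (pit and dict are assumed paths):
#   pit=$AFLSMART/input_models/wav.xml; dict=$AFLSMART/dictionaries/wav.dict
#   preflight "$pit" && eval "$(build_aflsmart_cmd in out "$pit" "$dict" "" cli/wavpack -y @@ -o out)"
#   chunks_present out || echo "out/chunks is empty: check the Peach build and PATH"
```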
Fuzzing WavPack and reproducing CVE-2018-10536 (see Section 2 - Motivating Example in the AFLSmart paper)
Patch afl-fuzz.c so that it works with WavPack, which only accepts inputs with the correct file extension (e.g., .wav):
cd $AFLSMART
sed -i 's/cur_input/cur_input.wav/g' afl-fuzz.c
make clean all
cd $WORKDIR
git clone https://github.com/dbry/WavPack.git
cd WavPack
git checkout 0a72951
./autogen.sh
CC=afl-gcc ./configure --disable-shared
make clean all
cd $WORKDIR/WavPack
timeout 24h $AFLSMART/afl-fuzz -m none -h -d -i $AFLSMART/testcases/aflsmart/wav -o out -w peach -g $AFLSMART/input_models/wav.xml -x $AFLSMART/dictionaries/wav.dict cli/wavpack -y @@ -o out