go go1.10.3.linux-amd64.tar.gz moonshine sources_init.list
root@f36ad42a3ca5:/moon/moon# mv go goroot
root@f36ad42a3ca5:/moon/moon# export GOROOT=/moon/moon/goroot
root@f36ad42a3ca5:/moon/moon# export PATH=$GOROOT/bin:$PATH
root@f36ad42a3ca5:/moon/moon# go version
go version go1.10.3 linux/amd64
4. Install Goyacc
- MoonShine uses Goyacc to scan and parse trace files. Install Goyacc:
go get golang.org/x/tools/cmd/goyacc
Switched to a manual install instead
go install reported an error
Changed to
go version go1.21.7 linux/amd64
export GOROOT=/moon/goroot
export PATH=$GOROOT/bin:$PATH
root@f36ad42a3ca5:/moon/moon/tools/cmd/goyacc# ls
doc.go testdata yacc.go
root@f36ad42a3ca5:/moon/moon/tools/cmd/goyacc# go install
root@f36ad42a3ca5:/moon/moon/tools/cmd/goyacc# export PATH=$PATH:$GOPATH/bin
root@f36ad42a3ca5:/moon/moon/tools/cmd/goyacc# echo $GOPATH
/moon/moon
root@f36ad42a3ca5:/moon/moon/tools/cmd/goyacc# goyacc
usage: yacc [-o output] [-v parsetable] input
root@f36ad42a3ca5:/moon/moon/tools/cmd/goyacc#
Resolution:
Environment variable problem.
Switched the Docker container to syz-20.04-kvm-pri
goyacc path configuration
root@b21bd46e7d4a:/work/moon/tools/cmd/goyacc# ls
doc.go testdata yacc.go
root@b21bd46e7d4a:/work/moon/tools/cmd/goyacc# export GOPATH=/work/moon
root@b21bd46e7d4a:/work/moon/tools/cmd/goyacc# ls
doc.go testdata yacc.go
root@b21bd46e7d4a:/work/moon/tools/cmd/goyacc# export PATH=$PATH:$GOPATH/bin
root@b21bd46e7d4a:/work/moon/tools/cmd/goyacc# goyacc
usage: yacc [-o output] [-v parsetable] input
root@b21bd46e7d4a:/work/moon/tools/cmd/goyacc#
5. Build the MoonShine project
- Fetch and build the MoonShine project:
go get -u -d github.com/shankarapailoor/moonshine/...
cd $GOPATH/pkg/mod/github.com/shankarapailoor
mv moonshine\@v0.0.0-20190509180242-95e5f6dfd276/ moonshine/
cd moonshine/
make
Error:
root@b21bd46e7d4a:/work/moon/src/github.com/shankarapailoor/moonshine# cd $GOPATH/src/github.com/shankarapailoor/moonshine
root@b21bd46e7d4a:/work/moon/src/github.com/shankarapailoor/moonshine# make
ragel -Z -G2 -o scanner/lex.go scanner/lex.rl
goyacc -o scanner/strace.go -p Strace scanner/strace.y
mkdir -p bin deserialized
go build -o ./bin/moonshine main.go
vendor/github.com/google/syzkaller/prog/rand.go:13:2: cannot find package "github.com/google/syzkaller/pkg/ifuzz" in any of:
    /work/moon/src/github.com/shankarapailoor/moonshine/vendor/github.com/google/syzkaller/pkg/ifuzz (vendor tree)
    /work/moon/goroot/src/github.com/google/syzkaller/pkg/ifuzz (from $GOROOT)
    /work/moon/src/github.com/google/syzkaller/pkg/ifuzz (from $GOPATH)
vendor/github.com/google/syzkaller/prog/rand.go:14:2: cannot find package "github.com/google/syzkaller/pkg/ifuzz/generated" in any of:
    /work/moon/src/github.com/shankarapailoor/moonshine/vendor/github.com/google/syzkaller/pkg/ifuzz/generated (vendor tree)
    /work/moon/goroot/src/github.com/google/syzkaller/pkg/ifuzz/generated (from $GOROOT)
    /work/moon/src/github.com/google/syzkaller/pkg/ifuzz/generated (from $GOPATH)
vendor/github.com/google/syzkaller/pkg/db/db.go:22:2: cannot find package "github.com/google/syzkaller/pkg/osutil" in any of:
    /work/moon/src/github.com/shankarapailoor/moonshine/vendor/github.com/google/syzkaller/pkg/osutil (vendor tree)
    /work/moon/goroot/src/github.com/google/syzkaller/pkg/osutil (from $GOROOT)
    /work/moon/src/github.com/google/syzkaller/pkg/osutil (from $GOPATH)
make: *** [Makefile:5: default] Error 1
Fix:
Copy the pkg directory that was downloaded into the module cache into the vendored syzkaller pkg directory of the current moonshine tree
root@b21bd46e7d4a:/work/moon/src/github.com/shankarapailoor/moonshine/vendor/github.com/google/syzkaller/pkg# ls
db hash ifuzz log pkg
root@b21bd46e7d4a:/work/moon/src/.../moonshine/vendor/github.com/google/syzkaller/pkg# cp -r pkg ..
root@b21bd46e7d4a:/work/moon/src/github.com/shankarapailoor/moonshine/vendor/github.com/google/syzkaller/pkg# ls
ast config db gcs host ipc log report serializer
bisect cover email git ifuzz kd osutil repro signal
Run make again
6. Run MoonShine
- Once the build completes, MoonShine can be used to generate seeds for Syzkaller:
./bin/moonshine -dir [tracedir] -distill [distillConfig.json]
-dir specifies the directory of trace files to parse. -distill specifies the distillation config file, which selects the distillation strategy (e.g. implicit, explicit-only). If the trace files carry no call coverage information, or you do not want to distill, this argument can be omitted and MoonShine will generate the traces "as-is". An example config is provided under getting-started/distill.json
$ ./bin/moonshine -dir getting-started/sampletraces/ -distill getting-started/distill.json
Total files: 346
Parsing file 1/346: ltp_accept4_01
Parsing file 2/346: ltp_accept_01
...
Total distilled programs: 391
Average program length: 10
Total contributing calls: 639 out of 43480, in 388 implicitly-distilled programs. Total calls: 3250
MoonShine generates a corpus.db file that contains the serialized Syzkaller programs. Move corpus.db into your Syzkaller working directory and start fuzzing!
Total number of seeds: 43438
Performing implicit distillation with 43438 calls contributing coverage
Total Distilled Progs: 385
Average Program Length: 10
Total Contributing calls: 639 out of 43438, in 383 implicitly-distilled programs that consist of: 3342 calls
Deserializing programs => deserialized/
Run syzkaller with the distilled seeds
ubuntu@liyanlin:~/fuzz/new-syz/syzkaller$ ./bin/syz-manager -config=linux-5.11.cfg
2024/08/11 17:08:37 serving http on http://127.0.0.1:56745
2024/08/11 17:08:45 broken programs in the corpus: 130, broken seeds: 1
2024/08/11 17:08:47 serving rpc on tcp://45475
2024/08/11 17:08:47 booting test machines...
2024/08/11 17:08:47 wait for the connection from test machine...
7. Collecting trace files
- Collect trace files with strace. Make sure strace 4.16 or newer is installed:
strace -o tracefile -s 65500 -v -xx -f -k /path/to/executable arg1 arg2 .. argN
-s sets the maximum amount of data written per call, usually 65500. -v means arguments are not abbreviated, -xx writes strings in hexadecimal, -f follows child processes, and -k captures coverage information for each call (only supported by strace with the kcov patch applied).
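The strace invocation above, wrapped as a small POSIX sh helper (added example, not part of MoonShine): it checks the installed strace against the 4.16 minimum by parsing the first line of `strace -V` (assumed to read `strace -- version X.Y`) and records one trace per program with the flags from the notes.

```shell
#!/bin/sh
# Added example, not from the MoonShine project. Assumes a kcov-patched
# strace on PATH whose "strace -V" first line reads "strace -- version X.Y".

# strace_version_ok LINE: return 0 when LINE names strace 4.16 or newer.
strace_version_ok() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^strace -- version \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 1          # not a recognised version line
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    [ "$major" -gt 4 ] && return 0
    [ "$major" -eq 4 ] && [ "$minor" -ge 16 ] && return 0
    return 1
}

# collect_trace TRACEDIR NAME PROGRAM [ARGS...]: record TRACEDIR/NAME with
# the MoonShine flags: -s 65500 keeps whole buffers, -v disables argument
# abbreviation, -xx hex-encodes strings, -f follows children, -k records
# per-call coverage (needs the kcov patch from step 9).
collect_trace() {
    tracedir=$1; name=$2; shift 2
    strace_version_ok "$(strace -V 2>/dev/null | head -n 1)" || {
        echo "collect_trace: strace 4.16 or newer required" >&2
        return 1
    }
    mkdir -p "$tracedir"
    strace -o "$tracedir/$name" -s 65500 -v -xx -f -k "$@"
}
```

Point `-dir` at TRACEDIR afterwards so MoonShine parses every trace collected this way.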
8. Integrating MoonShine with Syzkaller
- Move the generated corpus.db file into Syzkaller's working directory and start fuzzing.
- MoonShine also writes the deserialized Syzkaller programs into the deserialized directory, where you can inspect the conversion results by hand.
9. Apply the patch and build strace
- If coverage information needs to be captured, apply the strace_kcov.patch patch and build strace:
cd ~
git clone https://github.com/strace/strace strace
cd strace
git checkout a8d2417e97e71ae01095bee1a1e563b07f2d6b41
git apply $GOPATH/src/github.com/shankarapailoor/moonshine/strace_kcov.patch
./bootstrap
./configure
make
10. Debugging and inspecting the generated output
- MoonShine writes the deserialized Syzkaller programs into the deserialized directory; these files can be inspected by hand or processed further.