Intro: course assignment, fuzzing a router firmware.
1. Install AFL++ in a virtual machine (search for instructions if you don't know how):
2. Pick a suitable router firmware:
TL-R479GPE-AC V8.0 firmware upgrade 20240418_1.0.3
https://resource.tp-link.com.cn/pc/docCenter/showDoc?id=1714437353098084
Inside the extracted firmware, jshn (the JSON shell helper from OpenWrt's libubox, which parses JSON read from a file with -R) is a good fuzzing target: it is a small, self-contained parser that takes its input from a file.
It is a MIPS binary:
Use qemu-mips-static to check its usage:
Trial run:
3. Fuzzing
Build qemu_mode for the target architecture (run from the AFL++ source tree):
$ cd qemu_mode
$ CPU_TARGET=mips ./build_qemu_support.sh # build for MIPS (big-endian); use CPU_TARGET=mipsel if file reports an LSB binary
Create the .json input files (the seed corpus):
### Simple object
{
"name": "John Doe",
"age": 30,
"is_student": false
}
### Nested object
{ "person": {
"name": "Jane Doe", "age": 25,
"contact": {
"email": "jane.doe@example.com",
"phone": "123-456-7890" } } }
### Array
{ "students": [ { "name": "Alice",
"age": 20 }, { "name": "Bob", "age": 22 } ] }
### Mixed-type array
{
"data": [123, "string", true, null, {"key": "value"}]
}
### String with special characters
{ "message": "Hello, world! \n This is a test with \t special characters." }
### Empty object and array
{
"empty_object": {},
"empty_array": []
}
### Deeply nested object
{ "level1": { "level2": { "level3": { "level4": { "level5": { "value": "deep" } } } } } }
### Object containing every basic type
{ "string": "text",
"number": 12345,
"boolean_true": true,
"boolean_false": false,
"null_value": null,
"object": {"key": "value"},
"array": [1, 2, 3] }
### Complex structure
{ "users": [ {
"id": 1,
"name": "Alice",
"roles": ["admin", "editor"],
"preferences": {
"notifications": true,
"theme": "dark" },
"address": { "city": "Wonderland",
"zipcode": "12345" } },
{ "id": 2,
"name": "Bob",
"roles": ["viewer"],
"preferences": {
"notifications": false,
"theme": "light" },
"address": { "city": "Builderland",
"zipcode": "67890" } } ] }
### Long string
{ "description": "Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla condimentum, lorem a facilisis consectetur, ligula nibh ultricies purus, sit amet pharetra nisi quam in libero. Vivamus non iaculis dolor. Fusce fermentum consectetur sagittis. Donec volutpat, mi quis dapibus varius, neque libero iaculis orci, vel tincidunt ipsum leo in urna." }
Put the seed files in an input directory, create an empty output directory, and start the fuzzer (QEMU_LD_PREFIX points qemu-user at the firmware's own libc and libraries; @@ is replaced by the path of the current test case, which jshn -R reads as its JSON input):
QEMU_LD_PREFIX=./squashfs-root/ ~/AFLplusplus/afl-fuzz \
-Q \
-i input/ \
-o output/ \
-- ./squashfs-root/usr/bin/jshn -R @@
After running for a while, the status screen showed one saved crash.
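A saved crash is only worth reporting once it reproduces outside the fuzzer. The script below is an added example, not part of the original write-up: it replays every file in an afl-fuzz crashes directory under qemu-mips-static, classifies each run by the signal it died with (qemu-user re-raises the guest's fatal signal, so the shell sees 128 + signal), and compares that with the `sig:NN` field afl-fuzz encodes in the file name. Paths (./squashfs-root, ./output/default/crashes), the RUNNER override used for testing, and the 10-second timeout are assumptions.

```sh
#!/bin/sh
# Added example: replay AFL++ crash files under qemu-user and bucket them by signal.
# Assumed layout: firmware extracted to ./squashfs-root, afl-fuzz output in ./output.
ROOT="${ROOT:-./squashfs-root}"
QEMU="${QEMU:-qemu-mips-static}"
TARGET="${TARGET:-$ROOT/usr/bin/jshn}"
TIMEOUT="${TIMEOUT:-10}"
CRASHES="${CRASHES:-./output/default/crashes}"

# run_one FILE: run the target once on FILE and print "sig N" or "exit N".
# RUNNER is a test hook (assumed, not an AFL++ feature): if set, it is invoked
# with the input path instead of qemu so the classification logic can be tested.
run_one() {
  rc=0
  if [ -n "$RUNNER" ]; then
    "$RUNNER" "$1" >/dev/null 2>&1 || rc=$?
  else
    QEMU_LD_PREFIX="$ROOT" timeout "$TIMEOUT" "$QEMU" "$TARGET" -R "$1" >/dev/null 2>&1 || rc=$?
  fi
  if [ "$rc" -gt 128 ]; then
    echo "sig $((rc - 128))"     # died from a signal (139 -> SIGSEGV 11, 134 -> SIGABRT 6)
  else
    echo "exit $rc"              # normal exit, or 124 if timeout fired
  fi
}

# triage DIR: one line per crash file: "<verdict>\t<reproduces?>\t<file>".
triage() {
  dir="$1"
  for f in "$dir"/id:*; do
    [ -e "$f" ] || continue      # glob did not match: no crashes saved yet
    verdict="$(run_one "$f")"
    # afl-fuzz names crashes like id:000000,sig:11,src:...; compare the signal it
    # recorded with the one we just observed to flag crashes that do not reproduce.
    expected="$(basename "$f" | sed -n 's/.*,sig:0*\([0-9][0-9]*\),.*/\1/p')"
    case "$verdict" in
      "sig $expected") repro=yes ;;
      *)               repro=no ;;
    esac
    printf '%s\t%s\t%s\n' "$verdict" "$repro" "$f"
  done
}

# count_signals DIR: summary of how many crashes fall into each verdict bucket.
count_signals() {
  triage "$1" | cut -f1 | sort | uniq -c
}

# Stand-alone use: ./triage.sh  (or CRASHES=output/main/crashes ./triage.sh)
if [ "${0##*/}" = "triage.sh" ]; then
  triage "$CRASHES"
  echo "--- summary ---"
  count_signals "$CRASHES"
fi
```

Crashes marked `no` are the ones to look at first for harness problems: a different signal or a clean exit usually means the fuzzer hit a timing or memory-limit artifact rather than a bug in jshn. Once a crash reproduces, rerun it with AFL_USE_QASAN=1 to get an address-sanitizer style report from QEMU.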
Trimming the test set:
cmin (drops seeds that add no new coverage):
First create the two folders input-cmin and input-cmin-tmin.
QEMU_LD_PREFIX=./squashfs-root ~/AFLplusplus/afl-cmin -Q -i ./input -o ./input-cmin -- ./squashfs-root/usr/bin/jshn -R @@
tmin (shrinks each remaining seed to the smallest input that keeps the same coverage):
# tmin.sh
mkdir -p input-cmin-tmin
cd input-cmin
for i in *; do
  # output path must not contain a stray space, otherwise the minimised file is written to a directory that does not exist
  QEMU_LD_PREFIX=../squashfs-root ~/AFLplusplus/afl-tmin -Q -i "$i" -o "../input-cmin-tmin/$i" -- ../squashfs-root/usr/bin/jshn -R @@
done
Using a dictionary:
AFL++ ships a JSON dictionary (dictionaries/json.dict in the AFL++ source tree); copy it into the working directory or pass its full path.
To use a dictionary, add -x [path_to_dict] when starting the fuzzer:
QEMU_LD_PREFIX=./squashfs-root/ ~/AFLplusplus/afl-fuzz \
-Q -x json.dict \
-i input-cmin-tmin/ \
-o output/ \
-- ./squashfs-root/usr/bin/jshn -R @@
Parallel fuzzing
Run the campaign as 4 cooperating afl-fuzz instances that share one output directory:
a regular main instance (-M)
a QASAN instance (AFL_USE_QASAN=1, catches memory errors that do not crash on their own)
a CMPLOG instance (-c 0 in QEMU mode, solves magic-value and string comparisons)
a COMPCOV instance (AFL_COMPCOV_LEVEL=2, comparison coverage for the same purpose)
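The write-up names the four roles but not the exact invocations. The launcher below is an added example (not the author's script) that builds the command line for each role and starts them against the same sync directory, so they exchange queue entries. It assumes AFL++ in $HOME/AFLplusplus, the firmware extracted to ./squashfs-root, the trimmed seeds in ./input-cmin-tmin, json.dict copied from AFL++'s dictionaries/ directory, and ./output as the shared sync directory.

```sh
#!/bin/sh
# Added example: start four cooperating AFL++ QEMU-mode instances against jshn.
# Assumed paths (override via environment): AFL, ROOT, SEEDS, SYNC.
AFL="${AFL:-$HOME/AFLplusplus}"
ROOT="${ROOT:-./squashfs-root}"
SEEDS="${SEEDS:-./input-cmin-tmin}"
SYNC="${SYNC:-./output}"
TARGET="$ROOT/usr/bin/jshn"
COMMON="-Q -i $SEEDS -o $SYNC"      # every instance: QEMU mode, same seeds, same sync dir
TAIL="-- $TARGET -R @@"             # jshn reads the current test case from the file at @@

# fuzz_cmd ROLE: print the complete command line for one instance.
# Exactly one instance is the main (-M) node; the rest are secondaries (-S).
fuzz_cmd() {
  case "$1" in
    main)    echo "QEMU_LD_PREFIX=$ROOT $AFL/afl-fuzz $COMMON -M main -x json.dict $TAIL" ;;
    # QASAN: QEMU-side AddressSanitizer, reports out-of-bounds reads that would not crash
    qasan)   echo "AFL_USE_QASAN=1 QEMU_LD_PREFIX=$ROOT $AFL/afl-fuzz $COMMON -S qasan $TAIL" ;;
    # CMPLOG in QEMU mode is enabled with -c 0 (no separate cmplog binary is needed)
    cmplog)  echo "QEMU_LD_PREFIX=$ROOT $AFL/afl-fuzz $COMMON -S cmplog -c 0 $TAIL" ;;
    # COMPCOV level 2 also instruments comparisons against non-immediate values
    compcov) echo "AFL_COMPCOV_LEVEL=2 QEMU_LD_PREFIX=$ROOT $AFL/afl-fuzz $COMMON -S compcov $TAIL" ;;
    *)       echo "fuzz_cmd: unknown role '$1'" >&2; return 1 ;;
  esac
}

ROLES="main qasan cmplog compcov"

# launch_all [--dry-run]: print every command, or start each one in the background
# with its console output logged to $SYNC-<role>.log.
launch_all() {
  for role in $ROLES; do
    cmd="$(fuzz_cmd "$role")"
    if [ "$1" = "--dry-run" ]; then
      echo "$cmd"
    else
      sh -c "$cmd" >"$SYNC-$role.log" 2>&1 &
    fi
  done
}

# Stand-alone use: ./launch.sh --dry-run to review, ./launch.sh to start the campaign.
if [ "${0##*/}" = "launch.sh" ]; then
  launch_all "$1"
fi
```

Each instance writes to its own subdirectory (output/main, output/qasan, ...), so crashes must be collected from all four; afl-whatsup on the sync directory gives the combined status. The QASAN instance is the one most likely to find memory-safety bugs in a parser that otherwise fails silently, so check its crashes directory first.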