安装qsym
安装qsym可以参照:https://github.com/sslab-gatech/qsym和https://blog.csdn.net/qq_33669680/article/details/110140376链接。我在安装的时候是直接下载zip安装包,所以git submodule未能将z3下载下来,需要自己添加z3到相应目录。
qsym运行前需要启动虚拟环境,运行过程中可能回报错,如下:
DEBUG:qsym.afl:Total=0 s, Emulation=0 s, Solver=0 s, Return=-9。
解决:
To resolve this, either execute the following (as root):
$ echo 0 > /proc/sys/kernel/yama/ptrace_scope
安装driller
https://www.jianshu.com/p/6e3943474f41
https://n132.github.io/2020/03/04/2020-03-13-Driller-Installation/
先创建python3.7的虚拟环境,然后通过pip install git+导入所需的包。driller = afl + angr + driller接口,其中angr和driller接口的使用都需要通过import来导入,包含afl和angr的虚拟环境部署好之后,可以通过以下的脚本来调用driller运行。
#!/usr/bin/env python
import errno
import os
import os.path
import sys
import time
from driller import Driller
def save_input(content, dest_dir, count):
"""Saves a new input to a file where AFL can find it.
File will be named id:XXXXXX,driller (where XXXXXX is the current value of
count) and placed in dest_dir.
"""
name = 'id:%06d,driller' % count
with open(os.path.join(dest_dir, name), 'wb') as destfile:
destfile.write(content)
def main():
if len(sys.argv) != 3:
print('Usage: %s <binary> <fuzzer_output_dir>' % sys.argv[0])
sys.exit(1)
_, binary, fuzzer_dir = sys.argv
# Figure out directories and inputs
with open(os.path.join(fuzzer_dir, 'fuzz_bitmap'), 'rb') as bitmap_file:
fuzzer_bitmap = bitmap_file.read()
source_dir = os.path.join(fuzzer_dir, 'queue')
dest_dir = os.path.join(fuzzer_dir, '..', 'driller', 'queue')
# Make sure destination exists
try:
os.makedirs(dest_dir)
except os.error as e:
if e.errno != errno.EEXIST:
raise
seen = set() # Keeps track of source files already drilled
count = len(os.listdir(dest_dir)) # Helps us name outputs correctly
# Repeat forever in case AFL finds something new
while True:
# Go through all of the files AFL has generated, but only once each
for source_name in os.listdir(source_dir):
if source_name in seen or not source_name.startswith('id:'):
continue
seen.add(source_name)
with open(os.path.join(source_dir, source_name), 'rb') as seedfile:
seed = seedfile.read()
print('Drilling input: %s' % seed)
for _, new_input in Driller(binary, seed, fuzzer_bitmap).drill_generator():
save_input(new_input, dest_dir, count)
count += 1
# Try a larger input too because Driller won't do it for you
seed = seed + b'0000'
print('Drilling input: %s' % seed)
for _, new_input in Driller(binary, seed, fuzzer_bitmap).drill_generator():
save_input(new_input, dest_dir, count)
count += 1
time.sleep(10)
if __name__ == '__main__':
main()
启动angr
source venv/bin/activate
python run_driller.py ./buggy workdir/output/fuzzer-master
启动afl
mkdir -p workdir/input
echo 'init' > workdir/input/seed1 # 提供初始化种子输入
echo core | sudo tee /proc/sys/kernel/core_pattern
afl-2.52b/afl-fuzz -M fuzzer-master -i workdir/input/ -o workdir/output/ -Q ./buggy
driller运行中会遇到的问题:
这意味着angr的CPU仿真所产生的下一个地址结果与qemu产生的结果不同,因此我们无法继续。发生这种情况的原因有很多,其中大多数涉及qemu和angr之间的不同步。例如:不同的cpuid或时间戳值。angr的elf加载程序或syscall实施中的错误。环境或辅助向量中的值不同。不同的地址空间随机化。对此还没有一个万能的解决方案,这是driller在实际应用中最主要障碍之一。
driller仅用于DECREE[1]的二进制程序和简单的Linux二进制程序,对于复杂的现实软件,由于qemu和angr之间可能存在的不同步问题而无法使用,这也是driller无法在现实中应用的主要障碍之一。由于driller的局限,其研究意义不大,还是建议研究qsym,其具有好的鲁棒性。
问题
1. 乐观约束求解器在哪?动态二进制符号转换器在哪?
2. 如何对种子进行解析?