DIE Installation Tutorial
Overview:
Research area: JavaScript engine fuzzing
Venue: S&P'20
Paper link: paper
Source code link: source
System environment
- Ubuntu 16.04
Installing DIE's dependency tools
- Install Node.js and npm (npm from apt, then the n version manager to pull a current stable Node.js):
sudo apt-get -y install npm
sudo npm install -g n
sudo n stable
- Install redis-server (DIE's fuzzer instances share corpus, paths and crashes through Redis):
sudo apt install redis-server
- Install the clang compiler:
sudo apt-get -y install clang-6.0
Installing DIE and its software dependencies
- Download the DIE source:
git clone https://github.com/sslab-gatech/DIE.git --depth=1
- Install the npm package dependencies and compile the TypeScript sources:
cd ./DIE/fuzz/TS/
npm i
node_modules/.bin/tsc
- Install AFL
The DIE source tree ships its own copy of AFL, located in DIE/fuzz/afl
(use the AFL version that DIE provides here rather than an upstream one).
For detailed installation steps, see this article: AFL installation tutorial.
- After AFL is installed, instrument the JS engine (ChakraCore is used here):
When instrumenting the engine with AFL, the version of afl-clang-fast must match the version of clang, otherwise errors may occur. afl-clang-fast is a wrapper that invokes clang and loads afl-llvm-pass.so, and that pass is built against one specific LLVM: build AFL's llvm_mode against the same LLVM as the clang-6.0 installed above (the llvm_mode Makefile takes it from the LLVM_CONFIG variable, e.g. LLVM_CONFIG=llvm-config-6.0), or clang will refuse to load the pass.
# Enter the engines directory
cd ~/DIE/engines
# Download the ChakraCore 1.11.24 source
wget https://github.com/chakra-core/ChakraCore/archive/v1.11.24.zip
# Unzip and rename
unzip v1.11.24.zip
# The directory name must be lowercase here
mv ChakraCore-1.11.24 chakracore-1.11.24
# Edit the proxy.py file
vi ./compiler/proxy.py
Change these lines of proxy.py:
line8: this_is_chakra = True
line9: this_is_v8 = False
Comment out this line of proxy.py:
line114: new_cmdline = rewrite(new_cmdline)
# Instrument the engine with AFL
./build-ch-cov.sh 1.11.24
# Verify that the instrumented engine works (write your own test case for this; not covered here)
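The tutorial leaves the last step, checking that the instrumented ch binary actually reports coverage, to the reader. The script below is an added example, not code from the DIE repository or from the tutorial's author. It uses two checks that AFL itself relies on: afl-fuzz decides a target is instrumented by finding the string __AFL_SHM_ID in the binary, and afl-showmap runs the target once and prints one "tuple:hits" line per edge that was exercised. The paths to ch and afl-showmap are assumptions that follow the tutorial's layout, and the JavaScript probe is a constructed input.

```bash
#!/usr/bin/env bash
# Added example, not part of the DIE repository or the tutorial: two sanity
# checks for the AFL-instrumented ChakraCore shell produced by build-ch-cov.sh.
# The paths are assumptions that follow the tutorial's layout; override them
# through the environment if yours differ.
CH="${CH:-$HOME/DIE/engines/chakracore-1.11.24/out/Debug/ch}"
AFL_SHOWMAP="${AFL_SHOWMAP:-$HOME/DIE/fuzz/afl/afl-showmap}"

# Check 1: afl-fuzz itself decides whether a target is instrumented by
# searching the binary for the string __AFL_SHM_ID (the environment variable
# through which afl-llvm-rt receives the shared-memory coverage map).
# grep -a treats the binary as text so the search works on an ELF file.
is_afl_instrumented() {
    grep -a -q '__AFL_SHM_ID' "$1"
}

# Check 2: afl-showmap runs the target once and writes one "tuple:hits" line
# (zero-padded six-digit tuple id, colon, hit count) per edge that was
# exercised. Count those lines; zero means the build produced no coverage.
count_showmap_edges() {
    grep -c -E '^[0-9]{6}:[0-9]+$' "$1" || true
}

# Feed a small constructed JavaScript probe to the instrumented engine and
# report how many edges it hit. Needs the real binaries, so it is only run
# when this file is invoked with --run, never when it is merely sourced.
probe_instrumented_engine() {
    local probe map edges
    probe="$(mktemp)"
    map="$(mktemp)"
    # Constructed input: a loop that exercises array growth and arithmetic.
    printf 'var a = []; for (var i = 0; i < 1000; i++) { a.push(i * 2); }\nprint(a.length);\n' > "$probe"

    if ! is_afl_instrumented "$CH"; then
        echo "[-] $CH has no __AFL_SHM_ID marker: rebuild it with afl-clang-fast" >&2
        rm -f "$probe" "$map"
        return 1
    fi
    # -q quiet, -t a generous timeout for a Debug build, -m none because JS
    # engines reserve large address ranges; -- ends afl-showmap's own options.
    "$AFL_SHOWMAP" -q -t 10000 -m none -o "$map" -- "$CH" "$probe"
    edges="$(count_showmap_edges "$map")"
    rm -f "$probe" "$map"
    echo "[+] $edges edges hit by the probe"
    [ "$edges" -gt 0 ]
}

# Run the probe only when asked, so the functions above can also be sourced,
# e.g. saved as check_ch_instrumentation.sh (a hypothetical name):
#   bash check_ch_instrumentation.sh --run
if [ "${1:-}" = "--run" ]; then
    probe_instrumented_engine
fi
```

A binary that passes check 1 but yields zero edges in check 2 usually means the engine was linked from objects compiled with the plain clang rather than afl-clang-fast; revisit the proxy.py edits above before fuzzing, because DIE will otherwise run without any coverage feedback.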
DIE server-side setup
- Prepare the corpus:
cd ~/DIE/
git clone https://github.com/sslab-gatech/DIE-corpus.git
python3 ./fuzz/scripts/make_initial_corpus.py ./DIE-corpus ./corpus
- Install tmux (similar to screen); a tutorial is available here:
sudo apt-get install tmux
- Create the port forwarding:
tmux new-session -s ssh-tunneling -d 'ssh -L 9000:localhost:6379 user@host'
This forwards local port 9000 to port 6379 on the machine running redis-server (user@host is that machine; replace it with your own). Redis has no authentication enabled by default, so keep it bound to 127.0.0.1 on the server and let the fuzzers reach it only through this tunnel instead of exposing port 6379.
- View the session (you may be prompted for the SSH password):
tmux attach -t ssh-tunneling
Ctrl+b then d detaches from the session.
- Populate the server with the corpus:
./fuzz/scripts/populate.sh ./engines/chakracore-1.11.24/out/Debug/ch ./DIE-corpus/ ch
- This creates a new session named corpus; attach to inspect it:
tmux attach -t corpus
Ctrl+b then d detaches from the session.
Output like the following indicates a successful setup:
[*] Command: node ./fuzz/afl/../TS/redis_ctrl.js insertPath ./corpus/output-11/001487-corpus.js output-11/.cov_diff
[*] Checking corpus: ./corpus/output-11/001488-corpus.js
[*] Insert a new path: ./corpus/output-11/001488-corpus.js
[*] Command: node ./fuzz/afl/../TS/redis_ctrl.js insertPath ./corpus/output-11/001488-corpus.js output-11/.cov_diff
[*] Checking corpus: ./corpus/output-11/001489-corpus.js
[*] Insert a new path: ./corpus/output-11/001489-corpus.js
[*] Command: node ./fuzz/afl/../TS/redis_ctrl.js insertPath ./corpus/output-11/001489-corpus.js output-11/.cov_diff
[*] Checking corpus: ./corpus/output-11/001490-corpus.js
[*] Insert a new path: ./corpus/output-11/001490-corpus.js
[*] Command: node ./fuzz/afl/../TS/redis_ctrl.js insertPath ./corpus/output-11/001490-corpus.js output-11/.cov_diff
+++ Testing aborted by user +++
[+] We're done here. Have a nice day!
- Check the data in Redis (through the tunnel on port 9000):
redis-cli -p 9000
127.0.0.1:9000> keys *
1) "fuzzers:fuzzer-xibeiidaxue-X299-WU8-9e57fc045c2444df-1086"
2) "fuzzers:fuzzer-xibeiidaxue-X299-WU8-9e57fc045c2444df-1044"
3) "fuzzers:fuzzer-xibeiidaxue-X299-WU8-9e57fc045c2444df-1069"
4) "fuzzers:fuzzer-xibeiidaxue-X299-WU8-9e57fc045c2444df-3869"
5) "fuzzers:fuzzer-xibeiidaxue-X299-WU8-9e57fc045c2444df-3880"
6) "fuzzers:fuzzer-xibeiidaxue-X299-WU8-9e57fc045c2444df-3885"
7) "newPathsQueue"
8) "oldPathsQueue"
9) "fuzzers:fuzzer-xibeiidaxue-X299-WU8-9e57fc045c2444df-1076"
10) "fuzzers:fuzzer-xibeiidaxue-X299-WU8-9e57fc045c2444df-3848"
11) "crashBitmap"
12) "fuzzers:fuzzer-xibeiidaxue-X299-WU8-9e57fc045c2444df-3897"
13) "fuzzers:fuzzer-xibeiidaxue-X299-WU8-9e57fc045c2444df-3852"
14) "fuzzers:fuzzer-xibeiidaxue-X299-WU8-9e57fc045c2444df-1053"
15) "fuzzers:fuzzer-xibeiidaxue-X299-WU8-9e57fc045c2444df-1032"
16) "pathBitmap"
17) "fuzzers:fuzzer-xibeiidaxue-X299-WU8-9e57fc045c2444df-3875"
18) "fuzzers:fuzzer-xibeiidaxue-X299-WU8-9e57fc045c2444df-3892"
19) "fuzzers:fuzzer-xibeiidaxue-X299-WU8-9e57fc045c2444df-1049"
20) "fuzzers:fuzzer-xibeiidaxue-X299-WU8-9e57fc045c2444df-1081"
21) "fuzzers:fuzzer-xibeiidaxue-X299-WU8-9e57fc045c2444df-3858"
22) "fuzzers:fuzzer-xibeiidaxue-X299-WU8-9e57fc045c2444df-1027"
23) "fuzzers:fuzzer-xibeiidaxue-X299-WU8-9e57fc045c2444df-1037"
24) "fuzzers:fuzzer-xibeiidaxue-X299-WU8-9e57fc045c2444df-3902"
25) "fuzzers:fuzzer-xibeiidaxue-X299-WU8-9e57fc045c2444df-3842"
26) "fuzzers:fuzzer-xibeiidaxue-X299-WU8-9e57fc045c2444df-1059"
27) "fuzzers:fuzzer-xibeiidaxue-X299-WU8-9e57fc045c2444df-3863"
28) "fuzzers"
29) "crashQueue"
30) "fuzzers:fuzzer-xibeiidaxue-X299-WU8-9e57fc045c2444df-1064"
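Reading thirty raw keys by eye does not scale once several hosts join the campaign. The script below is an added example, not part of DIE or this tutorial: it turns a key dump like the one above into a short health summary (how many fuzzer instances registered, from which hosts, and whether the shared queues and bitmaps exist) and adds a live helper that reports each shared key's size through the tunnel. The key layout fuzzers:fuzzer-<host>-<16 hex chars>-<number> and the set of six global key names are inferred from the output on this page and are assumptions; the tunnel port 9000 is the one from the previous step.

```bash
#!/usr/bin/env bash
# Added example, not part of DIE or the tutorial: summarise the keys that
# `redis-cli --raw keys '*'` prints (one key per line on stdin). The layout
# fuzzers:fuzzer-<host>-<16 hex chars>-<number> and the six global key names
# are inferred from the tutorial's output and treated as assumptions.
REDIS_PORT="${REDIS_PORT:-9000}"   # local end of the ssh -L tunnel
EXPECTED_GLOBAL_KEYS="fuzzers newPathsQueue oldPathsQueue crashQueue pathBitmap crashBitmap"

# Number of per-instance registration keys on stdin.
count_fuzzer_instances() {
    grep -c '^fuzzers:fuzzer-' || true
}

# Distinct hostnames embedded in the instance keys; the greedy .* keeps
# hostnames that themselves contain dashes (as in the dump above) intact.
fuzzer_hosts() {
    sed -n 's/^fuzzers:fuzzer-\(.*\)-[0-9a-f]\{16\}-[0-9]\{1,\}$/\1/p' | sort -u
}

# Expected global keys that do not appear on stdin, space separated.
missing_global_keys() {
    local keys missing k
    keys="$(cat)"
    missing=""
    for k in $EXPECTED_GLOBAL_KEYS; do
        printf '%s\n' "$keys" | grep -q -x "$k" || missing="$missing $k"
    done
    printf '%s\n' "${missing# }"
}

# Summary over a key list on stdin; non-zero exit if a global key is missing,
# which is the state you see when populate.sh has not run (or ran elsewhere).
summarize_keys() {
    local input missing
    input="$(cat)"
    echo "fuzzer instances: $(printf '%s\n' "$input" | count_fuzzer_instances)"
    echo "hosts: $(printf '%s\n' "$input" | fuzzer_hosts | paste -sd, -)"
    missing="$(printf '%s\n' "$input" | missing_global_keys)"
    if [ -n "$missing" ]; then
        echo "missing global keys: $missing"
        return 1
    fi
    echo "all global keys present"
}

# Live helper: size of one key through the tunnel without assuming its Redis
# type; TYPE tells us which length command applies.
redis_key_len() {
    local t
    t="$(redis-cli -p "$REDIS_PORT" type "$1")"
    case "$t" in
        list)   redis-cli -p "$REDIS_PORT" llen "$1" ;;
        set)    redis-cli -p "$REDIS_PORT" scard "$1" ;;
        zset)   redis-cli -p "$REDIS_PORT" zcard "$1" ;;
        hash)   redis-cli -p "$REDIS_PORT" hlen "$1" ;;
        string) redis-cli -p "$REDIS_PORT" strlen "$1" ;;
        *)      echo "missing ($t)" ;;
    esac
}

# Live usage (needs the ssh-tunneling session from the previous step):
#   redis-cli -p "$REDIS_PORT" --raw keys '*' | summarize_keys
#   for k in $EXPECTED_GLOBAL_KEYS; do echo "$k: $(redis_key_len "$k")"; done
```

Running the two live commands before and after populate.sh, and again once run.sh has started, gives a quick confirmation that new paths are flowing into the shared queues rather than staying local to one fuzzer instance.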
Starting the DIE client
- Check whether the session "ssh-tunneling" exists
If it does, continue with the next step; if it does not, go back to step 3 of "DIE server-side setup" and recreate the tunnel.
- Start fuzzing:
./fuzz/scripts/run.sh ./engines/chakracore-1.11.24/out/Debug/ch ./DIE-corpus/ ch
- This creates a new session named fuzzer; attach to inspect it:
tmux attach -t fuzzer
Ctrl+b then d detaches from the session.
Output like the following indicates that fuzzing is running:
[*] Get a next testcase
[*] Command: node ./fuzz/afl/../TS/redis_ctrl.js getNextTestcase output-11/.cur_input.js
[*] Generating testcases...
[*] Command: timeout 30 node ./fuzz/afl/../TS/esfuzz.js output-11/.cur_input.js output-11/fuzz_inputs 100 1464420064 > /dev/null
[*] Scanning 'output-11/fuzz_inputs'...
[*] Time - Generation: 202.00 ea/s, Execution: 15.54 ea/s
- Inspect the results
cd ~/DIE
cd output-*
crashes: crashing test cases
hangs: test cases that timed out
The purpose of the other directories has not yet been determined.