-rw-r--r-- | GNUmakefile | 3 | ||||
-rw-r--r-- | include/envs.h | 1 | ||||
-rw-r--r-- | qemu_taint/README.md | 6 | ||||
-rwxr-xr-x | qemu_taint/build_qemu_taint.sh (renamed from qemu_taint/build.sh) | 6 | ||||
-rwxr-xr-x | qemu_taint/clean.sh | 4 |
5 files changed, 15 insertions, 5 deletions
diff --git a/GNUmakefile b/GNUmakefile
index 4a0fcdb6..9b064eb6 100644
--- a/GNUmakefile
+++ b/GNUmakefile
@@ -513,6 +513,7 @@ clean:
 $(MAKE) -C examples/argv_fuzzing clean
 $(MAKE) -C qemu_mode/unsigaction clean
 $(MAKE) -C qemu_mode/libcompcov clean
+ test -d qemu_taint/qemu && { cd qemu_taint ; ./clean.sh ; }
 rm -rf qemu_mode/qemu-3.1.1
 ifeq "$(IN_REPO)" "1"
 test -d unicorn_mode/unicornafl && $(MAKE) -C unicorn_mode/unicornafl clean || true
@@ -523,6 +524,7 @@ endif
 deepclean: clean
 rm -rf qemu_mode/qemu-3.1.1.tar.xz
+ rm -rf qemu_taint/qemu
 rm -rf unicorn_mode/unicornafl
 git reset --hard >/dev/null 2>&1 || true
@@ -580,6 +582,7 @@ install: all $(MANPAGES)
 install -m 755 $(PROGS) $(SH_PROGS) $${DESTDIR}$(BIN_PATH)
 rm -f $${DESTDIR}$(BIN_PATH)/afl-as
 if [ -f afl-qemu-trace ]; then install -m 755 afl-qemu-trace $${DESTDIR}$(BIN_PATH); fi
+ if [ -f afl-qemu-taint ]; then install -m 755 afl-qemu-taint $${DESTDIR}$(BIN_PATH); fi
 if [ -f afl-gcc-fast ]; then set e; install -m 755 afl-gcc-fast $${DESTDIR}$(BIN_PATH); ln -sf afl-gcc-fast $${DESTDIR}$(BIN_PATH)/afl-g++-fast; install -m 755 afl-gcc-pass.so afl-gcc-rt.o $${DESTDIR}$(HELPER_PATH); fi
 if [ -f afl-clang-fast ]; then $(MAKE) -C llvm_mode install; fi
 if [ -f libdislocator.so ]; then set -e; install -m 755 libdislocator.so $${DESTDIR}$(HELPER_PATH); fi
diff --git a/include/envs.h b/include/envs.h
index 96ae91ba..bd97b9cd 100644
--- a/include/envs.h
+++ b/include/envs.h
@@ -123,6 +123,7 @@ static char *afl_environment_variables[] = {
 "AFL_SKIP_BIN_CHECK",
 "AFL_SKIP_CPUFREQ",
 "AFL_SKIP_CRASHES",
+ "AFL_TAINT_INPUT",
 "AFL_TMIN_EXACT",
 "AFL_TMPDIR",
 "AFL_TOKEN_FILE",
diff --git a/qemu_taint/README.md b/qemu_taint/README.md
index e78e918d..c842da0e 100644
--- a/qemu_taint/README.md
+++ b/qemu_taint/README.md
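Review bot: The new `test -d qemu_taint/qemu && { cd qemu_taint ; ./clean.sh ; }` line in the clean hunk makes `make clean` stop with an error whenever qemu_taint/qemu has not been cloned, because the recipe line's exit status is that of the failed `test` (unless make is run with -i/-k); the unicornafl line two lines below already guards the same situation with a trailing `|| true`. Using `;` after `cd` also means that if the `cd` ever fails, `./clean.sh` is looked up in the repository root rather than in qemu_taint. Suggest `test -d qemu_taint/qemu && { cd qemu_taint && ./clean.sh ; } || true`. The clean target continues outside the hunk.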
@@ -1,9 +1,11 @@
 # qemu_taint
+
 First level taint implementation with qemu for linux user mode **THIS IS NOT WORKING YET** **WIP**
 ## What is this for
+
 On new queue entries (newly discovered paths into the target) this tainter is run with the new input and the data gathered which bytes in the input file are actually touched.
@@ -11,17 +13,21 @@ file are actually touched.
 Only touched bytes are then fuzzed by afl-fuzz
 ## How to build
+
 ./build_qemu_taint.sh
 ## How to use
+
 Add the -T flag to afl-fuzz
 ## Caveats
+
 For some targets this is amazing and improves fuzzing a lot, but if a target copies all input bytes first (e.g. for creating a crc checksum or just to safely work with the data), then this is not helping at all.
 ## Future
+
 Two fuzz modes for a queue entry which will be switched back and forth:
 1. fuzz all touched bytes
diff --git a/qemu_taint/build.sh b/qemu_taint/build_qemu_taint.sh
index 461ead68..b54c3e04 100755
--- a/qemu_taint/build.sh
+++ b/qemu_taint/build_qemu_taint.sh
@@ -1,7 +1,7 @@
 #!/bin/bash
 test -d qemu || git clone https://github.com/vanhauser-thc/qemu_taint qemu || exit 1
 cd qemu || exit 1
-test -d .git || { git stash ; git pull ; }
-cp -fv ../../include/config.h ../../include/types.h .
-./build.sh
+test -d .git && { git stash ; git pull ; }
+cp -fv ../../include/config.h ../../include/types.h . || exit 1
+./build.sh || exit 1
 cp -fv ./afl-qemu-taint ../..
diff --git a/qemu_taint/clean.sh b/qemu_taint/clean.sh
index 0046c6c0..10c44cac 100755
--- a/qemu_taint/clean.sh
+++ b/qemu_taint/clean.sh
@@ -1,3 +1,3 @@
 #!/bin/sh
-rm -f afl-qemu-taint
-test -d qemu && rm -f qemu
+rm -f afl-qemu-taint qemu/afl-qemu-taint ../afl-qemu-taint
+test -d qemu && { cd qemu ; ./clean.sh ; } |
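Review bot: build_qemu_taint.sh still builds and runs whatever is at the head of https://github.com/vanhauser-thc/qemu_taint at the moment it runs: the clone is not pinned, the corrected `test -d .git && { git stash ; git pull ; }` moves an existing checkout to the latest upstream commit, and that checkout's `./build.sh` is then executed on the build host, so anyone able to push to that repository controls code run by every AFL++ user who builds this mode. Record the revision this was tested against and check it out after the pull, e.g. `git checkout "${QEMU_TAINT_REV:-<tested commit>}" || exit 1` with the hash filled in by the committer, so an update of the dependency is a deliberate, reviewable change. Two smaller gaps in the same hunk: a failing `git pull` inside the braces is not propagated, and the final `cp -fv ./afl-qemu-taint ../..` is the only step still without `|| exit 1`, so a copy failure presumably leaves a stale binary from an earlier build in place while the script reports success.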
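Review bot: In clean.sh, `test -d qemu && { cd qemu ; ./clean.sh ; }` is the script's last command, so a direct `./clean.sh` exits 1 whenever qemu/ has not been cloned (the GNUmakefile happens to guard its call with its own `test -d`, but the script on its own reports failure). More importantly, `cd qemu` is followed by `;` rather than `&&`, so a `cd` that fails (for example on permissions) runs `./clean.sh` in the current directory, which is this script invoking itself. Suggest `test -d qemu && { cd qemu && ./clean.sh ; } || true`, which also keeps a clean-up script from failing the caller; this assumes the upstream checkout provides its own clean.sh, which is not visible here.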