diff options
Diffstat (limited to 'nyx_mode')
| -rw-r--r-- | nyx_mode/LIBNYX_VERSION | 2 | ||||
| -rw-r--r-- | nyx_mode/PACKER_VERSION | 2 | ||||
| m--------- | nyx_mode/QEMU-Nyx | 0 | ||||
| -rw-r--r-- | nyx_mode/QEMU_NXY_VERSION | 1 | ||||
| -rw-r--r-- | nyx_mode/QEMU_NYX_VERSION | 1 | ||||
| -rw-r--r-- | nyx_mode/README.md | 218 | ||||
| -rwxr-xr-x | nyx_mode/build_nyx_support.sh | 2 | ||||
| -rw-r--r-- | nyx_mode/custom_harness/example.c | 209 | ||||
| m--------- | nyx_mode/libnyx | 0 | ||||
| m--------- | nyx_mode/packer | 0 | ||||
| -rwxr-xr-x | nyx_mode/update_ref.sh | 2 |
11 files changed, 266 insertions, 171 deletions
diff --git a/nyx_mode/LIBNYX_VERSION b/nyx_mode/LIBNYX_VERSION index 1ac5611b..b45b4e90 100644 --- a/nyx_mode/LIBNYX_VERSION +++ b/nyx_mode/LIBNYX_VERSION @@ -1 +1 @@ -ecbcb2d +2e45754 diff --git a/nyx_mode/PACKER_VERSION b/nyx_mode/PACKER_VERSION index 2596e40f..43488114 100644 --- a/nyx_mode/PACKER_VERSION +++ b/nyx_mode/PACKER_VERSION @@ -1 +1 @@ -f91742c +76100c5 diff --git a/nyx_mode/QEMU-Nyx b/nyx_mode/QEMU-Nyx -Subproject d5a7011ad20ba5ba91f1371f9d40154035d5d76 +Subproject c2c69cfc528398d9db9363b92f8c50db4008c98 diff --git a/nyx_mode/QEMU_NXY_VERSION b/nyx_mode/QEMU_NXY_VERSION deleted file mode 100644 index d2f0328b..00000000 --- a/nyx_mode/QEMU_NXY_VERSION +++ /dev/null @@ -1 +0,0 @@ -acc90e462b diff --git a/nyx_mode/QEMU_NYX_VERSION b/nyx_mode/QEMU_NYX_VERSION new file mode 100644 index 00000000..be13a784 --- /dev/null +++ b/nyx_mode/QEMU_NYX_VERSION @@ -0,0 +1 @@ +c2c69cfc52 diff --git a/nyx_mode/README.md b/nyx_mode/README.md index f975c764..09421f27 100644 --- a/nyx_mode/README.md +++ b/nyx_mode/README.md @@ -1,7 +1,7 @@ -# Nyx Mode +# Nyx mode -Nyx is a full system emulation fuzzing mode that supports snapshotting and -can be used for both source code based instrumentation and binary-only targets. +Nyx is a full system emulation fuzzing mode that supports snapshotting and can +be used for both source code based instrumentation and binary-only targets. It is recommended to be used if the target cannot be fuzzed in persistent mode (so default fork mode fuzzing is used). @@ -10,80 +10,83 @@ It is only available on Linux and is currently restricted to x86_x64 however aarch64 support is in the works (but the host must then run on aarch64 too). Underneath it is built upon KVM and QEMU and requires a modern Linux kernel -(5.11+) for fuzzing source code based instrumented targets (e.g. -`afl-clang-fast`). To fuzz binary-only targets, this is done via Intel PT -and requires an Intel processor (6th generation onwards) and a special -5.10 kernel (see [KVM-Nyx](https://github.com/nyx-fuzz/KVM-Nyx)). +(5.11+) for fuzzing source code based instrumented targets (e.g., +`afl-clang-fast`). To fuzz binary-only targets, this is done via Intel PT and +requires an Intel processor (6th generation onwards) and a special 5.10 kernel +(see [KVM-Nyx](https://github.com/nyx-fuzz/KVM-Nyx)). ## Building Nyx mode 1. Install all the packages from [docs/INSTALL.md](../docs/INSTALL.md). -2. Additionally install the following packages: +2. Additionally, install the following packages: -```shell -apt-get install -y libgtk-3-dev pax-utils python3-msgpack python3-jinja2 -``` + ```shell + apt-get install -y libgtk-3-dev pax-utils python3-msgpack python3-jinja2 + ``` -3. As Nyx is written in Rust, install the newest rust compiler (rust packages - in the Linux distribution are usually too old to be able to build Nyx): +3. As Nyx is written in Rust, install the newest rust compiler (rust packages in + the Linux distribution are usually too old to be able to build Nyx): -```shell -curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -``` + ```shell + curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh + ``` 4. Finally build Nyx mode: -```shell -./build_nyx_support.sh -``` + ```shell + ./build_nyx_support.sh + ``` 5. Optionally, for binary-only fuzzing: set up the required 5.10 kernel, see - [KVM-Nyx](https://github.com/nyx-fuzz/KVM-Nyx). + [KVM-Nyx](https://github.com/nyx-fuzz/KVM-Nyx). ## Preparing to fuzz a target with Nyx mode +For source instrumented fuzzing you can use any afl-cc mode, with LTO even +auto-dictionary is supported. +Note the CMPLOG is currently not supported (yet). + Nyx uses full system emulation hence your fuzzing targets have to be especially packaged. -**For source code based instrumentation with `afl-clang-fast` for the time -being these must be instrumented to `AFL_LLVM_INSTRUMENT=AFL` to work!** - With your target ready at hand execute the following command (note that for binary-only fuzzing with the special 5.10 kernel switch the -option `instrumentation` below with `process_trace`): +option `instrumentation` below with `processor_trace`): ```shell python3 nyx_mode/packer/packer/nyx_packer.py \ - /PATH/TO/TARGET \ - PACKAGE-DIRECTORY \ - afl \ - instrumentation \ - --fast_reload_mode \ - --purge + /PATH/TO/TARGET \ + PACKAGE-DIRECTORY \ + afl \ + instrumentation \ + --fast_reload_mode \ + --purge ``` This will create a directory with all necessary files and the Nyx configuration. -The name of the directory will be whatever you choose for PACKAGE-DIRECTORY +The name of the directory will be whatever you choose for `PACKAGE-DIRECTORY` above. In the final step for the packaging we generate the Nyx configuration: + ```shell python3 nyx_mode/packer/packer/nyx_config_gen.py PACKAGE-DIRECTORY Kernel ``` ## Fuzzing with Nyx mode -All the hard parts are done, fuzzing with Nyx mode is easy - just supply -the PACKAGE-DIRECTORY as fuzzing target and specify the `-X` option to afl-fuzz: +All the hard parts are done, fuzzing with Nyx mode is easy - just supply the +`PACKAGE-DIRECTORY` as fuzzing target and specify the `-X` option to afl-fuzz: ```shell afl-fuzz -i in -o out -X -- ./PACKAGE-DIRECTORY ``` Most likely your first run will fail because the Linux modules have to be -specially set up, but afl-fuzz will tell you this on startup and how to -rectify the situation: +specially set up, but afl-fuzz will tell you this on startup and how to rectify +the situation: + ``` sudo modprobe -r kvm-intel # or kvm-amd for AMD processors sudo modprobe -r kvm @@ -94,10 +97,10 @@ sudo modprobe kvm-intel # or kvm-amd for AMD processors If you want to fuzz in parallel (and you should!), then this has to be done in a special way: - * Instead of `-X` (standalone mode) you specify `-Y` (multi processor mode). - * First a Main afl-fuzz instance has to be started with `-M 0` - * Only afterwards can you start Secondary afl-fuzz instances, which must have - an increasing number value, starting at 1, e.g. `-S 1` +* Instead of `-X` (standalone mode), you specify `-Y` (multi processor mode). +* First, a Main afl-fuzz instance has to be started with `-M 0`. +* Only afterwards you can start Secondary afl-fuzz instances, which must have an + increasing number value, starting at 1, e.g., `-S 1`. ```shell afl-fuzz -i in -o out -Y -M 0 -- ./PACKAGE-DIRECTORY @@ -115,21 +118,22 @@ afl-fuzz -i in -o out -Y -S 2 -- ./PACKAGE-DIRECTORY ### Fuzzing libxml2 with AFL++ in Nyx-mode -This tutorial is based on the [Fuzzing libxml2 with AFL++](https://aflplus.plus/docs/tutorials/libxml2_tutorial/) tutorial. +This tutorial is based on the +[Fuzzing libxml2 with AFL++](https://aflplus.plus/docs/tutorials/libxml2_tutorial/) +tutorial. -### Preparing libxml2 +### Preparing libxml2 -First, get the latest libxml2 source files by using `git`: +First, get the latest libxml2 source files by using `git`: ``` git clone https://gitlab.gnome.org/GNOME/libxml2 cd libxml2 ``` -Remember that currently only classic AFL instrumentation is supported! +Next, compile libxml2: ``` -export AFL_LLVM_INSTRUMENT=AFL ./autogen.sh ./configure --enable-shared=no make CC=afl-clang-fast CXX=afl-clang-fast++ LD=afl-clang-fast @@ -139,43 +143,65 @@ make CC=afl-clang-fast CXX=afl-clang-fast++ LD=afl-clang-fast Nyx expects that the target is provided in a certain format. More specifically, the target is passed as a so-called „share directory“ to a Nyx-frontend implementation. The share directory contains the target as well as a folder containing all dependencies and other files that are copied over to the guest. But more importantly, this share directory also contains a bootstrap script (`fuzz.sh`if you are using `KVM-Nyx`otherwise `fuzz_no_pt.sh`) that is also executed right after launching the fuzzer. Both bootstrap scripts use several tools to communicate with the "outer world": -- `hcat` - this tool copies a given string to the host -- `hget` - this program requests a file from the host's share directory -- `hget_bulk` - an improved version of `hget`. It is quite useful if you want to transfer huge files. But please keep in mind that this version of `hget` has a much larger startup overhead and won't improve your transfer rates on small files (typically files smaller than 100MB). -- `habort` - this tool basically sends an abort signal to the host (useful if something went wrong during bootstrap) -- `hpush` - a tool to transfer a given file to the host (the transfered file will be put in the `dump/` folder of your Nyx workdir) - -Those tools are all using hypercalls which are defined in `packer/nyx.h`. We will give some more examples later on how to use these hypercalls directly to implement custom fuzzing harnesses. +- `hcat` - this tool copies a given string to the host +- `hget` - this program requests a file from the host's share directory +- `hget_bulk` - an improved version of `hget`. It is quite useful if you want to + transfer huge files. But please keep in mind that this version of `hget` has a + much larger startup overhead and won't improve your transfer rates on small + files (typically files smaller than 100 MB). +- `habort` - this tool basically sends an abort signal to the host (useful if + something went wrong during bootstrap) +- `hpush` - a tool to transfer a given file to the host (the transferred file + will be put in the `dump/` folder of your Nyx workdir) + +Those tools are all using hypercalls which are defined in `packer/nyx.h`. We +will give some more examples later on how to use these hypercalls directly to +implement custom fuzzing harnesses. ### Pack libxml2 into Nyx sharedir format -To turn a given linux target into the Nyx format, you can simply use `nyx_packer.py`. To do so, move to the following directory: +To turn a given linux target into the Nyx format, you can simply use +`nyx_packer.py`. To do so, move to the following directory: ``` cd nyx_mode/packer/packer ``` - And run the tool with the following options to pack `libxml2`: +And run the tool with the following options to pack `libxml2`: -```. -python3 ./nyx_packer.py \ - ~/libxml2/xmllint \ - /tmp/nyx_libxml2 \ - afl \ - instrumentation \ - -args "/tmp/input" \ - -file "/tmp/input" \ - --fast_reload_mode \ - --purge ``` - -In this example, the packer will take `xmllint`, recursively get all dependencies and put both into the specified share directory (`/tmp/nyx_libxml2` in this case). Because we have selected the `afl` option, an `ld_preload`-based agent is also automatically built and put into the sharedir. Another option would be `spec`. Without going into too much detail here, the `spec`mode is only used by Nyx's [spec-fuzzer](https://github.com/nyx-fuzz/spec-fuzzer) implementation. Next, since our target is built with compile-time instrumentations, we must select the `instrumentation` option, otherwise we could also use `processor-trace` option to enable Intel-PT fuzzing on targets without instrumentation. - -To specify that the input generated by the fuzzer is passed as a seperate file to the target, we need to set the `-file` option. Otherwise, the input will be passed over to the target via `stdin`. To specify any required `argv` options you can use the `-args`parameter. - -In case you want to fuzz the target only with fast snapshots enabled, you can also set the `--fast_reload_mode` option to improve performance. - -Finally, we need to generate a Nyx configuration file. Simply run the following command and you're good to proceed: +python3 ./nyx_packer.py \ + ~/libxml2/xmllint \ + /tmp/nyx_libxml2 \ + afl \ + instrumentation \ + -args "/tmp/input" \ + -file "/tmp/input" \ + --fast_reload_mode \ + --purge +``` + +In this example, the packer will take `xmllint`, recursively get all +dependencies and put both into the specified share directory (`/tmp/nyx_libxml2` +in this case). Because we have selected the `afl` option, an `ld_preload`-based +agent is also automatically built and put into the sharedir. Another option +would be `spec`. Without going into too much detail here, the `spec` mode is +only used by Nyx's [spec-fuzzer](https://github.com/nyx-fuzz/spec-fuzzer) +implementation. Next, since our target is built with compile-time +instrumentations, we must select the `instrumentation` option, otherwise we +could also use `processor-trace` option to enable Intel-PT fuzzing on targets +without instrumentation. + +To specify that the input generated by the fuzzer is passed as a separate file +to the target, we need to set the `-file` option. Otherwise, the input will be +passed over to the target via `stdin`. To specify any required `argv` options, +you can use the `-args` parameter. + +In case you want to fuzz the target only with fast snapshots enabled, you can +also set the `--fast_reload_mode` option to improve performance. + +Finally, we need to generate a Nyx configuration file. Simply run the following +command and you're good to proceed: ``` python3 ./nyx_config_gen.py /tmp/nyx_libxml2/ Kernel @@ -183,15 +209,17 @@ python3 ./nyx_config_gen.py /tmp/nyx_libxml2/ Kernel ### Run Nyx mode -From here on, we are almost done. Move to the AFL++ top directory and start the fuzzer with the following arguments: +From here on, we are almost done. Move to the AFL++ top directory and start the +fuzzer with the following arguments: ```shell -mkdir /tmp/in/ # create an input folder -echo "AAAA" >> /tmp/in/A # create a dummy input file +mkdir /tmp/in/ # create an input folder +echo "AAAA" >> /tmp/in/A # create a dummy input file ./afl-fuzz -i /tmp/in/ -o /tmp/out -X /tmp/nyx_libxml2/ ``` -If everything has been successfully set up to this point, you will now be welcomed by the following AFL++ screen: +If everything has been successfully set up to this point, you will now be +welcomed by the following AFL++ screen: ``` american fuzzy lop ++3.15a {default} (/tmp/nyx_libxml2/) [fast] - NYX @@ -220,46 +248,64 @@ If everything has been successfully set up to this point, you will now be welcom └────────────────────────────────────────────────────┘ ``` -If you want to run the fuzzer in distributed mode, which might be especially useful if you want to keep your memory footprint low, we got you covered. To start an initiating `parent` process, which will also create the snapshot which is later shared across all other `child`s, simply run AFL++Nyx with the following arguments: +If you want to run the fuzzer in distributed mode, which might be especially +useful if you want to keep your memory footprint low, we got you covered. To +start an initiating `parent` process, which will also create the snapshot which +is later shared across all other `child`s, simply run AFL++Nyx with the +following arguments: ``` ./afl-fuzz -i /tmp/in/ -o /tmp/out -d -Y -M 0 /tmp/nyx_libxml2/ ``` -To attach other child processes adjust the `-S <id>` and run the following command: +To attach other child processes adjust the `-S <id>` and run the following +command: ``` ./afl-fuzz -i /tmp/in/ -o /tmp/out -d -Y -S 1 /tmp/nyx_libxml2/ ``` -If you want to disable fast snapshots (except for crashes), you can simply set the `NYX_DISABLE_SNAPSHOT_MODE` environment variable. +If you want to disable fast snapshots (except for crashes), you can simply set +the `NYX_DISABLE_SNAPSHOT_MODE` environment variable. ### Run AFL++Nyx with a custom agent -Most of the common use-cases for linux userland targets are already handled by our general purpose [agent](https://github.com/nyx-fuzz/packer/blob/main/packer/linux_x86_64-userspace/src/ld_preload_fuzz.c) implementation. But in case you want to build your own agent, or write a custom harness for a specific target or you just want to implement all the hypercall and shared memory communication on your own, you can use our custom harness example as a starting point for that. You can find the code [here](custom_harness/) +Most of the common use-cases for linux userland targets are already handled by +our general purpose +[agent](https://github.com/nyx-fuzz/packer/blob/main/packer/linux_x86_64-userspace/src/ld_preload_fuzz.c) +implementation. But in case you want to build your own agent, or write a custom +harness for a specific target or you just want to implement all the hypercall +and shared memory communication on your own, you can use our custom harness +example as a starting point for that. You can find the code in +[custom_harness/](./custom_harness/). -This custom harness can be statically compiled with by gcc or clang. There is no need to use an AFL compiler, because this agent implements its own very basic coverage tracking by simply setting specific bytes in the "coverage" bitmap after specific branches have been covered. +This custom harness can be statically compiled with by gcc or clang. There is no +need to use an AFL compiler, because this agent implements its own very basic +coverage tracking by simply setting specific bytes in the "coverage" bitmap +after specific branches have been covered. -To prepare this target, we must first create a new folder that will later become the sharedir. +To prepare this target, we must first create a new folder that will later become +the sharedir. ```` mkdir /tmp/nyx_custom_agent/ ```` - To compile this example, run the following command (remove the `-DNO_PT_NYX` option if you are using KVM-Nyx ): +To compile this example, run the following command (remove the `-DNO_PT_NYX` +option if you are using KVM-Nyx): ``` -gcc example.c -DNO_PT_NYX -static -I ./packer/ -o /tmp/nyx_custom_agent/target +gcc example.c -DNO_PT_NYX -static -I ../packer/ -o /tmp/nyx_custom_agent/target ``` -Copy both bootstrap scripts into the sharedir: +Copy both bootstrap scripts into the sharedir: ``` cp fuzz.sh /tmp/nyx_custom_agent cp fuzz_no_pt.sh /tmp/nyx_custom_agent ``` -Copy all `htools` executables into the sharedir: +Copy all `htools` executables into the sharedir: ``` cd ~/AFLplusplus/packer/packer/linux_x86_64-userspace/ @@ -267,7 +313,7 @@ sh compile_64.sh cp bin64/h* /tmp/nyx_custom_agent/ ``` -And finally, generate a Nyx configuration: +And finally, generate a Nyx configuration: ``` cd ~/AFLplusplus/packer/packer diff --git a/nyx_mode/build_nyx_support.sh b/nyx_mode/build_nyx_support.sh index 8626342d..b6c1d54e 100755 --- a/nyx_mode/build_nyx_support.sh +++ b/nyx_mode/build_nyx_support.sh @@ -53,7 +53,7 @@ fi echo "[*] Checking QEMU-Nyx ..." if [ ! -f "QEMU-Nyx/x86_64-softmmu/qemu-system-x86_64" ]; then cd QEMU-Nyx/ - ./compile_qemu_nyx.sh || exit 1 + ./compile_qemu_nyx.sh static || exit 1 cd .. fi diff --git a/nyx_mode/custom_harness/example.c b/nyx_mode/custom_harness/example.c index 0b12e60b..dd268534 100644 --- a/nyx_mode/custom_harness/example.c +++ b/nyx_mode/custom_harness/example.c @@ -4,88 +4,137 @@ #include <inttypes.h> #include "nyx.h" -/* this is our "bitmap" that is later shared with the fuzzer (you can also pass the pointer of the bitmap used by compile-time instrumentations in your target) */ -uint8_t* trace_buffer[64*1024] = {0}; - -int main(int argc, char** argv){ - /* if you want to debug code running in Nyx, hprintf() is the way to go. - * Long story short -- it's just a guest-to-hypervisor printf. Hence the name "hprintf" - */ - hprintf("Agent test\n"); - - /* Request information on available (host) capabilites (optional) */ - host_config_t host_config; - kAFL_hypercall(HYPERCALL_KAFL_GET_HOST_CONFIG, (uintptr_t)&host_config); - hprintf("[capablities] host_config.bitmap_size: 0x%"PRIx64"\n", host_config.bitmap_size); - hprintf("[capablities] host_config.ijon_bitmap_size: 0x%"PRIx64"\n", host_config.ijon_bitmap_size); - hprintf("[capablities] host_config.payload_buffer_size: 0x%"PRIx64"x\n", host_config.payload_buffer_size); - - /* Submit agent configuration */ - memset(trace_buffer, 0, 64*1024); // makes sure that the bitmap buffer is already mapped into the guest's memory (alternatively you can use mlock) */ - agent_config_t agent_config = {0}; - agent_config.agent_timeout_detection = 0; /* timeout detection is implemented by the agent (currently not used) */ - agent_config.agent_tracing = 1; /* set this flag to propagade that instrumentation-based fuzzing is availabe */ - agent_config.agent_ijon_tracing = 0; /* set this flag to propagade that IJON extension is implmented agent-wise */ - agent_config.trace_buffer_vaddr = (uintptr_t)trace_buffer; /* trace "bitmap" pointer - required for instrumentation-only fuzzing */ - agent_config.ijon_trace_buffer_vaddr = (uintptr_t)NULL; /* "IJON" buffer pointer */ - agent_config.agent_non_reload_mode = 1; /* non-reload mode is supported (usually because the agent implements a fork-server; currently not used) */ - kAFL_hypercall(HYPERCALL_KAFL_SET_AGENT_CONFIG, (uintptr_t)&agent_config); - - /* Tell hypervisor the virtual address of the payload (input) buffer (call mlock to ensure that this buffer stays in the guest's memory)*/ - kAFL_payload* payload_buffer = mmap((void*)0x4000000ULL, PAYLOAD_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS | MAP_FIXED, -1, 0); - mlock(payload_buffer, (size_t)PAYLOAD_SIZE); - memset(payload_buffer, 0, PAYLOAD_SIZE); - kAFL_hypercall(HYPERCALL_KAFL_GET_PAYLOAD, (uintptr_t)payload_buffer); - hprintf("[init] payload buffer is mapped at %p\n", payload_buffer); - - /* the main fuzzing loop */ - while(1){ - - /* Creates a root snapshot on first execution. Also we requested the next input with this hypercall */ - kAFL_hypercall(HYPERCALL_KAFL_USER_FAST_ACQUIRE, 0); // root snapshot <-- +#define TRACE_BUFFER_SIZE (64) + +#define PAGE_SIZE 0x1000 +#define MMAP_SIZE(x) ((x & ~(PAGE_SIZE-1)) + PAGE_SIZE) + +int main(int argc, char **argv) { + + /* if you want to debug code running in Nyx, hprintf() is the way to go. + * Long story short -- it's just a guest-to-hypervisor printf. Hence the name + * "hprintf" + */ + hprintf("Agent test\n"); + + /* Request information on available (host) capabilites (optional) */ + host_config_t host_config; + kAFL_hypercall(HYPERCALL_KAFL_GET_HOST_CONFIG, (uintptr_t)&host_config); + hprintf("[capablities] host_config.bitmap_size: 0x%" PRIx64 "\n", + host_config.bitmap_size); + hprintf("[capablities] host_config.ijon_bitmap_size: 0x%" PRIx64 "\n", + host_config.ijon_bitmap_size); + hprintf("[capablities] host_config.payload_buffer_size: 0x%" PRIx64 "x\n", + host_config.payload_buffer_size); + + /* this is our "bitmap" that is later shared with the fuzzer (you can also + * pass the pointer of the bitmap used by compile-time instrumentations in + * your target) */ + uint8_t *trace_buffer = mmap(NULL, MMAP_SIZE(TRACE_BUFFER_SIZE), PROT_READ | + PROT_WRITE, MAP_SHARED | MAP_ANONYMOUS, -1, 0); + memset(trace_buffer, 0, + TRACE_BUFFER_SIZE); // makes sure that the bitmap buffer is already + // mapped into the guest's memory (alternatively + // you can use mlock) */ + + /* Submit agent configuration */ + agent_config_t agent_config = {0}; + agent_config.agent_magic = NYX_AGENT_MAGIC; + agent_config.agent_version = NYX_AGENT_VERSION; + agent_config.agent_timeout_detection = + 0; /* timeout detection is implemented by the agent (currently not used) + */ + agent_config.agent_tracing = + 1; /* set this flag to propagade that instrumentation-based fuzzing is + availabe */ + agent_config.agent_ijon_tracing = 0; /* set this flag to propagade that IJON + extension is implmented agent-wise */ + agent_config.trace_buffer_vaddr = + (uintptr_t)trace_buffer; /* trace "bitmap" pointer - required for + instrumentation-only fuzzing */ + agent_config.ijon_trace_buffer_vaddr = + (uintptr_t)NULL; /* "IJON" buffer pointer */ + agent_config.agent_non_reload_mode = + 1; /* non-reload mode is supported (usually because the agent implements a + fork-server; currently not used) */ + agent_config.coverage_bitmap_size = TRACE_BUFFER_SIZE; + kAFL_hypercall(HYPERCALL_KAFL_SET_AGENT_CONFIG, (uintptr_t)&agent_config); + + /* Tell hypervisor the virtual address of the payload (input) buffer (call + * mlock to ensure that this buffer stays in the guest's memory)*/ + kAFL_payload *payload_buffer = + mmap(NULL, host_config.payload_buffer_size, PROT_READ | PROT_WRITE, + MAP_SHARED | MAP_ANONYMOUS, -1, 0); + mlock(payload_buffer, (size_t)host_config.payload_buffer_size); + memset(payload_buffer, 0, host_config.payload_buffer_size); + kAFL_hypercall(HYPERCALL_KAFL_GET_PAYLOAD, (uintptr_t)payload_buffer); + hprintf("[init] payload buffer is mapped at %p\n", payload_buffer); + + /* the main fuzzing loop */ + while (1) { + + /* Creates a root snapshot on first execution. Also we requested the next + * input with this hypercall */ + kAFL_hypercall(HYPERCALL_KAFL_USER_FAST_ACQUIRE, 0); // root snapshot <-- #ifdef DEBUG - hprintf("Size: %ld Data: %x %x %x %x\n", payload_buffer->size, - payload_buffer->data[4], - payload_buffer->data[5], - payload_buffer->data[6], - payload_buffer->data[7] - ); + hprintf("Size: %ld Data: %x %x %x %x\n", payload_buffer->size, + payload_buffer->data[4], payload_buffer->data[5], + payload_buffer->data[6], payload_buffer->data[7]); #endif - uint32_t len = payload_buffer->size; - - /* set a byte to make AFL++ happy (otherwise the fuzzer might refuse to start fuzzing at all) */ - ((uint8_t*)trace_buffer)[0] = 0x1; - - if (len >= 4){ - /* set a byte in the bitmap to guide your fuzzer */ - ((uint8_t*)trace_buffer)[0] = 0x1; - if (payload_buffer->data[0] == '!'){ - ((uint8_t*)trace_buffer)[1] = 0x1; - if (payload_buffer->data[1] == 'N'){ - ((uint8_t*)trace_buffer)[2] = 0x1; - if (payload_buffer->data[2] == 'Y'){ - ((uint8_t*)trace_buffer)[3] = 0x1; - if (payload_buffer->data[3] == 'X'){ - ((uint8_t*)trace_buffer)[4] = 0x1; - /* Notifiy the hypervisor and the fuzzer that a "crash" has occured. Also a string is passed by this hypercall (this is currently not supported by AFL++-Nyx) */ - kAFL_hypercall(HYPERCALL_KAFL_PANIC_EXTENDED, (uintptr_t)"Something went wrong\n"); - } - } - } - } - } - /* this hypercall is used to notify the hypervisor and the fuzzer that a single fuzzing "execution" has finished. - * If the reload-mode is enabled, we will jump back to our root snapshot. - * Otherwise, the hypervisor passes control back to the guest once the bitmap buffer has been "processed" by the fuzzer. - */ - kAFL_hypercall(HYPERCALL_KAFL_RELEASE, 0); - - /* This shouldn't happen if you have enabled the reload mode */ - hprintf("This should never happen :)\n"); - } - - - return 0; + uint32_t len = payload_buffer->size; + + /* set a byte to make AFL++ happy (otherwise the fuzzer might refuse to + * start fuzzing at all) */ + ((uint8_t *)trace_buffer)[0] = 0x1; + + if (len >= 4) { + + /* set a byte in the bitmap to guide your fuzzer */ + ((uint8_t *)trace_buffer)[0] = 0x1; + if (payload_buffer->data[0] == '!') { + + ((uint8_t *)trace_buffer)[1] = 0x1; + if (payload_buffer->data[1] == 'N') { + + ((uint8_t *)trace_buffer)[2] = 0x1; + if (payload_buffer->data[2] == 'Y') { + + ((uint8_t *)trace_buffer)[3] = 0x1; + if (payload_buffer->data[3] == 'X') { + + ((uint8_t *)trace_buffer)[4] = 0x1; + /* Notifiy the hypervisor and the fuzzer that a "crash" has + * occured. Also a string is passed by this hypercall (this is + * currently not supported by AFL++-Nyx) */ + kAFL_hypercall(HYPERCALL_KAFL_PANIC_EXTENDED, + (uintptr_t) "Something went wrong\n"); + + } + + } + + } + + } + + } + + /* this hypercall is used to notify the hypervisor and the fuzzer that a + * single fuzzing "execution" has finished. If the reload-mode is enabled, + * we will jump back to our root snapshot. Otherwise, the hypervisor passes + * control back to the guest once the bitmap buffer has been "processed" by + * the fuzzer. + */ + kAFL_hypercall(HYPERCALL_KAFL_RELEASE, 0); + + /* This shouldn't happen if you have enabled the reload mode */ + hprintf("This should never happen :)\n"); + + } + + return 0; + } + diff --git a/nyx_mode/libnyx b/nyx_mode/libnyx -Subproject ecbcb2d7234fef0b5e1db8ca6019e6137ee0582 +Subproject 2e45754e271463f446c31a6f467231d8657910e diff --git a/nyx_mode/packer b/nyx_mode/packer -Subproject f91742ce6c51eee133b5675edd68f39202785db +Subproject 76100c52db96429350693a6c7284c5c6cbcb6b0 diff --git a/nyx_mode/update_ref.sh b/nyx_mode/update_ref.sh index 3e94a42b..898a803f 100755 --- a/nyx_mode/update_ref.sh +++ b/nyx_mode/update_ref.sh @@ -71,7 +71,7 @@ echo "$NEW_VERSION" > "$UC_VERSION_FILE" echo "Done. New XXX version is $NEW_VERSION." -UC_VERSION_FILE='./QEMU_NXY_VERSION' +UC_VERSION_FILE='./QEMU_NYX_VERSION' NEW_VERSION="" cd ./QEMU-Nyx || exit 1 |