path: root/nyx_mode
Diffstat (limited to 'nyx_mode')
-rw-r--r--nyx_mode/LIBNYX_VERSION2
-rw-r--r--nyx_mode/PACKER_VERSION2
m---------nyx_mode/QEMU-Nyx0
-rw-r--r--nyx_mode/QEMU_NYX_VERSION2
-rw-r--r--nyx_mode/README.md49
-rwxr-xr-xnyx_mode/build_nyx_support.sh5
m---------nyx_mode/libnyx0
m---------nyx_mode/packer0
8 files changed, 46 insertions, 14 deletions
diff --git a/nyx_mode/LIBNYX_VERSION b/nyx_mode/LIBNYX_VERSION
index 00165a63..86b32eec 100644
--- a/nyx_mode/LIBNYX_VERSION
+++ b/nyx_mode/LIBNYX_VERSION
@@ -1 +1 @@
-acaf7f6
+2da7f08
diff --git a/nyx_mode/PACKER_VERSION b/nyx_mode/PACKER_VERSION
index a8ebe13a..7db88233 100644
--- a/nyx_mode/PACKER_VERSION
+++ b/nyx_mode/PACKER_VERSION
@@ -1 +1 @@
-86b159b
+202bace
diff --git a/nyx_mode/QEMU-Nyx b/nyx_mode/QEMU-Nyx
-Subproject 5c8cf793ec615b0df5fa722878c8f6906ad7936
+Subproject 60c216bc9e4c79834716d4099993d8397a3a8fd
diff --git a/nyx_mode/QEMU_NYX_VERSION b/nyx_mode/QEMU_NYX_VERSION
index f5888136..98cb134f 100644
--- a/nyx_mode/QEMU_NYX_VERSION
+++ b/nyx_mode/QEMU_NYX_VERSION
@@ -1 +1 @@
-5c8cf793ec
+60c216bc9e
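Review bot: the three pinned hashes in `LIBNYX_VERSION`, `PACKER_VERSION` and `QEMU_NYX_VERSION` agree with the new submodule pointers below (`2da7f08` / `Subproject 2da7f08b6e...`, `202bace` / `Subproject 202bace888...`, `60c216bc9e` / `Subproject 60c216bc9e...`), so the bump is consistent. Minor style point: `QEMU_NYX_VERSION` abbreviates to 10 hex characters while the other two files use 7; pick one width for all three so the files can be compared by the same script.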
diff --git a/nyx_mode/README.md b/nyx_mode/README.md
index 1afedd9b..eee7d363 100644
--- a/nyx_mode/README.md
+++ b/nyx_mode/README.md
@@ -15,6 +15,7 @@ Underneath it is built upon KVM and QEMU and requires a modern Linux kernel
 requires an Intel processor (6th generation onwards) and a special 5.10 kernel
 (see [KVM-Nyx](https://github.com/nyx-fuzz/KVM-Nyx)).
 
+
 ## Building Nyx mode
 
 1. Install all the packages from [docs/INSTALL.md](../docs/INSTALL.md).
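Review bot: this hunk, and the identical ones at `@@ -41,6 +42,7 @@` and `@@ -114,13 +125,39 @@`, only insert a second blank line before a `##` heading. Markdown renders the same with a single blank line and markdownlint's MD012 rule flags consecutive blank lines, so unless the repository deliberately double-spaces before headings these whitespace-only changes should be dropped to keep the diff to the substantive README edits.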
@@ -41,6 +42,7 @@ requires an Intel processor (6th generation onwards) and a special 5.10 kernel
 5. Optionally, for binary-only fuzzing: set up the required 5.10 kernel, see
    [KVM-Nyx](https://github.com/nyx-fuzz/KVM-Nyx).
 
+
 ## Preparing to fuzz a target with Nyx mode
 
 For source instrumented fuzzing you can use any afl-cc mode, with LTO even
@@ -68,12 +70,21 @@ This will create a directory with all necessary files and the Nyx configuration.
 The name of the directory will be whatever you choose for `PACKAGE-DIRECTORY`
 above.
 
-In the final step for the packaging we generate the Nyx configuration:
+Note that if the target reads from a file then use the `-file /path/to/file`
+parameter to the above command.
+
+Note that Nyx does **not** support the afl `@@` argument. Instead pass
+something like `-file /foo.file -args "--file /foo.file --other-args"` to
+the above command.
+
+
+Then the final step: we generate the Nyx package configuration:
 
 ```shell
 python3 nyx_mode/packer/packer/nyx_config_gen.py PACKAGE-DIRECTORY Kernel
 ```
 
+
 ## Fuzzing with Nyx mode
 
 All the hard parts are done, fuzzing with Nyx mode is easy - just supply the
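Review bot: the two new paragraphs beginning `Note that if the target reads from a file` and `Note that Nyx does **not** support the afl `@@` argument` overlap and use different placeholders (`/path/to/file` versus `/foo.file`); merge them into one paragraph along the lines of "Nyx does not support `@@`. If the target reads its input from a file, pass `-file /path/to/file -args "--file /path/to/file --other-args"` to the command above." It is also worth stating where `/path/to/file` has to exist (the wording does not tell the reader whether this is a host path at packing time or a path inside the packaged VM). Finally, "Then the final step: we generate the Nyx package configuration:" reads awkwardly; "The final step generates the Nyx package configuration:" is cleaner.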
@@ -97,7 +108,7 @@ sudo modprobe kvm-intel # or kvm-amd for AMD processors
 If you want to fuzz in parallel (and you should!), then this has to be done in a
 special way:
 
-* Instead of `-X` (standalone mode), you specify `-Y` (multi processor mode).
+* Instead of `-X` (standalone mode), you specify `-Y` (multiprocessor mode).
 * First, a Main afl-fuzz instance has to be started with `-M 0`.
 * Only afterwards you can start Secondary afl-fuzz instances, which must have an
   increasing number value, starting at 1, e.g., `-S 1`.
@@ -114,13 +125,39 @@ afl-fuzz -i in -o out -Y -S 1 -- ./PACKAGE-DIRECTORY
 afl-fuzz -i in -o out -Y -S 2 -- ./PACKAGE-DIRECTORY
 ```
 
+
 ## AFL++ companion tools (afl-showmap etc.)
 
-Please note that AFL++ companion tools like afl-cmin, afl-showmap, etc. are
-not supported with Nyx mode, only afl-fuzz.
+AFL++ companion tools support Nyx mode and can be used to analyze or minimize one specific input or an entire output corpus. These tools work similarly to `afl-fuzz`. 
+
+To run a target with one of these tools, add the `-X` parameter to the command line to enable Nyx mode, and pass the path to a Nyx package directory:
+
+```shell 
+afl-tmin -i in_file -o out_file -X  -- ./PACKAGE-DIRECTORY
+```
+
+```shell 
+afl-analyze -i in_file -X  -- ./PACKAGE-DIRECTORY
+```
+
+```shell 
+afl-showmap -i in_dir -o out_file -X -- ./PACKAGE-DIRECTORY
+```
+
+```shell 
+afl-cmin -i in_dir -o out_dir -X -- ./PACKAGE-DIRECTORY
+```
+
+On each program startup of one the AFL++ tools in Nyx mode, a Nyx VM is spawned, and a bootstrapping procedure is performed inside the VM to prepare the target environment. As a consequence, due to the bootstrapping procedure, the launch performance is much slower compared to other modes. However, this can be optimized by reusing an existing fuzzing snapshot to avoid the slow re-execution of the bootstrap procedure. 
+
+A fuzzing snapshot is automatically created and stored in the output directory at `out_dir/workdir/snapshot/` by the first parent process of `afl-fuzz` if parallel mode is used. To enable this feature, set the path to an existing snapshot directory in the `NYX_REUSE_SNAPSHOT` environment variable and use the tools as usual:
+
+```shell 
+afl-fuzz -i ./in_dir -o ./out_dir -Y -M 0 ./PACKAGE-DIRECTORY
+
+NYX_REUSE_SNAPSHOT=./out_dir/workdir/snapshot/ afl-analyze -i in_file -X  -- ./PACKAGE-DIRECTORY
+```
 
-For source based instrumentation just use these tools normally, for
-binary-only targets use with -Q for qemu_mode.
 
 ## Real-world examples
 
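Review bot: the snapshot-reuse example `afl-fuzz -i ./in_dir -o ./out_dir -Y -M 0 ./PACKAGE-DIRECTORY` omits the `--` separator that every other invocation in this README uses (compare `afl-fuzz -i in -o out -Y -S 1 -- ./PACKAGE-DIRECTORY` just above); add it for consistency. Typo in the bootstrapping paragraph: "one the AFL++ tools" should read "one of the AFL++ tools". Several fences are opened as "```shell " with a trailing space; strip it. The `NYX_REUSE_SNAPSHOT` paragraph says the snapshot is written by "the first parent process of `afl-fuzz` if parallel mode is used"; say plainly that this is the `-Y -M 0` instance, and state whether the snapshot has to come from the same `PACKAGE-DIRECTORY` the companion tool is then run against (the example uses the same directory for both commands but the text never says this is required, and a reader could point the variable at a snapshot from a different package). The deleted lines "For source based instrumentation just use these tools normally, for binary-only targets use with -Q for qemu_mode" were the only pointer to the non-Nyx workflow; dropping them is fine now that the tools accept `-X`, but check that nothing else in the README still refers to that guidance.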
diff --git a/nyx_mode/build_nyx_support.sh b/nyx_mode/build_nyx_support.sh
index e7fca64f..581a8292 100755
--- a/nyx_mode/build_nyx_support.sh
+++ b/nyx_mode/build_nyx_support.sh
@@ -60,11 +60,6 @@ fi
 
 echo "[*] Checking QEMU-Nyx ..."
 if [ ! -f "QEMU-Nyx/x86_64-softmmu/qemu-system-x86_64" ]; then
-    
-    if ! dpkg -s gtk3-devel > /dev/null 2>&1; then
-        echo "[-] Disabling GTK because gtk3-devel is not installed."
-        sed -i 's/--enable-gtk//g' QEMU-Nyx/compile_qemu_nyx.sh
-    fi
     (cd QEMU-Nyx && ./compile_qemu_nyx.sh static)
 fi
 
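Review bot: the removed check queried `dpkg -s gtk3-devel`, but `gtk3-devel` is the RPM-style package name while `dpkg` is the Debian/Ubuntu package tool (where the equivalent package is `libgtk-3-dev`), so on dpkg-based systems the condition was always false and `--enable-gtk` was stripped unconditionally, and on RPM-based systems `dpkg` does not exist at all. Deleting the dead check is the right call, but `compile_qemu_nyx.sh` presumably still carries the `--enable-gtk` the removed `sed` was targeting, so the build now requires GTK headers regardless of what is installed; either `compile_qemu_nyx.sh` should handle a missing GTK dev package itself, or `docs/INSTALL.md` should list it as a Nyx build dependency, or GTK should be left disabled by default since a fuzzing VM has no need for a display backend. Please state in the commit message which of these applies.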
diff --git a/nyx_mode/libnyx b/nyx_mode/libnyx
-Subproject acaf7f6346eeb5f1e2cf043543316909fca4365
+Subproject 2da7f08b6e0267ccfe64e1320b24cdb29223459
diff --git a/nyx_mode/packer b/nyx_mode/packer
-Subproject 86b159bafc0b2ba8feeaa8761a45b6201d34084
+Subproject 202bace888d237e4e8f4507d0eba6791a811554