Setup

Paths

We need to set up three paths: GOPATH, IMAGE and KERNEL.

GOPATH is the working directory for syzkaller.

IMAGE holds the Linux disk image, and KERNEL holds the kernel source and binary.


Set up repo

From Google

mkdir ~/bin
PATH=~/bin:$PATH
curl https://storage.googleapis.com/git-repo-downloads/repo > ~/bin/repo
chmod a+x ~/bin/repo

From Tsinghua


Transfer File Using rsync

  1. native command

    rsync -avuz --progress source_dir dest_dir

    • -v, --verbose          verbose output
    • -q, --quiet            suppress message output
    • -a, --archive          archive mode: preserve files and directories while synchronizing (-a is equivalent to -rlptgoD)
    • -r, --recursive        sync files and directories recursively
    • -b, --backup           make backups during synchronization
    • -u, --update           skip files whose destination copy is newer than the source
    • -l, --links            copy symlinks as symlinks during the sync
    • -n, --dry-run          perform a trial run without making any changes
    • -e, --rsh=COMMAND      specify the remote shell to use
    • -z, --compress         compress file data during the transfer
    • -h, --human-readable   display output numbers in a human-readable format
    • --progress             show the sync progress during transfer
  2. parallel wrapper (parsyncfp)

    http://moo.nac.uci.edu/~hjm/parsync/

    ./parsyncfp --NP=6 --startdir='/home/zl/fuzz' ./ remote_user@remote_ip:remote_dir

Target Program Source Code

First, prepare the target program to be tested.

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <signal.h>

int vuln(char *str)
{
    int len = strlen(str);
    // If the first character of the input is 'A' and its length is 66, exit abnormally
    if (str[0] == 'A' && len == 66)
    {
        raise(SIGSEGV);
    }
    // If the first character of the input is 'F' and its length is 6, exit abnormally
    else if (str[0] == 'F' && len == 6)
    {
        raise(SIGSEGV);
    }
    else
    {
        printf("\nit is good!\n");
    }
    return 0;
}

int main(int argc, char *argv[])
{
    int i;
    char buf[100] = {0};
    printf("Enter a value :");
    scanf("%d", &i);
    if ((i % 2) == 1)
    {
        getchar();
        printf("Odd\nPlease enter a string: ");
        gets(buf);   // stack overflow vulnerability (intentional)
        printf(buf); // format string vulnerability (intentional)
        vuln(buf);
    }
    else
    {
        printf("Even\n");
    }
    return 0;
}
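For comparison, here is the hardened counterpart of the target's odd branch, added as an example and not part of the original post: gets() is replaced by a bounded line reader and the user-controlled format string by a fixed "%s". BUF_SIZE, read_line and echo_line are names chosen for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define BUF_SIZE 100   /* same size as the target program's buf[100] */

/* Bounded replacement for gets(): stores at most n-1 bytes plus a NUL,
 * strips the trailing newline, and drains the rest of an over-long line
 * so the next read starts on a fresh line. Returns the number of bytes
 * stored, or -1 on EOF/error. */
int read_line(char *buf, size_t n, FILE *in)
{
    if (n == 0 || fgets(buf, (int)n, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';
    } else {
        /* Line did not fit: discard the remainder instead of letting it
         * spill into the following read. */
        int c;
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return (int)len;
}

/* Fixed format string: user data is only ever an argument to printf,
 * never the format itself, so "%n" or "%x" in the input print literally. */
int echo_line(const char *buf)
{
    return printf("%s\n", buf);
}

/* Same flow as the target's odd branch, with the two defects removed. */
int main(void)
{
    char buf[BUF_SIZE];
    int i;
    printf("Enter a value :");
    if (scanf("%d", &i) != 1)
        return 1;
    getchar();                     /* consume the newline after the number */
    if (i % 2 == 1) {
        printf("Odd\nPlease enter a string: ");
        if (read_line(buf, sizeof buf, stdin) < 0)
            return 1;
        echo_line(buf);
    } else {
        printf("Even\n");
    }
    return 0;
}
```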


AFL Source Code Study

I recently studied American Fuzzy Lop (AFL), an open-source fuzzing tool developed by Google security engineer Michał Zalewski. Here I summarize what I learned from reading the source, along with related usage tips.

AFL Installation and Usage

Installing AFL is very simple: just download the source, then build and install it.

wget http://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz
tar xvf afl-latest.tgz
cd afl-*
make && make install
