-
Saryn is a
warframe, a coverage-guided fuzzer implementedtaint inference
, and several tainte mutation strategies, includingtaint havoc
,input-to-state+
, andlinear search
. -
This project is based on AFL++ 3.15a, to see the original README please refer to README.md.
- Collect
critical bytes
for cmp, switch instructions based on cmplog instrumentation, refer to PATA for more details.
- Apply
havoc
tocritical bytes
only.
- Replace
colorization
withtaint inference
for instr. typeinput-to-state
.
- Refer to PATA for more details.
sudo apt-get update
sudo apt-get install -y build-essential python3-dev automake cmake git flex bison libglib2.0-dev libpixman-1-dev python3-setuptools
# try to install llvm 11 and install the distro default if that fails
sudo apt-get install -y lld-11 llvm-11 llvm-11-dev clang-11 || sudo apt-get install -y lld llvm llvm-dev clang
sudo apt-get install -y gcc-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-plugin-dev libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev
git clone https://github.com/tl455047/Saryn.git
cd Saryn
# build project
make clean
make soure only
- LLVM version should be 11.
- Refer to INSTALL.md for more details.
- It is recommended to use gcc/g++ to compile, since sometimes error occurred when using clang/clang++.
- AF++ 3.15a supports several instrumentation mode, including
lto mode
,pcguard mode
,llvm mode
,gcc plugin mode
,gcc/clang mode
. - Our implementation is based AFL++
cmplog mode
, to supportcmplog mode
, we need to usellvm mode
,pcguard mode
, orlto mode
. - If you install
llvm-11
correctly, and chooseafl-cc
as compiler-wrapper, the default instrumentation mode will bepcguard mode
.
# set compiler-wrapper
export CC=/path/to/Saryn/afl-cc
export CXX=/path/to/Saryn/afl-c++
# AFL instrumentation
...
# build commands
# remember to disable shared ex. ./configure --disable-shared
...
make
...
# if is pcguard mode, you should see following messages
afl-cc++3.15a by Michal Zalewski, Laszlo Szekeres, Marc Heuse - mode: LLVM-PCGUARD warning: unknown warning option '-Wshadow=local' [-Wunknown-warning-option]
SanitizerCoveragePCGUARD++3.15a
[+] Instrumented xx locations with no collisions (non-hardened mode) of which are 0 handled and 0 unhandled selects.
...
# cmplog instrumentation
# build with a new target instance
export AFL_LLVM_CMPLOG=1
...
# build commands
# remember to disable shared ex. ./configure --disable-shared
...
make
...
# if is cmplog mode, you should see following messages
CmpLog mode by <[email protected]>
Running cmplog-switches-pass by [email protected]
Hooking xx switch instructions
Running split-switches-pass by [email protected]
...
Running cmplog-instructions-pass by [email protected]
Running cmplog-routines-pass by [email protected]
- Refer to README.md for more details.
- Same with
cmplog mode
, add command line option-c
with cmplog instrumentation binary path. - Our cmplog instrumentation is slightly different from AFL++ cmplog instrumentation, to enable our features, please use our
afl-cc
to compile target with cmplog instrumentation.
# if input is from stdin
./afl-fuzz -i input-dir -o output-dir -m none -M fuzz-node-name -c /path/to/target-binary-cmplog -- /path/to/target-afl
# if input is from command line with file
./afl-fuzz -i input-dir -o output-dir -m none -M fuzz-node-name -c /path/to/target-binary-cmplog -- /path/to/target-afl @@
- Refer to README.md for more details.
- Build
binutils 2.37
with afl-cc.
# get binutils
https://mirror.ossplanet.net/gnu/binutils/binutils-2.37.tar.gz
tar -xvf binutils-2.37.tar.gz
# set compiler wrapper
export CC=/path/to/Saryn/afl-cc
export CXX=/path/to/Saryn/afl-c++
cd binutils-2.37
mkdir afl
cd afl
# AFL instrumentation
../configure --disable-shared
make clean
make
cd ..
mkdir cmplog
cd cmplog
# cmplog instrumentation
export AFL_LLVM_CMPLOG=1
../configure --disable-shared
make clean
make
- Fuzz
objdump
with option-x
.
./afl-fuzz -i input-dir -o output-dir -m none -M fuzz-node-name -c /path/to/binutils-2.37/cmplog/binutils/objdump -- /path/to/binutils-2.37/afl/binutils/objdump -x @@
taint havoc
/taint linear search
/input-to-state+
new coverage
/executions
- c-bytes
critical bytes
/input length