Superion is a fuzzer which extends the famous AFL (http://lcamtuf.coredump.cx/afl/) to support structured inputs such as JavaScript and XML. The paper "Superion: Grammar-Aware Greybox Fuzzing" is accepted by ICSE 2019 (https://2019.icse-conferences.org/track/icse-2019-Technical-Papers#event-overview).
Superion mainly adds a mutation strategy to AFL. The mutation strategy first parses an input into Abstract Syntax Tree(AST) and then randomly choose another input from AFL’s queue and also parse it into AST. A sub tree of the target input can be replaced by another sub tree either from target input itself or randomly chosen supplementary sample. Therefore, hundreds of new samples are generated and executed to find a new path in tested programs.
The parsing ability of Superion is provided by ANTLR (https://www.antlr.org/), which can automatically generate a parser given the grammar file.
The following build instructions are tested on Ubuntu 16.04 with gcc-5.4.0 and clang-3.8.
To build Superion, we first need to build the ANTLR runtime. The ANTLR runtime is located in tree_mutation folder.
cd /path_to_Superion/tree_mutation/
cmake ./
make
If a missing uuid error is raised, you need to install uuid first.
sudo apt-get install uuid-dev
The project already included xml and javascript parsers generated as follows. If you need to support other input grammar, you caan refer to the following instructions.
add antlr-4.7-complete.jar to classpath
xml:
java -jar antlr-4.7-complete.jar -o path -visitor -no-listener -Dlanguage=Cpp XMLLexer.g4
java -jar antlr-4.7-complete.jar -o path -visitor -no-listener -Dlanguage=Cpp XMLParser.g4
javascript:
java -jar antlr-4.7-complete.jar -o path -visitor -no-listener -Dlanguage=Cpp ECMAScript.g4
The JS parser is located in tree_mutation/js_parser folder. Besides, we also have an xml_parser, vbs_parser there.
cd /path_to_Superion/tree_mutation/js_parser
for f in *.cpp; do g++ -I ../runtime/src/ -c $f -fPIC -std=c++11; done
g++ -shared -std=c++11 *.o ../dist/libantlr4-runtime.a -o libTreeMutation.so
To compile afl-clang-fast and afl-clang-fast++, which are used to instrument fuzzing targets.
cd /path_to_Superion/llvm_mode/
LLVM_CONFIG=llvm-config-3.8 CXXFLAGS="-DLLVM38" make
cd /path_to_Superion/
make
Webkit is one of our fuzzing targets. Its source code can be found in https://github.com/WebKit/webkit. The initial seeds we used is obtained from https://github.com/WebKit/webkit/tree/master/JSTests/stress.
To download WebKit source code:
svn checkout https://svn.webkit.org/repository/webkit/trunk WebKit
To fuzz it using AFL or Superion, we first need to instrument the executable.
export CC=~/path_to_Superion/afl-clang-fast
export CXX=~/path_to_Superion/afl-clang-fast++
export AFL_HARDEN=1
./Tools/Scripts/build-jsc --jsc-only --j14
In the experiments, we fuzzed it using four processes.
./afl-fuzz -M f1 -m 1G -t 100+ -i ~/stress/ -o ~/jscout/ ~/webkit/WebKitBuild/Release/bin/jsc @@
./afl-fuzz -S f2 -m 1G -t 100+ -i ~/stress/ -o ~/jscout/ ~/webkit/WebKitBuild/Release/bin/jsc @@
./afl-fuzz -S f3 -m 1G -t 100+ -i ~/stress/ -o ~/jscout/ ~/webkit/WebKitBuild/Release/bin/jsc @@
./afl-fuzz -S f4 -m 1G -t 100+ -i ~/stress/ -o ~/jscout/ ~/webkit/WebKitBuild/Release/bin/jsc @@
export CC=~/path_to_Superion/afl-gcc
export CXX=~/path_to_Superion/afl-g++
python ./tools/build.py --clean --debug --compile-flag=-fsanitize=address --compile-flag=-m32 --compile-flag=-fno-omit-frame-pointer --compile-flag=-fno-common --jerry-libc=off --static-link=off --lto=off --error-message=on --system-allocator=on
./afl-fuzz -M f1 -x ~/path_to_Superion/dictionaries/js.dict -t 40+ -m 2000 -i ~/jerry_seeds/ -o ~/jerry_out/ ~/jerryscript/build/bin/jerry @@
./afl-fuzz -S f2 -t 40+ -m 2000 -i ~/jerry_seeds/ -o ~/jerry_out/ ~/jerryscript/build/bin/jerry @@
./afl-fuzz -S f3 -t 40+ -m 2000 -i ~/jerry_seeds/ -o ~/jerry_out/ ~/jerryscript/build/bin/jerry @@
wget https://github.com/php/php-src/archive/master.zip
export CC=~/path_to_Superion/afl-gcc
export CXX=~/path_to_Superion/afl-g++
export AFL_HARDEN=1
./buildconf
./configure
make
configure: error: You will need re2c 0.13.4 or later to generate PHP lexers.
download re2c-1.0.1.tar.gz
cd re2c-1.0.1
./configure
make install
configure: error: bison is required to build PHP/Zend when building a GIT checkout!
download bison-3.2.tar.gz
cd bison-3.2
./configure
make install
configure: error: libxml2 not found. Please check your libxml2 installation.
sudo apt-get install libxml2-dev
configure: error: Please reinstall the sqlite distribution from http://www.sqlite.org
sudo apt-get install sqlite
sudo apt-get install libsqlite3-dev
./afl-fuzz -M f1 -m 1G -t 100+ -i ~/phpseeds/ -o ~/phpout/ ~/php-src-master/sapi/cli/php @@
./afl-fuzz -S f2 -m 1G -t 100+ -i ~/phpseeds/ -o ~/phpout/ ~/php-src-master/sapi/cli/php @@
./afl-fuzz -S f3 -m 1G -t 100+ -i ~/phpseeds/ -o ~/phpout/ ~/php-src-master/sapi/cli/php @@
./afl-fuzz -S f4 -m 1G -t 100+ -i ~/phpseeds/ -o ~/phpout/ ~/php-src-master/sapi/cli/php @@