Project author: vanhauser-thc

Project description:
run AFL with pintool
Language: C++
Repository: git://github.com/vanhauser-thc/afl-pin.git
Created: 2018-03-23T23:55:59Z
Project page: https://github.com/vanhauser-thc/afl-pin

License: GNU Affero General Public License v3.0

Intro

This is the fastest pintool afl-fuzzer out there currently.
And it runs with pintool 3.6 up to 3.11, so 4.x x64 kernels are fine.
But … pintool is super slow.
So this is basically only if you have no other option.
I am currently developing an alternative with DynamoRIO which is 10x faster -
but still, afl qemu mode is 10-50x faster than that …

Installation

  1. download, compile and install afl => https://github.com/vanhauser-thc/AFLplusplus
  2. (optional) download, compile and install dyninst => https://github.com/dyninst/dyninst
  3. (optional) download, compile and install afl-dyninst => https://github.com/vanhauser-thc/afl-dyninst
  4. download and unpack pin => https://software.intel.com/en-us/articles/pintool-downloads (download version 3.6 to 3.11)
  5. export PIN_ROOT=/path/to/pin directory
  6. make a symlink to the afl folder in the afl-pin directory named “afl”, e.g. “ln -s ../AFLplusplus afl”
  7. make
  8. make install

Options

-libs also instrument the dynamic libraries
-exitpoint target exit the program when this address/function is reached. speeeed!
-forkserver install a forkserver. You must set PIN_APP_LD_PRELOAD - or use afl-fuzz-pin.sh
-entrypoint target function or address where you want to install the forkserver
-alternative a little bit faster but less quality

How to run

  1. (optional) afl-dyninst.sh -i program -o program_instrumented -D
     It is a good idea to add -e and -E with well selected function addresses to
     make the fuzzing faster.
  2. afl-fuzz-pin.sh [normal afl-fuzz options]
     If you did not do step 1, add the option -forkserver (-forkserver is faster
     than afl-dyninst). You can increase speed more by selecting a good
     “-entrypoint function_name” or “-entrypoint 0x123456” location.
     That’s it! If your fuzzing does not run, afl-fuzz might need more memory; set
     AFL_MEM to a high value, e.g. 700 for 700MB.
     Using -forkserver requires
     PIN_APP_LD_PRELOAD=/usr/local/lib/pintool/forkserver.so
     but afl-fuzz-pin.sh takes care of this.
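Added example, not part of afl-pin: a small POSIX sh pre-flight check for the environment the steps above rely on (PIN_ROOT pointing at the unpacked pin kit, the forkserver preload library from make install, and AFL_MEM as a number of megabytes). The function names and the FORKSERVER_SO override variable are this example's own; the paths and variable names come from the README.

```shell
#!/bin/sh
# Pre-flight checks before running afl-fuzz-pin.sh (example code, not afl-pin's).

# Preload library installed by `make install`, per the README. FORKSERVER_SO is
# an override knob of this example only (handy for testing).
FORKSERVER_SO="${FORKSERVER_SO:-/usr/local/lib/pintool/forkserver.so}"

# Returns 0 if "$1" is a non-empty decimal integer, 1 otherwise.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Returns 0 when the environment is usable; prints each problem to stderr and
# returns 1 otherwise. $1 is 1 if -forkserver will be used, 0 if not.
afl_pin_preflight() {
    use_forkserver="$1"
    rc=0
    # PIN_ROOT must be the directory that contains the `pin` launcher.
    if [ -z "${PIN_ROOT:-}" ] || [ ! -x "$PIN_ROOT/pin" ]; then
        echo "PIN_ROOT must point at the unpacked pin directory (pin launcher not found)" >&2
        rc=1
    fi
    # -forkserver only works if the preload library is present.
    if [ "$use_forkserver" = 1 ] && [ ! -f "$FORKSERVER_SO" ]; then
        echo "-forkserver needs $FORKSERVER_SO (run make install)" >&2
        rc=1
    fi
    # AFL_MEM is a plain number of megabytes, e.g. 700, not "700MB".
    if [ -n "${AFL_MEM:-}" ] && ! is_uint "$AFL_MEM"; then
        echo "AFL_MEM must be a number of megabytes, e.g. 700" >&2
        rc=1
    fi
    return "$rc"
}

# Prints the assignment afl-fuzz-pin.sh sets for -forkserver, for use when
# invoking pin by hand.
forkserver_env() {
    printf 'PIN_APP_LD_PRELOAD=%s\n' "$FORKSERVER_SO"
}
```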

When to use it

When you have no source code, normal afl-dyninst crashes the binary,
qemu mode -Q is not an option and dynamorio is not working either.
Pin is even 90% slower than my dynamorio implementation …

Limitations

Pin is super slow … it is the tool of last resort on x86/x64.

Who and where

Marc “van Hauser” Heuse mh@mh-sec.de || vh@thc.org
https://github.com/vanhauser-thc/afl-pin