简单的活着

afl-cov

Posted on Mar 08, 2019 By Mista Cai

afl-cov

获取afl的路径覆盖率工具。

afl-cov -d fuzz_out/ --live --coverage-cmd "cat AFL_FILE | ./afl-test" --code-dir . --enable-branch-coverage

怎么用make编译

-fprofile-arcs -ftest-coverage应该加到哪里?

make CFLAG='-g -fprofile-arcs -ftest-coverage' CXXFLAGS='-g -fprofile-arcs -ftest-coverage'

Overriding Variables of makefiles

Workflow

将项目源复制到新目录/path/to/project-gcov/。 该目录应包含gcov profiling支持编译的项目二进制文件(gcc -fprofile-arcs -ftest-coverage)。

在启动afl-fuzz模糊测试循环之前,以--live模式启动afl-covafl-cov的命令行参数必须指定afl-fuzz使用的输出目录的路径,以及与相关参数一起执行的命令。

这个命令和参数应该非常类似于在模糊测试循环期间afl-fuzz执行目标二进制文件的方式。 如果已存在AFL模糊测试结果的现有目录,则只需省略—live参数即可处理现有结果。 这是一个例子:

$ cd /path/to/project-gcov/
$ afl-cov -d /path/to/afl-fuzz-output/ --live --coverage-cmd \
"cat AFL_FILE | LD_LIBRARY_PATH=./lib/.libs ./bin/.libs/somebin -a -b -c" \
--code-dir .

/path/to/afl-fuzz-output/afl-fuzz的输出目录。

上面的AFL_FILE字符串是指AFL将在/path/to/afl-fuzz-output下的queue/目录中构建的测试用例文件。 只需将此字符串保留为原样,因为afl-cov会自动将其替换为每个AFLqueue/id:NNNNNN,因为它会构建代码覆盖率报告。

此外,上面的命令是,AFL模糊测试循环通过stdin模糊测试目标二进制文件的情况。 这解释了cat AFL_FILE | ... ./bin/.lib/somebin …调用。对于从文件系统读取文件的AFL模糊测试,下面是一个例子:

$ cd /path/to/project-gcov/
$ afl-cov -d /path/to/afl-fuzz-output/ --live --coverage-cmd \
"LD_LIBRARY_PATH=./lib/.libs ./bin/.libs/somebin -f AFL_FILE -a -b -c" \
--code-dir .

运行afl-cov后,打开一个单独的terminal/shell,然后启动afl-fuzz

$ LD_LIBRARY_PATH=./lib/.libs afl-fuzz -T somebin -t 1000 \
-i /path/to/test-cases/ -o /path/to/afl-fuzz-output/ ./bin/.libs/somebin -a -b -c

将显示熟悉的AFL状态屏幕,并且afl-cov将开始生成代码覆盖数据。

Note:默认情况下,afl-cov不会指示lcov包含分支覆盖结果。 这是因为queue/目录中通常有数百个AFL测试用例,并且在所有这些情况下生成分支覆盖可能会显着降低afl-cov。 如果需要分支覆盖,只需将--enable-branch-coverage参数添加到afl-cov即可。

$ afl-cov -d /path/to/afl-fuzz-output/ --live --coverage-cmd \
"LD_LIBRARY_PATH=./lib/.libs ./bin/.libs/somebin -f AFL_FILE -a -b -c" \
--code-dir . --enable-branch-coverage
[+] Imported 184 files from: /path/to/afl-fuzz-output/queue
[+] AFL file: id:000000,orig:somestr.start (1 / 184), cycle: 0
    lines......: 18.6% (1122 of 6032 lines)
    functions..: 30.7% (100 of 326 functions)
    branches...: 14.0% (570 of 4065 branches)
[+] AFL file: id:000001,orig:somestr256.start (2 / 184), cycle: 2
    lines......: 18.7% (1127 of 6032 lines)
    functions..: 30.7% (100 of 326 functions)
    branches...: 14.1% (572 of 4065 branches)
[+] Coverage diff id:000000,orig:somestr.start id:000001,orig:somestr256.start
    Src file: /path/to/project-gcov/lib/proj_decode.c
      New 'line' coverage: 140
      New 'line' coverage: 141
      New 'line' coverage: 142
    Src file: /path/to/project-gcov/lib/proj_util.c
      New 'line' coverage: 217
      New 'line' coverage: 218
[+] AFL file: id:000002,orig:somestr384.start (3 / 184), cycle: 10
    lines......: 18.8% (1132 of 6032 lines)
    functions..: 30.7% (100 of 326 functions)
    branches...: 14.1% (574 of 4065 branches)
[+] Coverage diff id:000001,orig:somestr256.start id:000002,orig:somestr384.start
    Src file: /path/to/project-gcov/lib/proj_decode.c
      New 'line' coverage: 145
      New 'line' coverage: 146
      New 'line' coverage: 147
    Src file: /path/to/project-gcov/lib/proj_util.c
      New 'line' coverage: 220
      New 'line' coverage: 221
[+] AFL file: id:000003,orig:somestr.start (4 / 184), cycle: 5
    lines......: 18.9% (1141 of 6032 lines)
    functions..: 31.0% (101 of 326 functions)
    branches...: 14.3% (581 of 4065 branches)
[+] Coverage diff id:000002,orig:somestr384.start id:000003,orig:somestr.start
    Src file: /path/to/project-gcov/lib/proj_message.c
      New 'function' coverage: validate_cmd_msg()
      New 'line' coverage: 244
      New 'line' coverage: 247
      New 'line' coverage: 248
      New 'line' coverage: 250
      New 'line' coverage: 255
      New 'line' coverage: 262
      New 'line' coverage: 263
      New 'line' coverage: 266
.
.
.
[+] Coverage diff id:000182,src:000000,op:havoc,rep:64 id:000184,src:000000,op:havoc,rep:4
[+] Processed 184 / 184 files

[+] Final zero coverage report: /path/to/afl-fuzz-output/cov/zero-cov
[+] Final positive coverage report: /path/to/afl-fuzz-output/cov/pos-cov
[+] Final lcov web report: /path/to/afl-fuzz-output/cov/web/lcov-web-final.html

在上面的最后几行中,显示了最终Web覆盖范围和零覆盖率报告的位置。零覆盖率报告包含从未在整个afl-fuzz运行中执行的函数名称。

代码覆盖率结果在/path/to/afl-fuzz-output/cov/web/lcov-web-final表示所有AFL测试用例的累积代码覆盖率。然后可以检查这些数据以确保所有预期的功能确实由AFL执行,只需用Web浏览器打开/path/to/afl-fuzz-output/cov/web/lcov-web-final.html即可。

下面是该报告对累积AFL模糊测试运行的示例,这是针对fwknop项目的,完整报告可在此处获得。请注意,即使fwknop具有一组专用的AFL wrappers,仍然难以实现高百分比的代码覆盖率。AFL未执行的每个branch/line/function表示AFL没有机会在这些位置查找错误。

afl-cov

tips

遇到apt无法定位安装包,更新sudo apt update;

更新慢的问题,清空/usr/apt/sources.list,Software & Update里面找到中国最快服务器。

reference

[“Unable to locate package” while trying to install packages with APT]

How to compile AFL’s LLVM mode in OS X

Ubuntu中sudo apt-get update很慢解决办法