@qurben
Last active April 19, 2019 14:31
Running Qsym

Running Qsym on the LAVA-M corpus

Setup

These steps assume a fresh installation of Ubuntu 16.04.

One extra dependency is needed beyond the usual build tools: virtualenv.

sudo apt install virtualenv

Building afl

Because the version of afl shipped with Ubuntu 16.04 is fairly old, it is recommended to download and build a newer version of afl.

cd
wget http://lcamtuf.coredump.cx/afl/releases/afl-2.52b.tgz
tar xzf afl-2.52b.tgz
cd afl-2.52b/
./configure
make

Building Qsym

Qsym can be obtained from the GitHub repository at https://github.com/sslab-gatech/qsym and built using the provided shell script.

cd
git clone https://github.com/sslab-gatech/qsym
cd qsym
./setup.sh
virtualenv venv
source venv/bin/activate
pip install .

The command source venv/bin/activate activates the virtualenv into which qsym was installed; run it in every new shell before using qsym.

Downloading lava

The LAVA synthetic bug corpora are described at http://moyix.blogspot.com/2016/10/the-lava-synthetic-bug-corpora.html

cd
wget http://panda.moyix.net/~moyix/lava_corpus.tar.xz
tar xJf lava_corpus.tar.xz

The LAVA corpus contains several executables with seeded bugs.

Building for afl and Qsym

Afl requires instrumented binaries; Qsym does not, so each program is built twice: once with afl-gcc and once with the plain compiler.

To build one of the LAVA programs, run the following commands. The commands shown are for the base64 executable.

cd ~/lava_corpus/LAVA-M/base64/binutils-8.24-lava-safe
CC=~/afl-2.52b/afl-gcc ./configure
make
cp src/base64 ../base64.afl

# clean the afl-instrumented objects so the second build really uses the plain compiler
make clean
./configure
make
cp src/base64 ../base64.plain

Running afl and Qsym

Create a new directory called findings_dir, which will contain everything afl finds.

First start an afl master and an afl slave instance, each in its own terminal:

cd ~/lava_corpus/LAVA-M/base64
~/afl-2.52b/afl-fuzz -M afl-master -i fuzzing_input -o findings_dir -- ./base64.afl -c @@
cd ~/lava_corpus/LAVA-M/base64
~/afl-2.52b/afl-fuzz -S afl-slave -i fuzzing_input -o findings_dir -- ./base64.afl -c @@

Then start Qsym in a third terminal, with the virtualenv active:

source ~/qsym/venv/bin/activate
cd ~/lava_corpus/LAVA-M/base64
~/qsym/bin/run_qsym_afl.py -a afl-slave -o findings_dir -n qsym -- ./base64.plain -c @@

Validating errors

To validate the crashes found by afl and Qsym, run each crashing input through the binary and filter out duplicates with the following command:

cd ~/lava_corpus/LAVA-M/base64
for f in findings_dir/afl-slave/crashes/*; do
  ./base64.afl -d "$f" 2> /dev/null
done | grep -a "^S" | sort | uniq
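The loop above only looks at the afl-slave instance. The script below is an added example (not part of the gist) that generalizes it to every instance directory under findings_dir (afl-master, afl-slave and qsym) and tallies how many crash files hit each seeded bug. It assumes the LAVA-M binaries print "Successfully triggered bug N, crashing now!" on stdout when a bug fires; check that against your build.

```sh
#!/bin/sh
# Added example, not the gist's own code.
# Triage AFL/Qsym crash files against a LAVA-M binary and count hits per bug id.
# Assumption: the target prints "Successfully triggered bug N, crashing now!"
# on stdout when a seeded bug is reached.

# extract_bug_ids: read target output on stdin, print "bugid<TAB>count" per id,
# sorted numerically by id.
extract_bug_ids() {
  grep -a -o 'Successfully triggered bug [0-9]*' \
    | awk '{ print $NF }' \
    | sort -n \
    | uniq -c \
    | awk '{ print $2 "\t" $1 }'
}

# triage_crashes SYNC_DIR BINARY [ARGS...]
# Runs BINARY ARGS... FILE for every crash file in SYNC_DIR/*/crashes/
# (all fuzzer instances, including the qsym directory) and tallies bug ids.
triage_crashes() {
  sync_dir=$1; bin=$2; shift 2
  for f in "$sync_dir"/*/crashes/*; do
    [ -f "$f" ] || continue                 # unmatched glob: no crashes yet
    case "$f" in */README.txt) continue ;; esac   # afl drops a README here
    # The target is expected to crash, so a non-zero exit is not an error.
    "$bin" "$@" "$f" 2>/dev/null || true
  done | extract_bug_ids
}

# Usage: sh triage.sh ~/lava_corpus/LAVA-M/base64/findings_dir ./base64.afl -d
if [ "$#" -ge 2 ]; then
  triage_crashes "$@"
fi
```

Each output line is a bug id followed by the number of crash files that reach it, so the number of lines is the number of distinct seeded bugs found across all instances.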