These steps were done on a fresh installation of Ubuntu 16.04.
A few other dependencies are needed: virtualenv
sudo apt install virtualenv
Because the version of afl shipped with Ubuntu 16.04 is fairly old, it is recommended to download and build a newer version of afl.
cd
wget http://lcamtuf.coredump.cx/afl/releases/afl-2.52b.tgz
tar xzf afl-2.52b.tgz
cd afl-2.52b/
./configure
make
Qsym can be obtained from the Github repository at https://github.com/sslab-gatech/qsym. It can be built using the provided shell script.
cd
git clone https://github.com/sslab-gatech/qsym
cd qsym
./setup.sh
virtualenv venv
source venv/bin/activate
pip install .
The command source venv/bin/activate
is required to activate the environment in which qsym runs; it has to be run in every new shell before qsym is used.
The lava synthetic bug corpora can be found at http://moyix.blogspot.com/2016/10/the-lava-synthetic-bug-corpora.html
cd
wget http://panda.moyix.net/~moyix/lava_corpus.tar.xz
tar xJf lava_corpus.tar.xz
The lava corpus contains several executables with seeded bugs.
Afl requires an instrumented build of the target (compiled with afl-gcc); Qsym works on the uninstrumented binary, so each target is built twice.
To build the two binaries for a specific lava target execute the following commands. The specific commands are for the base64
executable; the other targets are built the same way.
cd ~/lava_corpus/LAVA-M/base64/binutils-8.24-lava-safe
CC=~/afl-2.52b/afl-gcc ./configure
make
cp src/base64 ../base64.afl
make clean
./configure
make
cp src/base64 ../base64.plain
Create a new directory called findings_dir
which will contain any findings by afl.
First run an afl master and a slave instance, each in its own terminal
cd ~/lava_corpus/LAVA-M/base64
~/afl-2.52b/afl-fuzz -M afl-master -i fuzzing_input -o findings_dir -- ./base64.afl -c @@
cd ~/lava_corpus/LAVA-M/base64
~/afl-2.52b/afl-fuzz -S afl-slave -i fuzzing_input -o findings_dir -- ./base64.afl -c @@
Then start qsym in a third terminal, activating its virtualenv first
cd ~/lava_corpus/LAVA-M/base64
source ~/qsym/venv/bin/activate
~/qsym/bin/run_qsym_afl.py -a afl-slave -o findings_dir -n qsym -- ./base64.plain -c @@
To validate the errors generated by afl and Qsym you can use the following command, which runs each crashing input found by the afl-slave instance, keeps the "Successfully triggered bug" line that a lava binary prints when a seeded bug fires, and filters out duplicates.
cd ~/lava_corpus/LAVA-M/base64
for f in findings_dir/afl-slave/crashes/*; do
./base64.afl -d "$f" 2> /dev/null
done | grep -a "^S" | sort | uniq
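The loop above only looks at the afl-slave crashes. The script below is an added example (not part of the original write-up) that generalises it: it triages every instance under findings_dir (afl-master, afl-slave and qsym), skips afl's README.txt, and reports each lava bug id once together with how many crash files hit it. It assumes the lava convention that a triggered bug prints "Successfully triggered bug <id>, ..." on stdout, and it ships with a constructed fake target so it can be run without the corpus.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. It generalises the
# validation loop above: every fuzzer instance under findings_dir
# (afl-master, afl-slave and qsym) is triaged, and each LAVA bug id is
# reported once together with the number of crash files that hit it.
# Assumption (LAVA-M convention): a triggered bug prints
# "Successfully triggered bug <id>, ..." on stdout before the crash.

# triage_unique_bugs TARGET FINDINGS_DIR
# Runs `TARGET -d <crash>` for every crash file and prints "<count> <id>".
triage_unique_bugs() {
    target="$1"
    findings="$2"
    for crash in "$findings"/*/crashes/*; do
        [ -f "$crash" ] || continue
        case "$crash" in */README.txt) continue ;; esac   # afl's notice, not a crash
        # the marker line is on stdout; the crash message itself goes to stderr
        "$target" -d "$crash" 2>/dev/null | grep -a '^Successfully triggered bug' || true
    done | sed 's/^Successfully triggered bug \([0-9]*\).*/\1/' \
         | sort -n | uniq -c | sed 's/^ *//'
}

# Constructed fixture standing in for base64.plain and a real findings_dir:
# a fake target that "triggers" whichever bug id its input names.
make_demo_findings() {
    dir="$1"
    mkdir -p "$dir/afl-master/crashes" "$dir/afl-slave/crashes" "$dir/qsym/crashes"
    printf 'bug 7\n'  > "$dir/afl-master/crashes/id:000000"
    printf 'bug 7\n'  > "$dir/afl-slave/crashes/id:000000"    # same bug, found twice
    printf 'bug 42\n' > "$dir/afl-slave/crashes/id:000001"
    printf 'junk\n'   > "$dir/qsym/crashes/id:000000"         # crash without a LAVA marker
    printf 'see afl docs\n' > "$dir/afl-slave/crashes/README.txt"
    cat > "$dir/fake-base64" <<'EOF'
#!/bin/sh
# fake LAVA-M target: print the marker for the named bug, then "crash"
[ "$1" = "-d" ] && id=$(sed -n 's/^bug \([0-9]*\)$/\1/p' "$2")
[ -n "$id" ] && echo "Successfully triggered bug $id, crashing now!"
echo "Segmentation fault" >&2
exit 139
EOF
    chmod +x "$dir/fake-base64"
}

demo="$(mktemp -d)"
make_demo_findings "$demo"
triage_unique_bugs "$demo/fake-base64" "$demo"   # prints "2 7" then "1 42"
```

Against the real corpus call it as triage_unique_bugs ./base64.plain findings_dir from the base64 directory; some crashing inputs can make the real binary hang, so wrap the target invocation in timeout if the loop stalls.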