apr-fuzz - a Python rewrite of afl-fuzz?


Jacek Wielemborek

Oct 2, 2015, 12:45:56 PM
to afl-users
List,

While trying to understand how AFL works, I decided to have a go at
reimplementing it in Python. I already wrote code to interact with
AFL-instrumented binaries [1] and a silly 20-line "genetic algorithm"
that randomly mutates a fixed-size payload. It's currently just a
proof-of-concept (112 lines of code). Is there anybody who would like to
continue the experimentation with me?

Cheers,
d33tah

[1] https://github.com/d33tah/afr-fuzz


Jakub Wilk

Oct 2, 2015, 1:48:23 PM
to afl-...@googlegroups.com
* Jacek Wielemborek <d33...@gmail.com>, 2015-10-02, 18:45:
>Is there anybody who would like to continue the experimentation with
>me?

Not me...

>[1] https://github.com/d33tah/afr-fuzz

... but I had cursory glance at the code, and here's my review:

>MINUS_ONE = 2**64 - 1

That's a very big value of minus one...

>libc = ctypes.cdll.LoadLibrary("libc.so.6")

I'd write it as:

libc = ctypes.CDLL(None)

so that you don't rely on exact SONAME of libc (which varies even among
Linux architectures).

>libc.__errno_location.restype = ctypes.POINTER(ctypes.c_int)
>errno = lambda: libc.__errno_location().contents.value

If you passed use_errno=True to CDLL, you could just use
ctypes.get_errno().

> self.shm_id = shmget(IPC_PRIVATE, MAP_SIZE, shm_perms)
> if self.shm_id == MINUS_ONE:

On error, shmget() returns -1, not MINUS_ONE.

> self.trace_bytes_addr = shmat(self.shm_id, 0, 0)
> if self.trace_bytes_addr == 2**64 - 1:
> raise RuntimeError("shmat() failed (%s)" % os.strerror(errno()))

This won't work on 32-bit architectures. I'd write:

if self.trace_bytes_addr == ctypes.c_void_p(-1).value: ...

--
Jakub Wilk
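The review points above (resolving libc without its SONAME, `use_errno=True` with `ctypes.get_errno()`, checking shmget() against -1 and shmat() against `(void *) -1` in a pointer-width-independent way), put together in one runnable setup routine for an AFL trace map. This is an added example, not code from apr-fuzz: the names `TraceMap`, `shmget_failed`, `shmat_failed`, `count_hit_edges` and `POINTER_BITS` are mine; the SysV IPC constants are the Linux values, and `__AFL_SHM_ID` is the environment variable AFL-instrumented binaries read to find the map.

```python
import ctypes
import os

MAP_SIZE = 1 << 16   # afl's default trace map size (64 KiB)

# Linux SysV IPC constants (values from <sys/ipc.h>).
IPC_PRIVATE = 0
IPC_RMID = 0
IPC_CREAT = 0o1000
IPC_EXCL = 0o2000

# CDLL(None) resolves symbols from the running process, so we do not depend on
# libc's SONAME; use_errno=True makes ctypes.get_errno() meaningful.
libc = ctypes.CDLL(None, use_errno=True)

libc.shmget.argtypes = [ctypes.c_int, ctypes.c_size_t, ctypes.c_int]
libc.shmget.restype = ctypes.c_int           # -1 on error
libc.shmat.argtypes = [ctypes.c_int, ctypes.c_void_p, ctypes.c_int]
libc.shmat.restype = ctypes.c_void_p         # (void *) -1 on error
libc.shmdt.argtypes = [ctypes.c_void_p]
libc.shmdt.restype = ctypes.c_int
libc.shmctl.argtypes = [ctypes.c_int, ctypes.c_int, ctypes.c_void_p]
libc.shmctl.restype = ctypes.c_int

# shmat()'s error sentinel is (void *) -1; its integer value depends on the
# pointer width, so derive it from ctypes instead of hard-coding 2**64 - 1.
POINTER_BITS = 8 * ctypes.sizeof(ctypes.c_void_p)
SHMAT_FAILED = ctypes.c_void_p(-1).value


def shmget_failed(ret):
    """True if a c_int return value from shmget() signals an error."""
    return ret == -1


def shmat_failed(addr):
    """True if a c_void_p return value from shmat() signals an error."""
    return addr == SHMAT_FAILED


def count_hit_edges(trace_bits):
    """Number of non-zero map bytes, i.e. distinct edges the target executed."""
    return sum(1 for b in trace_bits if b)


class TraceMap:
    """Creates one SysV segment sized for afl's trace bits and attaches it."""

    def __init__(self, size=MAP_SIZE):
        self.size = size
        self.addr = None
        # IPC_CREAT is implied by IPC_PRIVATE; 0o600 keeps the map owner-only.
        self.shm_id = libc.shmget(IPC_PRIVATE, size, IPC_CREAT | IPC_EXCL | 0o600)
        if shmget_failed(self.shm_id):
            e = ctypes.get_errno()
            raise OSError(e, "shmget() failed: %s" % os.strerror(e))
        addr = libc.shmat(self.shm_id, None, 0)
        if shmat_failed(addr):
            e = ctypes.get_errno()
            libc.shmctl(self.shm_id, IPC_RMID, None)   # do not leak the segment
            raise OSError(e, "shmat() failed: %s" % os.strerror(e))
        self.addr = addr
        self.buf = (ctypes.c_ubyte * size).from_address(addr)

    def env(self):
        """Environment to pass to the target so afl's instrumentation attaches."""
        return {"__AFL_SHM_ID": str(self.shm_id)}

    def clear(self):
        ctypes.memset(self.addr, 0, self.size)

    def trace_bits(self):
        return bytes(self.buf)

    def close(self):
        if self.addr is not None:
            libc.shmdt(self.addr)
            self.addr = None
        if self.shm_id >= 0:
            libc.shmctl(self.shm_id, IPC_RMID, None)
            self.shm_id = -1


if __name__ == "__main__":
    tm = TraceMap()
    try:
        tm.clear()
        tm.buf[5] = 1        # pretend the target hit two edges
        tm.buf[4711] = 3
        print(tm.env(), "edges hit:", count_hit_edges(tm.trace_bits()))
    finally:
        tm.close()
```

The segment is removed with IPC_RMID in `close()` (and on a failed attach), because a fuzzer that raises between shmget() and shmat() otherwise leaves orphan segments behind that `ipcs -m` will show accumulating.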

Jacek Wielemborek

Oct 2, 2015, 2:12:35 PM
to afl-...@googlegroups.com
On 02.10.2015 at 19:48, Jakub Wilk wrote:
Thanks for the review, that's definitely welcome! I applied your
suggestions in two commits [1][2], as well as a few other changes.

I know that the quality of the code leaves a bit to be desired - I was
sketching this program with no idea whether any of this would work and
wanted to get to the "PoC" as quickly as I could. In most places, I
haven't yet looked back and refactored it (for example,
SHMInstrumentation.go probably already needs to be split), so I really
appreciate commits like this.

Cheers,
d33tah

[1] https://github.com/d33tah/apr-fuzz/commit/7d190a4b4
[2] https://github.com/d33tah/apr-fuzz/commit/c08a1ce7a
