Kelinci Java Fuzzing


floyd

Feb 1, 2018, 8:37:46 AM
to afl-users
Hi everyone,

Yay, found time to do some fuzzing again. I totally missed the AFL-based
Kelinci [0] fuzzer setup for Java. I just searched the mailing list and
I didn't find any post about it. Also sister_projects.txt doesn't
mention it (Michal, could you add it?).

I tried the setup and it works very well to fuzz Java code (although it
zzzzz for me like so many other more complicated fuzzing setups). I have
some issues with instrumentation in certain cases [1], but it seems I
already found other issues in JPEG parsing in the Apache commons library
by simply using the JPEG corpus of AFL, but I didn't investigate the
"crashes" yet [2]. I write "crashes" because obviously a Java exception
has much lower severity than a memory corruption in another language.

So from my perspective Kelinci is much more advanced than my dull
approach with gcj [3]. Worth trying next time you look at Java code.

cheers,
floyd

PS: Kelinci and the newest version of AFL run perfectly fine on ARM

[0] https://github.com/isstac/kelinci
[1] https://github.com/isstac/kelinci/issues/2
[2] https://github.com/isstac/kelinci/issues/1
[3] https://github.com/floyd-fuh/AFL_GCJ_Fuzzing_Simple

Michal Zalewski

Feb 1, 2018, 7:39:25 PM
to afl-users
> Yay, found time to do some fuzzing again. I totally missed the AFL-based
> Kelinci [0] fuzzer setup for Java. I just searched the mailing list and
> I didn't find any post about it. Also sister_projects.txt doesn't
> mention it (Michal, could you add it?).

Yep. Nice find!

/mz

Rohan Padhye

Feb 2, 2018, 12:12:40 AM
to afl-users
Hi Floyd,

That looks pretty cool!

We're also looking at fuzzing Java, and have a setup called JQF [1] that mixes Java + QuickCheck + AFL. We've been able to get about 300-500 execs per second for JPEG, and about 1,500-2,000 execs per second for simpler things like DateFormat parser on an Intel i7 [2].

Although it can trivially find bugs* in binary/string parsers [3], we are mostly interested in using it for smarter unit tests, and as such it is tightly integrated with junit-quickcheck [4]. The advantage is that you can fuzz data structures such as trees and graphs and DOMs and any other custom Java types directly (instead of reading an input file from stdin).

It's still a work in progress, but if you just want to fuzz file format parsers in Java, you can give it a go.


* bugs/crashes = undocumented runtime exceptions or assertion failures
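As an added example, not taken from this thread or from the JQF project's own code, here is a JQF property in the style Rohan describes: the fuzzer drives a junit-quickcheck generator for a structured input (a SimpleDateFormat pattern) rather than raw bytes, and only the exceptions the API documents are tolerated, so any other exception surfaces as a "crash" in the sense of his footnote. The @RunWith(JQF.class)/@Fuzz annotations and the junit-quickcheck Generator/@From API are assumed from those projects' public documentation; nothing here is on this page.

```java
import java.text.ParseException;
import java.text.SimpleDateFormat;

import com.pholser.junit.quickcheck.From;
import com.pholser.junit.quickcheck.generator.GenerationStatus;
import com.pholser.junit.quickcheck.generator.Generator;
import com.pholser.junit.quickcheck.random.SourceOfRandomness;
import edu.berkeley.cs.jqf.fuzz.Fuzz;
import edu.berkeley.cs.jqf.fuzz.JQF;
import org.junit.Assume;
import org.junit.runner.RunWith;

// Example property (assumed JQF/junit-quickcheck API, not code from this thread).
@RunWith(JQF.class)
public class DateFormatFuzzTest {

    /** Generates a structured input: a pattern built from real
     *  SimpleDateFormat field letters and separators. */
    public static class PatternGenerator extends Generator<String> {
        private static final String[] FIELDS =
            {"yyyy", "yy", "MM", "MMM", "dd", "HH", "mm", "ss", "SSS", "z", "Z", "a", "EEE"};
        private static final String[] SEPS = {"-", "/", ":", " ", ".", "'T'", ""};

        public PatternGenerator() { super(String.class); }

        @Override
        public String generate(SourceOfRandomness rnd, GenerationStatus status) {
            StringBuilder sb = new StringBuilder();
            int fields = rnd.nextInt(1, 6);
            for (int i = 0; i < fields; i++) {
                sb.append(rnd.choose(FIELDS)).append(rnd.choose(SEPS));
            }
            return sb.toString();
        }
    }

    /** JQF feeds AFL-style coverage feedback back into both generators. */
    @Fuzz
    public void parsesWithoutUndocumentedExceptions(
            @From(PatternGenerator.class) String pattern, String input) {
        SimpleDateFormat fmt;
        try {
            fmt = new SimpleDateFormat(pattern);
        } catch (IllegalArgumentException documented) {
            Assume.assumeNoException(documented); // invalid pattern: discard this input
            return;
        }
        try {
            fmt.parse(input);
        } catch (ParseException documented) {
            // parse() declares ParseException, so an unparseable input is not a bug
        }
        // Any other exception propagates and is reported by JQF as a failure,
        // i.e. an undocumented runtime exception in the thread's sense.
    }
}
```

The property is run with JQF's Maven plugin (`mvn jqf:fuzz -Dclass=DateFormatFuzzTest -Dmethod=parsesWithoutUndocumentedExceptions`), which saves failing inputs for replay.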