afl with thread sanitizer
689 views
Skip to first unread message
aghuf...@gmail.com
Nov 14, 2017, 2:01:32 PM11/14/17
to afl-users
I am pretty new to afl and fuzzing as a whole. I want to know if and how can i use afl with thread sanitizer. I would prefer an example with dataraces where i can apply it. I have tried to use
afl-gcc -fsanitize=thread -fno-stack-protector -z exestack program.c -o a.out
afl-fuzz -i ./testcases/ -o ./results/ ./a.out
afl-fuzz -i ./testcases/ -o ./results/ ./a.out
thanks a lot for any sort of help.
Jakub Wilk
Nov 14, 2017, 6:16:07 PM11/14/17
to afl-...@googlegroups.com
* aghuf...@gmail.com, 2017-11-14, 10:47:
>afl-gcc -fsanitize=thread -fno-stack-protector -z exestack program.c
>-o a.out
I guess "exestack" is a typo for "execstack"? (I don't know why would
you want to make the stack executable, though...)
afl-gcc's instrumentation doesn't play well with heavy use of threads.
I recommend using afl-clang-fast instead.
>afl-fuzz -i ./testcases/ -o ./results/ ./a.out
TSan outright refuses to work if there's any virtual memory limit, so
you will need to pass "-m none" to afl-fuzz. (But that means afl-fuzz
won't protect you from the target program eating all the memory...)
You will also need to set TSAN_OPTIONS=abort_on_error=1:symbolize=0 in
the environment, so that afl-fuzz can catch TSan's warnings, and TSan
doesn't waste time on prettifying backtraces. (Old versions of TSan
runtime might not support these options, so you should check they
actually work before you start fuzzing.)
There might be more gotchas! I haven't tried fuzzing anything with
TSan myself.
--
Jakub Wilk
>I want to know if and how can i use afl with thread sanitizer.
It's not supported out-of-the-box, but I guess you could make it work.
>afl-gcc -fsanitize=thread -fno-stack-protector -z exestack program.c
>-o a.out
you want to make the stack executable, though...)
afl-gcc's instrumentation doesn't play well with heavy use of threads.
I recommend using afl-clang-fast instead.
>afl-fuzz -i ./testcases/ -o ./results/ ./a.out
you will need to pass "-m none" to afl-fuzz. (But that means afl-fuzz
won't protect you from the target program eating all the memory...)
You will also need to set TSAN_OPTIONS=abort_on_error=1:symbolize=0 in
the environment, so that afl-fuzz can catch TSan's warnings, and TSan
doesn't waste time on prettifying backtraces. (Old versions of TSan
runtime might not support these options, so you should check they
actually work before you start fuzzing.)
There might be more gotchas! I haven't tried fuzzing anything with
TSan myself.
--
Jakub Wilk
Brian Carpenter
Nov 15, 2017, 12:32:23 AM11/15/17
to afl-...@googlegroups.com
Every time I've tried using AFL with TSan, I receive the dreaded `No instrumentation detected` message and I haven't been able to figure out why.
Michal Zalewski
Nov 15, 2017, 1:00:40 AM11/15/17
to afl-users
> Every time I've tried using AFL with TSan, I receive the dreaded `No
> instrumentation detected` message and I haven't been able to figure out why.
May want to use afl-showmap to see if tsan barfs out with some error message.
> instrumentation detected` message and I haven't been able to figure out why.
/mz
Brian Carpenter
Nov 15, 2017, 3:38:27 AM11/15/17
to afl-...@googlegroups.com
May want to use afl-showmap to see if tsan barfs out with some error message.
I crossed my fingers, but alas, no.
afl-showmap 2.51b by <lca...@google.com>
[*] Executing '../program'...
-- Program output begins --
*SNIP*
-- Program output ends --
[+] Captured 1 tuples in 'trace'.
afl-analyze also reports `No instrumentation detected` while afl-tmin reports "minimizing in `instrumented` mode", but then in error red it says "Down to zero bytes - check the command line and mem limit", but I always run with `-m none` and the command line is just `./program input` so not seeing an issue there either. That `1 tuples` is suspect though as running the program compiled with USan and ASan returns `2845 tuples`.
Ahmed Ghufran
Nov 15, 2017, 4:45:01 AM11/15/17
to afl-users
thanks Jakub
When i try to use the command inside the llvm_mode directory of the afl
LLVM_CONFIG=llvm-config-3.8 make
I got the folllowing reply. although i have already installed clang and afl-clang . i am using linux mint 18.2-mate 64 bit.iso. i dnt know which number it should be there in place of 3.8 . afl version is 2.51b. how can i deal with it. thanks for ur reply.
[*] Checking for working 'llvm-config'...
[-] Oops, can't find 'llvm-config'. Install clang or set $LLVM_CONFIG or $PATH beforehand.
(Sometimes, the binary will be named llvm-config-3.5 or something like that.)
Makefile:67: recipe for target 'test_deps' failed
make: *** [test_deps] Error 1
When i try to use the command inside the llvm_mode directory of the afl
LLVM_CONFIG=llvm-config-3.8 make
I got the folllowing reply. although i have already installed clang and afl-clang . i am using linux mint 18.2-mate 64 bit.iso. i dnt know which number it should be there in place of 3.8 . afl version is 2.51b. how can i deal with it. thanks for ur reply.
[*] Checking for working 'llvm-config'...
[-] Oops, can't find 'llvm-config'. Install clang or set $LLVM_CONFIG or $PATH beforehand.
(Sometimes, the binary will be named llvm-config-3.5 or something like that.)
Makefile:67: recipe for target 'test_deps' failed
make: *** [test_deps] Error 1
Jakub Wilk
Nov 16, 2017, 6:19:17 PM11/16/17
to afl-...@googlegroups.com
* Brian Carpenter <brian.c...@gmail.com>, 2017-11-14, 23:31:
test program shipped with AFL:
$ afl-clang-fast -fsanitize=thread test-instr.c -o test-instr
$ TSAN_OPTIONS=abort_on_error=1:symbolize=0 afl-fuzz -m none -i testcases/others/text/ -o out -- ./test-instr
(Although of course I haven't found any race condition in this program.
:-P)
--
Jakub Wilk
>Every time I've tried using AFL with TSan, I receive the dreaded `No
>instrumentation detected` message and I haven't been able to figure out
>why.
As a data point, it works here (amd64, clang 3.8.1, AFL 2.52b) on the
>instrumentation detected` message and I haven't been able to figure out
>why.
test program shipped with AFL:
$ afl-clang-fast -fsanitize=thread test-instr.c -o test-instr
$ TSAN_OPTIONS=abort_on_error=1:symbolize=0 afl-fuzz -m none -i testcases/others/text/ -o out -- ./test-instr
(Although of course I haven't found any race condition in this program.
:-P)
--
Jakub Wilk
Jakub Wilk
Nov 17, 2017, 11:59:20 AM11/17/17
to afl-...@googlegroups.com
* Ahmed Ghufran <aghuf...@gmail.com>, 2017-11-15, 01:45:
binary, so there's no need to build it from source. As I understand it,
Linux Mint is based on Ubuntu, so I guess "apt-get install afl-clang"
should do the trick, too?
>[-] Oops, can't find 'llvm-config'. Install clang or set $LLVM_CONFIG or $PATH beforehand.
"Install clang" is a bit inaccurate. You need to install the package
that ships LLVM development files, which is llvm-dev on Ubuntu (and
Mint?).
--
Jakub Wilk
>I got the folllowing reply. although i have already installed clang and
>afl-clang . i am using linux mint 18.2-mate 64 bit.iso.
On Ubuntu, the afl-clang package already ships the afl-clang-fast
>afl-clang . i am using linux mint 18.2-mate 64 bit.iso.
binary, so there's no need to build it from source. As I understand it,
Linux Mint is based on Ubuntu, so I guess "apt-get install afl-clang"
should do the trick, too?
>[-] Oops, can't find 'llvm-config'. Install clang or set $LLVM_CONFIG or $PATH beforehand.
that ships LLVM development files, which is llvm-dev on Ubuntu (and
Mint?).
--
Jakub Wilk
Ahmed Ghufran
Nov 20, 2017, 5:28:16 AM11/20/17
to afl-users
Thanks Jakub
Ahmed Ghufran
Nov 20, 2017, 6:08:35 PM11/20/17
to afl-users
I am using
afl-clang-fast -fsanitize=thread -fno-stack-protector thread2.c
TSAN_OPTIONS=abort_on_error=1:symbolize=0 afl-fuzz -m none -i ./test_thread/ -o ./results/ ./a.out
but still could not get data races crash in a very simple test program. which i get easily with only TSAN. any suggestions
On Wednesday, 15 November 2017 00:16:07 UTC+1, Jakub Wilk wrote:
Nishh
Dec 6, 2017, 6:01:51 PM12/6/17
to afl-users
May be this is useful...
Reply all
Reply to author
Forward
0 new messages