
Commit d991395

Authored by vj-27 (Vimal Joseph), domenukk, s1341 and marcograss
Launcher (#48)
* launcher in linux
* silence stdout and stderr linux
* arg parser and other changes
* retry instead of sleep
* no_std fixes
* reordered includes
* launcher for windows and kill clients when broker returns
* cargo fmt
* started launcher api cleanup
* use closures instead of functions
* small change
* reordered launcher params
* fixed clippy warnings
* fixed no_std
* moved launcher example to own folder
* docu
* cleanup launcher
* more docs
* Fix merge issues
* Rework the launcher code to provide a cleaner API
* Open file before spawning clients
* launcher: fix merge issue, sleep for a different amount for each core
* fixed no_std
* Tcp Broker to Broker Communication (#66)
* initial b2b implementation
* no_std and clippy fixes
* b2b testcase added
* more correct testcases
* fixed b2b
* typo
* fixed unused warning
* some clippy warning ignored
* using clippy.sh
* Update README.md
* fixed clippy run in workflow
* fixing clippy::match-same-arms
* make clippy less pedantic
* fixed some minor typos in the book
* launcher: use s1341's fork of core_affinity
* Build warning fix proposal, mostly about reference to packed fields. (#79)
* Observers refactor (#84)
* new observer structure with HasExecHooks
* adapt libafl_frida to new observers
* docstrings
* Composing feedback (#85)
* composing feedbacks as logic operations and bump to 0.2
* adapt fuzzers and libafl_frida
* fix windows build
* fixed clippy warnings
* Frida suppress instrumentation locations option (#87)
* Implement frida option
* Format
* add append/discard_metadata for and/or/not feedback (#86)
* add append/discard_metadata for and/or/not feedback
* fix
* Call append_metadata on crash (#88)
* Call append_metadata on crash
* Formatting
* Reachability example (#65)
* add reachability observer/feedback
* add fuzzer example
* fmt
* remove reachabilityobserver, use stdmapobserver instead
* update diff.patch
* update README
* fix the clippy warning
* Squashed commit of the following:
  * commit f20524e, Author: Andrea Fioraldi <[email protected]>, Date: Tue May 4 16:00:39 2021 +0200: Composing feedback (#85): composing feedbacks as logic operations and bump to 0.2; adapt fuzzers and libafl_frida; fix windows build
  * commit e06efaa, Author: Andrea Fioraldi <[email protected]>, Date: Tue May 4 13:54:46 2021 +0200: Observers refactor (#84): new observer structure with HasExecHooks; adapt libafl_frida to new observers; docstrings
  * commit 17c6fcd (Merge: 08a2d43 a78a4b7), Author: Andrea Fioraldi <[email protected]>, Date: Mon May 3 11:16:49 2021 +0200: Merge branch 'main' into dev
  * commit 08a2d43, Author: David CARLIER <[email protected]>, Date: Mon May 3 10:15:28 2021 +0100: Build warning fix proposal, mostly about reference to packed fields. (#79)
  * commit 88fe8fa (Merge: d5d46ad d2e7719), Author: Andrea Fioraldi <[email protected]>, Date: Mon May 3 11:05:42 2021 +0200: Merge pull request #80 from marcograss/book-typos: fixed some minor typos in the book
  * commit a78a4b7, Author: s1341 <[email protected]>, Date: Mon May 3 10:34:15 2021 +0300: frida-asan: Un-inline report funclet to reduce code bloat (#81): frida-asan: Outline report funclet to reduce code bloat; fmt
  * commit d2e7719, Author: Marco Grassi <[email protected]>, Date: Sun May 2 21:58:33 2021 +0800: fixed some minor typos in the book
  * commit d5d46ad, Author: Dominik Maier <[email protected]>, Date: Sat May 1 23:09:10 2021 +0200: make clippy less pedantic
  * commit 52d25e9, Author: Dominik Maier <[email protected]>, Date: Sat May 1 22:23:59 2021 +0200: fixing clippy::match-same-arms
  * commit cd66f88, Author: Dominik Maier <[email protected]>, Date: Sat May 1 14:02:07 2021 +0200: fixed clippy run in workflow
  * commit ddcf086, Author: Dominik Maier <[email protected]>, Date: Sat May 1 13:53:29 2021 +0200: Update README.md
  * commit c715f1f, Author: Dominik Maier <[email protected]>, Date: Sat May 1 13:48:38 2021 +0200: using clippy.sh
  * commit 9374b26, Author: Dominik Maier <[email protected]>, Date: Sat May 1 13:47:44 2021 +0200: some clippy warning ignored
  * commit b9e75c0, Author: Dominik Maier <[email protected]>, Date: Sat May 1 13:24:02 2021 +0200: Tcp Broker to Broker Communication (#66): initial b2b implementation; no_std and clippy fixes; b2b testcase added; more correct testcases; fixed b2b; typo; fixed unused warning
* feedbacks now return a boolean value
* use feedback_or, and modify Cargo.toml
* fix diff between dev and this branch
* fmt

  Co-authored-by: Dominik Maier <[email protected]>
* clippy fixes
* clippy fixes
* clippy fixes, x86_64 warnings
* more docs
* Observers lifetime (#89)
* introduce MatchName and allow lifetimes in observers
* adapt fuzzers to observers with lifetime
* introduce type_eq when on nightly
* fix no_std
* fmt
* Better docu (#90)
* more docs
* more docs:
* more docu
* more docu
* finished docs
* cleaned up markup
* must_use tags added
* more docs
* more docu, less clippy
* more fixes
* Clippy fixes (#92)
* more docs
* more docs:
* more docu
* more docu
* finished docs
* cleaned up markup
* must_use tags added
* more docs
* swapped if/else, as per clippy
* more docu, less clippy
* more fixes
* Fix merge issues
* Get rid of unneeded prints
* Fix merge errors
* added b2b to restarting interface
* Setting SO_REUSEPORT
* added b2b to launcher api
* more windows launcher
* Fix merge errors
* Add b2b support to frida_libpng
* make frida_libpng bind to a public address
* Convert launcher into a builder LauncherBuilder
* formatting
* Convert setup_restarting_mgr to a builder RestartingMgrBuilder; leave setup_restarting_mgr_std as is, so that fuzzers work
* RcShmem should be locked via a mutex
* Wait at least 1 second between broker and first client, to avoid race
* update frida_libpng README for cross-compiling to android (#100)

  Co-authored-by: Ariel Zentner <[email protected]>
* Fixed build for Windows
* no_std fixes
* reverted aa6773d & windows fixes
* added pipes, moving to remove race conditions for rc shmem
* fix unix build
* fixed clippy:
* fixed no_std once more
* renamed b2b to remote_broker_addr
* you get a pre_fork, and you get a post_fork, forks for everyone
* switched to typed_builder
* Fix merge issue
* Fix frida fuzzer with new Launcher builder
* Introspection (#97)
* Rework to put `ClientPerfStats` in `State` and pass that along. Still need to work on getting granular information from `Feedback` and `Observer`
* Add perf_stats feature to libafl/Cargo.toml
* Update feedbacks to have with_perf
* Remove unneeded print statement
* cargo fmt all the things
* use local llvmint vs cpu specific asm for reading cycle counter
* Remove debug testing code
* Stats timeout to 3 seconds
* Inline smallish functions for ClientPerfStats
* Remove .libs/llvmint and have the correct conditional compilation of link_llvm_intrinsics on the perf_stats feature
* pub(crate) the NUM_FEEDBACK and NUM_STAGES consts
* Tcp Broker to Broker Communication (#66)
* initial b2b implementation
* no_std and clippy fixes
* b2b testcase added
* more correct testcases
* fixed b2b
* typo
* fixed unused warning
* clippy fixes
* fallback to systemtime on non-x86
* make clippy more strict
* small fixes
* bump 0.2.1
* readme

  Co-authored-by: ctfhacker <[email protected]>
  Co-authored-by: Dominik Maier <[email protected]>
* typos (please review)
* merged clippy.sh
* utils
* Add asan cores option (#102)
* added asan-cores option for frida fuzzer. When asan is enabled (via LIBBAFL_FRIDA_OPTIONS enable-asan), you can filter exactly which of the cores asan should run on with the asan-cores variable.
* add is_some check instead of !None

  Co-authored-by: Ariel Zentner <[email protected]>
* moved utils to bolts
* fixed typo
* no_std fixes
* unix fixes
* fixed unix no_std build
* fix llmp.rs
* adapt libfuzzer_libpng_launcher
* added all fuzzers to ci
* fmt, improved ci
* tests crate not ready for prime time
* clippy fixes
* make ci script executable
* trying to fix example fuzzers
* working libfuzzer_libpng_launcher
* frida_libpng builds
* clippy
* bump version
* fix no_std
* fix dep version
* clippy fixes
* more fixes
* clippy++
* warn again
* clearer readme

Co-authored-by: Vimal Joseph <[email protected]>
Co-authored-by: Dominik Maier <[email protected]>
Co-authored-by: s1341 <[email protected]>
Co-authored-by: Marco Grassi <[email protected]>
Co-authored-by: s1341 <[email protected]>
Co-authored-by: Andrea Fioraldi <[email protected]>
Co-authored-by: David CARLIER <[email protected]>
Co-authored-by: Toka <[email protected]>
Co-authored-by: r-e-l-z <[email protected]>
Co-authored-by: Ariel Zentner <[email protected]>
Co-authored-by: ctfhacker <[email protected]>
Co-authored-by: hexcoder <[email protected]>
1 parent b519363 commit d991395


73 files changed, +2068 -694 lines changed

.github/workflows/build_and_test.yml

+2
@@ -60,6 +60,8 @@ jobs:
6060
run: cargo test --all-features --doc
6161
- name: Run clippy
6262
run: ./clippy.sh
63+
- name: Build fuzzers
64+
run: ./build_all_fuzzers.sh
6365
windows:
6466
runs-on: windows-latest
6567
steps:
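Review bot: the new `Build fuzzers` step is inserted only into the Linux job, directly before `windows:`, so the Windows job never compiles the example fuzzers even though the commit message says "added all fuzzers to ci". If that is deliberate (the frida fuzzer's `libafl` dependency sits under `[target.'cfg(unix)'.dependencies]`), a one-line comment on the step saying so avoids the question later; otherwise a matching step, or a skip list inside `build_all_fuzzers.sh`, belongs in the Windows job too.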

build_all_fuzzers.sh

+16
@@ -0,0 +1,16 @@
1+
#!/bin/sh
2+
3+
# TODO: This should be rewritten in rust, a Makefile, or some platform-independent language
4+
5+
cd fuzzers
6+
7+
for fuzzer in *;
8+
do
9+
echo "[+] Checking fmt, clippy, and building $fuzzer"
10+
cd $fuzzer \
11+
&& cargo fmt --all -- --check \
12+
&& ../../clippy.sh --no-clean \
13+
&& cargo build \
14+
&& cd .. \
15+
|| exit 1
16+
done
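Review bot: `cd fuzzers` on line 5 is unchecked and `cd $fuzzer` on line 10 is unquoted, so a missing directory or a name containing whitespace sends the loop into the wrong place; use `cd fuzzers || exit 1` and `cd "$fuzzer"`. The glob `*` on line 7 also matches plain files under `fuzzers/`, where `cd` fails and the `|| exit 1` aborts the whole run; `for fuzzer in */` restricts the loop to directories. Since `../../clippy.sh` is resolved relative to `fuzzers/<name>`, the script only works when started from the repository root, which the TODO comment could state.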

clippy.sh

+6-2
@@ -1,14 +1,18 @@
11
#!/bin/sh
22
# Clippy checks
3-
cargo clean -p libafl
3+
if [ "$1" != "--no-clean" ]; then
4+
# Usually, we want to clean, since clippy won't work otherwise.
5+
echo "[+] Cleaning up previous builds..."
6+
cargo clean -p libafl
7+
fi
48
RUST_BACKTRACE=full cargo clippy --all --all-features --tests -- \
59
-D clippy::pedantic \
6-
-W clippy::similar-names \
710
-W clippy::unused_self \
811
-W clippy::too_many_lines \
912
-W clippy::option_if_let_else \
1013
-W clippy::must-use-candidate \
1114
-W clippy::if-not-else \
15+
-W clippy::similar-names \
1216
-A clippy::type_repetition_in_bounds \
1317
-A clippy::missing-errors-doc \
1418
-A clippy::cast-possible-truncation \
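Review bot: the `--no-clean` test on line 3 only recognises the flag in the first argument position and silently ignores anything else, so a typo such as `--noclean` quietly triggers the `cargo clean`; either reject unknown arguments or document the single flag in the header comment. Moving `-W clippy::similar-names` below `-W clippy::if-not-else` is purely cosmetic, and because it still follows `-D clippy::pedantic` the lint remains at warn level, so the `#[allow(clippy::similar_names)]` this commit adds to `baby_fuzzer`'s `main` suppresses a warning that would not have failed the build anyway.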

docs/src/baby_fuzzer.md

+1-1
@@ -156,13 +156,13 @@ Now you can prepend the following `use` directives to your main.rs and compile i
156156
```rust
157157
use std::path::PathBuf;
158158
use libafl::{
159+
bolts::{current_nanos, rands::StdRand},
159160
corpus::{InMemoryCorpus, OnDiskCorpus, QueueCorpusScheduler},
160161
events::SimpleEventManager,
161162
executors::{inprocess::InProcessExecutor, ExitKind},
162163
generators::RandPrintablesGenerator,
163164
state::State,
164165
stats::SimpleStats,
165-
utils::{current_nanos, StdRand},
166166
};
167167
```
168168

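Review bot: the `bolts::{current_nanos, rands::StdRand}` line is added at the top of the import list while `utils::{current_nanos, StdRand}` is removed at the bottom, which matches the change in `fuzzers/baby_fuzzer/src/main.rs`; only this chapter's `use` block is touched, so the rest of `docs/src` is worth grepping for `utils::` before merging, otherwise the book's snippets stop compiling against the renamed module.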
fuzzers/baby_fuzzer/Cargo.toml

+1-1
@@ -1,6 +1,6 @@
11
[package]
22
name = "baby_fuzzer"
3-
version = "0.2.0"
3+
version = "0.3.0"
44
authors = ["Andrea Fioraldi <[email protected]>", "Dominik Maier <[email protected]>"]
55
edition = "2018"
66

fuzzers/baby_fuzzer/src/main.rs

+10-9
@@ -1,7 +1,7 @@
11
use std::path::PathBuf;
22

33
use libafl::{
4-
bolts::tuples::tuple_list,
4+
bolts::{current_nanos, rands::StdRand, tuples::tuple_list},
55
corpus::{InMemoryCorpus, OnDiskCorpus, QueueCorpusScheduler},
66
events::SimpleEventManager,
77
executors::{inprocess::InProcessExecutor, ExitKind},
@@ -13,25 +13,26 @@ use libafl::{
1313
stages::mutational::StdMutationalStage,
1414
state::StdState,
1515
stats::SimpleStats,
16-
utils::{current_nanos, StdRand},
1716
};
1817

19-
// Coverage map with explicit assignments due to the lack of instrumentation
18+
/// Coverage map with explicit assignments due to the lack of instrumentation
2019
static mut SIGNALS: [u8; 16] = [0; 16];
2120

21+
/// Assign a signal to the signals map
2222
fn signals_set(idx: usize) {
2323
unsafe { SIGNALS[idx] = 1 };
2424
}
2525

26+
#[allow(clippy::similar_names)]
2627
pub fn main() {
2728
// The closure that we want to fuzz
2829
let mut harness = |buf: &[u8]| {
2930
signals_set(0);
30-
if buf.len() > 0 && buf[0] == 'a' as u8 {
31+
if !buf.is_empty() && buf[0] == b'a' {
3132
signals_set(1);
32-
if buf.len() > 1 && buf[1] == 'b' as u8 {
33+
if buf.len() > 1 && buf[1] == b'b' {
3334
signals_set(2);
34-
if buf.len() > 2 && buf[2] == 'c' as u8 {
35+
if buf.len() > 2 && buf[2] == b'c' {
3536
panic!("=)");
3637
}
3738
}
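Review bot: `#[allow(clippy::similar_names)]` on the whole of `main` (line 26) is broader than needed; the lint fires on particular bindings, so attaching the attribute to the offending `let` statement, or renaming it, keeps the check active for the rest of the function. The new `///` comment on `signals_set` should also state that `idx` must be below 16, since the write into `static mut SIGNALS` happens inside an unchecked `unsafe` block and an out-of-range index panics the harness rather than reporting a bug. `!buf.is_empty() && buf[0] == b'a'` can be written `buf.first() == Some(&b'a')` for the same test without the manual length guard.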
@@ -86,21 +87,21 @@ pub fn main() {
8687
&mut state,
8788
&mut mgr,
8889
)
89-
.expect("Failed to create the Executor".into());
90+
.expect("Failed to create the Executor");
9091

9192
// Generator of printable bytearrays of max size 32
9293
let mut generator = RandPrintablesGenerator::new(32);
9394

9495
// Generate 8 initial inputs
9596
state
9697
.generate_initial_inputs(&mut fuzzer, &mut executor, &mut generator, &mut mgr, 8)
97-
.expect("Failed to generate the initial corpus".into());
98+
.expect("Failed to generate the initial corpus");
9899

99100
// Setup a mutational stage with a basic bytes mutator
100101
let mutator = StdScheduledMutator::new(havoc_mutations());
101102
let mut stages = tuple_list!(StdMutationalStage::new(mutator));
102103

103104
fuzzer
104105
.fuzz_loop(&mut stages, &mut executor, &mut state, &mut mgr)
105-
.expect("Error in the fuzzing loop".into());
106+
.expect("Error in the fuzzing loop");
106107
}

fuzzers/frida_libpng/Cargo.toml

+5-4
@@ -1,6 +1,6 @@
11
[package]
22
name = "frida_libpng"
3-
version = "0.2.0"
3+
version = "0.3.0"
44
authors = ["Andrea Fioraldi <[email protected]>", "Dominik Maier <[email protected]>"]
55
edition = "2018"
66
build = "build.rs"
@@ -21,17 +21,18 @@ num_cpus = "1.0"
2121
which = "4.1"
2222

2323
[target.'cfg(unix)'.dependencies]
24-
libafl = { path = "../../libafl/", features = [ "std", "llmp_compression" ] } #, "llmp_small_maps", "llmp_debug"]}
24+
libafl = { path = "../../libafl/", features = [ "std", "llmp_compression", "llmp_bind_public" ] } #, "llmp_small_maps", "llmp_debug"]}
25+
libafl_frida = { path = "../../libafl_frida" }
2526
capstone = "0.8.0"
26-
frida-gum = { version = "0.4", git = "https://github.com/s1341/frida-rust", features = [ "auto-download", "event-sink", "invocation-listener"] }
27+
frida-gum = { version = "0.4.1", git = "https://github.com/frida/frida-rust", features = [ "auto-download", "event-sink", "invocation-listener"] }
2728
#frida-gum = { version = "0.4", path = "../../../frida-rust/frida-gum", features = [ "auto-download", "event-sink", "invocation-listener"] }
28-
libafl_frida = { path = "../../libafl_frida", version = "0.2.0" }
2929
lazy_static = "1.4.0"
3030
libc = "0.2"
3131
libloading = "0.7.0"
3232
num-traits = "0.2.14"
3333
rangemap = "0.1.10"
3434
seahash = "4.1.0"
35+
clap = "2.33"
3536
serde = "1.0"
3637

3738
backtrace = "0.3"
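Review bot: `frida-gum` moves from the `s1341` fork to upstream `frida/frida-rust` with `version = "0.4.1"` but no `rev`, `tag` or `branch`, so Cargo follows whatever the default branch holds at resolution time and `Cargo.lock` is the only pin; add `rev = "<commit>"` (or a `tag`) so the build is reproducible and the dependency cannot change underneath a release. Enabling `llmp_bind_public` on `libafl` is a behavioural change rather than a build fix: the broker's TCP listener becomes reachable from the network, which contradicts the README's statement that the port is local, so consider exposing it as an opt-in feature of this fuzzer instead of the default. Moving `libafl_frida` up and dropping its `version = "0.2.0"` is fine for a path dependency, but `cargo publish` would need the version back.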

fuzzers/frida_libpng/README.md

+9
@@ -11,6 +11,15 @@ This will call (the build.rs)[./build.rs], which in turn downloads a libpng arch
1111
Then, it will link (the fuzzer)[./src/fuzzer.rs] against (the C++ harness)[./harness.cc] and the instrumented `libpng`.
1212
Afterwards, the fuzzer will be ready to run, from `../../target/examples/libfuzzer_libpng`.
1313

14+
### Build For Android
15+
When building for android using a cross-compiler, make sure you have a _standalone toolchain_, and then add the following:
16+
1. In the ~/.cargo/config file add a target with the correct cross-compiler toolchain name (in this case aarch64-linux-android, but names may vary)
17+
`[target.aarch64-linux-android]`
18+
`linker="aarch64-linux-android-clang"`
19+
2. add path to installed toolchain to PATH env variable.
20+
3. define CLANG_PATH and add target to the build command line:
21+
`CLANG_PATH=<path to installed toolchain>/bin/aarch64-linux-android-clang cargo -v build --release --target=aarch64-linux-android`
22+
1423
## Run
1524

1625
The first time you run the binary, the broker will open a tcp port (currently on port `1337`), waiting for fuzzer clients to connect. This port is local and only used for the initial handshake. All further communication happens via shared map, to be independent of the kernel.
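Review bot: the config snippet in step 1 is split across two inline code spans on separate lines (`[target.aarch64-linux-android]` and `linker="aarch64-linux-android-clang"`), so it renders as two fragments rather than a file excerpt; put both lines in one fenced code block and give the file path as `~/.cargo/config` in code font. The context line "This port is local and only used for the initial handshake" is no longer accurate once this commit enables `llmp_bind_public` for this fuzzer in its Cargo.toml; update it to say the broker now binds a non-loopback address and what that exposes. While the file is open, the reversed link syntax `(the build.rs)[./build.rs]` on the surrounding lines should be `[the build.rs](./build.rs)`, and "android" in the new heading's prose should be "Android".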

fuzzers/frida_libpng/build.rs

+7-8
@@ -12,15 +12,14 @@ const LIBPNG_URL: &str =
1212
"https://deac-fra.dl.sourceforge.net/project/libpng/libpng16/1.6.37/libpng-1.6.37.tar.xz";
1313

1414
fn build_dep_check(tools: &[&str]) {
15-
for tool in tools.into_iter() {
15+
for tool in tools {
1616
println!("Checking for build tool {}...", tool);
1717

18-
match which(tool) {
19-
Ok(path) => println!("Found build tool {}", path.to_str().unwrap()),
20-
Err(_) => {
21-
println!("ERROR: missing build tool {}", tool);
22-
exit(1);
23-
}
18+
if let Ok(path) = which(tool) {
19+
println!("Found build tool {}", path.to_str().unwrap())
20+
} else {
21+
println!("ERROR: missing build tool {}", tool);
22+
exit(1);
2423
};
2524
}
2625
}
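Review bot: `path.to_str().unwrap()` on line 19 panics for a tool path that is not valid UTF-8; `path.display()` prints any path and removes the `unwrap`. The `println!` in the `if let` arm has no trailing semicolon, and the `};` closing the `else` block is left over from the old `match`; both compile but are worth tidying while the clippy pass is here.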
@@ -35,7 +34,7 @@ fn main() {
3534
let cwd = env::current_dir().unwrap().to_string_lossy().to_string();
3635
let out_dir = out_dir.to_string_lossy().to_string();
3736
let out_dir_path = Path::new(&out_dir);
38-
std::fs::create_dir_all(&out_dir).expect(&format!("Failed to create {}", &out_dir));
37+
std::fs::create_dir_all(&out_dir).unwrap_or_else(|_| panic!("Failed to create {}", &out_dir));
3938

4039
println!("cargo:rerun-if-changed=build.rs");
4140
println!("cargo:rerun-if-changed=../libfuzzer_runtime/rt.c",);
