2019-07-01 09:28:12 +00:00
<!DOCTYPE html>
2019-08-09 03:54:43 +00:00
< html class = "theme-next gemini use-motion" lang = "zh-Hans" >
2019-07-01 09:28:12 +00:00
< head > < meta name = "generator" content = "Hexo 3.8.0" >
< meta charset = "UTF-8" >
< meta http-equiv = "X-UA-Compatible" content = "IE=edge" >
< meta name = "viewport" content = "width=device-width, initial-scale=1, maximum-scale=1" >
< meta name = "theme-color" content = "#222" >
< meta http-equiv = "Cache-Control" content = "no-transform" >
< meta http-equiv = "Cache-Control" content = "no-siteapp" >
< link href = "/lib/fancybox/source/jquery.fancybox.css?v=2.1.5" rel = "stylesheet" type = "text/css" >
< link href = "/lib/font-awesome/css/font-awesome.min.css?v=4.6.2" rel = "stylesheet" type = "text/css" >
< link href = "/css/main.css?v=5.1.4" rel = "stylesheet" type = "text/css" >
< link rel = "apple-touch-icon" sizes = "180x180" href = "/images/hackerrank.png?v=5.1.4" >
< link rel = "icon" type = "image/png" sizes = "32x32" href = "/images/hackerrank.png?v=5.1.4" >
< link rel = "icon" type = "image/png" sizes = "16x16" href = "/images/hackerrank.png?v=5.1.4" >
< link rel = "mask-icon" href = "/images/logo.svg?v=5.1.4" color = "#222" >
2019-07-01 11:52:45 +00:00
< meta name = "keywords" content = "AFL,模糊测试," >
2019-07-01 09:28:12 +00:00
2019-07-01 11:52:45 +00:00
< meta name = "description" content = "接触这个词语已经有一年了, , , , , , ( ) , , , >
< meta name = "keywords" content = "AFL,模糊测试" >
2019-07-01 09:28:12 +00:00
< meta property = "og:type" content = "article" >
2019-07-09 09:27:51 +00:00
< meta property = "og:title" content = "模糊测试与AFL" >
2019-07-01 09:28:12 +00:00
< meta property = "og:url" content = "https://cool-y.github.io/2019/07/01/AFL-first-learn/index.html" >
< meta property = "og:site_name" content = "混元霹雳手" >
2019-07-01 11:52:45 +00:00
< meta property = "og:description" content = "接触这个词语已经有一年了, , , , , , ( ) , , , >
2019-07-01 09:28:12 +00:00
< meta property = "og:locale" content = "zh-Hans" >
2019-07-09 09:11:34 +00:00
< meta property = "og:image" content = "https://image.3001.net/images/20181207/1544168163_5c0a22e3eedce.jpg" >
< meta property = "og:image" content = "http://lcamtuf.coredump.cx/afl/afl_gzip.png" >
2019-07-09 09:27:51 +00:00
< meta property = "og:updated_time" content = "2019-07-09T09:27:22.887Z" >
2019-07-01 09:28:12 +00:00
< meta name = "twitter:card" content = "summary" >
2019-07-09 09:27:51 +00:00
< meta name = "twitter:title" content = "模糊测试与AFL" >
2019-07-01 11:52:45 +00:00
< meta name = "twitter:description" content = "接触这个词语已经有一年了, , , , , , ( ) , , , >
2019-07-09 09:11:34 +00:00
< meta name = "twitter:image" content = "https://image.3001.net/images/20181207/1544168163_5c0a22e3eedce.jpg" >
2019-07-01 09:28:12 +00:00
< script type = "text/javascript" id = "hexo.configurations" >
var NexT = window.NexT || {};
var CONFIG = {
root: '/',
2019-08-09 03:54:43 +00:00
scheme: 'Gemini',
2019-07-01 09:28:12 +00:00
version: '5.1.4',
sidebar: {"position":"left","display":"post","offset":12,"b2t":false,"scrollpercent":false,"onmobile":false},
fancybox: true,
tabs: true,
motion: {"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},
duoshuo: {
userId: '0',
author: '博主'
},
algolia: {
applicationID: '',
apiKey: '',
indexName: '',
hits: {"per_page":10},
labels: {"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}
}
};
< / script >
< link rel = "canonical" href = "https://cool-y.github.io/2019/07/01/AFL-first-learn/" >
2019-07-09 09:27:51 +00:00
< title > 模糊测试与AFL | 混元霹雳手< / title >
2019-07-01 09:28:12 +00:00
< / head >
< body itemscope itemtype = "http://schema.org/WebPage" lang = "zh-Hans" >
< div class = "container sidebar-position-left page-post-detail" >
< div class = "headband" > < / div >
< header id = "header" class = "header" itemscope itemtype = "http://schema.org/WPHeader" >
< div class = "header-inner" > < div class = "site-brand-wrapper" >
< div class = "site-meta " >
< div class = "custom-logo-site-title" >
< a href = "/" class = "brand" rel = "start" >
< span class = "logo-line-before" > < i > < / i > < / span >
< span class = "site-title" > 混元霹雳手< / span >
< span class = "logo-line-after" > < i > < / i > < / span >
< / a >
< / div >
2019-07-24 03:51:42 +00:00
< p class = "site-subtitle" > < / p >
2019-07-01 09:28:12 +00:00
< / div >
< div class = "site-nav-toggle" >
< button >
< span class = "btn-bar" > < / span >
< span class = "btn-bar" > < / span >
< span class = "btn-bar" > < / span >
< / button >
< / div >
< / div >
< nav class = "site-nav" >
< ul id = "menu" class = "menu" >
< li class = "menu-item menu-item-home" >
< a href = "/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-home" > < / i > < br >
首页
< / a >
< / li >
< li class = "menu-item menu-item-about" >
< a href = "/about/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-user" > < / i > < br >
关于
< / a >
< / li >
< li class = "menu-item menu-item-tags" >
< a href = "/tags/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-tags" > < / i > < br >
标签
< / a >
< / li >
< li class = "menu-item menu-item-categories" >
< a href = "/categories/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-th" > < / i > < br >
分类
< / a >
< / li >
< li class = "menu-item menu-item-archives" >
< a href = "/archives/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-archive" > < / i > < br >
归档
< / a >
< / li >
< li class = "menu-item menu-item-bookmarks" >
< a href = "/bookmarks/" rel = "section" >
< i class = "menu-item-icon fa fa-fw fa-map" > < / i > < br >
书签
< / a >
< / li >
2019-08-08 12:42:56 +00:00
2019-08-08 12:47:43 +00:00
< li class = "menu-item menu-item-hack之外" >
2019-08-08 12:42:56 +00:00
< a href = "/hack之外/" rel = "section" >
2019-08-08 12:52:19 +00:00
< i class = "menu-item-icon fa fa-fw fa-heartbeat" > < / i > < br >
2019-08-08 12:42:56 +00:00
2019-08-08 12:52:19 +00:00
HACK之外
2019-08-08 12:42:56 +00:00
< / a >
< / li >
2019-07-01 09:28:12 +00:00
< / ul >
< / nav >
< / div >
< / header >
< main id = "main" class = "main" >
< div class = "main-inner" >
< div class = "content-wrap" >
< div id = "content" class = "content" >
< div id = "posts" class = "posts-expand" >
< article class = "post post-type-normal" itemscope itemtype = "http://schema.org/Article" >
< div class = "post-block" >
< link itemprop = "mainEntityOfPage" href = "https://cool-y.github.io/2019/07/01/AFL-first-learn/" >
< span hidden itemprop = "author" itemscope itemtype = "http://schema.org/Person" >
< meta itemprop = "name" content = "Cool-Y" >
< meta itemprop = "description" content >
< meta itemprop = "image" content = "/images/avatar.png" >
< / span >
< span hidden itemprop = "publisher" itemscope itemtype = "http://schema.org/Organization" >
< meta itemprop = "name" content = "混元霹雳手" >
< / span >
< header class = "post-header" >
2019-07-09 09:27:51 +00:00
< h1 class = "post-title" itemprop = "name headline" > 模糊测试与AFL< / h1 >
2019-07-01 09:28:12 +00:00
< div class = "post-meta" >
< span class = "post-time" >
< span class = "post-meta-item-icon" >
< i class = "fa fa-calendar-o" > < / i >
< / span >
< span class = "post-meta-item-text" > 发表于< / span >
< time title = "创建于" itemprop = "dateCreated datePublished" datetime = "2019-07-01T17:25:36+08:00" >
2019-07-01
< / time >
< / span >
< span class = "post-category" >
< span class = "post-meta-divider" > |< / span >
< span class = "post-meta-item-icon" >
< i class = "fa fa-folder-o" > < / i >
< / span >
< span class = "post-meta-item-text" > 分类于< / span >
< span itemprop = "about" itemscope itemtype = "http://schema.org/Thing" >
< a href = "/categories/二进制/" itemprop = "url" rel = "index" >
< span itemprop = "name" > 二进制< / span >
< / a >
< / span >
< / span >
2019-07-09 09:27:51 +00:00
< span id = "/2019/07/01/AFL-first-learn/" class = "leancloud_visitors" data-flag-title = "模糊测试与AFL" >
2019-07-01 09:28:12 +00:00
< span class = "post-meta-divider" > |< / span >
< span class = "post-meta-item-icon" >
< i class = "fa fa-eye" > < / i >
< / span >
< span class = "post-meta-item-text" > 阅读次数: < / span >
< span class = "leancloud-visitors-count" > < / span >
< / span >
< div class = "post-wordcount" >
< span class = "post-meta-item-icon" >
< i class = "fa fa-file-word-o" > < / i >
< / span >
< span title = "字数统计" >
2019-07-09 09:11:34 +00:00
11.4k 字
2019-07-01 09:28:12 +00:00
< / span >
< span class = "post-meta-divider" > |< / span >
< span class = "post-meta-item-icon" >
< i class = "fa fa-clock-o" > < / i >
< / span >
< span title = "阅读时长" >
2019-07-09 09:11:34 +00:00
42 分钟
2019-07-01 09:28:12 +00:00
< / span >
< / div >
< / div >
< / header >
< div class = "post-body" itemprop = "articleBody" >
< p > 接触这个词语已经有一年了, , , , , < / p >
2019-07-01 11:52:45 +00:00
< hr >
2019-07-01 09:28:12 +00:00
< h1 id = "0x01-模糊测试" > < a href = "#0x01-模糊测试" class = "headerlink" title = "0x01 模糊测试" > < / a > 0x01 模糊测试< / h1 > < p > 首先, ( ) , , , , , , ( ) < br > 模糊测试的过程,就好像是一个不断探测系统可以承受的输入极限的过程,让我想起学电子的时候对一个滤波器进行带宽的评估,如果我们知道内部电路原理,那么这个器件对于我们就是白盒了,可以直接通过公式计算理论带宽,现在系统对于我们而言是一个黑盒,我们通过在足够大频率范围内对其不断输入信号,就能测试出其实际带宽。< / p >
< p > < strong > 模糊测试方法一览< / strong > < / p >
2019-07-01 12:01:56 +00:00
< table >
< tr >
< th rowspan = "2" > 基于变种的Fuzzer< / th >
< th rowspan = "2" > 基于模板的Fuzzer< / th >
< th colspan = "2" > 基于反馈演进的Fuzzer< / th >
< / tr >
< tr >
< td > 基于追踪路径覆盖率< / td >
< td > 基于分支覆盖率< / td >
< / tr >
< tr >
< td rowspan = "2" > 在已知合法的输入的基础上,对该输入进行随机变种或者依据某种经验性的变种,从而产生不可预期的测试输入。< / td >
< td rowspan = "2" > 此类Fuzzer工具的输入数据, , , < / td >
< td colspan = "2" > 此类Fuzzer会实时的记录当前对于目标程序测试的覆盖程度, < / td >
< / tr >
< tr >
< td > PAP:路径编码的算法;后面会产生路径爆炸的问题< / td >
< td > 漏洞的爆发往往由于触发了非预期的分支< / td >
< / tr >
< tr >
< td > Taof, GPF, ProxyFuzz, Peach Fuzzer< / td >
< td > SPIKE, Sulley, Mu‐ < / td >
< td > < / td >
< td > AFL< / td >
< / tr >
< / table >
2019-07-01 09:28:12 +00:00
2019-07-01 11:52:45 +00:00
< hr >
2019-07-16 09:15:34 +00:00
< h1 id = "0x02-AFL快速入门" > < a href = "#0x02-AFL快速入门" class = "headerlink" title = "0x02 AFL快速入门" > < / a > 0x02 < a href = "http://lcamtuf.coredump.cx/afl/QuickStartGuide.txt" target = "_blank" rel = "noopener" > AFL快速入门< / a > < / h1 > < p > 1) < code > make< / code > 编译AFL。如果构建失败, < br > 2) , < strong > < em > 文件或标准输入< / em > < / strong > 中获取数据, , , , < br > 遇到故障时, , < code > docs/README< / code > 中的第11节。< br > 3) < br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > $ CC = /path/to/afl-gcc CXX =/path/to/afl-g++ ./configure --disable-shared< / span > < br > < span class = "line" > $ make clean all< / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
2021-01-08 08:35:03 +00:00
< p > 如果程序构建失败,请联系 < a href = "mailto:afl-users@googlegroups.com" target = "_blank" rel = "noopener" > a f l - u s e r s @ g o o g l e g r o u p s . c o m < / a > 。< br > 4) ( , ) , , < code > dictionaries/README.dictionaries< / code > 中所述。< br > 5) , < code > afl-fuzz< / code > ,如下所示:< br > < code > ./afl-fuzz -i testcase_dir -o findings_dir -- /path/to/tested/program [... program' s cmdline ...]< / code > < br > 如果程序从文件中获取输入,则可以在程序的命令行中输入@@; AFL会为您放置一个自动生成的文件名。< / p >
2019-07-09 09:11:34 +00:00
< p > < strong > 一些参考文档< / strong > < / p >
< blockquote >
< p > < a href = "http://lcamtuf.coredump.cx/afl/README.txt" target = "_blank" rel = "noopener" > docs/README< / a > - AFL的一般介绍, < br > < a href = "https://github.com/mirrorer/afl/blob/master/docs/perf_tips.txt" target = "_blank" rel = "noopener" > docs/perf_tips.txt< / a > - 关于如何快速模糊的简单提示,< br > < a href = "http://lcamtuf.coredump.cx/afl/status_screen.txt" target = "_blank" rel = "noopener" > docs/status_screen.txt< / a > - UI中显示的花絮的解释, < br > < a href = "https://github.com/mirrorer/afl/blob/master/docs/parallel_fuzzing.txt" target = "_blank" rel = "noopener" > docs/parallel_fuzzing.txt< / a > - 关于在多个核上运行AFL的建议< br > < a href = "http://lcamtuf.coredump.cx/afl/demo/" target = "_blank" rel = "noopener" > Generated test cases for common image formats< / a > - 生成图像文件测试用例的demo< br > < a href = "http://lcamtuf.coredump.cx/afl/technical_details.txt" target = "_blank" rel = "noopener" > Technical “whitepaper” for afl-fuzz< / a > - 技术白皮书< / p >
< / blockquote >
< p > < strong > 适用环境< / strong > < br > 该工具已确认适用于32位和64位的x86 Linux, , , , , , < / p >
< p > AFL的变体和衍生物允许您模糊Python, , , , , , , , , < a href = "https://github.com/google/oss-fuzz/" target = "_blank" rel = "noopener" > OSS-Fuzz< / a > 背后的模糊引擎之一。< / p >
< p > 哦 - 如果你安装了gnuplot, < / p >
< hr >
< h1 id = "0x03-AFL特点" > < a href = "#0x03-AFL特点" class = "headerlink" title = "0x03 AFL特点" > < / a > 0x03 < a href = "http://lcamtuf.coredump.cx/afl/" target = "_blank" rel = "noopener" > AFL特点< / a > < / h1 > < ol >
< li > < strong > 非常复杂< / strong > 。它是一种插桩器( ) , < a href = "http://lcamtuf.blogspot.com/2014/11/pulling-jpegs-out-of-thin-air.html" target = "_blank" rel = "noopener" > 合成复杂的文件语义< / a > ,减少了对专用的语法识别工具的需求。它还带有一个独特的< a href = "http://lcamtuf.blogspot.com/2014/11/afl-fuzz-crash-exploration-mode.html" target = "_blank" rel = "noopener" > 崩溃浏览器< / a > ,一个< a href = "https://groups.google.com/d/msg/afl-users/eWb2PgjLnUo/8AKqadYzSBoJ" target = "_blank" rel = "noopener" > 测试用例最小化器< / a > ,一个< a href = "https://groups.google.com/forum/#!topic/afl-users/RW4RF6x9aBc" target = "_blank" rel = "noopener" > 故障触发分配器< / a > 和一个< a href = "https://lcamtuf.blogspot.com/2016/02/say-hello-to-afl-analyze.html" target = "_blank" rel = "noopener" > 语法分析器< / a > - 使评估崩溃错误的影响变得简单。< / li >
< li > < strong > 智能< / strong > 。它围绕一系列经过< a href = "http://lcamtuf.blogspot.com/2014/08/binary-fuzzing-strategies-what-works.html" target = "_blank" rel = "noopener" > 精心研究< / a > ,高增益的测试用例预处理和模糊测试策略而构建,在其他模糊测试框架中很少采用与之相当的严格性。结果,它发现了真正的< a href = "http://lcamtuf.coredump.cx/afl/#bugs" target = "_blank" rel = "noopener" > 漏洞< / a > 。< / li >
< li > < strong > 它很快< / strong > 。由于其低级编译时间或仅二进制检测和< a href = "http://lcamtuf.blogspot.com/2014/10/fuzzing-binaries-without-execve.html" target = "_blank" rel = "noopener" > 其他优化< / a > ,该工具提供了针对常见现实世界目标的近原生或优于原生的模糊测试速度。新增的< a href = "http://lcamtuf.blogspot.com/2015/06/new-in-afl-persistent-mode.html" target = "_blank" rel = "noopener" > 持久模式< / a > 允许在最少的代码修改的帮助下,对许多程序进行异常快速的模糊测试。< / li >
< li > < strong > 可以链接到其他工具< / strong > 。模糊器可以生成优质,紧凑的测试语料库,可以作为更专业,更慢或劳动密集型流程和测试框架的种子。它还能够与任何其他软件进行即时语料库同步。< / li >
< / ol >
< hr >
< h1 id = "0x04-AFL-README" > < a href = "#0x04-AFL-README" class = "headerlink" title = "0x04 AFL README" > < / a > 0x04 < a href = "http://lcamtuf.coredump.cx/afl/README.txt" target = "_blank" rel = "noopener" > AFL README< / a > < / h1 > < blockquote >
2021-01-08 08:35:03 +00:00
< p > Written and maintained by Michal Zalewski < a href = "mailto:lcamtuf@google.com" target = "_blank" rel = "noopener" > l c a m t u f @ g o o g l e . c o m < / a > < / p >
2019-07-09 09:11:34 +00:00
< p > Copyright 2013, 2014, 2015, 2016 Google Inc. All rights reserved.< br > Released under terms and conditions of Apache License, Version 2.0.< / p >
< p > For new versions and additional information, check out:< br > < a href = "http://lcamtuf.coredump.cx/afl/" target = "_blank" rel = "noopener" > http://lcamtuf.coredump.cx/afl/< / a > < / p >
2021-01-08 08:35:03 +00:00
< p > To compare notes with other users or get notified about major new features,< br > send a mail to < a href = "mailto:afl-users+subscribe@googlegroups.com" target = "_blank" rel = "noopener" > a f l - u s e r s + s u b s c r i b e @ g o o g l e g r o u p s . c o m < / a > .< / p >
2019-07-09 09:11:34 +00:00
< p > < strong > See QuickStartGuide.txt if you don’ < / strong > < / p >
< / blockquote >
< h2 id = "1) > < a href = "#1) class = "headerlink" title = "1) > < / a > 1) < / h2 > < p > Fuzzing是用于识别真实软件中的安全问题的最强大且经过验证的策略之一;它负责安全关键软件中迄今为止发现的绝大多数远程代码执行和权限提升漏洞。< br > 不幸的是,模糊测试也不够有力。盲目的、随机的变异使得它不太可能在测试代码中达到某些代码路径,从而使一些漏洞超出了这种技术的范围。< br > 已经有许多尝试来解决这个问题。早期方法之一 - 由Tavis Ormandy开创 - 是一种 < strong > 语义库蒸馏( ) < / strong > 。网上找到的一些大型语料库中往往包含大量的文件,这时就需要对其精简,该方法依赖于覆盖信号从大量高质量的候选文件语料库中选择有趣种子的子集,然后通过传统方式对其进行模糊处理。该方法非常有效,但需要这样的语料库随时可用。正因为如此,< strong > 代码覆盖率< / strong > 也只是衡量程序执行状态的一个简单化的度量, < br > 其他更复杂的研究集中在诸如 < strong > 程序流分析( ) , < / strong > 等技术上。所有这些方法在实验环境中都非常有前景,但在实际应用中往往会遇到可靠性和性能问题 - 部分高价值的程序都有非常复杂的内部状态和执行路径, ( ) , < / p >
< h2 id = "2) > < a href = "#2) class = "headerlink" title = "2) > < / a > 2) < / h2 > < p > American Fuzzy Lop是一种暴力模糊测试, < strong > 引导遗传算法< / strong > 。它使用修改后的边覆盖率,轻松地获取程序控制流程的细微局部变化。< br > 简化一下,整体算法可以概括为:< / p >
2019-07-01 09:28:12 +00:00
< ul >
2019-07-09 09:11:34 +00:00
< li > 1) , < / li >
< li > 2) , < / li >
< li > 3) , < / li >
< li > 4) , < / li >
< li > 5) , < / li >
2019-07-09 09:27:51 +00:00
< li > 6) < / li >
2019-07-01 09:28:12 +00:00
< / ul >
2019-07-09 09:27:51 +00:00
< p > < img src = "https://image.3001.net/images/20181207/1544168163_5c0a22e3eedce.jpg" width = "60%" div align = "center/" > < / p >
< p > 发现的测试用例也会定期被淘汰, , ( ) < br > 作为模糊测试过程的一个副作用,该工具创建了一个小型,独立的有趣测试用例集。这些对于播种其他劳动力或资源密集型测试方案非常有用 - 例如,用于压力测试浏览器,办公应用程序,图形套件或闭源工具。< br > 该模糊器经过全面测试,可提供远远优于盲目模糊或仅覆盖工具的开箱即用性能。< / p >
2019-07-09 09:11:34 +00:00
< h2 id = "3) ( ) > < a href = "#3) ( ) class = "headerlink" title = "3) ( ) > < / a > 3) ( ) < / h2 > < p > 当源代码可用时,可以通过配套工具 < strong > 注入instrumentation< / strong > , < br > instrumentation具有相当适度的性能影响;与afl-fuzz实现的其他优化相结合, < / p >
2019-07-16 09:15:34 +00:00
< p > < strong > 重新编译目标程序< / strong > 的正确方法可能会有所不同,具体取决于构建过程的具体情况,但几乎通用的方法是:< br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > $ CC = /path/to/afl/afl-gcc ./configure< / span > < br > < span class = "line" > $ make clean all< / span > < br > < span class = "line" > 对于C ++程序, < / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
2019-07-09 09:11:34 +00:00
< p > clang组件( , < / p >
2019-07-16 09:15:34 +00:00
< p > 在测试库时, , , < strong > 将此可执行文件与已检测库的静态版本相链接< / strong > ,或者确保在运行时加载正确的.so文件( ) < strong > 静态构建< / strong > ,通常可以通过以下方式实现:< br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > $ CC = /path/to/afl/afl-gcc ./configure --disable-shared< / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
2019-07-09 09:11:34 +00:00
< p > 调用< code > make< / code > 时设置AFL_HARDEN = 1将导致CC组件自动启用代码强化选项, , ( ) < br > PS。建议ASAN用户查看notes_for_asan.txt文件以获取重要警告。< / p >
2019-07-16 09:15:34 +00:00
< h2 id = "4) > < a href = "#4) class = "headerlink" title = "4) > < / a > 4) < / h2 > < p > 当源代码为不可得时, < br > QEMU是一个独立于AFL的项目, : < br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > $ cd qemu_mode< / span > < br > < span class = "line" > $ ./build_qemu_support.sh< / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
2019-07-09 09:11:34 +00:00
< p > 有关其他说明和注意事项, < br > 该模式比编译时插桩( ) , , < / p >
< h2 id = "5) > < a href = "#5) class = "headerlink" title = "5) > < / a > 5) < / h2 > < p > 为了正确操作,模糊器需要一个或多个起始文件,其中包含目标应用程序通常所需的输入数据的良好示例。 有两个基本规则:< / p >
< blockquote >
< p > 测试用例足够小。 1 kB以下是理想的, , < / p >
< p > 只有在功能上彼此不同时才使用多个测试用例。 使用五十张不同的度假照片来模糊图像库是没有意义的。< br > 您可以在此工具附带的< code > testcases/子目录< / code > 中找到许多启动文件的好例子。< br > PS。 如果有大量数据可用于筛选,您可能希望使用< code > afl-cmin< / code > 实用程序来识别在目标二进制文件中使用不同代码路径的功能不同的文件的子集。< / p >
< / blockquote >
2019-07-16 09:15:34 +00:00
< h2 id = "6) > < a href = "#6) class = "headerlink" title = "6) > < / a > 6) < / h2 > < p > 测试过程本身由afl-fuzz实用程序执行。该程序需要一个带有初始测试用例的只读目录, , < br > 对于直接从 < strong > stdin< / strong > 接受输入的目标二进制文件,通常的语法是:< br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > $ ./afl-fuzz -i testcase_dir -o findings_dir /path/to/program [... params ...]< / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
< p > 对于从 < strong > 文件< / strong > 中获取输入的程序,使用“@@”标记目标命令行中应放置输入文件名的位置。模糊器将替换为您:< br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > $ ./afl-fuzz -i testcase_dir -o findings_dir /path/to/program @@< / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
2019-07-09 09:11:34 +00:00
< p > 您还可以使用-f选项将变异数据写入特定文件。如果程序需要特定的文件扩展名, < br > 非插桩二进制文件可以在QEMU模式下( ) ( ) < br > 您可以使用-t和-m覆盖已执行进程的默认超时和内存限制;< br > perf_tips.txt中讨论了优化模糊测试性能的技巧。< / p >
< p > 请注意, , , < / p >
< h2 id = "7) > < a href = "#7) class = "headerlink" title = "7) > < / a > 7) < / h2 > < p > 有关如何解释显示的统计信息以及监视进程运行状况的信息,请参阅< code > status_screen.txt< / code > 文件。请务必查阅此文件, < br > 模糊过程将持续到按< code > Ctrl-C< / code > 为止。至少,您希望允许模糊器完成一个队列周期,这可能需要几个小时到一周左右的时间。< br > 在输出目录中创建了三个子目录并实时更新:< / p >
< ul >
< li > 队列queue/ - 测试每个独特执行路径的案例, , , < / li >
< li > 崩溃crash/ - 导致被测程序接收致命信号的独特测试用例( , , , ) < / li >
< li > 挂起hang/ - 导致测试程序超时的独特测试用例。将某些内容归类为挂起之前的默认时间限制是1秒内的较大值和-t参数的值。可以通过设置AFL_HANG_TMOUT来微调该值, < / li >
< / ul >
2019-07-16 09:15:34 +00:00
< p > 崩溃和挂起的文件名与父、非错误的队列条目相关联。这应该有助于调试。< br > 如果无法重现 < strong > afl-fuzz< / strong > 发现的崩溃,最可能的原因是您没有设置与工具使用的内存限制相同的内存限制。尝试:< br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > $ LIMIT_MB = 50< / span > < br > < span class = "line" > $( < < 10]; /path/to/tested_binary ...) < / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
2019-07-09 09:11:34 +00:00
< p > 更改LIMIT_MB以匹配传递给afl-fuzz的-m参数。在OpenBSD上, < br > 尝试:< code > $ ./afl-fuzz -i-o_ existing_output_dir [...etc...]< / code > < br > 如果安装了gnuplot, , < a href = "http://lcamt target = "_blank" rel = "noopener" > http://lcamt < / a > 。< / p >
< h2 id = "8) > < a href = "#8) class = "headerlink" title = "8) > < / a > 8) < / h2 > < p > 每个afl-fuzz的实例大约占用一个核。 这意味着在多核系统上,并行化是充分利用硬件所必需的。< br > 有关如何在多个核心或多个联网计算机上模糊常见目标的提示,请参阅< code > parallel_fuzzing.txt< / code > 。< br > < strong > < em > 并行模糊测试模式< / em > < / strong > 还提供了一种简单的方法, , ( , ) < code > parallel_fuzzing.txt< / code > 的最后一节以获取提示。< / p >
< h2 id = "9) > < a href = "#9) class = "headerlink" title = "9) > < / a > 9) < / h2 > < p > 默认情况下, , , , , , < br > 为了避免构建语法感知工具的麻烦, , , , : < a href = "http://lcamt target = "_blank" rel = "noopener" > http://lcamt < / a > < br > 要使用此功能,首先需要使用< code > dictionaries/README.dictionaries< / code > 中讨论的两种格式之一创建字典;然后通过命令行中的-x选项将模糊器指向它。( ) < br > 没有办法提供基础语法的更多结构化描述, , : < br > < a href = "http://lcamt target = "_blank" rel = "noopener" > http://lcamt < / a > < br > PS。即使没有给出明确的字典, , < br > 如果字典真的很难找到, , , < code > libtokencap/README.tokencap< / code > 。< / p >
< h2 id = "10) > < a href = "#10) class = "headerlink" title = "10) > < / a > 10) < / h2 > < p > 基于coverage的崩溃分组通常会生成一个小型数据集, , < br > 话虽如此, , , , < br > 在此模式下,模糊器将一个或多个崩溃测试用例作为输入,并使用其反馈驱动的模糊测试策略,非常快速地枚举程序中可以达到的所有代码路径,同时使其保持在崩溃状态。< br > < strong > < em > 不会导致崩溃的变异会被拒绝;任何不影响执行路径的更改也是如此。< / em > < / strong > < br > 输出是一个小文件集,可以非常快速地检查以查看攻击者对错误地址的控制程度,或者是否有可能超过初始越界读取,并查看下面的内容。< / p >
< p > 哦,还有一件事:对于测试用例最小化,请尝试< code > afl-tmin< / code > 。该工具可以以非常简单的方式操作:< br > < code > $ ./afl-tmin -i test_case -o minimize_result - /path/to/program [...]< / code > < / p >
< p > 该工具适用于崩溃和非崩溃的测试用例。在崩溃模式下,它将很乐意接受 instrumented 和 non-instrumented 的二进制文件。在非崩溃模式下, , , , , < / p >
< p > AFL的另一个新成员是afl-analyze工具。需要输入文件, , , , < code > technical_details.txt< / code > 的末尾找到。< / p >
< h2 id = "11) > < a href = "#11) class = "headerlink" title = "11) > < / a > 11) < / h2 > < p > 模糊测试是一种很好的, , < / p >
< ul >
< li > 当给出相同的模糊输入时, , < / li >
< li > 当要求连续多次解码相同的输入图像时,图像库会产生不同的输出,< / li >
< li > 在对模糊提供的数据进行迭代序列化和反序列化时,序列化/反序列化库无法生成稳定的输出,< / li >
< li > 当要求压缩然后解压缩特定blob时, ( ) ( ) < / li >
< / ul >
< h2 id = "12) > < a href = "#12) class = "headerlink" title = "12) > < / a > 12) < / h2 > < p > 请记住,与许多其他计算密集型任务类似,模糊测试可能会给您的硬件和操作系统带来压力。特别是:< / p >
< ul >
< li > 你的CPU会很热, , , , ( , ) , < / li >
< li > 有针对性的程序可能最终不正常地抓取千兆字节的内存或用垃圾文件填满磁盘空间。 AFL试图强制执行基本的内存限制, , < / li >
< li > 模糊测试涉及数十亿次对文件系统的读写操作。在现代系统中, , , ’ ’ : < code > $ iostat -d 3 -x -k [...可选磁盘ID ...]< / code > < / li >
< / ul >
< h2 id = "13) > < a href = "#13) class = "headerlink" title = "13) > < / a > < strong > 13) < / strong > < / h2 > < p > 以下是AFL的一些最重要的警告: < / p >
< ul >
< li > AFL通过检查由于信号( , ) , , < / li >
< li > 与任何其他强力工具一样, , , , , ( , , < / li >
< li > ASAN和64位二进制文 < / li >
< li > 没有直接支持模糊网络服务, , < a href = "https://github.com/zardus/preeny" target = "_blank" rel = "noopener" > https://github.com/zardus/preeny< / a > < br > 有关修改基于网络的服务的一些有用提示也可以在以下位置找到:< br > < a href = "https://www.fastly.com/blog/how-to-fuzz-server-american-fuzzy-lop" target = "_blank" rel = "noopener" > https://www.fastly.com/blog/how-to-fuzz-server-american-fuzzy-lop< / a > < / li >
< li > AFL不输出人类可读的覆盖数据。如果你想监控覆盖, : : < / li >
< li > 偶尔,敏感的机器会对抗他们的创造者。如果您遇到这种情况,请访问< a href = "http://lcamt target = "_blank" rel = "noopener" > http://lcamt < / a > < / li >
< / ul >
< hr >
< h1 id = "0x05-afl-fuzz白皮书" > < a href = "#0x05-afl-fuzz白皮书" class = "headerlink" title = "0x05 afl-fuzz白皮书" > < / a > 0x05 < a href = "http://lcamtuf.coredump.cx/afl/technical_details.txt" target = "_blank" rel = "noopener" > afl-fuzz白皮书< / a > < / h1 > < p > 本文档提供了American Fuzzy Lop的简单的概述。想了解一般的使用说明, < code > README< / code > 。想了解AFL背后的动机和设计目标, < a href = "http://lcamtuf.coredump.cx/afl/historical_notes.txt" target = "_blank" rel = "noopener" > historical_notes.txt< / a > 。< / p >
< h2 id = "0) > < a href = "#0) class = "headerlink" title = "0) > < / a > 0) < / h2 > < p > American Fuzzy Lop 不关注任何单一的操作规则(singular principle of operation),也不是一个针对任何特定理论的概念验证(proof of concept)。这个工具可以被认为是一系列在实践中测试过的hacks行为, < br > 唯一的设计宗旨在于速度、可靠性和易用性。< / p >
< h2 id = "1) > < a href = "#1) class = "headerlink" title = "1) > < / a > 1) < / h2 > < p > 在编译过的程序中插桩能够捕获分支(边缘)的覆盖率,并且还能检测到粗略的分支执行命中次数(branch-taken hit counts)。在分支点注入的代码大致如下:< / p >
2019-07-16 09:15:34 +00:00
< figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > cur_location = < COMPILE_TIME_RANDOM> ; //用一个随机数标记当前基本块< / span > < br > < span class = "line" > shared_mem[cur_location ^ prev_location]++; //将当前块和前一块异或保存到shared_mem[]< / span > < br > < span class = "line" > prev_location = cur_location > > 1; //cur_location右移1位区分从当前块到当前块的转跳< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
2019-07-09 09:11:34 +00:00
< p > cur_location 的值是随机产生的, < br > shared_mem[] 数组是一个调用者 (caller) 传给被插桩的二进制程序的64kB的共享空间。其中的每一字节可以理解成对于插桩代码中特别的元组(branch_src, branch_dst)的一次命中( ) < br > 选择这个数组大小的原因是让冲突(collisions)尽可能减少。这样通常能处理2k到10k的分支点。同时, < / p >
< table >
< thead >
< tr >
< th > Branch cnt< / th >
< th > Colliding tuples< / th >
< th > Example targets< / th >
< / tr >
< / thead >
< tbody >
< tr >
< td > 1,000< / td >
< td > 0.75%< / td >
< td > giflib, lzo< / td >
< / tr >
< tr >
< td > 2,000< / td >
< td > 1.5%< / td >
< td > zlib, tar, xz< / td >
< / tr >
< tr >
< td > 5,000< / td >
< td > 3.5%< / td >
< td > libpng, libwebp< / td >
< / tr >
< tr >
< td > 10,000< / td >
< td > 7%< / td >
< td > libxml< / td >
< / tr >
< tr >
< td > 20,000< / td >
< td > 14%< / td >
< td > sqlite< / td >
< / tr >
< tr >
< td > 50,000< / td >
< td > 30%< / td >
< td > -< / td >
< / tr >
< / tbody >
< / table >
< p > 这种形式的覆盖率,相对于简单的基本块覆盖率来说,对程序运行路径提供了一个更好的描述(insight)。特别地,它能很好地区分以下两个执行路径:< / p >
< blockquote >
< p > A -> B -> C -> D -> E (tuples: AB, BC, CD, DE)< br > A -> B -> D -> C -> E (tuples: AB, BD, DC, CE)< / p >
< / blockquote >
< p > 这有助于发现底层代码的微小错误条件。因为 < strong > 安全漏洞通常是一些非预期(或不正确)的语句转移(一个tuple就是一个语句转移)< / strong > ,而不是没覆盖到某块代码。< br > 上边伪代码的最后一行移位操作是为了让tuple具有定向性(没有这一行的话, , , < / p >
2019-07-16 09:15:34 +00:00
< h2 id = "2) > < a href = "#2) class = "headerlink" title = "2) > < / a > 2) < / h2 > < p > AFL的fuzzers使用一个< strong > 全局Map< / strong > 来存储之前执行时看到的tuple。这些数据可以被用来对不同的trace进行快速对比, < br > 当一个变异的输入产生了一个包含新tuple的执行路径时, , , , < br > 这种算法考虑了一个非常细粒度的、长期的对程序状态的探索,同时它还不必执行复杂的计算,不必对整个复杂的执行流进行对比,也避免了路径爆炸的影响。< br > 为了说明这个算法是怎么工作的, , < br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > #1: A -> B -> C -> D -> E< / span > < br > < span class = "line" > #2: A -> B -> C -> A -> E< / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
2019-07-09 09:11:34 +00:00
< p > 因为#2的原因, , : < br > < code > #3: A -> B -> C -> A -> B -> C -> A -> B -> C -> D -> E< / code > < / p >
< p > 除了检测新的tuple之外, < strong > 命中数(hit counts)< / strong > 。这些被分割成几个buckets: < / p >
< p > 从某种意义来说, : , < br > 单个bucket的改变会被忽略掉: 在程序控制流中, , < br > 通过命中次数(hit count),我们能够分辨控制流是否发生变化。例如一个代码块被执行了两次,但只命中了一次。并且这种方法对循环的次数不敏感(循环47次和48次没区别)。< br > 这种算法通过限制内存和运行时间来保证效率。< / p >
< p > 另外, , < / p >
2019-07-09 09:27:51 +00:00
< h2 id = "3) > < a href = "#3) class = "headerlink" title = "3) > < / a > 3) < / h2 > < p > 经变异的测试用例,会使程序产生 < strong > < em > 新的状态转移< / em > < / strong > 。这些测试用例稍后被添加到 input 队列中,用作下一个 fuzz 循环。它们补充但不替换现有的发现。< br > 这种算法允许工具可以持续探索不同的代码路径,即使底层的数据格式可能是完全不同的。如下图:< br > < img src = "http://lcamtuf.coredump.cx/afl/afl_gzip.png" width = "60%" div align = "center/" > < / p >
2019-07-09 09:11:34 +00:00
< p > 这里有一些这种算法在实际情况下例子:< / p >
< p > < a href = "https://lcamtuf.blogspot.com/2014/11/pulling-jpegs-out-of-thin-air.html" target = "_blank" rel = "noopener" > pulling-jpegs-out-of-thin-air< / a > < / p >
< p > < a href = "http://lcamtuf.blogspot.com/2014/11/afl-fuzz-nobody-expects-cdata-sections.html" target = "_blank" rel = "noopener" > afl-fuzz-nobody-expects-cdata-sections< / a > < / p >
< p > 这种过程下产生的语料库基本上是这些输入文件的集合:它们都能触发一些新的执行路径。产生的语料库,可以被用来作为其他测试的种子。< br > 使用这种方法, , < br > 下表比较了不同 fuzzing 方法在发现文件句法(file syntax)和探索程序执行路径的能力。插桩的目标程序是 < code > GNU patch 2.7.3 compiled with -O3 and seeded with a dummy text file:< / code > < / p >
< table >
< thead >
< tr >
< th > Fuzzer guidance strategy used< / th >
< th > Blocks reached< / th >
< th > Edges reached< / th >
< th > Edge hit cnt var< / th >
< th > Highest-coverage test case generated< / th >
< / tr >
< / thead >
< tbody >
< tr >
< td > (Initial file)< / td >
< td > 156< / td >
< td > 163< / td >
< td > 1.00< / td >
< td > (none)< / td >
< / tr >
< tr >
< td > Blind fuzzing S< / td >
< td > 182< / td >
< td > 205< / td >
< td > 2.23< / td >
< td > First 2 B of RCS diff< / td >
< / tr >
< tr >
< td > Blind fuzzing L< / td >
< td > 228< / td >
< td > 265< / td >
< td > 2.23< / td >
< td > First 4 B of -c mode diff< / td >
< / tr >
< tr >
< td > Block coverage< / td >
< td > 855< / td >
< td > 1,130< / td >
< td > 1.57< / td >
< td > Almost-valid RCS diff< / td >
< / tr >
< tr >
< td > Edge coverage< / td >
< td > 1,452< / td >
< td > 2,070< / td >
< td > 2.18< / td >
< td > One-chunk -c mode diff< / td >
< / tr >
< tr >
< td > AFL model< / td >
< td > 1,765< / td >
< td > 2,597< / td >
< td > 4.99< / td >
< td > Four-chunk -c mode diff< / td >
< / tr >
< / tbody >
< / table >
< p > 第一行的blind fuzzing (“S”)代表仅仅执行了一个回合的测试。< br > 第二行的Blind fuzzing L表示在一个循环中执行了几个回合的测试, , < / p >
< p > 在另一个独立的实验中也取得了大致相似的结果。在新实验中, ( ) , ( ) < / p >
< table >
< thead >
< tr >
< th > Queue extension strategy used< / th >
< th > Blocks reached< / th >
< th > Edges reached< / th >
< th > Edge hit cnt var< / th >
< th > Number of unique crashes found< / th >
< / tr >
< / thead >
< tbody >
< tr >
< td > (Initial file)< / td >
< td > 624< / td >
< td > 717< / td >
< td > 1.00< / td >
< td > -< / td >
< / tr >
< tr >
< td > Blind fuzzing< / td >
< td > 1,101< / td >
< td > 1,409< / td >
< td > 1.60< / td >
< td > 0< / td >
< / tr >
< tr >
< td > Block coverage< / td >
< td > 1,255< / td >
< td > 1,649< / td >
< td > 1.48< / td >
< td > 0< / td >
< / tr >
< tr >
< td > Edge coverage< / td >
< td > 1,259< / td >
< td > 1,734< / td >
< td > 1.72< / td >
< td > 0< / td >
< / tr >
< tr >
< td > AFL model< / td >
< td > 1,452< / td >
< td > 2,040< / td >
< td > 3.16< / td >
< td > 1< / td >
< / tr >
< / tbody >
< / table >
< p > 在之前提到的基于遗传算法的fuzzing, < / p >
< h2 id = "4) ( ) > < a href = "#4) ( ) class = "headerlink" title = "4) ( ) > < / a > 4) ( ) < / h2 > < p > 上文提到的渐进式语句探索路径的方法意味着: , < br > 为了优化fuzzing, < strong > 周期性的重新评估< / strong > (re-evaluates)队列, , < br > 算法通过指定每一个队列入口(queue entry), ( ) ( ) < strong > 最低分值的entry< / strong > 。< br > 这些tuples按下述流程进行处理: < / p >
2019-07-16 09:15:34 +00:00
< figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > 1) Find next tuple not yet in the temporary working set,< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > 2) Locate the winning queue entry for this tuple,< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > 3) Register *all* tuples present in that entry' s trace in the working set,< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > 4) Go to #1 if there are any missing tuples in the set.< / span > < br > < / pre > < / td > < / tr > < / table > < / figure >
< p > “favored” entries 产生的语料, , , : < br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < span class = "line" > 8< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > - If there are new, yet-to-be-fuzzed favorites present in the queue,< / span > < br > < span class = "line" > 99% of non-favored entries will be skipped to get to the favored ones.< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > - If there are no new favorites:< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > - If the current non-favored entry was fuzzed before, it will be skipped 95% of the time.< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > - If it hasn' t gone through any fuzzing rounds yet, the odds of skipping drop down to 75%.< / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
2019-07-09 09:11:34 +00:00
< p > 基于以往的实验经验,这种方法能够在队列周期速度(queue cycling speed)和测试用例多样性(test case diversity)之间达到一个合理的平衡。< br > 使用< strong > afl-cmin工具< / strong > 能够对输入或输出的语料库进行稍微复杂但慢得多的的处理。这一工具将永久丢弃冗余entries, < / p >
< h2 id = "5) ( ) > < a href = "#5) ( ) class = "headerlink" title = "5) ( ) > < / a > 5) ( ) < / h2 > < p > 文件的大小对fuzzing的性能有着重大影响(dramatic impact)。因为大文件会让目标二进制文件运行变慢;大文件还会减少变异触及重要格式控制结构(format control structures)的可能性(< strong > 我们希望的是变异要触及冗余代码块(redundant data blocks)< / strong > )。这个问题将在< a href = "https://github.com/mirrorer/afl/blob/master/docs/perf_tips.txt" target = "_blank" rel = "noopener" > perf_tips.txt< / a > 细说。< br > 用户可能提供低质量初始语料(starting corpus),某些类型的变异会迭代地增加生成文件的大小。所以要抑制这种趋势(counter this trend)。< br > 幸运的是,< strong > 插桩反馈(instrumentation feedback)< / strong > 提供了一种简单的方式自动削减( ) , < br > afl-fuzz内置的修剪器(trimmer)使用变化的长度和步距(variable length and stepover)来连续地(sequentially)删除数据块; < br > 这个修剪器的设计并不算特别地周密(thorough),相反地,它试着在精确度(precision)和进程调用execve()的次数之间选取一个平衡, < br > 独立的< strong > afl-tmin工具< / strong > 使用更完整(exhaustive)、迭代次数更多(iteractive)的算法,并尝试对被修剪的文件采用字母标准化的方式处理。< / p >
2019-07-16 09:15:34 +00:00
< h2 id = "6-模糊测试策略-Fuzzing-strategies" > < a href = "#6-模糊测试策略-Fuzzing-strategies" class = "headerlink" title = "6) 模糊测试策略(Fuzzing strategies)" > < / a > 6) 模糊测试策略(Fuzzing strategies)< / h2 > < p > 插桩提供的反馈(feedback)使得我们更容易理解各种不同fuzzing策略的价值, ( ) , : < br > < a href = "http://lcamtuf.blogspot.com/2014/08/binary-fuzzing-strategies-what-works.html" target = "_blank" rel = "noopener" > binary-fuzzing-strategies-what-works< / a > < br > 值得注意的一点是, < strong > 确定性的策略< / strong > 包括:< br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > - Sequential bit flips with varying lengths and stepovers,使用变化的长度和步距来连续进行位反转< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > - Sequential addition and subtraction of small integers,对小的整型数来连续进行加法和减法< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > - Sequential insertion of known interesting integers (0, 1, INT_MAX, etc),对已知的感兴趣的整型数连续地插入< / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
2019-07-09 09:11:34 +00:00
< p > 使用这些确定步骤的目的在于,生成紧凑的(compact)测试用例, , < br > < strong > 非确定性(non-deterministic)策略< / strong > 的步骤包括: < / p >
< p > 由于在< a href = "http://lcamtuf.coredump.cx/afl/historical_notes.txt" target = "_blank" rel = "noopener" > historical_notes.txt< / a > 中提到的原因(性能、简易性、可靠性), < / p >
< p > fuzzing的步骤名义上来说是盲目的(nominally blind),只被输入队列的进化方式的设计所影响(< strong > 见第三部分< / strong > )。< / p >
< p > 这意味着,这条规则有一个例外:< br > 当一个新的队列条目, , , < br > 尤其是对那些冗长的数据格式, , , , < / p >
< h2 id = "7-字典-Dictionaries" > < a href = "#7-字典-Dictionaries" class = "headerlink" title = "7) 字典(Dictionaries)" > < / a > 7) 字典(Dictionaries)< / h2 > < p > 插桩提供的反馈能够让它自动地识别出一些输入文件中的语法(syntax)符号(tokens),并且能够为测试器(tested parser)检测到一些组合,这些组合是由预定义(predefined)的或自动检测到的(auto-detected)字典项(dictionary terms)构成的合法语法(valid grammar)。< br > 关于这些特点在afl-fuzz是如何实现的, : < br > < a href = "http://lcamtuf.blogspot.com/2015/01/afl-fuzz-making-up-grammar-with.html" target = "_blank" rel = "noopener" > afl-fuzz-making-up-grammar-with< / a > < br > 大体上,当基本的(basic, typically easily-obtained)句法(syntax)符号(tokens)以纯粹随机的方式组合在一起时,< strong > 插桩< / strong > 和< strong > 队列进化< / strong > 这两种方法共同提供了一种反馈机制,这种反馈机制能够区分无意义的变异和在插桩代码中触发新行为的变异。这样能增量地构建更复杂的句法(syntax)。< br > 这样构建的字典能够让fuzzer快速地重构非常详细(highly verbose)且复杂的(complex)语法, < br > 有趣的是, < / p >
< h2 id = "8-崩溃去重( ) > < a href = "#8-崩溃去重( ) class = "headerlink" title = "8) 崩溃去重( ) > < / a > 8) 崩溃去重( ) < / h2 > < p > 崩溃去重是fuzzing工具里很重要的问题之一。很多naive的解决方式都会有这样的问题: < / p >
2019-07-16 09:15:34 +00:00
< p > afl-fuzz的解决方案认为满足一下两个条件, : < br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > - The crash trace includes a tuple not seen in any of the previous crashes,这个crash的路径包括一个之前crash从未见到过的tuple。< / span > < br > < span class = "line" > - The crash trace is missing a tuple that was always present in earlier faults.这个crash的路径不包含一个总在之前crash中出现的tuple。< / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
2019-07-09 09:11:34 +00:00
< p > 这种方式一开始容易受到count inflation的影响, , < strong > 崩溃去重< / strong > 的方式是afl-fuzz的基石(cornerstone)。< / p >
< h2 id = "9-崩溃调查-Investigating-crashes" > < a href = "#9-崩溃调查-Investigating-crashes" class = "headerlink" title = "9) 崩溃调查(Investigating crashes)" > < / a > 9) 崩溃调查(Investigating crashes)< / h2 > < p > 不同的crash的可用性(exploitability)是不同的。afl-fuzz提供一个crash的探索模式(exploration mode)来解决这个问题。< br > 对一个已知的出错测试用例, , < br > 这种方法的意义在以下链接中会进一步讨论:< br > < a href = "http://lcamtuf.blogspot.com/2014/11/afl-fuzz-crash-exploration-mode.html" target = "_blank" rel = "noopener" > afl-fuzz-crash-exploration-mode< / a > < br > 这种方法利用< strong > instrumentation的反馈< / strong > , , , < br > 对于crashes来说, , , ( ) , , < br > 这就是说afl-tmin可以被用来随意缩减它们。< / p >
< h2 id = "10-The-fork-server" > < a href = "#10-The-fork-server" class = "headerlink" title = "10) The fork server" > < / a > 10) The fork server< / h2 > < p > 为了提升性能, , : < br > < a href = "http://lcamtuf.blogspot.com/2014/10/fuzzing-binaries-without-execve.html" target = "_blank" rel = "noopener" > fuzzing-binaries-without-execve< / a > < br > fork server被集成在了instrumentation的程序下, , < br > 对于需要快速发包的测试, < / p >
< h2 id = "11-并行机制" > < a href = "#11-并行机制" class = "headerlink" title = "11) 并行机制" > < / a > 11) 并行机制< / h2 > < p > 实现并行的机制是, , < br > 详见: parallel_fuzzing.txt.< / p >
2019-07-16 09:15:34 +00:00
< h2 id = "12) > < a href = "#12) class = "headerlink" title = "12) > < / a > 12) < / h2 > < p > AFL-Fuzz对二进制黑盒目标程序的instrumentation是通过< strong > QEMU< / strong > 的“user emulation”模式实现的。< br > 这样我们就可以允许跨架构的运行, < br > QEMU使用basic blocks作为翻译单元, , < strong > guided fuzz< / strong > 的模型。< br > < figure class = "highlight plain" > < table > < tr > < td class = "gutter" > < pre > < span class = "line" > 1< / span > < br > < span class = "line" > 2< / span > < br > < span class = "line" > 3< / span > < br > < span class = "line" > 4< / span > < br > < span class = "line" > 5< / span > < br > < span class = "line" > 6< / span > < br > < span class = "line" > 7< / span > < br > < / pre > < / td > < td class = "code" > < pre > < span class = "line" > if (block_address > elf_text_start & & block_address < elf_text_end) { < / span > < br > < span class = "line" > < / span > < br > < span class = "line" > cur_location = (block_address > > 4) ^ (block_address < < 8);< / span > < br > < span class = "line" > shared_mem[cur_location ^ prev_location]++;< / span > < br > < span class = "line" > prev_location = cur_location > > 1;< / span > < br > < span class = "line" > < / span > < br > < span class = "line" > } < / span > < br > < / pre > < / td > < / tr > < / table > < / figure > < / p >
2019-07-09 09:11:34 +00:00
< p > 像QEMU, DynamoRIO, and PIN这样的二进制翻译器, , , , < br > 当然第一次翻译一个新的basic block还是有必要的延迟, , , , , , < / p >
2019-07-01 09:28:12 +00:00
< h2 id = "13) > < a href = "#13) class = "headerlink" title = "13) > < / a > 13) < / h2 > < p > 文件格式分析器是最小化算法的简单扩展< br > 前面讨论过; 该工具执行一系列步行字节翻转,然后在输入文件中注释字节运行,而不是尝试删除无操作块。< / p >
< / div >
< div >
< div style = "padding: 10px 0; margin: 20px auto; width: 90%; text-align: center;" >
< div > 您的支持将鼓励我继续创作!< / div >
< button id = "rewardButton" disable = "enable" onclick = "var qr = document.getElementById('QR'); if (qr.style.display === 'none') {qr.style.display='block';} else {qr.style.display='none'}" >
< span > 打赏< / span >
< / button >
< div id = "QR" style = "display: none;" >
< div id = "wechat" style = "display: inline-block" >
< img id = "wechat_qr" src = "/images/Wechatpay.png" alt = "Cool-Y 微信支付" >
< p > 微信支付< / p >
< / div >
< div id = "alipay" style = "display: inline-block" >
< img id = "alipay_qr" src = "/images/Alipay.png" alt = "Cool-Y 支付宝" >
< p > 支付宝< / p >
< / div >
< / div >
< / div >
< / div >
< footer class = "post-footer" >
2019-07-01 11:52:45 +00:00
< div class = "post-tags" >
< a href = "/tags/AFL/" rel = "tag" > # AFL< / a >
< a href = "/tags/模糊测试/" rel = "tag" > # 模糊测试< / a >
< / div >
2019-07-01 09:28:12 +00:00
< div class = "post-nav" >
< div class = "post-nav-next post-nav-item" >
2019-07-09 06:49:56 +00:00
< a href = "/2019/05/14/pack-and-unpack/" rel = "next" title = "加壳与脱壳" >
< i class = "fa fa-chevron-left" > < / i > 加壳与脱壳
2019-07-01 09:28:12 +00:00
< / a >
< / div >
< span class = "post-nav-divider" > < / span >
< div class = "post-nav-prev post-nav-item" >
2019-07-09 08:59:11 +00:00
< a href = "/2019/07/09/afl-first-try/" rel = "prev" title = "AFL-爱之初体验" >
AFL-爱之初体验 < i class = "fa fa-chevron-right" > < / i >
2019-07-09 06:49:56 +00:00
< / a >
2019-07-01 09:28:12 +00:00
< / div >
< / div >
< / footer >
< / div >
< / article >
< div class = "post-spread" >
< / div >
< / div >
< / div >
< div class = "comments" id = "comments" >
< div id = "gitment-container" > < / div >
< / div >
< / div >
< div class = "sidebar-toggle" >
< div class = "sidebar-toggle-line-wrap" >
< span class = "sidebar-toggle-line sidebar-toggle-line-first" > < / span >
< span class = "sidebar-toggle-line sidebar-toggle-line-middle" > < / span >
< span class = "sidebar-toggle-line sidebar-toggle-line-last" > < / span >
< / div >
< / div >
< aside id = "sidebar" class = "sidebar" >
< div class = "sidebar-inner" >
< ul class = "sidebar-nav motion-element" >
< li class = "sidebar-nav-toc sidebar-nav-active" data-target = "post-toc-wrap" >
文章目录
< / li >
< li class = "sidebar-nav-overview" data-target = "site-overview-wrap" >
站点概览
< / li >
< / ul >
< section class = "site-overview-wrap sidebar-panel" >
< div class = "site-overview" >
< div class = "site-author motion-element" itemprop = "author" itemscope itemtype = "http://schema.org/Person" >
< img class = "site-author-image" itemprop = "image" src = "/images/avatar.png" alt = "Cool-Y" >
< p class = "site-author-name" itemprop = "name" > Cool-Y< / p >
2019-07-24 03:51:42 +00:00
< p class = "site-description motion-element" itemprop = "description" > 没人比我更懂中医#MAGA< / p >
2019-07-01 09:28:12 +00:00
< / div >
< nav class = "site-state motion-element" >
< div class = "site-state-item site-state-posts" >
< a href = "/archives/" >
2021-01-08 08:35:03 +00:00
< span class = "site-state-item-count" > 28< / span >
2019-07-01 09:28:12 +00:00
< span class = "site-state-item-name" > 日志< / span >
< / a >
< / div >
< div class = "site-state-item site-state-categories" >
< a href = "/categories/index.html" >
2019-10-15 11:24:26 +00:00
< span class = "site-state-item-count" > 7< / span >
2019-07-01 09:28:12 +00:00
< span class = "site-state-item-name" > 分类< / span >
< / a >
< / div >
< div class = "site-state-item site-state-tags" >
< a href = "/tags/index.html" >
2021-01-08 08:35:03 +00:00
< span class = "site-state-item-count" > 52< / span >
2019-07-01 09:28:12 +00:00
< span class = "site-state-item-name" > 标签< / span >
< / a >
< / div >
< / nav >
< div class = "links-of-author motion-element" >
< span class = "links-of-author-item" >
< a href = "https://github.com/Cool-Y" target = "_blank" title = "GitHub" >
< i class = "fa fa-fw fa-github" > < / i > GitHub< / a >
< / span >
< span class = "links-of-author-item" >
< a href = "mailto:cool.yim@whu.edu.cn" target = "_blank" title = "E-Mail" >
< i class = "fa fa-fw fa-envelope" > < / i > E-Mail< / a >
< / span >
< span class = "links-of-author-item" >
< a href = "https://www.instagram.com/yan__han/" target = "_blank" title = "Instagram" >
< i class = "fa fa-fw fa-instagram" > < / i > Instagram< / a >
< / span >
< / div >
2019-10-01 12:45:37 +00:00
< div id = "music163player" >
< iframe frameborder = "no" border = "0" marginwidth = "0" marginheight = "0" width = "330" height = "450" src = "//music.163.com/outchain/player?type=4&id=334277093&auto=1&height=430" > < / iframe >
< / div >
2019-07-01 09:28:12 +00:00
< / div >
< / section >
<!-- noindex -->
< section class = "post-toc-wrap motion-element sidebar-panel sidebar-panel-active" >
< div class = "post-toc" >
2019-07-09 09:11:34 +00:00
< div class = "post-toc-content" > < ol class = "nav" > < li class = "nav-item nav-level-1" > < a class = "nav-link" href = "#0x01-模糊测试" > < span class = "nav-text" > 0x01 模糊测试< / span > < / a > < / li > < li class = "nav-item nav-level-1" > < a class = "nav-link" href = "#0x02-AFL快速入门" > < span class = "nav-text" > 0x02 AFL快速入门< / span > < / a > < / li > < li class = "nav-item nav-level-1" > < a class = "nav-link" href = "#0x03-AFL特点" > < span class = "nav-text" > 0x03 AFL特点< / span > < / a > < / li > < li class = "nav-item nav-level-1" > < a class = "nav-link" href = "#0x04-AFL-README" > < span class = "nav-text" > 0x04 AFL README< / span > < / a > < ol class = "nav-child" > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#1) > < span class = "nav-text" > 1) < / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#2) > < span class = "nav-text" > 2) < / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#3) ( ) > < span class = "nav-text" > 3) ( ) < / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#4) > < span class = "nav-text" > 4) < / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#5) > < span class = "nav-text" > 5) < / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#6) > < span class = "nav-text" > 6) < / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#7) > < span class = "nav-text" > 7) < / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#8) > < span class = "nav-text" > 8) < / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#9) > < span class = "nav-text" > 9) < / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#10) > < span class = "nav-text" > 10) < / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#11) > < span class = "nav-text" > 11) < / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#12) > < span class = "nav-text" > 12) < / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#13) > < span class = "nav-text" > 13) < / span > < / a > < / li > < / ol > < / li > < li class = "nav-item nav-level-1" > < a class = "nav-link" href = "#0x05-afl-fuzz白皮书" > < span class = "nav-text" > 0x05 afl-fuzz白皮书< / span > < / a > < ol class = "nav-child" > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#0) > < span class = "nav-text" > 0) < / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#1) > < span class = "nav-text" > 1) < / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#2) > < span class = "nav-text" > 2) < / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#3) > < span class = "nav-text" > 3) < / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#4) ( ) > < span class = "nav-text" > 4) ( ) < / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#5) ( ) > < span class = "nav-text" > 5) ( ) < / span > < / a > < / li > < li class = "nav-item nav-level-2" > < a class = "nav-link" href = "#6-模糊测试策略-Fuzzing-strategies" > < span class = "nav-text" > 6) 模糊测试策略(Fuzzing strategies)< /
2019-07-01 09:28:12 +00:00
< / div >
< / section >
<!-- /noindex -->
< / div >
< / aside >
< / div >
< / main >
< footer id = "footer" class = "footer" >
< div class = "footer-inner" >
2021-01-08 04:26:24 +00:00
< div class = "copyright" > © 2019 — < span itemprop = "copyrightYear" > 2021< / span >
2019-07-01 09:28:12 +00:00
< span class = "with-love" >
< i class = "fa fa-user" > < / i >
< / span >
< span class = "author" itemprop = "copyrightHolder" > Cool-Y< / span >
< span class = "post-meta-divider" > |< / span >
< span class = "post-meta-item-icon" >
< i class = "fa fa-area-chart" > < / i >
< / span >
2021-01-08 08:35:03 +00:00
< span title = "Site words total count" > 100.2k< / span >
2019-07-01 09:28:12 +00:00
< / div >
< div class = "powered-by" > 由 < a class = "theme-link" target = "_blank" href = "https://hexo.io" > Hexo< / a > 强力驱动< / div >
< div class = "busuanzi-count" >
< script async src = "//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js" > < / script >
< span class = "site-uv" >
< i class = "fa fa-user" > < / i >
< span class = "busuanzi-value" id = "busuanzi_value_site_uv" > < / span >
< / span >
< span class = "site-pv" >
< i class = "fa fa-eye" > < / i >
< span class = "busuanzi-value" id = "busuanzi_value_site_pv" > < / span >
< / span >
< / div >
< / div >
< / footer >
< div class = "back-to-top" >
< i class = "fa fa-arrow-up" > < / i >
< / div >
< / div >
< script type = "text/javascript" >
if (Object.prototype.toString.call(window.Promise) !== '[object Function]') {
window.Promise = null;
}
< / script >
< script type = "text/javascript" src = "/lib/jquery/index.js?v=2.1.3" > < / script >
< script type = "text/javascript" src = "/lib/fastclick/lib/fastclick.min.js?v=1.0.6" > < / script >
< script type = "text/javascript" src = "/lib/jquery_lazyload/jquery.lazyload.js?v=1.9.7" > < / script >
< script type = "text/javascript" src = "/lib/velocity/velocity.min.js?v=1.2.1" > < / script >
< script type = "text/javascript" src = "/lib/velocity/velocity.ui.min.js?v=1.2.1" > < / script >
< script type = "text/javascript" src = "/lib/fancybox/source/jquery.fancybox.pack.js?v=2.1.5" > < / script >
< script type = "text/javascript" src = "/js/src/utils.js?v=5.1.4" > < / script >
< script type = "text/javascript" src = "/js/src/motion.js?v=5.1.4" > < / script >
2019-08-09 03:54:43 +00:00
< script type = "text/javascript" src = "/js/src/affix.js?v=5.1.4" > < / script >
< script type = "text/javascript" src = "/js/src/schemes/pisces.js?v=5.1.4" > < / script >
2019-07-01 09:28:12 +00:00
< script type = "text/javascript" src = "/js/src/scrollspy.js?v=5.1.4" > < / script >
< script type = "text/javascript" src = "/js/src/post-details.js?v=5.1.4" > < / script >
< script type = "text/javascript" src = "/js/src/bootstrap.js?v=5.1.4" > < / script >
<!-- LOCAL: You can save these files to your site and update links -->
2019-07-10 04:27:33 +00:00
< link rel = "stylesheet" href = "https://jjeejj.github.io/css/gitment.css" >
< script src = "https://jjeejj.github.io/js/gitment.js" > < / script >
2019-07-01 09:28:12 +00:00
<!-- END LOCAL -->
< script type = "text/javascript" >
function renderGitment(){
2019-07-10 04:27:33 +00:00
var gitment = new Gitment({
2019-07-09 06:49:56 +00:00
id: window.location.pathname,
2019-07-01 09:28:12 +00:00
owner: 'Cool-Y',
repo: 'gitment-comments',
oauth: {
client_secret: '1c5db4da72df5e6fc318d12afe5f4406f7c54343',
client_id: '180955a2c3ae3d966d9a'
}});
gitment.render('gitment-container');
}
renderGitment();
< / script >
< script src = "https://cdn1.lncld.net/static/js/av-core-mini-0.6.4.js" > < / script >
< script > AV . initialize ( "EWwoJgHNdlj6iBjiFlMcabUO-gzGzoHsz" , "x8FxDrYG79C8YFrTww9ljo8K" ) ; < / script >
< script >
function showTime(Counter) {
var query = new AV.Query(Counter);
var entries = [];
var $visitors = $(".leancloud_visitors");
$visitors.each(function () {
entries.push( $(this).attr("id").trim() );
});
query.containedIn('url', entries);
query.find()
.done(function (results) {
var COUNT_CONTAINER_REF = '.leancloud-visitors-count';
if (results.length === 0) {
$visitors.find(COUNT_CONTAINER_REF).text(0);
return;
}
for (var i = 0; i < results.length ; i + + ) {
var item = results[i];
var url = item.get('url');
var time = item.get('time');
var element = document.getElementById(url);
$(element).find(COUNT_CONTAINER_REF).text(time);
}
for(var i = 0; i < entries.length ; i + + ) {
var url = entries[i];
var element = document.getElementById(url);
var countSpan = $(element).find(COUNT_CONTAINER_REF);
if( countSpan.text() == '') {
countSpan.text(0);
}
}
})
.fail(function (object, error) {
console.log("Error: " + error.code + " " + error.message);
});
}
function addCount(Counter) {
var $visitors = $(".leancloud_visitors");
var url = $visitors.attr('id').trim();
var title = $visitors.attr('data-flag-title').trim();
var query = new AV.Query(Counter);
query.equalTo("url", url);
query.find({
success: function(results) {
if (results.length > 0) {
var counter = results[0];
counter.fetchWhenSave(true);
counter.increment("time");
counter.save(null, {
success: function(counter) {
var $element = $(document.getElementById(url));
$element.find('.leancloud-visitors-count').text(counter.get('time'));
},
error: function(counter, error) {
console.log('Failed to save Visitor num, with error message: ' + error.message);
}
});
} else {
var newcounter = new Counter();
/* Set ACL */
var acl = new AV.ACL();
acl.setPublicReadAccess(true);
acl.setPublicWriteAccess(true);
newcounter.setACL(acl);
/* End Set ACL */
newcounter.set("title", title);
newcounter.set("url", url);
newcounter.set("time", 1);
newcounter.save(null, {
success: function(newcounter) {
var $element = $(document.getElementById(url));
$element.find('.leancloud-visitors-count').text(newcounter.get('time'));
},
error: function(newcounter, error) {
console.log('Failed to create');
}
});
}
},
error: function(error) {
console.log('Error:' + error.code + " " + error.message);
}
});
}
$(function() {
var Counter = AV.Object.extend("Counter");
if ($('.leancloud_visitors').length == 1) {
addCount(Counter);
} else if ($('.post-title-link').length > 1) {
showTime(Counter);
}
});
< / script >
< script >
(function(){
var bp = document.createElement('script');
var curProtocol = window.location.protocol.split(':')[0];
if (curProtocol === 'https') {
bp.src = 'https://zz.bdstatic.com/linksubmit/push.js';
}
else {
bp.src = 'http://push.zhanzhang.baidu.com/push.js';
}
var s = document.getElementsByTagName("script")[0];
s.parentNode.insertBefore(bp, s);
})();
< / script >
< / body >
< / html >
