Site updated: 2019-07-09 17:08:29
This commit is contained in:
parent
7dc690ad31
commit
5a304462e7
@ -88,7 +88,7 @@
|
||||
<meta property="og:description" content="这篇文章是对afl的简单使用,可大致分为黑盒测试和白盒测试两个部分。白盒测试从对目标程序的插桩编译开始,然后使用fuzzer对其模糊测试发现崩溃,最后对测试的代码覆盖率进行评估。黑盒测试则演示得较简略。参考:https://paper.seebug.org/841/#_1 部署afl 123456&gt; wget http://lcamtuf.coredump.cx/afl/releases/">
|
||||
<meta property="og:locale" content="zh-Hans">
|
||||
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562570048/afl/1.png">
|
||||
<meta property="og:updated_time" content="2019-07-09T08:57:59.215Z">
|
||||
<meta property="og:updated_time" content="2019-07-09T09:03:52.647Z">
|
||||
<meta name="twitter:card" content="summary">
|
||||
<meta name="twitter:title" content="AFL-爱之初体验">
|
||||
<meta name="twitter:description" content="这篇文章是对afl的简单使用,可大致分为黑盒测试和白盒测试两个部分。白盒测试从对目标程序的插桩编译开始,然后使用fuzzer对其模糊测试发现崩溃,最后对测试的代码覆盖率进行评估。黑盒测试则演示得较简略。参考:https://paper.seebug.org/841/#_1 部署afl 123456&gt; wget http://lcamtuf.coredump.cx/afl/releases/">
|
||||
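Review bot: the og:description and twitter:description excerpts still embed the code block's line-number gutter ("123456&gt; wget http://lcamtuf.coredump.cx/afl/releases/") and stop mid-URL, so the social preview text is unreadable; this hunk only bumps og:updated_time and leaves that excerpt in place. Set an explicit excerpt/description in the post's front matter instead of letting the generator truncate the rendered body, and while touching it note that the fetch shown is plain http with no checksum or signature step for the tarball that gets compiled and run.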
@ -454,7 +454,7 @@
|
||||
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">> $ CPU_TARGET=x86_64 ./build_qemu_support.sh</span><br><span class="line">> [+] Build process successful!</span><br><span class="line">> [*] Copying binary...</span><br><span class="line">> -rwxr-xr-x 1 han han 10972920 7月 9 10:43 ../afl-qemu-trace</span><br><span class="line">> [+] Successfully created '../afl-qemu-trace'.</span><br><span class="line">> [!] Note: can't test instrumentation when CPU_TARGET set.</span><br><span class="line">> [+] All set, you can now (hopefully) use the -Q mode in afl-fuzz!</span><br><span class="line">></span><br></pre></td></tr></table></figure>
|
||||
</blockquote>
|
||||
<hr>
|
||||
<h1 id="0x01白盒测试"><a href="#0x01白盒测试" class="headerlink" title="0x01白盒测试"></a>0x01白盒测试</h1><h2 id="目标程序编译"><a href="#目标程序编译" class="headerlink" title="目标程序编译"></a>目标程序编译</h2><ol>
|
||||
<h1 id="0x01-白盒测试"><a href="#0x01-白盒测试" class="headerlink" title="0x01 白盒测试"></a>0x01 白盒测试</h1><h2 id="目标程序编译"><a href="#目标程序编译" class="headerlink" title="目标程序编译"></a>目标程序编译</h2><ol>
|
||||
<li><p>源代码</p>
|
||||
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line">#undef _FORTIFY_SOURCE</span><br><span class="line">#include <stdio.h></span><br><span class="line">#include <stdlib.h></span><br><span class="line">#include <unistd.h></span><br><span class="line"></span><br><span class="line">void vulnerable_function() {</span><br><span class="line"> char buf[128];</span><br><span class="line"> read(STDIN_FILENO, buf, 256);</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">int main(int argc, char** argv) {</span><br><span class="line"> vulnerable_function();</span><br><span class="line"> write(STDOUT_FILENO, "Hello, World\n", 13);</span><br><span class="line">}</span><br></pre></td></tr></table></figure>
|
||||
</li>
|
||||
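Review bot: inserting the space in "0x01 白盒测试" changes the generated anchor from `#0x01白盒测试` to `#0x01-白盒测试`, so any existing deep links to the old fragment stop resolving; the TOC is regenerated in the later hunk, but external links are not. The unchanged `vulnerable_function` source deserves one sentence in the post: `#undef _FORTIFY_SOURCE` together with `read(STDIN_FILENO, buf, 256)` into `char buf[128]` is the deliberate stack overflow AFL is expected to hit, and stating that explicitly stops a reader from treating the undef as a build fix to be removed.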
@ -524,7 +524,7 @@
|
||||
</li>
|
||||
</ol>
|
||||
<hr>
|
||||
<h1 id="0x02代码覆盖率及其相关概念"><a href="#0x02代码覆盖率及其相关概念" class="headerlink" title="0x02代码覆盖率及其相关概念"></a>0x02代码覆盖率及其相关概念</h1><blockquote>
|
||||
<h1 id="0x02-代码覆盖率及其相关概念"><a href="#0x02-代码覆盖率及其相关概念" class="headerlink" title="0x02 代码覆盖率及其相关概念"></a>0x02 代码覆盖率及其相关概念</h1><blockquote>
|
||||
<p>代码覆盖率是模糊测试中一个极其重要的概念,使用代码覆盖率可以评估和改进测试过程,执行到的代码越多,找到bug的可能性就越大,毕竟,在覆盖的代码中并不能100%发现bug,在未覆盖的代码中却是100%找不到任何bug的。<br>代码覆盖率是一种度量代码的覆盖程度的方式,也就是指源代码中的某行代码是否已执行;对二进制程序,还可将此概念理解为汇编代码中的某条指令是否已执行。其计量方式很多,但无论是GCC的GCOV还是LLVM的SanitizerCoverage,都提供函数(function)、基本块(basic-block)、边界(edge)三种级别的覆盖率检测。</p>
|
||||
</blockquote>
|
||||
<h2 id="计算代码覆盖率"><a href="#计算代码覆盖率" class="headerlink" title="计算代码覆盖率"></a>计算代码覆盖率</h2><p><strong>GCOV</strong>:插桩生成覆盖率 <strong>LCOV</strong>:图形展示覆盖率 <strong>afl-cov</strong>:调用前两个工具计算afl测试用例的覆盖率</p>
|
||||
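Review bot: same anchor break as the 0x01 heading, `#0x02代码覆盖率及其相关概念` becomes `#0x02-代码覆盖率及其相关概念`. In the unchanged blockquote, the sentence saying both GCC's GCOV and LLVM's SanitizerCoverage offer function, basic-block and edge level coverage is imprecise: gcov reports line, function and branch coverage, while func/bb/edge are SanitizerCoverage's instrumentation levels; suggest rewording to keep the two tools' vocabularies apart. The "计算代码覆盖率" paragraph runs the three bold labels (GCOV, LCOV, afl-cov) together on one line; a three-item list would read better and match the ordered lists used elsewhere in the post.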
@ -540,7 +540,7 @@
|
||||
</ol>
|
||||
<p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562570048/afl/1.png" alt></p>
|
||||
<hr>
|
||||
<h1 id="0x03黑盒测试(使用qemu"><a href="#0x03黑盒测试(使用qemu" class="headerlink" title="0x03黑盒测试(使用qemu"></a>0x03黑盒测试(使用qemu</h1><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line">$ ./afl-fuzz -i ../vuln/testcase/ -o ../vuln/outQemu -Q ../vuln/v1</span><br><span class="line">american fuzzy lop 2.52b (v1)</span><br><span class="line"></span><br><span class="line">┌─ process timing ─────────────────────────────────────┬─ overall results ─────┐</span><br><span class="line">│ run time : 0 days, 0 hrs, 0 min, 41 sec │ cycles done : 232 │</span><br><span class="line">│ last new path : none yet (odd, check syntax!) 
│ total paths : 2 │</span><br><span class="line">│ last uniq crash : 0 days, 0 hrs, 0 min, 41 sec │ uniq crashes : 1 │</span><br><span class="line">│ last uniq hang : none seen yet │ uniq hangs : 0 │</span><br><span class="line">├─ cycle progress ────────────────────┬─ map coverage ─┴───────────────────────┤</span><br><span class="line">│ now processing : 0* (0.00%) │ map density : 0.04% / 0.04% │</span><br><span class="line">│ paths timed out : 0 (0.00%) │ count coverage : 1.00 bits/tuple │</span><br><span class="line">├─ stage progress ────────────────────┼─ findings in depth ────────────────────┤</span><br><span class="line">│ now trying : havoc │ favored paths : 1 (50.00%) │</span><br><span class="line">│ stage execs : 255/256 (99.61%) │ new edges on : 1 (50.00%) │</span><br><span class="line">│ total execs : 121k │ total crashes : 33 (1 unique) │</span><br><span class="line">│ exec speed : 2860/sec │ total tmouts : 0 (0 unique) │</span><br><span class="line">├─ fuzzing strategy yields ───────────┴───────────────┬─ path geometry ────────┤</span><br><span class="line">│ bit flips : 0/56, 0/54, 0/50 │ levels : 1 │</span><br><span class="line">│ byte flips : 0/7, 0/5, 0/1 │ pending : 0 │</span><br><span class="line">│ arithmetics : 0/392, 0/25, 0/0 │ pend fav : 0 │</span><br><span class="line">│ known ints : 0/36, 0/138, 0/44 │ own finds : 0 │</span><br><span class="line">│ dictionary : 0/0, 0/0, 0/0 │ imported : n/a │</span><br><span class="line">│ havoc : 1/120k, 0/0 │ stability : 100.00% │</span><br><span class="line">│ trim : 82.61%/5, 0.00% ├────────────────────────┘</span><br><span class="line">^C────────────────────────────────────────────────────┘ [cpu000:102%]</span><br></pre></td></tr></table></figure>
|
||||
<h1 id="0x03-黑盒测试(使用qemu"><a href="#0x03-黑盒测试(使用qemu" class="headerlink" title="0x03 黑盒测试(使用qemu"></a>0x03 黑盒测试(使用qemu</h1><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line">$ ./afl-fuzz -i ../vuln/testcase/ -o ../vuln/outQemu -Q ../vuln/v1</span><br><span class="line">american fuzzy lop 2.52b (v1)</span><br><span class="line"></span><br><span class="line">┌─ process timing ─────────────────────────────────────┬─ overall results ─────┐</span><br><span class="line">│ run time : 0 days, 0 hrs, 0 min, 41 sec │ cycles done : 232 │</span><br><span class="line">│ last new path : none yet (odd, check syntax!) 
│ total paths : 2 │</span><br><span class="line">│ last uniq crash : 0 days, 0 hrs, 0 min, 41 sec │ uniq crashes : 1 │</span><br><span class="line">│ last uniq hang : none seen yet │ uniq hangs : 0 │</span><br><span class="line">├─ cycle progress ────────────────────┬─ map coverage ─┴───────────────────────┤</span><br><span class="line">│ now processing : 0* (0.00%) │ map density : 0.04% / 0.04% │</span><br><span class="line">│ paths timed out : 0 (0.00%) │ count coverage : 1.00 bits/tuple │</span><br><span class="line">├─ stage progress ────────────────────┼─ findings in depth ────────────────────┤</span><br><span class="line">│ now trying : havoc │ favored paths : 1 (50.00%) │</span><br><span class="line">│ stage execs : 255/256 (99.61%) │ new edges on : 1 (50.00%) │</span><br><span class="line">│ total execs : 121k │ total crashes : 33 (1 unique) │</span><br><span class="line">│ exec speed : 2860/sec │ total tmouts : 0 (0 unique) │</span><br><span class="line">├─ fuzzing strategy yields ───────────┴───────────────┬─ path geometry ────────┤</span><br><span class="line">│ bit flips : 0/56, 0/54, 0/50 │ levels : 1 │</span><br><span class="line">│ byte flips : 0/7, 0/5, 0/1 │ pending : 0 │</span><br><span class="line">│ arithmetics : 0/392, 0/25, 0/0 │ pend fav : 0 │</span><br><span class="line">│ known ints : 0/36, 0/138, 0/44 │ own finds : 0 │</span><br><span class="line">│ dictionary : 0/0, 0/0, 0/0 │ imported : n/a │</span><br><span class="line">│ havoc : 1/120k, 0/0 │ stability : 100.00% │</span><br><span class="line">│ trim : 82.61%/5, 0.00% ├────────────────────────┘</span><br><span class="line">^C────────────────────────────────────────────────────┘ [cpu000:102%]</span><br></pre></td></tr></table></figure>
|
||||
<ul>
|
||||
<li style="list-style: none"><input type="checkbox"> 待完成对黑盒测试原理的分析</li>
|
||||
</ul>
|
||||
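Review bot: the heading "0x03 黑盒测试(使用qemu" is missing its closing parenthesis, and because the id is derived from the text, the broken form is baked into `id="0x03-黑盒测试(使用qemu"` and the TOC link; fix the heading text in the source (for example "0x03 黑盒测试（使用qemu）") so the id regenerates. In the status screen, row 6 (`last new path : none yet (odd, check syntax!)`) is split across two lines while it should be a single row ending in `total paths : 2`; and that warning together with `cycles done : 232` after 41 seconds and only 2 total paths means the `-Q` run is not finding any new paths at all, which is expected for this target (one `read` and one `write`, no input-dependent branching) but should be said in a sentence before the "待完成" checkbox so the run is not misread as a broken harness. The 33 crashes / 1 unique line is the overflow being hit repeatedly, so the `-Q` mode is working.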
@ -776,7 +776,7 @@
|
||||
|
||||
|
||||
|
||||
<div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#0x01白盒测试"><span class="nav-text">0x01白盒测试</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#目标程序编译"><span class="nav-text">目标程序编译</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#测试插桩程序"><span class="nav-text">测试插桩程序</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#执行FUZZER"><span class="nav-text">执行FUZZER</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#afl何时结束"><span class="nav-text">afl何时结束</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#处理输出结果"><span class="nav-text">处理输出结果</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#崩溃类型和可利用性"><span class="nav-text">崩溃类型和可利用性</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x02代码覆盖率及其相关概念"><span class="nav-text">0x02代码覆盖率及其相关概念</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#计算代码覆盖率"><span class="nav-text">计算代码覆盖率</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x03黑盒测试(使用qemu"><span class="nav-text">0x03黑盒测试(使用qemu</span></a></li></ol></div>
|
||||
<div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#0x01-白盒测试"><span class="nav-text">0x01 白盒测试</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#目标程序编译"><span class="nav-text">目标程序编译</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#测试插桩程序"><span class="nav-text">测试插桩程序</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#执行FUZZER"><span class="nav-text">执行FUZZER</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#afl何时结束"><span class="nav-text">afl何时结束</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#处理输出结果"><span class="nav-text">处理输出结果</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#崩溃类型和可利用性"><span class="nav-text">崩溃类型和可利用性</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x02-代码覆盖率及其相关概念"><span class="nav-text">0x02 代码覆盖率及其相关概念</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#计算代码覆盖率"><span class="nav-text">计算代码覆盖率</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x03-黑盒测试(使用qemu"><span class="nav-text">0x03 黑盒测试(使用qemu</span></a></li></ol></div>
|
||||
|
||||
|
||||
</div>
|
||||
|
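Review bot: the TOC rewrite is consistent with the three level-1 heading id changes, but it also carries the unclosed "(使用qemu" text into the nav link; the fix belongs at the heading source, not in the generated TOC. The level-2 entries (测试插桩程序, 执行FUZZER, afl何时结束, 处理输出结果, 崩溃类型和可利用性) keep their ids since only the level-1 headings gained a space, so no further links move.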
File diff suppressed because one or more lines are too long
@ -4,7 +4,7 @@
|
||||
<url>
|
||||
<loc>https://cool-y.github.io/2019/07/09/afl-first-try/</loc>
|
||||
|
||||
<lastmod>2019-07-09T08:57:59.215Z</lastmod>
|
||||
<lastmod>2019-07-09T09:03:52.647Z</lastmod>
|
||||
|
||||
</url>
|
||||
|
||||
|