Site updated: 2019-07-09 17:08:29

This commit is contained in:
Cool-Y 2019-07-09 17:08:31 +08:00
parent 7dc690ad31
commit 5a304462e7
3 changed files with 7 additions and 7 deletions

View File

@ -88,7 +88,7 @@
<meta property="og:description" content="这篇文章是对afl的简单使用可大致分为黑盒测试和白盒测试两个部分。白盒测试从对目标程序的插桩编译开始然后使用fuzzer对其模糊测试发现崩溃最后对测试的代码覆盖率进行评估。黑盒测试则演示得较简略。参考https://paper.seebug.org/841/#_1 部署afl 123456&amp;gt; wget http://lcamtuf.coredump.cx/afl/releases/">
<meta property="og:locale" content="zh-Hans">
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562570048/afl/1.png">
<meta property="og:updated_time" content="2019-07-09T08:57:59.215Z">
<meta property="og:updated_time" content="2019-07-09T09:03:52.647Z">
<meta name="twitter:card" content="summary">
<meta name="twitter:title" content="AFL-爱之初体验">
<meta name="twitter:description" content="这篇文章是对afl的简单使用可大致分为黑盒测试和白盒测试两个部分。白盒测试从对目标程序的插桩编译开始然后使用fuzzer对其模糊测试发现崩溃最后对测试的代码覆盖率进行评估。黑盒测试则演示得较简略。参考https://paper.seebug.org/841/#_1 部署afl 123456&amp;gt; wget http://lcamtuf.coredump.cx/afl/releases/">
@ -454,7 +454,7 @@
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">&gt; $ CPU_TARGET=x86_64 ./build_qemu_support.sh</span><br><span class="line">&gt; [+] Build process successful!</span><br><span class="line">&gt; [*] Copying binary...</span><br><span class="line">&gt; -rwxr-xr-x 1 han han 10972920 7月 9 10:43 ../afl-qemu-trace</span><br><span class="line">&gt; [+] Successfully created &apos;../afl-qemu-trace&apos;.</span><br><span class="line">&gt; [!] Note: can&apos;t test instrumentation when CPU_TARGET set.</span><br><span class="line">&gt; [+] All set, you can now (hopefully) use the -Q mode in afl-fuzz!</span><br><span class="line">&gt;</span><br></pre></td></tr></table></figure>
</blockquote>
<hr>
<h1 id="0x01白盒测试"><a href="#0x01白盒测试" class="headerlink" title="0x01白盒测试"></a>0x01白盒测试</h1><h2 id="目标程序编译"><a href="#目标程序编译" class="headerlink" title="目标程序编译"></a>目标程序编译</h2><ol>
<h1 id="0x01-白盒测试"><a href="#0x01-白盒测试" class="headerlink" title="0x01 白盒测试"></a>0x01 白盒测试</h1><h2 id="目标程序编译"><a href="#目标程序编译" class="headerlink" title="目标程序编译"></a>目标程序编译</h2><ol>
<li><p>源代码</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line">#undef _FORTIFY_SOURCE</span><br><span class="line">#include &lt;stdio.h&gt;</span><br><span class="line">#include &lt;stdlib.h&gt;</span><br><span class="line">#include &lt;unistd.h&gt;</span><br><span class="line"></span><br><span class="line">void vulnerable_function() &#123;</span><br><span class="line"> char buf[128];</span><br><span class="line"> read(STDIN_FILENO, buf, 256);</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">int main(int argc, char** argv) &#123;</span><br><span class="line"> vulnerable_function();</span><br><span class="line"> write(STDOUT_FILENO, &quot;Hello, World\n&quot;, 13);</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>
</li>
@ -524,7 +524,7 @@
</li>
</ol>
<hr>
<h1 id="0x02代码覆盖率及其相关概念"><a href="#0x02代码覆盖率及其相关概念" class="headerlink" title="0x02代码覆盖率及其相关概念"></a>0x02代码覆盖率及其相关概念</h1><blockquote>
<h1 id="0x02-代码覆盖率及其相关概念"><a href="#0x02-代码覆盖率及其相关概念" class="headerlink" title="0x02 代码覆盖率及其相关概念"></a>0x02 代码覆盖率及其相关概念</h1><blockquote>
<p>代码覆盖率是模糊测试中一个极其重要的概念使用代码覆盖率可以评估和改进测试过程执行到的代码越多找到bug的可能性就越大毕竟在覆盖的代码中并不能100%发现bug在未覆盖的代码中却是100%找不到任何bug的。<br>代码覆盖率是一种度量代码的覆盖程度的方式也就是指源代码中的某行代码是否已执行对二进制程序还可将此概念理解为汇编代码中的某条指令是否已执行。其计量方式很多但无论是GCC的GCOV还是LLVM的SanitizerCoverage都提供函数function、基本块basic-block、边界edge三种级别的覆盖率检测。</p>
</blockquote>
<h2 id="计算代码覆盖率"><a href="#计算代码覆盖率" class="headerlink" title="计算代码覆盖率"></a>计算代码覆盖率</h2><p><strong>GCOV</strong>:插桩生成覆盖率 <strong>LCOV</strong>:图形展示覆盖率 <strong>afl-cov</strong>调用前两个工具计算afl测试用例的覆盖率</p>
@ -540,7 +540,7 @@
</ol>
<p><img src="https://res.cloudinary.com/dozyfkbg3/image/upload/v1562570048/afl/1.png" alt></p>
<hr>
<h1 id="0x03黑盒测试使用qemu"><a href="#0x03黑盒测试使用qemu" class="headerlink" title="0x03黑盒测试使用qemu"></a>0x03黑盒测试使用qemu</h1><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line">$ ./afl-fuzz -i ../vuln/testcase/ -o ../vuln/outQemu -Q ../vuln/v1</span><br><span class="line">american fuzzy lop 2.52b (v1)</span><br><span class="line"></span><br><span class="line">┌─ process timing ─────────────────────────────────────┬─ overall results ─────┐</span><br><span class="line">│ run time : 0 days, 0 hrs, 0 min, 41 sec │ cycles done : 232 │</span><br><span class="line">│ last new path : none yet (odd, check syntax!) │ total paths : 2 │</span><br><span class="line">│ last uniq crash : 0 days, 0 hrs, 0 min, 41 sec │ uniq crashes : 1 │</span><br><span class="line">│ last uniq hang : none seen yet │ uniq hangs : 0 │</span><br><span class="line">├─ cycle progress ────────────────────┬─ map coverage ─┴───────────────────────┤</span><br><span class="line">│ now processing : 0* (0.00%) │ map density : 0.04% / 0.04% │</span><br><span class="line">│ paths timed out : 0 (0.00%) │ count coverage : 1.00 bits/tuple │</span><br><span class="line">├─ stage progress ────────────────────┼─ findings in depth ────────────────────┤</span><br><span class="line">│ now trying : havoc │ favored paths : 1 (50.00%) │</span><br><span class="line">│ stage execs : 255/256 (99.61%) │ new edges on : 1 (50.00%) │</span><br><span class="line">│ total execs : 121k │ total crashes : 33 (1 unique) │</span><br><span class="line">│ exec speed : 2860/sec │ total tmouts : 0 (0 unique) │</span><br><span class="line">├─ fuzzing strategy yields ───────────┴───────────────┬─ path geometry ────────┤</span><br><span class="line">│ bit flips : 0/56, 0/54, 0/50 │ levels : 1 │</span><br><span class="line">│ byte flips : 0/7, 0/5, 0/1 │ pending : 0 │</span><br><span class="line">│ arithmetics : 0/392, 0/25, 0/0 │ pend fav : 0 │</span><br><span class="line">│ known ints : 0/36, 0/138, 0/44 │ own finds : 0 │</span><br><span class="line">│ dictionary : 0/0, 0/0, 0/0 │ imported : n/a │</span><br><span class="line">│ havoc : 1/120k, 0/0 │ stability : 100.00% │</span><br><span class="line">│ trim : 82.61%/5, 0.00% ├────────────────────────┘</span><br><span class="line">^C────────────────────────────────────────────────────┘ [cpu000:102%]</span><br></pre></td></tr></table></figure>
<h1 id="0x03-黑盒测试使用qemu"><a href="#0x03-黑盒测试使用qemu" class="headerlink" title="0x03 黑盒测试使用qemu"></a>0x03 黑盒测试使用qemu</h1><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line">$ ./afl-fuzz -i ../vuln/testcase/ -o ../vuln/outQemu -Q ../vuln/v1</span><br><span class="line">american fuzzy lop 2.52b (v1)</span><br><span class="line"></span><br><span class="line">┌─ process timing ─────────────────────────────────────┬─ overall results ─────┐</span><br><span class="line">│ run time : 0 days, 0 hrs, 0 min, 41 sec │ cycles done : 232 │</span><br><span class="line">│ last new path : none yet (odd, check syntax!) │ total paths : 2 │</span><br><span class="line">│ last uniq crash : 0 days, 0 hrs, 0 min, 41 sec │ uniq crashes : 1 │</span><br><span class="line">│ last uniq hang : none seen yet │ uniq hangs : 0 │</span><br><span class="line">├─ cycle progress ────────────────────┬─ map coverage ─┴───────────────────────┤</span><br><span class="line">│ now processing : 0* (0.00%) │ map density : 0.04% / 0.04% │</span><br><span class="line">│ paths timed out : 0 (0.00%) │ count coverage : 1.00 bits/tuple │</span><br><span class="line">├─ stage progress ────────────────────┼─ findings in depth ────────────────────┤</span><br><span class="line">│ now trying : havoc │ favored paths : 1 (50.00%) │</span><br><span class="line">│ stage execs : 255/256 (99.61%) │ new edges on : 1 (50.00%) │</span><br><span class="line">│ total execs : 121k │ total crashes : 33 (1 unique) │</span><br><span class="line">│ exec speed : 2860/sec │ total tmouts : 0 (0 unique) │</span><br><span class="line">├─ fuzzing strategy yields ───────────┴───────────────┬─ path geometry ────────┤</span><br><span class="line">│ bit flips : 0/56, 0/54, 0/50 │ levels : 1 │</span><br><span class="line">│ byte flips : 0/7, 0/5, 0/1 │ pending : 0 │</span><br><span class="line">│ arithmetics : 0/392, 0/25, 0/0 │ pend fav : 0 │</span><br><span class="line">│ known ints : 0/36, 0/138, 0/44 │ own finds : 0 │</span><br><span class="line">│ dictionary : 0/0, 0/0, 0/0 │ imported : n/a │</span><br><span class="line">│ havoc : 1/120k, 0/0 │ stability : 100.00% │</span><br><span class="line">│ trim : 82.61%/5, 0.00% ├────────────────────────┘</span><br><span class="line">^C────────────────────────────────────────────────────┘ [cpu000:102%]</span><br></pre></td></tr></table></figure>
<ul>
<li style="list-style: none"><input type="checkbox"> 待完成对黑盒测试原理的分析</li>
</ul>
@ -776,7 +776,7 @@
<div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#0x01白盒测试"><span class="nav-text">0x01白盒测试</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#目标程序编译"><span class="nav-text">目标程序编译</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#测试插桩程序"><span class="nav-text">测试插桩程序</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#执行FUZZER"><span class="nav-text">执行FUZZER</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#afl何时结束"><span class="nav-text">afl何时结束</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#处理输出结果"><span class="nav-text">处理输出结果</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#崩溃类型和可利用性"><span class="nav-text">崩溃类型和可利用性</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x02代码覆盖率及其相关概念"><span class="nav-text">0x02代码覆盖率及其相关概念</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#计算代码覆盖率"><span class="nav-text">计算代码覆盖率</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x03黑盒测试使用qemu"><span class="nav-text">0x03黑盒测试使用qemu</span></a></li></ol></div>
<div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-1"><a class="nav-link" href="#0x01-白盒测试"><span class="nav-text">0x01 白盒测试</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#目标程序编译"><span class="nav-text">目标程序编译</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#测试插桩程序"><span class="nav-text">测试插桩程序</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#执行FUZZER"><span class="nav-text">执行FUZZER</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#afl何时结束"><span class="nav-text">afl何时结束</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#处理输出结果"><span class="nav-text">处理输出结果</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#崩溃类型和可利用性"><span class="nav-text">崩溃类型和可利用性</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x02-代码覆盖率及其相关概念"><span class="nav-text">0x02 代码覆盖率及其相关概念</span></a><ol class="nav-child"><li class="nav-item nav-level-2"><a class="nav-link" href="#计算代码覆盖率"><span class="nav-text">计算代码覆盖率</span></a></li></ol></li><li class="nav-item nav-level-1"><a class="nav-link" href="#0x03-黑盒测试使用qemu"><span class="nav-text">0x03 黑盒测试使用qemu</span></a></li></ol></div>
</div>

View File

@ -4,7 +4,7 @@
<url>
<loc>https://cool-y.github.io/2019/07/09/afl-first-try/</loc>
<lastmod>2019-07-09T08:57:59.215Z</lastmod>
<lastmod>2019-07-09T09:03:52.647Z</lastmod>
</url>