Site updated: 2019-07-09 14:49:41
@ -760,7 +760,7 @@ Server -------wire----------|
|
||||
|
||||
<a href="/archives/">
|
||||
|
||||
<span class="site-state-item-count">16</span>
|
||||
<span class="site-state-item-count">17</span>
|
||||
<span class="site-state-item-name">日志</span>
|
||||
</a>
|
||||
</div>
|
||||
@ -869,7 +869,7 @@ Server -------wire----------|
|
||||
<i class="fa fa-area-chart"></i>
|
||||
</span>
|
||||
|
||||
<span title="Site words total count">44.8k</span>
|
||||
<span title="Site words total count">48k</span>
|
||||
|
||||
</div>
|
||||
|
||||
@ -1060,7 +1060,7 @@ Server -------wire----------|
|
||||
<script type="text/javascript">
|
||||
function renderGitment(){
|
||||
var gitment = new Gitmint({
|
||||
id: window.location.pathname,
|
||||
id: window.location.pathname,
|
||||
owner: 'Cool-Y',
|
||||
repo: 'gitment-comments',
|
||||
|
||||
|
@ -609,7 +609,7 @@
|
||||
|
||||
<a href="/archives/">
|
||||
|
||||
<span class="site-state-item-count">16</span>
|
||||
<span class="site-state-item-count">17</span>
|
||||
<span class="site-state-item-name">日志</span>
|
||||
</a>
|
||||
</div>
|
||||
@ -718,7 +718,7 @@
|
||||
<i class="fa fa-area-chart"></i>
|
||||
</span>
|
||||
|
||||
<span title="Site words total count">44.8k</span>
|
||||
<span title="Site words total count">48k</span>
|
||||
|
||||
</div>
|
||||
|
||||
@ -909,7 +909,7 @@
|
||||
<script type="text/javascript">
|
||||
function renderGitment(){
|
||||
var gitment = new Gitmint({
|
||||
id: window.location.pathname,
|
||||
id: window.location.pathname,
|
||||
owner: 'Cool-Y',
|
||||
repo: 'gitment-comments',
|
||||
|
||||
|
@ -616,7 +616,7 @@
|
||||
|
||||
<a href="/archives/">
|
||||
|
||||
<span class="site-state-item-count">16</span>
|
||||
<span class="site-state-item-count">17</span>
|
||||
<span class="site-state-item-name">日志</span>
|
||||
</a>
|
||||
</div>
|
||||
@ -725,7 +725,7 @@
|
||||
<i class="fa fa-area-chart"></i>
|
||||
</span>
|
||||
|
||||
<span title="Site words total count">44.8k</span>
|
||||
<span title="Site words total count">48k</span>
|
||||
|
||||
</div>
|
||||
|
||||
@ -916,7 +916,7 @@
|
||||
<script type="text/javascript">
|
||||
function renderGitment(){
|
||||
var gitment = new Gitmint({
|
||||
id: window.location.pathname,
|
||||
id: window.location.pathname,
|
||||
owner: 'Cool-Y',
|
||||
repo: 'gitment-comments',
|
||||
|
||||
|
@ -626,7 +626,7 @@
|
||||
|
||||
<a href="/archives/">
|
||||
|
||||
<span class="site-state-item-count">16</span>
|
||||
<span class="site-state-item-count">17</span>
|
||||
<span class="site-state-item-name">日志</span>
|
||||
</a>
|
||||
</div>
|
||||
@ -735,7 +735,7 @@
|
||||
<i class="fa fa-area-chart"></i>
|
||||
</span>
|
||||
|
||||
<span title="Site words total count">44.8k</span>
|
||||
<span title="Site words total count">48k</span>
|
||||
|
||||
</div>
|
||||
|
||||
@ -926,7 +926,7 @@
|
||||
<script type="text/javascript">
|
||||
function renderGitment(){
|
||||
var gitment = new Gitmint({
|
||||
id: window.location.pathname,
|
||||
id: window.location.pathname,
|
||||
owner: 'Cool-Y',
|
||||
repo: 'gitment-comments',
|
||||
|
||||
|
@ -651,7 +651,7 @@
|
||||
|
||||
<a href="/archives/">
|
||||
|
||||
<span class="site-state-item-count">16</span>
|
||||
<span class="site-state-item-count">17</span>
|
||||
<span class="site-state-item-name">日志</span>
|
||||
</a>
|
||||
</div>
|
||||
@ -760,7 +760,7 @@
|
||||
<i class="fa fa-area-chart"></i>
|
||||
</span>
|
||||
|
||||
<span title="Site words total count">44.8k</span>
|
||||
<span title="Site words total count">48k</span>
|
||||
|
||||
</div>
|
||||
|
||||
@ -951,7 +951,7 @@
|
||||
<script type="text/javascript">
|
||||
function renderGitment(){
|
||||
var gitment = new Gitmint({
|
||||
id: window.location.pathname,
|
||||
id: window.location.pathname,
|
||||
owner: 'Cool-Y',
|
||||
repo: 'gitment-comments',
|
||||
|
||||
|
@ -754,7 +754,7 @@
|
||||
|
||||
<a href="/archives/">
|
||||
|
||||
<span class="site-state-item-count">16</span>
|
||||
<span class="site-state-item-count">17</span>
|
||||
<span class="site-state-item-name">日志</span>
|
||||
</a>
|
||||
</div>
|
||||
@ -863,7 +863,7 @@
|
||||
<i class="fa fa-area-chart"></i>
|
||||
</span>
|
||||
|
||||
<span title="Site words total count">44.8k</span>
|
||||
<span title="Site words total count">48k</span>
|
||||
|
||||
</div>
|
||||
|
||||
@ -1054,7 +1054,7 @@
|
||||
<script type="text/javascript">
|
||||
function renderGitment(){
|
||||
var gitment = new Gitmint({
|
||||
id: window.location.pathname,
|
||||
id: window.location.pathname,
|
||||
owner: 'Cool-Y',
|
||||
repo: 'gitment-comments',
|
||||
|
||||
|
@ -675,7 +675,7 @@
|
||||
|
||||
<a href="/archives/">
|
||||
|
||||
<span class="site-state-item-count">16</span>
|
||||
<span class="site-state-item-count">17</span>
|
||||
<span class="site-state-item-name">日志</span>
|
||||
</a>
|
||||
</div>
|
||||
@ -784,7 +784,7 @@
|
||||
<i class="fa fa-area-chart"></i>
|
||||
</span>
|
||||
|
||||
<span title="Site words total count">44.8k</span>
|
||||
<span title="Site words total count">48k</span>
|
||||
|
||||
</div>
|
||||
|
||||
@ -975,7 +975,7 @@
|
||||
<script type="text/javascript">
|
||||
function renderGitment(){
|
||||
var gitment = new Gitmint({
|
||||
id: window.location.pathname,
|
||||
id: window.location.pathname,
|
||||
owner: 'Cool-Y',
|
||||
repo: 'gitment-comments',
|
||||
|
||||
|
@ -798,7 +798,7 @@
|
||||
|
||||
<a href="/archives/">
|
||||
|
||||
<span class="site-state-item-count">16</span>
|
||||
<span class="site-state-item-count">17</span>
|
||||
<span class="site-state-item-name">日志</span>
|
||||
</a>
|
||||
</div>
|
||||
@ -907,7 +907,7 @@
|
||||
<i class="fa fa-area-chart"></i>
|
||||
</span>
|
||||
|
||||
<span title="Site words total count">44.8k</span>
|
||||
<span title="Site words total count">48k</span>
|
||||
|
||||
</div>
|
||||
|
||||
@ -1098,7 +1098,7 @@
|
||||
<script type="text/javascript">
|
||||
function renderGitment(){
|
||||
var gitment = new Gitmint({
|
||||
id: window.location.pathname,
|
||||
id: window.location.pathname,
|
||||
owner: 'Cool-Y',
|
||||
repo: 'gitment-comments',
|
||||
|
||||
|
@ -630,8 +630,8 @@
|
||||
|
||||
<div class="post-nav-prev post-nav-item">
|
||||
|
||||
<a href="/2019/05/14/pack-and-unpack/" rel="prev" title="pack and unpack">
|
||||
pack and unpack <i class="fa fa-chevron-right"></i>
|
||||
<a href="/2019/05/14/pack-and-unpack/" rel="prev" title="加壳与脱壳">
|
||||
加壳与脱壳 <i class="fa fa-chevron-right"></i>
|
||||
</a>
|
||||
|
||||
</div>
|
||||
@ -718,7 +718,7 @@
|
||||
|
||||
<a href="/archives/">
|
||||
|
||||
<span class="site-state-item-count">16</span>
|
||||
<span class="site-state-item-count">17</span>
|
||||
<span class="site-state-item-name">日志</span>
|
||||
</a>
|
||||
</div>
|
||||
@ -827,7 +827,7 @@
|
||||
<i class="fa fa-area-chart"></i>
|
||||
</span>
|
||||
|
||||
<span title="Site words total count">44.8k</span>
|
||||
<span title="Site words total count">48k</span>
|
||||
|
||||
</div>
|
||||
|
||||
@ -1018,7 +1018,7 @@
|
||||
<script type="text/javascript">
|
||||
function renderGitment(){
|
||||
var gitment = new Gitmint({
|
||||
id: window.location.pathname,
|
||||
id: window.location.pathname,
|
||||
owner: 'Cool-Y',
|
||||
repo: 'gitment-comments',
|
||||
|
||||
|
@ -81,7 +81,7 @@
|
||||
|
||||
<meta name="description" content="壳是最早出现的一种专用加密软件技术。一些软件会采取加壳保护的方式。壳附加在原始程序上,通过Windows加载器载入内存后,先于原始程序执行,以得到控制权,在执行的过程中对原始程序进行解密还原,然后把控制权还给原始程序,执行原来的代码。加上外壳后,原始程序在磁盘文件中一般是以加密后的形式存在的,只在执行时在内存中还原。这样可以有效防止破解者对程序文件进行非法修改,也可以防止程序被静态反编译。 壳的加">
|
||||
<meta property="og:type" content="article">
|
||||
<meta property="og:title" content="pack and unpack">
|
||||
<meta property="og:title" content="加壳与脱壳">
|
||||
<meta property="og:url" content="https://cool-y.github.io/2019/05/14/pack-and-unpack/index.html">
|
||||
<meta property="og:site_name" content="混元霹雳手">
|
||||
<meta property="og:description" content="壳是最早出现的一种专用加密软件技术。一些软件会采取加壳保护的方式。壳附加在原始程序上,通过Windows加载器载入内存后,先于原始程序执行,以得到控制权,在执行的过程中对原始程序进行解密还原,然后把控制权还给原始程序,执行原来的代码。加上外壳后,原始程序在磁盘文件中一般是以加密后的形式存在的,只在执行时在内存中还原。这样可以有效防止破解者对程序文件进行非法修改,也可以防止程序被静态反编译。 壳的加">
|
||||
@ -97,9 +97,9 @@
|
||||
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1557837250/%E5%8A%A0%E5%A3%B3/9.png">
|
||||
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1557837519/%E5%8A%A0%E5%A3%B3/10.png">
|
||||
<meta property="og:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1557837859/%E5%8A%A0%E5%A3%B3/11.png">
|
||||
<meta property="og:updated_time" content="2019-05-18T06:52:27.207Z">
|
||||
<meta property="og:updated_time" content="2019-07-01T12:04:55.244Z">
|
||||
<meta name="twitter:card" content="summary">
|
||||
<meta name="twitter:title" content="pack and unpack">
|
||||
<meta name="twitter:title" content="加壳与脱壳">
|
||||
<meta name="twitter:description" content="壳是最早出现的一种专用加密软件技术。一些软件会采取加壳保护的方式。壳附加在原始程序上,通过Windows加载器载入内存后,先于原始程序执行,以得到控制权,在执行的过程中对原始程序进行解密还原,然后把控制权还给原始程序,执行原来的代码。加上外壳后,原始程序在磁盘文件中一般是以加密后的形式存在的,只在执行时在内存中还原。这样可以有效防止破解者对程序文件进行非法修改,也可以防止程序被静态反编译。 壳的加">
|
||||
<meta name="twitter:image" content="https://res.cloudinary.com/dozyfkbg3/image/upload/v1557817831/%E5%8A%A0%E5%A3%B3/1.png">
|
||||
|
||||
@ -137,7 +137,7 @@
|
||||
|
||||
|
||||
|
||||
<title>pack and unpack | 混元霹雳手</title>
|
||||
<title>加壳与脱壳 | 混元霹雳手</title>
|
||||
|
||||
|
||||
|
||||
@ -333,7 +333,7 @@
|
||||
|
||||
|
||||
|
||||
<h1 class="post-title" itemprop="name headline">pack and unpack</h1>
|
||||
<h1 class="post-title" itemprop="name headline">加壳与脱壳</h1>
|
||||
|
||||
|
||||
<div class="post-meta">
|
||||
@ -373,7 +373,7 @@
|
||||
|
||||
|
||||
|
||||
<span id="/2019/05/14/pack-and-unpack/" class="leancloud_visitors" data-flag-title="pack and unpack">
|
||||
<span id="/2019/05/14/pack-and-unpack/" class="leancloud_visitors" data-flag-title="加壳与脱壳">
|
||||
<span class="post-meta-divider">|</span>
|
||||
<span class="post-meta-item-icon">
|
||||
<i class="fa fa-eye"></i>
|
||||
@ -640,7 +640,7 @@
|
||||
|
||||
<a href="/archives/">
|
||||
|
||||
<span class="site-state-item-count">16</span>
|
||||
<span class="site-state-item-count">17</span>
|
||||
<span class="site-state-item-name">日志</span>
|
||||
</a>
|
||||
</div>
|
||||
@ -749,7 +749,7 @@
|
||||
<i class="fa fa-area-chart"></i>
|
||||
</span>
|
||||
|
||||
<span title="Site words total count">44.8k</span>
|
||||
<span title="Site words total count">48k</span>
|
||||
|
||||
</div>
|
||||
|
||||
@ -940,7 +940,7 @@
|
||||
<script type="text/javascript">
|
||||
function renderGitment(){
|
||||
var gitment = new Gitmint({
|
||||
id: window.location.pathname,
|
||||
id: window.location.pathname,
|
||||
owner: 'Cool-Y',
|
||||
repo: 'gitment-comments',
|
||||
|
||||
|
@ -89,7 +89,7 @@
|
||||
<meta property="og:locale" content="zh-Hans">
|
||||
<meta property="og:image" content="https://image.3001.net/images/20181207/1544168163_5c0a22e3eedce.jpg">
|
||||
<meta property="og:image" content="http://lcamtuf.coredump.cx/afl/afl_gzip.png">
|
||||
<meta property="og:updated_time" content="2019-07-01T12:00:47.564Z">
|
||||
<meta property="og:updated_time" content="2019-07-08T06:09:11.627Z">
|
||||
<meta name="twitter:card" content="summary">
|
||||
<meta name="twitter:title" content="AFL初探">
|
||||
<meta name="twitter:description" content="接触这个词语已经有一年了,但还没有学习过更没有上手实践过,正好趁这个机会好好弄弄AFL。提起模糊测试,我们总会联想起这样或那样的专业术语——测试用例、代码覆盖率、执行路径等等,你可能和我一样一头雾水,这次我们就来看个明白 0x01 模糊测试首先,模糊测试(Fuzzing)是一种测试手段,它把系统看成一个摸不清内部结构的黑盒,只是向其输入接口随机地发送合法测试用例,这些用例并不是开发者所预期的输入">
|
||||
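Review bot: The og:image line introduced here points at a plain-http URL (`http://lcamtuf.coredump.cx/afl/afl_gzip.png`) while the site itself is served over https (the og:url values elsewhere in this commit use `https://cool-y.github.io/...`), so preview crawlers that require secure image URLs may drop the card and the asset is fetched without transport integrity. The print order of the other changed pairs in this commit (old line before new) suggests the lcamtuf line is the new side; if so, the change belongs in the post's front-matter/source rather than this generated index.html, switching to an https URL or a copy hosted with the site's other images, e.g. `<meta property="og:image" content="https://PLACEHOLDER-IMAGE-HOST/afl_gzip.png">`. The same URL may also be used for an inline image in the post body outside this hunk, which would be genuine mixed content on an https page; worth confirming in the source post.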
@ -410,7 +410,7 @@
|
||||
</span>
|
||||
|
||||
<span title="字数统计">
|
||||
11.3k 字
|
||||
11.4k 字
|
||||
</span>
|
||||
|
||||
|
||||
@ -479,7 +479,7 @@
|
||||
|
||||
<hr>
|
||||
<h1 id="0x02-AFL快速入门"><a href="#0x02-AFL快速入门" class="headerlink" title="0x02 AFL快速入门"></a>0x02 <a href="http://lcamtuf.coredump.cx/afl/QuickStartGuide.txt" target="_blank" rel="noopener">AFL快速入门</a></h1><p>1)用<code>make</code>编译AFL。如果构建失败,请参阅docs / INSTALL以获取提示。<br>2)查找或编写一个相当快速和简单的程序,该程序从文件或标准输入中获取数据,以一种有价值的方式处理它,然后干净地退出。如果测试网络服务,请将其修改为在前台运行并从stdin读取。在对使用校验和的格式进行模糊测试时,也要注释掉校验和验证码。<br>遇到故障时,程序必须正常崩溃。注意自定义SIGSEGV或SIGABRT处理程序和后台进程。有关检测非崩溃缺陷的提示,请参阅docs/README中的第11节。<br>3)使用afl-gcc编译要模糊的程序/库。一种常见的方法是:<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">CC = / path / to / afl-gcc CXX = / path / to / afl-g ++ ./configure --disable shared make clean all</span><br></pre></td></tr></table></figure></p>
|
||||
<p>如果程序构建失败,请联系 <a href="mailto:afl-users@googlegroups.com" target="_blank" rel="noopener">afl-users@googlegroups.com</a>。<br>4)获取一个对程序有意义的小而有效的输入文件。在模糊详细语法(SQL,HTTP等)时,也要创建字典,如dictionaries/README.dictionaries中所述。<br>5)如果程序从stdin读取,则运行’afl-fuzz’,如下所示:<br><code>./afl-fuzz -i testcase_dir -o findings_dir -- \ /path/to/tested/program [... program's cmdline ...]</code><br> 如果程序从文件中获取输入,则可以在程序的命令行中输入@@; AFL会为您放置一个自动生成的文件名。</p>
|
||||
<p>如果程序构建失败,请联系 <a href="mailto:afl-users@googlegroups.com" target="_blank" rel="noopener">afl-users@googlegroups.com</a>。<br>4)获取一个对程序有意义的小而有效的输入文件。在模糊详细语法(SQL,HTTP等)时,也要创建字典,如dictionaries/README.dictionaries中所述。<br>5)如果程序从stdin读取,则运行’afl-fuzz’,如下所示:<br><code>./afl-fuzz -i testcase_dir -o findings_dir -- \ /path/to/tested/program [... program's cmdline ...]</code><br> 如果程序从文件中获取输入,则可以在程序的命令行中输入@@; AFL会为您放置一个自动生成的文件名。</p>
|
||||
<p><strong>一些参考文档</strong></p>
|
||||
<blockquote>
|
||||
<p><a href="http://lcamtuf.coredump.cx/afl/README.txt" target="_blank" rel="noopener">docs/README</a> - AFL的一般介绍,<br><a href="https://github.com/mirrorer/afl/blob/master/docs/perf_tips.txt" target="_blank" rel="noopener">docs/perf_tips.txt</a> - 关于如何快速模糊的简单提示,<br><a href="http://lcamtuf.coredump.cx/afl/status_screen.txt" target="_blank" rel="noopener">docs/status_screen.txt</a> - UI中显示的花絮的解释,<br><a href="https://github.com/mirrorer/afl/blob/master/docs/parallel_fuzzing.txt" target="_blank" rel="noopener">docs/parallel_fuzzing.txt</a> - 关于在多个核上运行AFL的建议<br><a href="http://lcamtuf.coredump.cx/afl/demo/" target="_blank" rel="noopener">Generated test cases for common image formats</a> - 生成图像文件测试用例的demo<br><a href="http://lcamtuf.coredump.cx/afl/technical_details.txt" target="_blank" rel="noopener">Technical “whitepaper” for afl-fuzz</a> - 技术白皮书</p>
|
||||
@ -496,10 +496,10 @@
|
||||
</ol>
|
||||
<hr>
|
||||
<h1 id="0x04-AFL-README"><a href="#0x04-AFL-README" class="headerlink" title="0x04 AFL README"></a>0x04 <a href="http://lcamtuf.coredump.cx/afl/README.txt" target="_blank" rel="noopener">AFL README</a></h1><blockquote>
|
||||
<p>Written and maintained by Michal Zalewski <a href="mailto:lcamtuf@google.com" target="_blank" rel="noopener">lcamtuf@google.com</a></p>
|
||||
<p>Written and maintained by Michal Zalewski <a href="mailto:lcamtuf@google.com" target="_blank" rel="noopener">lcamtuf@google.com</a></p>
|
||||
<p> Copyright 2013, 2014, 2015, 2016 Google Inc. All rights reserved.<br> Released under terms and conditions of Apache License, Version 2.0.</p>
|
||||
<p> For new versions and additional information, check out:<br> <a href="http://lcamtuf.coredump.cx/afl/" target="_blank" rel="noopener">http://lcamtuf.coredump.cx/afl/</a></p>
|
||||
<p> To compare notes with other users or get notified about major new features,<br> send a mail to <a href="mailto:afl-users+subscribe@googlegroups.com" target="_blank" rel="noopener">afl-users+subscribe@googlegroups.com</a>.</p>
|
||||
<p> To compare notes with other users or get notified about major new features,<br> send a mail to <a href="mailto:afl-users+subscribe@googlegroups.com" target="_blank" rel="noopener">afl-users+subscribe@googlegroups.com</a>.</p>
|
||||
<p> <strong>See QuickStartGuide.txt if you don’t have time to read this file.</strong></p>
|
||||
</blockquote>
|
||||
<h2 id="1)具有导向性的模糊测试的挑战"><a href="#1)具有导向性的模糊测试的挑战" class="headerlink" title="1)具有导向性的模糊测试的挑战"></a>1)具有导向性的模糊测试的挑战</h2><p>Fuzzing是用于识别真实软件中的安全问题的最强大且经过验证的策略之一;它负责安全关键软件中迄今为止发现的绝大多数远程代码执行和权限提升漏洞。<br>不幸的是,模糊测试也不够有力。盲目的、随机的变异使得它不太可能在测试代码中达到某些代码路径,从而使一些漏洞超出了这种技术的范围。<br>已经有许多尝试来解决这个问题。早期方法之一 - 由Tavis Ormandy开创 - 是一种语义库蒸馏(corpus distillation)。网上找到的一些大型语料库中往往包含大量的文件,这时就需要对其精简,该方法依赖于覆盖信号从大量高质量的候选文件语料库中选择有趣种子的子集,然后通过传统方式对其进行模糊处理。该方法非常有效,但需要这样的语料库随时可用。正因为如此,代码覆盖率也只是衡量程序执行状态的一个简单化的度量,这种方式并不适合后续引导fuzzing测试的。<br>其他更复杂的研究集中在诸如程序流分析(“concoic execution”),符号执行或静态分析等技术上。所有这些方法在实验环境中都非常有前景,但在实际应用中往往会遇到可靠性和性能问题 - 部分高价值的程序都有非常复杂的内部状态和执行路径,在这一方面符号执行和concolic技术往往会显得不够健壮(如路径爆炸问题),所以仍然稍逊于传统的fuzzing技术。</p>
|
||||
@ -571,7 +571,7 @@
|
||||
<h1 id="0x05-afl-fuzz白皮书"><a href="#0x05-afl-fuzz白皮书" class="headerlink" title="0x05 afl-fuzz白皮书"></a>0x05 <a href="http://lcamtuf.coredump.cx/afl/technical_details.txt" target="_blank" rel="noopener">afl-fuzz白皮书</a></h1><p>本文档提供了American Fuzzy Lop的简单的概述。想了解一般的使用说明,请参见README 。想了解AFL背后的动机和设计目标,请参见<a href="http://lcamtuf.coredump.cx/afl/historical_notes.txt" target="_blank" rel="noopener">historical_notes.txt</a>。</p>
|
||||
<h2 id="0)设计说明-Design-statement"><a href="#0)设计说明-Design-statement" class="headerlink" title="0)设计说明(Design statement)"></a>0)设计说明(Design statement)</h2><p>American Fuzzy Lop 不关注任何单一的操作规则(singular principle of<br>operation),也不是一个针对任何特定理论的概念验证(proof of concept)。这个工具可以被认为是一系列在实践中测试过的hacks行为,我们发现这个工具惊人的有效。我们用目前最simple且最robust的方法实现了这个工具。<br>唯一的设计宗旨在于速度、可靠性和易用性。</p>
|
||||
<h2 id="1)覆盖率计算-Coverage-measurements"><a href="#1)覆盖率计算-Coverage-measurements" class="headerlink" title="1)覆盖率计算(Coverage measurements)"></a>1)覆盖率计算(Coverage measurements)</h2><p>在编译过的程序中插桩能够捕获分支(边缘)的覆盖率,并且还能检测到粗略的分支执行命中次数(branch-taken hit counts)。在分支点注入的代码大致如下:</p>
|
||||
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">cur_location = <COMPILE_TIME_RANDOM>;</span><br><span class="line">shared_mem[cur_location ^ prev_location]++;</span><br><span class="line">prev_location = cur_location >> 1;</span><br></pre></td></tr></table></figure>
|
||||
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">cur_location = <COMPILE_TIME_RANDOM>; //用一个随机数标记当前基本块</span><br><span class="line">shared_mem[cur_location ^ prev_location]++; //将当前块和前一块异或保存到shared_mem[]</span><br><span class="line">prev_location = cur_location >> 1; //cur_location右移1位区分从当前块到当前块的转跳</span><br></pre></td></tr></table></figure>
|
||||
<p>cur_location的值是随机产生的,为的是简化连接复杂对象的过程和保持XOR输出分布是均匀的。<br>shared_mem[] 数组是一个调用者 (caller) 传给被插桩的二进制程序的64kB的共享空间。其中的每一字节可以理解成对于插桩代码中特别的元组(branch_src, branch_dst)的一次命中(hit)。<br>选择这个数组大小的原因是让冲突(collisions)尽可能减少。这样通常能处理2k到10k的分支点。同时,它的大小也足以使输出图能在接受端达到毫秒级的分析。</p>
|
||||
<table>
|
||||
<thead>
|
||||
@ -617,7 +617,7 @@
|
||||
<p>这种形式的覆盖率,相对于简单的基本块覆盖率来说,对程序运行路径提供了一个更好的描述(insight)。特别地,它能很好地区分以下两个执行路径:</p>
|
||||
<blockquote>
|
||||
<p> A -> B -> C -> D -> E (tuples: AB, BC, CD, DE)<br> A -> B -> D -> C -> E (tuples: AB, BD, DC, CE)</p>
|
||||
<p>这有助于发现底层代码的微小错误条件。因为安全漏洞通常是一些非预期(或不正确)的语句转移(一个tuple就是一个语句转移),而不是没覆盖到某块代码。<br>上边伪代码的最后一行移位操作是为了让tuple具有定向性(没有这一行的话,A^B和B^A就没区别了,同样,A^A和B^B也没区别了)。采用左移的原因跟Intel CPU的一些特性有关。</p>
|
||||
<p>这有助于发现底层代码的微小错误条件。因为安全漏洞通常是一些非预期(或不正确)的语句转移(一个tuple就是一个语句转移),而不是没覆盖到某块代码。<br>上边伪代码的最后一行移位操作是为了让tuple具有定向性(没有这一行的话,A^B和B^A就没区别了,同样,A^A和B^B也没区别了)。采用右移的原因跟Intel CPU的一些特性有关。</p>
|
||||
</blockquote>
|
||||
<h2 id="2)发现新路径-Detecting-new-behaviors"><a href="#2)发现新路径-Detecting-new-behaviors" class="headerlink" title="2)发现新路径(Detecting new behaviors)"></a>2)发现新路径(Detecting new behaviors)</h2><p>AFL的fuzzers使用一个<strong>全局Map</strong>来存储之前执行时看到的tuple。这些数据可以被用来对不同的trace进行快速对比,从而可以计算出是否新执行了一个dword指令/一个qword-wide指令/一个简单的循环。<br>当一个变异的输入产生了一个包含新tuple的执行路径时,对应的输入文件就被保存,然后被发送到下一过程(见第3部分)。对于那些没有产生新路径的输入,就算他们的instrumentation输出模式是不同的,也会被抛弃掉。<br>这种算法考虑了一个非常细粒度的、长期的对程序状态的探索,同时它还不必执行复杂的计算,不必对整个复杂的执行流进行对比,也避免了路径爆炸的影响。<br>为了说明这个算法是怎么工作的,考虑下面的两个路径,第二个路径出现了新的tuples(CA, AE):<br><figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">#1: A -> B -> C -> D -> E</span><br><span class="line">#2: A -> B -> C -> A -> E</span><br></pre></td></tr></table></figure></p>
|
||||
<p>因为#2的原因,以下的路径就不认为是不同的路径了,尽管看起来非常不同:<br><code>#3: A -> B -> C -> A -> B -> C -> A -> B -> C -> D -> E</code></p>
|
||||
@ -816,8 +816,8 @@
|
||||
<div class="post-nav">
|
||||
<div class="post-nav-next post-nav-item">
|
||||
|
||||
<a href="/2019/05/14/pack-and-unpack/" rel="next" title="pack and unpack">
|
||||
<i class="fa fa-chevron-left"></i> pack and unpack
|
||||
<a href="/2019/05/14/pack-and-unpack/" rel="next" title="加壳与脱壳">
|
||||
<i class="fa fa-chevron-left"></i> 加壳与脱壳
|
||||
</a>
|
||||
|
||||
</div>
|
||||
@ -826,6 +826,10 @@
|
||||
|
||||
<div class="post-nav-prev post-nav-item">
|
||||
|
||||
<a href="/2019/07/09/afl-first-try/" rel="prev" title="AFL初次实践">
|
||||
AFL初次实践 <i class="fa fa-chevron-right"></i>
|
||||
</a>
|
||||
|
||||
</div>
|
||||
</div>
|
||||
|
||||
@ -910,7 +914,7 @@
|
||||
|
||||
<a href="/archives/">
|
||||
|
||||
<span class="site-state-item-count">16</span>
|
||||
<span class="site-state-item-count">17</span>
|
||||
<span class="site-state-item-name">日志</span>
|
||||
</a>
|
||||
</div>
|
||||
@ -1019,7 +1023,7 @@
|
||||
<i class="fa fa-area-chart"></i>
|
||||
</span>
|
||||
|
||||
<span title="Site words total count">44.8k</span>
|
||||
<span title="Site words total count">48k</span>
|
||||
|
||||
</div>
|
||||
|
||||
@ -1210,7 +1214,7 @@
|
||||
<script type="text/javascript">
|
||||
function renderGitment(){
|
||||
var gitment = new Gitmint({
|
||||
id: window.location.pathname,
|
||||
id: window.location.pathname,
|
||||
owner: 'Cool-Y',
|
||||
repo: 'gitment-comments',
|
||||
|
||||
|
1491
2019/07/09/afl-first-try/index.html
Normal file
1491
2019/07/09/afl-first-try/index.html
Normal file
File diff suppressed because it is too large