ant4g0nist / ManuFuzzer

License: Apache-2.0
Binary code-coverage fuzzer for macOS, based on libFuzzer and LLVM


What is ManuFuzzer?

ManuFuzzer is an LLVM-based, coverage-guided fuzzing framework for binaries, built on libFuzzer. Integrating coverage-guided fuzzing with ManuFuzzer is simple: define one special function, update a few build flags, and you have instant binary-only, coverage-guided fuzzing (basic-block coverage only). With ManuFuzzer you can instrument one or more selected frameworks for coverage and fuzz the target functions or library.

How ManuFuzzer works?

ManuFuzzer makes use of a custom breakpoint handler. When you select a module to instrument, ManuFuzzer disassembles the module at runtime using LLVM MC, replaces the branch instruction at each and every basic block with a breakpoint instruction, stores the original bytes in a shadow memory mapping whose address is fixed and can be computed from any address inside the modified library, and then executes the program. Every time a breakpoint is hit, ManuFuzzer updates the coverage for that basic block inside its custom breakpoint handler (installed for SIGTRAP), deletes the breakpoint by restoring the original bytes, and resumes execution. Because each breakpoint fires only once, the instrumentation cost drops as more of the module is covered.
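The mechanism described above, as an added example that is not ManuFuzzer's code: a minimal x86-64 Linux reimplementation of breakpoint-based basic-block coverage. It uses int3 and a SIGTRAP handler, a constructed two-block function instead of LLVM MC disassembly, and a shadow page at a fixed offset from the module page so the original byte can be found from the trapping address alone.

```c
#define _GNU_SOURCE  /* exposes REG_RIP; keep it before the includes */
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <ucontext.h>
#ifndef REG_RIP
#define REG_RIP 16   /* glibc x86-64 gregs index of RIP, in case _GNU_SOURCE came too late */
#endif
#define PAGE 4096
/* Page 0: the instrumented "module". Page 1: its shadow, so the saved byte for
   any module address is addr + PAGE (a fixed, computable offset). */
static uint8_t *code;
static uint8_t covered[PAGE];   /* basic-block coverage, indexed by block start offset */
static int bp_hits;
/* Constructed x86-64 function with two basic blocks at offsets 0 and 7:
   block0: mov eax,42 ; jmp block1      block1: add eax,1 ; ret */
static const uint8_t module_bytes[] = {0xb8,0x2a,0,0,0, 0xeb,0x00, 0x83,0xc0,0x01, 0xc3};
static const size_t block_starts[] = {0, 7};

static void on_sigtrap(int sig, siginfo_t *si, void *ctx) {
    ucontext_t *uc = ctx;
    uintptr_t ip = (uintptr_t)uc->uc_mcontext.gregs[REG_RIP] - 1;  /* int3 is one byte */
    uint8_t *base = (uint8_t *)(ip & ~(uintptr_t)(PAGE - 1));      /* module base from any address */
    size_t off = ip - (uintptr_t)base;
    base[off] = base[PAGE + off];    /* delete the breakpoint: restore the byte from the shadow */
    covered[off] = 1;                /* record this basic block as reached */
    bp_hits++;
    uc->uc_mcontext.gregs[REG_RIP] = (greg_t)ip;   /* resume at the restored instruction */
    (void)sig; (void)si;
}

static int instrument_module(void) {
    code = mmap(NULL, 2 * PAGE, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (code == MAP_FAILED) return -1;
    memcpy(code, module_bytes, sizeof module_bytes);
    struct sigaction sa = {0};
    sa.sa_sigaction = on_sigtrap; sa.sa_flags = SA_SIGINFO;
    if (sigaction(SIGTRAP, &sa, NULL) != 0) return -1;
    for (size_t i = 0; i < 2; i++) {
        code[PAGE + block_starts[i]] = code[block_starts[i]];  /* save the original byte to the shadow */
        code[block_starts[i]] = 0xcc;                          /* plant int3 at the block start */
    }
    return 0;
}

/* Calls the instrumented function twice: the first call traps at both block starts
   (bp_hits becomes 2), the second call traps nowhere; both return 43. */
static int run_demo(void) {
    if (instrument_module() != 0) return -1;
    int (*fn)(void) = (int (*)(void))code;
    int first = fn();
    return first == fn() ? first : -1;
}
```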

How to build ManuFuzzer?

ManuFuzzer depends on LLVM MC for disassembly and on LLVM libFuzzer for fuzzing. ManuFuzzer patches LLVM MC to speed it up and to evaluate an instruction's type. The build pulls LLVM version 12.0.1-rc3 from https://github.com/llvm/llvm-project and applies llvm_ManuFuzzer.patch to LLVM MC and libFuzzer.

➜ git clone https://github.com/ant4g0nist/ManuFuzzer

To compile with debug logs:

➜ cd ManuFuzzer
➜ make
➜ make install

To compile without debug logs, pass FUZZ=1 in env:

➜ cd ManuFuzzer
➜ FUZZ=1 make
➜ make install

How to use ManuFuzzer?

As an example, let's try fuzzing the CGFontCreateWithDataProvider function from CoreGraphics. This seems to be an easy target to reach.

ManuFuzzer exports four functions that we need to use in our harness:

void installHandlers(void);
void libFuzzerCleanUp(void);
int instrumentMe(const char * module);
int libFuzzerStart(int argc, char **argv, UserCallback LLVMFuzzerTestOneInput);
  • instrumentMe(const char * module) instruments the target module at the given path.
  • installHandlers installs the breakpoint handler that ManuFuzzer needs to handle breakpoints.
  • libFuzzerStart is the main entry point into libFuzzer; it takes argc, argv and the function LLVMFuzzerTestOneInput, whose signature is int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size).
  • libFuzzerCleanUp just frees the memory ManuFuzzer allocated.

These functions can be used in our harness as shown here:

#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <dlfcn.h>
#import <Foundation/Foundation.h>
#import <CoreGraphics/CoreGraphics.h>

#include "libManuFuzzer.h"

// Coverage bookkeeping exported by libManuFuzzer; reset once per input.
extern uint16_t previousLoc;

// Runs once before fuzzing starts: install the SIGTRAP breakpoint handler,
// then instrument every module whose basic blocks should count as coverage.
void LLVMFuzzerInitialize(int *argc, char ***argv) {
    (void)argc;
    (void)argv;
    installHandlers();

    instrumentMe("/System/Library/Frameworks/ImageIO.framework/Versions/A/ImageIO");
    instrumentMe("/System/Library/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics");
    instrumentMe("/System/Library/Frameworks/CoreText.framework/Versions/A/CoreText");
    instrumentMe("/System/Library/PrivateFrameworks/FontServices.framework/libFontParser.dylib");
}

// Runs once per fuzz input: wrap the bytes in a CGDataProvider and hand them to
// the target API. Everything created here is released before returning so the
// harness does not leak across iterations.
int LLVMFuzzerTestOneInput(const uint8_t *fuzz_buff, size_t size)
{
    previousLoc = 0;

    NSData *inData = [[NSData alloc] initWithBytes:fuzz_buff length:size];
    CGDataProviderRef provider = CGDataProviderCreateWithCFData((__bridge CFDataRef)inData);

    // The target function: parses the (possibly malformed) font data.
    CGFontRef font = CGFontCreateWithDataProvider(provider);
    if (font)
        CFRelease(font);

    CFRelease(provider);
    [inData release];   // manual release: the Makefile builds the harness without ARC

    return 0;
}

int main(int argc, char* argv[])
{
    LLVMFuzzerInitialize(&argc, &argv);
    libFuzzerStart(argc, argv, LLVMFuzzerTestOneInput);
    libFuzzerCleanUp();

    return 0;
}

Makefile rules to compile the sample code above:

example.o: examples/main.mm
	SDKROOT=$(SDKROOT) $(CXX) -c -o bin/$@ examples/main.mm
	
example: example.o
	SDKROOT=$(SDKROOT) $(CXX) $(FUZZ_EXAMPLE_CFLAGS) ./bin/example.o -o bin/example
	rm bin/*.o

To compile the example:

➜ make example

Demo

TODO

  • replace Capstone with LLVM MC
  • make support for macOS on M1 public
  • make support for macOS on Intel public
  • clean the setup
  • test, test and tesssttt
  • fuzz, fuzzzz and more fuzzzzz

Trophies

Let me know if you have found any vulnerabilities using this and I will add them here :)

Thanks 🙌🏻🙌🏻
