sslab-gatech / Qsym
Licence: other
QSYM: A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing
Environment
- Tested on Ubuntu 14.04 64bit and 16.04 64bit
Installation
# disable ptrace_scope for PIN
$ echo 0|sudo tee /proc/sys/kernel/yama/ptrace_scope
# install z3 and system deps
$ ./setup.sh
# install using virtual env
$ virtualenv venv
$ source venv/bin/activate
$ pip install .
Installation using Docker
# disable ptrace_scope for PIN
$ echo 0|sudo tee /proc/sys/kernel/yama/ptrace_scope
# build docker image
$ docker build -t qsym ./
# run docker image
$ docker run --cap-add=SYS_PTRACE -it qsym /bin/bash
Installation using vagrant
Because QSYM depends on the underlying kernel through the old version of Pin it ships with, we also provide a convenient way to install QSYM inside a VM. Please take a look at our vagrant directory.
Run hybrid fuzzing with AFL
# the following environment variables must be set
# AFL_ROOT: afl directory (http://lcamtuf.coredump.cx/afl/)
# INPUT: input seed files
# OUTPUT: output directory
# AFL_CMDLINE: command line of the target program for AFL (AFL-instrumented build, ASAN + instrumented)
# QSYM_CMDLINE: command line of the target program for QSYM (non-instrumented build)
# run AFL master
$ $AFL_ROOT/afl-fuzz -M afl-master -i $INPUT -o $OUTPUT -- $AFL_CMDLINE
# run AFL slave
$ $AFL_ROOT/afl-fuzz -S afl-slave -i $INPUT -o $OUTPUT -- $AFL_CMDLINE
# run QSYM
$ bin/run_qsym_afl.py -a afl-slave -o $OUTPUT -n qsym -- $QSYM_CMDLINE
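The three commands above are usually wrapped in a launcher. The script below is an added example, not part of the QSYM repository: it checks the preconditions the README states before starting anything (all five variables set, ptrace_scope relaxed, the AFL target actually instrumented and the QSYM target not), then starts the master, the slave and QSYM. It assumes it is run from the QSYM checkout so that bin/run_qsym_afl.py resolves; the PTRACE_SCOPE_FILE override and the __AFL_SHM_ID test are this script's own conventions (afl-as embeds that string in every binary it instruments, and afl-fuzz itself checks for it).

```shell
#!/bin/sh
# hybrid.sh - start AFL master, AFL slave and QSYM as described in the README.
# Added example, not QSYM project code.  Usage:  sh hybrid.sh run
# Expects AFL_ROOT, INPUT, OUTPUT, AFL_CMDLINE and QSYM_CMDLINE, exactly as the
# README does.

# Pin can only attach when Yama's ptrace_scope is 0.  PTRACE_SCOPE_FILE is an
# assumption of this script so the check can be pointed at a constructed file.
ptrace_scope_ok() {
    f="${PTRACE_SCOPE_FILE:-/proc/sys/kernel/yama/ptrace_scope}"
    [ -r "$f" ] || return 0          # no Yama on this kernel: nothing to relax
    [ "$(cat "$f")" = "0" ]
}

# afl-as writes the literal string __AFL_SHM_ID into every binary it
# instruments, so its presence distinguishes the afl-gcc/afl-clang build
# from the plain build that QSYM needs.
is_afl_instrumented() {
    grep -q '__AFL_SHM_ID' "$1" 2>/dev/null
}

# First word of a command line, i.e. the binary to inspect.
first_word() {
    set -- $1
    printf '%s\n' "$1"
}

# Returns 0 only when the README's preconditions hold.
validate_setup() {
    for v in AFL_ROOT INPUT OUTPUT AFL_CMDLINE QSYM_CMDLINE; do
        eval "val=\${$v:-}"
        if [ -z "$val" ]; then
            echo "error: $v is not set" >&2
            return 1
        fi
    done
    afl_bin=$(first_word "$AFL_CMDLINE")
    qsym_bin=$(first_word "$QSYM_CMDLINE")
    if ! is_afl_instrumented "$afl_bin"; then
        echo "error: $afl_bin is not AFL-instrumented" >&2
        return 1
    fi
    if is_afl_instrumented "$qsym_bin"; then
        echo "error: $qsym_bin is AFL-instrumented; QSYM needs the plain build" >&2
        return 1
    fi
    if ! ptrace_scope_ok; then
        echo "error: write 0 to /proc/sys/kernel/yama/ptrace_scope first" >&2
        return 1
    fi
    return 0
}

launch_hybrid() {
    validate_setup || return 1
    mkdir -p "$OUTPUT"
    # Master and slave run in the background; their logs stay in $OUTPUT.
    "$AFL_ROOT/afl-fuzz" -M afl-master -i "$INPUT" -o "$OUTPUT" -- $AFL_CMDLINE \
        >"$OUTPUT/afl-master.log" 2>&1 &
    "$AFL_ROOT/afl-fuzz" -S afl-slave -i "$INPUT" -o "$OUTPUT" -- $AFL_CMDLINE \
        >"$OUTPUT/afl-slave.log" 2>&1 &
    sleep 5   # give the slave time to create its queue/ before QSYM syncs from it
    # QSYM pulls inputs from afl-slave and writes its own queue under $OUTPUT/qsym.
    exec bin/run_qsym_afl.py -a afl-slave -o "$OUTPUT" -n qsym -- $QSYM_CMDLINE
}

if [ "${1:-}" = "run" ]; then
    launch_hybrid
fi
```

Setting ptrace_scope to 0 restores classic ptrace permissions, so any process can attach to any other process of the same uid; do this on a dedicated fuzzing VM (the vagrant setup below) or in the Docker container rather than on a workstation.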
Run the tests
$ cd tests
$ python build.py
$ python -m pytest -n $(nproc)
Troubleshooting
If QSYM does not work and pin.log contains the error undefined symbol: Z3_is_seq_sort, the libz3 loaded at run time is older than the one QSYM was built against. Make sure that you compile and build the target while inside the virtualenv (venv) environment: a target compiled outside that environment cannot be used with QSYM and produces exactly this error in pin.log. Building the target from within venv and then running QSYM on it resolves the problem.
Authors
- Insu Yun
- Sangho Lee
- Meng Xu
- Yeongjin Jang
- Taesoo Kim
Publications
QSYM: A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing
@inproceedings{yun:qsym,
title = {{QSYM: A Practical Concolic Execution Engine Tailored for Hybrid Fuzzing}},
author = {Insu Yun and Sangho Lee and Meng Xu and Yeongjin Jang and Taesoo Kim},
booktitle = {Proceedings of the 27th USENIX Security Symposium (Security)},
month = aug,
year = 2018,
address = {Baltimore, MD},
}