GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → stateafl → stateafl

stateafl / stateafl

Licence: Apache-2.0 license
StateAFL: A Greybox Fuzzer for Stateful Network Servers

Programming Languages

c
50402 projects - #5 most used programming language
shell
77523 projects
C++
36643 projects - #6 most used programming language
Makefile
30231 projects
Dockerfile
14818 projects
python
139335 projects - #7 most used programming language

Labels

fuzzing

Projects that are alternatives of or similar to stateafl

foundry
Foundry is a blazing fast, portable and modular toolkit for Ethereum application development written in Rust.
Stars: ✭ 4,623 (+4477.23%)
Mutual labels:  fuzzing
swiftfuzztools
Swift-based fuzzing tools
Stars: ✭ 18 (-82.18%)
Mutual labels:  fuzzing
wasm runtimes fuzzing
Improving security and resilience of WebAssembly VMs/runtimes/parsers using fuzzing
Stars: ✭ 56 (-44.55%)
Mutual labels:  fuzzing
libdft64
libdft for Intel Pin 3.x and 64 bit platform. (Dynamic taint tracking, taint analysis)
Stars: ✭ 174 (+72.28%)
Mutual labels:  fuzzing
sidefuzz
Fuzzer to automatically find side-channel (timing) vulnerabilities
Stars: ✭ 94 (-6.93%)
Mutual labels:  fuzzing
soltix
SOLTIX: Scalable automated framework for testing Solidity compilers.
Stars: ✭ 30 (-70.3%)
Mutual labels:  fuzzing
ronin-support
A support library for Ronin. Like activesupport, but for hacking!
Stars: ✭ 23 (-77.23%)
Mutual labels:  fuzzing
phuzz
Find exploitable PHP files by parameter fuzzing and function call tracing
Stars: ✭ 53 (-47.52%)
Mutual labels:  fuzzing
afl-cygwin
AFL "mostly" ported to cygwin
Stars: ✭ 24 (-76.24%)
Mutual labels:  fuzzing
FuzzImageMagick
Sample files for fuzzing ImageMagick
Stars: ✭ 15 (-85.15%)
Mutual labels:  fuzzing
rbuster
yet another dirbuster
Stars: ✭ 21 (-79.21%)
Mutual labels:  fuzzing
MsFontsFuzz
OpenType font file format fuzzer for Windows
Stars: ✭ 49 (-51.49%)
Mutual labels:  fuzzing
e9afl
AFL binary instrumentation
Stars: ✭ 234 (+131.68%)
Mutual labels:  fuzzing
PersonalStuff
This is a repo is to upload files done during my research.
Stars: ✭ 94 (-6.93%)
Mutual labels:  fuzzing
jest-fuzz
Fuzz testing for jest
Stars: ✭ 24 (-76.24%)
Mutual labels:  fuzzing
gini
A fast SAT solver
Stars: ✭ 139 (+37.62%)
Mutual labels:  fuzzing
Easy-Pickings
Automatic function exporting and linking for fuzzing cross-architecture binaries.
Stars: ✭ 49 (-51.49%)
Mutual labels:  fuzzing
Grammar-Mutator
A grammar-based custom mutator for AFL++
Stars: ✭ 133 (+31.68%)
Mutual labels:  fuzzing
fuzzware
Fuzzware's main repository. Start here to install.
Stars: ✭ 132 (+30.69%)
Mutual labels:  fuzzing
fuzzer-challenges
Challenging testcases for fuzzers
Stars: ✭ 44 (-56.44%)
Mutual labels:  fuzzing
View All Similar Projects ➔

StateAFL: A Coverage-Driven (Greybox) Fuzzer for Stateful Network Protocols

StateAFL is a fuzzer designed for network servers. It extends the original idea of the AFL fuzzer, which automatically evolves fuzz inputs to maximize code coverage. In addition to code coverage, StateAFL seeks to maximize protocol state coverage.

The aim of this tool is to contribute towards a completely-automated solution for stateful protocol fuzzing (similarly to what AFL was able to achieve for stateless programs) and to promote a wider application of fuzzing in real-world systems. The fuzzer does not require developers to implement custom message parsers for the protocol under test.

StateAFL automatically infers the current protocol state of the server. At compile-time, it instruments the target server with probes on memory allocations and network I/O operations. At run-time, it takes snapshots of long-lived data within process memory for each protocol iteration (see figure), and it applies fuzzy hashing to map the in-memory state to a unique protocol state.

The fundamental loop of network servers

StateAFL blocks

More information about the internals of StateAFL is available in the following research paper.

StateAFL has been implemented on top of the codebase of AFL and AFLnet. To fuzz a server, it should be compiled using the afl-clang-fast tool in this project, to perform a compiler pass for instrumenting the target.

Licences

StateAFL is licensed under Apache License, Version 2.0.

StateAFL extends AFLnet, written and maintained by Van-Thuan Pham <[email protected]>, and American Fuzzy Lop written and maintained by Michał Zalewski <[email protected]>. For details about these fuzzers, we refer to README-AFLnet.md and README-AFL.md.

StateAFL uses the Trend Micro Locality Sensitive Hash (TLSH) library and the MVPTree C library for fuzzy hashing and for nearest neighbor search. StateAFL uses the Containers library for map, queue, and set data structures. StateAFL uses an open-source implementation of memcpy from the XNU project to override the ASAN's memcpy interceptor.

  • AFL: Copyright 2013, 2014, 2015, 2016 Google Inc. All rights reserved. Released under terms and conditions of Apache License, Version 2.0.

  • TLSH: Copyright 2013 Trend Micro Incorporated. Released under terms and conditions of Apache License, Version 2.0.

  • MVPTree C library: Copyright 2008-2009 by D. Grant Starkweather. Released under terms and conditions of GNU Public License, Version 3.0.

  • Containers library: Copyright (c) 2017-2020 Bailey Thompson. Released under terms and conditions of MIT License.

  • memcpy: Copyright (c) 1990, 1993 The Regents of the University of California. This code is derived from software contributed to Berkeley by Chris Torek. Released under terms and conditions of BSD License.

ProFuzzBench

If you want to run some experiments quickly, please take a look at ProFuzzBench. ProFuzzBench includes a suite of representative open-source network servers for popular protocols (e.g., TLS, SSH, SMTP, FTP, SIP), and tools to automate experimentation. StateAFL has been integrated into that benchmark.

Installation (Tested on Ubuntu 18.04 & 16.04 64-bit)

Prerequisites

# Install clang (required by afl-clang-fast)
sudo apt-get install clang
# Install graphviz development
sudo apt-get install graphviz-dev

StateAFL

Download StateAFL and compile it. We have tested StateAFL on Ubuntu 18.04 and Ubuntu 16.04 64-bit and it would also work on all environments that support the vanilla AFL and graphviz.

# First, clone this StateAFL repository to a folder named stateafl
git clone <links to the repository> stateafl
# Then move to the source code folder
cd stateafl
make clean all
cd llvm_mode
# The following make command may not work if llvm-config cannot be found
# To fix this issue, just set the LLVM_CONFIG env. variable to the specific llvm-config version on your machine
# On Ubuntu 18.04, it could be llvm-config-6.0 if you have installed clang using apt-get
make
# Move to StateAFL's parent folder
cd ../..
export STATEAFL=$(pwd)/stateafl

Setup PATH environment variables

export PATH=$STATEAFL:$PATH
export AFL_PATH=$STATEAFL

Usage

StateAFL can be run using the same command line options of AFL and AFLNet (except for protocol specification). Run afl-fuzz --help to see all options. Please also see README-AFLnet.md for more information.

  • -i folder: folder with input files, in replayable format (see below)

  • -N netinfo: server information (e.g., tcp://127.0.0.1/8554)

  • -P protocol: (optional, for cross-checking protocol state machine against AFLNet) application protocol to be tested (e.g., RTSP, FTP, DTLS12, DNS, DICOM, SMTP, SSH, TLS, DAAP-HTTP, SIP)

  • -D usec: (optional) waiting time (in microseconds) for the server to complete its initialization

  • -K : (optional) send SIGTERM signal to gracefully terminate the server after consuming all request messages

  • -E : (optional) enable state aware mode

  • -R : (optional) enable region-level mutation operators

  • -F : (optional) enable false negative reduction mode

  • -c script : (optional) name or full path to a script for server cleanup

  • -q algo: (optional) state selection algorithm (e.g., 1. RANDOM_SELECTION, 2. ROUND_ROBIN, 3. FAVOR)

  • -s algo: (optional) seed selection algorithm (e.g., 1. RANDOM_SELECTION, 2. ROUND_ROBIN, 3. FAVOR)

  • -u path to "vanilla" executable: (optional) if this is provided, StateAFL uses two forkservers, for better performance: one for profiling the code coverage (by running an input on the target executable indicated in "-u", which can be the same executable that would be used in AFLNet/AFLnwe); and another for profiling the protocol state (by running the executable compiled with StateAFL's afl-clang-fast)

  • -U path to folder: (optional) working directory where to run the "vanilla" executable (see option -u)

Example command:

afl-fuzz -d -i in -o out -N <server info> -x <dictionary file> -D 10000 -q 3 -s 3 -E -K -R <executable binary and its arguments (e.g., port number)>

Preparing the seed inputs

StateAFL takes in input seed files in "replayable" format. It is a simple format also used in AFLNet for replaying inputs (i.e., the ones saves in replayable-queue and replayable-crashes within the output folder), using the command aflnet-replay. The format alternates the size of a message (4 bytes, unsigned int) and the contents of that message.

Network replay format

You can automatically generate seed files from PCAP traces, as follows:

$ python3 convert-pcap-replay-format.py --input ftp_requests_full_normal.pcap --server-port 2200 --output ftp_requests_full_normal.replay

Writing 13 bytes...
Writing 13 bytes...
Writing 6 bytes...
Writing 5 bytes...
Writing 24 bytes...
Writing 6 bytes...
Writing 10 bytes...
Writing 6 bytes...
Converted PCAP saved to ftp_requests_full_normal.replay

$ hexdump -C ftp_requests_full_normal.replay

00000000  0d 00 00 00 55 53 45 52  20 75 62 75 6e 74 75 0d  |....USER ubuntu.|
00000010  0a 0d 00 00 00 50 41 53  53 20 75 62 75 6e 74 75  |.....PASS ubuntu|
00000020  0d 0a 06 00 00 00 53 59  53 54 0d 0a 05 00 00 00  |......SYST......|
00000030  50 57 44 0d 0a 18 00 00  00 50 4f 52 54 20 31 32  |PWD......PORT 12|
00000040  37 2c 30 2c 30 2c 31 2c  31 33 32 2c 32 30 39 0d  |7,0,0,1,132,209.|
00000050  0a 06 00 00 00 4c 49 53  54 0d 0a 0a 00 00 00 4d  |.....LIST......M|
00000060  4b 44 20 74 65 73 74 0d  0a 06 00 00 00 51 55 49  |KD test......QUI|
00000070  54 0d 0a                                          |T..|
00000073

The PCAP file should only contain one message flow between the server and a client. Both TCP and UDP are supported. If the PCAP contains multiple message flows, you can use the options --client-port and --ignore-multiple-clients to pick a specific flow and ignore the others. To run the conversion script, you need to install the pyshark Python package, and the tshark tool. It is not required that the protocol under test can be parsed by tshark. The script only extracts the raw payload from TCP or UDP traffic.

Demo

The following demo shows how to use StateAFL on an FTP server. It starts from collecting the PCAP from a simple client-server session. The PCAP is then converted in "replayable" format, and seeded to StateAFL. StateAFL incrementally builds a Finite State Machine of the protocol from the in-memory states of the FTP server.

For more information on automating fuzzing experiments, see the ProFuzzBench project.

Demo transcript

Environment variables:

WORKDIR=/home/ubuntu/experiments
STATEAFL=/home/ubuntu/stateafl

To collect a PCAP with tcpdump:

$ sudo tcpdump -i lo -w pcaps/ftp.pcap port 2200

To run the LightFTP server:

$ ./fftp fftp.conf 2200

To run the FTP client:

$ ftp localhost 2200
Logged-in as "ubuntu", pass "ubuntu"
pwd
mkdir TEST
cd TEST
pwd
quit

To convert the PCAP trace:

$ python3 $STATEAFL/convert-pcap-replay-format.py --input $WORKDIR/pcaps/ftp.pcap --server-port 2200 --output $WORKDIR/in-ftp-replay/ftp.replay

To fuzz the FTP server:

$ make clean
$ CC=${STATEAFL}/afl-clang-fast make clean all -j3

$ ${STATEAFL}/afl-fuzz -d -i ${WORKDIR}/in-ftp-replay -x ${WORKDIR}/ftp.dict -o ${WORKDIR}/output -N tcp://127.0.0.1/2200 -D 10000 -q 3 -s 3 -E -K -m none -t 5000 -c ${WORKDIR}/ftpclean -u ${WORKDIR}/LightFTP/Source/Release/fftp -- ./fftp fftp.conf 2200

To plot (on the terminal) the protocol state machine:

$ watch -n 1 'cat $WORKDIR/output/ipsm.dot | graph-easy --from=dot --as_ascii 2>/dev/null'
Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].