* Thomas Schmitt <scdbac...@gmx.net>, 2014-12-29, 18:38:
> Can you tell me your setup for xorriso ?
A program is worth a thousand words, so I wrote a script that sets (almost) everything up. It assumes that AFL is already installed (and the afl-* scripts are within $PATH), and that the current working directory is the root of the libisofs source.
I hope the script is sufficiently commented, but I recommend reading AFL documentation in addition to that: at least README and docs/status_screen.txt.
> Are there any known problems to avoid ?
Setting up AFL is a multi-step process, and there are a few ways things could break. Fortunately, afl-fuzz is designed to be goof-proof. :-) It usually warns you if something went wrong.
-- Jakub Wilk
#!/bin/sh
set -e

if ! [ -f demo/demo.c -a -d libisofs ]; then
    echo 'This script must be run in the root directory of libisofs source.' >&2
    exit 1
fi

# 1) Enable hardening for afl-gcc.
# Hardening allows catching more memory bugs at the expense of a slight
# performance loss. It's a good trade-off IMO.
export AFL_HARDEN=1

# 2) Build the library with AFL instrumentation:
./configure CC=afl-gcc
make
mkdir tmp

# 3) Create a (small) initial test case:
cat > tmp/limeric <<EOF
There was a young man from Japan
Whose limericks never would scan.
When asked why that was,
He replied "It's because
I always try to cram as many words into the last line as I possibly can."
EOF
mkdir -p afl-input
xorrisofs tmp > afl-input/input.iso
rm -rf tmp
# Unfortunately, the test case is kinda big.
# Test cases under 1K are ideal for AFL, but oh well,
# we'll keep our cool with this 360K monster. :-P

# 4) Find or write a program that will exercise the library.
# It is important that the target program is as fast as possible.
# For example, xorriso(1) overhead is far too big.
# Fortunately, the demo looks like a good candidate for the target program. :-)
# Let's just check that it actually works:
demo/demo -iso_read afl-input/input.iso

# 5) Start fuzzing:
afl-fuzz -d -i afl-input/ -o afl-output/ -- demo/demo -iso_read @@
# Here:
# "-d" enables quick & dirty mode (which is rather necessary with our huge test case)
# "-i" specifies input directory
# "-o" specifies output directory for AFL findings
# parameters after "--" are the command line that AFL will execute
# "@@" is a placeholder for filename of mutated input
#
# And that's it! :-) The fuzzing process will continue until you press Ctrl-C.
#
# See the status_screen.txt file in the AFL documentation for information on
# how to interpret the displayed stats and monitor the health of the process.
#
# AFL will store input files that triggered a crash in afl-output/crashes/.
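Once afl-fuzz has been running for a while, the afl-output/crashes/ directory named at the end of the script fills up, and the next step is to find out which saved inputs actually reproduce and how the target dies. The following is an added example, not part of the post or of libisofs, that re-runs a target on each crash file using the same "@@" placeholder convention as afl-fuzz; the crashes directory and target command line (e.g. demo/demo -iso_read @@) are passed as arguments, and signal names are looked up with kill -l where the shell provides it.

```sh
#!/bin/sh
# Re-run an AFL target on every file in afl-output/crashes/ and bucket each
# input by how the target died (signal, non-zero exit, or no crash at all).
# An "ok" line means the crash did not reproduce outside afl-fuzz, which is
# worth knowing before filing a bug (a non-hardened build may behave differently).

# run_target FILE CMD [ARGS...]: run CMD once with "@@" replaced by FILE
# (the placeholder convention afl-fuzz uses) and print a classification.
run_target() {
    input=$1; shift
    # Rebuild the positional parameters, substituting the input path for @@.
    n=$#
    while [ "$n" -gt 0 ]; do
        a=$1; shift
        [ "$a" = "@@" ] && a=$input
        set -- "$@" "$a"
        n=$((n - 1))
    done
    rc=0
    "$@" >/dev/null 2>&1 || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo ok
    elif [ "$rc" -gt 128 ]; then
        # The shell reports death by signal as 128 + signal number; map it
        # back to a name (SEGV, ABRT, ...) with kill -l where available.
        sig=$((rc - 128))
        name=$(kill -l "$sig" 2>/dev/null) || name=$sig
        echo "signal:$name"
    else
        echo "exit:$rc"
    fi
}

# triage_crashes DIR CMD [ARGS...]: prints one line "<status> <file>" per crash file.
triage_crashes() {
    dir=$1; shift
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # afl-fuzz leaves a README.txt next to the crash files; skip it.
        case "${f##*/}" in README.txt) continue ;; esac
        echo "$(run_target "$f" "$@") $f"
    done
}

# Invoked directly, e.g.:  sh triage.sh afl-output/crashes demo/demo -iso_read @@
if [ $# -ge 2 ]; then
    triage_crashes "$@"
fi
```

Inputs reported as "ok" are candidates for re-testing under the hardened build or under a memory checker before being discarded; the rest can be grouped by status to collapse duplicates.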