first modifs + comments

remiparrot · remiparrot · commit 9a2432faeedf · 2023-01-10T15:59:59.000+01:00
diff --git a/HOW.md b/HOW.md
@@ -0,0 +1,26 @@
+# How messages are built from seed files
+* `klist_t(lms)` ~= linked list
+* `KLIST_INIT(lms, message_t *, message_t_freer)` -> initialize datastructure (linked list) of `message_t` and utilities functions
+* `klist_t(lms) *construct_kl_messages(u8* fname, region_t *regions, u32 region_count)` -> build a linked list of `message_t` from a seed in the file `fname` and a *description of regions*
+    - a region is a portion of a message correponding to one send/receive
+    - the function `region_t* extract_requests_generic(unsigned char* buf, unsigned int buf_size, unsigned int* region_count_ref)` builds the regions from a seed (used in function `static void add_to_queue(u8* fname, u32 len, u8 passed_det)` -> in fact `extract_requests` which is equal to `extract_requests_generic`)
+
+# How does the forkserver works
+* Instead of cloning the whole SUT for each new fork, the cloning is done within the binary of the SUT: code is injected into the fuzzed binary.
+* [https://lcamtuf.blogspot.com/2014/10/fuzzing-binaries-without-execve.html](https://lcamtuf.blogspot.com/2014/10/fuzzing-binaries-without-execve.html)
+* In `afl-fuzz.c:init_forkserver` and in `afl-as.h` and `afl-as.c` (instrumentation added in assembly language)
+* StateAFL has two forkservers available depending if stateAFL probes are used or if *vanilla* binary is used instead (option `-u`)
+
+# The function `choose_target_state`
+* choose a state within all the states discovered so far
+* take a selection algorithm in arguments
+* select an id (`target_state_id`) corresponding to a state in the hash map `khms_states`
+* `khms_states` is a hash map of struct `state_info_t`
+
+# The function `choose_seed`
+* produce a `queue_entry` from a state selected
+* take a selection algorithm in arguments
+* A `queue_entry` contains a seed, the regions decomposition and the state
+* A region contains the state sequence produced until the end of the region
+
+# The function `update_scores_and_select_next_state`
diff --git a/TODO.md b/TODO.md
@@ -0,0 +1,53 @@
+# Advice from AFLNet's README
+- [x] Look at the function `choose_target_state`
+- [x] Look at the function `choose_seed`
+- [ ] Look at the function `update_scores_and_select_next_state`
+
+# ~Remove the probes (on memory allocation and on network communication) added at compilation on memory~
+- [/] ~reset folder llvm\_mode as in aflnet project~
+
+# Don't care about the messages sent by the SUT
+* In `int main(int argc, char** argv)`:
+    - [x] remove target protocol selection (see StateAFL)
+
+# Remove the state machine building process
+* Disable option `-E` disable the state machine building and selection of state to fuzz
+    - [ ] follow the boolean variable `state_aware_mode`
+* In `int main(int argc, char** argv)`:
+    - [/] ~remove `check_aslr()` call~
+* In `int setup_ipsm()`:
+    - [x] only initialize the state hash map `khms_states`
+* ~In `EXP_ST void setup_shm(void)`:~
+    - [/] ~(?) remove state related stuff: TLSH calibration, log state tracer, .. -> this is somehow related to the forkserver~
+* In `EXP_ST void setup_dirs_fds(void)`:
+    - [ ] remove records of new paths
+* In `EXP_ST u8 common_fuzz_stuff(char** argv, u8* out_buf, u32 len)`:
+    - [ ] remove the AFLNet update of `kl_messages` linked list
+    - [ ] remove `update_fuzzs()` call
+
+# Build a very simple state list from the seeds files
+* In `static void perform_dry_run(char** argv)`:
+    - [ ] build message from *replay* format (see StateAFL)
+* In `void update_state_aware_variables(struct queue_entry *q, u8 dry_run)`
+    - [ ] build a simple state list only if it is a *dry run*
+    - [ ] otherwise do nothing
+* The hash map `khms_states` should be this list
+    - [ ] initialize it in `update_state_aware_variables` in *dry run* mode
+    - [ ] never update it after the initialisation
+* The type `region_t` should not contain state related stuff (in file `aflnet.h`)
+
+# Select the messages to mutate directly from the seeds files
+* In `struct queue_entry *choose_seed(u32 target_state_id, u8 mode)`
+    - [ ] build a `queue_entry` from the seed file corresponding to the state given as argument
+* In `static u8 fuzz_one(char** argv)` after the flag `AFLNET_REGIONS_SELECTION`
+    - [ ] retrieve the M2 part of the messages from the file `length-seed.state[X]` instead of the region information
+
+
+# Select the states in a round-robin fashion (or any other "fair" selection)
+* In the function `choose_target_state`
+    - [ ] add a new selection algorithm based on the simple state list
+
+# Take a look at the mutation functions added in `static u8 fuzz_one(char** argv)` (in StateAFL)
+- [ ] `void regions_add_bytes(region_t* regions, unsigned int region_count, unsigned int position, int added_bytes)`
+- [ ] `int regions_remove_bytes(region_t* regions, unsigned int region_count, unsigned int position, int removed_bytes)`
+- [?] static variables `unsigned int mutated_region_count` and `region_t* mutated_regions`
diff --git a/afl-fuzz.c b/afl-fuzz.c
@@ -160,6 +160,9 @@ static u8  var_bytes[MAP_SIZE];       /* Bytes that appear to be variable */
 
 static s32 shm_id;                    /* ID of the SHM region             */
 
+//unsigned int* extract_response_codes_generic(unsigned char* buf, unsigned int buf_size, unsigned int* state_count_ref);
+
+region_t* extract_requests_generic(unsigned char* buf, unsigned int buf_size, unsigned int* region_count_ref);
 static volatile u8 stop_soon,         /* Ctrl-C pressed?                  */
                    clear_screen = 1,  /* Window resized?                  */
                    child_timed_out;   /* Traced process timed out?        */
@@ -394,12 +397,12 @@ u8 state_selection_algo = ROUND_ROBIN, seed_selection_algo = RANDOM_SELECTION;
 u8 false_negative_reduction = 0;
 
 /* Implemented state machine */
-Agraph_t  *ipsm;
-static FILE* ipsm_dot_file;
+//Agraph_t  *ipsm;
+//static FILE* ipsm_dot_file;
 
 /* Hash table/map and list */
 klist_t(lms) *kl_messages;
-khash_t(hs32) *khs_ipsm_paths;
+//khash_t(hs32) *khs_ipsm_paths;
 khash_t(hms) *khms_states;
 
 //M2_prev points to the last message of M1 (i.e., prefix)
@@ -409,18 +412,18 @@ khash_t(hms) *khms_states;
 kliter_t(lms) *M2_prev, *M2_next;
 
 //Function pointers pointing to Protocol-specific functions
-unsigned int* (*extract_response_codes)(unsigned char* buf, unsigned int buf_size, unsigned int* state_count_ref) = NULL;
-region_t* (*extract_requests)(unsigned char* buf, unsigned int buf_size, unsigned int* region_count_ref) = NULL;
+//unsigned int* (*extract_response_codes)(unsigned char* buf, unsigned int buf_size, unsigned int* state_count_ref) = extract_response_codes_generic;
+region_t* (*extract_requests)(unsigned char* buf, unsigned int buf_size, unsigned int* region_count_ref) = extract_requests_generic;
 
 /* Initialize the implemented state machine as a graphviz graph */
 void setup_ipsm()
 {
-  ipsm = agopen("g", Agdirected, 0);
+  //ipsm = agopen("g", Agdirected, 0);
 
-  agattr(ipsm, AGNODE, "color", "black"); //Default node colr is black
-  agattr(ipsm, AGEDGE, "color", "black"); //Default edge color is black
+  //agattr(ipsm, AGNODE, "color", "black"); //Default node colr is black
+  //agattr(ipsm, AGEDGE, "color", "black"); //Default edge color is black
 
-  khs_ipsm_paths = kh_init(hs32);
+  //khs_ipsm_paths = kh_init(hs32);
 
   khms_states = kh_init(hms);
 }
@@ -517,21 +520,21 @@ u8 is_state_sequence_interesting(unsigned int *state_sequence, unsigned int stat
 }
 
 /* Update the annotations of regions (i.e., state sequence received from the server) */
-void update_region_annotations(struct queue_entry* q)
-{
-  u32 i = 0;
-
-  for (i = 0; i < messages_sent; i++) {
-    if ((response_bytes[i] == 0) || ( i > 0 && (response_bytes[i] - response_bytes[i - 1] == 0))) {
-      q->regions[i].state_sequence = NULL;
-      q->regions[i].state_count = 0;
-    } else {
-      unsigned int state_count;
-      q->regions[i].state_sequence = (*extract_response_codes)(response_buf, response_bytes[i], &state_count);
-      q->regions[i].state_count = state_count;
-    }
-  }
-}
+//void update_region_annotations(struct queue_entry* q)
+//{
+//  u32 i = 0;
+//
+//  for (i = 0; i < messages_sent; i++) {
+//    if ((response_bytes[i] == 0) || ( i > 0 && (response_bytes[i] - response_bytes[i - 1] == 0))) {
+//      q->regions[i].state_sequence = NULL;
+//      q->regions[i].state_count = 0;
+//    } else {
+//      unsigned int state_count;
+//      q->regions[i].state_sequence = (*extract_response_codes)(response_buf, response_bytes[i], &state_count);
+//      q->regions[i].state_count = state_count;
+//    }
+//  }
+//}
 
 /* Choose a region data for region-level mutations */
 u8* choose_source_region(u32 *out_len) {
@@ -2231,6 +2234,83 @@ EXP_ST void setup_shm(void) {
 }
 
 
+
+
+/********************************************************/
+/* 		StateAFL bypasses response code extraction 		*/
+/* 		 and build a generic request extraction 		*/
+unsigned int* extract_response_codes_generic(unsigned char* buf, unsigned int buf_size, unsigned int* state_count_ref) {
+
+  unsigned int state_tracer_count_all = state_shared_ptr->seq_len;
+
+  *state_count_ref = state_tracer_count_all;
+
+  unsigned int * state_sequence = ck_alloc( (*state_count_ref)*sizeof(int) );
+  memcpy(state_sequence, state_shared_ptr->seq, *state_count_ref * sizeof(unsigned int));
+
+
+  return state_sequence;
+}
+
+//static unsigned int mutated_region_count = 0;
+//static region_t* mutated_regions = NULL;
+
+region_t* extract_requests_generic(unsigned char* buf, unsigned int buf_size, unsigned int* region_count_ref) {
+
+  unsigned int region_count = 0;
+  region_t *regions = NULL;
+
+  unsigned int cur_start = 0;
+
+  //if(mutated_regions != NULL && mutated_region_count > 0) {
+
+  //  *region_count_ref = mutated_region_count;
+
+  //  regions = ck_alloc(mutated_region_count * sizeof(region_t));
+  //  memcpy(regions, mutated_regions, mutated_region_count * sizeof(region_t));
+
+  //  return regions;
+  //}
+
+
+  unsigned int byte_count = 0;
+
+  while(byte_count < buf_size) {
+
+    if(byte_count + 4 >= buf_size) {
+      PFATAL("AFLNet - Erroreous message length in input file");
+    }
+
+    unsigned int next_message_len = *((unsigned int *)(void *)&buf[byte_count]);
+
+    byte_count += sizeof(unsigned int);
+
+    if(byte_count + next_message_len > buf_size) {
+      PFATAL("AFLNet - Erroneous message length in input file (2)");
+    }
+
+    region_count++;
+
+    regions = (region_t *)ck_realloc(regions, region_count * sizeof(region_t));
+
+    regions[region_count - 1].start_byte = cur_start;
+    regions[region_count - 1].end_byte = cur_start + next_message_len - 1;
+    regions[region_count - 1].state_sequence = NULL;
+    regions[region_count - 1].state_count = 0;
+
+    cur_start += next_message_len;
+    byte_count += next_message_len;
+
+  }
+
+  *region_count_ref = region_count;
+  return regions;
+
+}
+/* 					End of StateAFL						*/
+/********************************************************/
+
+
 /* Load postprocessor, if available. */
 
 static void setup_post(void) {
@@ -9074,6 +9154,11 @@ int main(int argc, char** argv) {
           FATAL("%s protocol is not supported yet!", optarg);
         }
 
+
+		// bypass the protocol selection
+        extract_requests = &extract_requests_generic;
+        extract_response_codes = &extract_response_codes_generic;
+
         protocol_selected = 1;
 
         break;
@@ -9132,7 +9217,7 @@ int main(int argc, char** argv) {
   //AFLNet - Check for required arguments
   if (!use_net) FATAL("Please specify network information of the server under test (e.g., tcp://127.0.0.1/8554)");
 
-  if (!protocol_selected) FATAL("Please specify the protocol to be tested using the -P option");
+  //if (!protocol_selected) FATAL("Please specify the protocol to be tested using the -P option");
 
   if (netns_name) {
     if (check_ep_capability(CAP_SYS_ADMIN, argv[0]) != 0)
diff --git a/stateafl-aflnet.diff.md b/stateafl-aflnet.diff.md
@@ -0,0 +1,84 @@
+# Seulement dans aflnet: afl-clang-fast
+# Seulement dans aflnet: afl-clang-fast++
+
+
+# Les fichiers stateafl/afl-fuzz.c et aflnet/afl-fuzz.c sont différents
+Many differences ..
+
+
+# Les fichiers stateafl/aflnet-replay.c et aflnet/aflnet-replay.c sont différents
+```
+71c71
+<   if ((!strcmp(argv[2], "DTLS12")) || (!strcmp(argv[2], "SIP"))) {
+---
+>   if ((!strcmp(argv[2], "DTLS12")) || (!strcmp(argv[2], "DNS")) || (!strcmp(argv[2], "SIP"))) {
+96,114d95
+<   
+< #ifdef LOCAL_PORT
+<     struct sockaddr_in local_serv_addr;
+< 
+<     int optval = 1;
+<     setsockopt(sockfd, SOL_SOCKET, SO_REUSEPORT, &optval, sizeof(optval));
+< 
+<     local_serv_addr.sin_family = AF_INET;
+<     local_serv_addr.sin_addr.s_addr = INADDR_ANY;
+<     local_serv_addr.sin_port = htons(LOCAL_PORT);
+< 
+<     local_serv_addr.sin_addr.s_addr = inet_addr("127.0.0.1");
+<     if (bind(sockfd, (struct sockaddr*) &local_serv_addr, sizeof(struct sockaddr_in)))  {
+<       FATAL("Unable to bind socket on local source port");
+<     }
+< #endif
+<   
+< 
+< 
+131,135d111
+< 
+< #ifdef SEND_DELAY
+<     usleep(SEND_DELAY); // send delay
+< #endif
+< 
+```
+
+
+# Seulement dans stateafl: aflnet-to-plain.c
+Not used?
+
+
+# Les fichiers stateafl/afl-replay.c et aflnet/afl-replay.c sont différents
+```
+79c79
+<   if ((!strcmp(argv[2], "DTLS12")) || (!strcmp(argv[2], "SIP"))) {
+---
+>   if ((!strcmp(argv[2], "DTLS12")) || (!strcmp(argv[2], "DNS")) || (!strcmp(argv[2], "SIP"))) {
+```
+
+
+# Les fichiers stateafl/config.h et aflnet/config.h sont différents
+```
+331c331
+< #define STATE_STR_LEN 16
+---
+> #define STATE_STR_LEN 12
+```
+
+
+# Seulement dans stateafl: convert-pcap-replay-format.py
+
+
+# Les fichiers stateafl/Makefile et aflnet/Makefile sont différents
+```
+36c36
+<   LDFLAGS  += -ldl -lgvc -lcgraph -lm
+---
+>   LDFLAGS  += -ldl -lgvc -lcgraph -lm -lcap
+```
+
+
+# Seulement dans stateafl: README-AFLnet.md
+Probably an old version of the README of aflnet
+
+
+# Les fichiers stateafl/README.md et aflnet/README.md sont différents
+Completely different (no surprise)
+
