Yogender (OSCP, OSWE, CRTE, CRTP, APTLABS:Red Team Operator LIII, CEH, RHCSA)

About libFuzzer

LibFuzzer is an in-process, coverage-guided, evolutionary fuzzing engine.

LibFuzzer is linked with the library under test, and feeds fuzzed inputs to the library via a specific fuzzing entry point (aka “target function”); the fuzzer then tracks which areas of the code are reached, and generates mutations on the corpus of input data in order to maximize the code coverage. The code coverage information for libFuzzer is provided by LLVM’s SanitizerCoverage instrumentation.

Environment Setup

• Install dependencies:

# Get the demo file
git clone https://github.com/theyoge/AI-Fuzzing.git

# Dependencies
sudo apt-get update
sudo apt-get --yes install curl subversion screen gcc g++ cmake ninja-build golang autoconf libtool apache2 python-dev pkg-config zlib1g-dev libgcrypt11-dev libgss-dev libssl-dev libxml2-dev ragel nasm libarchive-dev make automake libdbus-1-dev libboost-dev autoconf-archive
sudo apt install clang-12 --install-suggests

Here we have a vulnerable C++ file:

I know you can spot the bug :) (Hint: out-of-bounds read)

#include <stdint.h>
#include <stddef.h> //hehe

// The length check only guarantees Data[0..2] are in bounds, yet Data[3] is
// read as well: a 3-byte input such as "FUZ" reads one byte past the buffer.
bool vulncode(const uint8_t *Data, size_t DataSize) {
  return DataSize >= 3 &&
      Data[0] == 'F' &&
      Data[1] == 'U' &&
      Data[2] == 'Z' &&
      Data[3] == 'Z';
}

// libFuzzer entry point ("target function"): called once per generated input.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
  vulncode(Data, Size);
  return 0;
}

libFuzzer drives the fuzzing through this entry point: it repeatedly calls ‘LLVMFuzzerTestOneInput’ with generated inputs, and that function passes each input on to our vulnerable ‘vulncode’ function.
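As an added example (not the post's own code), the same harness with the bounds check corrected next to the original, plus a small stand-alone driver for replaying a saved crash input when the file is built without libFuzzer; the name `vulncode_fixed` and the driver are mine.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <vector>

// Original check from the post: DataSize >= 3 does not cover the read of
// Data[3], so a 3-byte input "FUZ" reads one byte past the end of the buffer
// (ASan reports this as a heap-buffer-overflow under -fsanitize=fuzzer,address).
bool vulncode(const uint8_t *Data, size_t DataSize) {
  return DataSize >= 3 && Data[0] == 'F' && Data[1] == 'U' &&
         Data[2] == 'Z' && Data[3] == 'Z';
}

// Corrected check: the length guard covers every index that is dereferenced.
bool vulncode_fixed(const uint8_t *Data, size_t DataSize) {
  return DataSize >= 4 && Data[0] == 'F' && Data[1] == 'U' &&
         Data[2] == 'Z' && Data[3] == 'Z';
}

// libFuzzer entry point: the engine calls this for every generated input.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
  vulncode_fixed(Data, Size);
  return 0;
}

// -fsanitize=fuzzer supplies its own main() and defines the macro below, so
// this replay driver is only built for a plain ASan build
// (e.g. clang++ -g -fsanitize=address harness.cpp -o replay).
#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
int main(int argc, char **argv) {
  for (int i = 1; i < argc; ++i) {
    FILE *f = fopen(argv[i], "rb");
    if (!f) { perror(argv[i]); return 1; }
    std::vector<uint8_t> buf;  // whole file = one fuzz input
    int c;
    while ((c = fgetc(f)) != EOF) buf.push_back(static_cast<uint8_t>(c));
    fclose(f);
    LLVMFuzzerTestOneInput(buf.data(), buf.size());
    printf("%s: %zu bytes, no crash\n", argv[i], buf.size());
  }
  return 0;
}
#endif
```

Feeding the replay driver a crash file written by libFuzzer (`./replay crash-<hash>`) reproduces the finding under ASan without the fuzzing loop.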