INVSCOV实践记录2.0

Usage

实验环境：Ubuntu20.04
实验对象：Xpdf4.03

先构造初始语料库：使用从24小时覆盖率引导模糊会话生成的种子

sudo apt-get install afl++
export CC=afl-clang
export CXX=afl-clang++
mkdir build
cd build
cmake ../
make

afl-fuzz -i /home/yan/fuzzing_xpdf/in -o /home/yan/fuzzing_xpdf/out -d -- ./pdfinfo @@

运行24左右之后：

找到种子库：

此时queue有7300个文件，使用cmin精简种子：

afl-cmin -i /home/yan/fuzzing_xpdf/out/queue -o /home/yan/fuzzing_xpdf/out/queue_cmin ./pdfinfo @@

使用invscov

将 env var INVSCOV_OUTPUT_PATH 设置为现有的空文件夹

mkdir output_path
export INVSCOV_OUTPUT_PATH=/home/yan/fuzz/invscov/output_path/

构建：

cd xpdf-4.03/
#./configure
mkdir build
cd build
#/home/yan/桌面/fuzz/invscov
CC=/home/yan/fuzz/invscov/InvsCov/dump-cc CXX=/home/yan/fuzz/invscov/InvsCov/dump-c++ cmake ..
make -j4
 # assuming that 'program' is the result of the compilation

运行reconstruct-dump

/home/yan/fuzz/invscov/InvsCov/reconstruct-dump

执行learn invariants

/home/yan/fuzz/invscov/InvsCov/learn-invariants /home/yan/fuzz/invscov/initial_corpus ./xpdf_dump/pdfinfo @@

java -cp “/home/yan/invscov/InvsCov/…/daikon.jar” daikon.Daikon “/home/yan/invscov/output_path//decls.decls” --corpus “/home/yan/invscov/initial_corpus” --cmd ‘./xpdf_dump/pdfinfo @@’ --invs “/home/yan/invscov/output_path//daikon.txt”
生成daikon.txt

生成constraints

 /home/yan/fuzz/invscov/InvsCov/generate-constraints

编译
把build删掉重建

CC=/home/yan/fuzz/invscov/InvsCov/instrument-cc CXX=/home/yan/fuzz/invscov/InvsCov/instrument-c++ cmake ..
make -j4
 /home/yan/fuzz/invscov/AFLplusplus/afl-fuzz -i /home/yan/fuzz/invscov/initial_corpus -o /home/yan/fuzz/invscov/output -d -- ./pdfinfo @@

将导致将崩溃信息发送到Fuzzer之间的延迟增大，进而可能将崩溃被误报为超时，所以我们得临时修改core_pattern文件，如下所示：

su
echo core >/proc/sys/kernel/core_pattern

然后还有cpu配置模式有问题的话如下解决：

 cd /sys/devices/system/cpu
 echo performance | tee cpu*/cpufreq/scaling_governor

最后运行

 cd /home/yan/fuzz/invscov/xpdf-4.03/xpdf_fuzz
/home/yan/fuzz/invscov/AFLplusplus/afl-fuzz -i /home/yan/fuzz/invscov/initial_corpus -o /home/yan/fuzz/invscov/output -d -- ./pdfinfo @@