Grimoire: Synthesizing Structure while Fuzzing

Grimoire is coverage-guided fuzzer for structured input languages. It is built upon Redqueen.

The fuzzer is based on our paper (slides, recording):

@inproceedings{blazytko2019grimoire,
    author = {Tim Blazytko and Cornelius Aschermann and Moritz Schl{\"o}gel and Ali Abbasi and Sergej Schumilo and Simon W{\"o}rner and Thorsten Holz},
    title =  {{GRIMOIRE}: Synthesizing Structure while Fuzzing},,
    year = {2019},
    booktitle = {USENIX Security Symposium} 
}

Setup

1. Setup Redqueen
2. Apply Patch qemu.patch to QEMU-PT
3. Use this python code base instead of Redqueen's kAFL-Fuzzer
4. Create a string dictionary (for string mutations) via strings -n3 -d <path to binary> | grep -v "\s" | sort | uniq > dict.txt
5. Prepare binary and fuzz as described here. To use the dictionary, add -I <dict file> to kafl_fuzz.py.

Code

Grimoire can be understood as a patch applied to Redqueen's code base. The published source code contains Redqueen's fuzzing logic, the implementation of Grimoire as well as its interaction with Redqueen.

In detail, Grimoire's is organized as follows:

Inference Logic

The inference logic (paper section 3.1) is contained in fuzzer/technique/grimoire_inference.py.

Mutations

Grimoire's large-scale mutations (paper section 3.2) are contained in fuzzer/technique/grimoire_mutations.py.

Interaction with Redqueen

fuzzer/scheduler.py defines GrimoireScheduler, which is used in Redqueen's InputQueue in file fuzzer/queue.py. Everytime a SlaveProcess (fuzzer/process/slave.py) requests a new input from the queue, a non-generalized input that triggered new coverage will be returned.

This input is then generalized in the state grimoire_inference in FuzzingStateLogic (fuzzer/state_logic.py)

In a later fuzzing stage---during Redqueen's havoc mutation phase---Grimoire's mutations will be applied in FuzzingStateLogic.