googleprojectzero/SockFuzzer googleprojectzero/SockFuzzer

  • Stars
    star
    367
  • Rank 116,257 (Top 3 %)
  • Language
    C
  • License
    Other
  • Created over 3 years ago
  • Updated about 1 month ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
googleprojectzero/SockFuzzer
github

googleprojectzero

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

SockFuzzer

This repository contains SockFuzzer, a fork of XNU that contains support for fuzzing the network stack in userland on macOS and Linux-based hosts.

Building and Using the Fuzzer

NOTE: The project is moving to a Bazel-based build system. The following steps work for now but will be updated once the new build system is published.

Build the fuzzer the same way you would typically build a project using CMake for your platform. For example:

$ mkdir build; cd build
$ CC=clang CXX=clang++ cmake -GNinja ..
$ ninja

You can now run the net_fuzzer binary, optionally providing parameters as described in the libFuzzer documentation.

A Dockerfile is included which shows how to prepare a Debian environment to build the project. Feel free to use this container to build and run the fuzzer.

Extending the Fuzzer

This project is currently an all-in-one fuzzer for XNU networking. You can extend it by adding additional targets to CMakeLists.txt or by extending the existing network target. Nothing about this project specifically prevents the testing of additional non-networking subsystems, so feel free to extend it to test other areas.

Generating and Reviewing Coverage Reports

Coverage reports are an important way to review the quality of the current fuzzer implementation. On Linux, a net_cov binary is generated containing LLVM's source based code-coverage instrumentation.

At the time of writing, the following commands product an HTML coverage report located in the report folder after running all of the testcases located in the corpus folder.

./net_cov corpus
llvm-profdata merge -sparse default.profraw -o default.profdata
llvm-cov show -format=html -output-dir=report -instr-profile=default.profdata net_cov

Importing upstream XNU releases

A macOS environment is needed to generate the new files. Unpack the new source tarball replacing third_party/xnu. Then run the following command, updating SDKROOT as needed. Then you can add BUILD/obj/EXPORT_HDRS and BUILD/obj/DEBUG_X86_64 to the git repo. You'll also need to rebase any changes to the original XNU sources. In some cases, the outer CMakeLists.txt must also be updated to reflect new or deleted source paths.

I use an upstream branch to facilitate merging my patches with the upstream changes.

# From inside third_party/xnu
$ make SDKROOT=macosx11.1 ARCH_CONFIGS=X86_64 KERNEL_CONFIGS=DEBUG
$ git add BUILD/obj/EXPORT_HDRS EXTERNAL_HEADERS

Disclaimer

This is not an official Google product.

More Repositories

1

winafl

A fork of AFL for fuzzing Windows binaries
C
2,311
star
2

sandbox-attacksurface-analysis-tools

Set of tools to analyze Windows sandboxes for exposed attack surface.
C#
2,047
star
3

fuzzilli

A JavaScript Engine Fuzzer
Swift
1,859
star
4

weggli

weggli is a fast and robust semantic search tool for C and C++ codebases. It is designed to help security researchers identify interesting functionality in large codebases.
Rust
1,857
star
5

domato

DOM fuzzer
Python
1,672
star
6

TinyInst

A lightweight dynamic instrumentation library
C++
1,158
star
7

Jackalope

Binary, coverage-guided fuzzer for Windows, macOS, Linux and Android
C++
1,068
star
8

halfempty

A fast, parallel test case minimization tool.
C
941
star
9

0days-in-the-wild

Repository for information about 0-days exploited in-the-wild.
HTML
753
star
10

symboliclink-testing-tools

C++
747
star
11

p0tools

Project Zero Docs and Tools
C++
698
star
12

ktrw

An iOS kernel debugger based on a KTRR bypass for A11 iPhones; works with LLDB and IDA Pro.
C
660
star
13

functionsimsearch

Some C++ example code to demonstrate how to perform code similarity searches using SimHashing.
C++
559
star
14

BrokenType

TrueType and OpenType font fuzzing toolset
C++
430
star
15

iOS-messaging-tools

Python
368
star
16

SkCodecFuzzer

Fuzzing harness for testing proprietary image codecs supported by Skia on Android
C++
331
star
17

bochspwn

A Bochs-based instrumentation project designed to log kernel memory references, to identify "double fetches" and other OS vulnerabilities
C++
319
star
18

bochspwn-reloaded

A Bochs-based instrumentation performing kernel memory taint tracking to detect disclosure of uninitialized memory to ring 3
C++
284
star
19

Street-Party

Street Party is a suite of tools that allows the RTP streams of video conferencing implementations to be viewed and modified.
C++
242
star
20

DrSancov

DynamoRIO plugin to get ASAN and SanitizerCoverage compatible output for closed-source executables
C++
203
star
21

CompareCoverage

Clang instrumentation module for tracing variable and buffer comparisons in C/C++ and saving the coverage data to .sancov files
C++
200
star
22

Hyntrospect

PowerShell
179
star
23

reil

C++
59
star
24

.allstar

1
star
25

.github

1
star