  • Language: C++
  • License: Apache License 2.0
  • Stars: 167
  • Created over 4 years ago
  • Updated almost 2 years ago


Repository Details

ParmeSan: Sanitizer-guided Greybox Fuzzing


ParmeSan is a sanitizer-guided greybox fuzzer based on Angora.

Published Work

USENIX Security 2020: ParmeSan: Sanitizer-guided Greybox Fuzzing.

The paper can be found here: ParmeSan: Sanitizer-guided Greybox Fuzzing

Building ParmeSan

See the instructions for Angora.

Basically run the following scripts to install the dependencies and build ParmeSan:

build/install_rust.sh
PREFIX=/path/to/install/llvm build/install_llvm.sh
build/install_tools.sh
build/build.sh

ParmeSan also builds a tool bin/llvm-diff-parmesan, which can be used for target acquisition.

Building a target

First build your program into a bitcode file using clang (e.g., base64.bc). Then build your target in the same way, but with your selected sanitizer enabled. To get a single bitcode file for larger projects, the easiest solution is to use gllvm.

# Build the bitcode files for target acquisition
USE_FAST=1 $(pwd)/bin/angora-clang -emit-llvm -o base64.fast.bc -c base64.bc
USE_FAST=1 $(pwd)/bin/angora-clang -fsanitize=address -emit-llvm -o base64.fast.asan.bc -c base64.bc
# Build the actual binaries to be fuzzed
USE_FAST=1 $(pwd)/bin/angora-clang -o base64.fast -c base64.bc
USE_TRACK=1 $(pwd)/bin/angora-clang -o base64.track -c base64.bc

Then acquire the targets using:

bin/llvm-diff-parmesan -json base64.fast.bc base64.fast.asan.bc

This will output a file targets.json, which you provide to ParmeSan with the -c flag.

For example:

$(pwd)/bin/fuzzer -c ./targets.json -i in -o out -t ./base64.track -- ./base64.fast -d @@

Options

ParmeSan's SanOpt option can speed up the fuzzing process by dynamically switching over to a sanitized binary only once the fuzzer reaches one of the targets specified in the targets.json file.

Enable using the -s [SANITIZED_BIN] option.

Build the sanitized binary in the following way:

USE_FAST=1 $(pwd)/bin/angora-clang -fsanitize=address -o base64.asan.fast -c base64.bc

Targets input file

The targets input file consists of a JSON file with the following format:

{
  "targets":  [1,2,3,4],
  "edges":   [[1,2], [2,3]],
  "callsite_dominators": {"1": [3,4,5]}
}

Here targets denotes the identity of the cmp instructions to target (i.e., the ids assigned by the __angora_trace_cmp() calls) and edges is the overlay graph of cmp ids (i.e., which cmps are connected to each other). The edges field can be empty, since ParmeSan will add newly discovered edges automatically, but note that performance will be better if you provide the static CFG.

It is also possible to run ParmeSan in pure directed mode (-D option), meaning that it will only consider new seeds if the seed triggers coverage that is on a direct path to one of the specified targets. Note that this requires a somewhat complete static CFG to work (an incomplete CFG might contain no paths to the targets at all, which would mean that no new coverage will be considered at all).
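The following added example (not part of the ParmeSan project) parses a constructed targets.json in the layout described above and audits it for pure directed mode: it reports which cmp ids lie on a static path to a target, which cmps never lead to one, and which targets have no edges touching them at all (the incomplete-CFG case the note above warns about). The target ids and edges are made up for illustration.

```python
import json
from collections import defaultdict, deque

# Constructed sample in the documented targets.json layout (not a real project file).
SAMPLE_TARGETS_JSON = """
{
  "targets": [4, 7],
  "edges": [[1, 2], [2, 3], [3, 4], [2, 5], [5, 6]],
  "callsite_dominators": {"4": [3, 2]}
}
"""


def load_targets(text):
    """Parse a targets file into (target ids, forward adjacency, callsite dominators)."""
    doc = json.loads(text)
    adj = defaultdict(set)
    for src, dst in doc.get("edges", []):
        adj[src].add(dst)
    doms = {int(k): set(v) for k, v in doc.get("callsite_dominators", {}).items()}
    return set(doc["targets"]), adj, doms


def reverse_reachable(adj, targets):
    """Return every cmp id from which at least one target is reachable via the overlay graph."""
    radj = defaultdict(set)
    for src, dsts in adj.items():
        for dst in dsts:
            radj[dst].add(src)
    seen, queue = set(targets), deque(targets)
    while queue:  # BFS backwards from the targets
        node = queue.popleft()
        for pred in radj[node]:
            if pred not in seen:
                seen.add(pred)
                queue.append(pred)
    return seen


def audit(text):
    """Classify cmp ids the way pure directed mode (-D) would treat seeds reaching them."""
    targets, adj, doms = load_targets(text)
    nodes = set(adj) | {d for ds in adj.values() for d in ds}
    on_path = reverse_reachable(adj, targets)
    return {
        # targets with no static edges at all: -D can never accept a seed on the way there
        "isolated_targets": {t for t in targets if t not in nodes},
        "on_path": on_path,              # coverage here counts as progress under -D
        "off_path": nodes - on_path,     # coverage here is discarded under -D
        "callsite_dominators": doms,     # passed through; semantics not covered here
    }
```
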

ParmeSan Screenshot

How to get started

Have a look at BUILD_TARGET.md for a step-by-step tutorial on how to get started fuzzing with ParmeSan.

FAQ

  • Q: I get a warning like ==1561377==WARNING: DataFlowSanitizer: call to uninstrumented function gettext when running the (track) instrumented program.
  • A: In many cases you can ignore this, but it will lose the taint (meaning worse performance). You need to add the function to the abilist (e.g., llvm_mode/dfsan_rt/dfsan/done_abilist.txt) and add a custom DFSan wrapper (in llvm_mode/dfsan_rt/dfsan/dfsan_custom.cc). See the Angora documentation for more info.
  • Q: I get a compiler error when building the track binary.
  • A: ParmeSan/Angora uses DFSan for dynamic data-flow analysis. In certain cases building target applications can be a bit tricky (especially in the case of C++ targets). Make sure to disable as much inline assembly as possible and make sure that you link the correct libraries/LLVM libc++. Some programs also do weird stuff like an indirect call to a vararg function. This is not supported by DFSan at the moment, so the easy solution is to patch out these calls, or do something like indirect call promotion.
  • Q: llvm-diff-parmesan generates too many targets!
  • A: You can do target pruning using the scripts in tools/ (in particular tools/prune.py) or use ASAP to generate a target bitcode file with fewer sanitizer targets.

Docker image

You can also get the pre-built docker image of ParmeSan.

docker pull vusec/parmesan
docker run --rm -it vusec/parmesan
# In the container you can build objdump
/parmesan/misc/build_objdump.sh
