Skip to content

Missing some instrumentations when instrumenting binary with AFL #28

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Marsman1996 opened this issue Aug 18, 2021 · 0 comments
Open

Missing some instrumentations when instrumenting binary with AFL #28

Marsman1996 opened this issue Aug 18, 2021 · 0 comments
Labels
bug Something isn't working

Comments

@Marsman1996
Copy link

Marsman1996 commented Aug 18, 2021
edited
Loading

RetroWrite generates labels with the format as .L%x in

retrowrite/librw/rw.py

Line 190 in 243db58

instruction.op_str = ".L%x" % (target)

and

retrowrite/librw/container.py

Line 191 in 9e2e633

results.append(".L%x:" % (instruction.address))

However, for the afl-gcc compilers of AFL-family fuzzers such as AFL++, they only instrument the label start with .L%d

https://github.com/AFLplusplus/AFLplusplus/blob/32a0d6ac31554a47dca591f8978982758fb87677/src/afl-as.c#L464-L466

        if ((isdigit(line[2]) ||
             (clang_mode && !strncmp(line + 1, "LBB", 3))) &&
            R(100) < (long)inst_ratio) {

Taking the nm in binutils as an example, the .L9ffea basic block is instrumented while .La0047 and .La0058 are not instrumented.
After the fix, the number of instrumentation increase from 39511 to 47795.

.L9ffea:
.LC9ffea:

/* --- AFL TRAMPOLINE (64-BIT) --- */

.align 4

leaq -(128+24)(%rsp), %rsp
movq %rdx,  0(%rsp)
movq %rcx,  8(%rsp)
movq %rax, 16(%rsp)
movq $0x00006e12, %rcx
call __afl_maybe_log
movq 16(%rsp), %rax
movq  8(%rsp), %rcx
movq  0(%rsp), %rdx
leaq (128+24)(%rsp), %rsp

/* --- END --- */

	movq -0x48(%rbp), %rax
.LC9ffee:
	movq -0x58(%rbp), %rcx
.LC9fff2:
	movq %rax, 8(%rcx)
.LC9fff6:
	movq -0x58(%rbp), %rax
.LC9fffa:
	movl $0xffffffff, 0x60(%rax)
.LCa0001:
	movq -0x58(%rbp), %rax
.LCa0005:
	movl $1, 0x64(%rax)
.LCa000c:
	movl $1, -0x64(%rbp)
.LCa0013:
	movq -0x20(%rbp), %rax
.LCa0017:
	movq (%rax), %rax
.LCa001a:
	cmpq $0, 0x100(%rax)
.LCa0022:
	je .La0047

/* --- AFL TRAMPOLINE (64-BIT) --- */

.align 4

leaq -(128+24)(%rsp), %rsp
movq %rdx,  0(%rsp)
movq %rcx,  8(%rsp)
movq %rax, 16(%rsp)
movq $0x0000740b, %rcx
call __afl_maybe_log
movq 16(%rsp), %rax
movq  8(%rsp), %rcx
movq  0(%rsp), %rdx
leaq (128+24)(%rsp), %rsp

/* --- END --- */

.LCa0028:
	movq -0x20(%rbp), %rax
.LCa002c:
	movq (%rax), %rax
.LCa002f:
	movq 0x100(%rax), %rax
.LCa0036:
	cmpl $0, 0x10(%rax)
.LCa003a:
	jne .La0047

/* --- AFL TRAMPOLINE (64-BIT) --- */

.align 4

leaq -(128+24)(%rsp), %rsp
movq %rdx,  0(%rsp)
movq %rcx,  8(%rsp)
movq %rax, 16(%rsp)
movq $0x000050f3, %rcx
call __afl_maybe_log
movq 16(%rsp), %rax
movq  8(%rsp), %rcx
movq  0(%rsp), %rdx
leaq (128+24)(%rsp), %rsp

/* --- END --- */

.LCa0040:
	movl $0, -0x64(%rbp)
.La0047:
.LCa0047:
	movq -0x20(%rbp), %rax
.LCa004b:
	movq (%rax), %rax
.LCa004e:
	addq $0x100, %rax
.LCa0054:
	movq %rax, -0x60(%rbp)
.La0058:
.LCa0058:
	movq -0x60(%rbp), %rax
.LCa005c:
	cmpq $0, (%rax)
.LCa0060:
	je .La007f

I think RetroWrite could output the label with format .L%d (see #27), or modify the code in afl-as.c to

        if (((isdigit(line[2]) || (line[2] >= 'a' && line[2] <= 'f')) ||
            (clang_mode && !strncmp(line + 1, "LBB", 3))) &&
            R(100) < (long)inst_ratio) {

The assembly code files are attached here.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@diagprov @Marsman1996