Author: 有毒
4. Fuzzing101 - 4 libtiff
1. Target environment setup
cd $HOME/Desktop/Fuzz/training/
mkdir fuzzing_libtiff && cd fuzzing_libtiff/
wget https://download.osgeo.org/libtiff/tiff-4.0.4.tar.gz
tar -xzvf tiff-4.0.4.tar.gz
cd tiff-4.0.4/
./configure --prefix="$HOME/Desktop/Fuzz/training/fuzzing_libtiff/install/" --disable-shared
make -j$(nproc)
make install
v4ler1an bin ➜ ./tiffinfo -D -j -c -r -s -w ../../tiff-4.0.4/test/images/palette-1c-1b.tiff
TIFF Directory at offset 0xbd4 (3028)
Image Width: 157 Image Length: 151
Bits/Sample: 1
Sample Format: unsigned integer
Compression Scheme: None
Photometric Interpretation: palette color (RGB from colormap)
Samples/Pixel: 1
Rows/Strip: 409
Planar Configuration: single image plane
Page Number: 0-1
Color Map:
0: 0 0 0
1: 65535 65535 65535
DocumentName: palette-1c-1b.tiff
Software: GraphicsMagick 1.2 unreleased Q16 http://www.GraphicsMagick.org/
1 Strips:
0: [ 8, 3020]
2. Compiling the target with AFL++
2.1 Regular build
First, the build without coverage counters: libtiff is compiled with afl-clang-lto so that AFL++ instrumentation goes in, and AddressSanitizer is enabled so that memory errors abort the process instead of passing silently. Note that --disable-shared links libtiff statically into tiffinfo, so the instrumented library code ends up in the binary afl-fuzz will run. The directory is the fuzzing_libtiff directory created in step 1:
rm -r $HOME/Desktop/Fuzz/training/fuzzing_libtiff/install
cd $HOME/Desktop/Fuzz/training/fuzzing_libtiff/tiff-4.0.4/
make clean
export LLVM_CONFIG="llvm-config-12"
CC=afl-clang-lto ./configure --prefix="$HOME/Desktop/Fuzz/training/fuzzing_libtiff/install/" --disable-shared
# enable AddressSanitizer: AFL_USE_ASAN=1 makes the afl-clang-lto wrapper add -fsanitize=address at compile and link time
AFL_USE_ASAN=1 make -j$(nproc)
AFL_USE_ASAN=1 make install
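Before starting a campaign it is worth confirming that the binary just produced really carries AFL++ instrumentation and the ASAN runtime; a plain build (for example when configure did not pick up CC) fuzzes with no feedback at all. The script below is an added example, not code from the original post, from Fuzzing101 or from AFL++. It applies the same probe afl-fuzz itself uses when it validates a target: an instrumented binary contains the shared-memory environment variable name "__AFL_SHM_ID", and an ASAN build contains "__asan_init" (or "libasan.so" when the runtime is dynamic). The BIN path is assumed from the steps above.

```shell
#!/bin/sh
# Added example (not from the original post, Fuzzing101 or AFL++):
# pre-flight checks on the afl-clang-lto + ASAN build of tiffinfo.
# BIN is an assumed path; adjust it to your install prefix.

BIN="$HOME/Desktop/Fuzz/training/fuzzing_libtiff/install/bin/tiffinfo"

# Return 0 if FILE carries AFL instrumentation: the runtime that talks to
# afl-fuzz reads the __AFL_SHM_ID environment variable, so the string is
# present in every instrumented binary (this is what afl-fuzz looks for).
has_afl_instrumentation() {
    grep -q '__AFL_SHM_ID' "$1"
}

# Return 0 if FILE was built with AddressSanitizer (static or shared runtime).
has_asan() {
    grep -q -e '__asan_init' -e 'libasan.so' "$1"
}

# Print one line per check; return 0 only if both pass.
preflight() {
    bin=$1
    status=0
    if [ ! -x "$bin" ]; then
        echo "missing or not executable: $bin"
        return 1
    fi
    if has_afl_instrumentation "$bin"; then
        echo "ok   AFL instrumentation present"
    else
        echo "FAIL no AFL instrumentation (was CC=afl-clang-lto used at configure time?)"
        status=1
    fi
    if has_asan "$bin"; then
        echo "ok   AddressSanitizer runtime linked in"
    else
        echo "FAIL no ASAN runtime (was AFL_USE_ASAN=1 set for make and make install?)"
        status=1
    fi
    return $status
}

# Check the real binary when it exists; the functions above can also be
# called from whatever script later drives afl-fuzz.
if [ -x "$BIN" ]; then
    preflight "$BIN" || echo "fix the build before fuzzing"
fi
```

Both probes are plain substring searches on the file, so they also work on a binary copied from another machine without any AFL++ tooling installed.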
2.2 Code coverage
Code coverage is a software metric that records how many times each line of code was executed. During fuzzing we want to know how well the fuzzer is doing, and coverage answers that question: it tells us which parts of the code the fuzzer has reached and lets us visualize the progress of the campaign.
Here we use lcov to show how a coverage tool is used.
lcov is a graphical front end for gcc's coverage tooling (gcov). It collects line, function and branch coverage for multiple source files from the files gcc's instrumentation produces (a .gcno file per object written at compile time, and a .gcda file with the execution counts written when the instrumented program exits) and turns them into a tracefile; the genhtml command renders that tracefile as HTML pages.
sudo apt install lcov
v4ler1an bin ➜ lcov --help
Usage: lcov [OPTIONS]
Use lcov to collect coverage data from either the currently running Linux
kernel or from a user space application. Specify the --directory option to
get coverage data for a user space program.
Misc:
-h, --help Print this help, then exit
-v, --version Print version number, then exit
-q, --quiet Do not print progress messages
Operation:
-z, --zerocounters Reset all execution counts to zero
-c, --capture Capture coverage data
-a, --add-tracefile FILE Add contents of tracefiles
-e, --extract FILE PATTERN Extract files matching PATTERN from FILE
-r, --remove FILE PATTERN Remove files matching PATTERN from FILE
-l, --list FILE List contents of tracefile FILE
--diff FILE DIFF Transform tracefile FILE according to DIFF
--summary FILE Show summary coverage data for tracefiles
Options:
-i, --initial Capture initial zero coverage data
-t, --test-name NAME Specify test name to be stored with data
-o, --output-file FILENAME Write data to FILENAME instead of stdout
-d, --directory DIR Use .da files in DIR instead of kernel
-f, --follow Follow links when searching .da files
-k, --kernel-directory KDIR Capture kernel coverage data only from KDIR
-b, --base-directory DIR Use DIR as base directory for relative paths
--convert-filenames Convert filenames when applying diff
--strip DEPTH Strip initial DEPTH directory levels in diff
--path PATH Strip PATH from tracefile when applying diff
--(no-)checksum Enable (disable) line checksumming
--(no-)compat-libtool Enable (disable) libtool compatibility mode
--gcov-tool TOOL Specify gcov tool location
--ignore-errors ERRORS Continue after ERRORS (gcov, source, graph)
--no-recursion Exclude subdirectories from processing
--to-package FILENAME Store unprocessed coverage data in FILENAME
--from-package FILENAME Capture from unprocessed data in FILENAME
--no-markers Ignore exclusion markers in source code
--derive-func-data Generate function data from line data
--list-full-path Print full path during a list operation
--(no-)external Include (ignore) data for external files
--config-file FILENAME Specify configuration file location
--rc SETTING=VALUE Override configuration file setting
--compat MODE=on|off|auto Set compat MODE (libtool, hammer, split_crc)
--include PATTERN Include files matching PATTERN
--exclude PATTERN Exclude files matching PATTERN
For more information see: http://ltp.sourceforge.net/coverage/lcov.php
Rebuild libtiff with coverage instrumentation (a plain gcc build this time, without AFL++ or ASAN):
rm -r $HOME/Desktop/Fuzz/training/fuzzing_libtiff/install
cd $HOME/Desktop/Fuzz/training/fuzzing_libtiff/tiff-4.0.4/
make clean
# add the coverage flags for both the compiler and the linker
CFLAGS="--coverage" LDFLAGS="--coverage" ./configure --prefix="$HOME/Desktop/Fuzz/training/fuzzing_libtiff/install/" --disable-shared
make -j$(nproc)
make install
Then collect the coverage information:
cd $HOME/Desktop/Fuzz/training/fuzzing_libtiff/tiff-4.0.4/
lcov --zerocounters --directory ./ # reset the counters
lcov --capture --initial --directory ./ --output-file app.info # write a "baseline" tracefile with zero coverage for every instrumented line
$HOME/Desktop/Fuzz/training/fuzzing_libtiff/install/bin/tiffinfo -D -j -c -r -s -w $HOME/Desktop/Fuzz/training/fuzzing_libtiff/tiff-4.0.4/test/images/palette-1c-1b.tiff
lcov --no-checksum --directory ./ --capture --output-file app2.info # save the current coverage state to app2.info
# the generated coverage tracefiles
v4ler1an tiff-4.0.4 ➜ file app.info
app.info: LCOV coverage tracefile
v4ler1an tiff-4.0.4 ➜ file app2.info
app2.info: LCOV coverage tracefile
v4ler1an tiff-4.0.4 ➜ head -n 20 app.info
TN:
SF:/home/v4ler1an/Desktop/Fuzz/training/fuzzing_libtiff/tiff-4.0.4/contrib/dbs/tiff-rgb.c
FN:43,main
FNDA:0,main
FN:190,Usage
FNDA:0,Usage
DA:43,0
DA:45,0
DA:46,0
DA:53,0
DA:55,0
DA:56,0
DA:57,0
DA:58,0
DA:59,0
DA:60,0
DA:61,0
DA:62,0
DA:63,0
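The run above records the coverage of a single input. In practice the interesting questions are how much of libtiff a whole corpus (the AFL++ queue, for instance) reaches and which functions it never touches. The script below is an added example, not code from the original post, from Fuzzing101 or from libtiff: corpus_coverage runs the coverage build of tiffinfo over every file in a directory and captures one tracefile, and the remaining functions read the tracefile format shown above directly (DA:line,count and FNDA:count,name records) to print totals, list unexecuted functions and enforce a minimum line-coverage percentage. SRCDIR and TIFFINFO follow the paths used in this post; the queue path in the comment and SAMPLE_INFO (a constructed tracefile) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post, Fuzzing101 or libtiff).
# Assumed paths: SRCDIR/TIFFINFO follow the post; TIFF_CORPUS is supplied by
# the caller. SAMPLE_INFO is a constructed tracefile, not real libtiff data.

SRCDIR="$HOME/Desktop/Fuzz/training/fuzzing_libtiff/tiff-4.0.4"
TIFFINFO="$HOME/Desktop/Fuzz/training/fuzzing_libtiff/install/bin/tiffinfo"

# corpus_coverage BINARY CORPUS_DIR BUILD_DIR OUT.info
# gcov merges the counters into the .gcda files on every normal exit, so one
# capture after the loop covers the whole corpus. An input that crashes the
# process leaves no counters for that run: the gcov exit handler never runs.
corpus_coverage() {
    bin=$1; corpus=$2; builddir=$3; out=$4
    lcov --zerocounters --directory "$builddir"
    lcov --capture --initial --directory "$builddir" --output-file "$out.base"
    n=0
    for f in "$corpus"/*; do
        [ -f "$f" ] || continue
        # same tiffinfo flags as the single-file run in the post; ignore the
        # exit status so a crashing or rejected input does not stop the loop
        "$bin" -D -j -c -r -s -w "$f" >/dev/null 2>&1 || true
        n=$((n + 1))
    done
    lcov --no-checksum --directory "$builddir" --capture --output-file "$out.run"
    # merge with the zero baseline so files that were never executed still appear
    lcov --add-tracefile "$out.base" --add-tracefile "$out.run" --output-file "$out"
    echo "ran $n inputs, tracefile: $out"
}

# Print "lines_hit lines_total funcs_hit funcs_total" for a tracefile on stdin.
# DA:<line>,<count>[,<checksum>]  and  FNDA:<count>,<function>
summarize_tracefile() {
    awk -F'[:,]' '
        /^DA:/   { lines++; if ($3 + 0 > 0) lh++ }
        /^FNDA:/ { funcs++; if ($2 + 0 > 0) fh++ }
        END { printf "%d %d %d %d\n", lh + 0, lines + 0, fh + 0, funcs + 0 }'
}

# Print "file:function" for every function with zero executions.
uncovered_functions() {
    awk -F'[:,]' '
        /^SF:/   { sf = substr($0, 4) }
        /^FNDA:/ { if ($2 + 0 == 0) print sf ":" $3 }'
}

# coverage_gate MIN_PERCENT (tracefile on stdin): return 1 if line coverage is below MIN_PERCENT.
coverage_gate() {
    set -- "$1" $(summarize_tracefile)
    awk -v min="$1" -v hit="$2" -v total="$3" 'BEGIN {
        pct = (total > 0) ? hit * 100 / total : 0
        printf "line coverage %.1f%% (%d/%d), required %s%%\n", pct, hit, total, min
        exit (pct < min + 0) ? 1 : 0 }'
}

# Constructed two-function tracefile in the format lcov emits (line numbers invented).
SAMPLE_INFO='TN:
SF:/home/v4ler1an/Desktop/Fuzz/training/fuzzing_libtiff/tiff-4.0.4/libtiff/tif_dirread.c
FN:100,TIFFReadDirectory
FNDA:1,TIFFReadDirectory
FN:900,TIFFReadCustomDirectory
FNDA:0,TIFFReadCustomDirectory
DA:100,1
DA:105,1
DA:110,0
DA:900,0
end_of_record'

printf '%s\n' "$SAMPLE_INFO" | summarize_tracefile        # 2 4 1 2
printf '%s\n' "$SAMPLE_INFO" | uncovered_functions
if printf '%s\n' "$SAMPLE_INFO" | coverage_gate 60; then
    echo "gate passed"
else
    echo "gate failed"
fi

# Real run, only when a corpus directory is given, e.g.
#   TIFF_CORPUS=$HOME/Desktop/Fuzz/training/fuzzing_libtiff/out/default/queue sh coverage.sh
if [ -n "${TIFF_CORPUS:-}" ]; then
    corpus_coverage "$TIFFINFO" "$TIFF_CORPUS" "$SRCDIR" corpus.info
    summarize_tracefile < corpus.info
    uncovered_functions < corpus.info
fi
```

The coverage build is the plain gcc build from this section, without AFL++ or ASAN, and that is the right binary to feed a queue to; the ASAN build from section 2.1 is for afl-fuzz. The resulting corpus.info can be passed to genhtml exactly like app2.info.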
To make the coverage data easier to read, generate an HTML report from the tracefile:
v4ler1an tiff-4.0.4 ➜ genhtml --highlight --legend --output-directory ./html-coverage/ ./app2.info
v4ler1an tiff-4.0.4 ➜ cd html-coverage
v4ler1an html-coverage ➜ ls
amber.png gcov.css index.html index-sort-l.html ruby.png tools
emerald.png glass.png index-sort-f.html libtiff snow.png updown.png
Opening the generated index.html in a browser shows the coverage summary:
There are two directories, libtiff and tools; open either one to see the per-file statistics:
Each file can be opened as well, and shows which lines were executed:
All of this comes from GCC's own instrumentation, and it is a very convenient way to check whether the code we want to exercise is actually being executed.
Originally published on the WeChat public account IOTsec Zone: 【技术干货】Fuzzing101全实践 -- (二)