Java Python 3
virtualenv .venvsource .venv/bin/activatemakechmod a+x ./src/GDBFuzz/main.py本地运行样例
[SUT]# Path to the binary file of the SUT.# This can, for example, be an .elf file or a .bin file.binary_file_path = <path># Address of the root node of the CFG.# Breakpoints are placed at nodes of this CFG.# e.g. 'LLVMFuzzerTestOneInput' or 'main'entrypoint = <entrypoint># Number of inputs that must be executed without a breakpoint hit until# breakpoints are rotated.until_rotate_breakpoints = <number># Maximum number of breakpoints that can be placed at any given time.max_breakpoints = <number># Blacklist functions that shall be ignored.# ignore_functions is a space separated list of function names e.g. 'malloc free'.ignore_functions = <space separated list># One of {Hardware, QEMU, SUTRunsOnHost}# Hardware: An external component starts a gdb server and GDBFuzz can connect to this gdb server.# QEMU: GDBFuzz starts QEMU. QEMU emulates binary_file_path and starts gdbserver.# SUTRunsOnHost: GDBFuzz start the target program within GDB.target_mode = <mode># Set this to False if you want to start ghidra, analyze the SUT,# and start the ghidra bridge server manually.start_ghidra = True# Space separated list of addresses where software breakpoints (for error# handling code) are set. Execution of those is considered a crash.# Example: software_breakpoint_addresses = 0x123 0x432software_breakpoint_addresses =# Whether all triggered software breakpoints are considered as crashconsider_sw_breakpoint_as_error = False[SUTConnection]# The class 'SUT_connection_class' in file 'SUT_connection_path' implements# how inputs are sent to the SUT.# Inputs can, for example, be sent over Wi-Fi, Serial, Bluetooth, ...# This class must inherit from ./connections/SUTConnection.py.# See ./connections/SUTConnection.py for more information.SUT_connection_file = FIFOConnection.py[GDB]path_to_gdb = gdb-multiarch#Written in address:portgdb_server_address = localhost:4242[Fuzzer]# In Bytesmaximum_input_length = 100000# In secondssingle_run_timeout = 20# In secondstotal_runtime = 3600# Optional# Path to a directory where each file contains one seed. If you don't want to# use seeds, leave the value empty.seeds_directory =[BreakpointStrategy]# Strategies to choose basic blocks are located in# 'src/GDBFuzz/breakpoint_strategies/'# For the paper we use the following strategies# 'RandomBasicBlockStrategy.py' - Randomly choosing unreached basic blocks# 'RandomBasicBlockNoDomStrategy.py' - Like previous, but doesn't use dominance relations to derive transitively reached nodes.# 'RandomBasicBlockNoCorpusStrategy.py' - Like first, but prevents growing the input corpus and therefore behaves like blackbox fuzzing with coverage measurement.# 'BlackboxStrategy.py', - Doesn't set any breakpointsbreakpoint_strategy_file = RandomBasicBlockStrategy.py[Dependencies]path_to_qemu = dependencies/qemu/build/x86_64-linux-user/qemu-x86_64path_to_ghidra = dependencies/ghidra[LogsAndVisualizations]# One of {DEBUG, INFO, WARNING, ERROR, CRITICAL}loglevel = INFO# Path to a directory where output files (e.g. graphs, logfiles) are stored.output_directory = ./output# If set to True, an MQTT client sends UI elements (e.g. graphs)enable_UI = Falsechmod a+x ./example_programs/json-2017-02-12./src/GDBFuzz/main.py --config ./example_programs/fuzz_json.cfg在 Docker 容器中安装并运行
make dockerimagechmod a+x ./example_programs/json-2017-02-12docker run -it --env CONFIG_FILE=/example_programs/fuzz_json_docker_qemu.cfg -v $(pwd)/example_programs:/example_programs -v $(pwd)/output:/output gdbfuzz:1.0. ├── corpus ├── crashes ├── cfg ├── fuzzer_stats ├── plot_data ├── reverse_cfgsudo apt-get install graphviz$ node --versionv16.9.1$ npm --version7.21.1cd ./src/webuinpm installlistener 1883allow_anonymous truelistener 9001protocol websocketssudo service mosquitto restartsudo service mosquitto statuscd ./src/webuinpm start原文始发于微信公众号(FreeBuf):GDBFuzz:基于硬件断点的嵌入式系统模糊测试工具
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论