wanderer/fastnetmon-rewritten
1
0
Fork 0
mirror of https://github.com/pavel-odintsov/fastnetmon synced 2025-04-10 10:23:29 +02:00
Code Issues Releases Activity

Fuzz update (#1033)

Browse Source 
* Remove libfuzzer wrappers
* update harness, add script for AFL++ pers mod instr
* Update README.md

---------

Co-authored-by: Evgeny Shtanov <evg.shtanov@gmail.comm>
This commit is contained in:
Evgeny Shtanov 2024-12-14 15:46:40 +03:00 committed by GitHub
parent f8a29251c9
commit 05bd983473
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
12 changed files with 303 additions and 208 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
src/CMakeLists.txt
View File

@ -1211,19 +1211,6 @@ if (ENABLE_FUZZ_TEST)
target_link_libraries(process_netflow_packet_v5_fuzz sflow_plugin netflow_plugin example_plugin fastnetmon_logic ${LOG4CPP_LIBRARY_PATH})
endif()
# Fuzz test with AFL++ or clang
if (ENABLE_FUZZ_TEST_LIBFUZZER)
add_executable(parse_sflow_v5_packet_fuzz tests/fuzz/parse_sflow_v5_packet_fuzz_libfuzzer.cpp)
target_link_libraries(parse_sflow_v5_packet_fuzz sflow_plugin netflow_plugin example_plugin fastnetmon_logic ${LOG4CPP_LIBRARY_PATH})
target_compile_options(parse_sflow_v5_packet_fuzz PRIVATE -fsanitize=fuzzer)
target_link_options(parse_sflow_v5_packet_fuzz PRIVATE -fsanitize=fuzzer)
add_executable(process_netflow_packet_v5_fuzz tests/fuzz/process_netflow_packet_v5_fuzz_libfuzzer.cpp)
target_link_libraries(process_netflow_packet_v5_fuzz sflow_plugin netflow_plugin example_plugin fastnetmon_logic ${LOG4CPP_LIBRARY_PATH})
target_compile_options(process_netflow_packet_v5_fuzz PRIVATE -fsanitize=fuzzer)
target_link_options(process_netflow_packet_v5_fuzz PRIVATE -fsanitize=fuzzer)
endif()
# Chaged interface socket to console input
if (ENABLE_FUZZ_TEST_DESOCK)
target_link_libraries(fastnetmon desock)

160
src/tests/fuzz/README.md
View File

@ -8,9 +8,9 @@ This section describes the fuzzing testing process, the approaches used, and met
- [Docker Image](#docker-image)
- [CMake](#cmake)
- [File Structure](#file-structure)
- [Example of Fuzzing Run](#example-of-fuzzing-run)
- [Example of Fuzzing Run](#example-of-manual-fuzzing-launch-for-individual-fuzzing-wrappers)
- [Other Fuzzing Techniques](#other-fuzzing-techniques)
- [Techniques That Didn't Work](#techniques-that-didnt-work)
- [Fuzzing Launch in Docker Container](#fuzzing-launch-in-docker-container)
## Docker Image
--------------------------------
@ -44,24 +44,23 @@ A number of options have been added to the source `CMakeLists.txt` file, allowin
| Option | Description |
|-----------------------------------|-----------------------------------------------------------|
| `-DENABLE_FUZZ_TEST` | Builds two fuzzing wrappers for `AFL++`. Use **only with the `afl-c++` compiler** or its variations |
| `DENABLE_FUZZ_TEST_LIBFUZZER` | Builds two fuzzing wrappers for `libfuzzer`. Use **with the `clang` compiler or variations of `afl-c++`** |
| `-DENABLE_FUZZ_TEST_DESOCK` | This option allows modifying the behavior of the standard `socket` function. Now data will come from the input stream instead of the network socket. **Instruments the original `fastnetmon` executable** |
| `-DCMAKE_BUILD_TYPE=Debug` | Debugging option required for proper debugger functionality. **Do not use on release builds or during tests - false positives may occur with sanitizer functions like `assert()`** |
## File Structure
--------------------------------
```bash
fuzz/
├── README.md
├── README_rus.md
├── fastnetmon.conf
├── parse_sflow_v5_packet_fuzz.cpp
├── parse_sflow_v5_packet_fuzz_libfuzzer.cpp
├── process_netflow_packet_v5_fuzz.cpp
├── process_netflow_packet_v5_fuzz_libfuzzer.cpp └── scripts/
├── minimize_out.sh
├── start_fuzz_conf_file.sh
└── start_fuzz_harness.sh
```
fuzz/
├── README.md
├── README_rus.md
├── fastnetmon.conf
├── parse_sflow_v5_packet_fuzz.cpp
├── process_netflow_packet_v5_fuzz.cpp
└── scripts/
│ ├── minimize_out.sh
│ ├── afl_pers_mod_instr.sh
├── start_fuzz_conf_file.sh
└── start_fuzz_harness.sh
```
### File Descriptions
--------------------------------
@ -72,9 +71,7 @@ fuzz/
| `README_rus.md` | Documentation in **Russian** about the fuzz testing of the project. |
| `fastnetmon.conf` | Configuration file for FastNetMon. Only the netflow and sflow protocols are left for operation. |
| `parse_sflow_v5_packet_fuzz.cpp` | Wrapper for fuzzing the `parse_sflow_v5_packet_fuzz` function using `AFL++`. |
| `parse_sflow_v5_packet_fuzz_libfuzzer.cpp` | Wrapper for fuzzing the `parse_sflow_v5_packet_fuzz` function using `libfuzzer`. |
| `process_netflow_packet_v5_fuzz.cpp` | Wrapper for fuzzing the `process_netflow_packet_v5_fuzz` function using `AFL++`. |
| `process_netflow_packet_v5_fuzz_libfuzzer.cpp` | Wrapper for fuzzing the `process_netflow_packet_v5_fuzz` function using `libfuzzer`. |
| File/Directory | Description | Run |
|----------------------------------------|-------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
@ -82,37 +79,90 @@ fuzz/
| `/scripts/minimize_out.sh` | Script for minimizing, verifying, and clustering crash outputs. | `./minimize_out.sh <path_to_out_directory> <./binary>` |
| `/scripts/start_fuzz_conf_file.sh` | Script for running fuzzing on configuration files. Launches several tmux sessions. Uses options `./fastnetmon --configuration_check --configuration_file`. | Run from the current directory without additional options. The environment is automatically set up. |
| `/scripts/start_fuzz_harness.sh` | Script for testing binary files compiled from wrappers into separate executables. Designed for wrappers compiled for `AFL++`. It sets up the environment, creates folders, and launches two tmux sessions with fuzzer instances. After fuzzing ends, it runs the `minimize_out.sh` script for crash clustering. | `./start_fuzz_harness.sh <path/to/bin>` The script will stop if no new paths are found within a certain time. By default, the time is 1 hour. To change it, modify the `TIME` variable (in seconds) inside the script. |
| `/scripts/afl_pers_mod_instr.sh` | A script that adds `AFL++` instrumentation for fuzzing in `persistent mode`. **Important! Currently used only with `netflow_collector.cpp` and `sflow_collector.cpp`** | `./afl_pers_mod_instr.sh <netflow_plugin/netflow_collector.cpp>` |
## Example of Fuzzing Run
--------------------------------
## Example of manual fuzzing launch for individual fuzzing wrappers
--------------------------------
Run the container:
```bash
docker run --privileged -it fuzz /bin/bash
```
To run AFL++ fuzzing with multi-threading enabled:
Run the container:
```bash
docker run --privileged -it fuzz /bin/bash
echo core | tee /proc/sys/kernel/core_pattern
```
**Don't forget to collect the data corpus in the in folder**
For a test run, use a single sed with a '1':
```bash
mkdir in
echo "1" >> in/1
```
To enable multi-threaded fuzzing with AFL++, we set up core dumping:
```bash
echo core | tee /proc/sys/kernel/core_pattern
```
With the standard `docker image` build, the `build_fuzz` directory will be created, inside which the fuzzing wrappers will be compiled:
With a standard docker image build, there will be a folder build_fuzz_harness where the following fuzzing wrappers will be compiled:
- `parse_sflow_v5_packet_fuzz`
- `process_netflow_packet_v5_fuzz`
To run fuzzing, we use the `start_fuzz_harness` script:
**Start fuzzing:**
```bash
afl-fuzz -i in -o out -- ./parse_sflow_v5_packet_fuzz
```
Or
```bash
/src/tests/fuzz/scripts/start_fuzz_harness.sh ./process_netflow_packet_v5_fuzz
afl-fuzz -i in -o out -- ./process_netflow_packet_v5_fuzz
```
Or
- The `build_netflow_pers_mod` folder will contain the code for fuzzing the `process_netflow_packet_v5` function via `AFL++ persistent mode`.
- The `build_sflow_pers_mod` folder will contain the code for fuzzing the `parse_sflow_v5_packet` function via `AFL++ persistent mode`.
If the build is done manually, use the `afl_pers_mod_instr.sh` script to instrument the files.
The fuzzing launch for these functions is the same, as the final executable file fastnetmon is instrumented:
```bash
/src/tests/fuzz/scripts/start_fuzz_harness.sh ./parse_sflow_v5_packet_fuzz
afl-fuzz -i in -o out -- ./fastnetmon
```
After starting, a directory `<bin_name>_fuzz_dir` will be created, containing the input and output folders.
A `tmux session` will be started with two tabs — each running an instance of the `AFL++` fuzzer.
Fuzzing will continue until no new paths are found within one hour (this timeout value can be modified in the script).
After that, the tmux session will end, and crash clustering and verification will begin with the `minimize_out.sh` script.
**IMPORTANT!**
For multi-thread fuzzing of the fastnetmon file, you need to provide a separate configuration file for each instance of the fuzzer for `fastnetmon`, specifying different ports for protocols, otherwise, the instances will conflict, and multiple threads will not be able to run.
## Example of fuzzing launch via automation script
--------------------------------
*All actions take place inside the container, where the working directory is `src`, so paths are constructed relative to this folder.*
For fuzzing, we use the `start_fuzz_harness` script.
For wrappers compiled into binary files:
```bash
/src/tests/fuzz/scripts/start_fuzz_harness.sh ./build_fuzz_harness/process_netflow_packet_v5_fuzz
```
Or
```bash
/src/tests/fuzz/scripts/start_fuzz_harness.sh ./build_fuzz_harness/parse_sflow_v5_packet_fuzz
```
For instrumenting `fastnetmon`:
```bash
/src/tests/fuzz/scripts/start_fuzz_harness.sh ./build_netflow_pers_mod/fastnetmon
```
Or
```bash
/src/tests/fuzz/scripts/start_fuzz_harness.sh ./build_sflow_pers_mod/fastnetmon
```
After launching, a directory `<bin_name>_fuzz_dir` will be created, inside which a folder `input` will be generated.
A folder `/output` will be created at the root of the system, where fuzzing output files and clustering files will be sent.
This is necessary to easily access data after fuzzing inside the container (see below).
A `tmux` session with an AFL++ fuzzer instance will be started.
Fuzzing will continue until no new paths are found within an hour (this value can be changed inside the script).
Then, the tmux session will end, and clustering and crash checking will begin using the `minimize_out.sh` script.
## Other Fuzzing Techniques
@ -133,11 +183,51 @@ How the instrumentation looks:
5. Build with the AFL++ compiler and sanitizers. No wrappers are needed for compilation.
6. Run fuzzing with: `afl-fuzz -i in -o out -- ./fastnetmon`
For these two purposes, an automation script for code instrumentation has been created.
See more details in the script `/scripts/afl_pers_mod_instr.sh`.
### Techniques That Didn't Work
### Other Fuzzing Techniques
--------------------------------
| Name | Description |
|---------------------|------------------------------------------------------------------------------------------------------|
| `AFLNet` | The characteristics of the protocol (lack of feedback) prevent the use of this fuzzer. |
| `desock` | Code instrumentation is successful, but the fuzzer does not start and cannot collect feedback. I consider this method **promising**, but the fuzzer requires adjustments. |
| `libfuzzer` | Wrappers for `libfuzzer` were written and implemented into cmake, but due to the peculiarities of the build and the project's focus on fuzzing via `AFL++`, they were removed from the project. Commit with a working [`libfuzzer`] wrappers (https://github.com/pavel-odintsov/fastnetmon/commit/c3b72c18f0bc7f43b535a5da015c3954d716be22)
## Fuzzing Launch in Docker Container
### A Few Words for Context
Each fuzzer thread requires one system thread.
The `start_fuzz_harness.sh` script includes a time limit for fuzzing.
The `TIME` variable is responsible for the "last path found" time parameter.
If this parameter stops resetting, it means the fuzzer has hit a deadlock and there's no point in continuing fuzzing.
From empirical experience, this parameter should be set to 2 hours. The project has it set to 1 hour.
If shallow testing is needed, this parameter can be reduced to 10-15 minutes, making the total fuzzing time last a few hours.
### Build and Launch
Build:
```bash
cd fastnetmon
docker build -f tests/Dockerfile.ubuntu-24.04-afl++ -t fuzz .
```
Launch the container:
```
mkdir work
docker run -v $(pwd)/work:/output --privileged -it fuzz /bin/bash -c "/src/tests/fuzz/scripts/start_fuzz_harness.sh ./build_netflow_pers_mod/fastnetmon"
```
This method can be used to launch any wrapper / binary file by simply providing the command from the *Example of fuzzing launch via automation script* section in quotes after the `-c` argument.
After fuzzing is completed, the results will be placed in the host system's work folder—both the results folder and the clustering folder will be there.
The container will have a status exit. It can be manually restarted to check for crashes.

125
src/tests/fuzz/README_rus.md
View File

File diff suppressed because one or more lines are too long

6
src/tests/fuzz/parse_sflow_v5_packet_fuzz.cpp
View File

@ -44,12 +44,8 @@ __AFL_FUZZ_INIT();
int main(int argc, char** argv) {
uint32_t client_ipv4_address = 128;
std::string ip_add = "192.168.0.1";
uint16_t version = 5;
unsigned char* udp_buffer = __AFL_FUZZ_TESTCASE_BUF;
udp_buffer[0] = (version >> 8) & 0xFF; // Higher byte
udp_buffer[1] = version & 0xFF;
while (__AFL_LOOP(10000)) {
unsigned int received_bytes = __AFL_FUZZ_TESTCASE_LEN;
parse_sflow_v5_packet( (uint8_t*)udp_buffer, received_bytes, client_ipv4_address);

49
src/tests/fuzz/parse_sflow_v5_packet_fuzz_libfuzzer.cpp
View File

@ -1,49 +0,0 @@
#include "../../abstract_subnet_counters.hpp"
#include "../../fastnetmon_configuration_scheme.hpp"
#include "../../bgp_protocol_flow_spec.hpp"
#include "../../netflow_plugin/netflow_collector.hpp"
#include "../../sflow_plugin/sflow_collector.hpp"
#include "../../fastnetmon_logic.hpp"
log4cpp::Category& logger = log4cpp::Category::getRoot();
time_t current_inaccurate_time = 0;
fastnetmon_configuration_t fastnetmon_global_configuration;
packet_buckets_storage_t<subnet_ipv6_cidr_mask_t> packet_buckets_ipv6_storage;
bool DEBUG_DUMP_ALL_PACKETS = false;
bool DEBUG_DUMP_OTHER_PACKETS = false;
uint64_t total_ipv6_packets = 0;
uint64_t total_ipv4_packets = 0;
patricia_tree_t *lookup_tree_ipv4;
patricia_tree_t *lookup_tree_ipv6;
uint64_t total_flowspec_whitelist_packets = 0;
uint64_t total_simple_packets_processed = 0;
uint64_t unknown_ip_version_packets = 0;
bool process_incoming_traffic = true;
bool process_outgoing_traffic = true;
bool enable_connection_tracking = true;
std::vector<flow_spec_rule_t> static_flowspec_based_whitelist;
packet_buckets_storage_t<uint32_t> packet_buckets_ipv4_storage;
total_speed_counters_t total_counters_ipv4;
total_speed_counters_t total_counters_ipv6;
abstract_subnet_counters_t<subnet_ipv6_cidr_mask_t, subnet_counter_t> ipv6_network_counters;
abstract_subnet_counters_t<subnet_ipv6_cidr_mask_t, subnet_counter_t> ipv6_host_counters;
abstract_subnet_counters_t<subnet_cidr_mask_t, subnet_counter_t> ipv4_network_counters;
abstract_subnet_counters_t<uint32_t, subnet_counter_t> ipv4_host_counters;
map_of_vector_counters_for_flow_t SubnetVectorMapFlow;
std::mutex flow_counter_mutex;
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
if (Size < 2) {
return 0;
}
uint32_t client_ipv4_address = 128;
std::string ip_add = "192.168.0.1";
process_netflow_packet((unsigned char *)Data, Size, ip_add, client_ipv4_address);
return 0;
}

4
src/tests/fuzz/process_netflow_packet_v5_fuzz.cpp
View File

@ -44,12 +44,8 @@ __AFL_FUZZ_INIT();
int main(int argc, char** argv) {
uint32_t client_ipv4_address = 128;
std::string ip_add = "192.168.0.1";
uint16_t version = 5;
unsigned char* udp_buffer = __AFL_FUZZ_TESTCASE_BUF;
udp_buffer[0] = (version >> 8) & 0xFF; // Higher byte
udp_buffer[1] = version & 0xFF;
while (__AFL_LOOP(10000)) {
unsigned int received_bytes = __AFL_FUZZ_TESTCASE_LEN;
process_netflow_packet(udp_buffer, received_bytes, ip_add, client_ipv4_address);

54
src/tests/fuzz/process_netflow_packet_v5_fuzz_libfuzzer.cpp
View File

@ -1,54 +0,0 @@
#include "../../abstract_subnet_counters.hpp"
#include "../../fastnetmon_configuration_scheme.hpp"
#include "../../bgp_protocol_flow_spec.hpp"
#include "../../netflow_plugin/netflow_collector.hpp"
#include "../../sflow_plugin/sflow_collector.hpp"
#include "../../fastnetmon_logic.hpp"
log4cpp::Category& logger = log4cpp::Category::getRoot();
time_t current_inaccurate_time = 0;
fastnetmon_configuration_t fastnetmon_global_configuration;
packet_buckets_storage_t<subnet_ipv6_cidr_mask_t> packet_buckets_ipv6_storage;
bool DEBUG_DUMP_ALL_PACKETS = false;
bool DEBUG_DUMP_OTHER_PACKETS = false;
uint64_t total_ipv6_packets = 0;
uint64_t total_ipv4_packets = 0;
patricia_tree_t *lookup_tree_ipv4;
patricia_tree_t *lookup_tree_ipv6;
uint64_t total_flowspec_whitelist_packets = 0;
uint64_t total_simple_packets_processed = 0;
uint64_t unknown_ip_version_packets = 0;
bool process_incoming_traffic = true;
bool process_outgoing_traffic = true;
bool enable_connection_tracking = true;
std::vector<flow_spec_rule_t> static_flowspec_based_whitelist;
packet_buckets_storage_t<uint32_t> packet_buckets_ipv4_storage;
total_speed_counters_t total_counters_ipv4;
total_speed_counters_t total_counters_ipv6;
abstract_subnet_counters_t<subnet_ipv6_cidr_mask_t, subnet_counter_t> ipv6_network_counters;
abstract_subnet_counters_t<subnet_ipv6_cidr_mask_t, subnet_counter_t> ipv6_host_counters;
abstract_subnet_counters_t<subnet_cidr_mask_t, subnet_counter_t> ipv4_network_counters;
abstract_subnet_counters_t<uint32_t, subnet_counter_t> ipv4_host_counters;
map_of_vector_counters_for_flow_t SubnetVectorMapFlow;
std::mutex flow_counter_mutex;
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
if (Size < 2) {
return 0; // Минимальный размер данных для обработки
}
uint32_t client_ipv4_address = 128;
uint16_t version = (Data[0] << 8) | Data[1]; // Версия из первых двух байт
// Вызов функции парсинга пакетов
parse_sflow_v5_packet(Data, Size, client_ipv4_address);
return 0; // Успешное завершение обработки
}

28
src/tests/fuzz/scripts/afl_pers_mod_instr.sh Executable file
View File

@ -0,0 +1,28 @@
#!/bin/bash
if [ "$#" -ne 1 ]; then
echo "Usage: $0 <file>"
echo "Example: $0 sflow_plugin/sflow_collector.cpp"
echo "Example: $0 netflow_plugin/netflow_collector.cpp"
exit 1
fi
FILE=$1
# Проверяем, что файл существует
if [ ! -f "$FILE" ]; then
echo "Error: File $FILE does not exist."
exit 1
fi
# ADd __AFL_FUZZ_INIT() in beginnig of file
sed -i '1i __AFL_FUZZ_INIT();' "$FILE"
# Change while(true) by while(__AFL_LOOP(10000))
sed -i 's/while\s*(\s*true\s*)/while (__AFL_LOOP(10000))/' "$FILE"
sed -i 's/char \s*udp_buffer\s*\[\s*udp_buffer_size\s*\]/unsigned char * udp_buffer = __AFL_FUZZ_TESTCASE_BUF;/' "$FILE"
sed -i 's/int received_bytes = recvfrom([^;]*);/int received_bytes = __AFL_FUZZ_TESTCASE_LEN;/' "$FILE"
echo "Instrumentation completed for file: $FILE"

3
src/tests/fuzz/scripts/minimize_out.sh
View File

@ -47,4 +47,5 @@ for file in "$out_dir"/*/crashes/*; do
fi
done
casr-cluster -c "new_out" out-cluster
casr-cluster -c "new_out" out-cluster
cp -r out-cluster $out_dir/

8
src/tests/fuzz/scripts/start_fuzz_conf_file.sh
View File

@ -3,8 +3,8 @@
SESSION_NAME="config_file_fuzz"
INPUT_DIR="./input"
OUTPUT_DIR="./output"
TARGET_PROGRAM="/src/build_fuzz/fastnetmon"
OUTPUT_DIR="/output"
TARGET_PROGRAM="/src/build_fuzz_harness/fastnetmon"
if [ ! -d "$INPUT_DIR" ]; then
echo "Input directory '$INPUT_DIR' does not exist. Creating it..."
@ -25,9 +25,11 @@ fi
echo "1" >> "$INPUT_DIR"/1
echo "a" >> "$INPUT_DIR"/2
echo core | tee /proc/sys/kernel/core_pattern
tmux new-session -d -s $SESSION_NAME -n afl1
tmux send-keys -t ${SESSION_NAME}:afl1 "afl-fuzz -i $INPUT_DIR -o $OUTPUT_DIR -m none -M master -- $TARGET_PROGRAM --configuration_check --configuration_file @@" C-m
tmux new-window -t $SESSION_NAME -n afl2
tmux send-keys -t ${SESSION_NAME}:afl2 "afl-fuzz -i $INPUT_DIR -o $OUTPUT_DIR -m none -S fuzzer02 -- $TARGET_PROGRAM --configuration_check --configuration_file @@" C-m
tmux send-keys -t ${SESSION_NAME}:afl2 "afl-fuzz -i $INPUT_DIR -o $OUTPUT_DIR -m none -S slave -- $TARGET_PROGRAM --configuration_check --configuration_file @@" C-m
tmux select-window -t ${SESSION_NAME}:afl1
tmux attach-session -t $SESSION_NAME

15
src/tests/fuzz/scripts/start_fuzz_harness.sh
View File

@ -3,6 +3,8 @@
# Check if two arguments are provided
if [ $# -ne 1 ]; then
echo "Usage: $0 <./bin>"
echo "Example: $0 ../../../build_fuzz_harness/parse_sflow_v5_packet_fuzz"
echo "Example: $0 ../../../build_fuzz_harness/process_netflow_packet_v5_fuzz"
exit 1
fi
TARGET_PROGRAM="$1"
@ -10,13 +12,15 @@ TARGET_PROGRAM="$1"
ASAN_OPTIONS="detect_odr_violation=0:abort_on_error=1:symbolize=0"
TIME_STOP=3600
SESSION_NAME="process_netflow_packet_v5_fuzz"
INPUT_DIR="./input"
OUTPUT_DIR="./output"
OUTPUT_DIR="/output"
DIR_NAME=$(basename $1)_dir
DICT="/AFLplusplus/dictionaries/pcap.dict"
MINIMIZE_SCRIPT=/src/tests/fuzz/scripts/minimize_out.sh
SESSION_NAME="$DIR_NAME"
if [ ! -d "$DIR_NAME" ]; then
echo "Work directory '$DIR_NAME' does not exist. Creating it..."
mkdir -p "$DIR_NAME"
@ -45,13 +49,14 @@ if [ ! -x "$MINIMIZE_SCRIPT" ]; then
exit 1
fi
echo core | tee /proc/sys/kernel/core_pattern
wget https://raw.githubusercontent.com/catalyst/openstack-sflow-traffic-billing/refs/heads/master/examples/sample-sflow-packet -O input/1
echo "1" >> input/2
tmux new-session -d -s $SESSION_NAME -n master
tmux send-keys -t ${SESSION_NAME}:master "ASAN_OPTIONS=$ASAN_OPTIONS AFL_EXIT_ON_TIME=$TIME_STOP afl-fuzz -i $INPUT_DIR -o $OUTPUT_DIR -x $DICT -m none -M master -- ./$TARGET_PROGRAM " C-m
tmux new-window -t $SESSION_NAME -n slave
tmux send-keys -t ${SESSION_NAME}:slave "ASAN_OPTIONS=$ASAN_OPTIONS AFL_EXIT_ON_TIME=$TIME_STOP afl-fuzz -i $INPUT_DIR -o $OUTPUT_DIR -x $DICT -m none -S fuzzer02 -- ./$TARGET_PROGRAM " C-m
tmux select-window -t ${SESSION_NAME}:slave
tmux select-window -t ${SESSION_NAME}:master
tmux attach-session -t $SESSION_NAME

46
tests/Dockerfile.ubuntu-24.04-afl++
View File

@ -42,30 +42,40 @@ RUN cp notify_about_attack.sh /usr/local/bin/notify_about_attack.sh && \
mkdir -p /var/log/fastnetmon_attacks
# build dir for AFL++ fuzzing
RUN mkdir build_fuzz && cd build_fuzz && \
RUN mkdir build_fuzz_harness && cd build_fuzz_harness && \
cmake .. -DLINK_WITH_ABSL=ON -DENABLE_FUZZ_TEST=ON -DCMAKE_CXX_COMPILER=afl-clang-lto++ \
-DCMAKE_CXX_FLAGS="-g -O0 -ggdb3 -fsanitize=address,bounds,undefined,null,float-divide-by-zero" && \
make -j$(nproc)
# build dir for libfuzzer fuzzing
RUN mkdir build_libfuzz && cd build_libfuzz && \
cmake .. -DLINK_WITH_ABSL=ON -DENABLE_FUZZ_TEST_LIBFUZZER=ON -DCMAKE_CXX_COMPILER=clang++ \
# build dir for AFL++ fuzzing
RUN tests/fuzz/scripts/afl_pers_mod_instr.sh netflow_plugin/netflow_collector.cpp && \
mkdir build_netflow_pers_mod && cd build_netflow_pers_mod && \
cmake .. -DLINK_WITH_ABSL=ON -DCMAKE_CXX_COMPILER=afl-clang-lto++ \
-DCMAKE_CXX_FLAGS="-g -O0 -ggdb3 -fsanitize=address,bounds,undefined,null,float-divide-by-zero" && \
make -j$(nproc)
make -j$(nproc) fastnetmon
# build dir for desock
RUN mkdir build_desock && cd build_desock && \
cmake .. -DLINK_WITH_ABSL=ON -DENABLE_FUZZ_TEST_DESOCK=ON -DCMAKE_CXX_COMPILER=afl-clang-lto++ \
RUN tests/fuzz/scripts/afl_pers_mod_instr.sh sflow_plugin/sflow_collector.cpp && \
mkdir build_sflow_pers_mod && cd build_sflow_pers_mod && \
cmake .. -DLINK_WITH_ABSL=ON -DCMAKE_CXX_COMPILER=afl-clang-lto++ \
-DCMAKE_CXX_FLAGS="-g -O0 -ggdb3 -fsanitize=address,bounds,undefined,null,float-divide-by-zero" && \
make -j$(nproc)
make -j$(nproc) fastnetmon
# dir for verifying crashes and debug harnesses
RUN mkdir build_debug && cd build_debug && \
cmake .. -DCMAKE_BUILD_TYPE=Debug -DLINK_WITH_ABSL=ON -DENABLE_FUZZ_TEST=ON -DCMAKE_CXX_COMPILER=afl-clang-lto++ \
-DCMAKE_CXX_FLAGS="-g -O0 -ggdb3" && \
make -j$(nproc)
# Uncomment this section if you plan to debug the code.
# # build dir for desock
# RUN mkdir build_desock && cd build_desock && \
# cmake .. -DLINK_WITH_ABSL=ON -DENABLE_FUZZ_TEST_DESOCK=ON -DCMAKE_CXX_COMPILER=afl-clang-lto++ \
# -DCMAKE_CXX_FLAGS="-g -O0 -ggdb3 -fsanitize=address,bounds,undefined,null,float-divide-by-zero" && \
# make -j$(nproc)
# # dir for verifying crashes and debug harnesses
# RUN mkdir build_debug && cd build_debug && \
# cmake .. -DCMAKE_BUILD_TYPE=Debug -DLINK_WITH_ABSL=ON -DENABLE_FUZZ_TEST=ON -DCMAKE_CXX_COMPILER=afl-clang-lto++ \
# -DCMAKE_CXX_FLAGS="-g -O0 -ggdb3" && \
# make -j$(nproc)
# dir for verifying crashes on vanilla binary
RUN mkdir build_clean && cd build_clean && \
cmake .. -DLINK_WITH_ABSL=ON && \
make -j$(nproc)
# # dir for verifying crashes on vanilla binary
# RUN mkdir build_clean && cd build_clean && \
# cmake .. -DLINK_WITH_ABSL=ON && \
# make -j$(nproc) fastnetmon