Add extractor for libfuzzer data generator

Author: P1umer

utils/aflpp_extractor/Makefile

@@ -0,0 +1,42 @@
+ifeq "" "$(LLVM_CONFIG)"
+  LLVM_CONFIG=llvm-config
+endif
+
+ifeq "$(shell uname -s)" "Darwin"
+  # On some odd MacOS system configurations, the Xcode sdk path is not set correctly
+  SDK_LD = -L$(shell xcrun --show-sdk-path)/usr/lib
+  LDFLAGS += $(SDK_LD)
+endif
+
+ifeq "" "$(LLVM_CONFIG)"
+  LLVM_CONFIG := llvm-config
+endif
+LLVM_BINDIR = $(shell $(LLVM_CONFIG) --bindir 2>/dev/null)
+ifneq "" "$(LLVM_BINDIR)"
+  ifeq "$(shell test -x $(LLVM_BINDIR)/clang && echo 1)" "1"
+    CC := $(LLVM_BINDIR)/clang
+  endif
+endif
+CC := clang
+CFLAGS := -O3 -funroll-loops -g -fPIC
+
+all:    libAFLExtractor.a  reproducer
+
+extractor.o: extractor.c
+	-$(CC) -I. -I../../include $(CFLAGS) -c extractor.c
+
+extractor_test.o: extractor_test.c
+	-$(CC) -I. -I../../include $(CFLAGS) -c extractor_test.c
+
+libAFLExtractor.a:      extractor.o
+	@ar rc libAFLExtractor.a extractor.o
+	# @cp -vf libAFLExtractor.a ../../
+
+libExtractorTest.a:     extractor_test.o
+	@ar rc libExtractorTest.a extractor_test.o
+
+reproducer: libAFLExtractor.a libExtractorTest.a
+	/Users/p1umer/Git/AFLplusplus/afl-clang-fast -D_DEBUG=\"1\" -I../../include -Wl -funroll-loops -o reproducer libExtractorTest.a libAFLExtractor.a reproducer.c
+
+clean:
+	rm -f *.o *.a *~ core reproducer

utils/aflpp_extractor/afl_ext.h

@@ -0,0 +1,25 @@
+// Copyright 2023 P1umer
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+typedef struct mutate_helper {
+    uint8_t *buf;
+    size_t len;
+} mutate_helper_t;
+
+// extern function used in AFL++
+extern mutate_helper_init();
+extern size_t mutate_helper_generate(unsigned char *buf, size_t buf_size);
+extern uint8_t* mutate_helper_buffer();
+extern size_t mutate_helper_buffer_size();
+
+

utils/aflpp_extractor/extractor.c

@@ -0,0 +1,105 @@
+// Copyright 2023 P1umer
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+#include <signal.h>
+#include <execinfo.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+#include "extractor.h"
+
+// libFuzzer interface is thin, so we don't include any libFuzzer headers.
+__attribute__((weak)) int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
+__attribute__((weak)) int LLVMFuzzerInitialize(int *argc, char ***argv){
+  // Default implementation does nothing
+  return 0;
+}
+
+#define INITIAL_SIZE (100)
+#define MAX_LENGTH(x, y) ( ((x) > (y)) ? (x) : y )
+
+// #define kMaxAflInputSize (1 * 1024 * 1024)
+// static uint8_t AflInputBuf[kMaxAflInputSize];
+static mutate_helper_t* afl_mutate_helper;
+
+void fake_init() {
+    int fake_argc = 3;
+
+    char *fake_argv_arr[] = {
+        "fake1",
+        "fake2",
+        "fake3"
+    };
+
+    char **fake_argv = malloc(fake_argc * sizeof(char *));
+    if (!fake_argv) {
+        perror("Failed to allocate memory for fake_argv");
+        // return 1;
+    }
+
+    for (int i = 0; i < fake_argc; i++) {
+        fake_argv[i] = fake_argv_arr[i];
+    }
+    if (LLVMFuzzerInitialize) {
+        LLVMFuzzerInitialize(&fake_argc, &fake_argv);
+    }
+}
+
+void mutate_helper_init() {
+    afl_mutate_helper = (mutate_helper_t *)calloc(1, sizeof(mutate_helper_t));
+    afl_mutate_helper->len = INITIAL_SIZE;
+    afl_mutate_helper->buf = (uint8_t *)calloc(1, afl_mutate_helper->len);
+    if (!afl_mutate_helper->buf) perror("mutate_helper_init");
+    fake_init();
+}
+
+size_t mutate_helper_generate(unsigned char *buf, size_t buf_size) {
+    return LLVMFuzzerTestOneInput(buf, buf_size);
+}
+
+void mutate_helper_realloc_buf(size_t length) {
+
+    if (afl_mutate_helper->len <= length) {
+        // double length
+        size_t old_length = afl_mutate_helper->len;
+        afl_mutate_helper->len = length * 2;
+        afl_mutate_helper->buf = (uint8_t *)realloc(afl_mutate_helper->buf, afl_mutate_helper->len);
+        if (!afl_mutate_helper->buf) {
+            perror("mutate_helper_realloc");
+            return;
+        }
+    }
+
+    memset(afl_mutate_helper->buf, 0, afl_mutate_helper->len);
+}
+
+void mutate_helper_buffer_copy(unsigned char *buf, size_t buf_size){
+    mutate_helper_realloc_buf(buf_size);
+    // Clear only the newly allocated portion of the buffer
+    memcpy(afl_mutate_helper->buf, buf, buf_size);
+
+}
+
+uint8_t* mutate_helper_buffer(){
+    return afl_mutate_helper->buf;
+}
+
+size_t mutate_helper_buffer_size(){
+    return afl_mutate_helper->len;
+}
+
+#undef MAX_LENGTH
+#undef INITIAL_SIZE
+

utils/aflpp_extractor/extractor.h

@@ -0,0 +1,33 @@
+// Copyright 2023 P1umer
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+#include <stddef.h>
+#include <stdint.h>
+#include <stdlib.h>
+
+typedef struct mutate_helper {
+    uint8_t *buf;
+    size_t len;
+} mutate_helper_t;
+
+// extern function used in AFL++
+void fake_init();
+void mutate_helper_init();
+size_t mutate_helper_generate(unsigned char *buf, size_t buf_size);
+uint8_t* mutate_helper_buffer();
+size_t mutate_helper_buffer_size();
+
+void mutate_helper_realloc_buf(size_t length);
+
+// extern function used in Libfuzzer
+void mutate_helper_buffer_copy(unsigned char *buf, size_t buf_size);

utils/aflpp_extractor/extractor_test.c

@@ -0,0 +1,53 @@
+// Copyright 2023 P1umer
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+#include <stddef.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+// Simple target function to check if input contains "++".
+int target_function(const uint8_t *data, size_t size) {
+  for (size_t i = 0; i < size - 1; ++i) {
+    if (data[i] == '+' && data[i + 1] == '+') {
+      return 1;
+    }
+  }
+  return 0;
+}
+
+#include "fuzzer_ext.h"
+
+// libFuzzer's required entry point.
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  size_t new_size = size + 2; // Adding 2 for "++"
+  uint8_t *modified_data = (uint8_t *)malloc(new_size);
+  memcpy(modified_data, data, size);
+  modified_data[size] = '+';
+  modified_data[size + 1] = '+';
+
+// extractor start
+
+  mutate_helper_buffer_copy(modified_data, size + 2);
+
+// extractor end
+
+  // int result = target_function(modified_data, new_size);
+
+  free(modified_data);
+  // return result;
+  return 0;
+}
+
+

utils/aflpp_extractor/fuzzer_ext.h

@@ -0,0 +1,25 @@
+// Copyright 2023 P1umer
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+typedef struct mutate_helper {
+    uint8_t *buf;
+    size_t len;
+} mutate_helper_t;
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+    extern void mutate_helper_buffer_copy(unsigned char *buf, size_t buf_size);
+#ifdef __cplusplus
+}
+#endif 

utils/aflpp_extractor/reproducer.c

@@ -0,0 +1,73 @@
+// Copyright 2023 P1umer
+
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+
+//     http://www.apache.org/licenses/LICENSE-2.0
+
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+#include <stddef.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "afl_ext.h"
+
+int main(int argc, char* argv[]) {
+
+  mutate_helper_init();
+
+  if (argc < 3) {
+    fprintf(stderr, "USAGE: %s <input> <output>\n", argv[0]);
+    return 1;
+  }
+
+  FILE* input = fopen(argv[1], "rb");
+
+  if (!input) {
+    fprintf(stderr, "Failed to open '%s'\n", argv[1]);
+    return 1;
+  }
+
+  fseek(input, 0, SEEK_END);
+  size_t size = ftell(input);
+  fseek(input, 0, SEEK_SET);
+
+  uint8_t* data = (uint8_t*)(malloc(size));
+  if (!data) {
+    fclose(input);
+    fprintf(stderr, "Failed to allocate %zu bytes\n", size);
+    return 1;
+  }
+
+  size_t bytes_read = fread(data, 1, size, input);
+  fclose(input);
+
+  if (bytes_read != (size_t)(size)) {
+    free(data);
+    fprintf(stderr, "Failed to read %s\n", argv[1]);
+    return 1;
+  }
+
+  printf("[+] prev data: %s\n", data);
+
+  mutate_helper_generate(data, size);
+  int result = mutate_helper_buffer_size();
+  uint8_t* transfer =  mutate_helper_buffer();
+  
+  printf("[+] result data: %d\n %s\n", result,transfer);
+
+  FILE* output=fopen(argv[2],"wb");
+  fwrite(transfer, 1,result, output);
+
+  free(data);
+
+  // MutateHelper_C_delete();
+
+  return result;
+}