C++ / C#
slinkinone, 2018-03-05 23:22:30

Blackbox fuzzing - how does the input data mutate in the absence of source code (llvm, clang, libFuzzer)?

Good day!
The question is about fuzzing with the libFuzzer library.
As I understand it, when using libFuzzer (github), we compile the code using clang with sanitizer flags:

`-fsanitize=address -fsanitize-coverage=trace-pc-guard`

trace-pc-guard is responsible for building code coverage, based on which the input data will be mutated in order to reach "untraversed sections" of the code.
Is the following true:
If the application being fuzzed links a library (let it be libStatistic.so, compiled with gcc and without a sanitizer) and calls its functions, then hooks and callbacks will not be inserted into the code (asm) of the called library, as a result of which the code coverage will be "incomplete", the mutation non-optimal, and the fuzzer's efficiency reduced?

1 answer(s)
Dor1s, 2018-03-15
@slinkinone

Yes, that's right. The fuzzer will not receive coverage information from code that is not instrumented.
By the way, in recent versions it's better to compile with the `-fsanitize=fuzzer` flag instead of `-fsanitize-coverage=%something%`. This option enables a whole set of instrumentation features.
llvm.org/docs/LibFuzzer.html#fuzzer-usage
I've seen the following project which seems to allow you to instrument binaries and use libFuzzer, but no idea how well it actually works: https://github.com/trailofbits/mcsema /blob/master/...
When I was last interested, they answered that it does not work very well with large projects: https://twitter.com/Dor3s/status/841661600473976833
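An added example for the scenario in the question (not code from the question, the answer, or the libFuzzer project): a minimal libFuzzer target that calls into an external library, with the build lines that decide whether that library contributes coverage. `libStatistic.so`, `statistic.cpp`, `harness.cpp` and `compute_mean` are hypothetical names; the library half is kept in this one file so it compiles stand-alone, while the build lines assume it sits in its own `statistic.cpp`.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// --- hypothetical library code (imagine this lives in libStatistic.so) ---
// Returns the mean of n 32-bit samples, or 0 for an empty input.
int32_t compute_mean(const int32_t* samples, size_t n) {
    if (n == 0) return 0;
    int64_t sum = 0;
    for (size_t i = 0; i < n; ++i) sum += samples[i];
    return static_cast<int32_t>(sum / static_cast<int64_t>(n));
}

// --- fuzz target: libFuzzer calls this once per mutated input ---
// The raw bytes are interpreted as a little-endian int32_t array; trailing
// bytes that do not fill a whole sample are dropped.
extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
    size_t n = size / sizeof(int32_t);
    std::vector<int32_t> samples(n);
    if (n > 0) std::memcpy(samples.data(), data, n * sizeof(int32_t));
    volatile int32_t sink = compute_mean(samples.data(), n);  // keep the call alive
    (void)sink;
    return 0;  // must return 0; bugs surface as sanitizer reports, not return codes
}

// Build lines (assumed layout: harness.cpp plus statistic.cpp -> libStatistic.so).
//
// 1) Library built with gcc and no sanitizer, exactly as in the question: the
//    fuzzer gets NO coverage signal from compute_mean, so mutations are steered
//    only by the few edges inside LLVMFuzzerTestOneInput.
//      g++ -shared -fPIC statistic.cpp -o libStatistic.so
//
// 2) Library rebuilt with clang and coverage callbacks, but WITHOUT linking
//    libFuzzer's main (a shared object must not carry it): every branch in
//    compute_mean now feeds the coverage map.
//      clang++ -fsanitize=fuzzer-no-link,address -shared -fPIC statistic.cpp -o libStatistic.so
//
// 3) The fuzz target: -fsanitize=fuzzer instruments it AND links libFuzzer's main.
//      clang++ -fsanitize=fuzzer,address harness.cpp -L. -lStatistic -o fuzz_stat
//      ./fuzz_stat corpus/
```

Comparing the `cov:` counter libFuzzer prints at startup for builds 1 and 2 is the quickest way to confirm whether the library's edges are being counted.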
