GDBFuzz: a hardware-breakpoint-based fuzzing tool for embedded systems
Alpha_h4ck 2024-07-02 20:04:18

About GDBFuzz

GDBFuzz is a fuzzing tool that lets researchers fuzz embedded systems using the target's hardware breakpoints as the coverage signal.


The idea behind GDBFuzz is to use the microcontroller's hardware breakpoints as the feedback for coverage-guided fuzzing: a breakpoint placed on a basic block that has not been executed yet fires exactly when an input reaches new code, so no instrumentation of the firmware is needed. Because a core only exposes a handful of hardware breakpoints, they have to be placed on a subset of the unreached blocks and rotated over time (see max_breakpoints and until_rotate_breakpoints in the configuration below). GDB is used as the generic interface so that any target reachable through a GDB server can be fuzzed. For the binary analysis of the firmware (recovering the control-flow graph that the breakpoints are chosen from), GDBFuzz uses Ghidra.
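To make that feedback loop concrete, here is an added simulation (not code from the GDBFuzz project) of how a small hardware-breakpoint budget yields coverage information: breakpoints are placed on random unreached basic blocks, a hit marks the block and every block that dominates it as reached and frees the slot, inputs that hit a breakpoint are kept as new seeds, and breakpoints are rotated after a number of inputs without any hit. The CFG, the stand-in target, the mutator and all function names are constructed for this example; the two flags mirror the NoDom and NoCorpus strategy variants named in the configuration section.

```python
"""Hardware-breakpoint coverage feedback, simulated in Python.

Added example, not code from the GDBFuzz project. The CFG, the stand-in
firmware (execute), the mutator and every function name are constructed here.
"""
import random

# Constructed CFG of a toy parser: basic block -> successor blocks.
CFG = {
    "main": ["parse"],
    "parse": ["ok", "err"],
    "ok": ["exit"],
    "err": ["handle_err"],
    "handle_err": ["exit"],
    "exit": [],
}
ENTRY = "main"


def dominators(cfg, entry):
    """Dominator sets by fixed-point iteration: dom(n) = {n} | intersection of dom(p) over preds p."""
    nodes = list(cfg)
    preds = {n: [] for n in nodes}
    for n, succs in cfg.items():
        for s in succs:
            preds[s].append(n)
    dom = {n: set(nodes) for n in nodes}
    dom[entry] = {entry}
    changed = True
    while changed:
        changed = False
        for n in nodes:
            if n == entry:
                continue
            new = {n}
            if preds[n]:
                new |= set.intersection(*(dom[p] for p in preds[n]))
            if new != dom[n]:
                dom[n], changed = new, True
    return dom


def execute(data):
    """Stand-in for the target: returns the basic blocks an input executes."""
    path = ["main", "parse"]
    path += ["ok"] if data.startswith(b"{") else ["err", "handle_err"]
    return path + ["exit"]


def mutate(data, rng):
    """Minimal mutator: overwrite one byte or insert one byte."""
    buf = bytearray(data)
    if not buf or rng.random() < 0.3:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    else:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


def fuzz(cfg, entry, seeds, max_breakpoints, until_rotate, total_inputs,
         rng, use_dominators=True, grow_corpus=True):
    """Breakpoint-guided loop; returns (reached blocks, corpus, stats).

    use_dominators=False: only the hit block itself counts as reached (NoDom).
    grow_corpus=False: inputs are never kept, i.e. black-box fuzzing with
    coverage measurement (NoCorpus).
    """
    dom = dominators(cfg, entry)
    reached = {entry}                  # the entry point executes on every run
    corpus = list(seeds)
    breakpoints = set()                # blocks currently holding a hardware breakpoint
    idle = 0
    stats = {"inputs": 0, "hits": 0, "rotations": 0}

    def place():
        # Fill the free hardware breakpoint slots with random unreached blocks.
        candidates = [n for n in cfg if n not in reached and n not in breakpoints]
        rng.shuffle(candidates)
        while candidates and len(breakpoints) < max_breakpoints:
            breakpoints.add(candidates.pop())

    place()
    while stats["inputs"] < total_inputs and breakpoints:
        child = mutate(rng.choice(corpus), rng)
        path = execute(child)
        stats["inputs"] += 1
        hit = [bp for bp in breakpoints if bp in path]
        if hit:
            for bp in hit:
                breakpoints.discard(bp)            # a hit breakpoint is deleted, freeing the slot
                reached |= dom[bp] if use_dominators else {bp}
            if grow_corpus:
                corpus.append(child)               # new coverage: keep the input as a seed
            stats["hits"] += len(hit)
            idle = 0
            place()
        else:
            idle += 1
            if idle >= until_rotate:               # no progress: move breakpoints elsewhere
                breakpoints.clear()
                place()
                stats["rotations"] += 1
                idle = 0
    return reached, corpus, stats


def run_demo(seed=1, **overrides):
    """Deterministic run on the constructed CFG with a single seed input."""
    params = dict(max_breakpoints=1, until_rotate=3, total_inputs=500)
    params.update(overrides)
    return fuzz(CFG, ENTRY, [b"x"], rng=random.Random(seed), **params)


if __name__ == "__main__":
    reached, corpus, stats = run_demo()
    print(sorted(reached), len(corpus), stats)
```

With a single breakpoint slot the loop still learns that `err` executed as soon as the breakpoint on `handle_err` fires, because `err` dominates `handle_err`; that inference is what the NoDom variant gives up, at the cost of more breakpoint placements for the same coverage.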

Requirements

Java

Python 3

Installation

Note: GDBFuzz has been tested on Ubuntu 20.04 LTS and on 32-bit Raspberry Pi OS.

First install and configure current versions of Java and Python 3 on the local machine, then create a new virtual environment and install all dependencies:

virtualenv .venv

source .venv/bin/activate

make

chmod a+x ./src/GDBFuzz/main.py

Usage

Running a local example

GDBFuzz reads its settings from a configuration file with the following keys:

[SUT]

# Path to the binary file of the SUT.

# This can, for example, be an .elf file or a .bin file.

binary_file_path = <path>

 

# Address of the root node of the CFG.

# Breakpoints are placed at nodes of this CFG.

# e.g. 'LLVMFuzzerTestOneInput' or 'main'

entrypoint = <entrypoint>

 

# Number of inputs that must be executed without a breakpoint hit until

# breakpoints are rotated.

until_rotate_breakpoints = <number>

 

 

# Maximum number of breakpoints that can be placed at any given time.

max_breakpoints = <number>

 

# Blacklist functions that shall be ignored.

# ignore_functions is a space separated list of function names e.g. 'malloc free'.

ignore_functions = <space separated list>

 

# One of {Hardware, QEMU, SUTRunsOnHost}

# Hardware: An external component starts a gdb server and GDBFuzz can connect to this gdb server.

# QEMU: GDBFuzz starts QEMU. QEMU emulates binary_file_path and starts gdbserver.

# SUTRunsOnHost: GDBFuzz starts the target program within GDB.

target_mode = <mode>

 

# Set this to False if you want to start ghidra, analyze the SUT,

# and start the ghidra bridge server manually.

start_ghidra = True

 

 

# Space separated list of addresses where software breakpoints (for error

# handling code) are set. Execution of those is considered a crash.

# Example: software_breakpoint_addresses = 0x123 0x432

software_breakpoint_addresses =

 

 

# Whether all triggered software breakpoints are considered as crash

consider_sw_breakpoint_as_error = False

 

[SUTConnection]

# The class 'SUT_connection_class' in file 'SUT_connection_path' implements

# how inputs are sent to the SUT.

# Inputs can, for example, be sent over Wi-Fi, Serial, Bluetooth, ...

# This class must inherit from ./connections/SUTConnection.py.

# See ./connections/SUTConnection.py for more information.

SUT_connection_file = FIFOConnection.py

 

[GDB]

path_to_gdb = gdb-multiarch

#Written in address:port

gdb_server_address = localhost:4242

 

[Fuzzer]

# In Bytes

maximum_input_length = 100000

# In seconds

single_run_timeout = 20

# In seconds

total_runtime = 3600

 

# Optional

# Path to a directory where each file contains one seed. If you don't want to

# use seeds, leave the value empty.

seeds_directory =

 

[BreakpointStrategy]

# Strategies to choose basic blocks are located in

# 'src/GDBFuzz/breakpoint_strategies/'

# For the paper we use the following strategies

# 'RandomBasicBlockStrategy.py' - Randomly choosing unreached basic blocks

# 'RandomBasicBlockNoDomStrategy.py' - Like previous, but doesn't use dominance relations to derive transitively reached nodes.

# 'RandomBasicBlockNoCorpusStrategy.py' - Like first, but prevents growing the input corpus and therefore behaves like blackbox fuzzing with coverage measurement.

# 'BlackboxStrategy.py', - Doesn't set any breakpoints

breakpoint_strategy_file = RandomBasicBlockStrategy.py

 

[Dependencies]

path_to_qemu = dependencies/qemu/build/x86_64-linux-user/qemu-x86_64

path_to_ghidra = dependencies/ghidra

 

 

[LogsAndVisualizations]

# One of {DEBUG, INFO, WARNING, ERROR, CRITICAL}

loglevel = INFO

 

# Path to a directory where output files (e.g. graphs, logfiles) are stored.

output_directory = ./output

 

# If set to True, an MQTT client sends UI elements (e.g. graphs)

enable_UI = False

A sample configuration file is provided in the project's ./example_programs/ directory, and benchmark/benchSUTs/GDBFuzz_wrapper/common/ contains a sample program that can be fuzzed.

The following commands fuzz the target program directly:

chmod a+x ./example_programs/json-2017-02-12

./src/GDBFuzz/main.py --config ./example_programs/fuzz_json.cfg
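Before committing to an hour-long campaign it is worth validating the configuration file offline. The following added check (not part of GDBFuzz) parses a config with the keys listed above using Python's configparser and reports the mistakes that would otherwise surface only once gdb or the target is attached: an unknown target_mode, a breakpoint budget larger than the target's hardware actually provides, malformed software breakpoint addresses or gdb server address, a QEMU mode without a QEMU path, and missing binary or seed paths. The sample config text, the hardware breakpoint limit passed in and the function names are constructed for this example.

```python
"""Pre-flight check of a GDBFuzz configuration file.

Added example, not part of GDBFuzz. SAMPLE_CONFIG and the function names are
constructed for this example; the keys are the ones GDBFuzz documents.
"""
import configparser
import os
import re

TARGET_MODES = {"Hardware", "QEMU", "SUTRunsOnHost"}
BREAKPOINT_STRATEGIES = {
    "RandomBasicBlockStrategy.py", "RandomBasicBlockNoDomStrategy.py",
    "RandomBasicBlockNoCorpusStrategy.py", "BlackboxStrategy.py",
}

# Constructed sample config; the breakpoint addresses are placeholders.
SAMPLE_CONFIG = """
[SUT]
binary_file_path = ./example_programs/json-2017-02-12
entrypoint = LLVMFuzzerTestOneInput
until_rotate_breakpoints = 1000
max_breakpoints = 16
ignore_functions = malloc free
target_mode = Hardware
start_ghidra = True
software_breakpoint_addresses = 0x08001234 0x0800abcd
consider_sw_breakpoint_as_error = False

[SUTConnection]
SUT_connection_file = FIFOConnection.py

[GDB]
path_to_gdb = gdb-multiarch
gdb_server_address = localhost:4242

[Fuzzer]
maximum_input_length = 100000
single_run_timeout = 20
total_runtime = 3600
seeds_directory =

[BreakpointStrategy]
breakpoint_strategy_file = RandomBasicBlockStrategy.py

[Dependencies]
path_to_qemu = dependencies/qemu/build/x86_64-linux-user/qemu-x86_64
path_to_ghidra = dependencies/ghidra

[LogsAndVisualizations]
loglevel = INFO
output_directory = ./output
enable_UI = False
"""


def parse_addresses(value):
    """Parse the space-separated hex list used by software_breakpoint_addresses."""
    addrs = []
    for tok in value.split():
        if not re.fullmatch(r"0x[0-9a-fA-F]+", tok):
            raise ValueError(f"bad breakpoint address {tok!r} (expected 0x...)")
        addrs.append(int(tok, 16))
    return addrs


def validate(text, hw_breakpoint_limit=None, check_paths=True):
    """Return a list of problems found in the config text (empty list means OK).

    hw_breakpoint_limit: number of hardware breakpoints the target really has
    (the FPB on many Cortex-M3/M4 parts offers 6, Cortex-M0+ parts fewer);
    None skips that check. check_paths=False skips filesystem lookups.
    """
    cfg = configparser.ConfigParser()   # option names are case-insensitive by default
    cfg.read_string(text)
    problems = []
    required = {
        "SUT": ["binary_file_path", "entrypoint", "until_rotate_breakpoints",
                "max_breakpoints", "target_mode"],
        "SUTConnection": ["SUT_connection_file"],
        "GDB": ["path_to_gdb", "gdb_server_address"],
        "Fuzzer": ["maximum_input_length", "single_run_timeout", "total_runtime"],
        "BreakpointStrategy": ["breakpoint_strategy_file"],
    }
    for section, keys in required.items():
        if not cfg.has_section(section):
            problems.append(f"missing section [{section}]")
            continue
        for key in keys:
            if not cfg.get(section, key, fallback="").strip():
                problems.append(f"[{section}] {key} is missing or empty")
    if problems:
        return problems   # structural errors first; the checks below rely on these keys

    sut = cfg["SUT"]
    if sut["target_mode"] not in TARGET_MODES:
        problems.append(f"target_mode {sut['target_mode']!r} not in {sorted(TARGET_MODES)}")
    for key in ("until_rotate_breakpoints", "max_breakpoints"):
        if not sut[key].isdigit() or int(sut[key]) < 1:
            problems.append(f"{key} must be a positive integer, got {sut[key]!r}")
    if (hw_breakpoint_limit is not None and sut["max_breakpoints"].isdigit()
            and int(sut["max_breakpoints"]) > hw_breakpoint_limit):
        problems.append(f"max_breakpoints={sut['max_breakpoints']} exceeds the "
                        f"{hw_breakpoint_limit} hardware breakpoints the target exposes")
    try:
        parse_addresses(sut.get("software_breakpoint_addresses", ""))
    except ValueError as e:
        problems.append(str(e))
    if sut["target_mode"] == "QEMU" and not cfg.get("Dependencies", "path_to_qemu", fallback="").strip():
        problems.append("target_mode=QEMU needs [Dependencies] path_to_qemu")
    if not re.fullmatch(r"[^\s:]+:\d{1,5}", cfg["GDB"]["gdb_server_address"]):
        problems.append("gdb_server_address must be written as host:port")
    if cfg["BreakpointStrategy"]["breakpoint_strategy_file"] not in BREAKPOINT_STRATEGIES:
        problems.append("unknown breakpoint_strategy_file")
    if check_paths:
        if not os.path.isfile(sut["binary_file_path"]):
            problems.append(f"binary_file_path {sut['binary_file_path']!r} does not exist")
        seeds = cfg.get("Fuzzer", "seeds_directory", fallback="").strip()
        if seeds and not os.path.isdir(seeds):
            problems.append(f"seeds_directory {seeds!r} does not exist")
    return problems


if __name__ == "__main__":
    for p in validate(SAMPLE_CONFIG, hw_breakpoint_limit=6):
        print("config problem:", p)
```

The breakpoint-limit check matters in Hardware mode: if max_breakpoints exceeds what the debug unit can hold, the extra breakpoints either fail to be set or fall back to software breakpoints in flash, which the coverage feedback does not expect.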

Installing and running in a Docker container

make dockerimage

To run the above example inside Docker, map the example_programs and output folders into the container as volumes and start GDBFuzz as follows:

chmod a+x ./example_programs/json-2017-02-12

docker run -it --env CONFIG_FILE=/example_programs/fuzz_json_docker_qemu.cfg -v $(pwd)/example_programs:/example_programs -v $(pwd)/output:/output gdbfuzz:1.0

Fuzzing output

Inside the output_directory given in the configuration file, the tool creates a "trial-0" folder with the following structure:

.
├── corpus
├── crashes
├── cfg
├── fuzzer_stats
├── plot_data
├── reverse_cfg

Visualization

GDBFuzz has an optional feature that draws the control-flow graph with the covered nodes highlighted. It is disabled by default; set enable_UI to True in the configuration file to enable it.

Install graphviz with the following command:

sudo apt-get install graphviz

Then install a current version of Node.js; the versions used here were:

$ node --version

v16.9.1

$ npm --version

7.21.1

Install the Web UI dependencies:

cd ./src/webui

npm install

Install the mosquitto MQTT broker and replace the contents of /etc/mosquitto/conf.d/mosquitto.conf with the following. Note that allow_anonymous true on listeners bound to all interfaces lets any client that can reach the host publish to or subscribe from the broker; if the UI is only used locally, bind both listeners to 127.0.0.1 (mosquitto accepts an optional bind address after the port in the listener directive) or keep the broker on an isolated interface.

listener 1883

allow_anonymous true

listener 9001

protocol websockets

Restart the mosquitto broker:

sudo service mosquitto restart

Check that the mosquitto broker is running:

sudo service mosquitto status

Start the web user interface:

cd ./src/webui

npm start

Then open http://localhost:3000/ in a web browser.

License

The project is developed and released under the AGPL-3.0 open-source license.

Project page

GDBFuzz: [GitHub link]

References

https://publications.cispa.saarland/3950/

https://www.digitalocean.com/community/tutorials/how-to-install-node-js-on-ubuntu-20-04-de

http://www.steves-internet-guide.com/install-mosquitto-linux/
