
GDBFuzz: a hardware-breakpoint-based fuzzing tool for embedded systems

Author: FB客服 (FreeBuf column)
Published: 2024-07-10 16:27:21
About GDBFuzz

GDBFuzz is a fuzzing tool that lets researchers fuzz embedded systems using hardware breakpoints.

The idea behind GDBFuzz is to use the microcontroller's hardware breakpoints as the feedback signal for coverage-guided fuzzing. GDB serves as the generic interface so that the approach applies to a wide range of targets; for binary analysis of the firmware, GDBFuzz relies on Ghidra.

Requirements

Java, Python 3

Installation

Note: GDBFuzz has been tested on Ubuntu 20.04 LTS and Raspberry Pi OS (32-bit).

First install and configure current versions of Java and Python 3 on the local machine, then create a virtual environment and install all dependencies:

    virtualenv .venv
    source .venv/bin/activate
    make
    chmod a+x ./src/GDBFuzz/main.py

Usage

Running the example locally

GDBFuzz reads its settings from a configuration file with the following keys:

    [SUT]
    # Path to the binary file of the SUT.
    # This can, for example, be an .elf file or a .bin file.
    binary_file_path = <path>

    # Address of the root node of the CFG.
    # Breakpoints are placed at nodes of this CFG.
    # e.g. 'LLVMFuzzerTestOneInput' or 'main'
    entrypoint = <entrypoint>

    # Number of inputs that must be executed without a breakpoint hit until
    # breakpoints are rotated.
    until_rotate_breakpoints = <number>

    # Maximum number of breakpoints that can be placed at any given time.
    max_breakpoints = <number>

    # Blacklist functions that shall be ignored.
    # ignore_functions is a space separated list of function names e.g. 'malloc free'.
    ignore_functions = <space separated list>

    # One of {Hardware, QEMU, SUTRunsOnHost}
    # Hardware: An external component starts a gdb server and GDBFuzz can connect to this gdb server.
    # QEMU: GDBFuzz starts QEMU. QEMU emulates binary_file_path and starts gdbserver.
    # SUTRunsOnHost: GDBFuzz starts the target program within GDB.
    target_mode = <mode>

    # Set this to False if you want to start ghidra, analyze the SUT,
    # and start the ghidra bridge server manually.
    start_ghidra = True

    # Space separated list of addresses where software breakpoints (for error
    # handling code) are set. Execution of those is considered a crash.
    # Example: software_breakpoint_addresses = 0x123 0x432
    software_breakpoint_addresses =

    # Whether all triggered software breakpoints are considered as crash
    consider_sw_breakpoint_as_error = False

    [SUTConnection]
    # The class 'SUT_connection_class' in file 'SUT_connection_path' implements
    # how inputs are sent to the SUT.
    # Inputs can, for example, be sent over Wi-Fi, Serial, Bluetooth, ...
    # This class must inherit from ./connections/SUTConnection.py.
    # See ./connections/SUTConnection.py for more information.
    SUT_connection_file = FIFOConnection.py

    [GDB]
    path_to_gdb = gdb-multiarch
    # Written in address:port
    gdb_server_address = localhost:4242

    [Fuzzer]
    # In Bytes
    maximum_input_length = 100000
    # In seconds
    single_run_timeout = 20
    # In seconds
    total_runtime = 3600

    # Optional
    # Path to a directory where each file contains one seed. If you don't want to
    # use seeds, leave the value empty.
    seeds_directory =

    [BreakpointStrategy]
    # Strategies to choose basic blocks are located in
    # 'src/GDBFuzz/breakpoint_strategies/'
    # For the paper we use the following strategies
    # 'RandomBasicBlockStrategy.py' - Randomly choosing unreached basic blocks
    # 'RandomBasicBlockNoDomStrategy.py' - Like previous, but doesn't use dominance relations to derive transitively reached nodes.
    # 'RandomBasicBlockNoCorpusStrategy.py' - Like first, but prevents growing the input corpus and therefore behaves like blackbox fuzzing with coverage measurement.
    # 'BlackboxStrategy.py', - Doesn't set any breakpoints
    breakpoint_strategy_file = RandomBasicBlockStrategy.py

    [Dependencies]
    path_to_qemu = dependencies/qemu/build/x86_64-linux-user/qemu-x86_64
    path_to_ghidra = dependencies/ghidra

    [LogsAndVisualizations]
    # One of {DEBUG, INFO, WARNING, ERROR, CRITICAL}
    loglevel = INFO

    # Path to a directory where output files (e.g. graphs, logfiles) are stored.
    output_directory = ./output

    # If set to True, an MQTT client sends UI elements (e.g. graphs)
    enable_UI = False

A sample configuration file is provided in the project's ./example_programs/ directory, and benchmark/benchSUTs/GDBFuzz_wrapper/common/ contains a sample program that can be fuzzed.
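As an added illustration (not code from the GDBFuzz project), the following Python model plays through the loop that the until_rotate_breakpoints, max_breakpoints and [BreakpointStrategy] keys above describe: a bounded number of breakpoints sit on unreached basic blocks, a hit marks that block and all of its dominators as covered (the inference the NoDom strategy omits) and grows the corpus, and after until_rotate_breakpoints inputs without a hit the breakpoints are moved to other unreached blocks. The CFG, the stand-in target (toy_run) and the byte-append mutation are constructed toys; a real run gets the CFG from Ghidra and the hit from GDB.

```python
# Constructed toy CFG: basic block -> successor blocks (not a real firmware CFG).
CFG = {"main": ["parse"], "parse": ["ok", "err"],
       "ok": ["done"], "err": ["done"], "done": []}

def dominators(cfg, root):
    """dom[n] = every block that must execute before n (n included)."""
    nodes = list(cfg)
    preds = {n: [p for p in nodes if n in cfg[p]] for n in nodes}
    dom = {n: set(nodes) for n in nodes}
    dom[root] = {root}
    changed = True
    while changed:                      # classic iterative dataflow
        changed = False
        for n in nodes:
            if n == root or not preds[n]:
                continue
            new = {n} | set.intersection(*(dom[p] for p in preds[n]))
            if new != dom[n]:
                dom[n], changed = new, True
    return dom

def toy_run(inp):
    """Constructed stand-in for the SUT: blocks executed, in order.
    Only the last input byte decides which branch is taken."""
    taken = "ok" if inp and inp[-1] % 4 == 0 else "err"
    return ["main", "parse", taken, "done"]

def fuzz(cfg, root, run, max_breakpoints, until_rotate, rounds):
    """Coverage-guided loop with a bounded number of breakpoints; mutation
    and placement are deterministic so the run is reproducible."""
    dom = dominators(cfg, root)
    reached, corpus, bps, misses, offset = {root}, [b"seed"], set(), 0, 0
    for i in range(rounds):
        if not bps or misses >= until_rotate:   # place or rotate breakpoints
            unreached = sorted(set(cfg) - reached)
            if not unreached:
                break                           # every block covered
            picks = [unreached[(offset + j) % len(unreached)]
                     for j in range(min(max_breakpoints, len(unreached)))]
            bps, misses, offset = set(picks), 0, offset + max_breakpoints
        inp = corpus[i % len(corpus)] + bytes([i % 256])  # trivial mutation
        # The target halts at the first armed breakpoint on its path, if any.
        hit = next((b for b in run(inp) if b in bps), None)
        if hit is None:
            misses += 1
            continue
        reached |= dom[hit]   # the hit block and all its dominators ran
        bps.discard(hit)      # free that breakpoint for another block
        corpus.append(inp)    # new coverage: keep the input
        misses = 0
    return reached, corpus
```

With one breakpoint and rotation after two misses, the breakpoint on ok is swapped out for err after two inputs that took the other branch, and the first hit on done already marks parse as covered through dominance.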

The following commands fuzz the target program directly:

    chmod a+x ./example_programs/json-2017-02-12
    ./src/GDBFuzz/main.py --config ./example_programs/fuzz_json.cfg

Installing and running in a Docker container

Build the Docker image:

    make dockerimage

To run the test above inside Docker, mount the example_programs and output folders as volumes and then start GDBFuzz as follows:

    chmod a+x ./example_programs/json-2017-02-12
    docker run -it --env CONFIG_FILE=/example_programs/fuzz_json_docker_qemu.cfg -v $(pwd)/example_programs:/example_programs -v $(pwd)/output:/output gdbfuzz:1.0

Fuzzing output

Under the output_directory set in the configuration file, the tool creates a trial-0 folder with the following structure:

    .
    ├── corpus
    ├── crashes
    ├── cfg
    ├── fuzzer_stats
    ├── plot_data
    ├── reverse_cfg

Visualization

GDBFuzz has an optional feature that draws the control-flow graph with the covered nodes. It is disabled by default; enable it by setting enable_UI to True in the user configuration.

Install graphviz:

    sudo apt-get install graphviz

Then install the latest version of Node.js (the versions used here):

    $ node --version
    v16.9.1
    $ npm --version
    7.21.1

Install the Web UI dependencies:

    cd ./src/webui
    npm install

Install and update the mosquitto MQTT broker, then replace the contents of /etc/mosquitto/conf.d/mosquitto.conf with the following (allow_anonymous true accepts unauthenticated clients on both listeners, so this configuration is intended for a local development host):

    listener 1883
    allow_anonymous true
    listener 9001
    protocol websockets

Restart the mosquitto broker:

    sudo service mosquitto restart

Check that the mosquitto broker is running:

    sudo service mosquitto status

Start the web user interface:

    cd ./src/webui
    npm start

Then open http://localhost:3000/ in a web browser.

License

This project is developed and released under the AGPL-3.0 open-source license.

Project links

GDBFuzz:

https://github.com/boschresearch/gdbfuzz

References:

https://publications.cispa.saarland/3950/
https://www.digitalocean.com/community/tutorials/how-to-install-node-js-on-ubuntu-20-04-de
http://www.steves-internet-guide.com/install-mosquitto-linux/

Originally published 2024-07-08; shared from the FreeBuf WeChat public account.
