Greybox Fuzzing
In the previous chapter, we introduced mutation-based fuzzing, a technique that generates fuzz inputs by applying small mutations to given inputs. In this chapter, we show how to guide these mutations towards specific goals such as coverage. The algorithms in this chapter stem from the popular American Fuzzy Lop (AFL) fuzzer, in particular from its AFLFast and AFLGo flavors. We will explore the greybox fuzzing algorithm behind AFL and how we can exploit it to solve various problems in automated vulnerability detection.
from bookutils import YouTubeVideo
YouTubeVideo('vBrNT9q2t1Y')
Prerequisites
- Reading the introduction on mutation-based fuzzing is recommended.
Synopsis
To use the code provided in this chapter, write
>>> from fuzzingbook.GreyboxFuzzer import <identifier>
and then make use of the following features.
This chapter introduces advanced methods for grey-box fuzzing inspired by the popular AFL fuzzer. The GreyboxFuzzer class has three arguments. First, a list of seed inputs:
>>> seed_input = "http://www.google.com/search?q=fuzzing"
>>> seeds = [seed_input]
Second, a mutator that changes individual parts of the input.
>>> mutator = Mutator()
Third, a power schedule that assigns fuzzing effort across the population:
>>> schedule = PowerSchedule()
These three go into the GreyboxFuzzer constructor:
>>> greybox_fuzzer = GreyboxFuzzer(seeds=seeds, mutator=mutator, schedule=schedule)
The GreyboxFuzzer class is used in conjunction with a FunctionCoverageRunner:
>>> http_runner = FunctionCoverageRunner(http_program)
>>> outcomes = greybox_fuzzer.runs(http_runner, trials=10000)
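As an added, self-contained illustration (not the fuzzingbook code itself), the following reimplements the four pieces the synopsis names in miniature: a Mutator, a uniform PowerSchedule, a FunctionCoverageRunner built on sys.settrace, and a GreyboxFuzzer that keeps an input in the population only when it produces a set of executed lines not seen before. The target http_program is a constructed URL checker standing in for the chapter's program of that name, and fuzz_http_program is a constructed driver; both are assumptions, not taken from the page.

```python
import random
import sys
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Set, Tuple

Location = Tuple[str, int]  # (function name, line number) executed


def http_program(url: str) -> bool:
    """Constructed target (assumption, stands in for the chapter's http_program):
    a tiny URL checker with several branches, so coverage differs between inputs."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        raise ValueError("missing '://'")
    if scheme not in ("http", "https"):
        raise ValueError("unsupported scheme")
    host, _, path = rest.partition("/")
    if not host:
        raise ValueError("empty host")
    if "?" in path:
        for pair in path.partition("?")[2].split("&"):
            if "=" not in pair:
                raise ValueError("malformed query pair")
    return True


class Mutator:
    """Applies one random character-level mutation: delete, insert or bit-flip."""
    def __init__(self, rng: random.Random) -> None:
        self.rng = rng

    def delete_random_character(self, s: str) -> str:
        if not s:
            return s
        pos = self.rng.randrange(len(s))
        return s[:pos] + s[pos + 1:]

    def insert_random_character(self, s: str) -> str:
        pos = self.rng.randint(0, len(s))
        return s[:pos] + chr(self.rng.randrange(32, 127)) + s[pos:]

    def flip_random_character(self, s: str) -> str:
        if not s:
            return s
        pos = self.rng.randrange(len(s))
        return s[:pos] + chr(ord(s[pos]) ^ (1 << self.rng.randrange(7))) + s[pos + 1:]

    def mutate(self, s: str) -> str:
        ops = [self.delete_random_character, self.insert_random_character, self.flip_random_character]
        return self.rng.choice(ops)(s)


@dataclass
class Seed:
    """A population member: the input, the coverage it achieved, and its fuzzing energy."""
    data: str
    coverage: FrozenSet[Location] = frozenset()
    energy: float = 0.0


class PowerSchedule:
    """Uniform schedule: equal energy for every seed, so parents are drawn uniformly.
    A subclass would override assign_energy to favour, e.g., rarely exercised paths."""
    def assign_energy(self, population: List[Seed]) -> None:
        for seed in population:
            seed.energy = 1.0

    def choose(self, population: List[Seed], rng: random.Random) -> Seed:
        self.assign_energy(population)
        return rng.choices(population, weights=[s.energy for s in population], k=1)[0]


class FunctionCoverageRunner:
    """Runs a Python function on one input and records the (function, line) pairs executed."""
    def __init__(self, function: Callable[[str], object]) -> None:
        self.function = function
        self._coverage: Set[Location] = set()

    def traceit(self, frame, event, arg):
        if event == "line":
            self._coverage.add((frame.f_code.co_name, frame.f_lineno))
        return self.traceit  # keep tracing inside this frame

    def run(self, inp: str) -> str:
        self._coverage = set()
        sys.settrace(self.traceit)  # only frames created from here on are traced
        try:
            self.function(inp)
            return "PASS"
        except Exception:  # any exception raised by the target counts as a failure
            return "FAIL"
        finally:
            sys.settrace(None)

    def coverage(self) -> Set[Location]:
        return self._coverage


class GreyboxFuzzer:
    """Coverage-guided mutational fuzzer: seeds first, then mutants of scheduled parents."""
    def __init__(self, seeds: List[str], mutator: Mutator, schedule: PowerSchedule,
                 rng: random.Random, min_mutations: int = 2, max_mutations: int = 10) -> None:
        self.seeds, self.mutator, self.schedule, self.rng = seeds, mutator, schedule, rng
        self.min_mutations, self.max_mutations = min_mutations, max_mutations
        self.population: List[Seed] = []
        self.coverages_seen: Set[FrozenSet[Location]] = set()
        self.seed_index = 0

    def fuzz(self) -> str:
        if self.seed_index < len(self.seeds):  # run every seed once before mutating
            self.seed_index += 1
            return self.seeds[self.seed_index - 1]
        inp = self.schedule.choose(self.population, self.rng).data
        for _ in range(self.rng.randint(self.min_mutations, self.max_mutations)):
            inp = self.mutator.mutate(inp)
        return inp

    def run(self, runner: FunctionCoverageRunner) -> str:
        inp = self.fuzz()
        outcome = runner.run(inp)
        coverage = frozenset(runner.coverage())
        if coverage not in self.coverages_seen:  # new coverage: the input joins the population
            self.coverages_seen.add(coverage)
            self.population.append(Seed(inp, coverage))
        return outcome

    def runs(self, runner: FunctionCoverageRunner, trials: int) -> List[str]:
        return [self.run(runner) for _ in range(trials)]


def fuzz_http_program(trials: int = 2000, rng_seed: int = 0):
    """Constructed driver: fuzz http_program from the chapter's seed input and return (fuzzer, outcomes)."""
    rng = random.Random(rng_seed)
    fuzzer = GreyboxFuzzer(seeds=["http://www.google.com/search?q=fuzzing"],
                           mutator=Mutator(rng), schedule=PowerSchedule(), rng=rng)
    outcomes = fuzzer.runs(FunctionCoverageRunner(http_program), trials=trials)
    return fuzzer, outcomes


if __name__ == "__main__":
    fuzzer, outcomes = fuzz_http_program()
    print(f"{outcomes.count('FAIL')} failing runs; population of {len(fuzzer.population)} distinct coverage sets")
    for seed in fuzzer.population:
        print(repr(seed.data), "->", len(seed.coverage), "lines")
```

Every member of the resulting population has a coverage set distinct from all the others, which is what makes the population a compact map of the behaviours found so far rather than a pile of near-duplicate inputs; the seed input is always its first member because nothing has been seen when it runs.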
After fuzzing, we can inspect the population:
>>> greybox_fuzzer.population[:20]
[http://www.google.com/search?q=fuzzing,
http=/uww>gonlco\m'$sterc( fJ|kGziosg*,
ht/dwwvcGoooglUe.{om1earqcH?pfw:in(g,
htp=uwD>god0co\estqrP(ct! Ckz+o{g,
?htp=
uww>g@onlo\m'$gs2;terc( fJ|ozixos*,
>ht=
uww>g@onlo\m'$g`s;t\erc( fJ\ozxks*,
http://www.googl.e.com/searchq=fuzzing,
ht-tpS:www.voogl.a.om/s~da3rkhq=fuzzing,
tp:/wgg-)lUco/sec?qFuZzizg4L,
0?htp,
ukg;gg@on
o#\om'Zswer<