⛏️
⛏️
文章目录
  1. Chromium fuzzing tutorial
  2. ToDo
  3. References

Fuzzing学习笔记:libfuzzer与Chromium

2019.07.27 放之(Felix Zhao) 安全工程师

接上篇,当然依旧是整理自gist

libfuzzer是llvm下面的一个项目

LibFuzzer is in-process, coverage-guided, evolutionary fuzzing engine. LibFuzzer is linked with the library under test, and feeds fuzzed inputs to the library via a specific fuzzing entrypoint (aka “target function”); the fuzzer then tracks which areas of the code are reached, and generates mutations on the corpus of input data in order to maximize the code coverage. The code coverage information for libFuzzer is provided by LLVM’s SanitizerCoverage instrumentation.

下面开始搞一搞吧

Chromium fuzzing tutorial

ubuntu16.04:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git
export PATH="$PATH:/path/to/depot_tools"             #使用绝对路径
mkdir ~/chromium && cd ~/chromium
fetch --nohooks chromium                           # 大概下载10G左右
cd src 
./build/install-build-deps.sh                     # 安装依赖
gclient runhooks                            # 运行  Chromium-specifices
# 准备构建
gn gen out/Default                   # 生成ninja文件准备构建

#mount -t tmpfs -o size=20G,nr_inodes=40k,mode=1777 tmpfs /root/chromium/src/out  
# 20G小了,编译没有够用,空间不够重新开大点。

# 构建
autoninja -C out/Default chrome

image
image

8核8G的机器,前面的基本上一秒编译一个,看来可能要9个小时后才能编译完。运气好的话

image

编译结束,大小也变成了49G

image

构建libfuzzer

1
2
$ gn gen out/libfuzzer '--args=use_libfuzzer=true is_asan=true is_ubsan_security=true is_debug=false enable_nacl=false' --check
$ ninja -C out/libfuzzer v8_json_parser_fuzzer

image

1
$ ./out/libfuzzer/v8_json_parser_fuzzer ~/chromium/testcases/json_parser_corpus/ --dict=json.dict -jobs=6 -workers=6

image

ToDo

  • gn用法
  • ninja 用法

References