Driller的安装与使用

本文主要介绍模糊测试工具Driller的安装与使用。

1. Driller 简介

由于Driller依赖于模糊测试工具AFL和二进制分析工具angr, AFL目前在ubuntu18.04上不能使用gcc build，angr目前只能在64位系统中运行。
因此，本实验选择的系统环境是Ubuntu 16.04 64 bits.

2. Driller 的安装

这部分主要参考[2]，注意安装时最好在Python虚拟环境中安装！！！
安装依赖：

sudo apt-get install build-essential libtol-bin automake bison flex python libglib2.0-dev

安装AFL:

mkdir driller
cd driller
wget http://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz
tar xf afl-latest.tgz
cd afl-2.52b
make
cd qemu_mode   
./build_qemu_support.sh 

安装Driller:
在安装与使用Driller时，最好在一个单独的Python虚拟环境中进行。

sudo apt install python virtualenv git python-dev
cd ~/driller
virtualenv venv
source venv/bin/activate
pip install git+https://github.com/angr/cle
pip install git+https://github.com/angr/angr
pip install git+https://github.com/angr/tracer
pip install git+https://github.com/shellphish/driller

安装成功的标识是可以import driller

python
import driller

在这里插入图片描述

3. Driller的使用

这种安装方法是采用一种Driller和AFL并行运行的过程，将driller中求解输入的部分和AFL fuzz的部分分别放在两个terminal运行 [2]。
Fuzz的程序源码为buggy.c

#include 
#include 

int main(int argc, char *argv[]) {
  char buffer[6] = {0};
  int i;
  int *null = 0;

  read(0, buffer, 6);
  if (buffer[0] == '7' && buffer[1] == '/' && buffer[2] == '4'
      && buffer[3] == '2' && buffer[4] == 'a' && buffer[5] == '8') {
    i = *null;
  }

  puts("No problem");
}

编译，由于使用AFL QEMU模式，因此不需要对源码进行插桩：

gcc -o buggy buggy.c

打开一个terminal, 用AFL进行FUZZ：

mkdir -p workdir/input
echo 'init' > workdir/input/seed1   # 提供初始化种子输入
echo core | sudo tee /proc/sys/kernel/core_pattern
afl-2.52b/afl-fuzz -M fuzzer-master -i workdir/input/ -o workdir/output/ -Q ./buggy

[2] 提供了一个运行脚本run_driller.py:

#!/usr/bin/env python

import errno
import os
import os.path
import sys
import time

from driller import Driller

def save_input(content, dest_dir, count):
    """Saves a new input to a file where AFL can find it.

    File will be named id:XXXXXX,driller (where XXXXXX is the current value of
    count) and placed in dest_dir.
    """
    name = 'id:%06d,driller' % count
    with open(os.path.join(dest_dir, name), 'w') as destfile:
        destfile.write(content)


def main():
    if len(sys.argv) != 3:
        print 'Usage: %s  ' % sys.argv[0]
        sys.exit(1)

    _, binary, fuzzer_dir = sys.argv

    # Figure out directories and inputs
    with open(os.path.join(fuzzer_dir, 'fuzz_bitmap')) as bitmap_file:
        fuzzer_bitmap = bitmap_file.read()
    source_dir = os.path.join(fuzzer_dir, 'queue')
    dest_dir = os.path.join(fuzzer_dir, '..', 'driller', 'queue')

    # Make sure destination exists
    try:
        os.makedirs(dest_dir)
    except os.error as e:
        if e.errno != errno.EEXIST:
            raise

    seen = set()  # Keeps track of source files already drilled
    count = len(os.listdir(dest_dir))  # Helps us name outputs correctly

    # Repeat forever in case AFL finds something new
    while True:
        # Go through all of the files AFL has generated, but only once each
        for source_name in os.listdir(source_dir):
            if source_name in seen or not source_name.startswith('id:'):
                continue
            seen.add(source_name)
            with open(os.path.join(source_dir, source_name)) as seedfile:
                seed = seedfile.read()

            print 'Drilling input: %s' % seed
            for _, new_input in Driller(binary, seed, fuzzer_bitmap).drill_generator():
                save_input(new_input, dest_dir, count)
                count += 1

            # Try a larger input too because Driller won't do it for you
            seed = seed + '0000'
            print 'Drilling input: %s' % seed
            for _, new_input in Driller(binary, seed, fuzzer_bitmap).drill_generator():
                save_input(new_input, dest_dir, count)
                count += 1
        time.sleep(10)

if __name__ == '__main__':
    main()

再打开另一个窗口，运行driller部分。

source venv/bin/activate
python run_driller.py ./buggy workdir/output/fuzzer-master

参考文献：

[1] Stephens, Nick, et al. "Driller: Augmenting Fuzzing Through Selective Symbolic Execution." NDSS. Vol. 16. 2016.
[2] https://blog.grimm-co.com/post/guided-fuzzing-with-driller/
[3] https://github.com/shellphish/driller
[4] https://github.com/shellphish/fuzzer

附录

安装脚本：

#! /bin/bash
sudo apt-get install build-essential libtol-bin automake bison flex python libglib2.0-dev
mkdir driller
cd driller
wget http://lcamtuf.coredump.cx/afl/releases/afl-latest.tgz
tar xf afl-latest.tgz
cd afl-2.52b
make
cd qemu_mode
./build_qemu_support.sh 
sudo apt-get install python virtualenv git python-dev
cd ../../
virtualenv venv
source venv/bin/activate

#！/bin/bash
pip install git+https://github.com/angr/cle
pip install git+https://github.com/angr/angr
pip install git+https://github.com/angr/tracer
pip install git+https://github.com/shellphish/driller