Coordinated hybrid fuzzing framework with advanced coordination mode
Evaluating and Improving Hybrid Fuzzing, ICSE'2023
@inproceedings{jiang2023evaluating,
title = {Evaluating and improving hybrid fuzzing},
author = {Jiang, Ling and Yuan, Hengchen and Wu, Mingyuan and Zhang, Lingming and Zhang, Yuqun},
doi = {10.1109/ICSE48619.2023.00045},
booktitle = {2023 IEEE/ACM 45th International Conference on Software Engineering (ICSE)},
pages = {410-422},
year = {2023}
}
- Tested on Ubuntu 18.04/20.04
- Python (>= 3.8)
- LLVM 10.0-12.0
$ git submodule update --init --recursive
# Install fuzzer and concolic executor
$ ./build.sh
We highly recommend running CoFuzz inside the Docker container.
# Build docker image
$ docker build -t cofuzz ./
# Run docker container
$ docker run -itd --privileged cofuzz /bin/bash
Note that --privileged removes almost all of the container's isolation from the host kernel (all capabilities, direct device access). Use it only on a machine dedicated to fuzzing.
CoFuzz compiles the target program into three binaries, each with its own instrumentation: one for path tracing, one for AFL edge coverage, and one for concolic execution. All three builds run ./configure and make in the same source tree and produce a binary of the same name, so build each variant in a fresh copy of the tree (or run make distclean in between) and copy each result aside before starting the next build.
# Tracing execution path
export CC=trace/build/clang-trace CXX=trace/build/clang-trace++
./configure --disable-shared
make -j$(nproc)
# Count edge coverage for fuzzer
export CC=fuzzer/afl-clang-fast CXX=fuzzer/afl-clang-fast++
./configure --disable-shared
make -j$(nproc)
# Concolic execution
export CC=concolic/qsym/symcc CXX=concolic/qsym/sym++
./configure --disable-shared
make -j$(nproc)
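The three builds above, scripted so that each variant is compiled in its own copy of the source tree and the resulting binaries end up in separate directories. This is an added example, not a script from the CoFuzz repository; it assumes COFUZZ_ROOT points at the CoFuzz checkout (defaulting to the current directory), that the target is an autotools project built exactly as shown above, and that the built program lives at a relative path inside the tree (for binutils' readelf, binutils/readelf). The function names variant_cc, variant_cxx, build_variant and build_all are this example's own.

```shell
#!/bin/sh
# Added example (not part of the CoFuzz repository): build the trace, fuzzer
# and concolic variants of an autotools target in separate copies of the
# source tree so the three ./configure && make runs never overwrite each
# other's output.
# Assumptions: COFUZZ_ROOT is the CoFuzz checkout (defaults to $PWD); the
# target builds with ./configure --disable-shared && make; the built program
# is at BINARY_RELPATH inside the tree (e.g. binutils/readelf).
set -eu

COFUZZ_ROOT="${COFUZZ_ROOT:-$PWD}"

# C compiler wrapper for each variant, as listed in the README.
variant_cc() {
  case "$1" in
    trace)    echo "$COFUZZ_ROOT/trace/build/clang-trace" ;;
    fuzzer)   echo "$COFUZZ_ROOT/fuzzer/afl-clang-fast" ;;
    concolic) echo "$COFUZZ_ROOT/concolic/qsym/symcc" ;;
    *)        echo "unknown variant: $1" >&2; return 1 ;;
  esac
}

# C++ compiler wrapper for each variant, as listed in the README.
variant_cxx() {
  case "$1" in
    trace)    echo "$COFUZZ_ROOT/trace/build/clang-trace++" ;;
    fuzzer)   echo "$COFUZZ_ROOT/fuzzer/afl-clang-fast++" ;;
    concolic) echo "$COFUZZ_ROOT/concolic/qsym/sym++" ;;
    *)        echo "unknown variant: $1" >&2; return 1 ;;
  esac
}

# build_variant VARIANT SRC_DIR OUT_DIR BINARY_RELPATH
# Copies SRC_DIR to OUT_DIR/VARIANT/src, builds it with the variant's
# compiler wrappers, and copies the built program to OUT_DIR/VARIANT/.
build_variant() {
  variant=$1; src=$2; out=$3; relpath=$4
  dir="$out/$variant"
  rm -rf "$dir"
  mkdir -p "$dir/src"
  cp -a "$src/." "$dir/src/"
  (
    cd "$dir/src"
    CC=$(variant_cc "$variant");   export CC
    CXX=$(variant_cxx "$variant"); export CXX
    # --disable-shared links the project's libraries statically, so they
    # are instrumented together with the program itself.
    ./configure --disable-shared
    make -j"$(nproc)"
  )
  cp "$dir/src/$relpath" "$dir/"
  echo "built $variant variant: $dir/$(basename "$relpath")"
}

# build_all SRC_DIR OUT_DIR BINARY_RELPATH: build all three variants.
build_all() {
  for v in trace fuzzer concolic; do
    build_variant "$v" "$1" "$2" "$3"
  done
}

# Usage: sh build_targets.sh /path/to/binutils-src /tmp/cofuzz-build binutils/readelf
# The guard lets the functions be sourced from another script as well.
if [ "$#" -eq 3 ]; then
  build_all "$1" "$2" "$3"
fi
```

After a run the concolic and trace binaries (here /tmp/cofuzz-build/concolic/readelf and /tmp/cofuzz-build/trace/readelf) are the paths to put into the configuration file described below, and the fuzzer binary (/tmp/cofuzz-build/fuzzer/readelf) is the one to reference in FUZZ_CMD.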
Running CoFuzz requires a configuration file in the following format.
[put]
# Program under test
cohuzz_bin=/path/to/binary/for/concolic/execution
trace_bin=/path/to/binary/for/trace/path
# Command-line arguments; @@ is replaced with the path of the input file (AFL convention)
argument=@@
Environment variables:
- INPUT: initial seed corpora
- OUTPUT: output directory
- FUZZ_CMD: command line for running the AFL-instrumented program (use @@ where the input file goes)
- CFG_FILE: configuration file for CoFuzz
# Running fuzzing strategy
fuzzer/afl-fuzz -S afl -m none -i $INPUT -o $OUTPUT -- $FUZZ_CMD
# Running CoFuzz (concolic execution + coordination mode); the name after -a is the same one given to afl-fuzz -S above
src/cofuzz.py -o $OUTPUT -a afl -c $CFG_FILE
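A launcher that ties the configuration file and the two commands above together: it checks that the three instrumented binaries exist and are distinct files, writes the [put] configuration, starts the fuzzing strategy in the background and then runs the coordinator. This is an added example, not a script from the CoFuzz repository. It assumes COFUZZ_ROOT points at the CoFuzz checkout (defaulting to the current directory) and that the binaries were built as in the previous section; the configuration key names are copied exactly as this README lists them, and the function names check_targets, write_config, config_value and run_cofuzz are this example's own.

```shell
#!/bin/sh
# Added example (not part of the CoFuzz repository): validate the three
# instrumented binaries, write the [put] configuration file, then start the
# fuzzing strategy and the CoFuzz coordinator with the README's commands.
# Assumptions: COFUZZ_ROOT is the CoFuzz checkout (defaults to $PWD); the
# binaries were built as described above. Config keys are written exactly
# as the README lists them.
set -eu

COFUZZ_ROOT="${COFUZZ_ROOT:-$PWD}"

# check_targets FUZZ_BIN CONCOLIC_BIN TRACE_BIN
# Each binary must be executable, and the three must be distinct files:
# rebuilding in one source tree without cleaning leaves a single binary
# under three names, and the tools then run the wrong instrumentation.
check_targets() {
  for b in "$1" "$2" "$3"; do
    [ -x "$b" ] || { echo "not an executable file: $b" >&2; return 1; }
  done
  if [ "$1" = "$2" ] || [ "$2" = "$3" ] || [ "$1" = "$3" ]; then
    echo "the three binaries must be separate builds" >&2
    return 1
  fi
}

# write_config CFG_FILE CONCOLIC_BIN TRACE_BIN [ARGUMENT]
# Emits the configuration format shown in the README (ARGUMENT defaults to @@).
write_config() {
  cfg=$1; concolic=$2; trace=$3; arg=${4:-@@}
  cat > "$cfg" <<EOF
[put]
# Program under test
cohuzz_bin=$concolic
trace_bin=$trace
argument=$arg
EOF
}

# config_value CFG_FILE KEY: read one key=value back from the file.
config_value() {
  sed -n "s/^$2=//p" "$1"
}

# run_cofuzz INPUT OUTPUT FUZZ_BIN CONCOLIC_BIN TRACE_BIN
# Mirrors the README: afl-fuzz -S afl ... in the background, then
# src/cofuzz.py -o OUTPUT -a afl -c CFG_FILE in the foreground.
run_cofuzz() {
  input=$1; output=$2; fuzz_bin=$3; concolic=$4; trace=$5
  check_targets "$fuzz_bin" "$concolic" "$trace"
  mkdir -p "$output"
  cfg="$output/cofuzz.cfg"
  write_config "$cfg" "$concolic" "$trace" @@
  # The instance name given to -S is the same name passed to cofuzz.py -a.
  "$COFUZZ_ROOT/fuzzer/afl-fuzz" -S afl -m none -i "$input" -o "$output" \
      -- "$fuzz_bin" @@ > "$output/afl-fuzz.log" 2>&1 &
  afl_pid=$!
  "$COFUZZ_ROOT/src/cofuzz.py" -o "$output" -a afl -c "$cfg"
  # Stop the fuzzer once the coordinator exits.
  kill "$afl_pid" 2>/dev/null || true
}

# Usage: sh run_cofuzz.sh ./seeds ./out \
#          /tmp/cofuzz-build/fuzzer/readelf \
#          /tmp/cofuzz-build/concolic/readelf \
#          /tmp/cofuzz-build/trace/readelf
if [ "$#" -eq 5 ]; then
  run_cofuzz "$1" "$2" "$3" "$4" "$5"
fi
```

The distinctness check in check_targets is the one most worth keeping even if the rest is replaced: three builds in one source tree that were never cleaned will all pass an existence check while pointing at the same file.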
For running the demo program readelf, please refer to the document in Demo.