
XPDDS17: Using American Fuzzy Lop on the x86 Instruction Emulator - George Dunlap, Citrix


American Fuzzy Lop (AFL) is a fuzzer that uses code coverage and genetic algorithms to automatically find "interesting" inputs: in particular, inputs which will crash your code. Andrew Cooper hooked Xen's x86 instruction decoder up to AFL, and within an hour it found a bug which had been introduced in the 4.8 development window. I extended that work to test the full emulator, and with a few days of tweaking and iterating, AFL had produced over 6,000 unique test cases which gave us nearly 97% code coverage.

This talk will give an overview of our experience with AFL, to help give you a better understanding of the usefulness of this new tool.


  1. Finding Bugs with American Fuzzy Lop (George Dunlap)
  2. American Fuzzy Lop
  3. American Fuzzy Lop: instrumentation-guided genetic fuzzer
  4. Goals
     • Tell you about AFL (because it’s cool)
     • To encourage you to look into using AFL
       • In your own test cases…
       • …or in Xen
  5. Outline
     • AFL overview
     • Using AFL for the Xen x86 instruction emulator
     • Other opportunities for fuzzing in Xen
  6. AFL: Basic Idea
     • Start with a set of “interesting” test cases
     • Run them through an instrumented binary to see what paths are taken
     • Take one off the list and start mutating it
     • New path taken? Add it to your list of “interesting” test cases
     • Crash? Keep it in a separate file
  7. x86_emulate
     • Common code to decode and emulate x86 instructions
     • Over 8000 LoC
     • Called from HVM, PV, and shadow code
     • Pass it: CPU context, plus callbacks for all other state interaction
       • 26 callbacks; most are optional, all can return failure
     • Already has a user-space test harness
  8. x86_decode (single instruction)
  9. x86_emulate: single instruction, blank CPU slate, minimal set of callbacks
  10. x86_emulate: multiple instructions
  11. FPU Exceptions
     • FPU instructions are re-executed in the hypervisor context
     • Xen has a framework for handling exceptions properly; the AFL framework didn’t
     • FPU exceptions don’t happen unless they’re enabled, and they start off disabled
       • …so AFL had figured out how to turn them on
     • Hack: Disable exceptions after every instruction iteration
  12. Fuzz the core registers
  13. XSA-195: BT* instructions
  14. Allowing AFL to fuzz more
     • Implement more callbacks
     • Allow reads to return fuzzed values (rather than zero)
     • Allow more complete CPU state to be fuzzed
     • Allow non-canonical addresses
     • Allow random failure of callbacks
  15. A bug in one of the XSA fixes!
  16. (Valid) assertions about architecturally correct state
  17. Unchecked return value
  18. Unreal mode
  19. So AFL…
     • Discovered three critical bugs in x86_emulate
     • Discovered…
       • How to turn on FPU exceptions
       • Assumptions about architectural consistency
       • An unchecked return value
       • Assumptions about unreal mode
  20. AFL in xen.git
  21. Running afl-harness
     • Install AFL
       • afl packages in debian-testing, others
       • d/l and build from http://lcamtuf.coredump.cx/afl/
     • Build afl-harness
       • cd xen.git/tools/fuzz/x86_instruction_emulator
       • make CC=afl-gcc afl
     • Make starting input
       • dd if=/dev/urandom of=input/rand bs=$(./afl-harness --min-input)
     • Run afl-fuzz
       • afl-fuzz -i input/ -o output/ -- ./afl-harness
  22. Diving deeper
     • “Map” and the branch path
     • Fork server / “persistent mode”
     • Other languages: Python, Go, Rust, OCaml, GCJ Java
     • Running in parallel
  23. Fuzzing more
     • Already fuzz libelf
     • Xen hypercall interface (GSoC student working on this)
     • xenstore?
     • pygrub?
     • disk / network backends?
  24. A request for help…
     • oss-fuzz: a Google fuzzing project
     • Requires someone to sign a contributor agreement
  25. Goal: to convince you to look into using AFL on your code
  26. Questions: http://lcamtuf.coredump.cx/afl/
