stackoom
  简体   繁体   中英

AFL only explores 1 path and nothing more! ( last new path : none yet (odd, check syntax!) )

 原文  2022-12-02 00:24:40       c/ fuzzing/ american-fuzzy-lop

Question

I am using AFL (version 2.57b) in a docker container (on Ubuntu 20.04) to fuzz several C programs. But the problem is, whenever I fuzz a program it does not explore more than 1 path and the output is something like this:

the AFL output -- running

In this case, I am using this command specifically:

AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 afl-fuzz -i corpus/ -o afl_out --./afl-main @@

Where afl-main is the name of the program compiled with afl-clang and corpus is the name of a directory containing input files.

In this specific case, the main.c is as follows:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main (int argc, char* argv[]) {

if (argc < 1)
    return 1;

if (strcmp(argv[1],"-s")==0)
    printf("girls\n");
else if(strcmp(argv[1],"-k")==0)
    printf("boys!\n");
else
    printf("OMG!!\n");

return 0;

}

But, as I have already mentioned, switching to other programs does not change anything in the output.

There is also a similar question here , but I have applied the proposed solution there and my binary is working fine when I provide an input from the corpus directory in my current working directory.

I tried several C programs to see whether there is a problem with the way of implementation or the way I pass the inputs (through standard input), but the afl-fuzz output is still the same.

I appreciate any help and comment in advance.

1 answers

solution1
 0  2022-12-19 14:21:36

@@ in your afl command line means the position, where afl will place the input filename. Afl will run your executable like this - ./afl-main inputfile . Your program compares this filename with "-s" and "-k" .

Afl fuzzes the contents of the input, not the filenames. You should read the contents of the input and compare it instead of the filenames. This should solve your problem.

Also note - you provide an argument to your executable, thus the condition if (argc < 1) should not be entered. The remaining part of the program has only 3 paths - one for each if case. The time afl needs to find all these paths depends on your seed (initial input files in corpus folder), the more close it is to "-s" and "-k" , the faster afl will find these. The provided screenshot says you ran afl only for 2 minutes. In general case this is too few to analyze the fuzzing results.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question AFL "(odd, check syntax!) " Odd C# path issue How to check if path is a subdirectory of another Check installed app path in reg How to check opened file path? Check path equivalence using glib Check whether a path is absolute or relative Why does openssl/ssl.h contain nothing but a relative path? All or nothing - fast heuristic shortest path algorithm (parallel?) How to remove the last string token from a path
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM