Fuzzing101 V8

https://github.com/antonio-morales/Fuzzing101/tree/main/Exercise%2010

Note: the Fuzzilli-0.9 attempt below was unsuccessful. It is recommended to start directly with the latest version of Fuzzilli (from the “Let’s Fuzz!” section onward).

System: Ubuntu 20.04 LTS

Environment Configuration

Fuzzilli-0.9

Running the following command fails: libcurl3 is not available on Ubuntu 20.04, since it has been replaced by libcurl4. Drop libcurl3 from the package list and re-run the command; the remaining packages install normally.

fr3y@ubuntu:~$ sudo apt --yes install clang libcurl3 libpython2.7 libpython2.7-dev libcurl4 git
Reading package lists... Done
Building dependency tree
Reading state information... Done
Package libcurl3 is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source
However the following packages replace it:
libcurl4:i386 libcurl4

E: Package 'libcurl3' has no installation candidate

The next step, building Fuzzilli with swift build, then fails because libtinfo.so.5 is missing. Installing libncurses5 gets past that, but the build fails again on a missing libicuuc.so.60.

fr3y@ubuntu:~/fuzzilli-0.9$ swift build -c release -Xlinker='-lrt'
swift: error while loading shared libraries: libtinfo.so.5: cannot open shared object file: No such file or directory
fr3y@ubuntu:~$ sudo apt install libncurses5
fr3y@ubuntu:~/fuzzilli-0.9$ swift build -c release -Xlinker='-lrt'
/usr/share/swift/usr/bin/swift-build: error while loading shared libraries: libicuuc.so.60: cannot open shared object file: No such file or directory

The Swift toolchain in use was built for Ubuntu 18.04 and links against libicuuc.so.60, which Ubuntu 20.04 no longer ships (it has libicu66). Installing the libicu60 package from the bionic archive by hand works around this (a clean fix is a Swift toolchain built for 20.04). Also make sure clang is installed.

cd ~/Downloads
wget http://security.ubuntu.com/ubuntu/pool/main/i/icu/libicu60_60.2-3ubuntu3.2_amd64.deb
sudo apt-get install ./libicu60_60.2-3ubuntu3.2_amd64.deb

With that in place, Fuzzilli builds successfully:

fr3y@ubuntu:~/fuzzilli-0.9$ swift build -c release -Xlinker='-lrt'
Compile libsocket socket.c
Compile libreprl libreprl.c
Compile libforkserver forkserver.c
Compile libcoverage coverage.c
Compile Swift Module 'Fuzzilli' (60 sources)
Compile Swift Module 'FuzzilliCli' (8 sources)
Linking ./.build/x86_64-unknown-linux/release/FuzzilliCli

Then fetch the V8 source code as described in the exercise.

Compile V8 with coverage instrumentation.

fr3y@ubuntu:~/v8$ cp /home/fr3y/fuzzilli-0.9/Targets/V8/v8.patch ./
fr3y@ubuntu:~/v8$ gn gen out/fuzzbuild --args='is_debug=false dcheck_always_on=true v8_static_library=true v8_enable_slow_dchecks=true v8_enable_v8_checks=true v8_enable_verify_heap=true v8_enable_verify_csa=true v8_enable_verify_predictable=true sanitizer_coverage_flags="trace-pc-guard" target_cpu="x64"'
Done. Made 122 targets from 81 files in 185ms
fr3y@ubuntu:~/v8$ ninja -C ./out/fuzzbuild
ninja: Entering directory `./out/fuzzbuild'
[1711/1711] STAMP obj/gn_all.stamp

Whichever combination of the old Fuzzilli, Swift and V8 is used, running the fuzzer eventually fails with the error below. This problem can probably be solved by reinstalling each of them at matching versions, but I will switch straight to the latest version here. One thing worth checking before chasing version mismatches: the commands above only copy v8.patch into the V8 tree and never apply it (git apply v8.patch). Fuzzilli-0.9 needs that REPRL patch applied to d8 before the build, and an unpatched d8 does not speak the REPRL protocol the fuzzer uses to talk to it.

[REPRL] Failed to communicate with child process

Let’s Fuzz!

Build V8

  1. Install dependencies: fr3y@ubuntu:~/v8$ ./build/install-build-deps.sh -no-chromeos-fonts
  2. Use gn to generate build files: fr3y@ubuntu:~/v8$ gn gen out/Release "--args=is_debug=false"
  3. Compile: fr3y@ubuntu:~/v8$ ninja -C out/Release
  4. Check the d8 binary by:
fr3y@ubuntu:~/v8$ ./out/Release/d8 ./test/fuzzer/parser/hello-world
hello world

Fuzzilli

Finally, I used the latest version of Fuzzilli to fuzz the latest version of V8, and reinstalled Swift as well.

fuzzbuild.sh is Fuzzilli's Targets/V8/fuzzbuild.sh copied into the V8 checkout: it configures the instrumented build (including v8_fuzzilli=true, which builds REPRL support into d8, and sanitizer_coverage_flags="trace-pc-guard" for coverage feedback) and builds d8 into out/fuzzbuild, the binary passed to FuzzilliCli below. Fuzzilli refuses to start while core dumps are enabled, hence the kernel.core_pattern change.

fr3y@ubuntu:~/v8$ git checkout origin
fr3y@ubuntu:~/v8$ gclient sync -D
fr3y@ubuntu:~/v8$ ./fuzzbuild.sh
fr3y@ubuntu:~/fuzzilli$ sudo sysctl -w 'kernel.core_pattern=|/bin/false'
fr3y@ubuntu:~/fuzzilli$ swift run FuzzilliCli --profile=v8 --storagePath=/home/fr3y/Desktop/crashes /home/fr3y/v8/out/fuzzbuild/d8

[Fuzzer] Let’s go!

Fuzzer state:                 Fuzzing (with MutationEngine)
Uptime: 0d 0h 30m 0s
Total Samples: 12666
Interesting Samples Found: 1437
Last Interesting Sample: 0d 0h 0m 4s
Valid Samples Found: 8959
Corpus Size: 1435
Correctness Rate: 71.00% (overall: 70.73%)
Timeout Rate: 1.90% (overall: 1.53%)
Crashes Found: 0
Timeouts Hit: 194
Coverage: 7.88%
Avg. program size: 48.27
Avg. corpus program size: 11.28
Avg. program execution time: 20ms
Connected nodes: 0
Execs / Second: 36.91
Fuzzer Overhead: 18.61%
Total Execs: 93155

After 30 minutes on a single instance (about 37 executions per second, roughly 93k executions in total, 7.88% coverage, no crashes) the default configuration has not surfaced anything, and a mainline V8 that is itself fuzzed continuously is unlikely to fall over that quickly. Finding new bugs will take longer runs with more parallel instances, a better seed corpus, changes to the mutation strategy and engine selection, and watching whether coverage is still climbing rather than relying on the defaults.
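Putting the launch step above (core_pattern, d8 check, FuzzilliCli with --storagePath) together with what to do once samples land in the storage directory, here is an added wrapper script. It is example code written for this page, not part of the Fuzzing101 exercise or the Fuzzilli project. Everything it assumes that the page does not state is marked in the comments: the script name fuzz_v8.sh, a FUZZILLI_DIR variable pointing at a Fuzzilli checkout, crash samples being saved as $storage/crashes/*.js, and the d8 flags used when re-running a sample, which should be checked against the v8 profile in Sources/FuzzilliCli/Profiles/V8Profile.swift.

```shell
#!/bin/sh
# Added example (not from the Fuzzing101 exercise or the Fuzzilli project).
# Wraps the FuzzilliCli launch above with preflight checks and a crash triage
# pass. Assumptions (not taken from the page): FUZZILLI_DIR points at a
# Fuzzilli checkout, crash samples land in $storage/crashes/*.js, and the d8
# flags in triage_crashes() match the v8 profile's; verify them against
# Sources/FuzzilliCli/Profiles/V8Profile.swift in your checkout.

# Fuzzilli refuses to start while core dumps are enabled, which is why the
# walkthrough sets kernel.core_pattern to '|/bin/false'. $1 is the current
# contents of /proc/sys/kernel/core_pattern.
core_pattern_ok() {
    case "$1" in
        '|/bin/false'*) return 0 ;;
        *)              return 1 ;;
    esac
}

# Map a shell exit status to a triage label. 128+N means the child was killed
# by signal N; 124 is what coreutils timeout(1) returns when it had to kill it.
classify_exit_status() {
    case "$1" in
        0)   echo "ok" ;;
        124) echo "timeout" ;;
        132) echo "sigill" ;;    # 128+4
        133) echo "sigtrap" ;;   # 128+5
        134) echo "sigabrt" ;;   # 128+6, e.g. a CHECK/DCHECK failure in d8
        136) echo "sigfpe" ;;    # 128+8
        139) echo "sigsegv" ;;   # 128+11
        *)   echo "exit_$1" ;;
    esac
}

# Run a command under a time limit when timeout(1) is available.
run_limited() {
    limit="$1"; shift
    if command -v timeout >/dev/null 2>&1; then
        timeout "$limit" "$@"
    else
        "$@"
    fi
}

# Re-run every saved crash sample through d8 and print "<label> <file>" per
# sample, so a run's output can be bucketed by signal before manual analysis.
# $1 = d8 binary, $2 = --storagePath directory, $3 = per-sample limit in
# seconds (default 10).
triage_crashes() {
    d8="$1"; storage="$2"; limit="${3:-10}"
    for sample in "$storage"/crashes/*.js; do
        [ -e "$sample" ] || { echo "no crash samples under $storage/crashes"; return 0; }
        status=0
        run_limited "$limit" "$d8" --expose-gc --allow-natives-syntax "$sample" >/dev/null 2>&1 || status=$?
        echo "$(classify_exit_status "$status") $sample"
    done
}

# Preflight, launch, then triage once the run is interrupted.
# Usage: sh fuzz_v8.sh /path/to/v8/out/fuzzbuild/d8 /path/to/storage [jobs]
main() {
    d8="$1"; storage="$2"; jobs="${3:-1}"
    core_pattern_ok "$(cat /proc/sys/kernel/core_pattern)" || {
        echo "core dumps are enabled; run: sudo sysctl -w 'kernel.core_pattern=|/bin/false'" >&2
        return 1
    }
    # Same smoke test the walkthrough does on the Release d8: it must run a script.
    smoke=$(mktemp) && printf 'print("hello world");\n' > "$smoke"
    [ "$("$d8" "$smoke")" = "hello world" ] || { echo "$d8 does not run scripts" >&2; return 1; }
    rm -f "$smoke"
    mkdir -p "$storage"
    # --jobs=N starts N fuzzer instances in one process; the run above was a
    # single instance at about 37 execs/s.
    (cd "${FUZZILLI_DIR:?set FUZZILLI_DIR to your Fuzzilli checkout}" && \
        swift run -c release FuzzilliCli --profile=v8 --jobs="$jobs" \
            --storagePath="$storage" "$d8")
    triage_crashes "$d8" "$storage"
}

if [ $# -ge 2 ]; then
    main "$@"
fi
```

The triage pass is deliberately separate from the launch so it can be run on its own against an existing storage directory; re-running a sample outside REPRL is also the quickest way to tell a real crash from a REPRL-only artifact before opening a debugger.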