FitM, the Fuzzer in the Middle, can fuzz client and server binaries at the same time using userspace snapshot-fuzzing and network emulation. It's fast and comparably easy to set up.
License: MIT License
Taken from TODO in code:
Cache the most recent (<=3) snapshot maps for a given generation. This reduces the number of times we have to iterate over the saved states folder AND the number of files we have to read.
When implementing this we should think about whether or not it takes up too much memory to hold traces for up to 3 gens for all states in the queue.
We don't really need neither create_restore.py, nor crit anymore, right?
Hi,
I built FitM with make, and run the example using FITM_ARGS=config/fitm-args.ftp.json make run but got the following failure:
FITM_ARGS=config/fitm-args.ftp.json make run
cargo build --release
Compiling fitm v0.1.0 (/root/projects/fuzzer/FitM)
Finished release [optimized + debuginfo] target(s) in 27.20s
sudo rm -rf ./active-state
sudo rm -rf ./cmin-tmp
sudo ./target/release/fitm config/fitm-args.ftp.json
cwd: "/root/projects/fuzzer/FitM"
__________________ ___
/ ____/ _/_ __/ |/ /
/ /_ / / / / / /|_/ /
/ __/ _/ / / / / / / /
/_/ /___/ /_/ /_/ /_/
File fitm-state.json not found. Restarting from scratch.
No valid state to resume. Starting fresh :)
==== [*] Time start init_run: 2022-04-04 21:13:55 ====
[*] Init run finished with exit code None
[*] Target was killed by signal. Assuming dump success.
thread 'main' panicked at '[!] parse_pid failed to parse JSON in utils::parse_pid: UnexpectedEndOfJson', src/utils.rs:67:59
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
make: *** [Makefile:40:run] error 101
Could you please help me?
Is there a problem in using vecs instead of arrays to allow for configurable parameters?
I remember @domenukk wanted to use arrays and strs to reduce memory footprint.
I'm using the vagrant VM and build it with the provided vagrantfile. It seems that there is a error in criu where it can't compile features-time64.h
Hi, I setup a new ubuntu20.04 vm, run commands in misc/provision.sh to prepare the environment.
Then I try the example with make and FITM_ARGS=config/fitm-args.ftp.json make run, but I got criu dump failed error message. The fuzzer stuck at gen1 for about 1min then exit.
Could you please help? Thank you.
cargo build --release
Finished release [optimized + debuginfo] target(s) in 0.03s
sudo rm -rf ./active-state
sudo rm -rf ./cmin-tmp
sudo -E ./target/release/fitm config/fitm-args.ftp.json
cwd: "/home/qwe/FitM"
__________________ ___
/ ____/ _/_ __/ |/ /
/ /_ / / / / / /|_/ /
/ __/ _/ / / / / / / /
/_/ /___/ /_/ /_/ /_/
File fitm-state.json not found. Restarting from scratch.
No valid state to resume. Starting fresh :)
==== [*] Time start init_run: 2022-04-15 19:39:09 ====
[*] Init run finished with exit code None
[*] Target was killed by signal. Assuming dump success.
[*] Init run finished with exit code Some(0)
[!] Unexpected exit status '0' from snapshot creation.
thread 'main' panicked at 'Namespace call failed with error Custom { kind: Other, error: "[!] criu dump failed, check active-state dir." }', src/namespacing.rs:135:31
stack backtrace:
0: rust_begin_unwind
at /rustc/7737e0b5c4103216d6fd8cf941b7ab9bdbaace7c/library/std/src/panicking.rs:584:5
1: core::panicking::panic_fmt
at /rustc/7737e0b5c4103216d6fd8cf941b7ab9bdbaace7c/library/core/src/panicking.rs:143:14
2: fitm::namespacing::NamespaceContext::execute
at /home/qwe/FitM/src/namespacing.rs:135:31
3: fitm::FITMSnapshot::init_run
at /home/qwe/FitM/src/lib.rs:269:28
4: fitm::run
at /home/qwe/FitM/src/lib.rs:1351:13
5: fitm::main
at /home/qwe/FitM/src/main.rs:88:21
6: core::ops::function::FnOnce::call_once
at /rustc/7737e0b5c4103216d6fd8cf941b7ab9bdbaace7c/library/core/src/ops/function.rs:227:5
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
[*] Init run finished with exit code None
[*] Target was killed by signal. Assuming dump success.
==== [*] Time end init_run: "2022-04-15 19:39:10" ====
---> Round 1: Fuzzing Gen 1
==== [*] Queue before process_stage contains: [[], ["fitm-gen1-state0"], ["fitm-gen2-state0"], []] ====
==== [*] Time start process_stage gen 1: "2022-04-15 19:39:10" ====
-> Processing stage with 1 inputs.
==== [*] Time start process_stage loop step fitm-gen1-state0: "2022-04-15 19:39:10" ====
==== [*] Wrote cmin contents from /home/qwe/FitM/cmin-tmp to /home/qwe/FitM/saved-states/fitm-gen1-state0/in ====
==== [*] Start fuzzing fitm-gen1-state0 ("ftp") ====
Fuzzer Stats:
- cycles_done : 1
- execs_done : 62990
- execs_per_sec : 1049.52
- paths_total : 103
- max_depth : 2
- stability : 100.00%
- unique_crashes : 0
- unique_hangs : 0
==== [*] Finished fuzzing fitm-gen1-state0 ====
==== [*] Wrote cmin contents from /home/qwe/FitM/cmin-tmp to /home/qwe/FitM/saved-states/fitm-gen1-state0/out/main/queue ====
==== [*] Creating outputs for state: fitm-gen1-state0 ====
==== [*] Using input: "/home/qwe/FitM/saved-states/fitm-gen1-state0/out/main/queue/id:000068,time:0,orig:id:000131,src:000055+000118,time:58311,op:splice,rep:2" ====
thread 'main' panicked at '[!] create_outputs_file(): Snapshot run failed: Os { code: 10, kind: Uncategorized, message: "No child processes" }', src/lib.rs:552:55
stack backtrace:
0: rust_begin_unwind
at /rustc/7737e0b5c4103216d6fd8cf941b7ab9bdbaace7c/library/std/src/panicking.rs:584:5
1: core::panicking::panic_fmt
at /rustc/7737e0b5c4103216d6fd8cf941b7ab9bdbaace7c/library/core/src/panicking.rs:143:14
2: core::result::unwrap_failed
at /rustc/7737e0b5c4103216d6fd8cf941b7ab9bdbaace7c/library/core/src/result.rs:1749:5
3: core::result::Result<T,E>::expect
at /rustc/7737e0b5c4103216d6fd8cf941b7ab9bdbaace7c/library/core/src/result.rs:1022:23
4: fitm::FITMSnapshot::create_outputs_file::{{closure}}
at /home/qwe/FitM/src/lib.rs:552:21
5: fitm::namespacing::NamespaceContext::execute
at /home/qwe/FitM/src/namespacing.rs:126:27
6: fitm::FITMSnapshot::create_outputs_file
at /home/qwe/FitM/src/lib.rs:525:27
7: fitm::FITMSnapshot::create_outputs
at /home/qwe/FitM/src/lib.rs:623:13
8: fitm::process_stage
at /home/qwe/FitM/src/lib.rs:981:9
9: fitm::run
at /home/qwe/FitM/src/lib.rs:1458:30
10: fitm::main
at /home/qwe/FitM/src/main.rs:88:21
11: core::ops::function::FnOnce::call_once
at /rustc/7737e0b5c4103216d6fd8cf941b7ab9bdbaace7c/library/core/src/ops/function.rs:227:5
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
[!] Error during create_outputs execution. Please check latest statefolder for output
make: *** [Makefile:40: run] Error 1
I can't even start the program, so sad. But there are no errors in the make process
vagrant@ubuntu-focal:/vagrant$ FITM_ARGS=config/fitm-args.ftp.json make run
cargo build --release
sudo rm -rf ./active-state
sudo rm -rf ./cmin-tmp
sudo ./target/release/fitm config/fitm-args.ftp.json
sudo: ./target/release/fitm: command not found
make: *** [Makefile:40: run] Error 1
vagrant@ubuntu-focal:/vagrant$ ls
AFLplusplus Makefile config debug fitm.pdf restore.sh.tmp src
Cargo.toml README.md create_restore.py fitm-qemu libqasan.so rpc.proto tests
LICENSE Vagrantfile criu fitm-qemu-trace misc rust-toolchain tmp
Hi,
Thanks for sharing this interesting work!
I am trying to fuzz a proprietary binary/client where client_args and server_args have spaces in them - for example --server --arg1 value1 --arg2 value2 --arg3
I am fairly sure I am missing something json related here but if I try to run the session with just 1 argument I get expected output, if I try with 2 arguments I get output I would expect if I missed the spaces out.
I am guessing I need to do something different to ensure the spaces are not stripped as if I recall correctly json strips spaces out, any pointers would be appreciated?
Alan
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.