1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
|
# libdislocator, an abusive allocator
For the general instruction manual, see [docs/README.md](../../docs/README.md).
This is a companion library that can be used as a drop-in replacement for the
libc allocator in the fuzzed binaries. It improves the odds of bumping into
heap-related security bugs in several ways:
- It allocates all buffers so that they are immediately adjacent to a
subsequent PROT_NONE page, causing most off-by-one reads and writes to
immediately segfault,
- It adds a canary immediately below the allocated buffer, to catch writes to
negative offsets (won't catch reads, though),
- It sets the memory returned by malloc() to garbage values, improving the
odds of crashing when the target accesses uninitialized data,
- It sets freed memory to PROT_NONE and does not actually reuse it, causing
most use-after-free bugs to segfault right away,
- It forces all realloc() calls to return a new address - and sets PROT_NONE
on the original block. This catches use-after-realloc bugs,
- It checks for calloc() overflows and can cause soft or hard failures of
alloc requests past a configurable memory limit (AFL_LD_LIMIT_MB,
AFL_LD_HARD_FAIL).
- Optionally, in platforms supporting it, huge pages can be used by passing
`USEHUGEPAGE=1` to make.
- Optionally, in platforms supporting it, `named` pages can be used by passing
`USENAMEDPAGE=1` to make.
- Size alignment to `max_align_t` can be enforced with `AFL_ALIGNED_ALLOC=1`. In
this case, a tail canary is inserted in the padding bytes at the end of the
allocated zone. This reduces the ability of libdislocator to detect
off-by-one bugs but also it makes libdislocator compliant to the C standard.
Basically, it is inspired by some of the non-default options available for the
OpenBSD allocator - see malloc.conf(5) on that platform for reference. It is
also somewhat similar to several other debugging libraries, such as gmalloc and
DUMA - but is simple, plug-and-play, and designed specifically for fuzzing jobs.
Note that it does nothing for stack-based memory handling errors. The
-fstack-protector-all setting for GCC / clang, enabled when using AFL_HARDEN,
can catch some subset of that.
The allocator is slow and memory-intensive (even the tiniest allocation uses up
4 kB of physical memory and 8 kB of virtual mem), making it completely
unsuitable for "production" uses; but it can be faster and more hassle-free than
ASAN / MSAN when fuzzing small, self-contained binaries.
To use this library, run AFL++ like so:
```
AFL_PRELOAD=/path/to/libdislocator.so ./afl-fuzz [...other params...]
```
You *have* to specify path, even if it's just ./libdislocator.so or
$PWD/libdislocator.so.
Similarly to afl-tmin, the library is not "proprietary" and can be used with
other fuzzers or testing tools without the need for any code tweaks. It does not
require AFL-instrumented binaries to work.
Note that the AFL_PRELOAD approach (which AFL++ internally maps to LD_PRELOAD or
DYLD_INSERT_LIBRARIES, depending on the OS) works only if the target binary is
dynamically linked. Otherwise, attempting to use the library will have no
effect.
|
