AFL工具使用实践：以libtiff为例的模糊测试指南<\/h1>

1. 环境准备<\/h2>

1.1 目标程序准备<\/h3>
首先下载并编译libtiff库作为测试目标：<\/p>
mkdir libtiff
<\/span><\/span>cd libtiff
<\/span><\/span>wget http:\/\/download.osgeo.org\/libtiff\/tiff-4.0.9.tar.gz
<\/span><\/span>tar zxvf tiff-4.0.9.tar.gz
<\/span><\/span>cd tiff-4.0.9
<\/span><\/span><\/code><\/pre>1.2 AFL编译器设置<\/h3>
设置环境变量使用AFL的编译器：<\/p>
export CC=<\/span>afl-gcc
<\/span><\/span>export CXX=<\/span>afl-g++
<\/span><\/span><\/code><\/pre>1.3 编译目标程序<\/h3>
.\/configure --disable-shared
<\/span><\/span>make
<\/span><\/span>cd ..
<\/span><\/span><\/code><\/pre>2. 测试用例准备<\/h2>
2.1 创建输入输出目录<\/h3>
mkdir input output
<\/span><\/span><\/code><\/pre>2.2 获取测试用例<\/h3>
从AFL测试用例库中获取TIFF相关测试用例：<\/p>
cp ..\/AFL\/testcases\/tiff\/edges-only\/images\/* input
<\/span><\/span><\/code><\/pre>3. 核心模糊测试<\/h2>
3.1 设置核心转储<\/h3>
sudo su
<\/span><\/span>echo core >\/proc\/sys\/kernel\/core_pattern
<\/span><\/span><\/code><\/pre>3.2 启动模糊测试<\/h3>
afl-fuzz -i input -o output .\/tiff-4.0.9\/tools\/tiff2rgba -a @@
<\/span><\/span><\/code><\/pre>4. 语料库优化<\/h2>
4.1 语料库蒸馏(cmin)<\/h3>
移除执行相同代码路径的输入文件：<\/p>
afl-cmin -i input -o output -- .\/tiff-4.0.9\/tools\/tiff2rgba -a @@
<\/span><\/span><\/code><\/pre>4.2 测试用例最小化(tmin)<\/h3>
减小单个输入文件的大小：<\/p>
afl-tmin -i .\/input\/id:000001,src:000000,op:flip1,pos:0,+cov.tif -o output_file -- .\/tiff-4.0.9\/tools\/tiff2rgba -a @@
<\/span><\/span><\/code><\/pre>5. 执行路径分析<\/h2>
使用showmap跟踪单个输入的执行路径：<\/p>
afl-showmap -m none -o \/dev\/null -- .\/tiff-4.0.9\/tools\/tiff2rgba .\/input\/id:000001,src:000000,op:flip1,pos:0,+cov.tif out.png
<\/span><\/span><\/code><\/pre>6. 持久化测试会话<\/h2>
使用screen保持模糊测试会话：<\/p>
sudo apt install screen
<\/span><\/span>screen afl-fuzz -i input -o output .\/tiff-4.0.9\/tools\/tiff2rgba -a @@
<\/span><\/span><\/code><\/pre>命名screen会话：<\/p>
screen -S fuzzer1
<\/span><\/span>afl-fuzz -i testcase_dir -o findings_dir \/path\/to\/program [<\/span>params]<\/span> @@
<\/span><\/span>[<\/span>detached from 6999.fuzzer1]<\/span>
<\/span><\/span>screen -r fuzzer1
<\/span><\/span><\/code><\/pre>7. 并行模糊测试<\/h2>
7.1 查看CPU核心数<\/h3>
cat \/proc\/cpuinfo | grep "cpu cores"<\/span> | uniq
<\/span><\/span><\/code><\/pre>7.2 启动并行fuzzer<\/h3>
主fuzzer：<\/p>
screen afl-fuzz -i input -o output -M fuzzer1 -- .\/tiff-4.0.9\/tools\/tiff2rgba -a @@
<\/span><\/span><\/code><\/pre>从属fuzzer：<\/p>
screen afl-fuzz -i input -o output -S fuzzer2 -- .\/tiff-4.0.9\/tools\/tiff2rgba -a @@
<\/span><\/span><\/code><\/pre>8. 结果分析工具<\/h2>
8.1 状态查看(whatsup)<\/h3>
afl-whatsup output\/fuzzer1\/crashes
<\/span><\/span><\/code><\/pre>8.2 图形化展示(plot)<\/h3>
安装gnuplot：<\/p>
apt-get install gnuplot
<\/span><\/span><\/code><\/pre>生成图表：<\/p>
afl-plot .\/output .\/dir
<\/span><\/span><\/code><\/pre>8.3 崩溃分析(collect)<\/h3>
安装必要工具：<\/p>
git clone https:\/\/github.com\/rc0r\/exploitable
<\/span><\/span>sudo python setup.py install
<\/span><\/span>git clone https:\/\/github.com\/rc0r\/afl-utils
<\/span><\/span>sudo python setup.py install
<\/span><\/span><\/code><\/pre>执行崩溃分析：<\/p>
afl-collect -d crashes.db -e gdb_script -r -rr .\/output .\/input -j 8<\/span> -- .\/.\/tiff-4.0.9\/tools\/tiff2rgba
<\/span><\/span><\/code><\/pre>注意：如果遇到Python2的which问题，可以自定义which函数：<\/p>
def<\/span> which<\/span>(program):
<\/span><\/span>    # 查找程序在系统中的路径<\/span>
<\/span><\/span>    for<\/span> path in<\/span> os.<\/span>environ["PATH"<\/span>].<\/span>split(os.<\/span>pathsep):
<\/span><\/span>        exe_file =<\/span> os.<\/span>path.<\/span>join(path, program)
<\/span><\/span>        if<\/span> os.<\/span>path.<\/span>isfile(exe_file) and<\/span> os.<\/span>access(exe_file, os.<\/span>X_OK):
<\/span><\/span>            return<\/span> exe_file
<\/span><\/span>    return<\/span> None<\/span>
<\/span><\/span><\/code><\/pre>并修改源代码中的which调用：<\/p>
gdb_binary =<\/span> which("gdb"<\/span>)
<\/span><\/span><\/code><\/pre>9. 关键注意事项<\/h2>

编译目标程序时务必使用AFL的编译器(afl-gcc\/afl-g++)<\/li>
模糊测试前需要正确设置核心转储模式<\/li>
并行测试时，主fuzzer(-M)和从属fuzzer(-S)需要同步目录<\/li>
长时间运行的模糊测试建议使用screen保持会话<\/li>
定期使用cmin和tmin优化测试用例集<\/li>
分析结果时结合多种工具(whatsup, plot, collect)获取全面信息<\/li>
<\/ol>