LibFuzzer实战教学文档<\/h1>

1. LibFuzzer概述<\/h2>

LibFuzzer是LLVM项目的一部分，是一个功能强大的模糊测试引擎，具有以下核心特性：<\/p>

进程内(In-process)<\/strong>：所有测试在同一个进程内存空间中进行，不启动新进程<\/li>
覆盖率引导(Coverage-guided)<\/strong>：基于代码覆盖率反馈优化测试用例<\/li>

进化式(Evolutionary)<\/strong>：结合变异和生成两种方式产生测试用例<\/li> <\/ol>
工作原理：LibFuzzer与待测库链接，向目标函数发送测试数据，跟踪代码覆盖率，通过变异输入数据最大化覆盖率。<\/p>
2. 环境配置<\/h2>
安装要求<\/h3>

已集成在Clang中，安装Clang即可<\/li>
检查安装：clang --version<\/code><\/li> <\/ul> 3. 实战案例：CVE-2016-5180复现<\/h2> 漏洞背景<\/h3> Heap overflow in c-ares，是ChromeOS漏洞利用链的一部分<\/p> 复现步骤<\/h3> 获取测试套件：<\/p> git clone https:\/\/github.com\/google\/fuzzer-test-suite <\/span><\/span><\/code><\/pre><\/li> 项目结构：<\/p> build.sh<\/code>：主编译脚本<\/li> custom-build.sh<\/code>：自定义编译选项<\/li> common.sh<\/code>：公共函数<\/li> target.cc<\/code>：目标测试代码<\/li> <\/ul> <\/li> 编译执行：<\/p> .\/build.sh <\/span><\/span><\/code><\/pre>编译完成后生成：<\/p> SRC：源码目录<\/li> BUILD：构建目录<\/li> 可执行fuzz程序<\/li> <\/ul> <\/li> 运行fuzz：<\/p> .\/fuzz_target <\/span><\/span><\/code><\/pre><\/li> <\/ol> 4. LibFuzzer输出解析<\/h2> 字段<\/th> 含义<\/th> 示例分析<\/th> <\/tr> <\/thead> cov<\/td> 代码覆盖率(基本块数)<\/td> 初始14，增至29<\/td> <\/tr> ft<\/td> 独特特征数(路径\/分支等)<\/td> 15增至45<\/td> <\/tr> corp<\/td> 语料库状态(用例数\/总字节)<\/td> 9个用例,21字节<\/td> <\/tr> exec\/s<\/td> 每秒执行次数<\/td> 0表示初期或受限<\/td> <\/tr> rss<\/td> 内存占用<\/td> 稳定31MB<\/td> <\/tr> L<\/td> 输入长度(实际\/最大)<\/td> 多数4字节内<\/td> <\/tr> MS<\/td> 变异策略组合<\/td> ChangeBit-CrossOver等<\/td> <\/tr> <\/tbody> <\/table> 5. ASAN错误分析<\/h2> 典型错误类型：<\/p> heap-buffer-overflow<\/code>：堆缓冲区溢出<\/li> 报错示例：0x603000032a25<\/code><\/li> <\/ul> 6. 编译脚本详解<\/h2> build.sh<\/h3> 主编译脚本，调用：<\/p> custom-build.sh<\/code>：设置编译选项<\/li> common.sh<\/code>：公共函数<\/li> <\/ul> 重要编译选项<\/h3> -fsanitize=fuzzer<\/code>：替代旧的-fsanitize-coverage=trace-pc-guard<\/code><\/li> -fsanitize=address<\/code>：检测堆栈溢出、UAF<\/li> -fsanitize=undefined<\/code>：检测未定义行为<\/li> -fsanitize=memory<\/code>：检测未初始化内存访问<\/li> <\/ul> 7. 目标函数编写<\/h2> 必须实现的函数模板：<\/p> extern<\/span> "C"<\/span> int<\/span> LLVMFuzzerTestOneInput(const<\/span> uint8_t<\/span> *<\/span>Data, size_t Size) { <\/span><\/span> \/\/ 调用待测库函数 <\/span><\/span><\/span><\/span> return<\/span> 0<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre>8. 编译选项详解<\/h2> 选项<\/th> 作用<\/th> <\/tr> <\/thead> -g<\/td> 保留调试符号<\/td> <\/tr> -O0\/-O1\/-O2\/-O3<\/td> 优化等级<\/td> <\/tr> -o file_name<\/td> 指定输出文件名<\/td> <\/tr> -I path<\/td> 添加头文件路径<\/td> <\/tr> -fsanitize=fuzzer<\/td> 链接LibFuzzer库<\/td> <\/tr> -fsanitize=address<\/td> 检测内存错误<\/td> <\/tr> -fsanitize-coverage<\/td> 覆盖率统计<\/td> <\/tr> <\/tbody> <\/table> 9. Fuzz执行参数<\/h2> 参数<\/th> 默认值<\/th> 作用<\/th> <\/tr> <\/thead> verbosity<\/td> 1<\/td> 输出详细日志<\/td> <\/tr> seed<\/td> 0<\/td> 随机种子<\/td> <\/tr> runs<\/td> -1<\/td> 测试次数(-1无限)<\/td> <\/tr> max_len<\/td> 0<\/td> 输入最大长度<\/td> <\/tr> shuffle<\/td> 1<\/td> 打乱初始语料库<\/td> <\/tr> prefer_small<\/td> 1<\/td> 优先小输入<\/td> <\/tr> timeout<\/td> 1200<\/td> 单次运行超时(秒)<\/td> <\/tr> max_total_time<\/td> 0<\/td> 最大运行时长<\/td> <\/tr> jobs<\/td> 0<\/td> 并行任务数<\/td> <\/tr> workers<\/td> 0<\/td> 工作线程数<\/td> <\/tr> detect_leaks<\/td> 1<\/td> 检测内存泄漏<\/td> <\/tr> print_coverage<\/td> 0<\/td> 退出打印覆盖率<\/td> <\/tr> <\/tbody> <\/table> 10. 语料库使用技巧<\/h2> 提供初始种子：<\/p> .\/fuzz_target corpus\/ <\/span><\/span><\/code><\/pre><\/li> 合并优化语料库：<\/p> .\/fuzz_target -merge=<\/span>1<\/span> tmin_corpus corpus <\/span><\/span><\/code><\/pre><\/li> 保存生成语料：<\/p> .\/fuzz_target -artifact_prefix=<\/span>.\/crash\/ empty_corpus\/ <\/span><\/span><\/code><\/pre><\/li> <\/ol> 11. 字典使用<\/h2> 示例字典文件：<\/p> kw1="value1" kw2="value2" <\/code><\/pre> 使用字典：<\/p> .\/fuzz_target -dict=<\/span>test.dict corpus\/ <\/span><\/span><\/code><\/pre>12. 案例：CVE-2014-0160(心脏出血漏洞)<\/h2> 复现步骤<\/h3> 获取代码：<\/p> git clone https:\/\/github.com\/Dor1s\/libfuzzer-workshop <\/span><\/span><\/code><\/pre><\/li> 编译OpenSSL库：<\/p> .\/config enable-fuzz-afl no-shared no-asm <\/span><\/span>make <\/span><\/span><\/code><\/pre><\/li> 准备证书文件：<\/p> server.key<\/li> server.pem<\/li> <\/ul> <\/li> 编译target：<\/p> clang++ -g -O1 -fsanitize=<\/span>address,fuzzer target.cc -I.\/include .\/libssl.a .\/libcrypto.a -o target <\/span><\/span><\/code><\/pre><\/li> 运行fuzz：<\/p> .\/target <\/span><\/span><\/code><\/pre><\/li> <\/ol> 13. VSCode调试配置<\/h2> 安装Native Debug扩展<\/li> 创建launch.json：<\/li> <\/ol> { <\/span><\/span> "version"<\/span>: "0.2.0"<\/span>, <\/span><\/span> "configurations"<\/span>: [ <\/span><\/span> { <\/span><\/span> "name"<\/span>: "(gdb) Launch"<\/span>, <\/span><\/span> "type"<\/span>: "cppdbg"<\/span>, <\/span><\/span> "request"<\/span>: "launch"<\/span>, <\/span><\/span> "program"<\/span>: "${workspaceFolder}\/target"<\/span>, <\/span><\/span> "args"<\/span>: [], <\/span><\/span> "stopAtEntry"<\/span>: false<\/span>, <\/span><\/span> "cwd"<\/span>: "${workspaceFolder}"<\/span>, <\/span><\/span> "environment"<\/span>: [], <\/span><\/span> "externalConsole"<\/span>: false<\/span>, <\/span><\/span> "MIMode"<\/span>: "gdb"<\/span> <\/span><\/span> } <\/span><\/span> ] <\/span><\/span>} <\/span><\/span><\/code><\/pre> 修改target.cc添加main函数：<\/li> <\/ol> int<\/span> main<\/span>() { <\/span><\/span> const<\/span> uint8_t<\/span> data[] =<\/span> {0x01<\/span>, 0x02<\/span>, 0x03<\/span>}; \/\/ 替换为crash数据 <\/span><\/span><\/span><\/span> LLVMFuzzerTestOneInput(data, sizeof<\/span>(data)); <\/span><\/span> return<\/span> 0<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre>14. 关键技巧总结<\/h2> 编译时使用最新-fsanitize=fuzzer<\/code>选项<\/li> 提供优质初始语料库可显著提高效率<\/li> 使用字典处理特定关键字匹配<\/li> 合并语料库优化测试用例集<\/li> 合理设置超时和内存限制参数<\/li> 结合ASAN快速定位内存错误<\/li> 使用覆盖率反馈指导测试方向<\/li> <\/ol> 通过以上方法和技巧，可以高效地使用LibFuzzer进行模糊测试，发现软件中的潜在漏洞。<\/p>