AFLGO源码分析与教学文档<\/h1>

1. AFLGO概述<\/h2>
AFLGO是基于AFL的定向模糊测试工具，通过LLVM的pass机制实现插桩逻辑，并利用模拟退火算法进行目标导向的模糊测试。核心功能包括：<\/p>
预处理阶段：分析目标程序的控制流和调用关系<\/li>
距离计算阶段：计算基本块到目标位置的距离<\/li>
插桩阶段：在目标程序中插入距离测量和覆盖率收集代码<\/li> <\/ul>
2. AFLGO-PASS.SO.CC分析<\/h2>

2.1 参数设置<\/h3>
AFLGO pass需要以下参数：<\/p>
-targets<\/code>：包含目标位置行号的文件<\/li>
-distance<\/code>：包含基本块到目标位置距离的文件<\/li>
-outdir<\/code>：输出文件路径<\/li>
<\/ul>
2.2 DOT模板特化<\/h3>
AFLGO通过修改LLVM的DefaultDOTGraphTraits<\/code>基类来生成DOT文件：<\/p>

getGraphName<\/code>：设置DOT文件的图名（如"CFG for 'main' function"）<\/li>
getNodeLabel<\/code>：设置基本块标签（使用基本块名或操作数格式名）<\/li>
<\/ul>
2.3 AFLCoverage类<\/h3>
模块级Pass，继承自ModulePass<\/code>：<\/p>
class<\/span> AFLCoverage<\/span> :<\/span> public<\/span> ModulePass {
<\/span><\/span>    static<\/span> char<\/span> ID;  \/\/ Pass的唯一标识符
<\/span><\/span><\/span><\/span>    AFLCoverage() :<\/span> ModulePass(ID) {}
<\/span><\/span>    bool<\/span> runOnModule<\/span>(Module &<\/span>M) override<\/span>;
<\/span><\/span>    \/\/ 其他成员函数...
<\/span><\/span><\/span><\/span>};
<\/span><\/span><\/code><\/pre>2.4 getDebugLoc函数<\/h3>
获取IR指令对应的源码位置：<\/p>
static<\/span> bool<\/span> getDebugLoc<\/span>(const<\/span> Instruction *<\/span>I, std::<\/span>string &<\/span>Filename, unsigned<\/span> &<\/span>Line) {
<\/span><\/span>    if<\/span> (DILocation *<\/span>Loc =<\/span> I-><\/span>getDebugLoc()) {
<\/span><\/span>        Line =<\/span> Loc-><\/span>getLine();
<\/span><\/span>        Filename =<\/span> Loc-><\/span>getFilename().str();
<\/span><\/span>        \/\/ 处理内联函数情况
<\/span><\/span><\/span><\/span>        if<\/span> (Filename.empty() &&<\/span> Loc-><\/span>getInlinedAt())
<\/span><\/span>            return<\/span> getDebugLoc(Loc-><\/span>getInlinedAt(), Filename, Line);
<\/span><\/span>        return<\/span> true;
<\/span><\/span>    }
<\/span><\/span>    return<\/span> false;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.5 runOnModule主逻辑<\/h3>
2.5.1 参数校验与准备<\/h4>
检查必需参数并初始化数据结构：<\/p>
if<\/span> (!<\/span>TargetsFile.empty()) {
<\/span><\/span>    \/\/ 读取目标位置到targets列表
<\/span><\/span><\/span><\/span>    is_aflgo_preprocessing =<\/span> true;
<\/span><\/span>}
<\/span><\/span>if<\/span> (!<\/span>DistanceFile.empty()) {
<\/span><\/span>    \/\/ 读取距离信息到distance_map哈希表
<\/span><\/span><\/span><\/span>    \/\/ 距离值x100转为int
<\/span><\/span><\/span><\/span>    is_aflgo =<\/span> true;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.5.2 预处理阶段<\/h4>

打开输出文件（BBnames.txt, BBcalls.txt等）<\/li>
遍历模块中的所有函数，跳过黑名单函数<\/li>
对每个基本块：

获取IR指令的源码位置<\/li>
跳过系统库代码（\/usr\/开头的文件）<\/li>
为无名基本块生成名称（文件名+行号）<\/li>
检查是否为目标基本块<\/li>
处理函数调用指令，记录调用关系<\/li>
写入基本块名称到BBnames.txt<\/li>
<\/ul>
<\/li>
在tracing模式下，向基本块末尾插入桩代码：<\/li>
<\/ol>
IRBuilder<><\/span> Builder(BB-><\/span>getTerminator());
<\/span><\/span>Type *<\/span>Args[] =<\/span> {Builder.getInt8PtrTy()};
<\/span><\/span>FunctionType *<\/span>FTy =<\/span> FunctionType::<\/span>get(
<\/span><\/span>    Type::<\/span>getVoidTy(M.getContext()), Args, false);
<\/span><\/span>Function *<\/span>instrumented =<\/span> M.getOrInsertFunction(
<\/span><\/span>    "llvm_profiling_call"<\/span>, FTy);
<\/span><\/span>Builder.CreateCall(instrumented, {bbnameVal});
<\/span><\/span><\/code><\/pre>
输出控制流图（.dot文件）<\/li>
记录目标基本块和函数信息<\/li>
<\/ol>
2.5.3 距离插桩阶段<\/h4>


定义IR数据类型：<\/p>

Int8Ty<\/code>：1字节（bitmap）<\/li>
Int32Ty<\/code>：用于cur_loc、prev_loc<\/li>
Int64Ty<\/code>：距离统计（x86_64平台）<\/li>
<\/ul>
<\/li>

初始化全局变量：<\/p>
<\/li>
<\/ol>
GlobalVariable *<\/span>AFLMapPtr =<\/span> new<\/span> GlobalVariable(
<\/span><\/span>    M, Int8Ty, false, GlobalValue::<\/span>ExternalLinkage,
<\/span><\/span>    0<\/span>, "__afl_area_ptr"<\/span>);
<\/span><\/span>GlobalVariable *<\/span>AFLPrevLoc =<\/span> new<\/span> GlobalVariable(
<\/span><\/span>    M, Int32Ty, false, GlobalValue::<\/span>ExternalLinkage,
<\/span><\/span>    0<\/span>, "__afl_prev_loc"<\/span>);
<\/span><\/span><\/code><\/pre>

遍历函数和基本块：<\/p>

获取基本块名称<\/li>
跳过不在BBnames.txt中的基本块（选择性插桩时）<\/li>
从distance_map获取距离值<\/li>
<\/ul>
<\/li>

AFL传统插桩逻辑：<\/p>
<\/li>
<\/ol>
\/\/ 设置当前基本块ID
<\/span><\/span><\/span><\/span>unsigned<\/span> cur_loc =<\/span> R(MAP_SIZE);
<\/span><\/span>ConstantInt *<\/span>CurLoc =<\/span> ConstantInt::<\/span>get(Int32Ty, cur_loc);
<\/span><\/span>
<\/span><\/span>\/\/ 获取上一个基本块ID
<\/span><\/span><\/span><\/span>LoadInst *<\/span>PrevLoc =<\/span> Builder.CreateLoad(AFLPrevLoc);
<\/span><\/span>PrevLoc-><\/span>setMetadata(M.getMDKindID("nosanitize"<\/span>), MDNode::<\/span>get(C, None));
<\/span><\/span>Value *<\/span>PrevLocCasted =<\/span> Builder.CreateZExt(PrevLoc, Int32Ty);
<\/span><\/span>
<\/span><\/span>\/\/ 加载共享内存指针
<\/span><\/span><\/span><\/span>LoadInst *<\/span>MapPtr =<\/span> Builder.CreateLoad(AFLMapPtr);
<\/span><\/span>MapPtr-><\/span>setMetadata(M.getMDKindID("nosanitize"<\/span>), MDNode::<\/span>get(C, None));
<\/span><\/span>Value *<\/span>MapPtrIdx =<\/span> Builder.CreateGEP(
<\/span><\/span>    MapPtr, Builder.CreateXor(PrevLocCasted, CurLoc));
<\/span><\/span>
<\/span><\/span>\/\/ 增加bitmap计数器
<\/span><\/span><\/span><\/span>Value *<\/span>Counter =<\/span> Builder.CreateLoad(MapPtrIdx);
<\/span><\/span>Counter-><\/span>setMetadata(M.getMDKindID("nosanitize"<\/span>), MDNode::<\/span>get(C, None));
<\/span><\/span>Value *<\/span>Incr =<\/span> Builder.CreateAdd(Counter, ConstantInt::<\/span>get(Int8Ty, 1<\/span>));
<\/span><\/span>Builder.CreateStore(Incr, MapPtrIdx)
<\/span><\/span>    -><\/span>setMetadata(M.getMDKindID("nosanitize"<\/span>), MDNode::<\/span>get(C, None));
<\/span><\/span>
<\/span><\/span>\/\/ 更新prev_loc
<\/span><\/span><\/span><\/span>Builder.CreateStore(ConstantInt::<\/span>get(Int32Ty, cur_loc >><\/span> 1<\/span>), AFLPrevLoc);
<\/span><\/span><\/code><\/pre>
AFLGO距离插桩：<\/li>
<\/ol>
if<\/span> (distance !=<\/span> -<\/span>1<\/span>) {
<\/span><\/span>    \/\/ 将距离转为IR常量
<\/span><\/span><\/span><\/span>    ConstantInt *<\/span>Distance =<\/span> ConstantInt::<\/span>get(LargestType, (unsigned<\/span>)distance);
<\/span><\/span>    
<\/span><\/span>    \/\/ 获取并更新总距离
<\/span><\/span><\/span><\/span>    LoadInst *<\/span>MapDist =<\/span> Builder.CreateLoad(MapDistPtr);
<\/span><\/span>    Value *<\/span>IncrDist =<\/span> Builder.CreateAdd(MapDist, Distance);
<\/span><\/span>    Builder.CreateStore(IncrDist, MapDistPtr);
<\/span><\/span>    
<\/span><\/span>    \/\/ 更新计数器
<\/span><\/span><\/span><\/span>    LoadInst *<\/span>MapCnt =<\/span> Builder.CreateLoad(MapCntPtr);
<\/span><\/span>    Value *<\/span>IncrCnt =<\/span> Builder.CreateAdd(MapCnt, One);
<\/span><\/span>    Builder.CreateStore(IncrCnt, MapCntPtr);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.6 Pass注册<\/h3>
static<\/span> void<\/span> registerAFLPass<\/span>(const<\/span> PassManagerBuilder &<\/span>,
<\/span><\/span>                           legacy::<\/span>PassManagerBase &<\/span>PM) {
<\/span><\/span>    PM.add(new<\/span> AFLCoverage());
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>static<\/span> RegisterStandardPasses RegisterAFLPass<\/span>(
<\/span><\/span>    PassManagerBuilder::<\/span>EP_OptimizerLast, registerAFLPass);
<\/span><\/span>static<\/span> RegisterStandardPasses RegisterAFLPass0<\/span>(
<\/span><\/span>    PassManagerBuilder::<\/span>EP_EnabledOnOptLevel0, registerAFLPass);
<\/span><\/span><\/code><\/pre>3. DISTANCE.PY分析<\/h2>
3.1 参数设置<\/h3>
parser.<\/span>add_argument('-d'<\/span>, '--dot'<\/span>, required=<\/span>True<\/span>, help=<\/span>"输入dot文件路径"<\/span>)
<\/span><\/span>parser.<\/span>add_argument('-t'<\/span>, '--targets'<\/span>, required=<\/span>True<\/span>, help=<\/span>"目标位置文件"<\/span>)
<\/span><\/span>parser.<\/span>add_argument('-o'<\/span>, '--output'<\/span>, required=<\/span>True<\/span>, help=<\/span>"输出距离文件"<\/span>)
<\/span><\/span>parser.<\/span>add_argument('-n'<\/span>, '--names'<\/span>, required=<\/span>True<\/span>, help=<\/span>"节点名称文件"<\/span>)
<\/span><\/span>parser.<\/span>add_argument('-c'<\/span>, '--cg-distance'<\/span>, help=<\/span>"CG距离文件"<\/span>)
<\/span><\/span>parser.<\/span>add_argument('-s'<\/span>, '--cg-callsites'<\/span>, help=<\/span>"CG调用点文件"<\/span>)
<\/span><\/span><\/code><\/pre>3.2 处理流程<\/h3>


读取dot文件并判断模式（CG或CFG）<\/p>
<\/li>

CG模式处理：<\/p>

读取目标位置<\/li>
计算每个节点到目标的距离<\/li>
使用迪杰斯特拉算法找最短路径<\/li>
距离公式：1 \/ (1 + dist)<\/code>的加权平均倒数<\/li>
<\/ul>
<\/li>

CFG模式处理：<\/p>

检查必需参数（cg_distance和cg_callsites）<\/li>
建立函数名到距离的映射<\/li>
处理基本块调用关系<\/li>
距离计算：
dist =<\/span> shortest +<\/span> 10<\/span> *<\/span> bb_d  # bb_d是函数间距离<\/span>
<\/span><\/span><\/code><\/pre><\/li>
取所有路径中的最小值作为最终距离<\/li>
<\/ul>
<\/li>
<\/ol>
3.3 距离计算函数<\/h3>
def<\/span> distance<\/span>(G, name, targets, bbdistance, mode):
<\/span><\/span>    if<\/span> mode ==<\/span> 'cg'<\/span> and<\/span> name in<\/span> bbdistance:
<\/span><\/span>        return<\/span> bbdistance[name] *<\/span> 10<\/span>
<\/span><\/span>    
<\/span><\/span>    if<\/span> mode ==<\/span> 'cg'<\/span>:
<\/span><\/span>        # 计算CG距离<\/span>
<\/span><\/span>        dist =<\/span> 0.0<\/span>
<\/span><\/span>        for<\/span> target in<\/span> targets:
<\/span><\/span>            try<\/span>:
<\/span><\/span>                d =<\/span> nx.<\/span>shortest_path_length(G, name, target)
<\/span><\/span>                dist +=<\/span> 1.0<\/span> \/<\/span> (1.0<\/span> +<\/span> d)
<\/span><\/span>            except<\/span>:
<\/span><\/span>                continue<\/span>
<\/span><\/span>        return<\/span> 1.0<\/span> \/<\/span> dist if<\/span> dist ><\/span> 0<\/span> else<\/span> sys.<\/span>maxsize
<\/span><\/span>    
<\/span><\/span>    else<\/span>:  # CFG模式<\/span>
<\/span><\/span>        min_dist =<\/span> sys.<\/span>maxsize
<\/span><\/span>        for<\/span> bb, bb_d in<\/span> bbdistance.<\/span>items():
<\/span><\/span>            try<\/span>:
<\/span><\/span>                shortest =<\/span> nx.<\/span>shortest_path_length(G, name, bb)
<\/span><\/span>                current_dist =<\/span> shortest +<\/span> 10<\/span> *<\/span> bb_d
<\/span><\/span>                if<\/span> current_dist <<\/span> min_dist:
<\/span><\/span>                    min_dist =<\/span> current_dist
<\/span><\/span>            except<\/span>:
<\/span><\/span>                continue<\/span>
<\/span><\/span>        return<\/span> min_dist
<\/span><\/span><\/code><\/pre>4. 关键知识点总结<\/h2>


LLVM Pass机制<\/strong>：AFLGO利用LLVM的Pass系统在IR级别进行插桩，比汇编级插桩更高效可靠。<\/p>
<\/li>

控制流分析<\/strong>：<\/p>

通过DOT文件生成CFG和CG<\/li>
使用networkx库进行图分析<\/li>
基本块命名规则：文件名+行号<\/li>
<\/ul>
<\/li>

距离计算<\/strong>：<\/p>

CG距离：函数调用图级别的距离<\/li>
CFG距离：基本块级别的距离<\/li>
跨函数调用惩罚：距离×10<\/li>
最终距离取最小值<\/li>
<\/ul>
<\/li>

插桩策略<\/strong>：<\/p>

传统AFL边覆盖率插桩（异或计数）<\/li>
AFLGO特有距离插桩（累加距离和计数器）<\/li>
选择性插桩支持<\/li>
<\/ul>
<\/li>

共享内存布局<\/strong>：<\/p>
+---------------------+
| AFL bitmap (MAP_SIZE)|
+---------------------+
| 总距离值 (8字节)     |
+---------------------+
| 计数器 (8字节)       |
+---------------------+
<\/code><\/pre>
<\/li>
<\/ol>
5. 教学建议<\/h2>


实践步骤<\/strong>：<\/p>

编译AFLGO并生成aflgo-pass.so<\/li>
使用afl-clang-fast编译目标程序<\/li>
运行预处理阶段生成控制流信息<\/li>
运行distance.py计算距离<\/li>
进行定向模糊测试<\/li>
<\/ul>
<\/li>

调试技巧<\/strong>：<\/p>

检查生成的.dot文件验证控制流<\/li>
检查BBnames.txt等中间文件<\/li>
使用LLVM IR查看插桩结果<\/li>
<\/ul>
<\/li>

扩展方向<\/strong>：<\/p>

修改距离计算公式<\/li>
添加新的目标选择策略<\/li>
优化共享内存布局<\/li>
<\/ul>
<\/li>

常见问题<\/strong>：<\/p>

确保目标程序包含调试信息<\/li>
检查Pass参数是否正确传递<\/li>
验证距离计算结果的合理性<\/li>
<\/ul>
<\/li>
<\/ol>
通过本教学文档，读者可以全面理解AFLGO的工作原理和实现细节，为进一步研究和定制定向模糊测试工具奠定基础。<\/p>