Linux下Fuzz测试工具AFL和Syzkaller使用指南<\/h1>

一、AFL (American Fuzzy Lop) 使用教程<\/h2>

1. AFL简介<\/h3>

AFL是一种通过提供随机生成的输入来测试软件，搜索能导致程序崩溃的输入的fuzz测试工具。特点包括：<\/p>

通过对源码进行重新编译时进行插桩的方式自动产生测试用例<\/li>
较低的性能消耗<\/li>
高效的fuzzing策略和最小化技巧<\/li>

支持对有源码和无源码程序的测试（无源码需要QEMU支持）<\/li> <\/ul>

2. AFL安装步骤<\/h3>

从官网下载源码压缩包并解压<\/li>

编译安装：

make
<\/span><\/span>sudo make install
<\/span><\/span><\/code><\/pre><\/li>
配置coredumps输出：
echo core > \/proc\/sys\/kernel\/core_pattern
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
3. AFL测试示例<\/h3>
3.1 编译测试程序<\/h4>
对于有源码的程序，使用afl代替gcc\/clang编译：<\/p>
C程序：<\/p>
CC=<\/span>\/path\/to\/afl\/afl-gcc .\/configure
<\/span><\/span>make clean all
<\/span><\/span><\/code><\/pre>C++程序：<\/p>
CXX=<\/span>\/path\/to\/afl\/afl-g++ .\/configure
<\/span><\/span>make clean all
<\/span><\/span><\/code><\/pre>3.2 示例测试程序<\/h4>
#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <signal.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>int<\/span> func<\/span>(char<\/span> *<\/span>data) {
<\/span><\/span>    if<\/span>(data[0<\/span>] ==<\/span> 'A'<\/span>)
<\/span><\/span>        raise(SIGSEGV);
<\/span><\/span>    else<\/span>
<\/span><\/span>        printf("ok<\/span>\n<\/span>"<\/span>);
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>(int<\/span> argc, char<\/span> *<\/span>argv[]) {
<\/span><\/span>    char<\/span> buf[233<\/span>] =<\/span> {0<\/span>};
<\/span><\/span>    FILE *<\/span>input =<\/span> NULL;
<\/span><\/span>    input =<\/span> fopen(argv[1<\/span>], "r"<\/span>);
<\/span><\/span>    if<\/span>(input !=<\/span> 0<\/span>) {
<\/span><\/span>        fscanf(input, "%s"<\/span>, &<\/span>buf);
<\/span><\/span>        printf("buf is %s<\/span>\n<\/span>"<\/span>, buf);
<\/span><\/span>        func(buf);
<\/span><\/span>        fclose(input);
<\/span><\/span>    } else<\/span>
<\/span><\/span>        printf("error!"<\/span>);
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3.3 编译和运行<\/h4>

使用afl-gcc编译：
.\/afl-gcc test.c -o test
<\/span><\/span><\/code><\/pre><\/li>
运行fuzz测试：
.\/afl-fuzz -i testcase -o Testout .\/test @@
<\/span><\/span><\/code><\/pre>
testcase<\/code>：输入目录<\/li>
Testout<\/code>：输出目录<\/li>
@@<\/code>：表示从文件中读取输入<\/li>
<\/ul>
<\/li>
<\/ol>
二、Syzkaller内核模糊测试教程<\/h2>
1. Syzkaller简介<\/h3>
Syzkaller是一款无监督的覆盖引导内核模糊器，支持多种操作系统内核测试。<\/p>
2. 准备工作<\/h3>
2.1 编译内核<\/h4>
需要开启以下内核选项：<\/p>
CONFIG_KCOV=y
CONFIG_DEBUG_INFO=y
CONFIG_KASAN=y
CONFIG_KASAN_INLINE=y
<\/code><\/pre>
2.2 安装Go语言环境<\/h4>

下载并安装Go：
wget https:\/\/storage.googleapis.com\/golang\/go1.8.1.linux-amd64.tar.gz
<\/span><\/span>tar -xf go1.8.1.linux-amd64.tar.gz
<\/span><\/span>mv go goroot
<\/span><\/span><\/code><\/pre><\/li>
设置环境变量：
export GOROOT=<\/span>`<\/span>pwd`<\/span>\/goroot
<\/span><\/span>export PATH=<\/span>$GOROOT\/bin:$PATH
<\/span><\/span>mkdir gopath
<\/span><\/span>export GOPATH=<\/span>`<\/span>pwd`<\/span>\/gopath
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
2.3 安装Syzkaller<\/h4>
go get -u -d github.com\/google\/syzkaller\/...
<\/span><\/span>cd gopath\/src\/github.com\/google\/syzkaller\/
<\/span><\/span>mkdir workdir
<\/span><\/span>make
<\/span><\/span><\/code><\/pre>3. 创建Debian-wheezy镜像<\/h3>

安装debootstrap：
sudo apt-get install debootstrap
<\/span><\/span><\/code><\/pre><\/li>
使用脚本创建镜像：
cd gopath\/src\/github.com\/google\/syzkaller\/tools\/
<\/span><\/span>.\/create-image.sh
<\/span><\/span><\/code><\/pre>完成后会生成：

wheezy.id_rsa（私钥）<\/li>
wheezy.id_rsa.pub（公钥）<\/li>
wheezy.img（镜像文件）<\/li>
<\/ul>
<\/li>
<\/ol>
4. 启动QEMU虚拟机<\/h3>
设置环境变量：<\/p>
export KERNEL=<\/span>\/home\/edvison\/linux-kernel
<\/span><\/span>export IMG=<\/span>\/home\/edvison\/gopath\/src\/github.com\/google\/syzkaller\/tools
<\/span><\/span><\/code><\/pre>启动脚本：<\/p>
qemu-system-x86_64 \
<\/span><\/span><\/span><\/span>    -kernel $KERNEL\/arch\/x86_64\/boot\/bzImage \
<\/span><\/span><\/span><\/span>    -append "console=ttyS0 root=\/dev\/sda debug earlyprintk=serial slub_debug=QUZ"<\/span>\
<\/span><\/span><\/span><\/span>    -hda $IMG\/wheezy.img \
<\/span><\/span><\/span><\/span>    -net user,hostfwd=<\/span>tcp::10021-:22 -net nic \
<\/span><\/span><\/span><\/span>    --nographic \
<\/span><\/span><\/span><\/span>    -enable-kvm \
<\/span><\/span><\/span><\/span>    -m 2G \
<\/span><\/span><\/span><\/span>    -smp 2<\/span> \
<\/span><\/span><\/span><\/span>    -pidfile vm.pid \
<\/span><\/span><\/span><\/span>    2>&1<\/span> | tee vm.log
<\/span><\/span><\/code><\/pre>停止QEMU实例：<\/p>
sudo kill $(<\/span>cat vm.pid)<\/span>
<\/span><\/span><\/code><\/pre>5. 配置SSH无密码登录<\/h3>

生成SSH密钥：
ssh-keygen -t rsa
<\/span><\/span><\/code><\/pre><\/li>
将公钥复制到虚拟机<\/li>
修改虚拟机SSH配置（\/etc\/ssh\/sshd_config）：
PermitRootLogin without-password
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile \/root\/.ssh\/id_rsa.pub
RhostsRSAAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication no
UsePAM no
<\/code><\/pre>
<\/li>
重启SSH服务：
\/etc\/init.d\/ssh restart
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
6. 传输Syzkaller二进制文件<\/h3>
如果遇到密钥格式问题，使用dropbearconvert转换：<\/p>
sudo apt install dropbear
<\/span><\/span>dropbearconvert openssh dropbear id_rsa id_rsa_dropbear
<\/span><\/span>scp -P 10021<\/span> -i id_rsa_dropbear -r $(<\/span>GOPATH)<\/span>\/bin root@127.0.0.1
<\/span><\/span><\/code><\/pre>7. 启动Syzkaller<\/h3>

创建配置文件my.cfg<\/li>
运行：
.\/bin\/syz-manager -config=<\/span>my.cfg
<\/span><\/span><\/code><\/pre><\/li>
在浏览器访问127.0.0.1:10233<\/code>查看调试信息<\/li>
<\/ol>
三、关键点总结<\/h2>

AFL适用于用户态程序测试，Syzkaller适用于内核测试<\/li>
AFL需要配置coredump输出方式<\/li>
Syzkaller需要特定的内核编译选项<\/li>
虚拟机SSH配置和无密码登录是关键步骤<\/li>
两种工具都需要准备测试环境和样本<\/li>
<\/ol>
通过以上步骤，可以成功搭建并使用AFL和Syzkaller进行模糊测试。<\/p>

Linux下Fuzz测试工具AFL和Syzkaller使用指南<\/h1>

一、AFL (American Fuzzy Lop) 使用教程<\/h2>

3. AFL测试示例<\/h3>

二、Syzkaller内核模糊测试教程<\/h2>

1. Syzkaller简介<\/h3> Syzkaller是一款无监督的覆盖引导内核模糊器，支持多种操作系统内核测试。<\/p>

2. 准备工作<\/h3>

1. Syzkaller简介<\/h3>
Syzkaller是一款无监督的覆盖引导内核模糊器，支持多种操作系统内核测试。<\/p>