seviezhou/Kraken
AlphaFuzz

AlphaFuzz is a coverage-guided grey-box fuzzer written in C++.

This repository also contains the source code for our paper: KRAKEN: Program-Adaptive Parallel Fuzzing, which will appear in ISSTA'25.

Build

AlphaFuzz is built with CMake and supports building on Linux and Mac.

LLVM

AlphaFuzz requires LLVM to perform compile-time instrumentation. If your installed LLVM version does not meet the requirement, use the compile-llvm.sh script in the thirdparty folder to build LLVM-9.0.0 and Clang. After building, add the resulting bin folder to your PATH.

Alternatively, pass -DLLVM_BUILD_PATH=<PATH_TO_LLVM_BUILD> on the cmake command line to point at a local LLVM build. You still need to add its bin folder to your PATH, because the cmake script executes llvm-config.

You can also download pre-compiled LLVM binaries (for example 9.0.0) and add their bin folder to your PATH.

Linux

Requirements:

  • A C++ compiler and standard C++ library supporting C++11
  • CMake (version >= 3.5)
  • Git
  • LLVM + Clang >= 4.0.0

Build:

cd AlphaFuzz
mkdir build
cd build
cmake ..
make -j8

Mac

Requirements (can be installed using Homebrew):

  • Full Xcode installation (with Command Line Tools)
  • CMake (version >= 3.5)
  • Git
  • LLVM + Clang >= 4.0.0

Build:

cd AlphaFuzz
mkdir build
cd build
cmake ..
make -j8

Usage

Instrumenting programs with AlphaFuzz

Remember to set ALPHA_PATH to the AlphaFuzz folder.

The correct way to recompile the target program may vary depending on the specifics of the build process, but a nearly universal approach would be:

$ export ALPHA_PATH=/path/to/AlphaFuzz
$ CC=/path/to/AlphaFuzz/tools/alpha-clang ./configure
$ make

For C++ programs, you would also want to set CXX=/path/to/AlphaFuzz/tools/alpha-clang++.

If you want to build the target program with ASAN, set the following environment variable before compiling:

export ALPHA_USE_ASAN=1

Fuzzing

After a successful build, the fuzzer executable alpha-fuzz is in the tools folder. It accepts the following parameters:

./tools/alpha-fuzz [ options ] -- /path/to/fuzz_target [ ... ]

Required parameters:

  -i dir        - input directory with test cases
  -o dir        - output directory for fuzzer findings

Optional parameters:

  -x dir         - dictionary directory for advanced mutation
  -t msec        - timeout for each run (auto-scaled, 1000ms = 1s)
  -m megs        - memory limit for child process (50 MB)
  -j jobs        - allowed number of parallel fuzzers (default 1, maximum 80)
  --no-determine - skip deterministic mutation
  --no-kill      - skip killing workers
  --no-aco       - skip ACO scheduling
  --no-stage     - skip staged worker activation
  --inf-mem      - set unlimited memory for forked process (ASAN/MSAN need this)
  --mem-sync     - use in memory queue to do synchronization in parallel mode
  --quiet        - quiet mode, do not output anything to console (but to log.txt file)

Sample usage:

./tools/alpha-fuzz -i alpha_in -o alpha_out ./test/hello @@

Parallel fuzzing:

./tools/alpha-fuzz -j 2 -i alpha_in -o alpha_out ./test/hello @@
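The following POSIX shell wrapper is an added example for the instrumentation and fuzzing sections above; it is not part of the AlphaFuzz repository. It checks the preconditions the README states (ALPHA_PATH pointing at a built checkout, a non-empty input corpus, at most 80 parallel jobs, --inf-mem for ASAN builds) and prints the alpha-fuzz command line instead of running it, so it can be reviewed before launch. The function names and the ASAN flag argument are this example's own conventions.

```shell
#!/bin/sh
# Added example wrapper around alpha-fuzz (not the project's own code).

# alpha_preflight ROOT
# Succeeds only if ROOT looks like a built AlphaFuzz checkout: the README says
# the fuzzer and the instrumenting compiler wrappers live in ROOT/tools.
alpha_preflight() {
    _root=$1
    [ -n "$_root" ] || { echo "ALPHA_PATH is not set" >&2; return 1; }
    [ -x "$_root/tools/alpha-fuzz" ] || { echo "no alpha-fuzz in $_root/tools" >&2; return 1; }
    return 0
}

# alpha_fuzz_cmd ROOT IN_DIR OUT_DIR JOBS ASAN_BUILT TARGET [ARGS...]
# Prints the alpha-fuzz command line on stdout. ASAN_BUILT=1 means the target
# was compiled with ALPHA_USE_ASAN=1, so --inf-mem is added as the README
# requires. Fails on an empty corpus or a job count outside 1..80.
alpha_fuzz_cmd() {
    _root=$1 _in=$2 _out=$3 _jobs=$4 _asan=$5
    shift 5
    alpha_preflight "$_root" || return 1
    # -i must contain at least one seed, otherwise the fuzzer has nothing to mutate.
    if [ ! -d "$_in" ] || [ -z "$(ls -A "$_in" 2>/dev/null)" ]; then
        echo "input directory $_in is missing or empty" >&2; return 1
    fi
    case $_jobs in
        ''|*[!0-9]*) echo "jobs must be a positive integer" >&2; return 1 ;;
    esac
    if [ "$_jobs" -lt 1 ] || [ "$_jobs" -gt 80 ]; then
        echo "jobs must be between 1 and 80" >&2; return 1
    fi
    _cmd="$_root/tools/alpha-fuzz -j $_jobs -i $_in -o $_out"
    [ "$_asan" = 1 ] && _cmd="$_cmd --inf-mem"
    # Target and its arguments follow the "--" separator from the synopsis.
    printf '%s -- %s\n' "$_cmd" "$*"
}
```

To launch, pass the printed line to a shell, e.g. `sh -c "$(alpha_fuzz_cmd "$ALPHA_PATH" alpha_in alpha_out 2 0 ./test/hello @@)"`.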

Test script

Here is a simple script, test.sh, that builds the sample target and starts a fuzzing run to check that AlphaFuzz works:

export ALPHA_PATH=`pwd`
export PATH=<PATH_TO_LLVM_BIN>:$PATH
./tools/alpha-clang ./test/1.c -o ./test/hello
./tools/alpha-fuzz -i alpha_in -o alpha_out ./test/hello @@

Trophy

To date, a total of 119 CVE IDs have been assigned to bugs found by AlphaFuzz.

