GDBFuzz: A Hardware-Breakpoint-Based Fuzzing Tool for Embedded Systems

Published: 2024-7-10 09:23


 Author: Alpha_h4ck    Source: FreeBuf

  About GDBFuzz
  GDBFuzz is a fuzzing tool that lets researchers fuzz embedded systems using the target's hardware breakpoints.
  The idea behind GDBFuzz is to use a microcontroller's hardware breakpoints as the feedback signal for coverage-guided fuzzing. GDB is used as the generic interface to the target, so the approach applies to any device that a GDB server can talk to. For binary analysis of the firmware (recovering the control-flow graph that the breakpoints are placed on), GDBFuzz relies on Ghidra.
  Requirements
  Java
  Python 3
  Installation
  Note that GDBFuzz has been tested on Ubuntu 20.04 LTS and on 32-bit Raspberry Pi OS.
  First install and configure current versions of Java and Python 3 on the machine, then create a new virtual environment and install all dependencies:
  virtualenv .venv
  source .venv/bin/activate
  make
  chmod a+x ./src/GDBFuzz/main.py
  Usage
  Running the local example
  GDBFuzz reads its settings from a configuration file with the following keys:
  [SUT]
  # Path to the binary file of the SUT.
  # This can, for example, be an .elf file or a .bin file.
  binary_file_path = <path>
   
  # Address of the root node of the CFG.
  # Breakpoints are placed at nodes of this CFG.
  # e.g. 'LLVMFuzzerTestOneInput' or 'main'
  entrypoint = <entrypoint>
   
  # Number of inputs that must be executed without a breakpoint hit until
  # breakpoints are rotated.
  until_rotate_breakpoints = <number>
   
   
  # Maximum number of breakpoints that can be placed at any given time.
  max_breakpoints = <number>
   
  # Blacklist functions that shall be ignored.
  # ignore_functions is a space separated list of function names e.g. 'malloc free'.
  ignore_functions = <space separated list>
   
  # One of {Hardware, QEMU, SUTRunsOnHost}
  # Hardware: An external component starts a gdb server and GDBFuzz can connect to this gdb server.
  # QEMU: GDBFuzz starts QEMU. QEMU emulates binary_file_path and starts gdbserver.
  # SUTRunsOnHost: GDBFuzz starts the target program within GDB.
  target_mode = <mode>
   
  # Set this to False if you want to start ghidra, analyze the SUT,
  # and start the ghidra bridge server manually.
  start_ghidra = True
   
   
  # Space separated list of addresses where software breakpoints (for error
  # handling code) are set. Execution of those is considered a crash.
  # Example: software_breakpoint_addresses = 0x123 0x432
  software_breakpoint_addresses =
   
   
  # Whether all triggered software breakpoints are considered as crash
  consider_sw_breakpoint_as_error = False
   
  [SUTConnection]
  # The class 'SUT_connection_class' in file 'SUT_connection_path' implements
  # how inputs are sent to the SUT.
  # Inputs can, for example, be sent over Wi-Fi, Serial, Bluetooth, ...
  # This class must inherit from ./connections/SUTConnection.py.
  # See ./connections/SUTConnection.py for more information.
  SUT_connection_file = FIFOConnection.py
   
  [GDB]
  path_to_gdb = gdb-multiarch
  #Written in address:port
  gdb_server_address = localhost:4242
   
  [Fuzzer]
  # In Bytes
  maximum_input_length = 100000
  # In seconds
  single_run_timeout = 20
  # In seconds
  total_runtime = 3600
   
  # Optional
  # Path to a directory where each file contains one seed. If you don't want to
  # use seeds, leave the value empty.
  seeds_directory =
   
  [BreakpointStrategy]
  # Strategies to choose basic blocks are located in
  # 'src/GDBFuzz/breakpoint_strategies/'
  # For the paper we use the following strategies
  # 'RandomBasicBlockStrategy.py' - Randomly choosing unreached basic blocks
  # 'RandomBasicBlockNoDomStrategy.py' - Like previous, but doesn't use dominance relations to derive transitively reached nodes.
  # 'RandomBasicBlockNoCorpusStrategy.py' - Like first, but prevents growing the input corpus and therefore behaves like blackbox fuzzing with coverage measurement.
  # 'BlackboxStrategy.py', - Doesn't set any breakpoints
  breakpoint_strategy_file = RandomBasicBlockStrategy.py
   
  [Dependencies]
  path_to_qemu = dependencies/qemu/build/x86_64-linux-user/qemu-x86_64
  path_to_ghidra = dependencies/ghidra
   
   
  [LogsAndVisualizations]
  # One of {DEBUG, INFO, WARNING, ERROR, CRITICAL}
  loglevel = INFO
   
  # Path to a directory where output files (e.g. graphs, logfiles) are stored.
  output_directory = ./output
   
  # If set to True, an MQTT client sends UI elements (e.g. graphs)
  enable_UI = False
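The [SUT] and [BreakpointStrategy] keys above describe a feedback loop that is easy to misjudge from the key names alone: the fuzzer can only observe blocks it currently has a breakpoint on, it may keep at most max_breakpoints of them, a hit is credited to the block and (with RandomBasicBlockStrategy) to its dominators, inputs that hit are kept in the corpus, and after until_rotate_breakpoints silent inputs the breakpoints move to other unreached blocks. The following Python model is an added illustration of that loop, not GDBFuzz's own code; the CFG, the toy target, the mutator and the parameter defaults are constructed for the example, and use_dominance=False approximates the NoDom variant.

```python
"""Model of breakpoint-rotating, coverage-guided fuzzing (added example, not GDBFuzz code)."""
import random

# Constructed toy CFG, node -> successors. Two independent branches; "entry",
# "join" and "exit" lie on every path.
CFG = {
    "entry": ["n1", "n2"],
    "n1": ["join"],
    "n2": ["join"],
    "join": ["n3", "n4"],
    "n3": ["exit"],
    "n4": ["exit"],
    "exit": [],
}
ALPHABET = b"ABCD"  # byte values the constructed mutator draws from


def dominators(cfg, entry):
    """Iterative dominator sets: dom(n) = {n} | intersection of dom(p) over predecessors p."""
    preds = {n: [] for n in cfg}
    for n, succs in cfg.items():
        for s in succs:
            preds[s].append(n)
    dom = {n: set(cfg) for n in cfg}
    dom[entry] = {entry}
    changed = True
    while changed:
        changed = False
        for n in cfg:
            if n == entry:
                continue
            new = {n} | (set.intersection(*(dom[p] for p in preds[n])) if preds[n] else set())
            if new != dom[n]:
                dom[n], changed = new, True
    return dom


def run_sut(data):
    """Toy system under test: two input bytes decide which blocks execute."""
    return ["entry", "n1" if data[0:1] == b"A" else "n2", "join",
            "n3" if data[1:2] == b"B" else "n4", "exit"]


def mutate(rng, data):
    """Overwrite one byte with a random value from ALPHABET."""
    buf = bytearray(data)
    buf[rng.randrange(len(buf))] = rng.choice(ALPHABET)
    return bytes(buf)


def fuzz(cfg=CFG, entry="entry", seed_input=b"CC", max_breakpoints=2,
         until_rotate_breakpoints=20, max_runs=5000, rng_seed=1, use_dominance=True):
    """Run the loop until every block is reached or max_runs inputs were sent."""
    rng = random.Random(rng_seed)
    dom = dominators(cfg, entry)
    reached, corpus = set(), [seed_input]
    runs = runs_since_hit = rotations = peak = 0

    def place_breakpoints():
        # Only unreached blocks are worth a breakpoint; the slot budget is hard.
        candidates = [n for n in cfg if n not in reached]
        rng.shuffle(candidates)
        return set(candidates[:max_breakpoints])

    breakpoints = place_breakpoints()
    while runs < max_runs and len(reached) < len(cfg):
        data = mutate(rng, rng.choice(corpus))
        path = run_sut(data)
        runs += 1
        peak = max(peak, len(breakpoints))
        # The debugger only reports stops at breakpointed blocks; the rest of
        # the path is invisible to the fuzzer, exactly as with real hardware.
        hits = [n for n in path if n in breakpoints]
        if hits:
            for n in hits:
                reached |= dom[n] if use_dominance else {n}  # dominators ran too
            corpus.append(data)            # the input found new coverage: keep it
            runs_since_hit = 0
            breakpoints = place_breakpoints()  # freed slots move to other blocks
        else:
            runs_since_hit += 1
            if runs_since_hit >= until_rotate_breakpoints:
                breakpoints = place_breakpoints()  # rotate: sample other blocks
                rotations += 1
                runs_since_hit = 0
    return {"covered": reached, "runs": runs, "corpus_size": len(corpus),
            "rotations": rotations, "peak_breakpoints": peak}


if __name__ == "__main__":
    print(fuzz())
```

The returned peak_breakpoints never exceeds max_breakpoints, which is the constraint the real tool works under: a microcontroller's debug unit offers only a handful of hardware breakpoint comparators, so coverage is sampled rather than recorded exhaustively, and until_rotate_breakpoints decides how quickly the sample moves on when the current blocks are not being hit.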
  An example configuration file is provided in the project's ./example_programs/ directory, and benchmark/benchSUTs/GDBFuzz_wrapper/common/ contains a sample program that can be fuzzed.
  The following commands fuzz that target program directly:
  chmod a+x ./example_programs/json-2017-02-12
  ./src/GDBFuzz/main.py --config ./example_programs/fuzz_json.cfg
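A mistake in the configuration file (an unknown target_mode, a malformed software breakpoint address, a max_breakpoints value the debug unit cannot honour) only shows up after Ghidra has analysed the binary and GDB has attached, so it is worth checking the file first. The following validator is an added example, not part of GDBFuzz: it parses the keys documented above with Python's configparser and returns errors and warnings. EXAMPLE_CONFIG is constructed from the template above using the page's own example paths, and the hardware breakpoint limit of 6 is an assumption (Cortex-M3/M4 cores expose at most 6 FPB instruction comparators, smaller cores fewer) that should be set to the real target's count.

```python
"""Sanity-check a GDBFuzz configuration before a run (added example, not GDBFuzz code)."""
import configparser
import io

TARGET_MODES = {"Hardware", "QEMU", "SUTRunsOnHost"}
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
REQUIRED = {  # keys the template above has no sensible default for
    "SUT": ["binary_file_path", "entrypoint", "until_rotate_breakpoints",
            "max_breakpoints", "target_mode"],
    "SUTConnection": ["SUT_connection_file"],
    "GDB": ["path_to_gdb", "gdb_server_address"],
    "Fuzzer": ["maximum_input_length", "single_run_timeout", "total_runtime"],
    "BreakpointStrategy": ["breakpoint_strategy_file"],
}

# Constructed from the template above; the paths are the ones the page uses.
EXAMPLE_CONFIG = """\
[SUT]
binary_file_path = ./example_programs/json-2017-02-12
entrypoint = LLVMFuzzerTestOneInput
until_rotate_breakpoints = 1000
max_breakpoints = 4
target_mode = QEMU
software_breakpoint_addresses = 0x123 0x432

[SUTConnection]
SUT_connection_file = FIFOConnection.py

[GDB]
path_to_gdb = gdb-multiarch
gdb_server_address = localhost:4242

[Fuzzer]
maximum_input_length = 100000
single_run_timeout = 20
total_runtime = 3600

[BreakpointStrategy]
breakpoint_strategy_file = RandomBasicBlockStrategy.py
"""


def _positive_int(cfg, section, key, errors):
    raw = cfg.get(section, key, fallback="")
    if not raw.strip().isdigit() or int(raw) <= 0:
        errors.append(f"[{section}] {key}: expected a positive integer, got '{raw}'")
        return None
    return int(raw)


def validate_config(text, hw_breakpoint_limit=6):
    """Return (errors, warnings) for the configuration text.

    hw_breakpoint_limit is an assumption about the target (at most 6 FPB
    instruction comparators on Cortex-M3/M4); pass the real value for your MCU.
    """
    cfg = configparser.ConfigParser()
    cfg.read_file(io.StringIO(text))
    errors, warnings = [], []
    for section, keys in REQUIRED.items():
        if not cfg.has_section(section):
            errors.append(f"missing section [{section}]")
            continue
        for key in keys:
            if not cfg.get(section, key, fallback="").strip():
                errors.append(f"[{section}] {key} is required")
    if errors:
        return errors, warnings  # the remaining checks need these keys

    mode = cfg.get("SUT", "target_mode")
    if mode not in TARGET_MODES:
        errors.append(f"[SUT] target_mode must be one of {sorted(TARGET_MODES)}, got '{mode}'")

    max_bp = _positive_int(cfg, "SUT", "max_breakpoints", errors)
    if max_bp and mode == "Hardware" and max_bp > hw_breakpoint_limit:
        warnings.append(f"[SUT] max_breakpoints = {max_bp} exceeds the assumed hardware "
                        f"limit of {hw_breakpoint_limit}; the debug unit cannot set the extra ones")
    _positive_int(cfg, "SUT", "until_rotate_breakpoints", errors)
    for key in ("maximum_input_length", "single_run_timeout", "total_runtime"):
        _positive_int(cfg, "Fuzzer", key, errors)

    # Software breakpoints flag error handlers as crashes; every entry must parse as hex.
    for token in cfg.get("SUT", "software_breakpoint_addresses", fallback="").split():
        try:
            int(token, 16)
        except ValueError:
            errors.append(f"[SUT] software_breakpoint_addresses: '{token}' is not a hex address")

    host, sep, port = cfg.get("GDB", "gdb_server_address").rpartition(":")
    if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
        errors.append("[GDB] gdb_server_address must be host:port")
    elif host not in LOOPBACK:
        # The GDB remote protocol has no authentication: whoever reaches the
        # port controls the target, so a non-loopback server needs a trusted link.
        warnings.append(f"[GDB] gdb_server_address {host}:{port} is not loopback; "
                        "the GDB remote protocol is unauthenticated")
    return errors, warnings
```

Run validate_config on the file named in --config before launching main.py; an empty error list means the keys are present and well-formed, while warnings point at settings that are legal but worth a second look on real hardware.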
  Installing and running in a Docker container
  make dockerimage
  To run the same test inside Docker, mount the example_programs and output folders as volumes, then start GDBFuzz as follows:
  chmod a+x ./example_programs/json-2017-02-12
  docker run -it --env CONFIG_FILE=/example_programs/fuzz_json_docker_qemu.cfg -v $(pwd)/example_programs:/example_programs -v $(pwd)/output:/output gdbfuzz:1.0
  Fuzzing output
  Inside the output_directory set in the configuration file, the tool creates a folder named "trial-0" with the following structure:
  .
      ├── corpus            
      ├── crashes           
      ├── cfg               
      ├── fuzzer_stats      
      ├── plot_data         
      ├── reverse_cfg    
  Visualization
  GDBFuzz has an optional feature that draws the control-flow graph with the covered nodes. It is disabled by default; set "enable_UI" to "True" in the configuration file to enable it.
  Install graphviz:
  sudo apt-get install graphviz
  Then install a recent Node.js (the versions used in this walkthrough are shown below):
  $ node --version
  v16.9.1
  $ npm --version
  7.21.1
  Install the Web UI dependencies:
  cd ./src/webui
  npm install
  Install and update the mosquitto MQTT broker, then replace the contents of /etc/mosquitto/conf.d/mosquitto.conf with:
  listener 1883
  allow_anonymous true
  listener 9001
  protocol websockets
  This configuration accepts anonymous clients and, because no bind address is given, listens on every interface; on anything other than an isolated lab machine, restrict both listeners to loopback (mosquitto's listener directive takes an optional bind address, for example listener 1883 127.0.0.1) or configure authentication. Restart the mosquitto broker:
  sudo service mosquitto restart
  Check that the mosquitto broker is running:
  sudo service mosquitto status
  Start the web user interface:
  cd ./src/webui
  npm start
  Then open http://localhost:3000/ in a web browser.