0

I am using AFL (version 2.57b) in a docker container (on Ubuntu 20.04) to fuzz several C programs. But the problem is, whenever I fuzz a program it does not explore more than 1 path and the output is something like this:

the AFL output -- running

In this case, I am using this command specifically:

AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 afl-fuzz -i corpus/ -o afl_out -- ./afl-main @@

Where afl-main is the name of the program compiled with afl-clang and corpus is the name of a directory containing input files.

In this specific case, the main.c is as follows:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main (int argc, char* argv[]) {

if (argc < 1)
    return 1;

if (strcmp(argv[1],"-s")==0)
    printf("girls\n");
else if(strcmp(argv[1],"-k")==0)
    printf("boys!\n");
else
    printf("OMG!!\n");

return 0;

}

But, as I have already mentioned, switching to other programs does not change anything in the output.

There is also a similar question here, but I have applied the proposed solution there and my binary is working fine when I provide an input from the corpus directory in my current working directory.

I tried several C programs to see whether there is a problem with the way of implementation or the way I pass the inputs (through standard input), but the afl-fuzz output is still the same.

I appreciate any help and comment in advance.

amdeilami
  • 1
  • 2

1 Answers1

0

@@ in your afl command line means the position, where afl will place the input filename. Afl will run your executable like this - ./afl-main inputfile. Your program compares this filename with "-s" and "-k".

Afl fuzzes the contents of the input, not the filenames. You should read the contents of the input and compare it instead of the filenames. This should solve your problem.

Also note - you provide an argument to your executable, thus the condition if (argc < 1) should not be entered. The remaining part of the program has only 3 paths - one for each if case. The time afl needs to find all these paths depends on your seed (initial input files in corpus folder), the more close it is to "-s" and "-k", the faster afl will find these. The provided screenshot says you ran afl only for 2 minutes. In general case this is too few to analyze the fuzzing results.

nevilad
  • 932
  • 1
  • 7
  • 14