Autodict-QL
`Autodict-QL` is a plugin system that enables fast generation of tokens/dictionaries in a handy way that can be manipulated by the user (unlike the LLVM passes, which are hard to modify). This means that autodict-ql is a scriptable feature which basically uses CodeQL (a powerful semantic code analysis engine) to fetch information from a code base.
Tokens are useful when you perform fuzzing on different parsers. The AFL++ `-x` switch enables the use of dictionaries throughout your fuzzing campaign. If you are not familiar with dictionaries in fuzzing, take a look here.
We basically developed this plugin on top of the CodeQL engine because it gives the user scripting features, it's easier and it's independent of the LLVM system. This means that a user can write their own CodeQL scripts or modify the current scripts to improve or change the token generation algorithms based on different program analysis concepts.
Currently, we ship some scripts as defaults for token generation. In addition, we provide every CodeQL script as a standalone script because that makes it easier to modify or test.
Currently we provide the following CodeQL scripts:

- `strcmp-str.ql` extracts the strings that are related to the `strcmp` function.
- `strncmp-str.ql` extracts the strings from the `strncmp` function.
- `memcmp-str.ql` extracts the strings from the `memcmp` function.
- `litool.ql` extracts magic numbers in hexadecimal format.
- `strtool.ql` extracts strings using a regex and dataflow to capture string comparison functions. If `strcmp` is rewritten in a project as `Mystrcmp` or something like `strmycmp`, this script can still catch the arguments, and these are valuable tokens.

You can write other CodeQL scripts to extract further potentially effective tokens if you think they can be useful.
The usage of Autodict-QL is pretty easy, but let's describe it step by step:

1. First of all, you need CodeQL installed on the system. We provide the `build-codeql.sh` bash script for this. It installs CodeQL completely and sets the required environment variables for your system, so:

```
# chmod +x codeql-build.sh
# sudo ./codeql-build.sh
# codeql
```

Then you should get:

```
Usage: codeql <command> <argument>...
Create and query CodeQL databases, or work with the QL language.

GitHub makes this program freely available for the analysis of open-source software and certain other uses, but it
is not itself free software. Type codeql --license to see the license terms.

      --license              Show the license terms for the CodeQL toolchain.
Common options:
  -h, --help                 Show this help text.
  -v, --verbose              Incrementally increase the number of progress messages printed.
  -q, --quiet                Incrementally decrease the number of progress messages printed.
Some advanced options have been hidden; try --help -v for a fuller view.
Commands:
  query                      Compile and execute QL code.
  bqrs                       Get information from .bqrs files.
  database                   Create, analyze and process CodeQL databases.
  dataset                    [Plumbing] Work with raw QL datasets.
  test                       Execute QL unit tests.
  resolve                    [Deep plumbing] Helper commands to resolve disk locations etc.
  execute                    [Deep plumbing] Low-level commands that need special JVM options.
  version                    Show the version of the CodeQL toolchain.
  generate                   Generate formatted QL documentation.
  github                     Commands useful for interacting with the GitHub API through CodeQL.
```
2. Build a CodeQL database of the target you want to fuzz. Taking `libxml` as the example, inside the libxml directory run:

```
./configure --disable-shared
codeql database create libxml-db --language=cpp --command=make
```

3. Create a directory named `automate` in the project you want to fuzz (inside the libxml directory) and upgrade the database from inside it:

```
mkdir automate
cd automate
codeql database upgrade ../libxml-db
```

4. Everything is set! Now generate the tokens:

```
python3 autodict-ql.py [CURRENT_DIR] [CODEQL_DATABASE_PATH] [TOKEN_PATH]
```

For example:

```
python3 autodict-ql.py /home/user/libxml/automate /home/user/libxml/libxml-db tokens
```

This creates the final `tokens` dir for you and you are done; then pass the tokens path to the AFL++ `-x` flag.

Marc Heuse, a core developer of the AFL++ project, also developed a similar tool named `dict2file`, an LLVM pass that automatically extracts useful tokens; with the LTO instrumentation mode, `dict2file` performs this token extraction automatically. The `Autodict-QL` plugin gives you scripting capability, so what you extract from the codebase is up to you, and in addition it is independent of the LLVM system. On the other hand, you can also use the Google dictionaries which were made public in May 2020, but the problem with them is that they are limited to specific file formats and specifications. For example, for testing binutils and the ELF file format, or AVI in FFmpeg, there is no prebuilt dictionary, so it is highly recommended to use the `Autodict-QL` or `dict2file` features to automatically generate dictionaries based on the target.

I personally prefer to use `Autodict-QL` or `dict2file` rather than Google dictionaries or any other manually generated dictionaries, as `Autodict-QL` works based on the target. Overall, fuzzing with dictionaries and well-generated tokens will give better results.
There are 2 important points to remember:

- If you combine `Autodict-QL` with AFL++ cmplog, you will get much better code coverage and hence a better chance to discover new bugs.
- Set `AFL_MAX_DET_EXTRAS` to the number of generated tokens (dictionary entries). If you forget to set this environment variable, AFL++ uses just 200 tokens deterministically and uses the rest of them probabilistically, so setting it guarantees that all your tokens will be used by AFL++.
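As an added example (not Autodict-QL's or AFL++'s own code), the script below turns tokens such as those produced by `strcmp-str.ql` and `litool.ql` into a single AFL++ dictionary file in the `-x` syntax (so quotes, backslashes and non-printable bytes survive), lays integer magic numbers out in both byte orders, and returns the entry count to use for `AFL_MAX_DET_EXTRAS`; the sample tokens are constructed.

```python
# Added example (not Autodict-QL's or AFL++'s own code): render extracted tokens
# as an AFL++ dictionary file and report the count for AFL_MAX_DET_EXTRAS.

def escape_token(data: bytes) -> str:
    """Escape raw bytes in AFL++ dictionary syntax: printable ASCII is kept,
    backslash and double quote are escaped, everything else becomes \\xNN."""
    out = []
    for b in data:
        if b == 0x5C:                 # backslash
            out.append("\\\\")
        elif b == 0x22:               # double quote
            out.append('\\"')
        elif 0x20 <= b < 0x7F:        # printable ASCII
            out.append(chr(b))
        else:                         # NUL, control bytes, high bytes
            out.append(f"\\x{b:02x}")
    return "".join(out)


def magic_to_bytes(value: int) -> list:
    """A magic number compared as an integer only matches input bytes laid out
    in the parser's byte order, so emit the narrowest width (1/2/4/8 bytes)
    holding the value in both little- and big-endian order."""
    value &= (1 << 64) - 1
    width = next(w for w in (1, 2, 4, 8) if value < 1 << (8 * w))
    if width == 1:
        return [value.to_bytes(1, "little")]
    return [value.to_bytes(width, "little"), value.to_bytes(width, "big")]


def build_dictionary(strings, magics):
    """Return (dictionary_text, entry_count); duplicates and empty tokens are
    dropped, and names record which kind of query produced each entry."""
    entries = {}
    for i, s in enumerate(strings):
        entries.setdefault(s.encode(), f"str_{i}")
    for i, m in enumerate(magics):
        for j, b in enumerate(magic_to_bytes(m)):
            entries.setdefault(b, f"magic_{i}_{j}")
    lines = [f'{name}="{escape_token(tok)}"' for tok, name in entries.items() if tok]
    return "\n".join(lines) + "\n", len(lines)


# Constructed sample input standing in for strcmp-str.ql / litool.ql results.
SAMPLE_STRINGS = ["<!DOCTYPE", 'encoding="', "UTF-8", "UTF-8"]  # duplicate on purpose
SAMPLE_MAGICS = [0x464C457F, 0x3C]  # "\x7fELF" read as a little-endian u32, and '<'

if __name__ == "__main__":
    text, count = build_dictionary(SAMPLE_STRINGS, SAMPLE_MAGICS)
    print(text, end="")
    print(f"# afl-fuzz -x tokens.dict ... with AFL_MAX_DET_EXTRAS={count}")
```

Writing the returned text to a file and passing that file to `-x` is equivalent to the one-file-per-token `tokens` directory, with the advantage that the escaping makes binary tokens readable in review.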