CoreSight mode enables binary-only fuzzing on ARM64 Linux using CoreSight (ARM's hardware tracing technology).
NOTE: CoreSight mode is in the early development stage. Not applicable for production use. Currently the following hardware boards are supported:
Please read the RICSec/coresight-trace README and check the prerequisites (capstone) before getting started.
CoreSight mode supports the AFL++ fork server mode to reduce exec system call overhead. To support it for binary-only fuzzing, it needs to modify the target ELF binary to re-link to the patched glibc. We employ this design from PTrix.
Check out all the git submodules in the cs_mode directory:
git submodule update --init --recursive
There are some notes on building coresight-trace. Refer to the README for the details. Run make in the cs_mode directory:
make build
Make sure cs-proxy is placed in the AFL++ root directory as afl-cs-proxy.
The fork server mode requires patchelf and the patched glibc. The dependency build can be done by just run make:
make patch TARGET=$BIN
The above make command builds and installs the dependencies to $PREFIX (default to $PWD/.local) at the first time. Then, it runs patchelf to $BIN with output $OUTPUT ($BIN.patched by default).
Run afl-fuzz with -A option to use CoreSight mode.
sudo afl-fuzz -A -i input -o output -- $OUTPUT @@
There are AFL++ CoreSight mode-specific environment variables for run-time configuration.
AFL_CS_CUSTOM_BIN overrides the proxy application path. afl-cs-proxy will be used if not defined.
AFLCS_COV specifies coverage type on CoreSight trace decoding. edge and path is supported. The default value is edge.
AFLCS_UDMABUF is the u-dma-buf device number used to store trace data in the DMA region. The default value is 0.
This project has received funding from the Acquisition, Technology & Logistics Agency (ATLA) under the National Security Technology Research Promotion Fund 2021 (JPJ004596).