Add install.sh & rewrite README.md
5angjun committed Nov 6, 2023
1 parent 4453d0a commit 948ecc5
Showing 2 changed files with 251 additions and 106 deletions.
120 changes: 14 additions & 106 deletions README.md
@@ -1,71 +1,11 @@
<h1 align="center">
<br>kAFL</br>
</h1>

<h3 align="center">
HW-assisted Feedback Fuzzer for x86 VMs
</h3>

<p align="center">
<a href="https://github.com/IntelLabs/kAFL/actions/workflows/CI.yml">
<img src="https://github.com/IntelLabs/kAFL/actions/workflows/CI.yml/badge.svg" alt="CI">
</a>
<a href="https://github.com/IntelLabs/kAFL/releases">
<img alt="GitHub release (latest by date)" src="https://img.shields.io/github/v/release/IntelLabs/kAFL">
</a>
<a href="https://hub.docker.com/r/intellabs/kafl">
<img alt="Docker Image Version (latest by date)" src="https://img.shields.io/docker/v/intellabs/kafl?label=Docker%20Image">
</a>
<a href="https://hub.docker.com/r/intellabs/kafl">
<img alt="Docker Pulls" src="https://img.shields.io/docker/pulls/intellabs/kafl">
</a>
<a href="https://github.com/IntelLabs/kAFL/blob/master/LICENSE.md">
<img alt="GitHub" src="https://img.shields.io/github/license/IntelLabs/kafl">
</a>
</p>
<p align="center">
<a href="https://IntelLabs.github.io/kAFL/">
<img src="https://img.shields.io/badge/Online-Documentation-green?style=for-the-badge&logo=gitbook" alt="online_docs"/>
</a>
</p>

kAFL/[Nyx](https://nyx-fuzz.com) is a fast guided fuzzer for the x86 VM. It is great for anything that
executes as QEMU/KVM guest, in particular x86 firmware, kernels and full-blown
operating systems.

**Note: All components are provided for research and validation purposes only.
Use at your own Risk**

## Targets

kAFL is the main fuzzer driving the [**Linux Security Hardening for Confidential Compute**](https://github.com/intel/ccc-linux-guest-hardening) effort, identifing vulnerabilities in a complex setup and improving the security of the Linux kernel for all CC solutions.

Among other successful targets for kAFL/Nyx :

- [**Intel SGX enclaves**](https://www.usenix.org/conference/usenixsecurity22/presentation/cloosters)
- [**Intel TDX TDVF firmware**](https://github.com/hemx0147/TDVFuzz)
- [**Mozilla Firefox IPCs**](https://dl.acm.org/doi/10.1145/3492321.3519591)
- [**Linux network applications** ](https://dl.acm.org/doi/10.1145/3492321.3519591)
- [**Windows drivers**](https://github.com/IntelLabs/kAFL/issues/53)
- [**Hypervisors**](https://www.usenix.org/conference/usenixsecurity21/presentation/schumilo)
- Play [**Super Mario** at 10-30x speedups](https://dl.acm.org/doi/10.1145/3492321.3519591) !

Additionally, kAFL has been used internally at Intel for x86 firmware and drivers validation as well as SMM handlers fuzzing.

## Features

- kAFL/Nyx uses [_Intel VT_](https://www.intel.com/content/www/us/en/virtualization/virtualization-technology/intel-virtualization-technology.html), [_Intel PML_](https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/page-modification-logging-vmm-white-paper.pdf) and _Intel PT_ to achieve efficient execution, snapshot reset and coverage feedback for greybox or whitebox fuzzing scenarios. It allows to run many x86 FW and OS kernels with any desired toolchain and minimal code
modifications.

- kAFL uses a custom [kAFL-Fuzzer](https://github.com/IntelLabs/kafl.fuzzer)
written in Python. The kAFL-Fuzzer follows an AFL-like design and is optimized
for working with many Qemu instances in parallel, supporting flexible VM
configuration, logging and debug options.

- kAFL integrates the [_Radamsa_](https://gitlab.com/akihe/radamsa) fuzzer as well as [_Redqueen_](https://github.com/RUB-SysSec/redqueen) and [_Grimoire_](https://github.com/RUB-SysSec/grimoire) extensions. Redqueen uses VM introspection to extract runtime inputs to conditional instructions, overcoming typical magic byte and other input checks. Grimoire attempts to identify keywords and syntax from fuzz inputs in order to generate more clever large-scale mutations.

For details on **Redqueen**, **Grimoire**, [_IJON_](https://github.com/RUB-SysSec/ijon), **Nyx**, please visit [nyx-fuzz.com](https://nyx-fuzz.com).
# MS Fuzz :
**MS Fuzzer** is coverage-guided Fuzzer that is targeting Windows Kernel Driver.

## Feature
- **MS Fuzzer** uses [_Intel PT_](https://www.intel.com/content/www/us/en/developer/videos/collecting-processor-trace-in-intel-system-debugger.html) to achieve code coverage.
- The **MS Fuzzer** follows an AFL-like design and can detect semi-stateful bugs.
- **MS Fuzzer** is a well-designed fuzzer based on [_Nyx-Fuzzer_](https://nyx-fuzz.com) / [_kAFL_](https://github.com/IntelLabs/kAFL) and [_Redqueen_](https://github.com/RUB-SysSec/redqueen).
- Designed to find bugs for windows Driver that interact with user with **DeviceIoControl**.

## Requirements

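Review bot: the new `# MS Fuzz :` heading runs directly on from the kAFL line "please visit nyx-fuzz.com" with no blank line, and its `## Feature` subsection mostly restates the `## Features` list right above it (Intel PT coverage, AFL-like design, Nyx/Redqueen lineage), so a reader cannot tell what this fork changes. Suggest a blank line before the heading, dropping the trailing ` :`, and replacing "is a well-designed fuzzer based on" with a sentence on what differs from upstream: "can detect semi-stateful bugs" is the only distinctive claim here and should say which harness or feedback change makes that possible. Wording: "coverage-guided Fuzzer that is targeting Windows Kernel Driver" reads better as "a coverage-guided fuzzer targeting Windows kernel drivers", and "Designed to find bugs for windows Driver that interact with user with **DeviceIoControl**" as "Designed to find bugs in Windows drivers that expose IOCTLs to user mode via **DeviceIoControl**".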
Expand All @@ -75,44 +15,12 @@ For details on **Redqueen**, **Grimoire**, [_IJON_](https://github.com/RUB-SysSe
- **Patched Host Kernel:** A modified Linux host kernel will be installed as part
of the setup. Running kAFL inside a VM may work starting IceLake or later CPU.

- **Recent Debian/Ubuntu:** The installation and tutorials are
tested for recent Ubuntu LTS (>=20.04) and Debian (>=bullseye).

- **Ubuntu:** The installation and tutorials are
tested for recent Ubuntu 20.04.6 LTS.

## Getting Started

Once you have python3-venv and make installed, you can install kAFL using `make deploy`:

```shell
sudo apt install python3-venv make git
git clone https://github.com/IntelLabs/kAFL.git
cd kAFl
make deploy
## How to use
```
aaa
aaaa
aaa
```

Installation make take some time and require a reboot to update your kernel.

Check the detailed [installation guide](https://intellabs.github.io/kAFL/tutorials/installation.html) in case
of trouble, or the [deployment guide](https://intellabs.github.io/kAFL/reference/deployment.html) for detailed
information and customizing the kAFL setup for your project.

## Fuzzing your first target

As a first fuzzing example, we recommend [Fuzzing the Linux Kernel](https://intellabs.github.io/kAFL/tutorials/fuzzing_linux_kernel.html).

Other targets are available such as:

- [Windows driver/userspace](https://intellabs.github.io/kAFL/tutorials/windows/index.html)
- [Linux userspace](https://github.com/IntelLabs/kafl.targets/tree/master/linux-user)
- [UEFI OVMF](https://github.com/IntelLabs/kafl.targets/tree/master/uefi_ovmf_64)

A improved documentation is under work for these targets.

## Maintainers

- [@Wenzel - Mathieu Tarral](https://github.com/Wenzel) ([Intel](https://github.com/IntelLabs))
- [@il-steffen - Steffen Schulz](https://github.com/il-steffen) ([IntelLabs](https://github.com/IntelLabs))

## License

[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
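Review bot: the Getting Started code fence is malformed: the ```shell fence opened before `sudo apt install python3-venv make git` is never closed after `make deploy`, so the `## How to use` heading renders as shell text, and the fence that follows wraps only the placeholder lines `aaa` / `aaaa` / `aaa`. Close the fence after `make deploy`, fix `cd kAFl` to `cd kAFL`, and either fill `## How to use` with real content (for example the `./install.sh deps|check|init|vm_build|vm_import|...` actions this commit adds) or drop the heading until it is written. The Requirements list is also self-contradictory now, listing both "Recent Debian/Ubuntu ... Ubuntu LTS (>=20.04) and Debian (>=bullseye)" and "Ubuntu ... tested for recent Ubuntu 20.04.6 LTS"; keep one. Smaller: "Installation make take some time" should be "may take", "A improved documentation" should be "Improved documentation", and the clone URL `https://github.com/IntelLabs/kAFL.git` disagrees with install.sh in this same commit, which clones `0dayResearchLab/kAFL`.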
237 changes: 237 additions & 0 deletions install.sh
@@ -0,0 +1,237 @@


system_deps()
{
echo
echo "[*] Install Packages"
sudo apt-get update -y
sudo apt install curl git wget file zsh sudo vim libssl-dev libffi-dev build-essential libssl-dev libc6-i386 libc6-dbg gcc-multilib make gcc gdb -y
sudo apt install python git curl wget vim zsh gdb python3 python3-pip make -y
sudo apt install gawk bison flex openssl libssl-dev libelf-dev lz4 dwarves -y
sudo apt install qemu-utils qemu-system-x86 python3 python3-venv g++-mingw-w64-x86-64 zstd -y
sudo apt install python3 python3-venv -y
sudo apt install gawk bison flex openssl libssl-dev libelf-dev lz4 dwarves zstd -y

echo "[*] Installing essentials tools ..."
sudo apt-get install git make gcc bc libssl-dev pax-utils libelf-dev \
libgraphviz-dev gnuplot ruby libgtk-3-dev libc6-dev flex bison \
python3 python3-pip python3-all-dev python3-setuptools python3-wheel -y

echo "[*] Installing build dependencies for QEMU ..."
sudo apt-get build-dep qemu-system-x86 -y
# libcapstone is an optional qemu feature but a hard requirement for kAFL
sudo apt-get install libcapstone-dev libcapstone3

echo "[*] Installing kAFL python dependencies ..."
pip3 install --user mmh3 lz4 psutil fastrand ipdb inotify msgpack toposort pygraphviz pgrep tqdm six python-dateutil

sudo apt-get install git -y
echo "[*] install vagrant"
wget https://github.com/hashicorp/vagrant/releases/download/2.3.8.dev%2B000032-f72cda8b/vagrant_2.3.8.dev-1_amd64.deb
sudo dpkg -i vagrant_2.3.8.dev-1_amd64.deb
sudo rm vagrant_2.3.8.dev-1_amd64.deb



echo "[*] install packer"
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys AA16FCBCA621E701
curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
sudo apt-get update
sudo apt-get install packer
}

system_init(){
echo "[*] clone kAFL"
cd ~
git clone https://github.com/0dayResearchLab/kAFL.git
cd kAFL

echo "[+] build nyx+ kernel.."
sudo make deploy
}

check_gitconfig()
{
if [ ! "`git config --get user.name`" ] || [ ! "`git config --get user.email`" ]; then
echo "[-] Error: The installer uses git in order to manage local patches against qemu and linux sources."
echo " Please setup a valid git config in order for this to work:"
echo
echo " $ git config --global user.name Joe User"
echo " $ git config --global user.email joe.user@invalid.local"
echo
exit 1
fi
}

system_check()
{
echo
echo "[*] Performing basic sanity checks..."

if [ ! "`uname -s`" = "Linux" ]; then
echo "[-] Error: KVM-PT is supported only on Linux ..."
exit 1
fi


dist_id="$(lsb_release -si)"
if [ "$dist_id" != "Debian" -a "$dist_id" != "Ubuntu" ]; then
echo "[-] Error: This installer was tested using recent Debian and Ubuntu."
echo
echo "Other recent Linux distributions will generally work as well but"
echo "the installer will not be able to resolve the required dependencies."
echo
echo "It is recommended to abort the installer and instead follow this"
echo "script by hand, resolving any build/runtime errors as they come up."
echo
echo "Press [Ctrl-c] to abort or [Return] to continue.."
read
fi

for i in dpkg apt-get sudo; do
T=`which "$i" 2>/dev/null`
if [ "$T" = "" ]; then
echo "[-] Error: '$i' not found, please install first."
exit 1
fi
done

check_gitconfig
echo "[*] Sanitiy check Done"
}

vm_build()
{
echo "[*] install windows templates..."
cd /home/$currentUser/kAFL
sudo make deploy

echo "[+] install templates done!"

sudo make deploy -- --tags examples,examples-template-windows1

sudo vagrant plugin install vagrant-host-shell
sudo apt-get install libvirt-dev -y
sudo vagrant plugin install vagrant-libvirt

cd /home/$currentUser/kAFL/kafl/examples/templates/windows

echo "[*] Qemu Image build..."
echo "[*] You Can see progress By [VNC:port]"
sudo make build
}

vm_import()
{
cd /home/$currentUser/kAFL/kafl/examples/templates/windows
echo "[+] Image Build Done!"
sudo make import

sudo apt install qemu qemu-kvm libvirt-clients libvirt-daemon-system virtinst bridge-utils
sudo systemctl enable libvirtd
sudo systemctl start
reboot
}

initial_snapshot()
{
cd /home/$currentUser/kAFL/kafl/examples/windows_x86_64
sudo make init
}

edit_vm_dir()
{
# Check if the script is being run as root
if [ "$EUID" -ne 0 ]; then
echo "This script must be run as root."
exit 1
fi

sudo chmod 777 /root/.local/share/libvirt/images/*
sudo cp /root/.local/share/libvirt/images/* /var/lib/libvirt/images
sudo rm -rf /root/.local/share/libvirt/images/*

sudo virsh pool-define-as --name newpool --type dir --target /var/lib/libvirt/images
sudo virsh pool-autostart newpool
sudo virsh pool-start newpool

echo "[+] reboot after 10 sec.."
sudo reboot
}

initial_snapshot()
{
cd /home/$currentUser/kAFL/kafl/examples/windows_x86_64
sudo make snapshot
}

target_setting()
{
cd /home/$currentUser/kAFL/kafl/examples/windows_x86_64
sudo make gui
}

fuzz_snapshot()
{
cd /home/$currentUser/kAFL/kafl/examples/windows_x86_64
sudo make init
}
revoke_snapshot()
{
cd /home/$currentUser/kAFL/kafl/examples/windows_x86_64
sudo make revoke
}
# Auto-scale building with number of CPUs. Override with ./install -j N <action>
jobs=$(nproc)
currentUser=$(whoami)

#echo "Detected $(nproc) cores, building with -j $jobs..."




case $1 in
## dependency
"deps")
system_deps
;;
## build kAFL.sh
"init")
system_init
;;
"check")
system_check
;;
## build Qemu 1
"vm_build")
vm_build
;;
## build Qemu 2
"vm_import")
vm_import
;;
## itwill be error
"initial_snapshot")
initial_snapshot
;;
## edit Image.sh
"edit_vm_dir")
edit_vm_dir
;;
## init snapshot
"init_snapshot")
initial_snapshot
;;
## edit Image.sh
"target_setting")
target_setting
;;
## edit Image.sh
"fuzz_snapshot")
fuzz_snapshot
;;
"revoke_snapshot")
revoke_snapshot
;;
esac
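Review bot: `vm_import` calls `sudo systemctl start` with no unit name, so libvirtd is never started, and the function then runs a bare `reboot` without `sudo`; this should be `sudo systemctl start libvirtd` and either `sudo reboot` or leaving the reboot to the user, as `edit_vm_dir` already announces. `initial_snapshot` is defined twice (`sudo make init` in the first definition, `sudo make snapshot` in the second); the later definition wins in sh, so both the `initial_snapshot` and `init_snapshot` actions run `make snapshot`, and the only action that runs `make init` is `fuzz_snapshot`, which is the opposite of what the names say. Rename one of them and make the case labels match. Further points, in order of risk: there is no shebang and no `set -e`, so a failed `apt` step or a failed `cd /home/$currentUser/kAFL` lets the following `sudo make deploy` run in whatever directory the shell is in; `currentUser=$(whoami)` is paired with `sudo` everywhere, yet `edit_vm_dir` insists on `"$EUID" -ne 0` being false, and if the whole script is run as root `whoami` yields `root` and every `/home/root/kAFL/...` path fails, so pick one invocation model (run as the user, let `sudo` elevate) and drop the EUID check; `sudo chmod 777 /root/.local/share/libvirt/images/*` makes the VM disk images world-writable, whereas the `cp` into `/var/lib/libvirt/images` only needs ownership and mode that libvirt can read, not a global write bit; the vagrant .deb is fetched with `wget` and installed with `dpkg -i` without any checksum or signature check, and `apt-key adv` / `apt-key add -` are deprecated in favour of a keyring file referenced with `signed-by=` in the sources entry; `sudo apt-get install libcapstone-dev libcapstone3` and `sudo apt-get install packer` lack `-y`, so an unattended run stalls at the confirmation prompt; `system_deps` installs the same packages several times (`python3 python3-venv`, `gawk bison flex ... zstd`, `git`), and the `python` package on the second `apt install` line will likely have no installation candidate on the Ubuntu LTS releases the README targets; `jobs=$(nproc)` is computed but never used although the comment promises `./install -j N <action>`, and `$1` is consumed as the action, so the `-j N` form cannot work; and the `case` has no `*)` default, so a mistyped action exits silently instead of printing usage.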
