diff --git a/README.md b/README.md index 354cc8f..a4a112e 100644 --- a/README.md +++ b/README.md @@ -1,71 +1,11 @@ -

-
kAFL
-

- -

-HW-assisted Feedback Fuzzer for x86 VMs -

- -

- - CI - - - GitHub release (latest by date) - - - Docker Image Version (latest by date) - - - Docker Pulls - - - GitHub - -

-

- - online_docs - -

- -kAFL/[Nyx](https://nyx-fuzz.com) is a fast guided fuzzer for the x86 VM. It is great for anything that -executes as QEMU/KVM guest, in particular x86 firmware, kernels and full-blown -operating systems. - -**Note: All components are provided for research and validation purposes only. -Use at your own Risk** - -## Targets - -kAFL is the main fuzzer driving the [**Linux Security Hardening for Confidential Compute**](https://github.com/intel/ccc-linux-guest-hardening) effort, identifing vulnerabilities in a complex setup and improving the security of the Linux kernel for all CC solutions. - -Among other successful targets for kAFL/Nyx : - -- [**Intel SGX enclaves**](https://www.usenix.org/conference/usenixsecurity22/presentation/cloosters) -- [**Intel TDX TDVF firmware**](https://github.com/hemx0147/TDVFuzz) -- [**Mozilla Firefox IPCs**](https://dl.acm.org/doi/10.1145/3492321.3519591) -- [**Linux network applications** ](https://dl.acm.org/doi/10.1145/3492321.3519591) -- [**Windows drivers**](https://github.com/IntelLabs/kAFL/issues/53) -- [**Hypervisors**](https://www.usenix.org/conference/usenixsecurity21/presentation/schumilo) -- Play [**Super Mario** at 10-30x speedups](https://dl.acm.org/doi/10.1145/3492321.3519591) ! - -Additionally, kAFL has been used internally at Intel for x86 firmware and drivers validation as well as SMM handlers fuzzing. - -## Features - -- kAFL/Nyx uses [_Intel VT_](https://www.intel.com/content/www/us/en/virtualization/virtualization-technology/intel-virtualization-technology.html), [_Intel PML_](https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/page-modification-logging-vmm-white-paper.pdf) and _Intel PT_ to achieve efficient execution, snapshot reset and coverage feedback for greybox or whitebox fuzzing scenarios. It allows to run many x86 FW and OS kernels with any desired toolchain and minimal code -modifications. 
- -- kAFL uses a custom [kAFL-Fuzzer](https://github.com/IntelLabs/kafl.fuzzer) - written in Python. The kAFL-Fuzzer follows an AFL-like design and is optimized - for working with many Qemu instances in parallel, supporting flexible VM - configuration, logging and debug options. - -- kAFL integrates the [_Radamsa_](https://gitlab.com/akihe/radamsa) fuzzer as well as [_Redqueen_](https://github.com/RUB-SysSec/redqueen) and [_Grimoire_](https://github.com/RUB-SysSec/grimoire) extensions. Redqueen uses VM introspection to extract runtime inputs to conditional instructions, overcoming typical magic byte and other input checks. Grimoire attempts to identify keywords and syntax from fuzz inputs in order to generate more clever large-scale mutations. - -For details on **Redqueen**, **Grimoire**, [_IJON_](https://github.com/RUB-SysSec/ijon), **Nyx**, please visit [nyx-fuzz.com](https://nyx-fuzz.com). +# MS Fuzz : +**MS Fuzzer** is coverage-guided Fuzzer that is targeting Windows Kernel Driver. +## Feature +- **MS Fuzzer** uses [_Intel PT_](https://www.intel.com/content/www/us/en/developer/videos/collecting-processor-trace-in-intel-system-debugger.html) to achieve code coverage. +- The **MS Fuzzer** follows an AFL-like design and can detect semi-stateful bugs. +- **MS Fuzzer** is a well-designed fuzzer based on [_Nyx-Fuzzer_](https://nyx-fuzz.com) / [_kAFL_](https://github.com/IntelLabs/kAFL) and [_Redqueen_](https://github.com/RUB-SysSec/redqueen). +- Designed to find bugs for windows Driver that interact with user with **DeviceIoControl**. ## Requirements 
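Review bot: the feature list added here makes a claim the README does not support and has wording problems in every added line. `- The **MS Fuzzer** follows an AFL-like design and can detect semi-stateful bugs.` says nothing about how state is tracked (snapshot reuse across IOCTL sequences? state carried between inputs?); either describe the mechanism or drop the claim. The Intel PT link points at an Intel System Debugger video rather than PT documentation; link the Intel SDM chapter on Processor Trace or the Nyx/kAFL write-up instead. Also: `# MS Fuzz :` has a stray colon and the name is spelled both "MS Fuzz" and "MS Fuzzer" in the same block; `coverage-guided Fuzzer that is targeting Windows Kernel Driver` should read "a coverage-guided fuzzer targeting Windows kernel drivers"; "well-designed fuzzer" is self-praise, not a feature; and the last bullet should read "Designed to find bugs in Windows drivers that expose an IOCTL interface to user mode via `DeviceIoControl`". The upstream "research and validation purposes only, use at your own risk" note is dropped with the rest of the intro and nothing replaces it; keep it unless the fork intends a different stance.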
@@ -75,44 +15,12 @@ For details on **Redqueen**, **Grimoire**, [_IJON_](https://github.com/RUB-SysSe - **Patched Host Kernel:** A modified Linux host kernel will be installed as part of the setup. Running kAFL inside a VM may work starting IceLake or later CPU. -- **Recent Debian/Ubuntu:** The installation and tutorials are - tested for recent Ubuntu LTS (>=20.04) and Debian (>=bullseye). - +- **Ubuntu:** The installation and tutorials are + tested for recent Ubuntu 20.04.6 LTS. -## Getting Started - -Once you have python3-venv and make installed, you can install kAFL using `make deploy`: - -```shell -sudo apt install python3-venv make git -git clone https://github.com/IntelLabs/kAFL.git -cd kAFl -make deploy +## How to use +``` +aaa +aaaa +aaa ``` - -Installation make take some time and require a reboot to update your kernel. - -Check the detailed [installation guide](https://intellabs.github.io/kAFL/tutorials/installation.html) in case -of trouble, or the [deployment guide](https://intellabs.github.io/kAFL/reference/deployment.html) for detailed -information and customizing the kAFL setup for your project. - -## Fuzzing your first target - -As a first fuzzing example, we recommend [Fuzzing the Linux Kernel](https://intellabs.github.io/kAFL/tutorials/fuzzing_linux_kernel.html). - -Other targets are available such as: - -- [Windows driver/userspace](https://intellabs.github.io/kAFL/tutorials/windows/index.html) -- [Linux userspace](https://github.com/IntelLabs/kafl.targets/tree/master/linux-user) -- [UEFI OVMF](https://github.com/IntelLabs/kafl.targets/tree/master/uefi_ovmf_64) - -A improved documentation is under work for these targets. 
- -## Maintainers - -- [@Wenzel - Mathieu Tarral](https://github.com/Wenzel) ([Intel](https://github.com/IntelLabs)) -- [@il-steffen - Steffen Schulz](https://github.com/il-steffen) ([IntelLabs](https://github.com/IntelLabs)) - -## License - -[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT) diff --git a/install.sh b/install.sh new file mode 100644 index 0000000..b9a6d0b --- /dev/null +++ b/install.sh 
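Review bot: `## How to use` ships with placeholder text (`aaa`, `aaaa`, `aaa`) and must not merge as-is; replace it with the actual stage sequence the new install.sh exposes (`bash install.sh deps`, then `init`, `check`, `vm_build`, `vm_import`, `edit_vm_dir`, `init_snapshot`, `target_setting`, `fuzz_snapshot`, `revoke_snapshot`) and say which stages reboot the host in between. Dropping the `## License` section and the MIT badge while the README still describes the project as based on kAFL/Nyx and Redqueen leaves the fork with no license statement at all; the MIT license requires the copyright and permission notice to be retained in copies and derivatives, so restore a License section that names the fork's license and credits kAFL. Minor: the kept context line still says "Running kAFL inside a VM may work starting IceLake" while the rest of the page now says MS Fuzzer, and `tested for recent Ubuntu 20.04.6 LTS` should be "tested on Ubuntu 20.04.6 LTS" (a single pinned point release is not "recent").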
@@ -0,0 +1,237 @@ + + +system_deps() +{ + echo + echo "[*] Install Packages" + sudo apt-get update -y + sudo apt install curl git wget file zsh sudo vim libssl-dev libffi-dev build-essential libssl-dev libc6-i386 libc6-dbg gcc-multilib make gcc gdb -y + sudo apt install python git curl wget vim zsh gdb python3 python3-pip make -y + sudo apt install gawk bison flex openssl libssl-dev libelf-dev lz4 dwarves -y + sudo apt install qemu-utils qemu-system-x86 python3 python3-venv g++-mingw-w64-x86-64 zstd -y + sudo apt install python3 python3-venv -y + sudo apt install gawk bison flex openssl libssl-dev libelf-dev lz4 dwarves zstd -y + + echo "[*] Installing essentials tools ..." + sudo apt-get install git make gcc bc libssl-dev pax-utils libelf-dev \ + libgraphviz-dev gnuplot ruby libgtk-3-dev libc6-dev flex bison \ + python3 python3-pip python3-all-dev python3-setuptools python3-wheel -y + + echo "[*] Installing build dependencies for QEMU ..." + sudo apt-get build-dep qemu-system-x86 -y + # libcapstone is an optional qemu feature but a hard requirement for kAFL + sudo apt-get install libcapstone-dev libcapstone3 + + echo "[*] Installing kAFL python dependencies ..." 
+ pip3 install --user mmh3 lz4 psutil fastrand ipdb inotify msgpack toposort pygraphviz pgrep tqdm six python-dateutil + + sudo apt-get install git -y + echo "[*] install vagrant" + wget https://github.com/hashicorp/vagrant/releases/download/2.3.8.dev%2B000032-f72cda8b/vagrant_2.3.8.dev-1_amd64.deb + sudo dpkg -i vagrant_2.3.8.dev-1_amd64.deb + sudo rm vagrant_2.3.8.dev-1_amd64.deb + + + + echo "[*] install packer" + sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys AA16FCBCA621E701 + curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add - + sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main" + sudo apt-get update + sudo apt-get install packer +} + +system_init(){ + echo "[*] clone kAFL" + cd ~ + git clone https://github.com/0dayResearchLab/kAFL.git + cd kAFL + + echo "[+] build nyx+ kernel.." + sudo make deploy +} + +check_gitconfig() +{ + if [ ! "`git config --get user.name`" ] || [ ! "`git config --get user.email`" ]; then + echo "[-] Error: The installer uses git in order to manage local patches against qemu and linux sources." + echo " Please setup a valid git config in order for this to work:" + echo + echo " $ git config --global user.name Joe User" + echo " $ git config --global user.email joe.user@invalid.local" + echo + exit 1 + fi +} + +system_check() +{ + echo + echo "[*] Performing basic sanity checks..." + + if [ ! "`uname -s`" = "Linux" ]; then + echo "[-] Error: KVM-PT is supported only on Linux ..." + exit 1 + fi + + + dist_id="$(lsb_release -si)" + if [ "$dist_id" != "Debian" -a "$dist_id" != "Ubuntu" ]; then + echo "[-] Error: This installer was tested using recent Debian and Ubuntu." + echo + echo "Other recent Linux distributions will generally work as well but" + echo "the installer will not be able to resolve the required dependencies." 
+ echo + echo "It is recommended to abort the installer and instead follow this" + echo "script by hand, resolving any build/runtime errors as they come up." + echo + echo "Press [Ctrl-c] to abort or [Return] to continue.." + read + fi + + for i in dpkg apt-get sudo; do + T=`which "$i" 2>/dev/null` + if [ "$T" = "" ]; then + echo "[-] Error: '$i' not found, please install first." + exit 1 + fi + done + + check_gitconfig + echo "[*] Sanitiy check Done" +} + +vm_build() +{ + echo "[*] install windows templates..." + cd /home/$currentUser/kAFL + sudo make deploy + + echo "[+] install templates done!" + + sudo make deploy -- --tags examples,examples-template-windows1 + + sudo vagrant plugin install vagrant-host-shell + sudo apt-get install libvirt-dev -y + sudo vagrant plugin install vagrant-libvirt + + cd /home/$currentUser/kAFL/kafl/examples/templates/windows + + echo "[*] Qemu Image build..." + echo "[*] You Can see progress By [VNC:port]" + sudo make build +} + +vm_import() +{ + cd /home/$currentUser/kAFL/kafl/examples/templates/windows + echo "[+] Image Build Done!" + sudo make import + + sudo apt install qemu qemu-kvm libvirt-clients libvirt-daemon-system virtinst bridge-utils + sudo systemctl enable libvirtd + sudo systemctl start + reboot +} + +initial_snapshot() +{ + cd /home/$currentUser/kAFL/kafl/examples/windows_x86_64 + sudo make init +} + +edit_vm_dir() +{ + # Check if the script is being run as root + if [ "$EUID" -ne 0 ]; then + echo "This script must be run as root." + exit 1 + fi + + sudo chmod 777 /root/.local/share/libvirt/images/* + sudo cp /root/.local/share/libvirt/images/* /var/lib/libvirt/images + sudo rm -rf /root/.local/share/libvirt/images/* + + sudo virsh pool-define-as --name newpool --type dir --target /var/lib/libvirt/images + sudo virsh pool-autostart newpool + sudo virsh pool-start newpool + + echo "[+] reboot after 10 sec.." 
+ sudo reboot +} + +initial_snapshot() +{ + cd /home/$currentUser/kAFL/kafl/examples/windows_x86_64 + sudo make snapshot +} + +target_setting() +{ + cd /home/$currentUser/kAFL/kafl/examples/windows_x86_64 + sudo make gui +} + +fuzz_snapshot() +{ + cd /home/$currentUser/kAFL/kafl/examples/windows_x86_64 + sudo make init +} +revoke_snapshot() +{ + cd /home/$currentUser/kAFL/kafl/examples/windows_x86_64 + sudo make revoke +} +# Auto-scale building with number of CPUs. Override with ./install -j N +jobs=$(nproc) +currentUser=$(whoami) + +#echo "Detected $(nproc) cores, building with -j $jobs..." + + + + +case $1 in + ## dependency + "deps") + system_deps + ;; + ## build kAFL.sh + "init") + system_init + ;; + "check") + system_check + ;; + ## build Qemu 1 + "vm_build") + vm_build + ;; + ## build Qemu 2 + "vm_import") + vm_import + ;; + ## itwill be error + "initial_snapshot") + initial_snapshot + ;; + ## edit Image.sh + "edit_vm_dir") + edit_vm_dir + ;; + ## init snapshot + "init_snapshot") + initial_snapshot + ;; + ## edit Image.sh + "target_setting") + target_setting + ;; + ## edit Image.sh + "fuzz_snapshot") + fuzz_snapshot + ;; + "revoke_snapshot") + revoke_snapshot + ;; +esac \ No newline at end of file
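Review bot: `initial_snapshot()` is defined twice in this hunk, first as `sudo make init` and later as `sudo make snapshot`; in bash the second definition wins, so both the `initial_snapshot` and `init_snapshot` stages run `make snapshot`, and the only stage that runs `make init` is the one named `fuzz_snapshot`, the opposite of what the names say. Name each function after the make target it calls and keep one definition per name (the `## itwill be error` comment suggests this was noticed and left in).

The script also needs a shebang: it uses `$EUID` and `[ ... -a ... ]`, so add `#!/bin/bash` on line 1, and `set -euo pipefail` so a failed step does not silently fall through to the next `sudo` command. Every `cd /home/$currentUser/kAFL...` is unguarded, and `currentUser=$(whoami)` resolves to `root` when the script is run under sudo (which `edit_vm_dir` demands via its EUID check), so the `cd` fails and the following `sudo make deploy` or `sudo rm -rf` runs in whatever directory the caller was in. Use `cd ... || exit 1` and derive the user from `${SUDO_USER:-$USER}`. Running `sudo make deploy` (done in both `system_init` and `vm_build`) also puts kAFL's venv and the libvirt session images under `/root`, which is exactly why `edit_vm_dir` later has to copy them out of `/root/.local/share/libvirt/images`; run deploy as the regular user instead and the copy step disappears.

Package handling: the apt lines reinstall the same packages repeatedly (`python3-venv` three times, `libssl-dev` four times), and `sudo apt install python git curl ...` fails on Ubuntu 20.04, where there is no `python` package, taking the rest of that line with it. `sudo apt-get build-dep qemu-system-x86 -y` needs a `deb-src` entry enabled, which stock Ubuntu images do not have; either enable it first or list the build dependencies. `sudo apt-get install libcapstone-dev libcapstone3`, `sudo apt-get install packer` and `sudo apt install qemu qemu-kvm libvirt-clients ...` all lack `-y` and will stall an unattended run. `pip3 install --user ...` lands in the invoking user's `~/.local`, where none of the later root-run `make` steps will see it. Vagrant is fetched from a pinned `2.3.8.dev` pre-release `.deb` with no checksum check; pin a stable release and verify it. The two HashiCorp key imports (`apt-key adv ... --recv-keys AA16FCBCA621E701` and `curl ... | sudo apt-key add -`) add the same key twice through the deprecated `apt-key`; put the key in `/usr/share/keyrings` and use `signed-by=` in the sources entry.

In `vm_import`, `sudo systemctl start` has no unit name (`libvirtd` is missing) and the bare `reboot` that follows fails without sudo. In `edit_vm_dir`, `chmod 777` makes the disk images world-writable and `rm -rf` deletes the originals without checking that `cp` succeeded; use `mv` (or `cp && rm`) and set ownership for the libvirt user instead of 777, and note that `newpool` is defined on `/var/lib/libvirt/images`, the directory libvirt's `default` pool already uses. `"[+] reboot after 10 sec.."` is printed with no `sleep 10` before `sudo reboot`. Finally, `jobs=$(nproc)` is never used, `case $1` has no `*)` branch so an unknown or missing stage exits silently with status 0, and the `## edit Image.sh` comment is repeated on three unrelated stages; replace each comment with what the stage actually does.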