Evocatio is a bug analyzer built on top of AFL++ and AddressSanitizer. It automatically discovers a bug’s capabilities: analyzing a crashing test case (i.e., an input exposing a bug) to understand the full extent of how an attacker can exploit a bug. Evocatio leverages a capability-guided fuzzer to efficiently uncover new bug capabilities (rather than only generating a single crashing test case for a given bug, as a traditional greybox fuzzer does).
In this repo, we present 5 function module of Evocatio:
- POC Minimization: to get a poc with smaller size like afl-tmin.
- Critical Bytes Inference: to infer which bytes of poc are critical, so as to mutate them first.
- CapFuzz: to explore new capabilities of a bug. In this module, each new poc found by CapFuzz represents a new capability.
- Bug Capability Scaning: to summurize all capabilities found by CapFuzz.
- Severity Score: to calculate severity score of the bug from bug capabilities.
You can use these modules either sequentially or seperately.
We also present CapSan based on AddressSanitizer to detect bug capabilities.
More details about the project can be found at the paper. Our presentation about Evocatio can be found at the slide.
This repository is structured as follows:
- bug-severity-AFLplusplus (POC Minimization, Critical Bytes Inference, CapFuzz, CapSan)
- scripts (Bug Capability Scaning, SeverityScore)
We developed bug-severity-AFLplusplus based on AFLplusplus. What's more, our CapSan was developed by leveraging the convenience of __asan_*
public interface provided by AddressSanitizer.
Need Python 3.x. (Just Python's standard library is enough.)
Generally, requirement of bug-severity-AFLplusplus is just same as AFLplusplus.
However, you should pay more attention to the availability of asan_interface.h. AddressSanitizer is implemented by your compiler suite (such as gcc and clang), which works by instrumenting during the compilation phase and linking its run-time library into the final binary. __asan_*
public interface is provided by its run-time library and declared in asan_interface.h. So make sure that your compiler suite provides this header.
The two python scripts in ./scripts
is out-of-the-box. Just build bug-severity-AFLplusplus like what is needed for afl++:
cd ./bug-severity-AFLplusplus
make source-only NO_SPLICING=1
-
Ensure that
NO_SPLICING=1
is always used there. -
Never use
ASAN_BUILD=1
. Otherwise our bug-severity run-time dependency may confuse your compiler and linker, as well as AddressSanitizer. -
Since afl++ 3.0 there is only one compiler afl-cc works for instrumenting your target, all previous compilers now symlink to it. We have hacked it so that our bug-severity run-time dependency can be linked into the target binary. If afl-cc couldn't be built and work properly, then all is over.
For a quick start with Evocatio, you can follow these steps to start from scratch:
-
Download Evocatio into your system. Install dependencies and build Evocatio.
-
Get your target program and POC.
-
Compile and instrument your target program with AddressSanitizer enabled just as same as when using afl++.
⚠️ Ensure that AddressSanitizer is applied for your target. It is strongly recommended that set the environment variableAFL_USE_ASAN=1
to tell afl-cc do everything for you. Manually using compiler flag-fsanitize=address
as the doc says is also an alternative. -
Evocatio Function Module 1️⃣ : POC Minimization
./bug-severity-AFLplusplus/afl-tmin-lazy -m none -i /path/to/original/poc -o /path/to/minimized/poc -- /path/to/target/program @@
"@@" is a placeholder like in AFL++. If there are any commands surrounding "@@", keep them.
-
Evocatio Function Module 2️⃣ : Critical Bytes Inference
mkdir <your_path>/seeds ./bug-severity-AFLplusplus/cd-bytes-identifier -m none -i /path/to/poc -o /tmp/foo -g -c /tmp/constraints.res -k <your_path>/seeds -- /path/to/target/program @@
The output will be in
<your_path>/seeds/
. If you'd like to use another fuzzer later, you may use seeds in<your_path>/seeds/
as your fuzzer's original seeds. -
Evocatio Function Module 3️⃣ : CapFuzz
Start CapFuzz:
./bug-severity-AFLplusplus/afl-fuzz -m none -C -i /path/to/input/seeds/ -o /path/to/output/ -k /path/to/original/poc -- /path/to/target/program @@
-
Evocatio Function Module 4️⃣ : Bug Capability Scaning
Scan capabilities of poc:
python3 ./scripts/gen_raw_data_for_cve.py -i /path/to/new/crashes -o /path/to/bug/capability/json -b /path/to/target/program -a /path/to/commmands/file
-i argument receives path to new pocs found by CapFuzz;
-o argument determines the output path of bug capability json file;
-b argument receives path to the target program(binary);
-a argument receives path to commands file(which means you should write commands surrounding "@@" to a file first). -
Evocatio Function Module 5️⃣ : Severity Score
python3 ./scripts/calculate_severity_score.py -i /path/to/bug/capability/json
This will calulate bug severity score from bug capability json file. The severity score consists of reading score and writing score.
For detailed example, please refer to README in each subdirectory.
Evocatio provides users with a flexible framework that allows developers to flexibly adjust CapSan, CapFuzz and scoring system according to their own needs. For everyone who wants to contribute (and send pull requests), please read our contributing guidelines before you submit.
Questions? Concerns? Feel free to ping me via E-mail for general questions and academic discussion.
For recent update and new features implementation:
- CapSan related issue/usage/feature: ping Sonic via E-mail
- Next generation of Evocatio: ping Zhao via E-mail
- Installation, environment or other Evocatio questions: ping Mao via E-mail.
If you use Evocatio in scientific work, consider citing our paper presented at ACM CCS.
BibTeX
@inproceedings{10.1145/3548606.3560575,
author = {Jiang, Zhiyuan and Gan, Shuitao and Herrera, Adrian and Toffalini, Flavio and Romerio, Lucio and Tang, Chaojing and Egele, Manuel and Zhang, Chao and Payer, Mathias},
title = {Evocatio: Conjuring Bug Capabilities from a Single PoC},
year = {2022},
isbn = {9781450394505},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
url = {https://doi.org/10.1145/3548606.3560575},
doi = {10.1145/3548606.3560575},
booktitle = {Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security},
pages = {1599–1613},
numpages = {15},
keywords = {bug triaging, fuzzing, bug capability},
location = {Los Angeles, CA, USA},
series = {CCS '22}
}