Home

Awesome

ManuFuzzer

Binary code-coverage fuzzer for macOS, based on libFuzzer and LLVM

PRs Welcome License Follow Twitter

What is ManuFuzzer?

ManuFuzzer is an LLVM-based binary, coverage-guided fuzzing framework similar. It is simple to integrate coverage-guided fuzzing with ManuFuzzer: just define a special function, update some build flags, and you have instant binary-only, coverage-guided fuzzing (only basic-block coverage). Using ManuFuzzer, you can instrument one or more selected frameworks for coverage and fuzz the target functions/library.

How ManuFuzzer works?

ManuFuzzer makes use of custom breakpoint handler. When you select a module to instrument, ManuFuzzer replaces the branch instructions with breakpoint instruction at each and every basic-block by disassembling the module runtime using LLVM MC and stores the original bytes in a shadow memory mapping, whose address is fixed and can be computed from any address of the modified library and executes the program. Everytime any breakpoint gets hit, ManuFuzzer updates the coverage for the basic-block using custom breakpoint handler setup for SIGTRAP, deletes the breakpoint and resumes execution.

How to build ManuFuzzer?

ManuFuzzer is dependent on LLVM MC for disassembly and LLVM libFuzzer for fuzzing. ManuFuzzer patches LLVM-MC to increase the speed and evaluate an instruction type. ManuFuzzer pulls LLVM version 12.0.1-rc3 from https://github.com/llvm/llvm-project and applies llvm_ManuFuzzer.patch to LLVM MC and libFuzzer.

➜ git clone https://github.com/ant4g0nist/ManuFuzzer

To compile with debug logs:

➜ cd ManuFuzzer
➜ make
➜ make install

To compile without debug logs, pass FUZZ=1 in env:

➜ cd ManuFuzzer
➜ FUZZ=1 make
➜ make install

How to use ManuFuzzer?

For examples, let's try fuzzing CGFontCreateWithDataProvider function from CoreGraphics. This seems to be an easy target to reach.

ManuFuzzer exports 4 functions we need to use in our harness.

void installHandlers(void);
void libFuzzerCleanUp(void);
int instrumentMe(const char * module);
int libFuzzerStart(int argc, char **argv, UserCallback LLVMFuzzerTestOneInput);

These functions can be used in our harness as shown here:

#include <string.h>
#include <unistd.h>
#include <dlfcn.h>
#import <Foundation/Foundation.h>
#import <CoreGraphics/CoreGraphics.h>

#include "libManuFuzzer.h"

extern uint16_t previousLoc;

void LLVMFuzzerInitialize(int *argc, char ***argv) {
    installHandlers();

    instrumentMe("/System/Library/Frameworks/ImageIO.framework/Versions/A/ImageIO");
    instrumentMe("/System/Library/Frameworks/CoreGraphics.framework/Versions/A/CoreGraphics");
    instrumentMe("/System/Library/Frameworks/CoreText.framework/Versions/A/CoreText");
    instrumentMe("/System/Library/PrivateFrameworks/FontServices.framework/libFontParser.dylib");
}

int LLVMFuzzerTestOneInput(const uint8_t *fuzz_buff, size_t size)
{
    previousLoc = 0;

    NSData *inData = [[NSData alloc] initWithBytes:fuzz_buff length:size];
    CFErrorRef error;
    
    CGDataProviderRef provider = CGDataProviderCreateWithCFData((__bridge CFDataRef)inData);
    
    CGFontRef font = CGFontCreateWithDataProvider(provider);
    
    if (font)
        CFRelease(font);
 
    CFRelease(provider);

    [inData release];

    return 0;
}

int main(int argc, char* argv[])
{
    LLVMFuzzerInitialize(&argc, &argv);
    libFuzzerStart(argc, argv, LLVMFuzzerTestOneInput);
    libFuzzerCleanUp();

    return 0;
}

Makefile to compile above sample code:

example.o: examples/main.mm
	SDKROOT=$(SDKROOT) $(CXX) -c -o bin/$@ examples/main.mm
	
example: example.o
	SDKROOT=$(SDKROOT) $(CXX) $(FUZZ_EXAMPLE_CFLAGS) ./bin/example.o -o bin/example
	rm bin/*.o

To compile the example:

➜ make example

Demo

TODO

Trophies

let me know if you have found any vulnerabilities using this and will add it here :)

Thanks 🙌🏻🙌🏻