Skip to content

0xbigshaq/redis-afl

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits

input

input

 
 

.gitignore

.gitignore

 
 

Dockerfile

Dockerfile

 
 

README.md

README.md

 
 

fuzz.sh

fuzz.sh

 
 

hotpatch.diff

hotpatch.diff

 
 

setup.sh

setup.sh

 
 

stats-demo.png

stats-demo.png

 
 

Repository files navigation

redis-afl

An automated(+beginner friendly) setup for compiling and fuzzing Redis w/ AFL++.

More info about the process can be found here: https://0xbigshaq.github.io/2022/03/10/fuzzing-harder-part1

Build

To build, run:

docker build -t afl-redis-setup .

To start the container with a shared volume (in order for the results to be saved in the hosting machine)

docker run --rm -v $(pwd):/root/host-share --privileged -it --workdir=/root afl-redis-setup

Test

To run a smoke test before starting the fuzzing session, run:

AFL_PRELOAD=preeny/x86_64-linux-gnu/desock.so afl-showmap -m2048 -o/dev/null ./redis/src/redis-server ./redis.conf < <(echo "PING");

output:
[+] Hash of coverage map: 5a20352f5b1cb7e5
[+] Captured 1156 tuples (map size 38422, highest value 8, total values 2511) in '/dev/null'.
AFL_PRELOAD=preeny/x86_64-linux-gnu/desock.so afl-showmap -m2048 -o/dev/null ./redis/src/redis-server ./redis.conf < <(echo "SHUTDOWN");

output:
[+] Hash of coverage map: 653954010db919f3
[+] Captured 1170 tuples (map size 38422, highest value 8, total values 2553) in '/dev/null'.

Run

To start fuzzing, just run ./fuzz.sh file :^)

img0

Note: The fuzzing speed/execs per second will not be high if you don't have a strong machine. This can be solved in two approaches: The first approach is 'Trying Harder', to apply this, just keep reading through the Distributed Fuzzing section below. The 2nd approach is 'Trying Smarter', this approach involves patching the server in a more specific way that cuts down the performance costs, such example can be found here.

Distributed Fuzzing

To run multiple instances of AFL++, use afl-launch and specify number of cores using the -n argument:

AFL_PRELOAD=./preeny/x86_64-linux-gnu/desock.so ~/go/bin/afl-launch -n $(nproc) -i ./input/ -o output/ -x ./dict/ -m 2048 ./redis/src/redis-server ./redis.conf

Areas for improvement

The setup in this repo is based on VolatileMinds approach from 2015, I also added some useful improvements(below)

  • Upgrading to a modern version(from 3.1 to 6.2.1)
  • Automating the build proccess & hot-patch of Redis and preeny
  • Adding instructions for scaled/Distributed Fuzzing
  • Fixing compile flags for easier crash analysis (now side-dependencies are compiled with debug information, such as the embedded lua interpreter, etc.)
  • Use AFL_PRELOAD instead of LD_PRELOAD (although I didn't notice a change, some docs are suggesting to use AFL_PRELOAD since LD_PRELOAD might override the fuzzer binary and possibly make the fuzzer melt into itself)
  • Adding more samples for the ./input/ directory
  • Applying persistent fuzzing(AFL_LOOP) to increase the execs per second rate
  • Adding utils like AddressSanitizer(ASAN) UndefinedBehaviorSanitizer(UBSAN) to the final build

About

An automated setup for fuzzing Redis w/ AFL++

Resources

Readme
Activity

Stars

26 stars

Watchers

1 watching

Forks

5 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages