qemu_taint

First level taint implementation with qemu for linux user mode

How to use with afl++

WIP

This is meant for afl++. Checkout this special branch of afl++: taint branch Then in the afl++ repository execute cd qemu_taint && ./build_qemu_taint.sh. To use it just add the -A flag to afl-fuzz.

How to use stand-alone

Building

./build.sh

Currently only x86_64 is tested for host and guest, others could work though.

Running

Just run your target with afl-qemu-taint -- program flags. By default the taint is gathered on stdin reads. To see taint from files you have to set the environment variable AFL_TAINT_INPUT with the full path to the input file.

The output

[TAINT] MAP (length: 56, shown: 56) ('!' = touched, '.' = untouched)
[ .!..!!!!....!!!!!!!!!!!!!!!!!!!!!!!.....................         ]

Debug output

Set DEBUG=1 (or AFL_DEBUG=1).

This prints all the syscalls that touch the filename and tainted file descriptors plus the tainted memory operations.

Caveats

only tested for x86_x64 for host and guest (but could work elsewhere too)
Some syscall are not covered:

NR_remap_file_pages, NR_copy_file_range: these are not implemented in qemu
NR_sendfile, NR_sendfile64: write directly to a fd, so no memory access. This is not interpretated as taint. However a warning is given.
NR_[f]truncate, NR_[f]truncate64: only if it truncates to 0 we stop watching for open*, otherwise it is ignored
NR_open_by_handle_at: not supported (PRs welcome)

Complex things will not be detected, e.g. a rename or symlink on the file and then working on it.
No care for speed. It is fast enough but could be made faster.

Name		Name	Last commit message	Last commit date
Latest commit History 23 Commits
accel		accel
afl		afl
audio		audio
backends		backends
block		block
bsd-user		bsd-user
capstone		capstone
chardev		chardev
contrib		contrib
crypto		crypto
default-configs		default-configs
disas		disas
docs		docs
dtc		dtc
fpu		fpu
fsdev		fsdev
gdb-xml		gdb-xml
hw		hw
include		include
io		io
libdecnumber		libdecnumber
linux-headers		linux-headers
linux-user		linux-user
migration		migration
nbd		nbd
net		net
pc-bios		pc-bios
po		po
qapi		qapi
qga		qga
qobject		qobject
qom		qom
replay		replay
roms		roms
scripts		scripts
scsi		scsi
slirp		slirp
stubs		stubs
target		target
tcg		tcg
tests		tests
trace		trace
ui		ui
util		util
x86_64-linux-user		x86_64-linux-user
CODING_STYLE		CODING_STYLE
COPYING		COPYING
COPYING.LIB		COPYING.LIB
Changelog		Changelog
HACKING		HACKING
LICENSE		LICENSE
MAINTAINERS		MAINTAINERS
Makefile		Makefile
Makefile.objs		Makefile.objs
Makefile.target		Makefile.target
OPS		OPS
README.md		README.md
README.qemu.md		README.qemu.md
SYSCALLS		SYSCALLS
VERSION		VERSION
arch_init.c		arch_init.c
balloon.c		balloon.c
block.c		block.c
blockdev-nbd.c		blockdev-nbd.c
blockdev.c		blockdev.c
blockjob.c		blockjob.c
bootdevice.c		bootdevice.c
bt-host.c		bt-host.c
bt-vhci.c		bt-vhci.c
build.sh		build.sh
clean.sh		clean.sh
config.h		config.h
configure		configure
cpus-common.c		cpus-common.c
cpus.c		cpus.c
debug2.sh		debug2.sh
device-hotplug.c		device-hotplug.c
device_tree.c		device_tree.c
disas.c		disas.c
dma-helpers.c		dma-helpers.c
dump.c		dump.c
exec.c		exec.c
gdbstub.c		gdbstub.c
hmp-commands-info.hx		hmp-commands-info.hx
hmp-commands.hx		hmp-commands.hx
hmp.c		hmp.c
hmp.h		hmp.h
ioport.c		ioport.c
iothread.c		iothread.c
job-qmp.c		job-qmp.c
job.c		job.c
memory.c		memory.c
memory_ldst.inc.c		memory_ldst.inc.c
memory_mapping.c		memory_mapping.c
module-common.c		module-common.c
monitor.c		monitor.c
numa.c		numa.c
os-posix.c		os-posix.c
os-win32.c		os-win32.c
qdev-monitor.c		qdev-monitor.c

License

Licenses found

vanhauser-thc/qemu_taint

Folders and files

Latest commit

History