Fuzzing Against the Machine by Antonio Nappa & Eduardo Blázquez

Author:Antonio Nappa & Eduardo Blázquez
Language: eng
Format: epub
Publisher: Packt
Published: 2023-11-15T00:00:00+00:00

Passing inputs to the guest system

While the Driver binary is running within the guest, a communication channel between the Driver inside the VM and AFL is established through a hypercall. This call allows the Guest to call QEMU.

In TriForce, an additional code instruction is implemented in QEMU for handling communication with the Driver inside the VM. These instructions consist of non-existent opcodes for each architecture, allowing the entire OS to be targeted by the fuzzer. The helper_aflCall functions can be found in the qemu_mode/qemu/target-*/translate.c files. Here is an example of the code for x86 architecture:

case 0x124: /* pseudo-instr: 0x0f 0x24 - AFL call */ gen_helper_aflCall(cpu_regs[R_EAX],cpu_env,cpu_regs[R_EDI],cpu_regs[R_ESI],cpu_regs[R_EDX]); break;

In the code provided earlier, we can see that when QEMU encounters the 0xf 0x24 instruction, it triggers the execution of the helper_aflCall function. This function retrieves values from various registers, with the syscall number retrieved from the EAX register being used as the type of aflCall, while the remaining registers contain the arguments:

target_ulong helper_aflCall(CPUArchState *env, target_ulong code, target_ulong a0, target_ulong a1) { switch(code) { case 1: return startForkserver(env, a0); case 2: return getWork(env, a0, a1); case 3: return startWork(env, a0); case 4: return doneWork(a0); default: return -1; } }

The value from the RDI register will serve as the second parameter, and subsequent registers will hold the remaining parameters. This is managed by QEMU through the gen_helper_aflCall function. Depending on the type of aflCall, we have the following functionalities in the docs/triforce_internals.txt documentation:

startForkserver (RDI = 1): This function starts AFL’s fork server. After this point, each test will run in a separate forked child. If enableTicks is non-zero, QEMU will re-enable the CPUs timer after forking a child; otherwise, it will not be enabled.

getWork (RDI = 2): This function fills the memory at the specified pointer with the next input test case. It returns the actual size filled, which is <= sz.

startWork (RDI = 3): This function tells AFL to start tracing. The argument points to a buffer with two quadwords giving the start and end addresses of the code to trace. Instructions outside of this range are not traced.

doneWork (RDI = 4): This function tells AFL that the test case has completed. If a panic is detected, AFL will stop the test case immediately. Otherwise, it will run until doneWork is called. The exitCode value specified is returned to AFL. Note that the exit code can be replaced with the 64 value if any dmesg logs were detected during the test case, although this feature is not currently implemented.

Download

Copyright Disclaimer:
This site does not store any files on its server. We only index and link to content provided by other sites. Please contact the content providers to delete copyright contents if any and email us, we'll remove relevant links or contents immediately.