OpenAI Gym environment for binary fuzzing based on afl
OpenAI Gym[0] environment for binary fuzzing of a variety of libraries (libpng for now), executables, as well as simpler examples.
The environment's engine is based on american fuzzy lop[1] (afl) and is capable of thousands of executions per second for moderately sized executables.
The action space is the following:

Box(low=0, high=DICT_SIZE-1, shape=(INPUT_SIZE,), dtype='int32')

DICT_SIZE and INPUT_SIZE depend on the environment and the underlying program to fuzz:

- DICT_SIZE is the size of the dictionary used to fuzz the program. EOF is DICT_SIZE-1 and is accessible through the eof() method of the environment.
- INPUT_SIZE is the size of the input submitted for fuzzing; it is fixed for each environment. An action is therefore a vector of INPUT_SIZE dictionary indices, and decoding stops at the first EOF index, so the effective input can be shorter than INPUT_SIZE.
The environment simulates the following game:

(It is also possible to call step regardless of whether the game is done or not, if you are just interested in executing binaries and retrieving the associated coverage from Python. See also step_raw[2].)
The observation space is the following:

Box(low=0, high=255, shape=(256, 256), dtype='int32')

To compute coverage, the underlying execution engine assigns a random integer in [0, 255] to each basic block of the targeted binary. Coverage is then represented as a 256x256 matrix of 8-bit counters, each counting the number of times a transition (a pair of consecutively executed block IDs) was executed. Note that this differs from how afl computes coverage: afl hashes each edge into a 64 KB bitmap and then classifies hit counts into buckets, whereas here the raw transition counts are exposed. Because 8-bit counters are used for efficiency, a count can only take values in [0, 255] and wraps around beyond that. Also keep in mind that with only 256 block IDs, any non-trivial target has far more basic blocks than IDs, so several blocks share an ID and the matrix aggregates transitions between ID classes rather than between individual blocks. The coverage matrix of the last step execution is exactly what is returned as the observation.
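As an added example (this is not code from the project or from afl), the following Python simulates the two conventions described above: how an action vector is decoded into the input bytes through the dictionary and the EOF index, and how the 256x256 observation of wrapping 8-bit transition counters is built from a trace of block IDs. The dictionary layout (all 256 single bytes, optional multi-byte tokens, EOF as the last index), the toy instrumented target, the block-ID assignment and the new_transitions helper are assumptions made for illustration, not the environment's implementation or its reward.

```python
# Added illustration, not code from the fuzzing environment or afl. It mimics
# the documented action/observation conventions on a constructed toy target.
import random

BLOCK_IDS = 256      # each basic block gets a random ID in [0, 255]
COUNTER_MASK = 0xFF  # 8-bit counters: counts wrap at 256


def make_dictionary(extra_tokens=()):
    """Assumed dictionary layout: the 256 single bytes, then optional
    multi-byte tokens, then EOF as the last index (DICT_SIZE-1)."""
    tokens = [bytes([b]) for b in range(256)]
    tokens += [bytes(t) for t in extra_tokens]
    tokens.append(None)  # EOF marker, index len(tokens)-1
    return tokens


def eof(dictionary):
    """EOF is DICT_SIZE-1, mirroring the environment's eof() method."""
    return len(dictionary) - 1


def decode_action(action, dictionary):
    """Map an action (vector of dictionary indices) to the bytes handed to
    the target. Decoding stops at the first EOF, so the effective input may
    be shorter than INPUT_SIZE."""
    out = bytearray()
    for tok in action:
        if tok == eof(dictionary):
            break
        if not 0 <= tok < len(dictionary):
            raise ValueError(f"index {tok} outside dictionary of size {len(dictionary)}")
        out += dictionary[tok]
    return bytes(out)


def assign_block_ids(block_names, seed=0):
    """Random ID per block, as the engine does. With only 256 IDs, two
    blocks may share one; that collision is intentional in the model."""
    rng = random.Random(seed)
    return {name: rng.randrange(BLOCK_IDS) for name in block_names}


def toy_loop_trace(data, ids):
    """Constructed stand-in for an instrumented target: a loop that takes
    one of two branches per input byte. Yields executed block IDs in order."""
    yield ids["entry"]
    for b in data:
        yield ids["loop_head"]
        yield ids["is_a"] if b == ord("A") else ids["not_a"]
    yield ids["exit"]


def coverage_matrix(trace):
    """256x256 transition counts with 8-bit wrap, i.e. the observation."""
    cov = [[0] * BLOCK_IDS for _ in range(BLOCK_IDS)]
    prev = None
    for cur in trace:
        if prev is not None:
            cov[prev][cur] = (cov[prev][cur] + 1) & COUNTER_MASK
        prev = cur
    return cov


def new_transitions(obs, seen):
    """Count transitions present in obs but not yet in seen, then record
    them. An illustration of how an agent could consume the observation,
    not the reward the environment computes."""
    n = 0
    for i in range(BLOCK_IDS):
        for j in range(BLOCK_IDS):
            if obs[i][j] and (i, j) not in seen:
                seen.add((i, j))
                n += 1
    return n


if __name__ == "__main__":
    d = make_dictionary([b"IDAT"])          # DICT_SIZE = 258, EOF = 257
    action = [65, 256, eof(d), 66]          # "A", "IDAT", EOF, (ignored)
    data = decode_action(action, d)
    ids = assign_block_ids(["entry", "loop_head", "is_a", "not_a", "exit"])
    obs = coverage_matrix(toy_loop_trace(data, ids))
    seen = set()
    print(data, "new transitions:", new_transitions(obs, seen))
    # A long run of the same branch shows the 8-bit wrap: 300 iterations
    # leave a count of 300 & 0xFF == 44 on the loop_head -> is_a transition.
    obs = coverage_matrix(toy_loop_trace(b"A" * 300, ids))
    print("wrapped count:", obs[ids["loop_head"]][ids["is_a"]])
```

The wrap is the practical caveat: an agent that only reads the observation cannot distinguish 44 executions of a transition from 300, so a reward derived from raw counts should treat them as saturated or compare them only against a previously seen set of transitions, as new_transitions does.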
```bash
# Note that running setup.py bdist_wheel takes a bit of time as it builds our
# afl mod as well as the available targets.
pip install .

# You may also need to run the following command as superuser. afl refuses to
# start when core_pattern begins with '|' (core dumps piped to an external
# helper), so it must point to a plain file name. Note that `sudo echo ...`
# does not apply to the redirection; use a root shell or
# `sudo sh -c 'echo core >/proc/sys/kernel/core_pattern'`.
echo core >/proc/sys/kernel/core_pattern

# You can then test that everything works by running our dummy example.
python dummy_simple_bits.py
```
Available environments:

| Environment | Description | Action space | Dictionary |
| --- | --- | --- | --- |
| FuzzLibPNGEnv | Fuzzing environment for libpng-1.6.34 (recent). | Box(low=0, high=283, shape=(1024,)) | dictionary composed |
| FuzzSimpleBits-v0 | Fuzzing environment for the simple_bits executable (see code). | Box(low=0, high=256, shape=(64,)) | dictionary composed |
| FuzzSimpleLoop-v0 | Fuzzing environment for the simple_loop executable (see code). | Box(low=0, high=256, shape=(8,)) | dictionary composed |
| FuzzChecksum_{2,4,8}_{2,4,8}-v0 | Fuzzing environment for the checksum_k_n executable (see code). | Box(low=0, high=256, shape=(8,)) | dictionary composed |