Permalink
Cannot retrieve contributors at this time
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Bandit/libdislocator/README.dislocator
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
60 lines (44 sloc)
2.63 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| =================================== | |
| libdislocator, an abusive allocator | |
| =================================== | |
| (See ../docs/README for the general instruction manual.) | |
| This is a companion library that can be used as a drop-in replacement for the | |
| libc allocator in the fuzzed binaries. It improves the odds of bumping into | |
| heap-related security bugs in several ways: | |
| - It allocates all buffers so that they are immediately adjacent to a | |
| subsequent PROT_NONE page, causing most off-by-one reads and writes to | |
| immediately segfault, | |
| - It adds a canary immediately below the allocated buffer, to catch writes | |
| to negative offsets (won't catch reads, though), | |
| - It sets the memory returned by malloc() to garbage values, improving the | |
| odds of crashing when the target accesses uninitialized data, | |
| - It sets freed memory to PROT_NONE and does not actually reuse it, causing | |
| most use-after-free bugs to segfault right away, | |
| - It forces all realloc() calls to return a new address - and sets | |
| PROT_NONE on the original block. This catches use-after-realloc bugs, | |
| - It checks for calloc() overflows and can cause soft or hard failures | |
| of alloc requests past a configurable memory limit (AFL_LD_LIMIT_MB, | |
| AFL_LD_HARD_FAIL). | |
| Basically, it is inspired by some of the non-default options available for the | |
| OpenBSD allocator - see malloc.conf(5) on that platform for reference. It is | |
| also somewhat similar to several other debugging libraries, such as gmalloc | |
| and DUMA - but is simple, plug-and-play, and designed specifically for fuzzing | |
| jobs. | |
| Note that it does nothing for stack-based memory handling errors. The | |
| -fstack-protector-all setting for GCC / clang, enabled when using AFL_HARDEN, | |
| can catch some subset of that. | |
| The allocator is slow and memory-intensive (even the tiniest allocation uses up | |
| 4 kB of physical memory and 8 kB of virtual mem), making it completely unsuitable | |
| for "production" uses; but it can be faster and more hassle-free than ASAN / MSAN | |
| when fuzzing small, self-contained binaries. | |
| To use this library, run AFL like so: | |
| AFL_PRELOAD=/path/to/libdislocator.so ./afl-fuzz [...other params...] | |
| You *have* to specify path, even if it's just ./libdislocator.so or | |
| $PWD/libdislocator.so. | |
| Similarly to afl-tmin, the library is not "proprietary" and can be used with | |
| other fuzzers or testing tools without the need for any code tweaks. It does not | |
| require AFL-instrumented binaries to work. | |
| Note that the AFL_PRELOAD approach (which AFL internally maps to LD_PRELOAD or | |
| DYLD_INSERT_LIBRARIES, depending on the OS) works only if the target binary is | |
| dynamically linked. Otherwise, attempting to use the library will have no | |
| effect. |