T-Fuzz consists of 2 components:
- Fuzzing tool (TFuzz): a fuzzing tool based on program transformation
- Crash Analyzer (CrashAnalyzer): a tool that verifies whether crashes found transformed programs are true bugs in the original program or not (coming soon).
The current version is tested only on Ubuntu-16.04, while trying to run the code, please use our tested OS.
T-Fuzz system is built on several opensource tools.
- angr
- shellphish fuzzer
- angr tracer
- radare2 and its python wrapper r2pipe
$ git clone https://github.com/radare/radare2.git
$ cd radare2
$ ./sys/install.sh
Note: to use
apt-get build-dep
, you need to uncomment the deb-src lines in your apt source file (/etc/apt/sources.list) and run apt-get update.
$ sudo apt-get install build-essential gcc-multilib libtool automake autoconf bison debootstrap debian-archive-keyring
$ sudo apt-get build-dep qemu-system
$ sudo apt-get install libacl1-dev libtool-bin libc-bin:2.20
$ sudo apt-get install python-pip python-virtualenv
$ pip install virtualenvwrapper
Add the following lines to your shell rc file (~/.bashrc
or ~/.zshrc
).
export WORKON_HOME=$HOME/.virtual_envs
source /usr/local/bin/virtualenvwrapper.sh
$ mkvirtualenv tfuzz-env
This command will install all the dependent python libraries for you.
$ workon tfuzz-env
$ pip install -r req.txt
$ ./TFuzz --program <path_to_target_program> --work_dir <work_dir> --target_opts <target_opts>
Where
- <path_to_target_program>: the path to the target program to fuzz
- <work_dir>: the directory to save the results
- <target_opts>: the options to pass to the target program, like AFL, use
@@
as placeholder for files to mutate.
- Fuzzing base64 with T-Fuzz
$ ./TFuzz --program target_programs/base64 --work_dir workdir_base64 --target_opts "-d @@"
- Fuzzing uniq with T-Fuzz
$ ./TFuzz --program target_programs/uniq --work_dir workdir_uniq --target_opts "@@"
- Fuzzing md5sum with T-Fuzz
$ ./TFuzz --program target_programs/md5sum --work_dir workdir_md5sum --target_opts "-c @@"
- Fuzzing who with T-Fuzz
$ ./TFuzz --program target_programs/who --work_dir workdir_who --target_opts "@@"
Coming soon!