
The blog posts I read all say that the fuzzer and the fork server interact, and that the fork server forks child processes to execute the program, but I did not really understand how the two actually interact at the code level.

run_target contains the following code. Roughly, the fuzzer passes prev_timed_out to the fork server and then reads the child's pid (child_pid) back from the fork server:

    s32 res;

    /* In non-dumb mode, we have the fork server up and running, so simply
       tell it to have at it, and then read back PID. */

    if ((res = write(fsrv_ctl_fd, &prev_timed_out, 4)) != 4) {

      if (stop_soon) return 0;
      RPFATAL(res, "Unable to request new process from fork server (OOM?)");

    }

    if ((res = read(fsrv_st_fd, &child_pid, 4)) != 4) {

      if (stop_soon) return 0;
      RPFATAL(res, "Unable to request new process from fork server (OOM?)");

    }

    if (child_pid <= 0) FATAL("Fork server is misbehaving (OOM?)");

My question now is: why does the fork server return a pid right after the fuzzer passes it one parameter? How do the two interact in between, and what does the fork server do to produce that child_pid?

The fork server process runs the following code (some unimportant parts removed):

    if (!forksrv_pid) {

      struct rlimit r;

      /* Isolate the process and configure standard descriptors. If out_file is
         specified, stdin is /dev/null; otherwise, out_fd is cloned instead. */

      setsid();

      dup2(dev_null_fd, 1);
      dup2(dev_null_fd, 2);

      if (out_file) {

        dup2(dev_null_fd, 0);

      } else {

        dup2(out_fd, 0);
        close(out_fd);

      }

      /* Set up control and status pipes, close the unneeded original fds. */

      if (dup2(ctl_pipe[0], FORKSRV_FD) < 0) PFATAL("dup2() failed");
      if (dup2(st_pipe[1], FORKSRV_FD + 1) < 0) PFATAL("dup2() failed");

      close(ctl_pipe[0]);
      close(ctl_pipe[1]);
      close(st_pipe[0]);
      close(st_pipe[1]);

      close(out_dir_fd);
      close(dev_null_fd);
      close(dev_urandom_fd);
      close(fileno(plot_file));

      execv(target_path, argv);

      /* Use a distinctive bitmap signature to tell the parent about execv()
         falling through. */

      *(u32*)trace_bits = EXEC_FAIL_SIG;
      exit(0);

    }

I probably need to understand setsid(). A quick search showed I would first have to learn about processes, so I asked Bing. Bing's answer told me that setsid() is a system call that creates a new session and makes the current process the session leader. This function does not seem to be related to what I want to know.

I asked Bing again and consulted this blog post: https://blog.csdn.net/Little_Bro/article/details/122694054 . The fork server's interaction is also tied to instrumentation.

I looked at the AFL whitepaper, https://github.com/mirrorer/afl/blob/master/docs/technical_details.txt , which is written rather briefly, so I had to read the author's blog post: https://lcamtuf.blogspot.com/2014/10/fuzzing-binaries-without-execve.html

Unfortunately, there is also a problem: especially for simple libraries, you may end up spending most of the time waiting for execve(), the linker, and all the library initialization routines to do their job. I've been thinking of ways to minimize this overhead in american fuzzy lop, but most of the ideas I had were annoyingly complicated. For example, it is possible to write a custom ELF loader and execute the program in-process while using mprotect() to temporarily lock down the memory used by the fuzzer itself - but things such as signal handling would be a mess. Another option would be to execute in a single child process, make a snapshot of the child's process memory and then "rewind" to that image later on via /proc/pid/mem - but likewise, dealing with signals or file descriptors would require a ton of fragile hacks.

Why not simply call execve() many times? Because every execve() call carries some setup overhead, and the author wanted to speed that part up. I do not know the details of that setup; I will look into it later if I need to.

Luckily, Jann Horn figured a different, much simpler approach, and sent me a patch for afl out of the blue. It boils down to injecting a small piece of code into the fuzzed binary - a feat that can be achieved via LD_PRELOAD, via PTRACE_POKETEXT, via compile-time instrumentation, or simply by rewriting the ELF binary ahead of the time. The purpose of the injected shim is to let execve() happen, get past the linker (ideally with LD_BIND_NOW=1, so that all the hard work is done beforehand), and then stop early on in the actual program, before it gets to processing any inputs generated by the fuzzer or doing anything else of interest. In fact, in the simplest variant, we can simply stop at main().

The author gives a very clever solution: instrument the fuzzed program so that it pauses once the setup work is done, for example at the first statement of main(), and call fork() there. The forked child skips the setup entirely and goes straight to the actual processing.

Once the designated point in the program is reached, our shim simply waits for commands from the fuzzer; when it receives a "go" message, it calls fork() to create an identical clone of the already-loaded program; thanks to the powers of copy-on-write, the clone is created very quickly yet enjoys a robust level of isolation from its older twin. Within the child process (the child process created by the fork server), the injected code returns control to the original binary, letting it process the fuzzer-supplied input data (and suffer any consequences of doing so). Within the parent, the shim relays the PID of the newly-created process to the fuzzer and goes back to the command-wait loop.

The author calls the injected code a "shim" (a thin spacer), which is quite a vivid name. The shim waits for a command from the fuzzer; that command is the write(fsrv_ctl_fd, &prev_timed_out, 4) in run_target. After receiving the fuzzer's command, the fork server forks the process that actually executes the binary, the fuzzed process, and returns a pid to the fuzzer.

There is one question here: where are the function arguments passed? write(fsrv_ctl_fd, &prev_timed_out, 4) does not seem to pass any arguments.

Next, the author also discusses problems the real implementation may run into, as well as the assembly code of the instrumentation. The blog post https://blog.csdn.net/Little_Bro/article/details/12269405 explains the instrumentation code, but for now I do not need to understand the instrumentation code that thoroughly; I have understood the logic of the interaction between the fork server and the fuzzer.
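The exchange described above, reduced to the bare protocol, as an added example that is neither AFL's code nor part of the original post. Each run is two pipes and three 4-byte messages: the fuzzer writes prev_timed_out to the control pipe; the shim that AFL's instrumentation injected before main() is blocked in read() on that pipe, wakes up, fork()s, writes the child's pid to the status pipe, waitpid()s on the child, and writes the wait status back. The test case is never inside those 4 bytes: it is the file the fuzzer wrote before sending "go" (out_file, named on the command line), or, without out_file, the out_fd that the init_forkserver() code above dup2()s onto stdin before execv(); every forked child inherits that descriptor. The classic afl-as.h fork server discards the value it reads; AFL's LLVM runtime reads it as was_killed and uses it only in persistent mode, to write off a child that afl-fuzz already killed on timeout. Assumptions in this example: target_main() stands in for the instrumented binary and reads its input from a file under /tmp, the server loop is entered directly instead of via execv(), and forksrv_start/run_target/forksrv_stop/forksrv_demo are names chosen here; FORKSRV_FD = 198 is AFL's real constant.

```c
/* Constructed example of the AFL fork server protocol (not AFL's code);
   target_main() stands in for the instrumented target binary. */
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define FORKSRV_FD 198   /* AFL's fixed fds: 198 = control pipe, 199 = status pipe */

struct forksrv {
    pid_t srv_pid;   /* the long-lived fork server */
    int ctl_fd;      /* fuzzer -> server: one 4-byte "go" per run */
    int st_fd;       /* server -> fuzzer: 4-byte child pid, then 4-byte wait status */
};

/* Stand-in for the target's main(). The input arrives through the file the fuzzer
   wrote beforehand (AFL's out_file), never through the control pipe.
   Exit code = input length; the input "crash" simulates a bug (SIGABRT). */
static int target_main(const char *input_path) {
    char buf[64] = {0};
    FILE *f = fopen(input_path, "r");
    if (!f) return 1;
    size_t n = fread(buf, 1, sizeof buf - 1, f); fclose(f);
    if (strcmp(buf, "crash") == 0) abort();
    return (int)n;
}

/* The injected shim's wait loop: what AFL's instrumentation runs in the
   execv()'d target right before main(). */
static void forkserver_loop(int ctl, int st, const char *input_path) {
    for (;;) {
        unsigned was_killed; int status;
        if (read(ctl, &was_killed, 4) != 4) _exit(1);   /* fuzzer is gone */
        pid_t child = fork();                            /* copy-on-write clone */
        if (child < 0) _exit(1);
        if (child == 0) {
            close(ctl); close(st); _exit(target_main(input_path)); /* real shim: falls into main() */
        }
        if (write(st, &child, 4) != 4) _exit(1);         /* report the pid ... */
        if (waitpid(child, &status, 0) < 0) _exit(1);
        if (write(st, &status, 4) != 4) _exit(1);        /* ... then the outcome */
    }
}

/* Fuzzer side of init_forkserver(): two pipes, fork(), and in the child move them
   to FORKSRV_FD / FORKSRV_FD+1 as afl-fuzz does; the loop replaces execv() here. */
static int forksrv_start(struct forksrv *fs, const char *input_path) {
    int ctl_pipe[2], st_pipe[2];
    if (pipe(ctl_pipe) < 0 || pipe(st_pipe) < 0) return -1;
    fflush(NULL);   /* don't duplicate buffered stdio across fork() */
    fs->srv_pid = fork();
    if (fs->srv_pid < 0) return -1;
    if (fs->srv_pid == 0) {
        if (dup2(ctl_pipe[0], FORKSRV_FD) < 0 ||
            dup2(st_pipe[1], FORKSRV_FD + 1) < 0) _exit(1);
        close(ctl_pipe[0]); close(ctl_pipe[1]); close(st_pipe[0]); close(st_pipe[1]);
        forkserver_loop(FORKSRV_FD, FORKSRV_FD + 1, input_path);
    }
    close(ctl_pipe[0]); close(st_pipe[1]);
    fs->ctl_fd = ctl_pipe[1];
    fs->st_fd = st_pipe[0];
    return 0;
}

/* Fuzzer side of one run_target(): write the test case, send "go", read the pid,
   read the wait status. AFL also arms a timer that kills child_pid on timeout;
   that path is left out. Returns the child pid, or -1 on a protocol error. */
static pid_t run_target(struct forksrv *fs, const char *input_path,
                        const char *data, unsigned prev_timed_out, int *status) {
    pid_t child_pid = 0;
    int fd = open(input_path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    size_t len = strlen(data);
    if (write(fd, data, len) != (ssize_t)len) { close(fd); return -1; }
    close(fd);
    if (write(fs->ctl_fd, &prev_timed_out, 4) != 4) return -1;
    if (read(fs->st_fd, &child_pid, 4) != 4 || child_pid <= 0) return -1;
    if (read(fs->st_fd, status, 4) != 4) return -1;
    return child_pid;
}

static void forksrv_stop(struct forksrv *fs) {
    close(fs->ctl_fd); close(fs->st_fd);   /* EOF on ctl ends the server loop */
    waitpid(fs->srv_pid, NULL, 0);
}

/* Three runs through one server; 0 = all as expected, else a bitmask of failures. */
static int forksrv_demo(void) {
    char path[64]; struct forksrv fs; int status, rc = 0;
    snprintf(path, sizeof path, "/tmp/forksrv_demo_%ld.in", (long)getpid());
    if (forksrv_start(&fs, path) < 0) return 8;
    if (run_target(&fs, path, "hello", 0, &status) <= 0 ||
        !WIFEXITED(status) || WEXITSTATUS(status) != 5) rc |= 1;
    if (run_target(&fs, path, "crash", 0, &status) <= 0 ||
        !WIFSIGNALED(status) || WTERMSIG(status) != SIGABRT) rc |= 2;
    if (run_target(&fs, path, "ab", 0, &status) <= 0 ||   /* server survived the crash */
        !WIFEXITED(status) || WEXITSTATUS(status) != 2) rc |= 4;
    forksrv_stop(&fs);
    unlink(path);
    return rc;
}

int main(void) { return forksrv_demo(); }   /* exit status 0 = all runs as expected */
```

Build and run it with `cc -Wall -o forksrv_demo forksrv_demo.c && ./forksrv_demo; echo $?`; an exit status of 0 means the crashing run was reported as SIGABRT and the server kept answering afterwards. Two details worth noticing: the server never execs or re-initialises anything between runs, which is the whole point of the design, and the pid is sent before the status rather than together with it, because afl-fuzz needs child_pid in hand before it blocks on the status read so that its timeout handler has something to kill.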