GSoC 2020 with AFL++
My GSoC journey started in February 2020, with the announcement of the organisations taking part in this year’s summer of code. But first, a little about me. I am Rishi Ranjan, an undergrad student pursuing computer science at the Indian Institue of Technology, Roorkee. I was always fascinated with different aspects of information security and wanted to explore it more. And this year’s GSoC presented the perfect opportunity for it.
So, I started going through the list of organisations with a particular focus on InfoSec organisations and came across AFL++. I had heard of fuzzing and AFL before but had never actually explored it. So, I was a newbie in it and this came as a great opportunity for me!
Pre GSoC phase
While looking at their proposed projects, I came across a lot of brilliant ideas. Still, the one which caught my eye was the one involving building a multithreaded fuzzing framework/library based on AFL, which would be written in C (a language I like :) ). So, I decided to go ahead and contribute to AFL++. So, to start with I submitted a pull request fixing an issue with the signal handlers in the fuzzer.
One of the org members(and my future GSoC mentor :) )Dominik added me to the GSoC group for the students where it was much easier to interact with the other mentors too. I solved a few more issues such as moving the environment variables to a different state, adding support for multiple custom mutators and moving the post-process API to the custom mutator API. I then submitted my proposal for working on the embeddable multithreaded fuzzing library project. Finally, the results came out, and I got selected for GSoC 2020 :). Woohoo!!!
My mentors for the project were Dominik (who had helped me a lot during the pre-GSoC time) and Heiko. Apart from them, Marc and Andrea also worked on the basic structure of the fuzzing library we planned to implement. Andrea even came up with a POC for the project I was going to work on.
Phase 1
Phase 1 started with me implementing the basic structures and functions for the library, which would be central to a fuzzer. We worked on the executor, the input and the queue structures. Since we wanted the library to follow somewhat Object-Oriented structure, we also implemented the virtual tables for these structures and their default implementations along with it. So now, at the end of phase 1, we had a usable and extendable executor, input and queue structure ready to use. We also had a clear structure of the library and its components by the end of phase 1. Also, the mentors decided that we should have a video conference every week to keep track of the things accomplished and the next week goals which would be easier for me. This also helped me during the project as all my doubts were cleared right away.
Phase 2
Phase 2 began with us deciding that we would probably finish all the remaining structures of the library so that we have time to work on multithreading the library. So, I implemented the other structures which included the fuzz-one, engine, observation channel, feedback and mutators. We also implemented the different nitpicks of the library and the functions which we thought would be significant. This phase brought more clarity about what we wanted from the library and how the different structures would be present in the fuzzer and interact with each other. With this, I also started working on a simple fuzzer based on the library, which would be a reference point for the users. This example was based on the coverage-feedback and forkservers of AFL++ which are also now included in the library. Thus, the library made a lot of progress in the second phase.
Phase 3
The final phase was the one in which we sped up the work to make the library multithreaded and much more usable. I started by completing the example fuzzer and then writing unit tests for the library. Then we started working on making the example multithreaded, and since the library was very structured so this wasn’t very difficult to do. After this, we also went ahead and implemented a simple in-memory fuzzer as an example. These different examples show the usability of the library, how easy it is to build a fuzzer using it.
Link to the code
You can find my work here.
Also here is an image of our example fuzzer based on our library working
I want to thank my mentors Dominik and Heiko for their great support and patience with me without which this project wouldn’t have been possible. I’d also like to thank Andrea and Marc for helping with my doubts whenever I approached them for help. I want to conclude by saying that this project has been a great learning experience for me. It helped me explore fuzzing, programming and software engineering all in great detail. I couldn’t have asked for a better GSoC experience than the one provided to me by AFL++, and I’m very thankful to them for this :)