This blog post details the steps I took to set up the AFL fuzzer to target MozJPEG. I did this using the base image that was set up in the post on fuzzing XPDF. It is written to document how to fuzz something like an image parser.
Install prerequisites
These are required in addition to anything inherited from the previous blog post.
# `autoreconf` is provided by the autoconf package; there is no package named autoreconf.
sudo apt-get install nasm autoconf libtool
Prepare MozJPEG
cd ~/Downloads
wget "https://github.com/mozilla/mozjpeg/releases/download/v3.1/mozjpeg-3.1-release-source.tar.gz"
tar -xf mozjpeg-3.1-release-source.tar.gz
cd mozjpeg
# Running `autoreconf` is required to avoid some errors.
autoreconf -f -i
# Instrument MozJPEG using AFL
CC=~/bin/afl/afl-gcc ./configure --disable-shared
make clean all AFL_HARDEN=1
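As an added check that is not part of the original post, the following script verifies that the `cjpeg` produced by `make` really carries AFL instrumentation before any CPU time is spent fuzzing it. It looks for the `__AFL_SHM_ID` marker that afl-gcc's runtime leaves in every instrumented binary, then runs one valid JPEG through `afl-showmap` and requires a non-empty coverage map. The function names (`is_afl_instrumented`, `count_map_tuples`, `check_build`) are mine; paths follow this post, and `not_kitty.jpg` is the sample JPEG that ships in AFL's `testcases/images/jpeg` directory.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the afl-gcc build of cjpeg
# before spending CPU on it. Paths follow the post (~/bin/afl, ~/Downloads/mozjpeg);
# not_kitty.jpg is the JPEG sample that ships in AFL's testcases/ directory.
AFL_DIR="${AFL_DIR:-$HOME/bin/afl}"
MOZJPEG_DIR="${MOZJPEG_DIR:-$HOME/Downloads/mozjpeg}"

# afl-gcc links in a runtime that reads the coverage map's shared-memory id from
# the __AFL_SHM_ID environment variable, so that string is present in every
# instrumented binary and absent from a plain gcc build.
is_afl_instrumented() {
    grep -qa '__AFL_SHM_ID' "$1"
}

# Count the edge tuples afl-showmap wrote to its output file (one "id:hits" line
# per tuple). Zero tuples means the target ran without reporting any coverage.
count_map_tuples() {
    grep -c ':' "$1" || true
}

# Run one valid sample through afl-showmap and require a non-empty map.
check_build() {
    bin="$MOZJPEG_DIR/cjpeg"
    sample="$AFL_DIR/testcases/images/jpeg/not_kitty.jpg"
    map="$(mktemp)"

    if ! is_afl_instrumented "$bin"; then
        echo "$bin was not built with afl-gcc (AFL runtime missing)" >&2
        return 1
    fi
    # Same arguments as the fuzzing command line, with the sample in place of @@.
    "$AFL_DIR/afl-showmap" -q -m 2G -o "$map" -- "$bin" -quality 70 -outfile /dev/null "$sample"
    tuples="$(count_map_tuples "$map")"
    rm -f "$map"
    echo "instrumentation ok: $tuples tuples hit by $sample"
    [ "$tuples" -gt 0 ]
}

# Usage: sh check-build.sh check   (no argument: only define the functions)
if [ "${1:-}" = "check" ]; then check_build; fi
```

A build that was configured without `CC=~/bin/afl/afl-gcc` fails the first check; a binary that is instrumented but never reaches the decoder on the sample (wrong arguments, memory limit too low) shows up as zero tuples, which is cheaper to discover here than after an hour of `afl-fuzz` reporting no new paths.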
Prepare ramdisk
This script sets up a 1 GB tmpfs ramdisk and copies the MozJPEG build, AFL and the seed images into it, so the fuzzer's reads and writes never touch disk.
cat << EOF > ~/bin/set-up-ramdisk.sh
#!/bin/bash
if grep -qs '/tmp/afl-ramdisk' /proc/mounts; then
sudo umount /tmp/afl-ramdisk
rm -rf /tmp/afl-ramdisk
fi
sudo mkdir -p /tmp/afl-ramdisk && sudo chmod 777 /tmp/afl-ramdisk
sudo mount -t tmpfs -o size=1G tmpfs /tmp/afl-ramdisk
cp -R ~/Downloads/mozjpeg /tmp/afl-ramdisk
cp -R ~/bin/afl /tmp/afl-ramdisk
cp -R ~/bin/afl/testcases/images/jpeg/ /tmp/afl-ramdisk/samples
EOF
chmod +x ~/bin/set-up-ramdisk.sh
sudo -E env "PATH=$PATH" set-up-ramdisk.sh
Prepare AFL
This is required in order to run AFL: afl-fuzz refuses to start unless core dumps are written to a file rather than handed to an external crash handler. The setting does not survive a reboot.
sudo su
echo core >/proc/sys/kernel/core_pattern
exit
Start fuzzing
Kick off the fuzzer.
cd /tmp/afl-ramdisk
export PATH="$PATH:/tmp/afl-ramdisk/afl"
sudo chown $(whoami):$(whoami) -R afl/ samples/ mozjpeg/
mkdir cjpeg_out
afl-launch -m="2G" -i samples -o afl_out -n 4 mozjpeg/cjpeg -quality 70 \
-outfile cjpeg_out/afl-image.jpg @@
For some options, check out this post. Of note, some options that are available are:
- The `-quality` option accepts fractional numbers (necessary if you want to make a fair benchmark) and two numbers separated by commas to set the quality of brightness and color separately, e.g. `-quality 60,70`.
- `-sample 1x1` enables full-resolution color (e.g. red lines won't be smudged as badly), but it makes files larger.
- `-quant-table 2` (mentioned earlier) makes images softer and reduces posterization in low qualities.
- `-notrellis` makes images sharper, but increases file size.
- `-outfile` defines the path where the result is (over)written to. The last argument is the source image. It can be a PNG, a very high-quality JPEG or Targa.
The status of the fuzzer can be checked with `afl-whatsup`, pointed at the `afl_out` directory given to `-o` above:
watch afl-whatsup -s afl_out
Performance is decent, hovering around 1500 execs/second.
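The same numbers can be pulled straight from the `fuzzer_stats` file that each afl-fuzz instance keeps in its output directory, which is handy when you want a crash count to feed a cron job or a notification rather than a screen to watch. The script below is an added example, not code from the post or from AFL; it assumes AFL's `key : value` layout for `fuzzer_stats` (the `execs_per_sec`, `paths_total`, `unique_crashes` and `unique_hangs` keys are AFL's own) and the `afl_out` sync directory used above. The function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): roll up the fuzzer_stats file that every
# afl-fuzz instance keeps in its output directory, so one glance covers all instances.
# Assumes AFL's "key : value" fuzzer_stats layout and the afl_out sync directory above.

# Print the value of KEY from one fuzzer_stats FILE (nothing if the key is absent).
stat_value() {
    awk -v key="$2" -F' *: *' '$1 == key { print $2; exit }' "$1"
}

# Sum KEY over every <DIR>/<instance>/fuzzer_stats. awk does the arithmetic so
# fractional execs_per_sec values add correctly; integer totals print without
# a decimal part.
sum_stat() {
    cat "$1"/*/fuzzer_stats 2>/dev/null |
        awk -v key="$2" -F' *: *' '
            $1 == key { total += $2 }
            END { if (total == int(total)) printf "%d\n", total; else printf "%.2f\n", total }'
}

# One line per instance plus totals. Returns 1 when any instance has recorded a
# crash, so the function can drive a cron job or a notification.
afl_summary() {
    dir="$1"
    printf '%-24s %10s %8s %8s %8s\n' instance execs/s paths crashes hangs
    for f in "$dir"/*/fuzzer_stats; do
        [ -f "$f" ] || continue
        printf '%-24s %10s %8s %8s %8s\n' "$(basename "$(dirname "$f")")" \
            "$(stat_value "$f" execs_per_sec)" "$(stat_value "$f" paths_total)" \
            "$(stat_value "$f" unique_crashes)" "$(stat_value "$f" unique_hangs)"
    done
    printf '%-24s %10s %8s %8s %8s\n' TOTAL "$(sum_stat "$dir" execs_per_sec)" \
        "$(sum_stat "$dir" paths_total)" "$(sum_stat "$dir" unique_crashes)" \
        "$(sum_stat "$dir" unique_hangs)"
    [ "$(sum_stat "$dir" unique_crashes)" -eq 0 ]
}

# Usage: sh afl-summary.sh /tmp/afl-ramdisk/afl_out   (no argument: only define functions)
if [ -n "${1:-}" ]; then afl_summary "$1"; fi
```

The total `execs/s` line is the figure to compare against the 1500 execs/second quoted above; a sudden drop across all instances usually means the ramdisk filled up or the machine is swapping, while a drop in a single instance points at that instance's own hang or crash handling.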