This blog post details the steps I took to set up the AFL fuzzer to target MozJPEG. I did this using the base image that was set up in the post on fuzzing XPDF. This post is written to document how to fuzz something like an image parser.
These packages are required in addition to anything inherited from the previous blog post.
```bash
# There is no package named "autoreconf": the tool ships with autoconf,
# and automake provides the aclocal that `autoreconf -i` also runs.
sudo apt-get install nasm autoconf automake libtool
```
```bash
cd ~/Downloads
wget "https://github.com/mozilla/mozjpeg/releases/download/v3.1/mozjpeg-3.1-release-source.tar.gz"
tar -xf mozjpeg-3.1-release-source.tar.gz
cd mozjpeg
# Running `autoreconf` is required to avoid some errors.
autoreconf -f -i
# Instrument MozJPEG using AFL
CC=~/bin/afl/afl-gcc ./configure --disable-shared
make clean all AFL_HARDEN=1
```
This script sets up a tmpfs ramdisk and copies the fuzzer, the instrumented MozJPEG build and the seed images onto it, so that the fuzzer's constant reads and writes never touch the disk.
```bash
cat << EOF > ~/bin/set-up-ramdisk.sh
#!/bin/bash
# Tear down a previous ramdisk if one is still mounted.
if grep -qs '/tmp/afl-ramdisk' /proc/mounts; then
    sudo umount /tmp/afl-ramdisk
    rm -rf /tmp/afl-ramdisk
fi
sudo mkdir /tmp/afl-ramdisk && sudo chmod 777 /tmp/afl-ramdisk
sudo mount -t tmpfs -o size=1G tmpfs /tmp/afl-ramdisk
# Copy the instrumented build, AFL itself and the JPEG seed corpus onto the ramdisk.
cp -R ~/Downloads/mozjpeg /tmp/afl-ramdisk
cp -R ~/bin/afl /tmp/afl-ramdisk
cp -R ~/bin/afl/testcases/images/jpeg/ /tmp/afl-ramdisk/samples
EOF
chmod +x ~/bin/set-up-ramdisk.sh
# -E keeps HOME so the ~ paths above resolve; PATH is passed through so ~/bin is found.
sudo -E env "PATH=$PATH" set-up-ramdisk.sh
```
This is required in order to run AFL: afl-fuzz refuses to start if core dumps are piped to an external handler (a `core_pattern` beginning with `|`), because the handler adds latency to every crash and can make crashes look like hangs.
```bash
sudo su
# Write plain core files instead of piping them to a crash handler.
echo core >/proc/sys/kernel/core_pattern
exit
```
Kick off the fuzzer.
```bash
cd /tmp/afl-ramdisk
export PATH="$PATH:/tmp/afl-ramdisk/afl"
# The ramdisk script ran as root, so take ownership back before fuzzing.
sudo chown $(whoami):$(whoami) -R afl/ samples/ mozjpeg/
mkdir cjpeg_out
# Four parallel instances, 2 GB memory limit each; @@ is replaced by the mutated input file.
# All instances write to the same -outfile; that is fine because the output is never inspected.
afl-launch -m="2G" -i samples -o afl_out -n 4 \
    mozjpeg/cjpeg -quality 70 -outfile cjpeg_out/afl-image.jpg @@
```
For more options, check out this post. Of note, some of the available options are:
- `-quality` accepts fractional numbers (necessary if you want to make a fair benchmark) and two numbers separated by commas to set the quality of brightness and color separately, e.g. `-quality 60,70`.
- `-sample 1x1` enables full-resolution color (e.g. red lines won't be smudged as badly), but it makes files larger.
- `-quant-table 2` (mentioned earlier) makes images softer and reduces posterization at low qualities.
- `-notrellis` makes images sharper, but increases file size.
- `-outfile` defines the path the result is (over)written to. The last argument is the source image; it can be a PNG, a very high-quality JPEG or Targa.
The status of the fuzzer can be checked with
```bash
# -s prints only the summary; the directory is the -o sync dir given to afl-launch above.
watch afl-whatsup -s afl_out
```
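To make clear what that status check is actually reading, here is an added example (not code from the original post or from AFL) that rebuilds the core of `afl-whatsup` in POSIX shell: each afl-fuzz instance keeps a `fuzzer_stats` file of `key : value` lines under `afl_out/<instance>/`, and the script totals the execution rate and crash/hang counts across instances and flags any instance whose `last_update` is older than a threshold, which is how a dead or stalled instance shows up. The instance names and stats values are constructed; the key names are the ones AFL writes.

```shell
#!/bin/sh
# Added example (not from the original post): afl-whatsup-style summary over
# the fuzzer_stats files in an AFL sync dir. All sample values are constructed.
set -eu

# Read one key from a fuzzer_stats file ("key : value" lines).
stat_value() {
    # $1 = path to fuzzer_stats, $2 = key name
    awk -F' *: *' -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Summarise every instance under a sync dir on one line.
afl_summary() {
    # $1 = AFL sync dir, $2 = "now" as epoch seconds, $3 = seconds without
    # an update after which an instance counts as stalled
    dir=$1; now=$2; stale=$3
    set -- "$dir"/*/fuzzer_stats
    [ -f "$1" ] || { echo "no fuzzer_stats found under $dir" >&2; return 1; }
    awk -F' *: *' -v now="$now" -v stale="$stale" '
        FNR == 1               { instances++ }
        $1 == "execs_per_sec"  { rate += $2 }
        $1 == "unique_crashes" { crashes += $2 }
        $1 == "unique_hangs"   { hangs += $2 }
        $1 == "last_update"    { if (now - $2 > stale) stalled++ }
        END {
            printf "instances=%d execs_per_sec=%.0f unique_crashes=%d unique_hangs=%d stalled=%d\n",
                   instances, rate, crashes, hangs, stalled
        }' "$@"
}

# Write a constructed fuzzer_stats file for one instance.
write_stats() {
    # $1 = instance dir, $2 = last_update, $3 = execs_per_sec,
    # $4 = unique_crashes, $5 = unique_hangs
    mkdir -p "$1"
    cat > "$1/fuzzer_stats" <<EOF
start_time        : 990000
last_update       : $2
fuzzer_pid        : 4242
cycles_done       : 3
execs_done        : 4500000
execs_per_sec     : $3
paths_total       : 412
unique_crashes    : $4
unique_hangs      : $5
afl_banner        : cjpeg
command_line      : afl-fuzz -i samples -o afl_out -- mozjpeg/cjpeg -quality 70 -outfile cjpeg_out/afl-image.jpg @@
EOF
}

# Populate a sync dir with three constructed instances: two healthy,
# one that has not updated its stats for about 10000 seconds.
make_sample_sync_dir() {
    write_stats "$1/fuzzer01" 999990 1512.40 0 0
    write_stats "$1/fuzzer02" 999900 1487.60 2 1
    write_stats "$1/fuzzer03" 990000 1000.00 0 0
}

# Stand-alone demo against a temporary sync dir.
demo_dir=$(mktemp -d)
make_sample_sync_dir "$demo_dir"
afl_summary "$demo_dir" 1000000 300
rm -rf "$demo_dir"
```

Against a real run, call `afl_summary afl_out "$(date +%s)" 300` from `/tmp/afl-ramdisk`. Note that `unique_crashes` is deduplicated per instance only, so the total can count the same crash more than once when several instances find it; the per-instance `crashes/` directories still have to be triaged before the number means anything.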
Performance is decent, hovering around 1500 execs/second: