coresight_mode/README.md
CoreSight mode enables binary-only fuzzing on ARM64 Linux using CoreSight (ARM's hardware tracing technology).
NOTE: CoreSight mode is in an early development stage and is not suitable for production use. Currently the following hardware boards are supported:

Please read the RICSec/coresight-trace README and check the prerequisites (capstone) before getting started.
CoreSight mode supports the AFL++ fork server mode to reduce `exec` system call overhead. To support binary-only fuzzing, you must use the shared library `libforksrv`, which implements the fork server by intercepting the libc function `__libc_start_main`.
Check out all the git submodules in the `cs_mode` directory:

```sh
git submodule update --init --recursive
```
There are some notes on building coresight-trace; refer to its README for the details. Run `make` in the `cs_mode` directory:

```sh
make build
```

or

```sh
make debug
```
Make sure `cs-proxy` is placed in the AFL++ root directory as `afl-cs-proxy`.

Run `afl-fuzz` with the `-A` option to use CoreSight mode:

```sh
sudo afl-fuzz -A -i input -o output -- $OUTPUT @@
```
There are AFL++ CoreSight mode-specific environment variables for run-time configuration:

- `AFL_CS_CUSTOM_BIN` overrides the proxy application path. `afl-cs-proxy` is used if not defined.
- `AFLCS_COV` specifies the coverage type used in CoreSight trace decoding. `edge` and `path` are supported. The default value is `edge`.
- `AFLCS_UDMABUF` is the u-dma-buf device number used to store trace data in the DMA region. The default value is `0`.
- `AFLCS_NO_DECODER` indicates that `afl-cs-proxy` is running without a decoder. Needed for performance measurement purposes.
- `CS_LD_PRELOAD` is the same as `LD_PRELOAD`, but applies only to the target binary.
- `CS_LD_LIBRARY_PATH` is the same as `LD_LIBRARY_PATH`, but applies only to the target binary.
- `CS_TRACE_LIB` specifies which of the target's shared libraries should be included in coverage tracking.
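The following launcher wrapper is an added example, not code from AFL++ or coresight-trace. It checks the CoreSight-specific variables above against their documented values, verifies that `afl-fuzz` and the proxy are in place, and only then starts `afl-fuzz -A` under `sudo`, forwarding the variables through `env(1)` so they survive sudo's environment reset. The AFL++ root directory, the input/output directory names and the target command line are arguments supplied by the caller; `CS_DRY_RUN` is an assumption of this wrapper (it prints the composed command instead of running it), not an AFL++ variable.

```sh
#!/bin/sh
# Added example (not part of AFL++ or coresight-trace): validate the
# CoreSight-mode environment, check the binaries, then launch afl-fuzz -A.

# Check AFLCS_COV and AFLCS_UDMABUF against their documented value ranges.
cs_validate_env() {
    case "${AFLCS_COV:-edge}" in
        edge|path) ;;
        *) echo "AFLCS_COV must be 'edge' or 'path', got '$AFLCS_COV'" >&2; return 1 ;;
    esac
    case "${AFLCS_UDMABUF:-0}" in
        *[!0-9]*) echo "AFLCS_UDMABUF must be a non-negative integer, got '$AFLCS_UDMABUF'" >&2; return 1 ;;
    esac
    return 0
}

# Resolve the proxy the same way AFL++ does: AFL_CS_CUSTOM_BIN wins,
# otherwise afl-cs-proxy is expected next to afl-fuzz in the AFL++ root.
cs_proxy_path() {
    printf '%s\n' "${AFL_CS_CUSTOM_BIN:-$1/afl-cs-proxy}"
}

# Verify that afl-fuzz and the proxy exist and are executable before using sudo.
cs_check_binaries() {
    afl_root=$1
    proxy=$(cs_proxy_path "$afl_root")
    [ -x "$afl_root/afl-fuzz" ] || { echo "afl-fuzz not found in $afl_root" >&2; return 1; }
    [ -x "$proxy" ] || { echo "CoreSight proxy not executable: $proxy" >&2; return 1; }
    return 0
}

# Usage: cs_fuzz <afl_root> <input_dir> <output_dir> <target> [target args...]
# With CS_DRY_RUN=1 (wrapper-only variable) the composed command is printed
# instead of executed.
cs_fuzz() {
    afl_root=$1; in_dir=$2; out_dir=$3; shift 3
    : "${AFLCS_COV:=edge}" "${AFLCS_UDMABUF:=0}"   # make the documented defaults explicit
    cs_validate_env || return 1
    cs_check_binaries "$afl_root" || return 1

    # Build the argument list back to front: target command line, afl-fuzz
    # options, then one NAME=value word per set CoreSight variable so that
    # env(1) forwards them through sudo regardless of its env_reset policy.
    set -- "$afl_root/afl-fuzz" -A -i "$in_dir" -o "$out_dir" -- "$@"
    for var in CS_TRACE_LIB CS_LD_LIBRARY_PATH CS_LD_PRELOAD AFLCS_NO_DECODER \
               AFL_CS_CUSTOM_BIN AFLCS_UDMABUF AFLCS_COV; do
        eval "val=\${$var:-}"
        if [ -n "$val" ]; then set -- "$var=$val" "$@"; fi
    done
    set -- sudo env "$@"

    if [ "${CS_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
        return 0
    fi
    "$@"
}
```

A typical call is `AFLCS_COV=path cs_fuzz /path/to/AFLplusplus input output ./target @@`; running it with `CS_DRY_RUN=1` first shows exactly which variables reach `afl-fuzz` through `sudo`, which is the usual cause of a proxy that silently falls back to defaults.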
This project has received funding from the Acquisition, Technology & Logistics Agency (ATLA) under the National Security Technology Research Promotion Fund 2021 (JPJ004596).