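{ stdenv, fetchurl, bash, callPackage, makeWrapper
, clang, llvm, which, libcgroup }:

# `bash` is accepted as an argument but not referenced anywhere below; it is
# kept in the signature so existing callers that pass it keep working.

let
  # Separate QEMU build used for fuzzing binaries without source
  # (see ./qemu.nix in this directory).
  afl-qemu = callPackage ./qemu.nix {};

  # Only the two Linux targets below have a matching qemu user-mode
  # executable; any other system is rejected at evaluation time.
  qemu-exe-name = if stdenv.system == "x86_64-linux" then "qemu-x86_64"
                  else if stdenv.system == "i686-linux" then "qemu-i386"
                  else throw "afl: no support for ${stdenv.system}!";
in
stdenv.mkDerivation rec {
  name = "afl-${version}";
  version = "1.67b";

  # The tarball is fetched over plain HTTP; the fixed sha256 below is what
  # guarantees its integrity, so a `version` bump must also update the hash.
  src = fetchurl {
    url = "http://lcamtuf.coredump.cx/afl/releases/${name}.tgz";
    sha256 = "11763zgwqg2b5hak006rp0jb3w252js067z9ibgl4nj3br2ncmd2";
  };

  # Note: libcgroup isn't needed for building, just for the afl-cgroup
  # script.
  buildInputs = [ makeWrapper clang llvm which ];

  buildPhase = ''
    # Main tools, then the clang-based instrumentation in llvm_mode.
    make PREFIX=$out
    cd llvm_mode && make && cd ..
  '';

  installPhase = ''
    # Do the normal installation
    make install PREFIX=$out

    # Install the custom QEMU emulator for binary blob fuzzing.
    cp ${afl-qemu}/bin/${qemu-exe-name} $out/bin/afl-qemu-trace

    # Install the cgroups wrapper for asan-based fuzzing.  The upstream
    # script calls the cgroup tools by bare name, so rewrite those calls
    # to the libcgroup store path rather than relying on $PATH at runtime.
    cp experimental/asan_cgroups/limit_memory.sh $out/bin/afl-cgroup
    chmod +x $out/bin/afl-cgroup
    substituteInPlace $out/bin/afl-cgroup \
      --replace "cgcreate" "${libcgroup}/bin/cgcreate" \
      --replace "cgexec" "${libcgroup}/bin/cgexec" \
      --replace "cgdelete" "${libcgroup}/bin/cgdelete"

    # Patch shebangs before wrapping
    patchShebangs $out/bin

    # Wrap every program with a custom $AFL_PATH; I believe there is a
    # bug in afl which causes it to fail to find `afl-qemu-trace`
    # relative to `afl-fuzz` or `afl-showmap`, so we instead set
    # $AFL_PATH as a workaround, which allows it to be found.
    #
    # Iterate the glob directly instead of parsing `ls | grep -v` output;
    # the afl-clang-fast wrappers are skipped here and handled below.
    for x in $out/bin/afl-*; do
      case "$x" in
        *afl-clang-fast*) continue ;;
      esac
      wrapProgram $x --prefix AFL_PATH : "$out/bin"
    done

    # Wrap afl-clang-fast(++) with a *different* AFL_PATH, because it
    # has totally different semantics in that case(?) - and also set a
    # proper AFL_CC and AFL_CXX so we don't pick up the wrong one out
    # of $PATH.
    for x in $out/bin/afl-clang-fast $out/bin/afl-clang-fast++; do
      wrapProgram $x \
        --prefix AFL_PATH : "$out/lib/afl" \
        --prefix AFL_CC : "${clang}/bin/clang" \
        --prefix AFL_CXX : "${clang}/bin/clang++"
    done
  '';

  meta = {
    description = "Powerful fuzzer via genetic algorithms and instrumentation";
    longDescription = ''
      American fuzzy lop is a fuzzer that employs a novel type of
      compile-time instrumentation and genetic algorithms to
      automatically discover clean, interesting test cases that
      trigger new internal states in the targeted binary. This
      substantially improves the functional coverage for the fuzzed
      code. The compact synthesized corpora produced by the tool are
      also useful for seeding other, more labor or resource-intensive
      testing regimes down the road.
    '';
    homepage = "http://lcamtuf.coredump.cx/afl/";
    license = stdenv.lib.licenses.asl20;
    platforms = stdenv.lib.platforms.linux;
    maintainers = [ stdenv.lib.maintainers.thoughtpolice ];
  };
}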