Adventures in Fuzzing Matrix’s Encryption

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • AFLplusplus

    The fuzzer afl++ is afl with community patches, qemu 5.1 upgrade, collision-free coverage, enhanced laf-intel & redqueen, AFLfast++ power schedules, MOpt mutators, unicorn_mode, and a lot more!

  • Author here. As one of the other comments mentions, afl++ (and to some extent vanilla afl) already has the capability to automatically scrape magic values from arguments to special functions like `strcmp` and the like. The older technique is called libtokencap (https://github.com/AFLplusplus/AFLplusplus/blob/stable/utils...), but afl++ also has a newer feature called AUTODICT (https://github.com/AFLplusplus/AFLplusplus/blob/stable/instr...).

    But this only solves the problem of magic constants expected in the input. If the check depends on dynamic properties of the input or happens deeper in the code after the input's already been through some transformations, it can't be solved like this. There are other techniques to help with this, though. One of the earlier attempts to solve such types of more complex checks is called laf-intel (https://github.com/AFLplusplus/AFLplusplus/blob/stable/instr...) and boils down to transforming a more complex check into a nested series of simpler checks. This makes it more probable that the fuzzer's random mutation will be able to solve the outer check and hence hit new coverage, enabling the fuzzer to detect the mutation as productive.

    afl++ has a more modern variant of this called CmpLog (https://github.com/AFLplusplus/AFLplusplus/blob/stable/instr...) which is based on the RedQueen technique. The paper for RedQueen is a really interesting read: https://www.syssec.ruhr-uni-bochum.de/media/emma/veroeffentl...

    The problem of checksums is at times also solved by simply modifying the binary so that the checksum is neutralized and always succeeds, especially if you have access to source code.

    As for the problem of fuzzing stateful things like the double ratchet, one way of tackling the problem is to think of the input to the fuzzer as not only the raw bytes that you'll be passing to the program you're fuzzing, but as a blueprint specifying which high-level operations you'll be performing on the input. Then you teach your fuzzer to be smarter and be able to perform a bunch of those operations.

    So, let's say you take 512 bytes as the input to the fuzzer. You treat the first 256 bytes as the message to decode and the latter 256 bytes as the high-level cryptographic operations to perform on this message, each byte specifying one of those operations. So you could say a byte of value 1 represents the operation "ENCRYPT WITH KEY K1", 2 represents "ENCRYPT WITH KEY K2", 3 represents "DECRYPT WITH KEY K1", 4 represents "DECRYPT WITH KEY K2", 5 represents "PERFORM SHA2" and so on. Now you can feasibly end up with a sequence which will take a message encrypted with key K1, decrypt it, modify the message, then re-encrypt with key K2. Or, in the case of the double ratchet algorithm, have it perform multiple successive encryption steps to evolve the state of the ratchet and be able to fuzz more deeply.

    Of course, the encoding needs to be rather dense for this to work well so that ideally each low-level bit mutation the fuzzer does on an input still encodes a valid sequence of valid high-level operations.
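
The blueprint encoding described in the comment above, as an added example that is not part of the original comment or of any project listed on this page. The `toy_*` functions and the keys are hypothetical stand-ins for the real library calls under test, `run_blueprint` and `decode_op` are names invented here, and reducing each operation byte modulo the number of operations is one assumed way to get the dense encoding the comment asks for (operations are numbered from 0 here rather than from 1).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MSG_LEN 256   /* first half of the input: the message */
#define OPS_LEN 256   /* second half: one high-level operation per byte */

enum op { ENC_K1, ENC_K2, DEC_K1, DEC_K2, DIGEST, OP_COUNT };

/* Toy stand-ins (assumption) for the real crypto calls being fuzzed. */
static const uint8_t K1 = 0x3c, K2 = 0xa5;

static void toy_encrypt(uint8_t *m, uint8_t k) {
    for (size_t i = 0; i < MSG_LEN; i++) m[i] = (uint8_t)(m[i] + k + i);
}
static void toy_decrypt(uint8_t *m, uint8_t k) {
    for (size_t i = 0; i < MSG_LEN; i++) m[i] = (uint8_t)(m[i] - k - i);
}
static void toy_digest(uint8_t *m) {       /* FNV-1a written into m[0..3] */
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < MSG_LEN; i++) h = (h ^ m[i]) * 16777619u;
    for (int i = 0; i < 4; i++) m[i] = (uint8_t)(h >> (8 * i));
}

/* Dense decoding: all 256 byte values map to a valid operation, so a
 * random bit flip in the second half still yields a runnable sequence. */
static enum op decode_op(uint8_t b) { return (enum op)(b % OP_COUNT); }

/* Applies the operation sequence to a copy of the message.
 * Returns the number of operations run, or -1 if the input is too short. */
int run_blueprint(const uint8_t *data, size_t size, uint8_t msg[MSG_LEN]) {
    if (size < MSG_LEN + OPS_LEN) return -1;
    memcpy(msg, data, MSG_LEN);
    const uint8_t *ops = data + MSG_LEN;
    for (size_t i = 0; i < OPS_LEN; i++) {
        switch (decode_op(ops[i])) {
        case ENC_K1: toy_encrypt(msg, K1); break;
        case ENC_K2: toy_encrypt(msg, K2); break;
        case DEC_K1: toy_decrypt(msg, K1); break;
        case DEC_K2: toy_decrypt(msg, K2); break;
        default:     toy_digest(msg);      break;
        }
    }
    return OPS_LEN;
}

/* libFuzzer-style entry point (assumed harness shape). */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    uint8_t msg[MSG_LEN];
    run_blueprint(data, size, msg);
    return 0;
}
```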

  • weechat-matrix

    Weechat Matrix protocol script written in python

  • For a nicely documented and clean Matrix client implementation in Python, see weechat-matrix[1] and the matrix-nio[2] library it's based on. There's also Mirage[3] which is also based on matrix-nio and is a GUI client.

    [1]: https://github.com/poljar/weechat-matrix

    [2]: https://github.com/poljar/matrix-nio

    [3]: https://github.com/mirukana/mirage

  • matrix-nio

    A Python Matrix client library, designed according to sans I/O (http://sans-io.readthedocs.io/) principles

  • mirage

    A fancy, customizable, keyboard-operable Qt/QML & Python Matrix chat client for encrypted and decentralized communication. (by mirukana)
