Need help with redqueen?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

RUB-SysSec
269 Stars 41 Forks GNU Affero General Public License v3.0 5 Commits 4 Opened issues

Services available

!
?

Need anything else?

Contributors list

# 130,449
C
Shell
Haxe
fuzzing
2 commits
# 124,309
Shell
Haxe
passwor...
passwor...
2 commits
# 110,033
Shell
Haxe
sparc
m68k
1 commit

Red­queen: Fuz­zing with In­put-to-Sta­te Cor­re­spon­dence

Redqueen is a fast general purpose fuzzer for x86 binary applications. It can automatically overcome checksums and magic bytes without falling back to complex and fragile program analysis techniques, such as symbolic execution. It works by observing the arguments to function calls and compare instructions via virtual machine introspection. Observed values are used to provide inputs specific mutations. More details can be found in the paper. This fuzzer is built upon kAFL and requires support for Intel VT-x as well as Intel Processor Trace.

The Paper, Talk and Slides describing Redqueen were published at NDSS 2019.

BibTex:

@inproceedings{redqueen,
  title={REDQUEEN: Fuzzing with Input-to-State Correspondence},
  author={Aschermann, Cornelius and Schumilo, Sergej and Blazytko, Tim and Gawlik, Robert and Holz, Thorsten},
  booktitle={Symposium on Network and Distributed System Security (NDSS)},
  year={2019},
}

Initial Setup

To install redqueen run

install.sh
cd ~/redqueen/
sh install.sh

This will setup everything, assuming an Ubuntu 16.04.

Fuzzing with Redqueen is a two stage process. First, the target application is packed:

python ~/redqueen/kAFL-Fuzzer/kafl_user_prepare.py --recompile -args=/A -file=/A ~/redqueen/Evaluation/lava/binaries/who ~/redqueen/Evaluation/lava/packed/who/ m64

Use

kafl_info.py
and the generated
info
executable to get the address ranges of your fuzzing target:
python kafl_info.py Kernel  \
~/redqueen/Target-Components/linux_initramfs/bzImage-linux-4.15-rc7 \
~/redqueen/Target-Components/linux_initramfs/init.cpio.gz \
~/redqueen/Evaluation/lava/packed/who/who_info \
500

Then the packed binary can be fuzzed.

python kafl_fuzz.py Kernel \
~/redqueen/Target-Components/linux_initramfs/bzImage-linux-4.15-rc7 \
~/redqueen/Target-Components/linux_initramfs/init.cpio.gz \
~/redqueen/Evaluation/lava/packed/who/who_fuzz  \
500 \
~/redqueen/Evaluation/lava/packed/uninformed_seeds \
/tmp/kafl_workdir -ip0 0x400000-0x47c000 -t10 -hammer_jmp_tables -n -D -r -l -v -p1

Trophies

License

AGPLv3

Free Software, Hell Yeah!

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.