Tested on Ubuntu 18.04 with the following environment:

* Python v3.6.10
* npm v6.14.6
* n v6.7.0
For nodejs and npm:

```
$ sudo apt-get -y install npm
$ sudo npm install -g n
$ sudo n stable
```

For redis-server:

```
$ sudo apt install redis-server
```

We use clang-6.0 so that AFL and the browsers compile smoothly:

```
$ sudo apt-get -y install clang-6.0
```
To set up the environment for AFL:

```
$ cd fuzz/scripts
$ sudo ./prepare.sh
```
To compile the whole project and prepare the initial corpus:

```
$ git clone https://github.com/sslab-gatech/DIE-corpus.git
$ python3 ./fuzz/scripts/make_initial_corpus.py ./DIE-corpus ./corpus
```

Then populate the corpus:

```
$ ./fuzz/scripts/populate.sh [target binary path] [path of DIE-corpus dir] [target js engine (ch/jsc/v8/ffx)]
# Example
$ ./fuzz/scripts/populate.sh ~/ch ./DIE-corpus ch
```

It's done! Your corpus has been executed and its data should be located on the redis-server.
To check the redis data:

```
$ redis-cli -p 9000
127.0.0.1:9000> keys *
```

If the result contains the "crashBitmap", "crashQueue", "pathBitmap" and "newPathsQueue" keys, the fuzzer was registered and executed correctly.

Make an ssh tunnel for the connection with the redis-server.
Usage:

```
$ ./fuzz/scripts/run.sh [target binary path] [path of DIE-corpus dir] [target js engine (ch/jsc/v8/ffx)]
$ ./fuzz/scripts/run.sh ~/ch ./DIE-corpus ch
```

Check if it's running:

```
$ tmux ls
```

You can find a session named `fuzzer` if it's running.
We used d8 to profile type information, so please change d8_path in fuzz/TS/typer/typer.py before execution.

```
$ cd fuzz/TS/typer
$ python3 typer.py [corpus directory]
```

A *.jsi file will be created if instrumentation works well, and a *.t file will be created if profiling works well.
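An added sanity check, not part of DIE itself, that audits a corpus directory after typer.py has run: it lists every .js file whose .jsi or .t output is missing, so a partially failed instrumentation or profiling pass is caught before fuzzing. It assumes typer writes `<name>.jsi` and `<name>.t` beside each `<name>.js` (the README does not state the naming); the sample corpus is constructed in a temporary directory.

```python
import sys
import tempfile
from pathlib import Path

# Assumption (not stated in the README): typer writes "<name>.jsi" and
# "<name>.t" next to each "<name>.js" it processes.
INSTRUMENTED_SUFFIX = ".jsi"
TYPE_PROFILE_SUFFIX = ".t"


def audit_typer_output(corpus_dir):
    """Walk corpus_dir and sort every .js file (relative POSIX path) into
    'ok' (both outputs present), 'missing_jsi' and/or 'missing_t'."""
    corpus = Path(corpus_dir)
    report = {"ok": [], "missing_jsi": [], "missing_t": []}
    for js in sorted(corpus.rglob("*.js")):
        rel = js.relative_to(corpus).as_posix()
        has_jsi = js.with_suffix(INSTRUMENTED_SUFFIX).exists()
        has_t = js.with_suffix(TYPE_PROFILE_SUFFIX).exists()
        if not has_jsi:
            report["missing_jsi"].append(rel)
        if not has_t:
            report["missing_t"].append(rel)
        if has_jsi and has_t:
            report["ok"].append(rel)
    return report


def make_sample_corpus():
    """Constructed sample corpus in a temp dir: a.js fully processed,
    sub/b.js instrumented but not profiled, c.js untouched."""
    root = Path(tempfile.mkdtemp(prefix="die-corpus-"))
    (root / "sub").mkdir()
    for name in ("a.js", "sub/b.js", "c.js"):
        (root / name).write_text("var x = 1;\n")
    (root / "a.jsi").write_text("// instrumented\n")
    (root / "a.t").write_text("{}\n")
    (root / "sub" / "b.jsi").write_text("// instrumented\n")
    return str(root)


if __name__ == "__main__":
    # Pass a real corpus directory, or run without arguments for the sample.
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_corpus()
    result = audit_typer_output(target)
    print(f"instrumented and profiled: {len(result['ok'])}")
    for key in ("missing_jsi", "missing_t"):
        for path in result[key]:
            print(f"{key}: {path}")
    sys.exit(1 if result["missing_jsi"] or result["missing_t"] else 0)
```

The exit status is non-zero when any file lacks an output, so the check can gate a fuzzing run in a script.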
If you find bugs and get CVEs by running DIE, please let us know.