2025-02-24 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)05/31 Report--
This article explains what kind of tool Nautilus is. The editor considers it very practical and shares it here for reference; follow along to have a look.
Nautilus introduction
Nautilus is a coverage-guided, grammar-based fuzzer. Researchers can use it to improve test coverage during fuzzing and thereby find more security vulnerabilities. By specifying a grammar for semi-valid inputs, Nautilus can perform more complex mutations and generate more valid test cases.
Nautilus 2.0 has now been released. It introduces a number of functional enhancements over the Nautilus prototype and fully supports AFL++. Besides stability and usability improvements, it includes the following feature improvements:
Support for AFL-QEMU mode
Support for grammars written in Python syntax
Support for generating structured input with Python scripts
Support for specifying binary protocols / formats
Support for specifying regular-expression terminals
Avoids generating similar short inputs
Better error output
Many bug fixes
Nautilus working mechanism
A grammar is specified with rules such as EXPR -> EXPR + EXPR, EXPR -> NUM, and NUM -> 1. From these rules the fuzzer builds a tree, and this internal representation allows much more complex mutations than mutating raw bytes. The tree is then turned into a real input for the target application by splicing all of its leaf nodes together. In the example from the original figure (not reproduced here), the left tree unparses to "a=1+2" and the right one to "a=1+1+2". To make grammars more expressive, Nautilus also lets researchers supply Python functions for the unparsing step, which supports more complex operations.
Tool installation & configuration
First, clone the project source code locally and do the basic setup with the following commands:
git clone 'git@github.com:nautilus-fuzz/nautilus.git'
cd nautilus
/path/to/AFLplusplus/afl-clang-fast test.c -o test  # afl-clang-fast as provided by AFL
Next, the remaining parameters are set in the config.ron file; the fuzzer is then started with:
cargo run --release -- -g grammars/grammar_py_example.py -o /tmp/workdir -- ./test @@
If you want to use QEMU mode, run the following command instead:
cargo run --release -- /path/to/AFLplusplus/afl-qemu-trace -- ./test_bin @@  # grammar and workdir come from config.ron, or pass -g/-o as above
Here, we use Python to define a grammar that generates valid XML-like input. Note that the grammar's rules must ensure that the closing tag matches the opening tag:
# ctx.rule(NONTERM: string, RHS: string|bytes) adds a rule NONTERM->RHS. We can use {NONTERM} in the RHS to request a recursion.
ctx.rule("START", "{XML_CONTENT}")
ctx.rule("XML_CONTENT", "{XML}{XML_CONTENT}")
ctx.rule("XML_CONTENT", "")
# ctx.script(NONTERM: string, RHS: [string], func) adds a rule NONTERM->func(*RHS).
# In contrast to normal `rule`, RHS is an array of nonterminals.
# It's up to the function to combine the values returned for the NONTERMINALS with any fixed content used.
ctx.script("XML", ["TAG", "ATTR", "XML_CONTENT"], lambda tag, attr, body: b"<%s %s>%s</%s>" % (tag, attr, body, tag))
ctx.rule("ATTR", "foo=bar")
ctx.rule("TAG", "some_tag")
ctx.rule("TAG", "other_tag")
# Sometimes we don't want to explore the set of possible inputs in more detail. For example, if we fuzz a script
# interpreter, we don't want to spend time on fuzzing all different variable names. In such cases we can use Regex
# terminals. Regex terminals are only mutated during generation, but not during normal mutation stages, saving a lot of time.
# The fuzzer still explores different values for the regex, but it won't be able to learn interesting values incrementally.
# Use this when incremental exploration would most likely waste time.
ctx.regex("TAG", "[a-z]+")
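To make the mechanism of the two sections above concrete (rules build a tree, unparsing splices the leaves, mutation acts on subtrees, and a script rule keeps the closing tag matched), here is an added Python model written for this article; it is not Nautilus code and only mirrors the rule/script/regex names of the grammar API shown above. The depth limit, the 0.3 descent probability and the letters-only regex sampler are simplifications of my own.

```python
import random, re

class GrammarCtx:  # toy stand-in for the Nautilus Python grammar context: same rule/script/regex names, not Nautilus code
    def __init__(self):
        self.rules = {}  # NONTERM -> list of (kind, child nonterminals, payload)
    def rule(self, nt, rhs):  # rhs is a template; {NAME} requests a nonterminal
        self.rules.setdefault(nt, []).append(("rule", re.findall(r"\{(\w+)\}", rhs), rhs))
    def script(self, nt, rhs, func):  # rhs lists nonterminals; func combines their unparsed values
        self.rules.setdefault(nt, []).append(("script", list(rhs), func))
    def regex(self, nt, pattern):  # terminal whose value is sampled when (re)generated, not mutated byte-wise
        self.rules.setdefault(nt, []).append(("regex", [], pattern))
    def generate(self, nt, rng=None, depth=0):  # build a derivation tree (nt, kind, payload, children)
        rng, opts = rng or random.Random(), self.rules[nt]
        if depth > 6:  # steer away from recursive options so generation terminates
            opts = [o for o in opts if not o[1]] or [o for o in opts if nt not in o[1]] or opts
        kind, names, payload = rng.choice(opts)
        if kind == "regex":  # toy sampler: only covers the "[a-z]+" style pattern used on the page
            payload = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(rng.randint(1, 6)))
        return (nt, kind, payload, [self.generate(n, rng, depth + 1) for n in names])

def unparse(node):  # tree -> concrete input: splice child text into the template, or let the script combine it
    nt, kind, payload, kids = node
    vals = [unparse(k) for k in kids]
    if kind == "rule":  # fill the {NAME} slots left to right
        return re.sub(r"\{\w+\}", lambda m, it=iter(vals): next(it), payload)
    return payload(*vals) if kind == "script" else payload

def mutate(ctx, node, rng):  # tree-level mutation: descend at random, regenerate one subtree from its nonterminal
    nt, kind, payload, kids = node
    if not kids or rng.random() < 0.3:
        return ctx.generate(nt, rng)
    i = rng.randrange(len(kids))
    return (nt, kind, payload, kids[:i] + [mutate(ctx, kids[i], rng)] + kids[i + 1:])

def tags_balanced(text):  # closing tag must match the open one: the property the page's grammar has to keep
    stack = []
    for close, name in re.findall(r"<(/?)(\w+)[^>]*>", text):
        if not close:
            stack.append(name)
        elif not stack or stack.pop() != name:
            return False
    return not stack

def demo(seed=1, rounds=20):  # the page's XML-like grammar (str rather than bytes here), then `rounds` mutations
    ctx, rng = GrammarCtx(), random.Random(seed)
    for nt, rhs in [("START", "{XML_CONTENT}"), ("XML_CONTENT", "{XML}{XML_CONTENT}"), ("XML_CONTENT", ""), ("ATTR", "foo=bar")]:
        ctx.rule(nt, rhs)
    ctx.script("XML", ["TAG", "ATTR", "XML_CONTENT"], lambda tag, attr, body: "<%s %s>%s</%s>" % (tag, attr, body, tag))
    ctx.regex("TAG", "[a-z]+")
    trees = [ctx.generate("START", rng)]
    for _ in range(rounds):
        trees.append(mutate(ctx, trees[-1], rng))
    return [unparse(t) for t in trees]
```

Every input `demo()` returns stays well-formed because mutation replaces whole subtrees and the script rule emits the closing tag itself; a byte-level mutator would have no such guarantee.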
Next, the test-case generator can be used to try out the grammar just written:
$ cargo run --bin generator -- -g grammars/grammar_py_example.py -t 100
In addition, Nautilus can be used together with AFL. Point AFL at the same working directory with its "-o" parameter; AFL then synchronizes with Nautilus and imports the inputs Nautilus produces:
# Terminal/Screen 1
./afl-fuzz -Safl -i /tmp/seeds -o /tmp/workdir/ -- ./test @@
# Terminal/Screen 2
cargo run --release -- -o /tmp/workdir -- ./test @@