# libdislocator, an abusive allocator

For the general instruction manual, see [docs/README.md](../../docs/README.md).

This is a companion library that can be used as a drop-in replacement for the
libc allocator in the fuzzed binaries. It improves the odds of bumping into
heap-related security bugs in several ways:

  - It allocates all buffers so that they are immediately adjacent to a
    subsequent PROT_NONE page, causing most off-by-one reads and writes to
    immediately segfault,

  - It adds a canary immediately below the allocated buffer and verifies it
    when the block is freed, to catch writes to negative offsets (it won't
    catch reads, though),

  - It sets the memory returned by malloc() to garbage values, improving the
    odds of crashing when the target accesses uninitialized data,

  - It sets freed memory to PROT_NONE and never reuses it, causing most
    use-after-free bugs to segfault right away,

  - It forces all realloc() calls to return a new address and sets PROT_NONE
    on the original block. This catches use-after-realloc bugs,

  - It checks for calloc() size overflows and can cause soft (NULL is returned)
    or hard (the process aborts) failures of allocation requests past a
    configurable memory limit (AFL_LD_LIMIT_MB, AFL_LD_HARD_FAIL).

  - Optionally, on platforms that support it, huge pages can be used by passing
    `USEHUGEPAGE=1` to make.

  - Optionally, on platforms that support it, `named` pages can be used by
    passing `USENAMEDPAGE=1` to make, so the allocator's mappings can be told
    apart from others in the process memory map.

  - Size alignment to `max_align_t` can be enforced with `AFL_ALIGNED_ALLOC=1`.
    In this case, a tail canary is inserted in the padding bytes at the end of
    the allocated zone. This reduces the ability of libdislocator to detect
    off-by-one bugs (an overrun that stays inside the padding only trips the
    canary at free() time instead of segfaulting on the spot), but it makes
    libdislocator compliant with the C standard's alignment requirements.

Basically, it is inspired by some of the non-default options available for the
OpenBSD allocator; see malloc.conf(5) on that platform for reference. It is
also somewhat similar to several other debugging libraries, such as gmalloc and
DUMA, but is simple, plug-and-play, and designed specifically for fuzzing jobs.

Note that it does nothing for stack-based memory handling errors. The
-fstack-protector-all setting for GCC / clang, enabled when using AFL_HARDEN,
can catch some subset of those.

The allocator is slow and memory-intensive (with 4 kB pages, even the tiniest
allocation uses up 4 kB of physical memory and 8 kB of virtual memory: one data
page plus one guard page), making it completely unsuitable for "production"
uses; but it can be faster and more hassle-free than ASAN / MSAN when fuzzing
small, self-contained binaries.

To use this library, run AFL++ like so:

```
AFL_PRELOAD=/path/to/libdislocator.so ./afl-fuzz [...other params...]
```

You *have* to specify a path, even if it's just ./libdislocator.so or
$PWD/libdislocator.so.

Similarly to afl-tmin, the library is not "proprietary" and can be used with
other fuzzers or testing tools without the need for any code tweaks. It does not
require AFL-instrumented binaries to work.

Note that the AFL_PRELOAD approach (which AFL++ internally maps to LD_PRELOAD or
DYLD_INSERT_LIBRARIES, depending on the OS) works only if the target binary is
dynamically linked and calls the libc allocator through its dynamic symbols.
Otherwise, attempting to use the library will silently have no effect.
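The mechanisms listed at the top of this page (buffer flush against a PROT_NONE guard page, an underflow canary, poisoned fresh memory, freed and realloc()'d blocks made inaccessible) are easier to reason about when laid out in code. The following toy allocator is an added example written for this page; it is not libdislocator's source, and none of its names (`guarded_malloc`, `guarded_free`, `guarded_realloc`, `write_faults`, the `demo_*` functions, `CANARY_WORD`, `POISON_BYTE`) exist in AFL++. It assumes a POSIX system with `mmap`/`mprotect` and leaves out the huge-page, named-page, memory-limit and `AFL_ALIGNED_ALLOC` options. Where the real library lets the fuzzed binary crash, `write_faults` catches the SIGSEGV/SIGBUS with `sigsetjmp` so each behaviour can be checked from within one process.

```c
#define _GNU_SOURCE /* expose mmap/mprotect/sigaction/sigsetjmp on glibc */
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Example-only guard-page allocator (names are this example's, not libdislocator's).
 * Layout of one allocation (the user buffer ends exactly at the guard page):
 *   [ unused | size_t len | uint32 canary | user bytes ....... ][ PROT_NONE page ]
 *   ^ region                              ^ user           page boundary ^        */
#define CANARY_WORD 0x5A3CC3A5u
#define POISON_BYTE 0xFF
#define HDR_LEN (sizeof(size_t) + sizeof(uint32_t))

static size_t page_size(void) { return (size_t)sysconf(_SC_PAGESIZE); }

/* Pages needed for header + user data of a len-byte request. */
static size_t data_pages(size_t len) {
    size_t page = page_size();
    return (len + HDR_LEN + page - 1) / page;
}

static void *guarded_malloc(size_t len) {
    size_t page = page_size(), dp = data_pages(len);
    uint8_t *region = mmap(NULL, (dp + 1) * page, PROT_READ | PROT_WRITE,
                           MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED) return NULL;
    /* Trailing page is neither readable nor writable: p[len] faults at once. */
    if (mprotect(region + dp * page, page, PROT_NONE) != 0) {
        munmap(region, (dp + 1) * page);
        return NULL;
    }
    uint8_t *user = region + dp * page - len;  /* flush against the guard page */
    uint32_t canary = CANARY_WORD;
    memcpy(user - sizeof canary, &canary, sizeof canary);
    memcpy(user - HDR_LEN, &len, sizeof len);
    memset(user, POISON_BYTE, len);            /* no helpful zeros for the target */
    return user;
}

static size_t guarded_size(const void *p) {
    size_t len; memcpy(&len, (const uint8_t *)p - HDR_LEN, sizeof len); return len;
}

/* 1 if the canary below the buffer is intact, 0 if a negative-offset write hit it. */
static int guarded_canary_ok(const void *p) {
    uint32_t c; memcpy(&c, (const uint8_t *)p - sizeof c, sizeof c);
    return c == CANARY_WORD;
}

/* free(): verify the canary, then make the block PROT_NONE and never reuse it. */
static void guarded_free(void *p) {
    if (p == NULL) return;
    if (!guarded_canary_ok(p)) abort();        /* underflow write detected */
    size_t len = guarded_size(p), page = page_size(), dp = data_pages(len);
    uint8_t *region = (uint8_t *)p + len - dp * page;
    mprotect(region, dp * page, PROT_NONE);    /* stale pointers now fault */
}

/* realloc() always moves the data; the old block is retired like a free(). */
static void *guarded_realloc(void *p, size_t len) {
    void *n = guarded_malloc(len);
    if (n == NULL) return NULL;
    if (p != NULL) {
        size_t old = guarded_size(p);
        memcpy(n, p, old < len ? old : len);
        guarded_free(p);
    }
    return n;
}

/* Probe: does a one-byte write to addr raise SIGSEGV/SIGBUS? Returns 1 if so. */
static sigjmp_buf probe_env;
static void on_fault(int sig) { (void)sig; siglongjmp(probe_env, 1); }

static int write_faults(volatile uint8_t *addr) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    volatile int faulted = 1;
    if (sigsetjmp(probe_env, 1) == 0) { *addr = 0x42; faulted = 0; }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

/* Each demo returns 1 when the allocator behaves as the README describes. */
static int demo_off_by_one(void) {           /* p[len-1] is fine, p[len] faults */
    uint8_t *p = guarded_malloc(13);
    int ok = p && !write_faults(p + 12) && write_faults(p + 13);
    guarded_free(p);
    return ok;
}
static int demo_uninitialized(void) {        /* fresh memory is poisoned, not zero */
    uint8_t *p = guarded_malloc(100);
    int ok = p != NULL;
    for (size_t i = 0; ok && i < 100; i++) ok = (p[i] == POISON_BYTE);
    guarded_free(p);
    return ok;
}
static int demo_use_after_free(void) {       /* freed block is inaccessible */
    uint8_t *p = guarded_malloc(64);
    if (!p) return 0;
    guarded_free(p);
    return write_faults(p);
}
static int demo_realloc_moves(void) {        /* new address, contents kept, old faults */
    uint8_t *p = guarded_malloc(8), *q;
    if (!p) return 0;
    memset(p, 0x11, 8);
    q = guarded_realloc(p, 16);
    int ok = q && q != p && q[7] == 0x11 && write_faults(p);
    guarded_free(q);
    return ok;
}
static int demo_underflow_canary(void) {     /* a write at p[-1] trips the canary */
    uint8_t *p = guarded_malloc(32);
    if (!p) return 0;
    int before = guarded_canary_ok(p);
    p[-1] ^= 0xFF;                           /* deliberate negative-offset write */
    return before && !guarded_canary_ok(p);  /* leaked on purpose: free() would abort() */
}
```

The price of placing the buffer flush against the guard page is visible in `guarded_malloc`: for an odd `len` the returned pointer is not aligned, which is exactly the trade-off the `AFL_ALIGNED_ALLOC=1` option addresses by padding the tail and guarding the padding with a second canary instead. The `demo_*` probes use `sigsetjmp`/`siglongjmp` only so the behaviours can be checked from one process; under afl-fuzz the same accesses simply crash the target, which is the point.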