How to run multiple commands in Mayhem

Welcome to our Mayhem Tips and Tricks series! Our goal is to help you learn about the best features of Mayhem in small bite-size chunks. Today, we will explain how you can run multiple commands in Mayhem.

When running Mayhem against an uninstrumented binary, you may find yourself impressed by the efficacy of the symbolic execution, but also wanting to leverage some of the memory sanitizers built into open source fuzzers such as Honggfuzz or libFuzzer. However, when you compile a target with instrumentation, you find that you can no longer utilize Mayhem’s symbolic execution to fuzz deeply within your target. Or maybe, you really like driving test case generation and triaging defects with open source fuzzing targets, but you find that you can no longer generate coverage in Mayhem with an already instrumented binary. Sounds like a catch-22, right? Wrong!

Why not both?
You can actually upload both targets to Mayhem to leverage symbolic execution/code coverage AND open source sanitizers such as ASAN. All you have to do is include both the instrumented and the uninstrumented binary in your target, and use the cmds: section of the Mayhemfile to have your cake and eat it too. Say you have the following Mayhemfile:

version: '1.15'
project: abrewer/mytarget
target: mytarget
baseimage: $MAYHEM_DOCKER_REGISTRY/abrewer/mytarget:latest

tasks:
 - name: exploitability_factors
 - name: regression_testing
 - name: behavior_testing
 - name: coverage_analysis

cmds:
 - cmd: /mytarget @@

/mytarget is an uninstrumented binary that you’ve been fuzzing for a while, but now want to include libFuzzer’s ASAN support to catch even more bugs. Build your target with ASAN support:

FROM fuzzers/libfuzzer:12.0

## Create instrumented directory
RUN mkdir /instrumented
WORKDIR /instrumented
COPY ./mytarget-llvm.c .

## Build your instrumented target
## (-static is not combined with -fsanitize=address: clang rejects
## that pairing, since the ASAN runtime is dynamically linked)
RUN clang -fsanitize=fuzzer,address mytarget-llvm.c -o ./mytarget

## Create uninstrumented directory
RUN mkdir /uninstrumented
WORKDIR /uninstrumented
COPY ./mytarget.c .

## Build your uninstrumented target here
## (assumed build line; the post leaves this step to you)
RUN clang -static mytarget.c -o ./mytarget

## No entrypoint/cmd

Then, in your Mayhemfile, just specify them both!

version: '1.15'
project: abrewer/mytarget
target: mytarget
baseimage: $MAYHEM_DOCKER_REGISTRY/abrewer/mytarget:latest

tasks:
 - name: exploitability_factors
 - name: regression_testing
 - name: behavior_testing
 - name: coverage_analysis

cmds:
 - cmd: /uninstrumented/mytarget @@
 - cmd: /instrumented/mytarget @@
   # libfuzzer applies only to the instrumented target, so it is set per command
   libfuzzer: true

That’s it! Now you get the best of both worlds.
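To make the two builds concrete, here is an added example (not code from the original post or from ForAllSecure) of what the target source might look like: a single file that compiles as the uninstrumented `@@` file-reading program or, with a compile-time switch, as the libFuzzer harness the instrumented build needs. The record format, the `parse_records` function and the `MYTARGET_LIBFUZZER` macro are all assumptions made up for the illustration.

```c
/* Added example: one source, two Mayhem targets.
 * Uninstrumented: clang -static mytarget.c -o mytarget
 * Instrumented:   clang -DMYTARGET_LIBFUZZER -fsanitize=fuzzer,address mytarget.c -o mytarget
 * Names (parse_records, MYTARGET_LIBFUZZER) and the record format are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical input format: repeated records of 1-byte tag, 1-byte length, payload.
 * Returns the number of records parsed, or -1 if the input is malformed. */
int parse_records(const uint8_t *buf, size_t len) {
    size_t off = 0;
    int count = 0;
    while (off < len) {
        if (len - off < 2) return -1;          /* truncated header */
        uint8_t tag = buf[off];
        uint8_t plen = buf[off + 1];
        if (tag == 0) return -1;               /* tag 0 is reserved */
        if (plen > len - off - 2) return -1;   /* payload would run past the buffer */
        off += 2 + (size_t)plen;
        count++;
    }
    return count;
}

#ifdef MYTARGET_LIBFUZZER
/* Entry point used by the instrumented (libFuzzer + ASAN) build. */
int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
    parse_records(data, size);
    return 0;
}
#else
/* Entry point used by the uninstrumented build; Mayhem replaces "@@"
 * in the Mayhemfile cmd with the path of each generated test case. */
int main(int argc, char **argv) {
    if (argc != 2) return 2;
    FILE *f = fopen(argv[1], "rb");
    if (!f) return 2;
    uint8_t buf[4096];
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    return parse_records(buf, n) < 0 ? 1 : 0;
}
#endif
```

Because both entry points call the same `parse_records`, a crash found by the ASAN build reproduces directly against the uninstrumented one, and vice versa.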

We hope that you found this Tips and Tricks article helpful.