From 2cbd9de2ebe37af9ada91db87d13c723147c6ae2 Mon Sep 17 00:00:00 2001
From: Alwin Berger
Date: Wed, 29 May 2024 15:49:52 +0200
Subject: [PATCH] change interrupt mutation
---
 fuzzers/FRET/src/fuzzer.rs | 22 +++++----------------
 fuzzers/FRET/src/mutational.rs | 23 ++++++----------------
 fuzzers/FRET/src/systemstate/ARCH.md | 6 ++++++
 3 files changed, 17 insertions(+), 34 deletions(-)
 create mode 100644 fuzzers/FRET/src/systemstate/ARCH.md
diff --git a/fuzzers/FRET/src/fuzzer.rs b/fuzzers/FRET/src/fuzzer.rs
index 4da9b43d0e..277adc5dc0 100644
--- a/fuzzers/FRET/src/fuzzer.rs
+++ b/fuzzers/FRET/src/fuzzer.rs
@@ -439,22 +439,9 @@ pub fn fuzz() {
 unsafe {
 #[cfg(feature = "fuzz_int")]
 {
- let mut start_tick : u32 = 0;
- for i in 0..DO_NUM_INTERRUPT {
- let mut t : [u8; 4] = [0,0,0,0];
- if len > (i+1)*4 {
- for j in 0 as usize..4 as usize {
- t[j]=buf[i*4+j];
- }
- if i == 0 || true {
- unsafe {start_tick = max(u32::from_le_bytes(t) % LIMIT, FIRST_INT);}
- } else {
- start_tick = u32::saturating_add(start_tick,max(unsafe{MINIMUM_INTER_ARRIVAL_TIME},u32::from_le_bytes(t)));
- }
- libafl_interrupt_offsets[i] = start_tick;
- libafl_num_interrupts = i+1;
- }
- }
+ let t = input_bytes_to_interrupt_times(buf);
+ for i in 0..t.len() {libafl_interrupt_offsets[i]=t[i];}
+ libafl_num_interrupts=t.len();
 if buf.len() > libafl_num_interrupts*4 {
 buf = &buf[libafl_num_interrupts*4..];
@@ -620,7 +607,8 @@ pub fn fuzz() {
 // Setup an havoc mutator with a mutational stage
 let mutator = StdScheduledMutator::new(mutations);
- let mut stages = tuple_list!(StdMutationalStage::new(mutator));
+ let stages = ();
+ let mut stages = (StdMutationalStage::new(mutator), stages);
 #[cfg(feature = "fuzz_int")]
 let mut stages = (InterruptShiftStage::new(), stages);
diff --git a/fuzzers/FRET/src/mutational.rs b/fuzzers/FRET/src/mutational.rs
index c5b601accc..f9d0b40937 100644
--- a/fuzzers/FRET/src/mutational.rs
+++ b/fuzzers/FRET/src/mutational.rs
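Review bot: The copy loop `for i in 0..t.len() {libafl_interrupt_offsets[i]=t[i];}` indexes the destination with no bound, so a `Vec` longer than the backing array would panic inside the harness, whereas the removed loop was capped by `DO_NUM_INTERRUPT`; the same pattern appears in the `-107,22` hunk of mutational.rs, where `interrupt_offsets` is declared `[u32; 32]`. Whether `input_bytes_to_interrupt_times` caps its output is not visible in this patch (its loop header lies outside the `-31,13` hunk), so either make the cap explicit or write the copy as `for (slot, &tick) in libafl_interrupt_offsets.iter_mut().zip(&t) { *slot = tick; }` and derive `libafl_num_interrupts` from `t.len().min(libafl_interrupt_offsets.len())`. The removed code also reduced the tick with `% LIMIT` before clamping to `FIRST_INT`, and as far as the `-31,13` hunk shows the helper does no such reduction, so offsets are no longer wrapped into `LIMIT`; if that is intended, a one-line comment at the call site saying so would prevent it being read as a regression. `fuzz()` starts and ends outside the hunk.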
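Review bot: The two-step `let stages = (); let mut stages = (StdMutationalStage::new(mutator), stages);` builds by hand the nested tuple that `tuple_list!(StdMutationalStage::new(mutator))` already produced, so the rewrite reads as a style regression unless the macro was unavailable here; `let mut stages = (StdMutationalStage::new(mutator), ());` says the same in one line and mirrors the `(InterruptShiftStage::new(), stages)` form below it. If the change exists to let the cfg-gated prepend compile, a comment above it such as `// Build the stage list by hand so the fuzz_int stage below can be consed onto it` would stop the next reader from reverting it. The surrounding `fuzz()` body continues outside the hunk.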
@@ -31,13 +31,15 @@ pub fn input_bytes_to_interrupt_times(buf: &[u8]) -> Vec {
 for j in 0usize..4usize {
 t[j]=buf[i*4+j];
 }
- unsafe {start_tick = max(u32::from_le_bytes(t), FIRST_INT);}
+ start_tick = u32::from_le_bytes(t);
+ if start_tick < FIRST_INT {start_tick=0;}
 ret.push(start_tick);
 } else {break;}
 }
 ret.sort_unstable();
 // obey the minimum inter arrival time while maintaining the sort
 for i in 0..ret.len() {
+ if ret[i]==0 {continue;}
 for j in i+1..ret.len()-1 {
 if ret[j]-ret[i] < unsafe{MINIMUM_INTER_ARRIVAL_TIME} {
 ret[j] = u32::saturating_add(ret[i],unsafe{MINIMUM_INTER_ARRIVAL_TIME});
@@ -107,22 +109,9 @@ where
 let mut interrupt_offsets : [u32; 32] = [u32::MAX; 32];
 let mut num_interrupts : usize = 0;
 {
- let mut start_tick : u32 = 0;
- for i in 0..DO_NUM_INTERRUPT {
- let mut t : [u8; 4] = [0,0,0,0];
- if target_bytes.len() > (i+1)*4 {
- for j in 0 as usize..4 as usize {
- t[j]=target_bytes[i*4+j];
- }
- if i == 0 || true {
- start_tick = max(u32::from_le_bytes(t),FIRST_INT);
- } else {
- start_tick = u32::saturating_add(start_tick,max(unsafe{MINIMUM_INTER_ARRIVAL_TIME},u32::from_le_bytes(t)));
- }
- interrupt_offsets[i] = start_tick;
- num_interrupts = i+1;
- }
- }
+ let t = input_bytes_to_interrupt_times(&target_bytes);
+ for i in 0..t.len() {interrupt_offsets[i]=t[i];}
+ num_interrupts=t.len();
 }
 interrupt_offsets.sort_unstable();
diff --git a/fuzzers/FRET/src/systemstate/ARCH.md b/fuzzers/FRET/src/systemstate/ARCH.md
new file mode 100644
index 0000000000..62ffe8981d
--- /dev/null
+++ b/fuzzers/FRET/src/systemstate/ARCH.md
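Review bot: Ticks below `FIRST_INT` are now pushed as `0` instead of being clamped, and the only code that treats `0` specially is the new `if ret[i]==0 {continue;}` in the spacing loop; both callers (the `-107,22` hunk below and the fuzzer.rs hunk) copy `t` verbatim and count the zeros in `num_interrupts`, so unless the consumer of those arrays also knows the sentinel, a small tick now schedules an interrupt at offset 0 rather than at `FIRST_INT`. The contract should be stated on the function, e.g. `/// Ticks below FIRST_INT are returned as 0, a placeholder that keeps the byte-to-slot mapping intact; consumers must treat 0 as "no interrupt".`, or the callers should skip zero entries. While this loop is being touched, the inner range `i+1..ret.len()-1` stops one short of the last element, which predates this change but looks like an off-by-one (`i+1..ret.len()`). The function's signature and loop header, and its tail, are outside the hunk.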
@@ -0,0 +1,6 @@ +# System-state heuristics +## Information flow +- ``fuzzer.rs`` resolves symbols and creates ``api_ranges`` and ``isr_ranges`` +- ``helpers::QemuSystemStateHelper`` captures a series of ``RawFreeRTOSSystemState`` +- ``observers::QemuSystemStateObserver`` divides this into ``ReducedFreeRTOSSystemState`` and ``ExecInterval``, the first contains the raw states and the second contains information about the flow between states +- ``stg::StgFeedback`` builds an stg from the intervals \ No newline at end of file