unify fuzzing with and without interrupts

Alwin Berger 2024-09-09 12:51:23 +02:00
parent 740ce09d31
commit 3bb42150d3
4 changed files with 40 additions and 107 deletions


@ -1,6 +1,6 @@
import csv
import os
def_flags="--no-default-features --features std,snapshot_fast,singlecore,restarting,do_hash_notify_state,trace_job_response_times"
def_flags="--no-default-features --features std,snapshot_fast,singlecore,restarting,do_hash_notify_state,trace_job_response_times,fuzz_int"
remote="remote/"
RUNTIME=1800
TARGET_REPS_A=2
@ -48,79 +48,24 @@ rule build_stgpath:
shell:
"cargo build --target-dir {output} {def_flags},feed_stg_abbhash,sched_stg_abbhash,mutate_stg"
rule build_showmap_int:
output:
directory("bins/target_showmap_int")
shell:
"cargo build --target-dir {output} {def_flags},config_stg,fuzz_int"
rule build_random_int:
output:
directory("bins/target_random_int")
shell:
"cargo build --target-dir {output} {def_flags},feed_longest,fuzz_int"
rule build_frafl_int:
output:
directory("bins/target_frafl_int")
shell:
"cargo build --target-dir {output} {def_flags},config_frafl,fuzz_int"
rule build_afl_int:
output:
directory("bins/target_afl_int")
shell:
"cargo build --target-dir {output} {def_flags},config_afl,fuzz_int,"
rule build_stg_int:
output:
directory("bins/target_stg_int")
shell:
"cargo build --target-dir {output} {def_flags},config_stg,fuzz_int"
rule build_stgpath_int:
output:
directory("bins/target_stgpath_int")
shell:
"cargo build --target-dir {output} {def_flags},feed_stg_abbhash,sched_stg_abbhash,mutate_stg,fuzz_int"
rule build_feedgeneration1:
output:
directory("bins/target_feedgeneration1")
shell:
"cargo build --target-dir {output} {def_flags},feed_genetic,gensize_1"
rule build_feedgeneration1_int:
output:
directory("bins/target_feedgeneration1_int")
shell:
"cargo build --target-dir {output} {def_flags},feed_genetic,fuzz_int,gensize_1"
rule build_feedgeneration10:
output:
directory("bins/target_feedgeneration10")
shell:
"cargo build --target-dir {output} {def_flags},feed_genetic,gensize_10"
rule build_feedgeneration10_int:
output:
directory("bins/target_feedgeneration10_int")
shell:
"cargo build --target-dir {output} {def_flags},feed_genetic,fuzz_int,gensize_10"
rule build_feedgeneration100:
output:
directory("bins/target_feedgeneration100")
shell:
"cargo build --target-dir {output} {def_flags},config_genetic,gensize_100"
rule build_feedgeneration100_int:
output:
directory("bins/target_feedgeneration100_int")
shell:
"cargo build --target-dir {output} {def_flags},config_genetic,fuzz_int,gensize_100"
rule run_bench:
input:
"build/{target}.elf",
@ -163,7 +108,6 @@ rule run_showmap:
input:
"{remote}build/{target}.elf",
"bins/target_showmap",
"bins/target_showmap_int",
"{remote}timedump/{fuzzer}/{target}#{num}.case"
output:
"{remote}timedump/{fuzzer}/{target}#{num}_case.trace.ron",
@ -180,16 +124,12 @@ rule run_showmap:
fuzz_len=line['input_size']
bkp=line['return_function']
select_task=line['select_task']
script=""
if wildcards.fuzzer.find('_int') > -1:
script="export FUZZER=$(pwd)/{input[2]}/debug/fret\n"
else:
script="export FUZZER=$(pwd)/{input[1]}/debug/fret\n"
script+="""
export FUZZER=$(pwd)/{input[1]}/debug/fret
mkdir -p $(dirname {output})
set +e
echo $FUZZER -n $(pwd)/{remote}/timedump/{wildcards.fuzzer}/{wildcards.target}#{wildcards.num}_case -s {select_task} -t -a -r -g -k {input[0]} -c ./target_symbols.csv showmap -i {input[3]}
$FUZZER -n $(pwd)/{remote}/timedump/{wildcards.fuzzer}/{wildcards.target}#{wildcards.num}_case -s {select_task} -t -a -r -g -k {input[0]} -c ./target_symbols.csv showmap -i {input[3]}
echo $FUZZER -n $(pwd)/{remote}/timedump/{wildcards.fuzzer}/{wildcards.target}#{wildcards.num}_case -s {select_task} -t -a -r -g -k {input[0]} -c ./target_symbols.csv showmap -i {input[2]}
$FUZZER -n $(pwd)/{remote}/timedump/{wildcards.fuzzer}/{wildcards.target}#{wildcards.num}_case -s {select_task} -t -a -r -g -k {input[0]} -c ./target_symbols.csv showmap -i {input[2]}
exit 0
"""
if wildcards.fuzzer.find('random') >= 0:
@ -220,7 +160,7 @@ rule all_main:
rule all_main_int:
input:
expand("timedump/{fuzzer}/{target}.{num}", fuzzer=['random_int','afl_int','feedgeneration10_int','state_int'], target=['waters_int','watersv2_int'],num=range(0,4))
expand("timedump/{fuzzer}/{target}.{num}", fuzzer=['random','afl','feedgeneration10','state'], target=['waters_int','watersv2_int'],num=range(0,4))
rule all_compare_feedgeneration:
input:
@ -228,7 +168,7 @@ rule all_compare_feedgeneration:
rule all_compare_feedgeneration_int:
input:
expand("timedump/{fuzzer}/{target}.{num}", fuzzer=['feedgeneration1_int','feedgeneration10_int','feedgeneration100_int'], target=['waters_int','watersv2_int'],num=range(0,10))
expand("timedump/{fuzzer}/{target}.{num}", fuzzer=['feedgeneration1','feedgeneration10','feedgeneration100'], target=['waters_int','watersv2_int'],num=range(0,10))
rule all_compare_afl:
input:
@ -236,7 +176,7 @@ rule all_compare_afl:
rule all_compare_afl_int:
input:
expand("timedump/{fuzzer}/{target}.{num}", fuzzer=['afl_int','frafl_int','feedlongest_int'], target=['waters_int','watersv2_int'],num=range(0,10))
expand("timedump/{fuzzer}/{target}.{num}", fuzzer=['afl','frafl','feedlongest'], target=['waters_int','watersv2_int'],num=range(0,10))
rule all_images:
input:
@ -244,35 +184,35 @@ rule all_images:
rule all_images_int:
input:
expand("{remote}timedump/{fuzzer}/{target}.{num}.trace.csv.png",remote=remote, fuzzer=['frafl_int','feedgeneration10_int','state_int'], target=['waters_int'],num=range(0,3))
expand("{remote}timedump/{fuzzer}/{target}.{num}.trace.csv.png",remote=remote, fuzzer=['frafl','feedgeneration10','state'], target=['waters_int'],num=range(0,3))
rule clusterfuzz:
input:
expand("timedump/{fuzzer}/{target}.{num}", fuzzer=['random','afl','feedgeneration10','state'], target=['waters','watersv2'],num=MY_RANGE_A),
expand("timedump/{fuzzer}/{target}.{num}", fuzzer=['random_int','afl_int','feedgeneration10_int','state_int'], target=['waters_int','watersv2_int'],num=MY_RANGE_A),
expand("timedump/{fuzzer}/{target}.{num}", fuzzer=['random','afl','feedgeneration10','state'], target=['waters_int','watersv2_int'],num=MY_RANGE_A),
expand("timedump/{fuzzer}/{target}.{num}", fuzzer=['feedgeneration1','feedgeneration10','feedgeneration100'], target=['waters_int','watersv2'],num=MY_RANGE_B),
expand("timedump/{fuzzer}/{target}.{num}", fuzzer=['feedgeneration1_int','feedgeneration10_int','feedgeneration100_int'], target=['waters_int','watersv2_int'],num=MY_RANGE_B),
expand("timedump/{fuzzer}/{target}.{num}", fuzzer=['feedgeneration1','feedgeneration10','feedgeneration100'], target=['waters_int','watersv2_int'],num=MY_RANGE_B),
expand("timedump/{fuzzer}/{target}.{num}", fuzzer=['afl','frafl','feedlongest'], target=['waters','watersv2'],num=MY_RANGE_B),
expand("timedump/{fuzzer}/{target}.{num}", fuzzer=['afl_int','frafl_int','feedlongest_int'], target=['waters_int','watersv2_int'],num=MY_RANGE_B),
expand("timedump/{fuzzer}/{target}.{num}", fuzzer=['afl','frafl','feedlongest'], target=['waters_int','watersv2_int'],num=MY_RANGE_B),
rule all_new:
input:
expand("timedump/{fuzzer}/{target}#{num}.time", fuzzer=['feedgeneration100', 'frafl', 'stg'], target=['waters', 'watersv2', 'waterspart', 'waterspartv2'],num=range(0,2)),
expand("timedump/{fuzzer}/{target}#{num}.time", fuzzer=['feedgeneration100_int', 'frafl_int', 'stg_int'], target=['waters_int', 'watersv2_int', 'waterspart_int', 'waterspartv2_int'],num=range(0,2)),
expand("timedump/{fuzzer}/{target}#{num}.time", fuzzer=['feedgeneration100', 'frafl', 'stg'], target=['waters_int', 'watersv2_int', 'waterspart_int', 'waterspartv2_int'],num=range(0,2)),
# expand("timedump/{fuzzer}/{target}#{num}.time", fuzzer=['random', 'stgpath'], target=['waters', 'watersv2'],num=range(0,3)),
# expand("timedump/{fuzzer}/{target}#{num}.time", fuzzer=['random_int', 'stgpath_int'], target=['waters_int', 'watersv2_int'],num=range(0,3))
rule all_showmap:
input:
expand("{remote}timedump/{fuzzer}/{target}#{num}_case.trace.ron",remote=remote, fuzzer=['frafl', 'stg'], target=['watersv2'],num=range(2,3)),
expand("{remote}timedump/{fuzzer}/{target}#{num}_case.trace.ron",remote=remote, fuzzer=['frafl_int', 'stg_int'], target=['watersv2_int'],num=range(0,3)),
expand("{remote}timedump/{fuzzer}/{target}#{num}_case.trace.ron",remote=remote, fuzzer=['frafl', 'stg'], target=['watersv2_int'],num=range(0,3)),
expand("{remote}timedump/{fuzzer}/{target}#{num}_case.trace.ron",remote=remote, fuzzer=['random', 'stgpath'], target=['watersv2'],num=range(0,1)),
expand("{remote}timedump/{fuzzer}/{target}#{num}_case.trace.ron",remote=remote, fuzzer=['random_int', 'stgpath_int'], target=['watersv2_int'],num=range(0,1))
expand("{remote}timedump/{fuzzer}/{target}#{num}_case.trace.ron",remote=remote, fuzzer=['random', 'stgpath'], target=['watersv2_int'],num=range(0,1))
rule quicktest:
input:
expand("timedump/{fuzzer}/{target}#{num}.time", fuzzer=['feedgeneration100_int', 'frafl_int', 'stg_int'], target=['release'],num=range(0,1)),
expand("timedump/{fuzzer}/{target}#{num}.time", fuzzer=['random_int', 'stgpath_int'], target=['release'],num=range(0,1))
expand("timedump/{fuzzer}/{target}#{num}.time", fuzzer=['feedgeneration100', 'frafl', 'stg'], target=['release'],num=range(0,1)),
expand("timedump/{fuzzer}/{target}#{num}.time", fuzzer=['random', 'stgpath'], target=['release'],num=range(0,1))
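Review bot: In `rule clusterfuzz`, the feedgeneration line that the commit leaves untouched still reads `target=['waters_int','watersv2']`, and with the `_int` fuzzer names gone it now overlaps the rewritten line below it. As a result `timedump/feedgeneration*/waters_int.{num}` is requested twice for `MY_RANGE_B`, while plain `waters` is never requested for that comparison. This looks like an older typo that the rename has made visible; the untouched line probably wants `target=['waters','watersv2']`. Which line is old and which is new is inferred here, because the rendered page has lost its +/- markers.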


@ -6,15 +6,7 @@ cargo build --target-dir ./bins/target_frafl ${def_flags},config_frafl,feed_long
cargo build --target-dir ./bins/target_afl ${def_flags},config_afl,observe_hitcounts
cargo build --target-dir ./bins/target_stg ${def_flags},config_stg
cargo build --target-dir ./bins/target_stgpath ${def_flags},feed_stg_abbhash,sched_stg_abbhash,mutate_stg
cargo build --target-dir ./bins/target_showmap_int ${def_flags},config_stg,fuzz_int
cargo build --target-dir ./bins/target_random_int ${def_flags},feed_longest,fuzz_int
cargo build --target-dir ./bins/target_afl_int ${def_flags},config_frafl,fuzz_int
cargo build --target-dir ./bins/target_stg_int ${def_flags},config_stg,fuzz_int
cargo build --target-dir ./bins/target_stgpath_int ${def_flags},feed_stg_abbhash,sched_stg_abbhash,mutate_stg,fuzz_int
cargo build --target-dir ./bins/target_feedgeneration1 ${def_flags},feed_genetic,gensize_1
cargo build --target-dir ./bins/target_feedgeneration1_int ${def_flags},feed_genetic,fuzz_int,gensize_1
cargo build --target-dir ./bins/target_feedgeneration10 ${def_flags},feed_genetic,gensize_10
cargo build --target-dir ./bins/target_feedgeneration10_int ${def_flags},feed_genetic,fuzz_int,gensize_10
cargo build --target-dir ./bins/target_feedgeneration100 ${def_flags},feed_genetic,gensize_100
cargo build --target-dir ./bins/target_feedgeneration100_int ${def_flags},feed_genetic,fuzz_int,gensize_100


@ -1,34 +1,34 @@
kernel,main_function,input_symbol,input_size,return_function,select_task,interrupts
mpeg2,mpeg2_main,mpeg2_oldorgframe,90112,mpeg2_return,NONE,0#1000
audiobeam,audiobeam_main,audiobeam_input,11520,audiobeam_return,NONE,0#1000
epic,epic_main,epic_image,4096,epic_return,NONE,0#1000
dijkstra,dijkstra_main,dijkstra_AdjMatrix,10000,dijkstra_return,NONE,0#1000
fft,fft_main,fft_twidtable,2046,fft_return,NONE,0#1000
bsort,bsort_main,bsort_Array,400,bsort_return,NONE,0#1000
insertsort,insertsort_main,insertsort_a,400,insertsort_return,NONE,0#1000
g723_enc,g723_enc_main,g723_enc_INPUT,1024,g723_enc_return,NONE,0#1000
rijndael_dec,rijndael_dec_main,rijndael_dec_data,32768,rijndael_dec_return,NONE,0#1000
rijndael_enc,rijndael_enc_main,rijndael_enc_data,31369,rijndael_enc_return,NONE,0#1000
huff_dec,huff_dec_main,huff_dec_encoded,419,huff_dec_return,NONE,0#1000
huff_enc,huff_enc_main,huff_enc_plaintext,600,huff_enc_return,NONE,0#1000
gsm_enc,gsm_enc_main,gsm_enc_pcmdata,6400,gsm_enc_return,NONE,0#1000
tmr,main,FUZZ_INPUT,32,trigger_Qemu_break,NONE,0#1000
tacle_rtos,prvStage0,FUZZ_INPUT,604,trigger_Qemu_break,NONE,0#1000
lift,main_lift,FUZZ_INPUT,100,trigger_Qemu_break,NONE,0#1000
waters,main_waters,FUZZ_INPUT,4096,trigger_Qemu_break,1129,0#1000
watersv2,main_waters,FUZZ_INPUT,4096,trigger_Qemu_break,1129,0#1000
waterspart,main_waters,FUZZ_INPUT,4096,trigger_Qemu_break,1129,0#1000
waterspartv2,main_waters,FUZZ_INPUT,4096,trigger_Qemu_break,1129,0#1000
mpeg2,mpeg2_main,mpeg2_oldorgframe,90112,mpeg2_return,NONE,
audiobeam,audiobeam_main,audiobeam_input,11520,audiobeam_return,NONE,
epic,epic_main,epic_image,4096,epic_return,NONE,
dijkstra,dijkstra_main,dijkstra_AdjMatrix,10000,dijkstra_return,NONE,
fft,fft_main,fft_twidtable,2046,fft_return,NONE,
bsort,bsort_main,bsort_Array,400,bsort_return,NONE,
insertsort,insertsort_main,insertsort_a,400,insertsort_return,NONE,
g723_enc,g723_enc_main,g723_enc_INPUT,1024,g723_enc_return,NONE,
rijndael_dec,rijndael_dec_main,rijndael_dec_data,32768,rijndael_dec_return,NONE,
rijndael_enc,rijndael_enc_main,rijndael_enc_data,31369,rijndael_enc_return,NONE,
huff_dec,huff_dec_main,huff_dec_encoded,419,huff_dec_return,NONE,
huff_enc,huff_enc_main,huff_enc_plaintext,600,huff_enc_return,NONE,
gsm_enc,gsm_enc_main,gsm_enc_pcmdata,6400,gsm_enc_return,NONE,
tmr,main,FUZZ_INPUT,32,trigger_Qemu_break,NONE,
tacle_rtos,prvStage0,FUZZ_INPUT,604,trigger_Qemu_break,NONE,
lift,main_lift,FUZZ_INPUT,100,trigger_Qemu_break,NONE,
waters,main_waters,FUZZ_INPUT,4096,trigger_Qemu_break,1129,
watersv2,main_waters,FUZZ_INPUT,4096,trigger_Qemu_break,1129,
waterspart,main_waters,FUZZ_INPUT,4096,trigger_Qemu_break,1129,
waterspartv2,main_waters,FUZZ_INPUT,4096,trigger_Qemu_break,1129,
waters_int,main_waters,FUZZ_INPUT,4096,trigger_Qemu_break,1129,0#1000
watersv2_int,main_waters,FUZZ_INPUT,4096,trigger_Qemu_break,1129,0#1000
waterspart_int,main_waters,FUZZ_INPUT,4096,trigger_Qemu_break,1129,0#1000
waterspartv2_int,main_waters,FUZZ_INPUT,4096,trigger_Qemu_break,1129,0#1000
micro_branchless,main_branchless,FUZZ_INPUT,4,trigger_Qemu_break,NONE,0#1000
micro_branchless,main_branchless,FUZZ_INPUT,4,trigger_Qemu_break,NONE,
micro_int,main_int,FUZZ_INPUT,16,trigger_Qemu_break,NONE,0#1000
micro_longint,main_micro_longint,FUZZ_INPUT,16,trigger_Qemu_break,NONE,0#1000
minimal,main_minimal,FUZZ_INPUT,4096,trigger_Qemu_break,NONE,0#1000
gen3,main_minimal,FUZZ_INPUT,4096,trigger_Qemu_break,NONE,0#1000
interact,main_interact,FUZZ_INPUT,4096,trigger_Qemu_break,NONE,0#1000
interact,main_interact,FUZZ_INPUT,4096,trigger_Qemu_break,NONE,
interact_int,main_interact,FUZZ_INPUT,4096,trigger_Qemu_break,NONE,0#1000
release,main_release,FUZZ_INPUT,4096,trigger_Qemu_break,T3,0#10000;1#1000;2#2000;3#3000
release,main_release,FUZZ_INPUT,4096,trigger_Qemu_break,T3,0#10000;1#5000;2#2000;3#3000

1 kernel main_function input_symbol input_size return_function select_task interrupts
2 mpeg2 mpeg2_main mpeg2_oldorgframe 90112 mpeg2_return NONE 0#1000
3 audiobeam audiobeam_main audiobeam_input 11520 audiobeam_return NONE 0#1000
4 epic epic_main epic_image 4096 epic_return NONE 0#1000
5 dijkstra dijkstra_main dijkstra_AdjMatrix 10000 dijkstra_return NONE 0#1000
6 fft fft_main fft_twidtable 2046 fft_return NONE 0#1000
7 bsort bsort_main bsort_Array 400 bsort_return NONE 0#1000
8 insertsort insertsort_main insertsort_a 400 insertsort_return NONE 0#1000
9 g723_enc g723_enc_main g723_enc_INPUT 1024 g723_enc_return NONE 0#1000
10 rijndael_dec rijndael_dec_main rijndael_dec_data 32768 rijndael_dec_return NONE 0#1000
11 rijndael_enc rijndael_enc_main rijndael_enc_data 31369 rijndael_enc_return NONE 0#1000
12 huff_dec huff_dec_main huff_dec_encoded 419 huff_dec_return NONE 0#1000
13 huff_enc huff_enc_main huff_enc_plaintext 600 huff_enc_return NONE 0#1000
14 gsm_enc gsm_enc_main gsm_enc_pcmdata 6400 gsm_enc_return NONE 0#1000
15 tmr main FUZZ_INPUT 32 trigger_Qemu_break NONE 0#1000
16 tacle_rtos prvStage0 FUZZ_INPUT 604 trigger_Qemu_break NONE 0#1000
17 lift main_lift FUZZ_INPUT 100 trigger_Qemu_break NONE 0#1000
18 waters main_waters FUZZ_INPUT 4096 trigger_Qemu_break 1129 0#1000
19 watersv2 main_waters FUZZ_INPUT 4096 trigger_Qemu_break 1129 0#1000
20 waterspart main_waters FUZZ_INPUT 4096 trigger_Qemu_break 1129 0#1000
21 waterspartv2 main_waters FUZZ_INPUT 4096 trigger_Qemu_break 1129 0#1000
22 waters_int main_waters FUZZ_INPUT 4096 trigger_Qemu_break 1129 0#1000
23 watersv2_int main_waters FUZZ_INPUT 4096 trigger_Qemu_break 1129 0#1000
24 waterspart_int main_waters FUZZ_INPUT 4096 trigger_Qemu_break 1129 0#1000
25 waterspartv2_int main_waters FUZZ_INPUT 4096 trigger_Qemu_break 1129 0#1000
26 micro_branchless main_branchless FUZZ_INPUT 4 trigger_Qemu_break NONE 0#1000
27 micro_int main_int FUZZ_INPUT 16 trigger_Qemu_break NONE 0#1000
28 micro_longint main_micro_longint FUZZ_INPUT 16 trigger_Qemu_break NONE 0#1000
29 minimal main_minimal FUZZ_INPUT 4096 trigger_Qemu_break NONE 0#1000
30 gen3 main_minimal FUZZ_INPUT 4096 trigger_Qemu_break NONE 0#1000
31 interact main_interact FUZZ_INPUT 4096 trigger_Qemu_break NONE 0#1000
32 interact_int main_interact FUZZ_INPUT 4096 trigger_Qemu_break NONE 0#1000
33 release main_release FUZZ_INPUT 4096 trigger_Qemu_break T3 0#10000;1#1000;2#2000;3#3000 0#10000;1#5000;2#2000;3#3000
34
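Review bot: The rows `micro_longint`, `minimal` and `gen3` keep `0#1000` in the `interrupts` column, while every other kernel without an `_int` suffix had the field cleared. Since `fuzz_int` is now part of the default feature set, this column appears to be the only switch that decides whether a target is fuzzed with interrupts, so these three would get interrupt injection under every fuzzer. If they are meant as non-interrupt baselines, empty the field as on the `interact` row. If they are interrupt targets, an `_int` suffix would keep the naming in line with `waters_int` and `interact_int`.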


@ -131,6 +131,7 @@ where
state: &mut Self::State,
manager: &mut EM
) -> Result<(), Error> {
if self.interrup_config.len() == 0 {return Ok(());} // configuration implies no interrupts
let mut myrand = StdRand::new();
myrand.set_seed(state.rand_mut().next());
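Review bot: The guard on `self.interrup_config.len() == 0` only skips the stage if an empty `interrupts` field (presumably the source of this config) really ends up as an empty collection. The parsing is outside this hunk, and a plain split of an empty string on `;` would yield one empty element rather than none, so confirm that path or filter empty entries where the config is built. As a style point, assuming the field is a `Vec` or slice, `if self.interrup_config.is_empty() { return Ok(()); }` reads better than comparing `len()` with zero. The enclosing function starts and ends outside the hunk.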