rename bin, allow random fuzzing

This commit is contained in:
Alwin Berger 2023-01-09 13:53:32 +01:00
parent 7ca2d43f3d
commit 68c4887dad
5 changed files with 29 additions and 9 deletions


@ -1,5 +1,5 @@
[package] [package]
name = "qemu_systemmode" name = "fret"
version = "0.8.2" version = "0.8.2"
authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>", "Dominik Maier <domenukk@gmail.com>"] authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>", "Dominik Maier <domenukk@gmail.com>"]
edition = "2021" edition = "2021"


@ -1,3 +1,5 @@
TIME=7200
corpora/%/seed: corpora/%/seed:
mkdir -p $$(dirname $@) mkdir -p $$(dirname $@)
LINE=$$(grep "^$$(basename $*)" target_symbols.csv); \ LINE=$$(grep "^$$(basename $*)" target_symbols.csv); \
@ -11,7 +13,7 @@ corpora/%/seed:
DUMP_SEED=seed; \ DUMP_SEED=seed; \
../fuzzer.sh ../fuzzer.sh
timedump/%: corpora/%/seed timedump/%$(FUZZ_RANDOM): corpora/%/seed
mkdir -p $$(dirname $@) mkdir -p $$(dirname $@)
LINE=$$(grep "^$$(basename $*)" target_symbols.csv); \ LINE=$$(grep "^$$(basename $*)" target_symbols.csv); \
export \ export \
@ -22,7 +24,9 @@ timedump/%: corpora/%/seed
BREAKPOINT=$$(echo $$LINE | cut -d, -f5) \ BREAKPOINT=$$(echo $$LINE | cut -d, -f5) \
SEED_DIR=benchmark/corpora/$* \ SEED_DIR=benchmark/corpora/$* \
TIME_DUMP=benchmark/$@; \ TIME_DUMP=benchmark/$@; \
../fuzzer.sh + + + + + 5 + + + ../fuzzer.sh + + + + + $(TIME) + + +
all_sequential: timedump/sequential/mpeg2$(FUZZ_RANDOM) timedump/sequential/dijkstra$(FUZZ_RANDOM) timedump/sequential/epic$(FUZZ_RANDOM)
clean: clean:
rm -rf corpora timedump rm -rf corpora timedump
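Review bot: `TIME=7200` at the top of the file is passed through to `../fuzzer.sh` as a bare positional argument with no indication of its unit, while the fuzzer side turns that value into `Duration::from_secs`, so a one-line comment such as `# fuzzing budget per target, in seconds (forwarded positionally to fuzzer.sh)` would save the next reader a trip through two other files. The new `timedump/%$(FUZZ_RANDOM)` pattern only selects the output path; whether the Rust binary actually sees `FUZZ_RANDOM` depends on it reaching the recipe environment, which holds when it is given on the make command line but not when it is only set inside the Makefile, so either add it to the `export` list in the recipe or document that it must be passed as `make FUZZ_RANDOM=... all_sequential`. `all_sequential` is a new aggregate target with no file behind it and should join `clean` in a `.PHONY: all_sequential clean` declaration, otherwise a stray file of that name silently disables it.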


@ -1,2 +1,5 @@
kernel,main_function,input_symbol,input_size,return_function kernel,main_function,input_symbol,input_size,return_function
mpeg2,main,mpeg2_oldorgframe,90112,mpeg2_return mpeg2,main,mpeg2_oldorgframe,90112,mpeg2_return
audiobeam,main,audiobeam_input,11520,audiobeam_return
epic,main,epic_image,4096,epic_return
dijkstra,main,dijkstra_AdjMatrix,10000,dijkstra_return
1 kernel main_function input_symbol input_size return_function
2 mpeg2 main mpeg2_oldorgframe 90112 mpeg2_return
3 audiobeam main audiobeam_input 11520 audiobeam_return
4 epic main epic_image 4096 epic_return
5 dijkstra main dijkstra_AdjMatrix 10000 dijkstra_return


@ -11,4 +11,6 @@ cd "$parent_path"
[ -n "$7" -a "$7" != "+" -a -z "$TIME_DUMP" ] && export TIME_DUMP="$7" [ -n "$7" -a "$7" != "+" -a -z "$TIME_DUMP" ] && export TIME_DUMP="$7"
[ -n "$8" -a "$8" != "+" -a -z "$DO_SHOWMAP" ] && export DO_SHOWMAP="$8" [ -n "$8" -a "$8" != "+" -a -z "$DO_SHOWMAP" ] && export DO_SHOWMAP="$8"
[ -n "$9" -a "$9" != "+" -a -z "$SHOWMAP_TEXTINPUT" ] && export SHOWMAP_TEXTINPUT="$9" [ -n "$9" -a "$9" != "+" -a -z "$SHOWMAP_TEXTINPUT" ] && export SHOWMAP_TEXTINPUT="$9"
target/debug/qemu_systemmode -icount shift=3,align=off,sleep=off -machine mps2-an385 -monitor null -kernel $KERNEL -serial null -nographic -S -semihosting --semihosting-config enable=on,target=native # -snapshot -drive if=none,format=qcow2,file=dummy.qcow2
[ -z "$FUZZER" ] && export FUZZER=target/debug/fret
$FUZZER -icount shift=3,align=off,sleep=off -machine mps2-an385 -monitor null -kernel $KERNEL -serial null -nographic -S -semihosting --semihosting-config enable=on,target=native # -snapshot -drive if=none,format=qcow2,file=dummy.qcow2
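Review bot: `$FUZZER` is expanded unquoted on the last line, so a binary path containing whitespace is word-split before exec; the rest of the script quotes every expansion, so this should be `"$FUZZER" -icount shift=3,...`. Because the value now comes from the caller's environment rather than a fixed path, a failing run reports only QEMU-style noise when the file is missing; a guard such as `[ -x "$FUZZER" ] || { echo "fuzzer binary not found: $FUZZER" >&2; exit 1; }` right after the default assignment gives a clear error. The `export` on the default line is harmless but unnecessary if nothing spawned by this script reads `FUZZER`; the `[ -n "$N" -a ... ]` chains above it show the file's existing convention, and the new line follows it, which is fine.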


@ -28,7 +28,7 @@ use libafl::{
stages::StdMutationalStage, stages::StdMutationalStage,
state::{HasCorpus, StdState}, state::{HasCorpus, StdState},
Error, Error,
prelude::{SimpleMonitor, SimpleEventManager, AsMutSlice}, Evaluator, prelude::{SimpleMonitor, SimpleEventManager, AsMutSlice, RandBytesGenerator, Generator}, Evaluator,
}; };
use libafl_qemu::{ use libafl_qemu::{
edges, edges::QemuEdgeCoverageHelper, elf::EasyElf, emu::Emulator, GuestPhysAddr, QemuExecutor, edges, edges::QemuEdgeCoverageHelper, elf::EasyElf, emu::Emulator, GuestPhysAddr, QemuExecutor,
@ -314,9 +314,20 @@ pub fn fuzz() {
Ok(t) => { Ok(t) => {
println!("Iterations {}",t); println!("Iterations {}",t);
let num = str::parse::<u64>(&t).expect("FUZZ_ITERS was not a number"); let num = str::parse::<u64>(&t).expect("FUZZ_ITERS was not a number");
if let Ok(_) = env::var("FUZZ_RANDOM") { unsafe {
println!("Random Fuzzing, ignore corpus");
let mut generator = RandBytesGenerator::new(MAX_INPUT_SIZE);
let target_duration = Duration::from_secs(num);
let start_time = std::time::Instant::now();
while start_time.elapsed() < target_duration {
let inp = generator.generate(&mut state).unwrap();
fuzzer.evaluate_input(&mut state, &mut executor, &mut mgr, inp).unwrap();
}
}} else {
fuzzer fuzzer
.fuzz_loop_for_duration(&mut stages, &mut executor, &mut state, &mut mgr, Duration::from_secs(num)) .fuzz_loop_for_duration(&mut stages, &mut executor, &mut state, &mut mgr, Duration::from_secs(num))
.unwrap(); .unwrap();
}
if let Ok(td) = env::var("TIME_DUMP") { if let Ok(td) = env::var("TIME_DUMP") {
let mut file = OpenOptions::new() let mut file = OpenOptions::new()
.read(true) .read(true)
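Review bot: The `unsafe {` opened on the `if let Ok(_) = env::var("FUZZ_RANDOM")` line wraps the whole random-fuzzing loop without a `// SAFETY:` comment, and none of the calls visible inside it (`RandBytesGenerator::new`, `generator.generate`, `fuzzer.evaluate_input`) is an unsafe fn as far as this hunk shows; if the compiler reports the block as unnecessary it should be dropped, and if some call does require it the block should be narrowed to that single call with the invariant stated, e.g. `// SAFETY: <why this call cannot violate memory safety here>`. The condition itself reads better as `if env::var("FUZZ_RANDOM").is_ok() {` since the value is never used, and the `}}` closing two scopes on one line followed by `else` hides the nesting that rustfmt would otherwise make visible. `MAX_INPUT_SIZE` and the `fuzzer`/`state`/`executor`/`mgr` bindings are defined outside this hunk; the enclosing `fuzz()` starts and ends outside it.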