set up configurations

fuzzers/FRET/Cargo.toml

@@ -5,7 +5,7 @@ authors = ["Andrea Fioraldi <andreafioraldi@gmail.com>", "Dominik Maier <domenuk
 edition = "2021"
 
 [features]
-default = ["std", "snapshot_restore", "singlecore", "feed_longest", "feed_afl", "restarting"]
+default = ["std", "snapshot_restore", "singlecore", "restarting", "feed_systemtrace", "fuzz_int" ]
 std = []
 snapshot_restore = []
 snapshot_fast = [ "snapshot_restore" ]
@@ -19,6 +19,10 @@ feed_longest = [ ]
 feed_afl = [ ]
 feed_genetic = [ ]
 fuzz_int = [ ]
+gensize_1 = [ ]
+gensize_10 = [ ]
+gensize_100 = [ ]
+observer_hitcounts = []
 
 [profile.release]
 lto = true

fuzzers/FRET/benchmark/Snakefile

@@ -20,17 +20,17 @@ rule build_feedlongest:
     shell:
         "cargo build --target-dir {output} {def_flags},feed_longest"
 
-rule build_feedaflnolongest:
+rule build_afl_longest:
     output:
-        directory("bins/target_feedaflnolongest")
+        directory("bins/target_afl_longest")
     shell:
-        "cargo build --target-dir {output} {def_flags},feed_afl"
+        "cargo build --target-dir {output} {def_flags},feed_afl,feed_longest"
 
 rule build_afl:
     output:
         directory("bins/target_afl")
     shell:
-        "cargo build --target-dir {output} {def_flags},feed_afl,feed_longest"
+        "cargo build --target-dir {output} {def_flags},feed_afl,observer_hitcounts"
 
 rule build_state:
     output:
@@ -62,11 +62,17 @@ rule build_state_int:
     shell:
         "cargo build --target-dir {output} {def_flags},feed_systemtrace,fuzz_int"
 
+rule build_afl_longest_int:
+    output:
+        directory("bins/target_afl_longest_int")
+    shell:
+        "cargo build --target-dir {output} {def_flags},feed_afl,feed_longest,fuzz_int"
+
 rule build_afl_int:
     output:
         directory("bins/target_afl_int")
     shell:
-        "cargo build --target-dir {output} {def_flags},feed_afl,feed_longest,fuzz_int"
+        "cargo build --target-dir {output} {def_flags},feed_afl,fuzz_int,observer_hitcounts"
 
 rule build_feedlongest_int:
     output:
@@ -74,24 +80,48 @@ rule build_feedlongest_int:
     shell:
         "cargo build --target-dir {output} {def_flags},feed_longest,fuzz_int"
 
-rule build_feedgeneration:
+rule build_feedgeneration1:
     output:
-        directory("bins/target_feedgeneration")
+        directory("bins/target_feedgeneration1")
     shell:
-        "cargo build --target-dir {output} {def_flags},feed_genetic"
+        "cargo build --target-dir {output} {def_flags},feed_genetic,gensize_1"
 
-rule build_feedgeneration_int:
+rule build_feedgeneration1_int:
     output:
-        directory("bins/target_feedgeneration_int")
+        directory("bins/target_feedgeneration1_int")
     shell:
-        "cargo build --target-dir {output} {def_flags},feed_genetic,fuzz_int"
+        "cargo build --target-dir {output} {def_flags},feed_genetic,fuzz_int,gensize_1"
+
+rule build_feedgeneration10:
+    output:
+        directory("bins/target_feedgeneration10")
+    shell:
+        "cargo build --target-dir {output} {def_flags},feed_genetic,gensize_10"
+
+rule build_feedgeneration10_int:
+    output:
+        directory("bins/target_feedgeneration10_int")
+    shell:
+        "cargo build --target-dir {output} {def_flags},feed_genetic,fuzz_int,gensize_10"
+
+rule build_feedgeneration100:
+    output:
+        directory("bins/target_feedgeneration100")
+    shell:
+        "cargo build --target-dir {output} {def_flags},feed_genetic,gensize_100"
+
+rule build_feedgeneration100_int:
+    output:
+        directory("bins/target_feedgeneration100_int")
+    shell:
+        "cargo build --target-dir {output} {def_flags},feed_genetic,fuzz_int,gensize_100"
 
 rule run_bench:
     input:
         "build/{target}.elf",
         "bins/target_{fuzzer}"
     output:
-        multiext("timedump/{fuzzer}/{target}.{num}", "", ".log", ".case")
+        multiext("timedump/{fuzzer}/{target}.{num}", "", ".log") # , ".case"
     run:
         with open('target_symbols.csv') as csvfile:
             reader = csv.DictReader(csvfile)
@@ -112,9 +142,9 @@ rule run_bench:
                 export BREAKPOINT={bkp}
                 export SEED_RANDOM={wildcards.num}
                 export TIME_DUMP=$(pwd)/{output[0]}
-                export CASE_DUMP=$(pwd)/{output[2]}
+                export CASE_DUMP=$(pwd)/{output[0]}.case
                 export TRACE_DUMP=$(pwd)/{output[0]}.trace
-                export FUZZ_ITERS=180
+                export FUZZ_ITERS=21600
                 export FUZZER=$(pwd)/{input[1]}/debug/fret
                 set +e
                 ../fuzzer.sh > {output[1]} 2>&1 
@@ -192,17 +222,29 @@ rule all_bins:
         "bins/target_state",
         "bins/target_graph"
 
-rule all_periodic:
+rule all_main:
     input:
-        expand("timedump/{fuzzer}/{target}.{num}", fuzzer=['random','afl','state'], target=['waters','watersv2'],num=range(0,10))
+        expand("timedump/{fuzzer}/{target}.{num}", fuzzer=['random','afl_longest','state','feedgeneration10'], target=['waters','watersv2'],num=range(0,10))
 
-rule all_compare_afl_longest:
+rule all_main_int:
     input:
-        expand("timedump/{fuzzer}/{target}.{num}", fuzzer=['feedgeneration','feedlongest'], target=['waters','watersv2'],num=range(0,10))
+        expand("timedump/{fuzzer}/{target}.{num}", fuzzer=['random_int','afl_longest_int','state_int','feedgeneration10_int'], target=['waters_int','watersv2_int'],num=range(0,10))
 
-rule all_micro:
+rule all_compare_feedgeneration:
     input:
-        expand("timedump/{fuzzer}/{target}.{num}", fuzzer=['random_int','afl_int','state_int','feedgeneration_int'], target=['waters_int','watersv2_int'],num=range(0,10))
+        expand("timedump/{fuzzer}/{target}.{num}", fuzzer=['feedgeneration1','feedgeneration10','feedgeneration100'], target=['waters','watersv2'],num=range(0,10))
+
+rule all_compare_feedgeneration_int:
+    input:
+        expand("timedump/{fuzzer}/{target}.{num}", fuzzer=['feedgeneration1_int','feedgeneration10_int','feedgeneration100_int'], target=['waters_int','watersv2_int'],num=range(0,10))
+
+rule all_compare_afl:
+    input:
+        expand("timedump/{fuzzer}/{target}.{num}", fuzzer=['afl','afl_longest','feedlongest'], target=['waters','watersv2'],num=range(0,10))
+
+rule all_compare_afl_int:
+    input:
+        expand("timedump/{fuzzer}/{target}.{num}", fuzzer=['afl_int','afl_longest_int','feedlongest_int'], target=['waters_int','watersv2_int'],num=range(0,10))
 
 rule all_images:
     input:

fuzzers/FRET/src/fuzzer.rs

@@ -26,7 +26,7 @@ use libafl::{
     schedulers::{IndexesLenTimeMinimizerScheduler, QueueScheduler},
     state::{HasCorpus, StdState, HasMetadata, HasNamedMetadata},
     Error,
-    prelude::{SimpleMonitor, SimpleEventManager, AsMutSlice, RandBytesGenerator, Generator, SimpleRestartingEventManager, HasBytesVec, minimizer::TopRatedsMetadata, havoc_mutations, StdScheduledMutator}, Evaluator, stages::StdMutationalStage,
+    prelude::{SimpleMonitor, SimpleEventManager, AsMutSlice, RandBytesGenerator, Generator, SimpleRestartingEventManager, HasBytesVec, minimizer::TopRatedsMetadata, havoc_mutations, StdScheduledMutator, HitcountsMapObserver}, Evaluator, stages::StdMutationalStage,
 };
 use libafl_qemu::{
     edges, edges::QemuEdgeCoverageHelper, elf::EasyElf, emu::Emulator, GuestPhysAddr, QemuExecutor,
@@ -211,6 +211,7 @@ pub fn fuzz() {
                         buf = &buf[libafl_num_interrupts*4..];
                         len = buf.len();
                     }
+                    // println!("Load: {:?}", libafl_interrupt_offsets[0..libafl_num_interrupts].to_vec());
                 }
                 if len > MAX_INPUT_SIZE {
                     buf = &buf[0..MAX_INPUT_SIZE];
@@ -241,6 +242,8 @@ pub fn fuzz() {
         let edges = unsafe { &mut edges::EDGES_MAP };
         let edges_counter = unsafe { &mut edges::MAX_EDGES_NUM };
         let edges_observer = VariableMapObserver::new("edges", edges, edges_counter);
+        #[cfg(feature = "observer_hitcounts")]
+        let edges_observer = HitcountsMapObserver::new(edges_observer);
 
         // Create an observation channel to keep track of the execution time
         let clock_time_observer = QemuClockObserver::new("clocktime");
@@ -279,6 +282,7 @@ pub fn fuzz() {
         #[cfg(feature = "feed_systemtrace")]
         let mut feedback = feedback_or!(
             feedback,
+            // AlwaysTrueFeedback::new(),
             NovelSystemStateFeedback::default()
         );
         #[cfg(feature = "feed_systemgraph")]

fuzzers/FRET/src/systemstate/mutators.rs

@@ -91,7 +91,7 @@ where
             }
         }
 
-        println!("Vor Mutator: {:?}", interrupt_offsets[0..num_interrupts].to_vec());
+        // println!("Vor Mutator: {:?}", interrupt_offsets[0..num_interrupts].to_vec());
         // let num_i = min(target_bytes.len() / 4, DO_NUM_INTERRUPT);
         let mut suffix = target_bytes.split_off(4 * num_interrupts);
         let mut prefix : Vec<[u8; 4]> = vec![];
@@ -112,10 +112,10 @@ where
                 let m = interrupt_offsets[0..num_interrupts].iter().any(|x| (curr.start_tick..curr.end_tick).contains(&(*x as u64)));
                 if m {
                     marks.push((curr, i, 1));
-                    println!("1: {}",curr.current_task.task_name);
+                    // println!("1: {}",curr.current_task.task_name);
                 } else if last_m {
                     marks.push((curr, i, 2));
-                    println!("2: {}",curr.current_task.task_name);
+                    // println!("2: {}",curr.current_task.task_name);
                 } else {
                     marks.push((curr, i, 0));
                 }