add feature flags for fuzz components

This commit is contained in:
Alwin Berger 2022-05-04 22:55:26 +02:00
parent 18a592d763
commit 70dec21c8c
2 changed files with 59 additions and 36 deletions


@ -9,6 +9,19 @@ default = ["std"]
std = []
multicore = []
# select which feedbacks to use. enable at least one.
feed_afl = []
feed_clock = []
feed_state = []
feed_graph = []
# choose exactly one scheduler
sched_queue = []
sched_state = []
sched_graph = []
muta_snip = [ "sched_graph" ]
[profile.release]
debug = true
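Review bot: The comment "enable at least one" above the feed_* flags overstates the requirement, because the companion hunk in fuzz() always seeds the feedback with ClockFeedback before the cfg-gated feedback_or! additions, so a build with no feed_* feature still compiles and runs; the comment should say so, e.g. `# optional extra feedbacks (clock feedback is always on)`. The `feed_graph` flag appears to rely on a SysGraphFeedbackState being registered under "SysMap" (the graph-dump block in fuzz() looks it up by name), yet that state is only constructed when `sched_state` is off, so `feed_graph` together with `sched_state` likely fails at runtime; declaring `feed_graph = ["sched_graph"]` would at least document the intended pairing, as `muta_snip` already does. Cargo features are additive, so "choose exactly one scheduler" cannot be enforced from the manifest and needs a guard in the crate.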


@ -1,5 +1,8 @@
//! A singlethreaded QEMU fuzzer that can auto-restart.
use libafl::inputs::Input;
use libafl::feedbacks::Feedback;
use libafl::HasFeedback;
use libafl::bolts::tuples::MatchName;
use libafl::state::HasFeedbackStates;
use wcet_qemu_sys::sysstate::graph::SysGraphMetadata;
@ -333,13 +336,15 @@ fn fuzz(
let clock_observer = QemuClockObserver::default();
// Create an observation channel using cmplog map
let cmplog_observer = CmpLogObserver::new("cmplog", unsafe { &mut cmplog::CMPLOG_MAP }, true);
// let cmplog_observer = CmpLogObserver::new("cmplog", unsafe { &mut cmplog::CMPLOG_MAP }, true);
// The state of the edges feedback.
let feedback_state = MapFeedbackState::with_observer(&edges_observer);
let sysstate_observer = QemuSysStateObserver::new();
// let sysstate_feedback_state = SysStateFeedbackState::default();
#[cfg(feature = "sched_state")]
let sysstate_feedback_state = SysStateFeedbackState::default();
#[cfg(not(feature = "sched_state"))]
let sysstate_feedback_state = SysGraphFeedbackState::new();
let target_map : HashMap<(u64,u64),u8> = match dump_edges {
@ -359,20 +364,19 @@ fn fuzz(
},
};
// Feedback to rate the interestingness of an input
// This one is composed by two Feedbacks in OR
let feedback = feedback_or!(
// New maximization map feedback linked to the edges observer and the feedback state
MaxMapFeedback::new_tracking(&feedback_state, &edges_observer, true, false),
// HitImprovingFeedback::new(target_map.clone(), &edges_observer),
// QemuClockIncreaseFeedback::default(),
ClockFeedback::new_with_observer(&clock_observer),
// NovelSysStateFeedback::default(),
SysMapFeedback::new()
);
let feedback = ClockFeedback::new_with_observer(&clock_observer);
#[cfg(feature = "feed_afl")]
let feedback = feedback_or!(feedback, MaxMapFeedback::new_tracking(&feedback_state, &edges_observer, true, false));
#[cfg(feature = "feed_clock")]
let feedback = feedback_or!(feedback, QemuClockIncreaseFeedback::default());
#[cfg(feature = "feed_state")]
let feedback = feedback_or!(feedback, NovelSysStateFeedback::default());
#[cfg(feature = "feed_graph")]
let feedback = feedback_or!(feedback, SysMapFeedback::new());
// A feedback to choose if an input is a solution or not
// let objective = feedback_or!(HitFeedback::new(target_map,0.0,&edges_observer),HitSysStateFeedback::new(target_trace));
let objective = feedback_or!(HitFeedback::new(target_map,0.0,&edges_observer));
let objective = feedback_or!(HitFeedback::new(target_map,0.0,&edges_observer),HitSysStateFeedback::new(target_trace));
// let objective = feedback_or!(HitFeedback::new(target_map,0.0,&edges_observer));
// let objective = SortedFeedback::new();
// create a State from scratch
@ -396,20 +400,25 @@ fn fuzz(
// Setup a randomic Input2State stage
// let i2s = StdMutationalStage::new(StdScheduledMutator::new(tuple_list!(I2SRandReplace::new())));
#[cfg(feature = "muta_snip")]
let mutator_list = havoc_mutations().merge(tokens_mutations())
.merge(tuple_list!(RandGraphSnippetMutator::new()));
#[cfg(not(feature = "muta_snip"))]
let mutator_list = havoc_mutations().merge(tokens_mutations());
// Setup a MOPT mutator
let mutator = StdMOptMutator::new(&mut state, havoc_mutations()
.merge(tokens_mutations())
.merge(tuple_list!(RandGraphSnippetMutator::new())),
5)?;
let mutator = StdMOptMutator::new(&mut state, mutator_list,5)?;
// let power = PowerMutationalStage::new(mutator, PowerSchedule::FAST, &edges_observer);
let mutation = StdMutationalStage::new(mutator);
// A minimization+queue policy to get testcasess from the corpus
// let scheduler = IndexesLenTimeMinimizerCorpusScheduler::new(PowerQueueCorpusScheduler::new());
// let scheduler = TimeStateMaximizerCorpusScheduler::new(QueueCorpusScheduler::new());
#[cfg(feature = "sched_queue")]
let scheduler = QueueCorpusScheduler::new();
#[cfg(feature = "sched_state")]
let scheduler = TimeStateMaximizerCorpusScheduler::new(QueueCorpusScheduler::new());
#[cfg(feature = "sched_graph")]
let scheduler = GraphMaximizerCorpusScheduler::new(QueueCorpusScheduler::new());
// let scheduler = QueueCorpusScheduler::new();
// A fuzzer with feedbacks and a corpus scheduler
@ -512,14 +521,16 @@ fn fuzz(
dup2(null_fd, io::stderr().as_raw_fd())?;
}
// fuzzer
// .fuzz_for_solution(&mut stages, &mut executor, &mut state, &mut mgr)
// .expect("Error in the fuzzing loop");
fuzzer
.fuzz_loop_for(&mut stages, &mut executor, &mut state, &mut mgr, 20)
.fuzz_for_solution_or_n(&mut stages, &mut executor, &mut state, &mut mgr, 10000)
.expect("Error in the fuzzing loop");
// fuzzer
// .fuzz_loop_for(&mut stages, &mut executor, &mut state, &mut mgr, 20)
// .expect("Error in the fuzzing loop");
#[cfg(feature = "feed_graph")]
{
let feedbackstate = state
.feedback_states()
.match_name::<SysGraphFeedbackState>("SysMap")
@ -528,10 +539,9 @@ fn fuzz(
|_, n| n.get_taskname(),
|_, e| e,
);
// println!("{:?}",feedbackstate.graph);
// println!("{:?}",Dot::with_config(&feedbackstate.graph, &[Config::EdgeNoLabel]));
let tempg = format!("{:?}",Dot::with_config(&newgraph, &[Config::EdgeNoLabel]));
fs::write("./graph.dot",tempg).expect("Graph can not be written");
}
// Never reached
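Review bot: The three cfg-gated `let scheduler` bindings in the scheduler hunk do not enforce the "choose exactly one" contract from Cargo.toml: with several sched_* features enabled the later binding silently shadows the earlier one, and with none enabled the build fails only at the first use of `scheduler` with an unrelated-looking error. A guard next to those bindings makes the contract explicit: `#[cfg(not(any(feature = "sched_queue", feature = "sched_state", feature = "sched_graph")))]` followed by `compile_error!("enable exactly one of sched_queue, sched_state, sched_graph");`, with a matching `any(all(...))` guard rejecting two at once. The same silent-shadowing concern applies to the `feed_graph` block, which looks up `SysGraphFeedbackState` by name while the state hunk only constructs that type when `sched_state` is off, so `feed_graph` + `sched_state` probably panics or misbehaves at the match_name site (its unwrap is outside this hunk). fuzz() starts and ends outside the visible hunks.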