SYS-OSS/FRET-LibAFL
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

cmplog observer

Browse Source
This commit is contained in:
Andrea Fioraldi 2021-05-20 01:25:01 +02:00 committed by Omree
parent ccfc95aa3a
commit 933b65dd86
7 changed files with 160 additions and 91 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
fuzzers/libfuzzer_stb_image/Cargo.toml
View File

@ -17,8 +17,7 @@ debug = true
[dependencies] [dependencies]
libafl = { path = "../../libafl/" } libafl = { path = "../../libafl/" }
libafl_targets = { path = "../../libafl_targets/", features = ["sancov_pcguard_edges", "sancov_cmplog", "libfuzzer"] }
libafl_targets = { path = "../../libafl_targets/", features = ["sancov_pcguard_edges", "libfuzzer"] }
[build-dependencies] [build-dependencies]
cc = { version = "1.0", features = ["parallel"] } cc = { version = "1.0", features = ["parallel"] }

7
fuzzers/libfuzzer_stb_image/src/main.rs
View File

@ -12,11 +12,11 @@ use libafl::{
events::setup_restarting_mgr_std, events::setup_restarting_mgr_std,
executors::{inprocess::InProcessExecutor, ExitKind}, executors::{inprocess::InProcessExecutor, ExitKind},
feedback_or, feedback_or,
feedbacks::{CrashFeedback, MapFeedbackState, MaxMapFeedback, TimeFeedback}, feedbacks::{CmpFeedback, CrashFeedback, MapFeedbackState, MaxMapFeedback, TimeFeedback},
fuzzer::{Fuzzer, StdFuzzer}, fuzzer::{Fuzzer, StdFuzzer},
inputs::{BytesInput, HasTargetBytes}, inputs::{BytesInput, HasTargetBytes},
mutators::scheduled::{havoc_mutations, StdScheduledMutator}, mutators::scheduled::{havoc_mutations, StdScheduledMutator},
mutators::token_mutations::I2SRandReplace, mutators::token_mutations::{I2SRandReplace, Tokens},
observers::{StdMapObserver, TimeObserver}, observers::{StdMapObserver, TimeObserver},
stages::{StdMutationalStage, TracingStage}, stages::{StdMutationalStage, TracingStage},
state::{HasCorpus, StdState}, state::{HasCorpus, StdState},
@ -72,6 +72,9 @@ fn fuzz(corpus_dirs: &[PathBuf], objective_dir: PathBuf, broker_port: u16) -> Re
// Create an observation channel to keep track of the execution time // Create an observation channel to keep track of the execution time
let time_observer = TimeObserver::new("time"); let time_observer = TimeObserver::new("time");
let cmplog = unsafe { &mut CMPLOG_MAP };
let cmplog_observer = CmpLogObserver::new("cmplog", cmplog);
let cmplog = unsafe { &mut CMPLOG_MAP }; let cmplog = unsafe { &mut CMPLOG_MAP };
let cmplog_observer = CmpLogObserver::new("cmplog", cmplog, true); let cmplog_observer = CmpLogObserver::new("cmplog", cmplog, true);

15
libafl/src/bolts/tuples.rs
View File

@ -361,9 +361,12 @@ where
} }
/// Merge two `TupeList` /// Merge two `TupeList`
pub trait Merge<T> { pub trait Merge<T>: TupleList
where
T: TupleList,
{
/// The Resulting [`TupleList`], of an [`Merge::merge()`] call /// The Resulting [`TupleList`], of an [`Merge::merge()`] call
type MergeResult; type MergeResult: TupleList;
/// Merge and return the merged tuple /// Merge and return the merged tuple
#[must_use] #[must_use]
@ -371,7 +374,10 @@ pub trait Merge<T> {
} }
/// Implement merge for an empty tuple list. /// Implement merge for an empty tuple list.
impl<T> Merge<T> for () { impl<T> Merge<T> for ()
where
T: TupleList,
{
type MergeResult = T; type MergeResult = T;
fn merge(self, value: T) -> Self::MergeResult { fn merge(self, value: T) -> Self::MergeResult {
@ -382,7 +388,10 @@ impl<T> Merge<T> for () {
/// Implement merge for non-empty tuple list. /// Implement merge for non-empty tuple list.
impl<Head, Tail, T> Merge<T> for (Head, Tail) impl<Head, Tail, T> Merge<T> for (Head, Tail)
where where
T: TupleList,
Self: TupleList,
Tail: Merge<T>, Tail: Merge<T>,
(Head, Tail::MergeResult): TupleList,
{ {
type MergeResult = (Head, Tail::MergeResult); type MergeResult = (Head, Tail::MergeResult);

2
libafl/src/observers/cmp.rs
View File

@ -115,7 +115,7 @@ impl<'a, CM> StdCmpObserver<'a, CM>
where where
CM: CmpMap, CM: CmpMap,
{ {
/// Creates a new [`CmpObserver`] with the given name. /// Creates a new [`StdCmpObserver`] with the given name.
#[must_use] #[must_use]
pub fn new(name: &'static str, map: &'a mut CM) -> Self { pub fn new(name: &'static str, map: &'a mut CM) -> Self {
Self { Self {

179
libafl/src/stages/tracing.rs
View File

@ -1,96 +1,163 @@
use core::{marker::PhantomData, mem::drop}; use core::marker::PhantomData;
use crate::{ use crate::{
bolts::rands::Rand,
corpus::Corpus, corpus::Corpus,
executors::{Executor, HasExecHooksTuple, HasObservers, HasObserversHooks}, fuzzer::Evaluator,
inputs::Input, inputs::Input,
mark_feature_time, mark_feature_time,
observers::ObserversTuple, mutators::Mutator,
stages::Stage, stages::Stage,
start_timer, start_timer,
state::{HasClientPerfStats, HasCorpus, HasExecutions}, state::{HasClientPerfStats, HasCorpus, HasRand},
Error, Error,
}; };
#[cfg(feature = "introspection")] #[cfg(feature = "introspection")]
use crate::stats::PerfFeature; use crate::stats::PerfFeature;
/// The default mutational stage // TODO multi mutators stage
#[derive(Clone, Debug)]
pub struct TracingStage<C, EM, I, OT, S, TE, Z> /// A Mutational stage is the stage in a fuzzing run that mutates inputs.
/// Mutational stages will usually have a range of mutations that are
/// being applied to the input one by one, between executions.
pub trait TracingStage<C, E, EM, I, M, S, Z>: Stage<E, EM, S, Z>
where where
I: Input,
C: Corpus<I>, C: Corpus<I>,
TE: Executor<EM, I, S, Z> + HasObservers<OT> + HasObserversHooks<EM, I, OT, S, Z>, M: Mutator<I, S>,
OT: ObserversTuple + HasExecHooksTuple<EM, I, S, Z>, I: Input,
S: HasClientPerfStats + HasExecutions + HasCorpus<C, I>, S: HasClientPerfStats + HasCorpus<C, I>,
Z: Evaluator<E, EM, I, S>,
{ {
tracer_executor: TE, /// The mutator registered for this stage
#[allow(clippy::type_complexity)] fn mutator(&self) -> &M;
phantom: PhantomData<(C, EM, I, OT, S, TE, Z)>,
/// The mutator registered for this stage (mutable)
fn mutator_mut(&mut self) -> &mut M;
/// Gets the number of iterations this mutator should run for.
fn iterations(&self, state: &mut S) -> usize;
/// Runs this (mutational) stage for the given testcase
#[allow(clippy::cast_possible_wrap)] // more than i32 stages on 32 bit system - highly unlikely...
fn perform_mutational(
&mut self,
fuzzer: &mut Z,
executor: &mut E,
state: &mut S,
manager: &mut EM,
corpus_idx: usize,
) -> Result<(), Error> {
let num = self.iterations(state);
for i in 0..num {
start_timer!(state);
let mut input = state
.corpus()
.get(corpus_idx)?
.borrow_mut()
.load_input()?
.clone();
mark_feature_time!(state, PerfFeature::GetInputFromCorpus);
start_timer!(state);
self.mutator_mut().mutate(state, &mut input, i as i32)?;
mark_feature_time!(state, PerfFeature::Mutate);
// Time is measured directly the `evaluate_input` function
let (_, corpus_idx) = fuzzer.evaluate_input(state, executor, manager, input)?;
start_timer!(state);
self.mutator_mut().post_exec(state, i as i32, corpus_idx)?;
mark_feature_time!(state, PerfFeature::MutatePostExec);
}
Ok(())
}
} }
impl<E, C, EM, I, OT, S, TE, Z> Stage<E, EM, S, Z> for TracingStage<C, EM, I, OT, S, TE, Z> /// Default value, how many iterations each stage gets, as an upper bound
/// It may randomly continue earlier.
pub static DEFAULT_MUTATIONAL_MAX_ITERATIONS: u64 = 128;
/// The default mutational stage
#[derive(Clone, Debug)]
pub struct StdMutationalStage<C, E, EM, I, M, R, S, Z>
where where
I: Input,
C: Corpus<I>, C: Corpus<I>,
TE: Executor<EM, I, S, Z> + HasObservers<OT> + HasObserversHooks<EM, I, OT, S, Z>, M: Mutator<I, S>,
OT: ObserversTuple + HasExecHooksTuple<EM, I, S, Z>, I: Input,
S: HasClientPerfStats + HasExecutions + HasCorpus<C, I>, R: Rand,
S: HasClientPerfStats + HasCorpus<C, I> + HasRand<R>,
Z: Evaluator<E, EM, I, S>,
{
mutator: M,
#[allow(clippy::type_complexity)]
phantom: PhantomData<(C, E, EM, I, R, S, Z)>,
}
impl<C, E, EM, I, M, R, S, Z> MutationalStage<C, E, EM, I, M, S, Z>
for StdMutationalStage<C, E, EM, I, M, R, S, Z>
where
C: Corpus<I>,
M: Mutator<I, S>,
I: Input,
R: Rand,
S: HasClientPerfStats + HasCorpus<C, I> + HasRand<R>,
Z: Evaluator<E, EM, I, S>,
{
/// The mutator, added to this stage
#[inline]
fn mutator(&self) -> &M {
&self.mutator
}
/// The list of mutators, added to this stage (as mutable ref)
#[inline]
fn mutator_mut(&mut self) -> &mut M {
&mut self.mutator
}
/// Gets the number of iterations as a random number
fn iterations(&self, state: &mut S) -> usize {
1 + state.rand_mut().below(DEFAULT_MUTATIONAL_MAX_ITERATIONS) as usize
}
}
impl<C, E, EM, I, M, R, S, Z> Stage<E, EM, S, Z> for StdMutationalStage<C, E, EM, I, M, R, S, Z>
where
C: Corpus<I>,
M: Mutator<I, S>,
I: Input,
R: Rand,
S: HasClientPerfStats + HasCorpus<C, I> + HasRand<R>,
Z: Evaluator<E, EM, I, S>,
{ {
#[inline] #[inline]
fn perform( fn perform(
&mut self, &mut self,
fuzzer: &mut Z, fuzzer: &mut Z,
_executor: &mut E, executor: &mut E,
state: &mut S, state: &mut S,
manager: &mut EM, manager: &mut EM,
corpus_idx: usize, corpus_idx: usize,
) -> Result<(), Error> { ) -> Result<(), Error> {
start_timer!(state); self.perform_mutational(fuzzer, executor, state, manager, corpus_idx)
let input = state
.corpus()
.get(corpus_idx)?
.borrow_mut()
.load_input()?
.clone();
mark_feature_time!(state, PerfFeature::GetInputFromCorpus);
start_timer!(state);
self.tracer_executor
.pre_exec_observers(fuzzer, state, manager, &input)?;
mark_feature_time!(state, PerfFeature::PreExecObservers);
start_timer!(state);
drop(
self.tracer_executor
.run_target(fuzzer, state, manager, &input)?,
);
mark_feature_time!(state, PerfFeature::TargetExecution);
*state.executions_mut() += 1;
start_timer!(state);
self.tracer_executor
.post_exec_observers(fuzzer, state, manager, &input)?;
mark_feature_time!(state, PerfFeature::PostExecObservers);
Ok(())
} }
} }
impl<C, EM, I, OT, S, TE, Z> TracingStage<C, EM, I, OT, S, TE, Z> impl<C, E, EM, I, M, R, S, Z> StdMutationalStage<C, E, EM, I, M, R, S, Z>
where where
I: Input,
C: Corpus<I>, C: Corpus<I>,
TE: Executor<EM, I, S, Z> + HasObservers<OT> + HasObserversHooks<EM, I, OT, S, Z>, M: Mutator<I, S>,
OT: ObserversTuple + HasExecHooksTuple<EM, I, S, Z>, I: Input,
S: HasClientPerfStats + HasExecutions + HasCorpus<C, I>, R: Rand,
S: HasClientPerfStats + HasCorpus<C, I> + HasRand<R>,
Z: Evaluator<E, EM, I, S>,
{ {
/// Creates a new default mutational stage /// Creates a new default mutational stage
pub fn new(tracer_executor: TE) -> Self { pub fn new(mutator: M) -> Self {
Self { Self {
tracer_executor, mutator,
phantom: PhantomData, phantom: PhantomData,
} }
} }

22
libafl_targets/src/cmplog.rs
View File

@ -2,9 +2,12 @@
//! The values will then be used in subsequent mutations. //! The values will then be used in subsequent mutations.
use libafl::{ use libafl::{
observers::{CmpMap, CmpValues}, bolts::{ownedref::OwnedRefMut, tuples::Named},
executors::HasExecHooks,
observers::{CmpMap, CmpObserver, CmpValues, Observer},
Error, Error,
}; };
use serde::{Deserialize, Serialize}; use serde::{Deserialize, Serialize};
// TODO compile time flag // TODO compile time flag
@ -140,12 +143,11 @@ pub static mut libafl_cmplog_enabled: u8 = 0;
pub use libafl_cmplog_enabled as CMPLOG_ENABLED; pub use libafl_cmplog_enabled as CMPLOG_ENABLED;
/// A [`CmpObserver`] observer for `CmpLog` /// A [`CmpObserver`] observer for CmpLog
#[derive(Serialize, Deserialize, Debug)] #[derive(Serialize, Deserialize, Debug)]
pub struct CmpLogObserver<'a> { pub struct CmpLogObserver<'a> {
map: OwnedRefMut<'a, CmpLogMap>, map: OwnedRefMut<'a, CmpLogMap>,
size: Option<OwnedRefMut<'a, usize>>, size: Option<OwnedRefMut<'a, usize>>,
add_meta: bool,
name: String, name: String,
} }
@ -169,10 +171,7 @@ impl<'a> CmpObserver<CmpLogMap> for CmpLogObserver<'a> {
impl<'a> Observer for CmpLogObserver<'a> {} impl<'a> Observer for CmpLogObserver<'a> {}
impl<'a, EM, I, S, Z> HasExecHooks<EM, I, S, Z> for CmpLogObserver<'a> impl<'a, EM, I, S, Z> HasExecHooks<EM, I, S, Z> for CmpLogObserver<'a> {
where
S: HasMetadata,
{
fn pre_exec( fn pre_exec(
&mut self, &mut self,
_fuzzer: &mut Z, _fuzzer: &mut Z,
@ -190,16 +189,13 @@ where
fn post_exec( fn post_exec(
&mut self, &mut self,
_fuzzer: &mut Z, _fuzzer: &mut Z,
state: &mut S, _state: &mut S,
_mgr: &mut EM, _mgr: &mut EM,
_input: &I, _input: &I,
) -> Result<(), Error> { ) -> Result<(), Error> {
unsafe { unsafe {
CMPLOG_ENABLED = 0; CMPLOG_ENABLED = 0;
} }
if self.add_meta {
self.add_cmpvalues_meta(state);
}
Ok(()) Ok(())
} }
} }
@ -213,11 +209,11 @@ impl<'a> Named for CmpLogObserver<'a> {
impl<'a> CmpLogObserver<'a> { impl<'a> CmpLogObserver<'a> {
/// Creates a new [`CmpLogObserver`] with the given name. /// Creates a new [`CmpLogObserver`] with the given name.
#[must_use] #[must_use]
pub fn new(name: &'static str, map: &'a mut CmpLogMap, add_meta: bool) -> Self { pub fn new(name: &'static str, map: &'a mut CmpLogMap) -> Self {
Self { Self {
name: name.to_string(), name: name.to_string(),
size: None, size: None,
add_meta,
map: OwnedRefMut::Ref(map), map: OwnedRefMut::Ref(map),
} }
} }

23
libafl_targets/src/sancov_cmp.c
View File

@ -33,13 +33,13 @@ void __sanitizer_cov_trace_cmp1(uint8_t arg1, uint8_t arg2) {
uintptr_t k = RETADDR; uintptr_t k = RETADDR;
k = (k >> 4) ^ (k << 8); k = (k >> 4) ^ (k << 8);
#ifdef SANCOV_VALUE_PROFILE
k &= MAP_SIZE - 1;
#ifdef SANCOV_VALUE_PROFILE #ifdef SANCOV_VALUE_PROFILE
k &= MAP_SIZE - 1;
__libafl_targets_value_profile1(k, arg1, arg2); __libafl_targets_value_profile1(k, arg1, arg2);
#endif #endif
#ifdef SANCOV_CMPLOG #ifdef SANCOV_CMPLOG
k &= CMPLOG_MAP_W - 1;
__libafl_targets_cmplog(k, 1, (uint64_t)arg1, (uint64_t)arg2); __libafl_targets_cmplog(k, 1, (uint64_t)arg1, (uint64_t)arg2);
#endif #endif
@ -50,13 +50,13 @@ void __sanitizer_cov_trace_cmp2(uint16_t arg1, uint16_t arg2) {
uintptr_t k = RETADDR; uintptr_t k = RETADDR;
k = (k >> 4) ^ (k << 8); k = (k >> 4) ^ (k << 8);
#ifdef SANCOV_VALUE_PROFILE
k &= MAP_SIZE - 1;
#ifdef SANCOV_VALUE_PROFILE #ifdef SANCOV_VALUE_PROFILE
k &= MAP_SIZE - 1;
__libafl_targets_value_profile2(k, arg1, arg2); __libafl_targets_value_profile2(k, arg1, arg2);
#endif #endif
#ifdef SANCOV_CMPLOG #ifdef SANCOV_CMPLOG
k &= CMPLOG_MAP_W - 1;
__libafl_targets_cmplog(k, 2, (uint64_t)arg1, (uint64_t)arg2); __libafl_targets_cmplog(k, 2, (uint64_t)arg1, (uint64_t)arg2);
#endif #endif
@ -67,13 +67,13 @@ void __sanitizer_cov_trace_cmp4(uint32_t arg1, uint32_t arg2) {
uintptr_t k = RETADDR; uintptr_t k = RETADDR;
k = (k >> 4) ^ (k << 8); k = (k >> 4) ^ (k << 8);
#ifdef SANCOV_VALUE_PROFILE
k &= MAP_SIZE - 1;
#ifdef SANCOV_VALUE_PROFILE #ifdef SANCOV_VALUE_PROFILE
k &= MAP_SIZE - 1;
__libafl_targets_value_profile4(k, arg1, arg2); __libafl_targets_value_profile4(k, arg1, arg2);
#endif #endif
#ifdef SANCOV_CMPLOG #ifdef SANCOV_CMPLOG
k &= CMPLOG_MAP_W - 1;
__libafl_targets_cmplog(k, 4, (uint64_t)arg1, (uint64_t)arg2); __libafl_targets_cmplog(k, 4, (uint64_t)arg1, (uint64_t)arg2);
#endif #endif
@ -84,6 +84,7 @@ void __sanitizer_cov_trace_cmp8(uint64_t arg1, uint64_t arg2) {
uintptr_t k = RETADDR; uintptr_t k = RETADDR;
k = (k >> 4) ^ (k << 8); k = (k >> 4) ^ (k << 8);
#ifdef SANCOV_VALUE_PROFILE #ifdef SANCOV_VALUE_PROFILE
k &= MAP_SIZE - 1; k &= MAP_SIZE - 1;
__libafl_targets_value_profile8(k, arg1, arg2); __libafl_targets_value_profile8(k, arg1, arg2);
@ -93,13 +94,6 @@ void __sanitizer_cov_trace_cmp8(uint64_t arg1, uint64_t arg2) {
__libafl_targets_cmplog(k, 8, (uint64_t)arg1, (uint64_t)arg2); __libafl_targets_cmplog(k, 8, (uint64_t)arg1, (uint64_t)arg2);
#endif #endif
#ifdef SANCOV_VALUE_PROFILE
__libafl_targets_value_profile8(k, arg1, arg2);
#endif
#ifdef SANCOV_CMPLOG
__libafl_targets_cmplog(k, 8, (uint64_t)arg1, (uint64_t)arg2);
#endif
} }
void __sanitizer_cov_trace_switch(uint64_t val, uint64_t *cases) { void __sanitizer_cov_trace_switch(uint64_t val, uint64_t *cases) {
@ -112,9 +106,9 @@ void __sanitizer_cov_trace_switch(uint64_t val, uint64_t *cases) {
uintptr_t k = rt + i; uintptr_t k = rt + i;
k = (k >> 4) ^ (k << 8); k = (k >> 4) ^ (k << 8);
k &= MAP_SIZE - 1;
// val , cases[i + 2] // val , cases[i + 2]
#ifdef SANCOV_VALUE_PROFILE #ifdef SANCOV_VALUE_PROFILE
k &= MAP_SIZE - 1;
switch (cases[1]) { switch (cases[1]) {
case 8: case 8:
__libafl_targets_value_profile1(k, (uint8_t)val, (uint8_t)cases[i + 2]); __libafl_targets_value_profile1(k, (uint8_t)val, (uint8_t)cases[i + 2]);
@ -131,6 +125,7 @@ void __sanitizer_cov_trace_switch(uint64_t val, uint64_t *cases) {
} }
#endif #endif
#ifdef SANCOV_CMPLOG #ifdef SANCOV_CMPLOG
k &= CMPLOG_MAP_W - 1;
__libafl_targets_cmplog(k, cases[1] / 8, val, cases[i + 2]); __libafl_targets_cmplog(k, cases[1] / 8, val, cases[i + 2]);
#endif #endif