From 9cadc5d61c3069f9dce04040274598e03b76d105 Mon Sep 17 00:00:00 2001
From: Alwin Berger
Date: Tue, 7 Feb 2023 14:59:21 +0100
Subject: [PATCH] update input sizes, dump worstcase, benchmarking
---
 fuzzers/FRET/benchmark/Makefile | 31 ++++++++++++++---------
 fuzzers/FRET/benchmark/plot_comparison.r | 6 ++---
 fuzzers/FRET/benchmark/target_symbols.csv | 4 ++-
 fuzzers/FRET/fuzzer.sh | 8 +++---
 fuzzers/FRET/src/fuzzer.rs | 26 ++++++++++++++++---
 fuzzers/FRET/src/lib.rs | 11 ++++++++
 fuzzers/FRET/src/systemstate/mod.rs | 12 ++++-----
 7 files changed, 69 insertions(+), 29 deletions(-)
 create mode 100644 fuzzers/FRET/src/lib.rs
diff --git a/fuzzers/FRET/benchmark/Makefile b/fuzzers/FRET/benchmark/Makefile
index 3fc48d7afd..c3b915bf3a 100644
--- a/fuzzers/FRET/benchmark/Makefile
+++ b/fuzzers/FRET/benchmark/Makefile
@@ -1,4 +1,4 @@
-TIME=1600
+TIME=5400
 corpora/%/seed:
 mkdir -p $$(dirname $@)
@@ -13,7 +13,7 @@ corpora/%/seed:
 DUMP_SEED=seed; \
 ../fuzzer.sh
-timedump/%$(FUZZ_RANDOM): corpora/%/seed
+timedump/%$(FUZZ_RANDOM)$(SUFFIX): corpora/%/seed
 mkdir -p $$(dirname $@)
 LINE=$$(grep "^$$(basename $*)" target_symbols.csv); \
 export \
@@ -23,7 +23,8 @@ timedump/%$(FUZZ_RANDOM): corpora/%/seed
 FUZZ_INPUT_LEN=$$(echo $$LINE | cut -d, -f4) \
 BREAKPOINT=$$(echo $$LINE | cut -d, -f5) \
 SEED_RANDOM=1 \
- TIME_DUMP=benchmark/$@; \
+ TIME_DUMP=benchmark/$@ \
+ CASE_DUMP=benchmark/$@.case; \
 ../fuzzer.sh + + + + + $(TIME) + + + > $@_log #SEED_DIR=benchmark/corpora/$*
@@ -33,18 +34,24 @@ all_sequential: timedump/sequential/mpeg2$(FUZZ_RANDOM) timedump/sequential/dijk
 all_kernel: timedump/kernel/bsort$(FUZZ_RANDOM) timedump/kernel/insertsort$(FUZZ_RANDOM) #timedump/kernel/fft$(FUZZ_RANDOM)
+all_app: timedump/app/lift$(FUZZ_RANDOM)
+
+all_system: timedump/lift$(FUZZ_RANDOM)$(SUFFIX)
+
+all_period: timedump/waters$(FUZZ_RANDOM)$(SUFFIX)
+
 tacle_rtos: timedump/tacle_rtos$(FUZZ_RANDOM)
 graphics:
- Rscript --vanilla plot_comparison.r sequential audiobeam
- Rscript --vanilla plot_comparison.r sequential dijkstra
- Rscript --vanilla plot_comparison.r sequential epic
- Rscript --vanilla plot_comparison.r sequential g723_enc
- # Rscript --vanilla plot_comparison.r sequential gsm_enc
- # Rscript --vanilla plot_comparison.r sequential huff_dec
- Rscript --vanilla plot_comparison.r sequential mpeg2
- Rscript --vanilla plot_comparison.r sequential rijndael_dec
- Rscript --vanilla plot_comparison.r sequential rijndael_enc
+ Rscript --vanilla plot_comparison.r mnt/timedump/sequential audiobeam
+ Rscript --vanilla plot_comparison.r mnt/timedump/sequential dijkstra
+ Rscript --vanilla plot_comparison.r mnt/timedump/sequential epic
+ Rscript --vanilla plot_comparison.r mnt/timedump/sequential g723_enc
+ # Rscript --vanilla plot_comparison.r mnt/timedump/sequential gsm_enc
+ # Rscript --vanilla plot_comparison.r mnt/timedump/sequential huff_dec
+ Rscript --vanilla plot_comparison.r mnt/timedump/sequential mpeg2
+ # Rscript --vanilla plot_comparison.r mnt/timedump/sequential rijndael_dec
+ # Rscript --vanilla plot_comparison.r mnt/timedump/sequential rijndael_enc
 clean:
 rm -rf corpora timedump
\ No newline at end of file
diff --git a/fuzzers/FRET/benchmark/plot_comparison.r b/fuzzers/FRET/benchmark/plot_comparison.r
index c3cc84b9f1..046024c5bc 100644
--- a/fuzzers/FRET/benchmark/plot_comparison.r
+++ b/fuzzers/FRET/benchmark/plot_comparison.r
@@ -5,8 +5,8 @@ args = commandArgs(trailingOnly=TRUE)
 myolors=c("dark green","dark blue","dark red") # grĂ¼n, balu, rot
 if (length(args)==0) {
- runtype="timedump_exp02"
- target="tacle_rtos"
+ runtype="timedump"
+ target="waters"
 filename_1=sprintf("%s.png",target)
 filename_2=sprintf("%s_maxline.png",target)
 filename_3=sprintf("%s_hist.png",target)
@@ -19,7 +19,7 @@ if (length(args)==0) {
 # filename_1=args[3]
 }
-file_1=sprintf("~/code/FRET/LibAFL/fuzzers/FRET/benchmark/%s/%s",runtype,target)
+file_1=sprintf("~/code/FRET/LibAFL/fuzzers/FRET/benchmark/%s/%s_state",runtype,target)
 file_2=sprintf("~/code/FRET/LibAFL/fuzzers/FRET/benchmark/%s/%s_afl",runtype,target)
 file_3=sprintf("~/code/FRET/LibAFL/fuzzers/FRET/benchmark/%s/%s_random",runtype,target)
 timetrace <- read.table(file_1, quote="\"", comment.char="")
diff --git a/fuzzers/FRET/benchmark/target_symbols.csv b/fuzzers/FRET/benchmark/target_symbols.csv
index 503b7e34e1..f4f2b7fc51 100644
--- a/fuzzers/FRET/benchmark/target_symbols.csv
+++ b/fuzzers/FRET/benchmark/target_symbols.csv
@@ -13,4 +13,6 @@ huff_dec,huff_dec_main,huff_dec_encoded,419,huff_dec_return
 huff_enc,huff_enc_main,huff_enc_plaintext,600,huff_enc_return
 gsm_enc,gsm_enc_main,gsm_enc_pcmdata,6400,gsm_enc_return
 tmr,main,FUZZ_INPUT,32,trigger_Qemu_break
-tacle_rtos,prvStage0,FUZZ_INPUT,604,trigger_Qemu_break
\ No newline at end of file
+tacle_rtos,prvStage0,FUZZ_INPUT,604,trigger_Qemu_break
+lift,main_lift,FUZZ_INPUT,100,trigger_Qemu_break
+waters,main_waters,FUZZ_INPUT,4096,trigger_Qemu_break
\ No newline at end of file
diff --git a/fuzzers/FRET/fuzzer.sh b/fuzzers/FRET/fuzzer.sh
index 18ef7146ff..fd791d8630 100755
--- a/fuzzers/FRET/fuzzer.sh
+++ b/fuzzers/FRET/fuzzer.sh
@@ -9,8 +9,10 @@ cd "$parent_path"
 [ -n "$5" -a "$5" != "+" -a -z "$BREAKPOINT" ] && export BREAKPOINT="$5"
 [ -n "$6" -a "$6" != "+" -a -z "$FUZZ_ITERS" ] && export FUZZ_ITERS="$6"
 [ -n "$7" -a "$7" != "+" -a -z "$TIME_DUMP" ] && export TIME_DUMP="$7"
-[ -n "$8" -a "$8" != "+" -a -z "$DO_SHOWMAP" ] && export DO_SHOWMAP="$8"
-[ -n "$9" -a "$9" != "+" -a -z "$SHOWMAP_TEXTINPUT" ] && export SHOWMAP_TEXTINPUT="$9"
+[ -n "$8" -a "$8" != "+" -a -z "$CASE_DUMP" ] && export CASE_DUMP="$8"
+[ -n "$9" -a "$9" != "+" -a -z "$DO_SHOWMAP" ] && export DO_SHOWMAP="$9"
+[ -n "${10}" -a "${10}" != "+" -a -z "$SHOWMAP_TEXTINPUT" ] && export SHOWMAP_TEXTINPUT="${10}"
+[ -n "${11}" -a "${11}" != "+" -a -z "$TRACE_DUMP" ] && export TRACE_DUMP="${11}"
 [ -z "$FUZZER" ] && export FUZZER=target/debug/fret
-$FUZZER -icount shift=3,align=off,sleep=off -machine mps2-an385 -monitor null -kernel $KERNEL -serial null -nographic -S -semihosting --semihosting-config enable=on,target=native -snapshot -drive if=none,format=qcow2,file=dummy.qcow2
\ No newline at end of file
+$FUZZER -icount shift=4,align=off,sleep=off -machine mps2-an385 -monitor null -kernel $KERNEL -serial null -nographic -S -semihosting --semihosting-config enable=on,target=native -snapshot -drive if=none,format=qcow2,file=dummy.qcow2
\ No newline at end of file
diff --git a/fuzzers/FRET/src/fuzzer.rs b/fuzzers/FRET/src/fuzzer.rs
index 2d8b2ab31a..4ffc3eb228 100644
--- a/fuzzers/FRET/src/fuzzer.rs
+++ b/fuzzers/FRET/src/fuzzer.rs
@@ -28,7 +28,7 @@ use libafl::{
 stages::StdMutationalStage,
 state::{HasCorpus, StdState, HasMetadata},
 Error,
- prelude::{SimpleMonitor, SimpleEventManager, AsMutSlice, RandBytesGenerator, Generator, SimpleRestartingEventManager}, Evaluator,
+ prelude::{SimpleMonitor, SimpleEventManager, AsMutSlice, RandBytesGenerator, Generator, SimpleRestartingEventManager, HasBytesVec}, Evaluator,
 };
 use libafl_qemu::{
 edges, edges::QemuEdgeCoverageHelper, elf::EasyElf, emu::Emulator, GuestPhysAddr, QemuExecutor,
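Review bot: Inserting CASE_DUMP at `$8` shifts DO_SHOWMAP and SHOWMAP_TEXTINPUT to `$9` and `${10}`, so an existing caller that passed DO_SHOWMAP as the eighth positional argument now has that value taken as the path the worst-case input gets written to, with no error or warning. Appending the new parameters after the existing ones instead (`CASE_DUMP="${10}"`, `TRACE_DUMP="${11}"`, with DO_SHOWMAP and SHOWMAP_TEXTINPUT left at `$8`/`$9`) keeps old invocations valid; in either case a usage comment at the top of the script listing the positional order would help, since the Makefile's `../fuzzer.sh + + + + + $(TIME) + + +` call depends on it. The switch from `shift=3` to `shift=4` on the last line rescales QEMU's virtual clock, so timedump files produced before this commit are not directly comparable with new ones; a comment on that line, e.g. `# icount shift changes the guest time base: do not compare timedumps taken with different values`, would prevent a mixed plot.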
@@ -151,6 +151,7 @@ pub fn fuzz() {
 if let Ok(input_len) = env::var("FUZZ_INPUT_LEN") {
 unsafe {MAX_INPUT_SIZE = str::parse::(&input_len).expect("FUZZ_INPUT_LEN was not a number");}
 }
+ unsafe {dbg!(MAX_INPUT_SIZE);}
 let mut run_client = |state: Option<_>, mut mgr, _core_id| {
 // Initialize QEMU
@@ -172,11 +173,11 @@ pub fn fuzz() {
 let mut harness = |input: &BytesInput| {
 let target = input.target_bytes();
 let mut buf = target.as_slice();
- let len = buf.len();
+ let mut len = buf.len();
 unsafe {
 if len > MAX_INPUT_SIZE {
 buf = &buf[0..MAX_INPUT_SIZE];
- // len = MAX_INPUT_SIZE;
+ len = MAX_INPUT_SIZE;
 }
 emu.write_phys_mem(input_addr, buf);
@@ -222,7 +223,7 @@ pub fn fuzz() {
 );
 #[cfg(feature = "systemstate")]
 let mut feedback = feedback_or!(
- // DumpSystraceFeedback::with_dump(None),
+ // DumpSystraceFeedback::with_dump(env::var("TRACE_DUMP").ok().map(PathBuf::from)),
 NovelSystemStateFeedback::default(),
 feedback
 );
@@ -377,6 +378,23 @@ pub fn fuzz() {
 }
 }
 }
+ if let Ok(td) = env::var("CASE_DUMP") {
+ println!("Dumping worst case to {:?}", td);
+ let corpus = state.corpus();
+ let mut worst = Duration::new(0,0);
+ let mut worst_input = None;
+ for i in 0..corpus.count() {
+ let tc = corpus.get(i).expect("Could not get element from corpus").borrow();
+ if worst < tc.exec_time().expect("Testcase missing duration") {
+ worst_input = Some(tc.input().as_ref().unwrap().bytes().to_owned());
+ worst = tc.exec_time().expect("Testcase missing duration");
+ }
+ }
+ match worst_input {
+ Some(wi) => {fs::write(&td,wi).expect("Failed to write worst corpus element");},
+ None => (),
+ }
+ }
 },
 }
 }
diff --git a/fuzzers/FRET/src/lib.rs b/fuzzers/FRET/src/lib.rs
new file mode 100644
index 0000000000..36557a3ab5
--- /dev/null
+++ b/fuzzers/FRET/src/lib.rs
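Review bot: `unsafe {dbg!(MAX_INPUT_SIZE);}` reads as a debugging leftover: `dbg!` prints with file and line to stderr, so it does not even land in the `$@_log` the Makefile captures with `>`, and it stays in release builds. If the effective limit is worth recording, `println!("MAX_INPUT_SIZE = {}", MAX_INPUT_SIZE);` inside the same `unsafe` block says so deliberately; otherwise drop the line. The block also deserves a `// SAFETY:` note stating why reading the `static mut` here is sound — presumably because it is only written on the line above, before `run_client` is handed to the launcher — but this hunk alone cannot confirm that invariant. `fuzz()` starts and ends outside the hunk.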
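Review bot: The `DumpSystraceFeedback::with_dump(...)` line in the `@@ -222,7 +223,7 @@` hunk stays commented out, so `TRACE_DUMP` — which fuzzer.sh starts accepting as `${11}` in this same commit — is read by no live code, and a reader of the shell script will expect it to have an effect. Either enable the feedback behind an env check or a `cfg`, or drop both the commented line and the shell plumbing; if it is meant to remain a manual toggle, say so in place of the bare commented code, e.g. `// Uncomment to write the system-state trace to $TRACE_DUMP (off by default: slows the run)`.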
@@ -0,0 +1,11 @@
+#![feature(is_sorted)]
+#[cfg(target_os = "linux")]
+mod fuzzer;
+#[cfg(target_os = "linux")]
+mod clock;
+#[cfg(target_os = "linux")]
+mod qemustate;
+#[cfg(target_os = "linux")]
+pub mod systemstate;
+#[cfg(target_os = "linux")]
+mod worst;
\ No newline at end of file
diff --git a/fuzzers/FRET/src/systemstate/mod.rs b/fuzzers/FRET/src/systemstate/mod.rs
index 6269d9cbcb..7d4f04e0d2 100644
--- a/fuzzers/FRET/src/systemstate/mod.rs
+++ b/fuzzers/FRET/src/systemstate/mod.rs
@@ -42,9 +42,9 @@ static mut CURRENT_SYSTEMSTATE_VEC: Vec = vec![];
 /// A reduced version of freertos::TCB_t
 #[derive(Debug, Default, Serialize, Deserialize, Clone, PartialEq)]
 pub struct RefinedTCB {
- task_name: String,
- priority: u32,
- base_priority: u32,
+ pub task_name: String,
+ pub priority: u32,
+ pub base_priority: u32,
 mutexes_held: u32,
 notify_value: u32,
 notify_state: u8,
@@ -94,11 +94,11 @@ impl RefinedTCB {
 /// Refined information about the states an execution transitioned between
 #[derive(Debug, Default, Serialize, Deserialize, Clone)]
 pub struct RefinedFreeRTOSSystemState {
- start_tick: u64,
- end_tick: u64,
+ pub start_tick: u64,
+ pub end_tick: u64,
 last_pc: Option,
 input_counter: u32,
- current_task: RefinedTCB,
+ pub current_task: RefinedTCB,
 ready_list_after: Vec,
 }
 impl PartialEq for RefinedFreeRTOSSystemState {
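Review bot: Every module except `systemstate` is declared private and, as far as this file shows, nothing in lib.rs uses them, so a library build will warn about dead code in `fuzzer`, `clock`, `qemustate` and `worst`; if the binary declares the same modules from its own main.rs (not visible here), each is compiled twice and the two copies share no private items. Either re-export what the binary needs (`pub use fuzzer::fuzz;`) and have main.rs call into the library, or keep lib.rs to `pub mod systemstate` alone. A `//!` crate doc stating which of those two roles this file plays — e.g. `//! Library view of the FRET fuzzer; exposes the system-state model for out-of-process tooling` if that is the intent — would settle it for readers, and the `#![feature(is_sorted)]` line deserves a note on which module needs nightly.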
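Review bot: Making `task_name`, `priority` and `base_priority` public fields (this hunk) and `start_tick`, `end_tick` and `current_task` likewise (the `@@ -94,11 +94,11 @@` hunk) allows mutation from outside the module, while `RefinedFreeRTOSSystemState` keeps a hand-written `PartialEq` that starts right after the hunk and presumably compares some of those fields. Read-only accessors (`pub fn start_tick(&self) -> u64 { self.start_tick }` and friends), or `pub(crate)` if the only consumer is the worst-case dump added in this commit, expose the same data without loosening that invariant. Newly public fields also need `///` docs, e.g. `/// Tick at which this state was entered` — with the unit (FreeRTOS ticks or icount) stated once it is confirmed, since the hunk does not say.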