update input sizes, dump worstcase, benchmarking

This commit is contained in:
Alwin Berger 2023-02-07 14:59:21 +01:00
parent 594554eca0
commit 9cadc5d61c
7 changed files with 69 additions and 29 deletions


@ -1,4 +1,4 @@
TIME=1600 TIME=5400
corpora/%/seed: corpora/%/seed:
mkdir -p $$(dirname $@) mkdir -p $$(dirname $@)
@ -13,7 +13,7 @@ corpora/%/seed:
DUMP_SEED=seed; \ DUMP_SEED=seed; \
../fuzzer.sh ../fuzzer.sh
timedump/%$(FUZZ_RANDOM): corpora/%/seed timedump/%$(FUZZ_RANDOM)$(SUFFIX): corpora/%/seed
mkdir -p $$(dirname $@) mkdir -p $$(dirname $@)
LINE=$$(grep "^$$(basename $*)" target_symbols.csv); \ LINE=$$(grep "^$$(basename $*)" target_symbols.csv); \
export \ export \
@ -23,7 +23,8 @@ timedump/%$(FUZZ_RANDOM): corpora/%/seed
FUZZ_INPUT_LEN=$$(echo $$LINE | cut -d, -f4) \ FUZZ_INPUT_LEN=$$(echo $$LINE | cut -d, -f4) \
BREAKPOINT=$$(echo $$LINE | cut -d, -f5) \ BREAKPOINT=$$(echo $$LINE | cut -d, -f5) \
SEED_RANDOM=1 \ SEED_RANDOM=1 \
TIME_DUMP=benchmark/$@; \ TIME_DUMP=benchmark/$@ \
CASE_DUMP=benchmark/$@.case; \
../fuzzer.sh + + + + + $(TIME) + + + > $@_log ../fuzzer.sh + + + + + $(TIME) + + + > $@_log
#SEED_DIR=benchmark/corpora/$* #SEED_DIR=benchmark/corpora/$*
@ -33,18 +34,24 @@ all_sequential: timedump/sequential/mpeg2$(FUZZ_RANDOM) timedump/sequential/dijk
all_kernel: timedump/kernel/bsort$(FUZZ_RANDOM) timedump/kernel/insertsort$(FUZZ_RANDOM) #timedump/kernel/fft$(FUZZ_RANDOM) all_kernel: timedump/kernel/bsort$(FUZZ_RANDOM) timedump/kernel/insertsort$(FUZZ_RANDOM) #timedump/kernel/fft$(FUZZ_RANDOM)
all_app: timedump/app/lift$(FUZZ_RANDOM)
all_system: timedump/lift$(FUZZ_RANDOM)$(SUFFIX)
all_period: timedump/waters$(FUZZ_RANDOM)$(SUFFIX)
tacle_rtos: timedump/tacle_rtos$(FUZZ_RANDOM) tacle_rtos: timedump/tacle_rtos$(FUZZ_RANDOM)
graphics: graphics:
Rscript --vanilla plot_comparison.r sequential audiobeam Rscript --vanilla plot_comparison.r mnt/timedump/sequential audiobeam
Rscript --vanilla plot_comparison.r sequential dijkstra Rscript --vanilla plot_comparison.r mnt/timedump/sequential dijkstra
Rscript --vanilla plot_comparison.r sequential epic Rscript --vanilla plot_comparison.r mnt/timedump/sequential epic
Rscript --vanilla plot_comparison.r sequential g723_enc Rscript --vanilla plot_comparison.r mnt/timedump/sequential g723_enc
# Rscript --vanilla plot_comparison.r sequential gsm_enc # Rscript --vanilla plot_comparison.r mnt/timedump/sequential gsm_enc
# Rscript --vanilla plot_comparison.r sequential huff_dec # Rscript --vanilla plot_comparison.r mnt/timedump/sequential huff_dec
Rscript --vanilla plot_comparison.r sequential mpeg2 Rscript --vanilla plot_comparison.r mnt/timedump/sequential mpeg2
Rscript --vanilla plot_comparison.r sequential rijndael_dec # Rscript --vanilla plot_comparison.r mnt/timedump/sequential rijndael_dec
Rscript --vanilla plot_comparison.r sequential rijndael_enc # Rscript --vanilla plot_comparison.r mnt/timedump/sequential rijndael_enc
clean: clean:
rm -rf corpora timedump rm -rf corpora timedump
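Review bot: The pattern rule is now `timedump/%$(FUZZ_RANDOM)$(SUFFIX): corpora/%/seed`, but the prerequisites of `all_kernel`, `all_sequential` and `tacle_rtos` still end in `$(FUZZ_RANDOM)` alone, so whenever `SUFFIX` is non-empty (as `all_system` and `all_period` evidently expect) those targets no longer match the rule and make has no recipe for them. Either append `$(SUFFIX)` to each of those prerequisites or document the intended split above the rule, e.g. `# SUFFIX selects the fuzzer variant appended to every timedump/* output; targets without it only build when SUFFIX is empty`. The `all_sequential` prerequisite list is cut off at the hunk header, so its full contents are not visible here.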


@ -5,8 +5,8 @@ args = commandArgs(trailingOnly=TRUE)
myolors=c("dark green","dark blue","dark red") # grün, balu, rot myolors=c("dark green","dark blue","dark red") # grün, balu, rot
if (length(args)==0) { if (length(args)==0) {
runtype="timedump_exp02" runtype="timedump"
target="tacle_rtos" target="waters"
filename_1=sprintf("%s.png",target) filename_1=sprintf("%s.png",target)
filename_2=sprintf("%s_maxline.png",target) filename_2=sprintf("%s_maxline.png",target)
filename_3=sprintf("%s_hist.png",target) filename_3=sprintf("%s_hist.png",target)
@ -19,7 +19,7 @@ if (length(args)==0) {
# filename_1=args[3] # filename_1=args[3]
} }
file_1=sprintf("~/code/FRET/LibAFL/fuzzers/FRET/benchmark/%s/%s",runtype,target) file_1=sprintf("~/code/FRET/LibAFL/fuzzers/FRET/benchmark/%s/%s_state",runtype,target)
file_2=sprintf("~/code/FRET/LibAFL/fuzzers/FRET/benchmark/%s/%s_afl",runtype,target) file_2=sprintf("~/code/FRET/LibAFL/fuzzers/FRET/benchmark/%s/%s_afl",runtype,target)
file_3=sprintf("~/code/FRET/LibAFL/fuzzers/FRET/benchmark/%s/%s_random",runtype,target) file_3=sprintf("~/code/FRET/LibAFL/fuzzers/FRET/benchmark/%s/%s_random",runtype,target)
timetrace <- read.table(file_1, quote="\"", comment.char="") timetrace <- read.table(file_1, quote="\"", comment.char="")


@ -13,4 +13,6 @@ huff_dec,huff_dec_main,huff_dec_encoded,419,huff_dec_return
huff_enc,huff_enc_main,huff_enc_plaintext,600,huff_enc_return huff_enc,huff_enc_main,huff_enc_plaintext,600,huff_enc_return
gsm_enc,gsm_enc_main,gsm_enc_pcmdata,6400,gsm_enc_return gsm_enc,gsm_enc_main,gsm_enc_pcmdata,6400,gsm_enc_return
tmr,main,FUZZ_INPUT,32,trigger_Qemu_break tmr,main,FUZZ_INPUT,32,trigger_Qemu_break
tacle_rtos,prvStage0,FUZZ_INPUT,604,trigger_Qemu_break tacle_rtos,prvStage0,FUZZ_INPUT,604,trigger_Qemu_break
lift,main_lift,FUZZ_INPUT,100,trigger_Qemu_break
waters,main_waters,FUZZ_INPUT,4096,trigger_Qemu_break
1 kernel main_function input_symbol input_size return_function
13 huff_enc huff_enc_main huff_enc_plaintext 600 huff_enc_return
14 gsm_enc gsm_enc_main gsm_enc_pcmdata 6400 gsm_enc_return
15 tmr main FUZZ_INPUT 32 trigger_Qemu_break
16 tacle_rtos prvStage0 FUZZ_INPUT 604 trigger_Qemu_break
17 lift main_lift FUZZ_INPUT 100 trigger_Qemu_break
18 waters main_waters FUZZ_INPUT 4096 trigger_Qemu_break


@ -9,8 +9,10 @@ cd "$parent_path"
[ -n "$5" -a "$5" != "+" -a -z "$BREAKPOINT" ] && export BREAKPOINT="$5" [ -n "$5" -a "$5" != "+" -a -z "$BREAKPOINT" ] && export BREAKPOINT="$5"
[ -n "$6" -a "$6" != "+" -a -z "$FUZZ_ITERS" ] && export FUZZ_ITERS="$6" [ -n "$6" -a "$6" != "+" -a -z "$FUZZ_ITERS" ] && export FUZZ_ITERS="$6"
[ -n "$7" -a "$7" != "+" -a -z "$TIME_DUMP" ] && export TIME_DUMP="$7" [ -n "$7" -a "$7" != "+" -a -z "$TIME_DUMP" ] && export TIME_DUMP="$7"
[ -n "$8" -a "$8" != "+" -a -z "$DO_SHOWMAP" ] && export DO_SHOWMAP="$8" [ -n "$8" -a "$8" != "+" -a -z "$CASE_DUMP" ] && export CASE_DUMP="$8"
[ -n "$9" -a "$9" != "+" -a -z "$SHOWMAP_TEXTINPUT" ] && export SHOWMAP_TEXTINPUT="$9" [ -n "$9" -a "$9" != "+" -a -z "$DO_SHOWMAP" ] && export DO_SHOWMAP="$9"
[ -n "${10}" -a "${10}" != "+" -a -z "$SHOWMAP_TEXTINPUT" ] && export SHOWMAP_TEXTINPUT="${10}"
[ -n "${11}" -a "${11}" != "+" -a -z "$TRACE_DUMP" ] && export TRACE_DUMP="${11}"
[ -z "$FUZZER" ] && export FUZZER=target/debug/fret [ -z "$FUZZER" ] && export FUZZER=target/debug/fret
$FUZZER -icount shift=3,align=off,sleep=off -machine mps2-an385 -monitor null -kernel $KERNEL -serial null -nographic -S -semihosting --semihosting-config enable=on,target=native -snapshot -drive if=none,format=qcow2,file=dummy.qcow2 $FUZZER -icount shift=4,align=off,sleep=off -machine mps2-an385 -monitor null -kernel $KERNEL -serial null -nographic -S -semihosting --semihosting-config enable=on,target=native -snapshot -drive if=none,format=qcow2,file=dummy.qcow2
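Review bot: Inserting `CASE_DUMP` at position `$8` shifts `DO_SHOWMAP`, `SHOWMAP_TEXTINPUT` and the new `TRACE_DUMP` to `$9`, `${10}` and `${11}`, so any caller still using the old positional layout silently assigns the wrong variable instead of failing; the only caller visible in this commit (the Makefile, which passes nine `+`/`$(TIME)` arguments) is unaffected, other callers are not visible here. A usage comment pinning the order would make the contract explicit, e.g. `# positional args 7-11: TIME_DUMP CASE_DUMP DO_SHOWMAP SHOWMAP_TEXTINPUT TRACE_DUMP ('+' skips one)`; the argument block starts before this hunk. The `-icount shift=3` → `shift=4` change alters the virtual instruction-counter rate, so timing dumps produced before and after this commit are presumably not comparable and that deserves a comment next to the flag.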


@ -28,7 +28,7 @@ use libafl::{
stages::StdMutationalStage, stages::StdMutationalStage,
state::{HasCorpus, StdState, HasMetadata}, state::{HasCorpus, StdState, HasMetadata},
Error, Error,
prelude::{SimpleMonitor, SimpleEventManager, AsMutSlice, RandBytesGenerator, Generator, SimpleRestartingEventManager}, Evaluator, prelude::{SimpleMonitor, SimpleEventManager, AsMutSlice, RandBytesGenerator, Generator, SimpleRestartingEventManager, HasBytesVec}, Evaluator,
}; };
use libafl_qemu::{ use libafl_qemu::{
edges, edges::QemuEdgeCoverageHelper, elf::EasyElf, emu::Emulator, GuestPhysAddr, QemuExecutor, edges, edges::QemuEdgeCoverageHelper, elf::EasyElf, emu::Emulator, GuestPhysAddr, QemuExecutor,
@ -151,6 +151,7 @@ pub fn fuzz() {
if let Ok(input_len) = env::var("FUZZ_INPUT_LEN") { if let Ok(input_len) = env::var("FUZZ_INPUT_LEN") {
unsafe {MAX_INPUT_SIZE = str::parse::<usize>(&input_len).expect("FUZZ_INPUT_LEN was not a number");} unsafe {MAX_INPUT_SIZE = str::parse::<usize>(&input_len).expect("FUZZ_INPUT_LEN was not a number");}
} }
unsafe {dbg!(MAX_INPUT_SIZE);}
let mut run_client = |state: Option<_>, mut mgr, _core_id| { let mut run_client = |state: Option<_>, mut mgr, _core_id| {
// Initialize QEMU // Initialize QEMU
@ -172,11 +173,11 @@ pub fn fuzz() {
let mut harness = |input: &BytesInput| { let mut harness = |input: &BytesInput| {
let target = input.target_bytes(); let target = input.target_bytes();
let mut buf = target.as_slice(); let mut buf = target.as_slice();
let len = buf.len(); let mut len = buf.len();
unsafe { unsafe {
if len > MAX_INPUT_SIZE { if len > MAX_INPUT_SIZE {
buf = &buf[0..MAX_INPUT_SIZE]; buf = &buf[0..MAX_INPUT_SIZE];
// len = MAX_INPUT_SIZE; len = MAX_INPUT_SIZE;
} }
emu.write_phys_mem(input_addr, buf); emu.write_phys_mem(input_addr, buf);
@ -222,7 +223,7 @@ pub fn fuzz() {
); );
#[cfg(feature = "systemstate")] #[cfg(feature = "systemstate")]
let mut feedback = feedback_or!( let mut feedback = feedback_or!(
// DumpSystraceFeedback::with_dump(None), // DumpSystraceFeedback::with_dump(env::var("TRACE_DUMP").ok().map(PathBuf::from)),
NovelSystemStateFeedback::default(), NovelSystemStateFeedback::default(),
feedback feedback
); );
@ -377,6 +378,23 @@ pub fn fuzz() {
} }
} }
} }
if let Ok(td) = env::var("CASE_DUMP") {
println!("Dumping worst case to {:?}", td);
let corpus = state.corpus();
let mut worst = Duration::new(0,0);
let mut worst_input = None;
for i in 0..corpus.count() {
let tc = corpus.get(i).expect("Could not get element from corpus").borrow();
if worst < tc.exec_time().expect("Testcase missing duration") {
worst_input = Some(tc.input().as_ref().unwrap().bytes().to_owned());
worst = tc.exec_time().expect("Testcase missing duration");
}
}
match worst_input {
Some(wi) => {fs::write(&td,wi).expect("Failed to write worst corpus element");},
None => (),
}
}
}, },
} }
} }
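Review bot: `tc.exec_time().expect("Testcase missing duration")` and `tc.input().as_ref().unwrap()` turn any corpus entry without a recorded duration or a loaded input into a panic, and since this loop runs at the end of `fuzz()` (whose body starts and ends outside the hunk) one such entry aborts the process and loses the dump entirely; skipping those entries keeps the dump best-effort. Whether `input()` can be `None` depends on the corpus type in use, which is not visible here, so this is hedged. The `None => ()` arm is clearer as `if let`, and when no candidate is found nothing is written and nothing is printed, which is easy to mistake for a successful dump. The rewrite below also calls `exec_time()` once per entry. Separately, the `unsafe {dbg!(MAX_INPUT_SIZE);}` added in the earlier hunk of this file looks like leftover debugging output.
```rust
if let Ok(td) = env::var("CASE_DUMP") {
    println!("Dumping worst case to {:?}", td);
    let corpus = state.corpus();
    let mut worst = Duration::new(0, 0);
    let mut worst_input: Option<Vec<u8>> = None;
    for i in 0..corpus.count() {
        let tc = corpus.get(i).expect("Could not get element from corpus").borrow();
        // Skip entries without a duration or a loaded input instead of panicking at shutdown.
        let Some(t) = tc.exec_time().as_ref().copied() else { continue };
        let Some(input) = tc.input().as_ref() else { continue };
        if worst < t {
            worst = t;
            worst_input = Some(input.bytes().to_owned());
        }
    }
    match worst_input {
        Some(wi) => fs::write(&td, wi).expect("Failed to write worst corpus element"),
        None => eprintln!("CASE_DUMP: no corpus entry with a recorded exec_time, nothing written"),
    }
}
```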

11
fuzzers/FRET/src/lib.rs Normal file

@ -0,0 +1,11 @@
#![feature(is_sorted)]
#[cfg(target_os = "linux")]
mod fuzzer;
#[cfg(target_os = "linux")]
mod clock;
#[cfg(target_os = "linux")]
mod qemustate;
#[cfg(target_os = "linux")]
pub mod systemstate;
#[cfg(target_os = "linux")]
mod worst;


@ -42,9 +42,9 @@ static mut CURRENT_SYSTEMSTATE_VEC: Vec<RawFreeRTOSSystemState> = vec![];
/// A reduced version of freertos::TCB_t /// A reduced version of freertos::TCB_t
#[derive(Debug, Default, Serialize, Deserialize, Clone, PartialEq)] #[derive(Debug, Default, Serialize, Deserialize, Clone, PartialEq)]
pub struct RefinedTCB { pub struct RefinedTCB {
task_name: String, pub task_name: String,
priority: u32, pub priority: u32,
base_priority: u32, pub base_priority: u32,
mutexes_held: u32, mutexes_held: u32,
notify_value: u32, notify_value: u32,
notify_state: u8, notify_state: u8,
@ -94,11 +94,11 @@ impl RefinedTCB {
/// Refined information about the states an execution transitioned between /// Refined information about the states an execution transitioned between
#[derive(Debug, Default, Serialize, Deserialize, Clone)] #[derive(Debug, Default, Serialize, Deserialize, Clone)]
pub struct RefinedFreeRTOSSystemState { pub struct RefinedFreeRTOSSystemState {
start_tick: u64, pub start_tick: u64,
end_tick: u64, pub end_tick: u64,
last_pc: Option<u64>, last_pc: Option<u64>,
input_counter: u32, input_counter: u32,
current_task: RefinedTCB, pub current_task: RefinedTCB,
ready_list_after: Vec<RefinedTCB>, ready_list_after: Vec<RefinedTCB>,
} }
impl PartialEq for RefinedFreeRTOSSystemState { impl PartialEq for RefinedFreeRTOSSystemState {
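Review bot: The visibility widening on `task_name`, `priority`, `base_priority`, `start_tick`, `end_tick` and `current_task` is `pub` rather than `pub(crate)`, which exports these fields through the crate's public `systemstate` module (the new lib.rs declares `pub mod systemstate`) while `mutexes_held`, `last_pc`, `input_counter` and `ready_list_after` stay private, so the mixed visibility reads as an accident of whatever the consumer happened to need rather than a designed API. If the consumer is only the in-crate `worst` module, `pub(crate)` on these six fields gives the same access without committing the field layout to external users; if they are meant to be public, each needs a doc comment, e.g. `/// Task name copied from the TCB` on `task_name`. The `impl PartialEq` on the last line continues outside the hunk.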