SYS-OSS/FRET-LibAFL
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

more speedy settings

Browse Source
This commit is contained in:
Dominik Maier 2020-12-11 11:10:45 +01:00
commit b1aafd7a28
6 changed files with 84 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -10,6 +10,7 @@ Cargo.lock
*.dll *.dll
*.exe *.exe
callgrind.out.*
perf.data perf.data
perf.data.old perf.data.old

3
afl/Cargo.toml
View File

@ -23,7 +23,6 @@ harness = false
[profile.release] [profile.release]
lto = true lto = true
codegen-units = 1
opt-level = 3 opt-level = 3
debug = true debug = true
@ -38,4 +37,4 @@ num = "*"
xxhash-rust = { version = "0.8.0", features = ["xxh3"] } # xxh3 hashing for rust xxhash-rust = { version = "0.8.0", features = ["xxh3"] } # xxh3 hashing for rust
serde = { version = "1.0", default-features = false, features = ["alloc"] } # serialization lib serde = { version = "1.0", default-features = false, features = ["alloc"] } # serialization lib
erased-serde = "0.3.12" erased-serde = "0.3.12"
postcard = { version = "0.5.1", features = ["alloc"] } # no_std compatible serde serialization fromat postcard = { version = "0.5.1", features = ["alloc"] } # no_std compatible serde serialization fromat

72
afl/src/mutators/scheduled.rs
View File

@ -20,20 +20,15 @@ where
} }
/// Get the next mutation to apply /// Get the next mutation to apply
#[inline]
fn schedule( fn schedule(
&mut self, &mut self,
mutations_count: usize,
rand: &mut R, rand: &mut R,
_input: &I, _input: &I,
) -> Result<MutationFunction<Self, C, I, R>, AflError> { ) -> usize {
let count = self.mutations_count() as u64; debug_assert!(mutations_count > 0);
if count == 0 { rand.below(mutations_count as u64) as usize
return Err(AflError::Empty("no mutations".into()));
}
let idx;
{
idx = rand.below(count) as usize;
}
Ok(self.mutation_by_idx(idx))
} }
/// New default implementation for mutate /// New default implementation for mutate
@ -47,7 +42,8 @@ where
) -> Result<(), AflError> { ) -> Result<(), AflError> {
let num = self.iterations(rand, input); let num = self.iterations(rand, input);
for _ in 0..num { for _ in 0..num {
self.schedule(rand, input)?(self, rand, corpus, input)?; let idx = self.schedule(self.mutations_count(), rand, input);
self.mutation_by_idx(idx)(self, rand, corpus, input)?;
} }
Ok(()) Ok(())
} }
@ -86,14 +82,17 @@ where
I: Input, I: Input,
R: Rand, R: Rand,
{ {
#[inline]
fn mutation_by_idx(&self, index: usize) -> MutationFunction<Self, C, I, R> { fn mutation_by_idx(&self, index: usize) -> MutationFunction<Self, C, I, R> {
self.mutations[index] self.mutations[index]
} }
#[inline]
fn mutations_count(&self) -> usize { fn mutations_count(&self) -> usize {
self.mutations.len() self.mutations.len()
} }
#[inline]
fn add_mutation(&mut self, mutation: MutationFunction<Self, C, I, R>) { fn add_mutation(&mut self, mutation: MutationFunction<Self, C, I, R>) {
self.mutations.push(mutation) self.mutations.push(mutation)
} }
@ -151,7 +150,7 @@ where
/// Schedule some selected byte level mutations given a ScheduledMutator type /// Schedule some selected byte level mutations given a ScheduledMutator type
pub struct HavocBytesMutator<SM, C, I, R> pub struct HavocBytesMutator<SM, C, I, R>
where where
SM: ScheduledMutator<C, I, R>, SM: ScheduledMutator<C, I, R> + HasMaxSize,
C: Corpus<I, R>, C: Corpus<I, R>,
I: Input + HasBytesVec, I: Input + HasBytesVec,
R: Rand, R: Rand,
@ -162,7 +161,7 @@ where
impl<SM, C, I, R> Mutator<C, I, R> for HavocBytesMutator<SM, C, I, R> impl<SM, C, I, R> Mutator<C, I, R> for HavocBytesMutator<SM, C, I, R>
where where
SM: ScheduledMutator<C, I, R>, SM: ScheduledMutator<C, I, R> + HasMaxSize,
C: Corpus<I, R>, C: Corpus<I, R>,
I: Input + HasBytesVec, I: Input + HasBytesVec,
R: Rand, R: Rand,
@ -173,15 +172,55 @@ where
rand: &mut R, rand: &mut R,
corpus: &C, corpus: &C,
input: &mut I, input: &mut I,
stage_idx: i32, _stage_idx: i32,
) -> Result<(), AflError> { ) -> Result<(), AflError> {
self.scheduled.mutate(rand, corpus, input, stage_idx) //self.scheduled.mutate(rand, corpus, input, stage_idx);
let num = self.scheduled.iterations(rand, input);
for _ in 0..num {
let idx = self.scheduled.schedule(13, rand, input);
match idx {
0=> mutation_bitflip(self, rand, corpus, input)?,
1=> mutation_byteflip(self, rand, corpus, input)?,
2=> mutation_byteinc(self, rand, corpus, input)?,
3=> mutation_bytedec(self, rand, corpus, input)?,
4=> mutation_byteneg(self, rand, corpus, input)?,
5=> mutation_byterand(self, rand, corpus, input)?,
6=> mutation_byteadd(self, rand, corpus, input)?,
7=> mutation_wordadd(self, rand, corpus, input)?,
8=> mutation_dwordadd(self, rand, corpus, input)?,
9=> mutation_byteinteresting(self, rand, corpus, input)?,
10=> mutation_wordinteresting(self, rand, corpus, input)?,
11=> mutation_dwordinteresting(self, rand, corpus, input)?,
_=> mutation_splice(self, rand, corpus, input)?,
};
}
Ok(())
}
}
impl<SM, C, I, R> HasMaxSize for HavocBytesMutator<SM, C, I, R>
where
SM: ScheduledMutator<C, I, R> + HasMaxSize,
C: Corpus<I, R>,
I: Input + HasBytesVec,
R: Rand,
{
#[inline]
fn max_size(&self) -> usize {
self.scheduled.max_size()
}
#[inline]
fn set_max_size(&mut self, max_size: usize) {
self.scheduled.set_max_size(max_size);
} }
} }
impl<SM, C, I, R> HavocBytesMutator<SM, C, I, R> impl<SM, C, I, R> HavocBytesMutator<SM, C, I, R>
where where
SM: ScheduledMutator<C, I, R>, SM: ScheduledMutator<C, I, R> + HasMaxSize,
C: Corpus<I, R>, C: Corpus<I, R>,
I: Input + HasBytesVec, I: Input + HasBytesVec,
R: Rand, R: Rand,
@ -239,6 +278,7 @@ where
scheduled.add_mutation(mutation_bitflip);*/ scheduled.add_mutation(mutation_bitflip);*/
scheduled.add_mutation(mutation_splice); scheduled.add_mutation(mutation_splice);
HavocBytesMutator { HavocBytesMutator {
scheduled: scheduled, scheduled: scheduled,
phantom: PhantomData, phantom: PhantomData,

20
afl/src/serde_anymap.rs
View File

@ -156,6 +156,7 @@ macro_rules! create_serde_registry_for_trait {
} }
impl SerdeAnyMap { impl SerdeAnyMap {
#[inline]
pub fn get<T>(&self) -> Option<&T> pub fn get<T>(&self) -> Option<&T>
where where
T: $trait_name, T: $trait_name,
@ -165,6 +166,7 @@ macro_rules! create_serde_registry_for_trait {
.map(|x| x.as_ref().as_any().downcast_ref::<T>().unwrap()) .map(|x| x.as_ref().as_any().downcast_ref::<T>().unwrap())
} }
#[inline]
pub fn get_mut<T>(&mut self) -> Option<&mut T> pub fn get_mut<T>(&mut self) -> Option<&mut T>
where where
T: $trait_name, T: $trait_name,
@ -174,6 +176,7 @@ macro_rules! create_serde_registry_for_trait {
.map(|x| x.as_mut().as_any_mut().downcast_mut::<T>().unwrap()) .map(|x| x.as_mut().as_any_mut().downcast_mut::<T>().unwrap())
} }
#[inline]
pub fn insert<T>(&mut self, t: T) pub fn insert<T>(&mut self, t: T)
where where
T: $trait_name, T: $trait_name,
@ -182,10 +185,12 @@ macro_rules! create_serde_registry_for_trait {
.insert(unpack_type_id(TypeId::of::<T>()), Box::new(t)); .insert(unpack_type_id(TypeId::of::<T>()), Box::new(t));
} }
#[inline]
pub fn len(&self) -> usize { pub fn len(&self) -> usize {
self.map.len() self.map.len()
} }
#[inline]
pub fn contains<T>(&self) -> bool pub fn contains<T>(&self) -> bool
where where
T: $trait_name, T: $trait_name,
@ -212,6 +217,7 @@ macro_rules! create_serde_registry_for_trait {
} }
impl NamedSerdeAnyMap { impl NamedSerdeAnyMap {
#[inline]
pub fn get<T>(&self, name: &String) -> Option<&T> pub fn get<T>(&self, name: &String) -> Option<&T>
where where
T: Any, T: Any,
@ -224,6 +230,7 @@ macro_rules! create_serde_registry_for_trait {
} }
} }
#[inline]
pub fn by_typeid( pub fn by_typeid(
&self, &self,
name: &String, name: &String,
@ -237,6 +244,7 @@ macro_rules! create_serde_registry_for_trait {
} }
} }
#[inline]
pub fn get_mut<T>(&mut self, name: &String) -> Option<&mut T> pub fn get_mut<T>(&mut self, name: &String) -> Option<&mut T>
where where
T: Any, T: Any,
@ -249,6 +257,7 @@ macro_rules! create_serde_registry_for_trait {
} }
} }
#[inline]
pub fn by_typeid_mut( pub fn by_typeid_mut(
&mut self, &mut self,
name: &String, name: &String,
@ -262,6 +271,7 @@ macro_rules! create_serde_registry_for_trait {
} }
} }
#[inline]
pub fn get_all<T>( pub fn get_all<T>(
&self, &self,
) -> Option< ) -> Option<
@ -281,6 +291,7 @@ macro_rules! create_serde_registry_for_trait {
} }
} }
#[inline]
pub fn all_by_typeid( pub fn all_by_typeid(
&self, &self,
typeid: &TypeId, typeid: &TypeId,
@ -296,6 +307,7 @@ macro_rules! create_serde_registry_for_trait {
} }
} }
#[inline]
pub fn get_all_mut<T>( pub fn get_all_mut<T>(
&mut self, &mut self,
) -> Option< ) -> Option<
@ -316,6 +328,7 @@ macro_rules! create_serde_registry_for_trait {
} }
} }
#[inline]
pub fn all_by_typeid_mut( pub fn all_by_typeid_mut(
&mut self, &mut self,
typeid: &TypeId, typeid: &TypeId,
@ -331,6 +344,7 @@ macro_rules! create_serde_registry_for_trait {
} }
} }
#[inline]
pub fn all_typeids( pub fn all_typeids(
&self, &self,
) -> core::iter::Map< ) -> core::iter::Map<
@ -340,6 +354,7 @@ macro_rules! create_serde_registry_for_trait {
self.map.keys().map(|x| pack_type_id(*x)) self.map.keys().map(|x| pack_type_id(*x))
} }
#[inline]
pub fn for_each( pub fn for_each(
&self, &self,
func: fn(&TypeId, &Box<dyn $trait_name>) -> Result<(), AflError>, func: fn(&TypeId, &Box<dyn $trait_name>) -> Result<(), AflError>,
@ -352,6 +367,7 @@ macro_rules! create_serde_registry_for_trait {
Ok(()) Ok(())
} }
#[inline]
pub fn for_each_mut( pub fn for_each_mut(
&mut self, &mut self,
func: fn(&TypeId, &mut Box<dyn $trait_name>) -> Result<(), AflError>, func: fn(&TypeId, &mut Box<dyn $trait_name>) -> Result<(), AflError>,
@ -364,6 +380,7 @@ macro_rules! create_serde_registry_for_trait {
Ok(()) Ok(())
} }
#[inline]
pub fn insert(&mut self, val: Box<dyn $trait_name>, name: &String) { pub fn insert(&mut self, val: Box<dyn $trait_name>, name: &String) {
let id = unpack_type_id((*val).type_id()); let id = unpack_type_id((*val).type_id());
if !self.map.contains_key(&id) { if !self.map.contains_key(&id) {
@ -375,10 +392,12 @@ macro_rules! create_serde_registry_for_trait {
.insert(xxhash_rust::xxh3::xxh3_64(name.as_bytes()), val); .insert(xxhash_rust::xxh3::xxh3_64(name.as_bytes()), val);
} }
#[inline]
pub fn len(&self) -> usize { pub fn len(&self) -> usize {
self.map.len() self.map.len()
} }
#[inline]
pub fn contains_type<T>(&self) -> bool pub fn contains_type<T>(&self) -> bool
where where
T: Any, T: Any,
@ -386,6 +405,7 @@ macro_rules! create_serde_registry_for_trait {
self.map.contains_key(&unpack_type_id(TypeId::of::<T>())) self.map.contains_key(&unpack_type_id(TypeId::of::<T>()))
} }
#[inline]
pub fn contains<T>(&self, name: &String) -> bool pub fn contains<T>(&self, name: &String) -> bool
where where
T: Any, T: Any,

4
fuzzers/libfuzzer/src/lib.rs
View File

@ -18,6 +18,7 @@ use afl::executors::{Executor, ExitKind};
use afl::feedbacks::MaxMapFeedback; use afl::feedbacks::MaxMapFeedback;
use afl::generators::RandPrintablesGenerator; use afl::generators::RandPrintablesGenerator;
use afl::mutators::scheduled::HavocBytesMutator; use afl::mutators::scheduled::HavocBytesMutator;
use afl::mutators::HasMaxSize;
use afl::observers::StdMapObserver; use afl::observers::StdMapObserver;
use afl::stages::mutational::StdMutationalStage; use afl::stages::mutational::StdMutationalStage;
use afl::utils::StdRand; use afl::utils::StdRand;
@ -66,7 +67,8 @@ pub extern "C" fn afl_libfuzzer_main() {
state.add_feedback(Box::new(edges_feedback)); state.add_feedback(Box::new(edges_feedback));
let mut engine = Engine::new(executor); let mut engine = Engine::new(executor);
let mutator = HavocBytesMutator::new_default(); let mut mutator = HavocBytesMutator::new_default();
mutator.set_max_size(4096);
let stage = StdMutationalStage::new(mutator); let stage = StdMutationalStage::new(mutator);

5
fuzzers/libfuzzer/test.sh
View File

@ -3,8 +3,9 @@
cargo build --release cargo build --release
make -C runtime make -C runtime
./compiler test/test.c -o test_fuzz.elf ./compiler -flto=thin -c test/test.c -o test_fuzz.o
./compiler -flto=thin -fuse-ld=lld test_fuzz.o -o test_fuzz.elf
RUST_BACKTRACE=1 ./test_fuzz.elf RUST_BACKTRACE=1 ./test_fuzz.elf
rm ./test_fuzz.elf #rm ./test_fuzz.elf