diff --git a/fuzzers/FRET/Cargo.toml b/fuzzers/FRET/Cargo.toml
index 13778f3b90..d42c2d9312 100644
--- a/fuzzers/FRET/Cargo.toml
+++ b/fuzzers/FRET/Cargo.toml
@@ -16,6 +16,7 @@ feed_systemgraph = [ "systemstate" ]
 feed_systemtrace = [ "systemstate" ]
 feed_longest = [ ]
 feed_afl = [ ]
+fuzz_int = [ ]
 
 [profile.release]
 lto = true
diff --git a/fuzzers/FRET/benchmark/Snakefile b/fuzzers/FRET/benchmark/Snakefile
index d0cd8a8bd9..faae700ba5 100644
--- a/fuzzers/FRET/benchmark/Snakefile
+++ b/fuzzers/FRET/benchmark/Snakefile
@@ -43,6 +43,30 @@ rule build_graph:
     shell:
         "cargo build --target-dir {output} {def_flags},feed_systemgraph"
 
+rule build_showmap_int:
+    output:
+        directory("bins/target_showmap_int")
+    shell:
+        "cargo build --target-dir {output} {def_flags},systemstate,fuzz_int"
+
+rule build_random_int:
+    output:
+        directory("bins/target_random_int")
+    shell:
+        "cargo build --target-dir {output} {def_flags},feed_longest,fuzz_int"
+
+rule build_state_int:
+    output:
+        directory("bins/target_state_int")
+    shell:
+        "cargo build --target-dir {output} {def_flags},feed_systemtrace,fuzz_int"
+
+rule build_afl_int:
+    output:
+        directory("bins/target_afl_int")
+    shell:
+        "cargo build --target-dir {output} {def_flags},feed_afl,feed_longest,fuzz_int"
+
 rule run_bench:
     input:
         "build/{target}.elf",
@@ -149,4 +173,8 @@ rule all_periodic:
 
 rule all_compare_afl_longest:
     input:
-        expand("timedump/{fuzzer}/{target}.{num}", fuzzer=['afl','feedlongest','feedaflnolongest'], target=['waters'],num=range(0,10))
\ No newline at end of file
+        expand("timedump/{fuzzer}/{target}.{num}", fuzzer=['afl','feedlongest','feedaflnolongest'], target=['waters'],num=range(0,10))
+
+rule all_micro:
+    input:
+        expand("timedump/{fuzzer}/{target}.{num}", fuzzer=['afl_int','state_int','random_int'], target=['micro_int'],num=range(0,10))
\ No newline at end of file
diff --git a/fuzzers/FRET/benchmark/target_symbols.csv b/fuzzers/FRET/benchmark/target_symbols.csv
index fff51edf76..cdf2bb942b 100644
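Review bot: The new `all_micro` rule leaves the Snakefile without a trailing newline (the new side still carries `\ No newline at end of file`), so the next append will again turn a one-line addition into a rewrite of the last line; end the file with a newline. The `target_symbols.csv` hunk has the same problem. Whether `run_bench` maps the fuzzer names `afl_int`, `state_int` and `random_int` onto the new `bins/target_*_int` build directories is decided by rules outside this hunk, so I could not confirm from the diff that the new targets are actually reachable.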
--- a/fuzzers/FRET/benchmark/target_symbols.csv
+++ b/fuzzers/FRET/benchmark/target_symbols.csv
@@ -16,4 +16,5 @@ tmr,main,FUZZ_INPUT,32,trigger_Qemu_break
 tacle_rtos,prvStage0,FUZZ_INPUT,604,trigger_Qemu_break
 lift,main_lift,FUZZ_INPUT,100,trigger_Qemu_break
 waters,main_waters,FUZZ_INPUT,4096,trigger_Qemu_break
-micro_branchless,main_branchless,FUZZ_INPUT,4,trigger_Qemu_break
\ No newline at end of file
+micro_branchless,main_branchless,FUZZ_INPUT,4,trigger_Qemu_break
+micro_int,main_branchless,FUZZ_INPUT,16,trigger_Qemu_break
\ No newline at end of file
diff --git a/fuzzers/FRET/src/fuzzer.rs b/fuzzers/FRET/src/fuzzer.rs
index 550dd0d06f..4259067bed 100644
--- a/fuzzers/FRET/src/fuzzer.rs
+++ b/fuzzers/FRET/src/fuzzer.rs
@@ -1,7 +1,7 @@
 //! A fuzzer using qemu in systemmode for binary-only coverage of kernels
 //!
 use core::time::Duration;
-use std::{env, path::PathBuf, process::{self, abort}, io::{Read, Write}, fs::{self, OpenOptions}};
+use std::{env, path::PathBuf, process::{self, abort}, io::{Read, Write}, fs::{self, OpenOptions}, cmp::min};
 
 use libafl::{
     bolts::{
@@ -64,7 +64,7 @@ pub fn fuzz() {
         str::parse::(&s).expect("FUZZ_SIZE was not a number");
     };
     // Hardcoded parameters
-    let timeout = Duration::from_secs(3);
+    let timeout = Duration::from_secs(1);
     let broker_port = 1337;
     let cores = Cores::from_cmdline("1").unwrap();
     let corpus_dirs = [PathBuf::from("./corpus")];
@@ -177,6 +177,16 @@ pub fn fuzz() {
         let mut buf = target.as_slice();
         let mut len = buf.len();
         unsafe {
+            #[cfg(feature = "fuzz_int")]
+            {
+                let mut t : [u8; 4] = [0,0,0,0];
+                for i in 0..min(4,len) {
+                    t[i as usize]=buf[i as usize];
+                }
+                libafl_int_offset = u32::from_le_bytes(t);
+                buf = &buf[min(4,len) as usize..];
+                len = buf.len();
+            }
             if len > MAX_INPUT_SIZE {
                 buf = &buf[0..MAX_INPUT_SIZE];
                 len = MAX_INPUT_SIZE;
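Review bot: The hardcoded timeout drops from 3 s to 1 s in the only line this hunk changes, with no comment saying why; `fuzz()` itself starts and ends outside the hunk. If this value bounds the emulated run, any input that executes longer than a second is now reported as a timeout instead of being measured, which for a configuration that rewards long executions (`feed_longest`) may discard exactly the inputs of interest; I could not tell from the diff whether the comparison is against wall-clock or emulated time. Record the reasoning next to the value, e.g. `// Hardcoded parameters; the 1 s timeout must exceed the longest legitimate run of the benchmark targets`, once that bound has been confirmed.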
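Review bot: `libafl_int_offset` receives a `u32` taken verbatim from the first four fuzzer-controlled input bytes and nothing in this hunk bounds it; if the name is accurate and the value is later used as an offset, the consumer (outside this hunk, like the rest of `fuzz()`) must range-check it, and the assignment to what appears to be a `static mut` from inside the harness is only race-free while `cores` stays at a single core. The copy loop also carries no-op `as usize` casts (`len` is already a `usize` from `buf.len()`), evaluates `min(4,len)` twice, and is the sole reason for the new `cmp::min` import, whereas `split_at` with the inherent `len.min(4)` expresses the same split without an index loop. Inputs shorter than four bytes are zero-padded and fully consumed, leaving an empty target input; that behaviour is deliberate as far as I can tell and deserves a comment.

```rust
            #[cfg(feature = "fuzz_int")]
            {
                // The first four input bytes (little-endian, zero-padded when the
                // input is shorter) select the integer offset; the rest is the
                // actual target input.
                let (head, rest) = buf.split_at(len.min(4));
                let mut t = [0u8; 4];
                t[..head.len()].copy_from_slice(head);
                libafl_int_offset = u32::from_le_bytes(t);
                buf = rest;
                len = buf.len();
            }
            // … unchanged: MAX_INPUT_SIZE truncation …
```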