add interrupt fuzzing

fuzzers/FRET/Cargo.toml

@@ -16,6 +16,7 @@ feed_systemgraph = [ "systemstate" ]
 feed_systemtrace = [ "systemstate" ]
 feed_longest = [ ]
 feed_afl = [ ]
+fuzz_int = [ ]
 
 [profile.release]
 lto = true

fuzzers/FRET/benchmark/Snakefile

@@ -43,6 +43,30 @@ rule build_graph:
     shell:
         "cargo build --target-dir {output} {def_flags},feed_systemgraph"
 
+rule build_showmap_int:
+    output:
+        directory("bins/target_showmap_int")
+    shell:
+        "cargo build --target-dir {output} {def_flags},systemstate,fuzz_int"
+
+rule build_random_int:
+    output:
+        directory("bins/target_random_int")
+    shell:
+        "cargo build --target-dir {output} {def_flags},feed_longest,fuzz_int"
+
+rule build_state_int:
+    output:
+        directory("bins/target_state_int")
+    shell:
+        "cargo build --target-dir {output} {def_flags},feed_systemtrace,fuzz_int"
+
+rule build_afl_int:
+    output:
+        directory("bins/target_afl_int")
+    shell:
+        "cargo build --target-dir {output} {def_flags},feed_afl,feed_longest,fuzz_int"
+
 rule run_bench:
     input:
         "build/{target}.elf",
@@ -149,4 +173,8 @@ rule all_periodic:
 
 rule all_compare_afl_longest:
     input:
-        expand("timedump/{fuzzer}/{target}.{num}", fuzzer=['afl','feedlongest','feedaflnolongest'], target=['waters'],num=range(0,10))
+        expand("timedump/{fuzzer}/{target}.{num}", fuzzer=['afl','feedlongest','feedaflnolongest'], target=['waters'],num=range(0,10))
+
+rule all_micro:
+    input:
+        expand("timedump/{fuzzer}/{target}.{num}", fuzzer=['afl_int','state_int','random_int'], target=['micro_int'],num=range(0,10))

fuzzers/FRET/benchmark/target_symbols.csv

@@ -16,4 +16,5 @@ tmr,main,FUZZ_INPUT,32,trigger_Qemu_break
 tacle_rtos,prvStage0,FUZZ_INPUT,604,trigger_Qemu_break
 lift,main_lift,FUZZ_INPUT,100,trigger_Qemu_break
 waters,main_waters,FUZZ_INPUT,4096,trigger_Qemu_break
-micro_branchless,main_branchless,FUZZ_INPUT,4,trigger_Qemu_break
+micro_branchless,main_branchless,FUZZ_INPUT,4,trigger_Qemu_break
+micro_int,main_branchless,FUZZ_INPUT,16,trigger_Qemu_break

fuzzers/FRET/src/fuzzer.rs

@@ -1,7 +1,7 @@
 //! A fuzzer using qemu in systemmode for binary-only coverage of kernels
 //!
 use core::time::Duration;
-use std::{env, path::PathBuf, process::{self, abort}, io::{Read, Write}, fs::{self, OpenOptions}};
+use std::{env, path::PathBuf, process::{self, abort}, io::{Read, Write}, fs::{self, OpenOptions}, cmp::min};
 
 use libafl::{
     bolts::{
@@ -64,7 +64,7 @@ pub fn fuzz() {
         str::parse::<usize>(&s).expect("FUZZ_SIZE was not a number");
     };
     // Hardcoded parameters
-    let timeout = Duration::from_secs(3);
+    let timeout = Duration::from_secs(1);
     let broker_port = 1337;
     let cores = Cores::from_cmdline("1").unwrap();
     let corpus_dirs = [PathBuf::from("./corpus")];
@@ -177,6 +177,16 @@ pub fn fuzz() {
             let mut buf = target.as_slice();
             let mut len = buf.len();
             unsafe {
+                #[cfg(feature = "fuzz_int")]
+                {
+                    let mut t : [u8; 4] = [0,0,0,0];
+                    for i in 0..min(4,len) {
+                        t[i as usize]=buf[i as usize];
+                    }
+                    libafl_int_offset = u32::from_le_bytes(t);
+                    buf = &buf[min(4,len) as usize..];
+                    len = buf.len();
+                }
                 if len > MAX_INPUT_SIZE {
                     buf = &buf[0..MAX_INPUT_SIZE];
                     len = MAX_INPUT_SIZE;