SYS-OSS/FRET-LibAFL
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

add interrupt fuzzing

Browse Source
This commit is contained in:
Alwin Berger 2023-02-27 10:39:52 +01:00
parent e5ac5ba825
commit e0f73778e2
4 changed files with 44 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
fuzzers/FRET/Cargo.toml
View File

@ -16,6 +16,7 @@ feed_systemgraph = [ "systemstate" ]
feed_systemtrace = [ "systemstate" ]
feed_longest = [ ]
feed_afl = [ ]
fuzz_int = [ ]
[profile.release]
lto = true

28
fuzzers/FRET/benchmark/Snakefile
View File

@ -43,6 +43,30 @@ rule build_graph:
shell:
"cargo build --target-dir {output} {def_flags},feed_systemgraph"
rule build_showmap_int:
output:
directory("bins/target_showmap_int")
shell:
"cargo build --target-dir {output} {def_flags},systemstate,fuzz_int"
rule build_random_int:
output:
directory("bins/target_random_int")
shell:
"cargo build --target-dir {output} {def_flags},feed_longest,fuzz_int"
rule build_state_int:
output:
directory("bins/target_state_int")
shell:
"cargo build --target-dir {output} {def_flags},feed_systemtrace,fuzz_int"
rule build_afl_int:
output:
directory("bins/target_afl_int")
shell:
"cargo build --target-dir {output} {def_flags},feed_afl,feed_longest,fuzz_int"
rule run_bench:
input:
"build/{target}.elf",
@ -150,3 +174,7 @@ rule all_periodic:
rule all_compare_afl_longest:
input:
expand("timedump/{fuzzer}/{target}.{num}", fuzzer=['afl','feedlongest','feedaflnolongest'], target=['waters'],num=range(0,10))
rule all_micro:
input:
expand("timedump/{fuzzer}/{target}.{num}", fuzzer=['afl_int','state_int','random_int'], target=['micro_int'],num=range(0,10))

1
fuzzers/FRET/benchmark/target_symbols.csv
View File

@ -17,3 +17,4 @@ tacle_rtos,prvStage0,FUZZ_INPUT,604,trigger_Qemu_break
lift,main_lift,FUZZ_INPUT,100,trigger_Qemu_break
waters,main_waters,FUZZ_INPUT,4096,trigger_Qemu_break
micro_branchless,main_branchless,FUZZ_INPUT,4,trigger_Qemu_break
micro_int,main_branchless,FUZZ_INPUT,16,trigger_Qemu_break
1 kernel main_function input_symbol input_size return_function
17 lift main_lift FUZZ_INPUT 100 trigger_Qemu_break
18 waters main_waters FUZZ_INPUT 4096 trigger_Qemu_break
19 micro_branchless main_branchless FUZZ_INPUT 4 trigger_Qemu_break
20 micro_int main_branchless FUZZ_INPUT 16 trigger_Qemu_break

14
fuzzers/FRET/src/fuzzer.rs
View File

@ -1,7 +1,7 @@
//! A fuzzer using qemu in systemmode for binary-only coverage of kernels
//!
use core::time::Duration;
use std::{env, path::PathBuf, process::{self, abort}, io::{Read, Write}, fs::{self, OpenOptions}};
use std::{env, path::PathBuf, process::{self, abort}, io::{Read, Write}, fs::{self, OpenOptions}, cmp::min};
use libafl::{
bolts::{
@ -64,7 +64,7 @@ pub fn fuzz() {
str::parse::<usize>(&s).expect("FUZZ_SIZE was not a number");
};
// Hardcoded parameters
let timeout = Duration::from_secs(3);
let timeout = Duration::from_secs(1);
let broker_port = 1337;
let cores = Cores::from_cmdline("1").unwrap();
let corpus_dirs = [PathBuf::from("./corpus")];
@ -177,6 +177,16 @@ pub fn fuzz() {
let mut buf = target.as_slice();
let mut len = buf.len();
unsafe {
#[cfg(feature = "fuzz_int")]
{
let mut t : [u8; 4] = [0,0,0,0];
for i in 0..min(4,len) {
t[i as usize]=buf[i as usize];
}
libafl_int_offset = u32::from_le_bytes(t);
buf = &buf[min(4,len) as usize..];
len = buf.len();
}
if len > MAX_INPUT_SIZE {
buf = &buf[0..MAX_INPUT_SIZE];
len = MAX_INPUT_SIZE;