SYS-OSS/FRET-LibAFL
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

get time from ClockTimeFeedback

Browse Source
This commit is contained in:
Alwin Berger 2022-12-12 15:30:05 +01:00
parent 6ad55e3b29
commit e3f38edd0a
1 changed files with 11 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
fuzzers/FRET/src/fuzzer.rs
View File

@ -18,12 +18,12 @@ use libafl::{
executors::{ExitKind, TimeoutExecutor}, executors::{ExitKind, TimeoutExecutor},
feedback_or, feedback_or,
feedback_or_fast, feedback_or_fast,
feedbacks::{CrashFeedback, MaxMapFeedback, TimeFeedback, TimeoutFeedback}, feedbacks::{CrashFeedback, MaxMapFeedback, TimeoutFeedback},
fuzzer::{Fuzzer, StdFuzzer}, fuzzer::{Fuzzer, StdFuzzer},
inputs::{BytesInput, HasTargetBytes}, inputs::{BytesInput, HasTargetBytes},
monitors::MultiMonitor, monitors::MultiMonitor,
mutators::scheduled::{havoc_mutations, StdScheduledMutator}, mutators::scheduled::{havoc_mutations, StdScheduledMutator},
observers::{TimeObserver, VariableMapObserver}, observers::{VariableMapObserver},
schedulers::{IndexesLenTimeMinimizerScheduler, QueueScheduler}, schedulers::{IndexesLenTimeMinimizerScheduler, QueueScheduler},
stages::StdMutationalStage, stages::StdMutationalStage,
state::{HasCorpus, StdState}, state::{HasCorpus, StdState},
@ -34,7 +34,10 @@ use libafl_qemu::{
edges, edges::QemuEdgeCoverageHelper, elf::EasyElf, emu::Emulator, GuestPhysAddr, QemuExecutor, edges, edges::QemuEdgeCoverageHelper, elf::EasyElf, emu::Emulator, GuestPhysAddr, QemuExecutor,
QemuHooks, Regs, QemuHooks, Regs,
}; };
use crate::{clock::QemuClockObserver, qemustate::QemuStateRestoreHelper}; use crate::{
clock::{QemuClockObserver, ClockTimeFeedback},
qemustate::QemuStateRestoreHelper,
};
pub static mut MAX_INPUT_SIZE: usize = 50; pub static mut MAX_INPUT_SIZE: usize = 50;
@ -91,14 +94,6 @@ pub fn fuzz() {
emu.set_breakpoint(breakpoint); // BREAKPOINT emu.set_breakpoint(breakpoint); // BREAKPOINT
// let saved_cpu_states: Vec<_> = (0..emu.num_cpus())
// .map(|i| emu.cpu_from_index(i).save_state())
// .collect();
// emu.save_snapshot("start", true);
// let snap = emu.create_fast_snapshot(true);
// The wrapped harness function, calling out to the LLVM-style harness // The wrapped harness function, calling out to the LLVM-style harness
let mut harness = |input: &BytesInput| { let mut harness = |input: &BytesInput| {
let target = input.target_bytes(); let target = input.target_bytes();
@ -118,25 +113,12 @@ pub fn fuzz() {
let mut pcs = (0..emu.num_cpus()) let mut pcs = (0..emu.num_cpus())
.map(|i| emu.cpu_from_index(i)) .map(|i| emu.cpu_from_index(i))
.map(|cpu| -> Result<u32, String> { cpu.read_reg(Regs::Pc) }); .map(|cpu| -> Result<u32, String> { cpu.read_reg(Regs::Pc) });
let _ret = match pcs match pcs
.find(|pc| (breakpoint..breakpoint + 5).contains(pc.as_ref().unwrap_or(&0))) .find(|pc| (breakpoint..breakpoint + 5).contains(pc.as_ref().unwrap_or(&0)))
{ {
Some(_) => ExitKind::Ok, Some(_) => ExitKind::Ok,
None => ExitKind::Crash, None => ExitKind::Crash,
}; }
// OPTION 1: restore only the CPU state (registers et. al)
// for (i, s) in saved_cpu_states.iter().enumerate() {
// emu.cpu_from_index(i).restore_state(s);
// }
// OPTION 2: restore a slow vanilla QEMU snapshot
// emu.load_snapshot("start", true);
// OPTION 3: restore a fast devices+mem snapshot
// emu.restore_fast_snapshot(snap);
_ret
} }
}; };
@ -146,7 +128,7 @@ pub fn fuzz() {
let edges_observer = VariableMapObserver::new("edges", edges, edges_counter); let edges_observer = VariableMapObserver::new("edges", edges, edges_counter);
// Create an observation channel to keep track of the execution time // Create an observation channel to keep track of the execution time
let time_observer = TimeObserver::new("time"); let clock_time_observer = QemuClockObserver::new("clocktime");
// Feedback to rate the interestingness of an input // Feedback to rate the interestingness of an input
// This one is composed by two Feedbacks in OR // This one is composed by two Feedbacks in OR
@ -154,7 +136,7 @@ pub fn fuzz() {
// New maximization map feedback linked to the edges observer and the feedback state // New maximization map feedback linked to the edges observer and the feedback state
MaxMapFeedback::new_tracking(&edges_observer, true, true), MaxMapFeedback::new_tracking(&edges_observer, true, true),
// Time feedback, this one does not need a feedback state // Time feedback, this one does not need a feedback state
TimeFeedback::new_with_observer(&time_observer) ClockTimeFeedback::new_with_observer(&clock_time_observer)
); );
// A feedback to choose if an input is a solution or not // A feedback to choose if an input is a solution or not
@ -191,7 +173,7 @@ pub fn fuzz() {
let executor = QemuExecutor::new( let executor = QemuExecutor::new(
&mut hooks, &mut hooks,
&mut harness, &mut harness,
tuple_list!(edges_observer, time_observer, QemuClockObserver::default()), tuple_list!(edges_observer, clock_time_observer),
&mut fuzzer, &mut fuzzer,
&mut state, &mut state,
&mut mgr, &mut mgr,