better seeding + trace cutout

2024-09-10 16:18:25 +02:00 · 2024-09-10 16:18:25 +02:00 · e6cf64541d
commit e6cf64541d
parent 6a98489e32
2 changed files with 32 additions and 18 deletions
--- a/fuzzers/FRET/benchmark/Snakefile
+++ b/fuzzers/FRET/benchmark/Snakefile
@ -142,8 +142,23 @@ rule tarnsform_trace:
    output:
        "{remote}timedump/{fuzzer}/{target}#{num}_case.jobs.csv",
        "{remote}timedump/{fuzzer}/{target}#{num}_case.resp.csv"
-    shell:
-        "$(pwd)/../../../../state2gantt/target/debug/state2gantt -i {input} -a {output[0]} -r {output[1]}"
+    run:
+        with open('target_symbols.csv') as csvfile:
+            reader = csv.DictReader(csvfile)
+            line = next((x for x in reader if x['\ufeffkernel']==wildcards.target), None)
+            if line == None:
+                return False
+            kernel=line['\ufeffkernel']
+            fuzz_main=line['main_function']
+            fuzz_input=line['input_symbol']
+            fuzz_len=line['input_size']
+            bkp=line['return_function']
+            select_task=line['select_task']
+            script="""
+                echo $(pwd)/../../../../state2gantt/target/debug/state2gantt -i {input} -a {output[0]} -r {output[1]} -t {select_task}
+                $(pwd)/../../../../state2gantt/target/debug/state2gantt -i {input} -a {output[0]} -r {output[1]} -t {select_task}
+                """
+            shell(script)

 rule trace2gantt:
    input:
--- a/fuzzers/FRET/src/fuzzer.rs
+++ b/fuzzers/FRET/src/fuzzer.rs
@ -15,13 +15,9 @@ edges::{self, edges_map_mut_ptr, QemuEdgeCoverageHelper, MAX_EDGES_FOUND}, elf::
 };
 use rand::{SeedableRng, StdRng, Rng};
 use crate::{
-    time::{
-        clock::{ClockTimeFeedback, IcHist, QemuClockIncreaseFeedback, QemuClockObserver, FUZZ_START_TIMESTAMP, QEMU_ICOUNT_SHIFT},
-        worst::{AlwaysTrueFeedback, ExecTimeIncFeedback, TimeMaximizerCorpusScheduler, TimeProbMassScheduler, TimeStateMaximizerCorpusScheduler},
-        qemustate::QemuStateRestoreHelper
-    },
-    systemstate::{self, feedbacks::{DumpSystraceFeedback, SystraceErrorFeedback}, helpers::{get_function_range, load_symbol, try_load_symbol, QemuSystemStateHelper}, observers::QemuSystemStateObserver, schedulers::{GenerationScheduler, LongestTraceScheduler}, stg::{stg_map_mut_slice, GraphMaximizerCorpusScheduler, STGEdge, STGNode, StgFeedback, MAX_STG_NUM}},
-    systemstate::mutational::{input_bytes_to_interrupt_times, InterruptShiftStage},
+    systemstate::{self, feedbacks::{DumpSystraceFeedback, SystraceErrorFeedback}, helpers::{get_function_range, load_symbol, try_load_symbol, QemuSystemStateHelper}, mutational::{input_bytes_to_interrupt_times, InterruptShiftStage}, observers::QemuSystemStateObserver, schedulers::{GenerationScheduler, LongestTraceScheduler}, stg::{stg_map_mut_slice, GraphMaximizerCorpusScheduler, STGEdge, STGNode, StgFeedback, MAX_STG_NUM}}, time::{
+        clock::{ClockTimeFeedback, IcHist, QemuClockIncreaseFeedback, QemuClockObserver, FUZZ_START_TIMESTAMP, QEMU_ICOUNT_SHIFT, QEMU_ISNS_PER_USEC}, qemustate::QemuStateRestoreHelper, worst::{AlwaysTrueFeedback, ExecTimeIncFeedback, TimeMaximizerCorpusScheduler, TimeProbMassScheduler, TimeStateMaximizerCorpusScheduler}
+    }
 };
 use std::time::SystemTime;
 use petgraph::dot::Dot;
@ -33,6 +29,7 @@ use crate::cli::Commands;
 use crate::cli::set_env_from_config;
 use clap::Parser;
 use log;
+use rand::RngCore;

 // Constants ================================================================================

@ -274,14 +271,18 @@ let api_ranges : Vec<_> = api_ranges.into_iter().collect();
 let isr_ranges : Vec<_> = isr_ranges.into_iter().collect();

 /// Setup the interrupt inputs. Noop if interrupts are not fuzzed
-fn setup_interrupt_inputs(mut input : MultipartInput<BytesInput>, interrupt_config : &Vec<(usize,u32)>) -> MultipartInput<BytesInput> {
+fn setup_interrupt_inputs(mut input : MultipartInput<BytesInput>, interrupt_config : &Vec<(usize,u32)>, mut random: Option<&mut StdRng>) -> MultipartInput<BytesInput> {
    #[cfg(feature = "fuzz_int")]
    for (i,_) in interrupt_config {
        let name = format!("isr_{}_times",i);
        if input.parts_by_name(&name).next().is_none() {
+            if let Some(random) = random.as_mut() {
+                input.add_part(name, BytesInput::new((0..MAX_NUM_INTERRUPT).map(|_| (random.next_u32()%(100*1000*QEMU_ISNS_PER_USEC)).to_le_bytes()).flatten().collect()));
+            } else {
                input.add_part(name, BytesInput::new([0; MAX_NUM_INTERRUPT*4].to_vec()));
            }
        }
+    }
    input
 }

@ -536,7 +537,7 @@ let run_client = |state: Option<_>, mut mgr, _core_id| {
                Ok(x) => x,
                Err(_) => {
                    println!("Interpreting input file as raw input");
-                    setup_interrupt_inputs(MultipartInput::from([("bytes",BytesInput::new(input.as_os_str().as_encoded_bytes().to_vec()))]), &interrupt_config)
+                    setup_interrupt_inputs(MultipartInput::from([("bytes",BytesInput::new(input.as_os_str().as_encoded_bytes().to_vec()))]), &interrupt_config, None)
                }
            };
            fuzzer.evaluate_input(&mut state, &mut executor, &mut mgr, show_input)
@ -548,9 +549,8 @@ let run_client = |state: Option<_>, mut mgr, _core_id| {
                unsafe {
                    let mut rng = StdRng::seed_from_u64(se);
                    for _ in 0..100 {
-                        let inp1 = BytesInput::new(vec![rng.gen::<u8>(); MAX_NUM_INTERRUPT*4]);
-                        let inp2 = BytesInput::new(vec![rng.gen::<u8>(); MAX_INPUT_SIZE]);
-                        let inp = setup_interrupt_inputs(MultipartInput::from([("bytes",inp2)]), &interrupt_config);
+                        let inp2 = BytesInput::new((0..MAX_INPUT_SIZE).map(|_| rng.gen::<u8>()).collect());
+                        let inp = setup_interrupt_inputs(MultipartInput::from([("bytes",inp2)]), &interrupt_config, Some(&mut rng));
                        fuzzer.evaluate_input(&mut state, &mut executor, &mut mgr, inp).unwrap();
                    }
                }
@ -591,9 +591,8 @@ let run_client = |state: Option<_>, mut mgr, _core_id| {
                        while start_time.elapsed() < target_duration {
                            // let inp = generator.generate(&mut state).unwrap();
                            // libafl's generator is too slow
-                            let inp1 = BytesInput::new(vec![rng.gen::<u8>(); MAX_NUM_INTERRUPT*4]);
-                            let inp2 = BytesInput::new(vec![rng.gen::<u8>(); MAX_INPUT_SIZE]);
-                            let inp = setup_interrupt_inputs(MultipartInput::from([("bytes",inp2)]), &interrupt_config);
+                            let inp2 = BytesInput::new((0..MAX_INPUT_SIZE).map(|_| rng.gen::<u8>()).collect());
+                            let inp = setup_interrupt_inputs(MultipartInput::from([("bytes",inp2)]), &interrupt_config, Some(&mut rng));
                            fuzzer.evaluate_input(&mut state, &mut executor, &mut mgr, inp).unwrap();
                        }
                    }} else {