introduce INPUT_BYTES_OFFSET constant

This commit is contained in:
Alwin Berger 2022-06-06 00:42:45 +02:00
parent 2466fc5cb6
commit eb3914e5c1
5 changed files with 38 additions and 22 deletions


@ -34,6 +34,7 @@ use wcet_qemu_sys::sysstate::helpers::QemuSystemStateHelper;
use wcet_qemu_sys::sysstate::observers::QemuSysStateObserver;
use wcet_qemu_sys::sysstate::feedbacks::SysStateFeedbackState;
use wcet_qemu_sys::sysstate::feedbacks::NovelSysStateFeedback;
use wcet_qemu_sys::sysstate::INPUT_BYTES_OFFSET;
use wcet_qemu_sys::worst::QemuHashMapObserver;
use wcet_qemu_sys::minimizer::QemuCaseMinimizerStage;
use hashbrown::HashMap;
@ -530,13 +531,15 @@ fn fuzz(
let mut buf = target.as_slice();
let mut len = buf.len();
let mut int_tick : Option<u32> = None;
if len > 2 {
let mut t : [u8; 4] = [0,0,0,0]; // 4 extra bytes determine the tick to execute an interrupt
t[0]=buf[0];
t[1]=buf[1];
int_tick = Some(u32::from_le_bytes(t));
buf = &buf[2..];
len = buf.len();
if INPUT_BYTES_OFFSET!= 0 {
if len > 2 {
let mut t : [u8; 4] = [0,0,0,0]; // 4 extra bytes determine the tick to execute an interrupt
t[0]=buf[0];
t[1]=buf[1];
int_tick = Some(u32::from_le_bytes(t));
buf = &buf[2..];
len = buf.len();
}
}
if len >= 32 {
buf = &buf[0..32];
@ -544,7 +547,9 @@ fn fuzz(
}
unsafe {
libafl_int_offset = 347780+int_tick.unwrap_or(0);
if INPUT_BYTES_OFFSET!= 0 {
libafl_int_offset = 347780+int_tick.unwrap_or(0);
}
// INTR_OFFSET = int_tick;
emu.write_mem(test_length_ptr,&(len as u32).to_le_bytes());
emu.write_mem(input_addr,buf);
@ -610,7 +615,7 @@ fn fuzz(
// let tracing = ShadowTracingStage::new(&mut executor);
// The order of the stages matter!
let mut stages = tuple_list!(QemuCaseMinimizerStage::new(16),mutation);
let mut stages = tuple_list!(mutation,QemuCaseMinimizerStage::new(16));
// Remove target ouput (logs still survive)
#[cfg(unix)]
@ -642,6 +647,7 @@ fn fuzz(
.unwrap();
let newgraph = feedbackstate.graph.map(
|_, n| n.get_taskname(),
// |_, n| format!("{} {:?}",n.get_taskname(),n.get_input_counts().iter().min().unwrap_or(&0)),
|_, e| e,
);
let tempg = format!("{:?}",Dot::with_config(&newgraph, &[Config::EdgeNoLabel]));
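Review bot: The interrupt-byte stripping in the `@ -530` hunk still hard-codes the width the new constant is meant to own: `len > 2`, `t[0]=buf[0]; t[1]=buf[1];` and `buf = &buf[2..]` are now guarded by `INPUT_BYTES_OFFSET != 0` but never read its value, so setting the constant to anything other than 2 silently desynchronises this slicing from the `input_counter` shift done in the system-state code. I would express the guard and the slice through the constant, `if len > INPUT_BYTES_OFFSET as usize {` and `buf = &buf[INPUT_BYTES_OFFSET as usize..];`, and fill the tick array with `t[..INPUT_BYTES_OFFSET as usize].copy_from_slice(&buf[..INPUT_BYTES_OFFSET as usize]);`, which also makes the implicit assumption that the offset fits in the 4-byte tick array visible. The same duplicated block appears in the second file's `@ -339` hunk and should be changed the same way. The `fuzz` function this sits in starts and ends outside the hunk.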


@ -4,6 +4,7 @@ use wcet_qemu_sys::sysstate::helpers::INTR_OFFSET;
use std::io::Read;
use wcet_qemu_sys::sysstate::observers::QemuSysStateObserver;
use wcet_qemu_sys::sysstate::feedbacks::DumpSystraceFeedback;
use wcet_qemu_sys::sysstate::INPUT_BYTES_OFFSET;
use wcet_qemu_sys::worst::QemuHashMapObserver;
use wcet_qemu_sys::{
worst::{DumpMapFeedback,DummyFeedback},
@ -339,13 +340,15 @@ fn fuzz(
let mut buf = target.as_slice();
let mut len = buf.len();
let mut int_tick : Option<u32> = None;
if len > 2 {
let mut t : [u8; 4] = [0,0,0,0]; // 4 extra bytes determine the tick to execute an interrupt
t[0]=buf[0];
t[1]=buf[1];
int_tick = Some(u32::from_le_bytes(t));
buf = &buf[2..];
len = buf.len();
if INPUT_BYTES_OFFSET!= 0 {
if len > 2 {
let mut t : [u8; 4] = [0,0,0,0]; // 4 extra bytes determine the tick to execute an interrupt
t[0]=buf[0];
t[1]=buf[1];
int_tick = Some(u32::from_le_bytes(t));
buf = &buf[2..];
len = buf.len();
}
}
if len >= 32 {
buf = &buf[0..32];
@ -353,7 +356,9 @@ fn fuzz(
}
unsafe {
// libafl_int_offset = 347780+int_tick.unwrap_or(0);
if INPUT_BYTES_OFFSET!= 0 {
libafl_int_offset = 347780+int_tick.unwrap_or(0);
}
// INTR_OFFSET = int_tick;
emu.write_mem(test_length_ptr,&(len as u32).to_le_bytes());
emu.write_mem(input_addr,buf);


@ -104,6 +104,9 @@ impl SysGraphNode {
pub fn get_taskname(&self) -> &str {
&self.base.current_task.task_name
}
pub fn get_input_counts(&self) -> Vec<u32> {
self.variants.iter().map(|x| x.input_counter).collect()
}
}
impl PartialEq for SysGraphNode {
fn eq(&self, other: &SysGraphNode) -> bool {
@ -456,13 +459,12 @@ where
let mut collection : Vec<Vec<u8>> = Vec::new();
let mut current_pointer : usize = 0;
let INPUT_BYTES_OFFSET = 0; // Offset for interrupt bytes
for t in &trace.inner {
let node = &g[*t];
for v in &node.variants {
if v.input == input.bytes() {
if v.input_counter > current_pointer.try_into().unwrap() {
collection.push(v.input[INPUT_BYTES_OFFSET+current_pointer..INPUT_BYTES_OFFSET+v.input_counter as usize].to_owned());
collection.push(v.input[current_pointer..v.input_counter as usize].to_owned());
current_pointer = v.input_counter as usize;
}
break;
@ -474,7 +476,7 @@ where
collection[index_to_mutate][i] = myrand.below(0xFF) as u8;
}
for i in collection.concat().iter().enumerate() {
input.bytes_mut()[INPUT_BYTES_OFFSET+i.0]=*i.1;
input.bytes_mut()[i.0]=*i.1;
}
Ok(MutationResult::Mutated)
@ -547,7 +549,7 @@ where
// follow the path, extract snippets from last reads, find common snippets.
// those are likley keys parts. choose random parts from other sibling traces
let inp_c_end = g[*trace.inner.last().unwrap()].base.input_counter;
let mut num_to_reverse = 1;
let mut num_to_reverse = myrand.below(trace.inner.len().try_into().unwrap());
for t in trace.inner.iter().rev() {
let int_c_prefix = g[*t].base.input_counter;
if int_c_prefix < inp_c_end {
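Review bot: `v.input[current_pointer..v.input_counter as usize]` in the `@ -456` hunk slices without a bound check, and `input_counter` is now stored with `INPUT_BYTES_OFFSET` already added (last file of this commit), so a node whose counter reaches past the stored input panics here instead of being skipped; the removed local `INPUT_BYTES_OFFSET = 0` had hidden the question. I would clamp before slicing, `let end = (v.input_counter as usize).min(v.input.len());` and `collection.push(v.input[current_pointer..end].to_owned());` — whether the counter can actually exceed the length depends on how the target reports it, which is not visible here. In the `@ -547` hunk, `myrand.below(trace.inner.len().try_into().unwrap())` can now yield 0 where the old value was the constant 1, which presumably makes the reversal loop a no-op for those draws; if one step is the intended minimum, `.max(1)` on the result keeps the old lower bound. The enclosing function starts and ends outside these hunks.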


@ -15,6 +15,8 @@ pub mod observers;
pub mod feedbacks;
pub mod graph;
pub const INPUT_BYTES_OFFSET : u32 = 2; // Offset for interrupt bytes
// Constants
const NUM_PRIOS: usize = 5;
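Review bot: The comment on `INPUT_BYTES_OFFSET` in the `@ -15` hunk says only "Offset for interrupt bytes", yet the constant now has three coupled readers (the fuzzer front-ends strip that many bytes from the input, the system-state collector adds it to `input_counter`, and the graph mutator slices with the shifted counter), so anyone changing it needs that contract stated at the definition. I would make it a doc comment: `/// Number of leading input bytes the fuzzer consumes itself (interrupt tick) before the remainder is written to the target. The target-reported input_counter is shifted by this amount so it indexes the raw input; the fuzzer front-ends must strip exactly this many bytes.` Since every use is a byte offset into a slice, `usize` would drop the `as usize` casts at the call sites, leaving a single cast where it is added to the `u32` counter.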


@ -1,3 +1,4 @@
use crate::sysstate::INPUT_BYTES_OFFSET;
use libafl::inputs::HasTargetBytes;
use libafl::bolts::HasLen;
use libafl::bolts::tuples::Named;
@ -129,7 +130,7 @@ for mut i in input.drain(..) {
start_tick: start_tick,
end_tick: i.qemu_tick,
ready_list_after: collector,
input_counter: i.input_counter,
input_counter: i.input_counter+INPUT_BYTES_OFFSET,
last_pc: i.last_pc,
});
start_tick=i.qemu_tick;
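Review bot: `input_counter: i.input_counter+INPUT_BYTES_OFFSET` in the `@ -129` hunk changes what the stored field means, from the count the target reported to an index into the raw input, and nothing on the line or at the field records that, so a later consumer comparing it against the target-visible length will be off by `INPUT_BYTES_OFFSET`. I would annotate it, `input_counter: i.input_counter+INPUT_BYTES_OFFSET, // shift to a raw-input index: the first INPUT_BYTES_OFFSET bytes are consumed by the fuzzer, not the target`, and mirror the note on the field declaration. The addition is unchecked; if `input_counter` is a value read back from the emulated guest, `saturating_add` would avoid a debug-build panic on a corrupted counter, though the u32 headroom makes it unlikely. The `for mut i in input.drain(..)` loop this sits in starts and ends outside the hunk.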