Implement a barebones v8 executor #744
9738119
initial v8 commit: functional executor, no observers yet
addisoncrump 3399a3c
implement coverage
addisoncrump 176e317
remove excess debug prints
addisoncrump a033c3b
add docs + module loading
addisoncrump 3a5304b
add type observer
addisoncrump 9bbaad4
reduce complexity of executor
addisoncrump f392b95
Simplification for netbsd-specific code (#750)
devnexen 55993da
Add test case minimising stage (tmin) (#735)
addisoncrump 1c01d66
Implement a corpus minimiser (cmin) (#739)
addisoncrump 8a7cda8
Skippable stage, generator wrapper for Grimoire (#748)
domenukk 98cc70b
MapFeedback: Adding support for with_name() (#752)
TeumessianFox c82070c
dragonflybsd build fix for core affinity. (#753)
devnexen eeb03bb
make static v8 accessors
addisoncrump 4a3fdad
attach mapping data to state
addisoncrump 6a98eb4
forcibly fail observers used in non-alwaysunique
addisoncrump 8a03a35
make RUNTIME and WORKER accessible
addisoncrump File filter
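--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,3 @@
+corpus
+minimized
+solutions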
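--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,23 @@
+[package]
+name = "baby_fuzzer_minimizing"
+version = "0.8.1"
+authors = ["Andrea Fioraldi <[email protected]>", "Dominik Maier <[email protected]>", "Addison Crump <[email protected]>"]
+edition = "2021"
+
+[features]
+default = ["std"]
+tui = []
+std = []
+
+[profile.dev]
+panic = "abort"
+
+[profile.release]
+panic = "abort"
+lto = true
+codegen-units = 1
+opt-level = 3
+debug = true
+
+[dependencies]
+libafl = { path = "../../libafl/" }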
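--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,9 @@
+# Baby fuzzer
+
+This is a minimalistic example about how to create a libafl based fuzzer which leverages minimisation.
+
+The fuzzer steps until a crash occurs, minimising each corpus entry as it is discovered. Then, once a
+solution is found, it attempts to minimise that as well.
+
+The tested program is a simple Rust function without any instrumentation.
+For real fuzzing, you will want to add some sort to add coverage or other feedback.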
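--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,142 @@
+use std::path::PathBuf;
+#[cfg(windows)]
+use std::ptr::write_volatile;
+
+use libafl::prelude::*;
+
+/// Coverage map with explicit assignments due to the lack of instrumentation
+static mut SIGNALS: [u8; 16] = [0; 16];
+
+/// Assign a signal to the signals map
+fn signals_set(idx: usize) {
+unsafe { SIGNALS[idx] = 1 };
+}
+
+#[allow(clippy::similar_names)]
+pub fn main() -> Result<(), Error> {
+// The closure that we want to fuzz
+let mut harness = |input: &BytesInput| {
+let target = input.target_bytes();
+let buf = target.as_slice();
+signals_set(0);
+if !buf.is_empty() && buf[0] == b'a' {
+signals_set(1);
+if buf.len() > 1 && buf[1] == b'b' {
+signals_set(2);
+if buf.len() > 2 && buf[2] == b'c' {
+return ExitKind::Crash;
+}
+}
+}
+ExitKind::Ok
+};
+
+// Create an observation channel using the signals map
+let observer =
+unsafe { StdMapObserver::new_from_ptr("signals", SIGNALS.as_mut_ptr(), SIGNALS.len()) };
+
+let factory = MapEqualityFactory::new_from_observer(&observer);
+
+// Feedback to rate the interestingness of an input
+let mut feedback = MaxMapFeedback::new(&observer);
+
+// A feedback to choose if an input is a solution or not
+let mut objective = CrashFeedback::new();
+
+// The Monitor trait define how the fuzzer stats are displayed to the user
+let mon = SimpleMonitor::new(|s| println!("{}", s));
+
+let mut mgr = SimpleEventManager::new(mon);
+
+let corpus_dir = PathBuf::from("./corpus");
+let solution_dir = PathBuf::from("./solutions");
+
+// create a State from scratch
+let mut state = StdState::new(
+// RNG
+StdRand::with_seed(current_nanos()),
+// Corpus that will be evolved, we keep it in memory for performance
+OnDiskCorpus::new(&corpus_dir).unwrap(),
+// Corpus in which we store solutions (crashes in this example),
+// on disk so the user can get them after stopping the fuzzer
+OnDiskCorpus::new(&solution_dir).unwrap(),
+// States of the feedbacks.
+// The feedbacks can report the data that should persist in the State.
+&mut feedback,
+// Same for objective feedbacks
+&mut objective,
+)
+.unwrap();
+
+// A queue policy to get testcasess from the corpus
+let scheduler = QueueScheduler::new();
+
+// A fuzzer with feedbacks and a corpus scheduler
+let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);
+
+// Create the executor for an in-process function with just one observer
+let mut executor = InProcessExecutor::new(
+&mut harness,
+tuple_list!(observer),
+&mut fuzzer,
+&mut state,
+&mut mgr,
+)
+.expect("Failed to create the Executor");
+
+// Generator of printable bytearrays of max size 32
+let mut generator = RandPrintablesGenerator::new(32);
+
+// Generate 8 initial inputs
+state
+.generate_initial_inputs(&mut fuzzer, &mut executor, &mut generator, &mut mgr, 8)
+.expect("Failed to generate the initial corpus");
+
+// Setup a mutational stage with a basic bytes mutator
+let mutator = StdScheduledMutator::new(havoc_mutations());
+let minimizer = StdScheduledMutator::new(havoc_mutations());
+let mut stages = tuple_list!(
+StdMutationalStage::new(mutator),
+StdTMinMutationalStage::new(minimizer, factory, 128)
+);
+
+while state.solutions().is_empty() {
+fuzzer.fuzz_one(&mut stages, &mut executor, &mut state, &mut mgr)?;
+}
+
+let minimized_dir = PathBuf::from("./minimized");
+
+let mut state = StdState::new(
+StdRand::with_seed(current_nanos()),
+OnDiskCorpus::new(&minimized_dir).unwrap(),
+InMemoryCorpus::new(),
+&mut (),
+&mut (),
+)
+.unwrap();
+
+// The Monitor trait define how the fuzzer stats are displayed to the user
+let mon = SimpleMonitor::new(|s| println!("{}", s));
+
+let mut mgr = SimpleEventManager::new(mon);
+
+let minimizer = StdScheduledMutator::new(havoc_mutations());
+let mut stages = tuple_list!(StdTMinMutationalStage::new(
+minimizer,
+CrashFeedbackFactory::default(),
+1 << 10
+));
+
+let scheduler = QueueScheduler::new();
+
+// A fuzzer with feedbacks and a corpus scheduler
+let mut fuzzer = StdFuzzer::new(scheduler, (), ());
+
+// Create the executor for an in-process function with just one observer
+let mut executor = InProcessExecutor::new(&mut harness, (), &mut fuzzer, &mut state, &mut mgr)?;
+
+state.load_initial_inputs_forced(&mut fuzzer, &mut executor, &mut mgr, &[solution_dir])?;
+stages.perform_all(&mut fuzzer, &mut executor, &mut state, &mut mgr, 0)?;
+
+Ok(())
+}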
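Review bot: `#[cfg(windows)] use std::ptr::write_volatile;` at the top of the file is never used — `signals_set` writes with a plain `SIGNALS[idx] = 1` on every target — so Windows builds get an unused-import warning; either drop the import or have `signals_set` use `write_volatile(&mut SIGNALS[idx], 1)` on all targets if the intent is to keep the stores to the map from being elided (which of the two is intended is not visible from this file). In a `main` that already returns `Result<(), Error>`, the `.unwrap()` calls on `OnDiskCorpus::new`/`StdState::new` and the `.expect(...)` calls on `InProcessExecutor::new`/`generate_initial_inputs` could propagate with `?` like the second half of the function does, assuming those constructors return the same `Error` type (the second `InProcessExecutor::new` is already written with `?`). The comment above the second executor, `// Create the executor for an in-process function with just one observer`, is copied from the first one: that call passes `()` as its observers, so it should read `// Create the executor for an in-process function with no observers`. Also `testcasess` in the scheduler comment should be `testcases`.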
is a OnDiskCorpus kept in memory?
No, that'd need a CachedOnDiskCorpus or a InMemoryCorpus
So the comment is outdated here