-
Notifications
You must be signed in to change notification settings - Fork 55
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
stability problem #2
Comments
What stability means and the possible causes for low stability in AFL That last bit is actually fairly interesting: it measures the consistency of Now, most targets will just get a 100% score, but when you see lower figures,
The paths where variable behavior is detected are marked with a matching entry |
How is stability calculated in the code?
|
The 1st known causes of low stability in ptfuzzer. There are tip_fup packets in the packets recorded by PT. And tip_fup, along with several following packets, will cause unstable behaviors for the fuzzing process, thus resulting in low stability. We found 2 patterns of tip_fup packets can be deleted from raw PT packets.
And when these 2 patterns are deleted, we may get a higher stability in ptfuzzer. |
After applying the aforementioned patterns to filter fup packets, the traces still differs for two command line executions according to my test. The first one is:
However, the traces differ in file length only. So we assume the buffer we use for storing PT packets if full. This problem is confirmed. When we enlarge the perf aux buffer (_HF_PERF_AUX_SZ in pt.h) from 1M to 16M, and the problem is gone. The second one is:
However, the traces differs not in fup packets. So we assume we write log files to the current directory while ls is running. It should be confirmed later. |
stability after filtering the two fup packets patterns in ptfuzzer
Anyway, stability still goes down after filtering the two fup patterns However, something is interesting. in tip mode, when we exclude tip_pge and tip_pgd packets from the decoding process, stability is always 100% and ptfuzzer found several crashes in this situation |
Decoding psb packet tip_pge: 11111 But when there are tip_fup packets generated, they look like this: tip_pge: 11111 And psb packet will reset some values to 0, and tnt packet between tip_pge and psb will not be processed, so it will cause low stability in ptfuzzer. |
测试pandoc时发现了一种新的扰动模式:
这种新的模型仍然由fup引起,上面fup包已经被删除,原始fup包应该在tip_gpd之前。与之前fup包不同的是,此处fup包引起了一个有效的pge,在这个pge中由两个tip包,即tip: 2afd279和tip: 2afd33b,按照此前的规则处理方式,这两个tip包是不能被忽略的,从而导致不稳定性。 从地址可以看出,此处多引入的两个tip包仍然在程序的有效地址范围之内,因此怀疑此处是程序对某种信号的处理代码,从而由系统的中断处理函数进入了程序自定义的信号处理函数。 通过设定地址过滤的upper limit,让这段信号处理代码不被记录,在fuzz初期stability达到了100%,但在半分钟之后降至69%,估计可能是因为其他原因引起。 |
Pandoc is programmed using Haskell. |
The stability of AFL is not 100% (lower than 20%) due to decoding TNT packets. If we only decode TIP packet, the stability is better but is still not 100%.
The text was updated successfully, but these errors were encountered: