ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-14 19:08:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

custom havoc mutation

Browse Source
This commit is contained in:
Andrea Fioraldi
2020-03-07 12:11:06 +01:00
parent 1e30c3a941
commit 172d384bf2
7 changed files with 228 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
docs/custom_mutators.md
View File

@ -28,13 +28,14 @@ performed with the custom mutator.
C/C++: C/C++:
```c ```c
void afl_custom_init(unsigned int seed); void afl_custom_init(unsigned int seed);
size_t afl_custom_fuzz(u8* buf, size_t buf_size, size_t afl_custom_fuzz(u8** buf, size_t buf_size, u8* add_buf,
u8* add_buf, size_t add_buf_size, size_t add_buf_size, size_t max_size);
u8* mutated_out, size_t max_size);
size_t afl_custom_pre_save(u8* buf, size_t buf_size, u8** out_buf); size_t afl_custom_pre_save(u8* buf, size_t buf_size, u8** out_buf);
u32 afl_custom_init_trim(u8* buf, size_t buf_size); u32 afl_custom_init_trim(u8* buf, size_t buf_size);
void afl_custom_trim(u8** out_buf, size_t* out_buf_size); void afl_custom_trim(u8** out_buf, size_t* out_buf_size);
u32 afl_custom_post_trim(u8 success); u32 afl_custom_post_trim(u8 success);
size_t afl_custom_havoc_mutation(uint8_t** buf, size_t buf_size, size_t max_size);
uint8_t afl_custom_havoc_mutation_probability(void);
``` ```
Python: Python:
@ -56,6 +57,12 @@ def trim():
def post_trim(success): def post_trim(success):
return next_index return next_index
def havoc_mutation(buf, max_size):
return mutated_out
def havoc_mutation_probability():
return probability # int in [0, 100]
``` ```
### Custom Mutation ### Custom Mutation

54
examples/custom_mutators/example.c
View File

@ -30,23 +30,27 @@ void afl_custom_init(unsigned int seed) {
* *
* (Optional for now. Required in the future) * (Optional for now. Required in the future)
* *
* @param[in] buf Input data to be mutated * @param[in] buf Pointer to input data to be mutated
* @param[in] buf_size Size of input data * @param[in] buf_size Size of input data
* @param[in] add_buf Buffer containing the additional test case * @param[in] add_buf Buffer containing the additional test case
* @param[in] add_buf_size Size of the additional test case * @param[in] add_buf_size Size of the additional test case
* @param[out] mutated_out Buffer to store the mutated input
* @param[in] max_size Maximum size of the mutated output. The mutation must not * @param[in] max_size Maximum size of the mutated output. The mutation must not
* produce data larger than max_size. * produce data larger than max_size.
* @return Size of the mutated output. * @return Size of the mutated output.
*/ */
size_t afl_custom_fuzz(uint8_t *buf, size_t buf_size, size_t afl_custom_fuzz(uint8_t **buf, size_t buf_size,
uint8_t *add_buf,size_t add_buf_size, // add_buf can be NULL uint8_t *add_buf,size_t add_buf_size, // add_buf can be NULL
uint8_t *mutated_out, size_t max_size) { size_t max_size) {
// Make sure that the packet size does not exceed the maximum size expected by // Make sure that the packet size does not exceed the maximum size expected by
// the fuzzer // the fuzzer
size_t mutated_size = data_size <= max_size ? data_size : max_size; size_t mutated_size = data_size <= max_size ? data_size : max_size;
if (mutated_size > buf_size)
*buf = realloc(*buf, mutated_size);
uint8_t* mutated_out = *buf;
// Randomly select a command string to add as a header to the packet // Randomly select a command string to add as a header to the packet
memcpy(mutated_out, commands[rand() % 3], 3); memcpy(mutated_out, commands[rand() % 3], 3);
@ -175,3 +179,45 @@ int afl_custom_post_trim(int success) {
return trimmming_steps; return trimmming_steps;
} }
/**
* Perform a single custom mutation on a given input.
* This mutation is stacked with the other muatations in havoc.
*
* (Optional)
*
* @param[in] buf Pointer to the input data to be mutated
* @param[in] buf_size Size of input data
* @param[in] max_size Maximum size of the mutated output. The mutation must not produce data larger than max_size.
* @return Size of the mutated output.
*/
size_t afl_custom_havoc_mutation(uint8_t** buf, size_t buf_size, size_t max_size) {
if (buf_size == 0) {
*buf = realloc(*buf, 1);
**buf = rand() % 256;
buf_size = 1;
}
size_t victim = rand() % buf_size;
(*buf)[victim] += rand() % 10;
return buf_size;
}
/**
* Return the probability (in percentage) that afl_custom_havoc_mutation
* is called in havoc. By default it is 6 %.
*
* (Optional)
*
* @return The probability (0-100).
*/
uint8_t afl_custom_havoc_mutation_probability(void) {
return 5; // 5 %
}

46
include/afl-fuzz.h
View File

@ -480,18 +480,16 @@ struct custom_mutator {
* *
* (Optional for now. Required in the future) * (Optional for now. Required in the future)
* *
* @param[in] buf Input data to be mutated * @param[in] buf Pointer to input data to be mutated
* @param[in] buf_size Size of input data * @param[in] buf_size Size of input data
* @param[in] add_buf Buffer containing the additional test case * @param[in] add_buf Buffer containing the additional test case
* @param[in] add_buf_size Size of the additional test case * @param[in] add_buf_size Size of the additional test case
* @param[out] mutated_out Buffer to store the mutated input
* @param[in] max_size Maximum size of the mutated output. The mutation must not * @param[in] max_size Maximum size of the mutated output. The mutation must not
* produce data larger than max_size. * produce data larger than max_size.
* @return Size of the mutated output. * @return Size of the mutated output.
*/ */
size_t (*afl_custom_fuzz)(u8* buf, size_t buf_size, size_t (*afl_custom_fuzz)(u8** buf, size_t buf_size, u8* add_buf,
u8* add_buf, size_t add_buf_size, size_t add_buf_size, size_t max_size);
u8* mutated_out, size_t max_size);
/** /**
* A post-processing function to use right before AFL writes the test case to * A post-processing function to use right before AFL writes the test case to
@ -561,6 +559,30 @@ struct custom_mutator {
* steps returned in init_trim) * steps returned in init_trim)
*/ */
u32 (*afl_custom_post_trim)(u8 success); u32 (*afl_custom_post_trim)(u8 success);
/**
* Perform a single custom mutation on a given input.
* This mutation is stacked with the other muatations in havoc.
*
* (Optional)
*
* @param[in] buf Pointer to the input data to be mutated
* @param[in] buf_size Size of input data
* @param[in] max_size Maximum size of the mutated output. The mutation must not produce data larger than max_size.
* @return Size of the mutated output.
*/
size_t (*afl_custom_havoc_mutation)(u8** buf, size_t buf_size, size_t max_size);
/**
* Return the probability (in percentage) that afl_custom_havoc_mutation
* is called in havoc. By default it is 6 %.
*
* (Optional)
*
* @return The probability (0-100).
*/
u8 (*afl_custom_havoc_mutation_probability)(void);
}; };
extern struct custom_mutator* mutator; extern struct custom_mutator* mutator;
@ -610,6 +632,8 @@ enum {
/* 03 */ PY_FUNC_INIT_TRIM, /* 03 */ PY_FUNC_INIT_TRIM,
/* 04 */ PY_FUNC_POST_TRIM, /* 04 */ PY_FUNC_POST_TRIM,
/* 05 */ PY_FUNC_TRIM, /* 05 */ PY_FUNC_TRIM,
/* 06 */ PY_FUNC_HAVOC_MUTATION,
/* 07 */ PY_FUNC_HAVOC_MUTATION_PROBABILITY,
PY_FUNC_COUNT PY_FUNC_COUNT
}; };
@ -629,17 +653,19 @@ u8 trim_case_custom(char** argv, struct queue_entry* q, u8* in_buf);
/* Python */ /* Python */
#ifdef USE_PYTHON #ifdef USE_PYTHON
int init_py_module(u8*); int init_py_module(u8*);
void finalize_py_module(); void finalize_py_module();
void init_py(unsigned int seed); void init_py(unsigned int);
size_t fuzz_py(u8* buf, size_t buf_size, size_t fuzz_py(u8**, size_t, u8*, size_t, size_t);
u8* add_buf, size_t add_buf_size, size_t pre_save_py(u8*, size_t, u8**);
u8* mutated_out, size_t max_size);
size_t pre_save_py(u8* data, size_t size, u8** new_data);
u32 init_trim_py(u8*, size_t); u32 init_trim_py(u8*, size_t);
u32 post_trim_py(u8); u32 post_trim_py(u8);
void trim_py(u8**, size_t*); void trim_py(u8**, size_t*);
size_t havoc_mutation_py(u8**, size_t, size_t);
u8 havoc_mutation_probability_py(void);
#endif #endif
/* Queue */ /* Queue */

2
include/alloc-inl.h
View File

@ -34,6 +34,8 @@
#include "types.h" #include "types.h"
#include "debug.h" #include "debug.h"
// Be careful! _WANT_ORIGINAL_AFL_ALLOC is not compatible with custom mutators
#ifndef _WANT_ORIGINAL_AFL_ALLOC #ifndef _WANT_ORIGINAL_AFL_ALLOC
// afl++ stuff without memory corruption checks - for speed // afl++ stuff without memory corruption checks - for speed

16
src/afl-fuzz-mutators.c
View File

@ -147,6 +147,16 @@ void load_custom_mutator(const char* fn) {
} }
/* "afl_custom_havoc_mutation", optional */
mutator->afl_custom_havoc_mutation = dlsym(dh, "afl_custom_havoc_mutation");
if (!mutator->afl_custom_havoc_mutation)
WARNF("Symbol 'afl_custom_havoc_mutation' not found.");
/* "afl_custom_havoc_mutation", optional */
mutator->afl_custom_havoc_mutation_probability = dlsym(dh, "afl_custom_havoc_mutation_probability");
if (!mutator->afl_custom_havoc_mutation_probability)
WARNF("Symbol 'afl_custom_havoc_mutation_probability' not found.");
OKF("Custom mutator '%s' installed successfully.", fn); OKF("Custom mutator '%s' installed successfully.", fn);
/* Initialize the custom mutator */ /* Initialize the custom mutator */
@ -302,6 +312,12 @@ void load_custom_mutator_py(const char* module_name) {
if (py_functions[PY_FUNC_TRIM]) if (py_functions[PY_FUNC_TRIM])
mutator->afl_custom_trim = trim_py; mutator->afl_custom_trim = trim_py;
if (py_functions[PY_FUNC_HAVOC_MUTATION])
mutator->afl_custom_havoc_mutation = havoc_mutation_py;
if (py_functions[PY_FUNC_HAVOC_MUTATION_PROBABILITY])
mutator->afl_custom_havoc_mutation_probability = havoc_mutation_probability_py;
OKF("Python mutator '%s' installed successfully.", module_name); OKF("Python mutator '%s' installed successfully.", module_name);
/* Initialize the custom mutator */ /* Initialize the custom mutator */

33
src/afl-fuzz-one.c
View File

@ -1540,8 +1540,7 @@ custom_mutator_stage:
if (stage_max < HAVOC_MIN) stage_max = HAVOC_MIN; if (stage_max < HAVOC_MIN) stage_max = HAVOC_MIN;
const u32 max_seed_size = 4096 * 4096; const u32 max_seed_size = MAX_FILE;
u8* mutated_buf = ck_alloc(max_seed_size);
orig_hit_cnt = queued_paths + unique_crashes; orig_hit_cnt = queued_paths + unique_crashes;
@ -1590,20 +1589,16 @@ custom_mutator_stage:
ck_read(fd, new_buf, target->len, target->fname); ck_read(fd, new_buf, target->len, target->fname);
close(fd); close(fd);
size_t mutated_size = mutator->afl_custom_fuzz(out_buf, len, size_t mutated_size = mutator->afl_custom_fuzz(&out_buf, len,
new_buf, target->len, new_buf, target->len,
mutated_buf, max_seed_size); max_seed_size);
ck_free(new_buf); ck_free(new_buf);
if (mutated_size > 0) { if (mutated_size > 0) {
out_buf = ck_realloc(out_buf, mutated_size);
memcpy(out_buf, mutated_buf, mutated_size);
if (common_fuzz_stuff(argv, out_buf, (u32)mutated_size)) { if (common_fuzz_stuff(argv, out_buf, (u32)mutated_size)) {
ck_free(mutated_buf);
goto abandon_entry; goto abandon_entry;
} }
@ -1626,9 +1621,11 @@ custom_mutator_stage:
} }
if (mutated_size < len) out_buf = ck_realloc(out_buf, len);
memcpy(out_buf, in_buf, len);
} }
ck_free(mutated_buf);
new_hit_cnt = queued_paths + unique_crashes; new_hit_cnt = queued_paths + unique_crashes;
stage_finds[STAGE_CUSTOM_MUTATOR] += new_hit_cnt - orig_hit_cnt; stage_finds[STAGE_CUSTOM_MUTATOR] += new_hit_cnt - orig_hit_cnt;
@ -1681,6 +1678,17 @@ havoc_stage:
havoc_queued = queued_paths; havoc_queued = queued_paths;
u8 stacked_custom = (mutator && mutator->afl_custom_havoc_mutation);
u8 stacked_custom_prob = 6; // like one of the default mutations in havoc
if (stacked_custom && mutator->afl_custom_havoc_mutation_probability) {
stacked_custom_prob = mutator->afl_custom_havoc_mutation_probability();
if (stacked_custom_prob > 100)
FATAL("The probability returned by afl_custom_havoc_mutation_propability has to be in the range 0-100.");
}
/* We essentially just do several thousand runs (depending on perf_score) /* We essentially just do several thousand runs (depending on perf_score)
where we take the input file and make random stacked tweaks. */ where we take the input file and make random stacked tweaks. */
@ -1692,6 +1700,13 @@ havoc_stage:
for (i = 0; i < use_stacking; ++i) { for (i = 0; i < use_stacking; ++i) {
if (stacked_custom && UR(100) < stacked_custom_prob) {
temp_len = mutator->afl_custom_havoc_mutation(&out_buf, temp_len,
MAX_FILE);
}
switch (UR(15 + ((extras_cnt + a_extras_cnt) ? 2 : 0))) { switch (UR(15 + ((extras_cnt + a_extras_cnt) ? 2 : 0))) {
case 0: case 0:

93
src/afl-fuzz-python.c
View File

@ -55,6 +55,8 @@ int init_py_module(u8* module_name) {
py_functions[PY_FUNC_POST_TRIM] = py_functions[PY_FUNC_POST_TRIM] =
PyObject_GetAttrString(py_module, "post_trim"); PyObject_GetAttrString(py_module, "post_trim");
py_functions[PY_FUNC_TRIM] = PyObject_GetAttrString(py_module, "trim"); py_functions[PY_FUNC_TRIM] = PyObject_GetAttrString(py_module, "trim");
py_functions[PY_FUNC_HAVOC_MUTATION] = PyObject_GetAttrString(py_module, "havoc_mutation");
py_functions[PY_FUNC_HAVOC_MUTATION_PROBABILITY] = PyObject_GetAttrString(py_module, "havoc_mutation_probability");
for (py_idx = 0; py_idx < PY_FUNC_COUNT; ++py_idx) { for (py_idx = 0; py_idx < PY_FUNC_COUNT; ++py_idx) {
@ -159,16 +161,15 @@ void init_py(unsigned int seed) {
} }
} }
size_t fuzz_py(u8* buf, size_t buf_size, size_t fuzz_py(u8** buf, size_t buf_size, u8* add_buf, size_t add_buf_size,
u8* add_buf, size_t add_buf_size, size_t max_size) {
u8* mutated_out, size_t max_size) {
size_t mutated_size; size_t mutated_size;
PyObject *py_args, *py_value; PyObject *py_args, *py_value;
py_args = PyTuple_New(3); py_args = PyTuple_New(3);
/* buf */ /* buf */
py_value = PyByteArray_FromStringAndSize(buf, buf_size); py_value = PyByteArray_FromStringAndSize(*buf, buf_size);
if (!py_value) { if (!py_value) {
Py_DECREF(py_args); Py_DECREF(py_args);
@ -211,7 +212,10 @@ size_t fuzz_py(u8* buf, size_t buf_size,
if (py_value != NULL) { if (py_value != NULL) {
mutated_size = PyByteArray_Size(py_value); mutated_size = PyByteArray_Size(py_value);
memcpy(mutated_out, PyByteArray_AsString(py_value), mutated_size); if (buf_size < mutated_size)
*buf = ck_realloc(*buf, mutated_size);
memcpy(*buf, PyByteArray_AsString(py_value), mutated_size);
Py_DECREF(py_value); Py_DECREF(py_value);
return mutated_size; return mutated_size;
@ -359,5 +363,84 @@ void trim_py(u8** out_buf, size_t* out_buf_size) {
} }
size_t havoc_mutation_py(u8** buf, size_t buf_size, size_t max_size) {
size_t mutated_size;
PyObject *py_args, *py_value;
py_args = PyTuple_New(2);
/* buf */
py_value = PyByteArray_FromStringAndSize(*buf, buf_size);
if (!py_value) {
Py_DECREF(py_args);
FATAL("Failed to convert arguments");
}
PyTuple_SetItem(py_args, 0, py_value);
/* max_size */
#if PY_MAJOR_VERSION >= 3
py_value = PyLong_FromLong(max_size);
#else
py_value = PyInt_FromLong(max_size);
#endif
if (!py_value) {
Py_DECREF(py_args);
FATAL("Failed to convert arguments");
}
PyTuple_SetItem(py_args, 1, py_value);
py_value = PyObject_CallObject(py_functions[PY_FUNC_HAVOC_MUTATION], py_args);
Py_DECREF(py_args);
if (py_value != NULL) {
mutated_size = PyByteArray_Size(py_value);
if (buf_size < mutated_size)
*buf = ck_realloc(*buf, mutated_size);
memcpy(*buf, PyByteArray_AsString(py_value), mutated_size);
Py_DECREF(py_value);
return mutated_size;
} else {
PyErr_Print();
FATAL("Call failed");
}
}
u8 havoc_mutation_probability_py(void) {
PyObject *py_args, *py_value;
py_args = PyTuple_New(0);
py_value = PyObject_CallObject(py_functions[PY_FUNC_HAVOC_MUTATION_PROBABILITY], py_args);
Py_DECREF(py_args);
if (py_value != NULL) {
long prob = PyLong_AsLong(py_value);
Py_DECREF(py_value);
return (u8)prob;
} else {
PyErr_Print();
FATAL("Call failed");
}
}
#endif /* USE_PYTHON */ #endif /* USE_PYTHON */