added mmopt power schedule

2025-06-19 13:03:44 +00:00 · 2020-03-17 21:42:36 +01:00
parent 4009f3a987
commit 3aa7242925
7 changed files with 52 additions and 32 deletions
--- a/src/afl-fuzz-globals.c
+++ b/src/afl-fuzz-globals.c
@ -30,8 +30,8 @@ s8  interesting_8[] = {INTERESTING_8};
 s16 interesting_16[] = {INTERESTING_8, INTERESTING_16};
 s32 interesting_32[] = {INTERESTING_8, INTERESTING_16, INTERESTING_32};

-char *power_names[POWER_SCHEDULES_NUM] = {"explore", "fast", "coe",
-                                          "lin",     "quad", "exploit"};
+char *power_names[POWER_SCHEDULES_NUM] = {"explore", "fast",    "coe",  "lin",
+                                          "quad",    "exploit", "mmopt"};

 u8 *doc_path = NULL;                    /* gath to documentation dir        */

--- a/src/afl-fuzz-queue.c
+++ b/src/afl-fuzz-queue.c
@ -328,20 +328,24 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) {
  // Longer execution time means longer work on the input, the deeper in
  // coverage, the better the fuzzing, right? -mh

-  if (q->exec_us * 0.1 > avg_exec_us)
-    perf_score = 10;
-  else if (q->exec_us * 0.25 > avg_exec_us)
-    perf_score = 25;
-  else if (q->exec_us * 0.5 > avg_exec_us)
-    perf_score = 50;
-  else if (q->exec_us * 0.75 > avg_exec_us)
-    perf_score = 75;
-  else if (q->exec_us * 4 < avg_exec_us)
-    perf_score = 300;
-  else if (q->exec_us * 3 < avg_exec_us)
-    perf_score = 200;
-  else if (q->exec_us * 2 < avg_exec_us)
-    perf_score = 150;
+  if (afl->schedule != MMOPT) {
+
+    if (q->exec_us * 0.1 > avg_exec_us)
+      perf_score = 10;
+    else if (q->exec_us * 0.25 > avg_exec_us)
+      perf_score = 25;
+    else if (q->exec_us * 0.5 > avg_exec_us)
+      perf_score = 50;
+    else if (q->exec_us * 0.75 > avg_exec_us)
+      perf_score = 75;
+    else if (q->exec_us * 4 < avg_exec_us)
+      perf_score = 300;
+    else if (q->exec_us * 3 < avg_exec_us)
+      perf_score = 200;
+    else if (q->exec_us * 2 < avg_exec_us)
+      perf_score = 150;
+
+  }

  /* Adjust score based on bitmap size. The working theory is that better
     coverage translates to better targets. Multiplier from 0.25x to 3x. */
@ -431,12 +435,9 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) {
      break;

    case FAST:
-      if (q->fuzz_level < 16) {
-
+      if (q->fuzz_level < 16)
        factor = ((u32)(1 << q->fuzz_level)) / (fuzz == 0 ? 1 : fuzz);
-
-      } else
-
+      else
        factor = MAX_FACTOR / (fuzz == 0 ? 1 : next_p2(fuzz));
      break;

@ -446,6 +447,12 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) {
      factor = q->fuzz_level * q->fuzz_level / (fuzz == 0 ? 1 : fuzz);
      break;

+    case MMOPT:
+
+      if (afl->max_depth - q->depth < 5) perf_score *= 1.5;
+
+      break;
+
    default: PFATAL("Unknown Power Schedule");

  }
@ -458,8 +465,8 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) {
  if (afl->limit_time_sig != 0 && afl->max_depth - q->depth < 3)
    perf_score *= 2;
  else if (perf_score < 1)
-    perf_score =
-        1;  // Add a lower bound to AFLFast's energy assignment strategies
+    // Add a lower bound to AFLFast's energy assignment strategies
+    perf_score = 1;

  /* Make sure that we don't go over limit. */

--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@ -96,8 +96,8 @@ static void usage(afl_state_t *afl, u8 *argv0, int more_help) {
      "Execution control settings:\n"
      "  -p schedule   - power schedules recompute a seed's performance "
      "score.\n"
-      "                  <explore (default), fast, coe, lin, quad, or "
-      "exploit>\n"
+      "                  <explore (default), fast, coe, lin, quad, exploit, "
+      "mmopt>\n"
      "                  see docs/power_schedules.md\n"
      "  -f file       - location read by the fuzzed program (stdin)\n"
      "  -t msec       - timeout for each run (auto-scaled, 50-%d ms)\n"
@ -300,6 +300,10 @@ int main(int argc, char **argv_orig, char **envp) {

          afl->schedule = QUAD;

+        } else if (!stricmp(optarg, "mopt") || !stricmp(optarg, "mmopt")) {
+
+          afl->schedule = MMOPT;
+
        } else if (!stricmp(optarg, "explore") || !stricmp(optarg, "default") ||

                   !stricmp(optarg, "normal") || !stricmp(optarg, "afl")) {
@ -755,6 +759,7 @@ int main(int argc, char **argv_orig, char **envp) {
      break;
    case LIN: OKF("Using linear power schedule (LIN)"); break;
    case QUAD: OKF("Using quadratic power schedule (QUAD)"); break;
+    case MMOPT: OKF("Using modified MOpt power schedule (MMOPT)"); break;
    case EXPLORE:
      OKF("Using exploration-based constant power schedule (EXPLORE)");
      break;