symqemu mutator options

custom_mutators/aflpp_tritondse/README.md

@@ -10,8 +10,11 @@
 ../../afl-cc -o ../../test-instr ../../test-instr.c
 mkdir -p in
 echo aaaa > in/in
-TRITON_DSE_TARGET=../../test-instr AFL_CUSTOM_MUTATOR_ONLY=1 AFL_SYNC_TIME=1 AFL_PYTHON_MODULE=aflpp_tritondse PYTHONPATH=. ../../afl-fuzz -i in -o out -- ../../test-instr
+AFL_DISABLE_TRIM=1 AFL_CUSTOM_MUTATOR_ONLY=1 AFL_SYNC_TIME=1 AFL_PYTHON_MODULE=aflpp_tritondse PYTHONPATH=. ../../afl-fuzz -i in -o out -- ../../test-instr
 ```
 
 Note that this custom mutator works differently, new finds are synced
-after 10-60 seconds to the fuzzing instance.
+after 10-60 seconds to the fuzzing instance. This is necessary because only
+C/C++ mutators have access to the internal AFL++ state.
+
+Hence the symqemu customer mutator is more effective.

custom_mutators/symqemu/README.md

@@ -2,10 +2,18 @@
 
 This uses the symcc to find new paths into the target.
 
+## How to build and use
+
 To use this custom mutator follow the steps in the symqemu repository 
 [https://github.com/eurecom-s3/symqemu/](https://github.com/eurecom-s3/symqemu/) 
 on how to build symqemu-x86_x64 and put it in your `PATH`.
 
-just type `make` to build this custom mutator.
+Just type `make` to build this custom mutator.
 
 ```AFL_CUSTOM_MUTATOR_LIBRARY=custom_mutators/symqemu/symqemu-mutator.so AFL_DISABLE_TRIM=1 afl-fuzz ...```
+
+## Options
+
+`SYMQEMU_ALL=1` - use concolic solving on **all** queue items, not only interesting/favorite ones.
+
+`SYMQEMU_LATE=1` - use concolic solving only after there have been no finds for 5 minutes.

custom_mutators/symqemu/symqemu.c

@@ -23,6 +23,8 @@ static u32   found_items = 0;
 typedef struct my_mutator {
 
   afl_state_t *afl;
+  u32          all;
+  u32          late;
   u8          *mutator_buf;
   u8          *out_dir;
   u8          *target;
@@ -156,18 +158,19 @@ my_mutator_t *afl_custom_init(afl_state_t *afl, unsigned int seed) {
 
   data->argv[0] = data->symqemu;
   data->argv[1] = data->target;
+  data->afl = afl;
+  data->seed = seed;
+  afl_struct = afl;
+
+  if (getenv("SYMQEMU_ALL")) { data->all = 1; }
+  if (getenv("SYMQEMU_LATE")) { data->late = 1; }
+  if (data->input_file) { setenv("SYMCC_INPUT_FILE", data->input_file, 1); }
 
   DBG("out_dir=%s, target=%s, input_file=%s, argc=%u\n", data->out_dir,
       data->target,
       data->input_file ? (char *)data->input_file : (char *)"<stdin>",
       data->argc);
 
-  if (data->input_file) { setenv("SYMCC_INPUT_FILE", data->input_file, 1); }
-
-  data->afl = afl;
-  data->seed = seed;
-  afl_struct = afl;
-
   if (debug) {
 
     fprintf(stderr, "[");
@@ -189,15 +192,40 @@ void afl_custom_splice_optout(void *data) {
 
 }
 
+/* Get unix time in milliseconds */
+
+inline u64 get_cur_time(void) {
+
+  struct timeval  tv;
+  struct timezone tz;
+
+  gettimeofday(&tv, &tz);
+
+  return (tv.tv_sec * 1000ULL) + (tv.tv_usec / 1000);
+
+}
+
 u32 afl_custom_fuzz_count(my_mutator_t *data, const u8 *buf, size_t buf_size) {
 
-  if (likely(!afl_struct->queue_cur->favored ||
+  if (likely((!afl_struct->queue_cur->favored ||
-             afl_struct->queue_cur->was_fuzzed)) {
+              afl_struct->queue_cur->was_fuzzed) &&
+             !data->all)) {
 
     return 0;
 
   }
 
+  if (likely(data->late)) {
+
+    if (unlikely(get_cur_time() - afl_struct->last_find_time <=
+                 10 * 60 * 1000)) {
+
+      return 0;
+
+    }
+
+  }
+
   int         pipefd[2];
   struct stat st;
 

src/afl-common.c

@@ -949,7 +949,7 @@ void read_bitmap(u8 *fname, u8 *map, size_t len) {
 
 /* Get unix time in milliseconds */
 
-u64 get_cur_time(void) {
+inline u64 get_cur_time(void) {
 
   struct timeval  tv;
   struct timezone tz;