ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-20 21:25:43 +00:00
Code Issues Packages Projects Releases Wiki Activity

symqemu mutator options

Browse Source
This commit is contained in:
vanhauser-thc
2023-05-18 10:50:10 +02:00
parent abd6eace9d
commit 401d7617ef
4 changed files with 51 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
custom_mutators/aflpp_tritondse/README.md
View File

@ -10,8 +10,11 @@
../../afl-cc -o ../../test-instr ../../test-instr.c
mkdir -p in
echo aaaa > in/in
TRITON_DSE_TARGET=../../test-instr AFL_CUSTOM_MUTATOR_ONLY=1 AFL_SYNC_TIME=1 AFL_PYTHON_MODULE=aflpp_tritondse PYTHONPATH=. ../../afl-fuzz -i in -o out -- ../../test-instr
AFL_DISABLE_TRIM=1 AFL_CUSTOM_MUTATOR_ONLY=1 AFL_SYNC_TIME=1 AFL_PYTHON_MODULE=aflpp_tritondse PYTHONPATH=. ../../afl-fuzz -i in -o out -- ../../test-instr
```
Note that this custom mutator works differently, new finds are synced
after 10-60 seconds to the fuzzing instance.
after 10-60 seconds to the fuzzing instance. This is necessary because only
C/C++ mutators have access to the internal AFL++ state.
Hence the symqemu customer mutator is more effective.

10
custom_mutators/symqemu/README.md
View File

@ -2,10 +2,18 @@
This uses the symcc to find new paths into the target.
## How to build and use
To use this custom mutator follow the steps in the symqemu repository
[https://github.com/eurecom-s3/symqemu/](https://github.com/eurecom-s3/symqemu/)
on how to build symqemu-x86_x64 and put it in your `PATH`.
just type `make` to build this custom mutator.
Just type `make` to build this custom mutator.
```AFL_CUSTOM_MUTATOR_LIBRARY=custom_mutators/symqemu/symqemu-mutator.so AFL_DISABLE_TRIM=1 afl-fuzz ...```
## Options
`SYMQEMU_ALL=1` - use concolic solving on **all** queue items, not only interesting/favorite ones.
`SYMQEMU_LATE=1` - use concolic solving only after there have been no finds for 5 minutes.

44
custom_mutators/symqemu/symqemu.c
View File

@ -23,6 +23,8 @@ static u32 found_items = 0;
typedef struct my_mutator {
afl_state_t *afl;
u32 all;
u32 late;
u8 *mutator_buf;
u8 *out_dir;
u8 *target;
@ -156,18 +158,19 @@ my_mutator_t *afl_custom_init(afl_state_t *afl, unsigned int seed) {
data->argv[0] = data->symqemu;
data->argv[1] = data->target;
data->afl = afl;
data->seed = seed;
afl_struct = afl;
if (getenv("SYMQEMU_ALL")) { data->all = 1; }
if (getenv("SYMQEMU_LATE")) { data->late = 1; }
if (data->input_file) { setenv("SYMCC_INPUT_FILE", data->input_file, 1); }
DBG("out_dir=%s, target=%s, input_file=%s, argc=%u\n", data->out_dir,
data->target,
data->input_file ? (char *)data->input_file : (char *)"<stdin>",
data->argc);
if (data->input_file) { setenv("SYMCC_INPUT_FILE", data->input_file, 1); }
data->afl = afl;
data->seed = seed;
afl_struct = afl;
if (debug) {
fprintf(stderr, "[");
@ -189,15 +192,40 @@ void afl_custom_splice_optout(void *data) {
}
/* Get unix time in milliseconds */
inline u64 get_cur_time(void) {
struct timeval tv;
struct timezone tz;
gettimeofday(&tv, &tz);
return (tv.tv_sec * 1000ULL) + (tv.tv_usec / 1000);
}
u32 afl_custom_fuzz_count(my_mutator_t *data, const u8 *buf, size_t buf_size) {
if (likely(!afl_struct->queue_cur->favored ||
afl_struct->queue_cur->was_fuzzed)) {
if (likely((!afl_struct->queue_cur->favored ||
afl_struct->queue_cur->was_fuzzed) &&
!data->all)) {
return 0;
}
if (likely(data->late)) {
if (unlikely(get_cur_time() - afl_struct->last_find_time <=
10 * 60 * 1000)) {
return 0;
}
}
int pipefd[2];
struct stat st;

2
src/afl-common.c
View File

@ -949,7 +949,7 @@ void read_bitmap(u8 *fname, u8 *map, size_t len) {
/* Get unix time in milliseconds */
u64 get_cur_time(void) {
inline u64 get_cur_time(void) {
struct timeval tv;
struct timezone tz;