ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-14 19:08:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

added afl_custom_mutator_only

Browse Source
This commit is contained in:
van Hauser
2019-09-16 16:17:16 +02:00
parent 46ac559003
commit 428b88a82a
8 changed files with 33 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
TODO
View File

@ -4,8 +4,6 @@ Roadmap 2.54d:
afl-fuzz: afl-fuzz:
- enable python mutator for MOpt - enable python mutator for MOpt
- enable custom mutator for MOpt - enable custom mutator for MOpt
- make custom mutator to call other mutators as well unless
AFL_CUSTOM_MUTATOR_ONLY=1 is set
- add superion? - add superion?
remote feature remote feature

2
docs/ChangeLog
View File

@ -18,6 +18,8 @@ Version ++2.54d (dev):
---------------------- ----------------------
- persistent mode for QEMU (see qemu_mode/README.md) - persistent mode for QEMU (see qemu_mode/README.md)
- custom mutator library is now a standard mutator, to exclusivly use it
add AFL_CUSTOM_MUTATOR_ONLY (that will trigger the previous behaviour)
- no more unlinking the input file, this way the input file can also be a - no more unlinking the input file, this way the input file can also be a
FIFO or disk partition FIFO or disk partition
- reducing duplicate code in afl-fuzz - reducing duplicate code in afl-fuzz

9
docs/custom_mutator.txt
View File

@ -18,8 +18,13 @@ environment variable. The library must export the afl_custom_mutator() function
must be compiled as a shared object. For example: must be compiled as a shared object. For example:
$CC -shared -Wall -O3 <lib-name>.c -o <lib-name>.so $CC -shared -Wall -O3 <lib-name>.c -o <lib-name>.so
AFL will call the afl_custom_mutator() function every time it needs to mutate Note: unless AFL_CUSTOM_MUTATOR_ONLY is set, its state mutator like any others,
a test case. For some cases, the format of the mutated data returned from so it will be used for some test cases, and other mutators for others.
Only if AFL_CUSTOM_MUTATOR_ONLY is set the afl_custom_mutator() function will
be called every time it needs to mutate test case!
For some cases, the format of the mutated data returned from
the custom mutator is not suitable to directly execute the target with this input. the custom mutator is not suitable to directly execute the target with this input.
For example, when using libprotobuf-mutator, the data returned is in a protobuf For example, when using libprotobuf-mutator, the data returned is in a protobuf
format which corresponds to a given grammar. In order to execute the target, format which corresponds to a given grammar. In order to execute the target,

5
docs/env_variables.txt
View File

@ -202,8 +202,9 @@ checks or alter some of the more exotic semantics of the tool:
for more. for more.
- Setting AFL_CUSTOM_MUTATOR_LIBRARY to a shared library with - Setting AFL_CUSTOM_MUTATOR_LIBRARY to a shared library with
afl_custom_mutator() export will run all mutations solely to this function. afl_custom_mutator() export run additional mutations though this library.
see docs/custom_mutator.txt If AFL_CUSTOM_MUTATOR_ONLY is also set, all mutations will solely be
performed with/from the libary. see docs/custom_mutator.txt
- For AFL_PYTHON_MODULE and AFL_PYTHON_ONLY - they require to be compiled - For AFL_PYTHON_MODULE and AFL_PYTHON_ONLY - they require to be compiled
with -DUSE_PYTHON. Please see docs/python_mutators.txt with -DUSE_PYTHON. Please see docs/python_mutators.txt

1
include/afl-fuzz.h
View File

@ -251,6 +251,7 @@ extern u64 mem_limit; /* Memory cap for child (MB) */
extern u8 cal_cycles, /* Calibration cycles defaults */ extern u8 cal_cycles, /* Calibration cycles defaults */
cal_cycles_long, debug, /* Debug mode */ cal_cycles_long, debug, /* Debug mode */
custom_only, /* Custom mutator only mode */
python_only; /* Python-only mode */ python_only; /* Python-only mode */
extern u32 stats_update_freq; /* Stats update frequency (execs) */ extern u32 stats_update_freq; /* Stats update frequency (execs) */

1
src/afl-fuzz-globals.c
View File

@ -84,6 +84,7 @@ u64 mem_limit = MEM_LIMIT; /* Memory cap for child (MB) */
u8 cal_cycles = CAL_CYCLES, /* Calibration cycles defaults */ u8 cal_cycles = CAL_CYCLES, /* Calibration cycles defaults */
cal_cycles_long = CAL_CYCLES_LONG, debug, /* Debug mode */ cal_cycles_long = CAL_CYCLES_LONG, debug, /* Debug mode */
custom_only, /* Custom mutator only mode */
python_only; /* Python-only mode */ python_only; /* Python-only mode */
u32 stats_update_freq = 1; /* Stats update frequency (execs) */ u32 stats_update_freq = 1; /* Stats update frequency (execs) */

7
src/afl-fuzz-one.c
View File

@ -516,10 +516,17 @@ u8 fuzz_one_original(char** argv) {
stage_finds[STAGE_CUSTOM_MUTATOR] += new_hit_cnt - orig_hit_cnt; stage_finds[STAGE_CUSTOM_MUTATOR] += new_hit_cnt - orig_hit_cnt;
stage_cycles[STAGE_CUSTOM_MUTATOR] += stage_max; stage_cycles[STAGE_CUSTOM_MUTATOR] += stage_max;
if (custom_only) {
/* Skip other stages */
ret_val = 0;
goto abandon_entry; goto abandon_entry;
} }
}
/* Skip right away if -d is given, if it has not been chosen sufficiently /* Skip right away if -d is given, if it has not been chosen sufficiently
often to warrant the expensive deterministic stage (fuzz_level), or often to warrant the expensive deterministic stage (fuzz_level), or
if it has gone through deterministic testing in earlier, resumed runs if it has gone through deterministic testing in earlier, resumed runs

10
src/afl-fuzz.c
View File

@ -622,6 +622,16 @@ int main(int argc, char** argv) {
} }
if (getenv("AFL_CUSTOM_MUTATOR_ONLY")) {
/* This ensures we don't proceed to havoc/splice */
custom_only = 1;
/* Ensure we also skip all deterministic steps */
skip_deterministic = 1;
}
get_core_count(); get_core_count();
#ifdef HAVE_AFFINITY #ifdef HAVE_AFFINITY