From bd5ccc69772c4c025de6a669f19b65c1065b9bf5 Mon Sep 17 00:00:00 2001
From: Han Zheng
Date: Mon, 17 Feb 2025 08:30:57 +0100
Subject: [PATCH 1/7] add doc for deterministic mode
---
 docs/skipdet_mode.md | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 docs/skipdet_mode.md
diff --git a/docs/skipdet_mode.md b/docs/skipdet_mode.md
new file mode 100644
index 00000000..87271734
--- /dev/null
+++ b/docs/skipdet_mode.md
@@ -0,0 +1,29 @@
+# MendelFuzz: The Return of the Deterministic Stage.
+
+* Authors: Han Zheng, Flavio Toffalini, Marcel Böhme, and Mathias Payer.
+
+* Maintainer: [Han Zheng](https://github.com/kdsjZh)
+
+* Preprint: Accepted by [FSE 2025](https://mpi-softsec.github.io/papers/FSE25-mendelfuzz.pdf)
+
+* Artifact: https://github.com/hexhive/mendelFuzz-Artifact/
+
+## Motivation
+
+Prior works observed that the deterministic stage is not efficient in real-world fuzzing practice.
+Therefore, AFL++ disabled it by default since `++3.00c`. While the setup notably boosts the exploration, it is not always the best option.
+
+In this work, we analyze the overhead and the contributions of the deterministic stage. Our observations suggest that 1) deterministic stage can contribute to coverage, but consumes too much (> 90%) time
+in the campaign. 2) mutating a small percentage of (0.5%) bytes and (20%) seeds contributes to >80% of new paths found in the deterministic stage.
+
+Inspired by these takeaways, we developed MendelFuzz to identify these critical bytes and seeds to boost the deterministic stage. MendelFuzz retains the benefits of the classic deterministic stage by
+only enumerating a tiny part of the total deterministic state space.
+
+## Usage
+
+MendelFuzz is the default mode in AFL++. Just follow the standard fuzzing practice!
+
+
+## Code Structure
+
+The implementation is mainly available at `src/afl-fuzz-skipdet.c`.
From 68f5c4811e67d02245a1520fc3649b287337b596 Mon Sep 17 00:00:00 2001
From: Han Zheng
Date: Mon, 17 Feb 2025 09:40:58 +0100
Subject: [PATCH 2/7] move to feature
---
 docs/features.md | 1 +
 docs/skipdet_mode.md | 29 -----------------------------
 2 files changed, 1 insertion(+), 29 deletions(-)
 delete mode 100644 docs/skipdet_mode.md
diff --git a/docs/features.md b/docs/features.md
index b75c103c..07abb9da 100644
--- a/docs/features.md
+++ b/docs/features.md
@@ -106,6 +106,7 @@ Among others, the following features and patches have been integrated:
 * Win32 PE binary-only fuzzing with QEMU and Wine
 * AFLfast's power schedules by Marcel Böhme: [https://github.com/mboehme/aflfast](https://github.com/mboehme/aflfast)
+* The new deterministic mode [MendelFuzz](https://mpi-softsec.github.io/papers/FSE25-mendelfuzz.pdf)
 * The MOpt mutator: [https://github.com/puppet-meteor/MOpt-AFL](https://github.com/puppet-meteor/MOpt-AFL)
 * LLVM mode Ngram coverage by Adrian Herrera
diff --git a/docs/skipdet_mode.md b/docs/skipdet_mode.md
deleted file mode 100644
index 87271734..00000000
--- a/docs/skipdet_mode.md
+++ /dev/null
@@ -1,29 +0,0 @@
-# MendelFuzz: The Return of the Deterministic Stage.
-
-* Authors: Han Zheng, Flavio Toffalini, Marcel Böhme, and Mathias Payer.
-
-* Maintainer: [Han Zheng](https://github.com/kdsjZh)
-
-* Preprint: Accepted by [FSE 2025](https://mpi-softsec.github.io/papers/FSE25-mendelfuzz.pdf)
-
-* Artifact: https://github.com/hexhive/mendelFuzz-Artifact/
-
-## Motivation
-
-Prior works observed that the deterministic stage is not efficient in real-world fuzzing practice.
-Therefore, AFL++ disabled it by default since `++3.00c`. While the setup notably boosts the exploration, it is not always the best option.
-
-In this work, we analyze the overhead and the contributions of the deterministic stage. Our observations suggest that 1) deterministic stage can contribute to coverage, but consumes too much (> 90%) time
-in the campaign. 2) mutating a small percentage of (0.5%) bytes and (20%) seeds contributes to >80% of new paths found in the deterministic stage.
-
-Inspired by these takeaways, we developed MendelFuzz to identify these critical bytes and seeds to boost the deterministic stage. MendelFuzz retains the benefits of the classic deterministic stage by
-only enumerating a tiny part of the total deterministic state space.
-
-## Usage
-
-MendelFuzz is the default mode in AFL++. Just follow the standard fuzzing practice!
-
-
-## Code Structure
-
-The implementation is mainly available at `src/afl-fuzz-skipdet.c`.
From 2c2a0471cdc64f9f348fd28948ca0ee51dcc4468 Mon Sep 17 00:00:00 2001
From: Han Zheng
Date: Mon, 17 Feb 2025 09:42:56 +0100
Subject: [PATCH 3/7] fix
---
 docs/features.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/features.md b/docs/features.md
index 07abb9da..6d67ac1f 100644
--- a/docs/features.md
+++ b/docs/features.md
@@ -106,7 +106,7 @@ Among others, the following features and patches have been integrated:
 * Win32 PE binary-only fuzzing with QEMU and Wine
 * AFLfast's power schedules by Marcel Böhme: [https://github.com/mboehme/aflfast](https://github.com/mboehme/aflfast)
-* The new deterministic mode [MendelFuzz](https://mpi-softsec.github.io/papers/FSE25-mendelfuzz.pdf)
+* The new deterministic mode by Han Zheng: [https://github.com/hexhive/mendelFuzz-Artifact/](https://github.com/hexhive/mendelFuzz-Artifact/)
 * The MOpt mutator: [https://github.com/puppet-meteor/MOpt-AFL](https://github.com/puppet-meteor/MOpt-AFL)
 * LLVM mode Ngram coverage by Adrian Herrera
From 29f48ab3e7c1d7639c8682b10c2e2c4360bc56f5 Mon Sep 17 00:00:00 2001
From: Han Zheng
Date: Mon, 17 Feb 2025 09:43:59 +0100
Subject: [PATCH 4/7] update
---
 docs/features.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/features.md b/docs/features.md
index 6d67ac1f..e98d60fe 100644
--- a/docs/features.md
+++ b/docs/features.md
@@ -106,7 +106,7 @@ Among others, the following features and patches have been integrated:
 * Win32 PE binary-only fuzzing with QEMU and Wine
 * AFLfast's power schedules by Marcel Böhme: [https://github.com/mboehme/aflfast](https://github.com/mboehme/aflfast)
-* The new deterministic mode by Han Zheng: [https://github.com/hexhive/mendelFuzz-Artifact/](https://github.com/hexhive/mendelFuzz-Artifact/)
+* The fast deterministic stage by Han Zheng: [https://github.com/hexhive/mendelFuzz-Artifact/](https://github.com/hexhive/mendelFuzz-Artifact/)
 * The MOpt mutator: [https://github.com/puppet-meteor/MOpt-AFL](https://github.com/puppet-meteor/MOpt-AFL)
 * LLVM mode Ngram coverage by Adrian Herrera
From 6f018b3d80e8eddeef10159fa7c308dce5fb2dd0 Mon Sep 17 00:00:00 2001
From: "Dongjia \"toka\" Zhang"
Date: Tue, 18 Feb 2025 14:09:43 +0100
Subject: [PATCH 5/7] del
---
 utils/aflpp_driver/aflpp_driver.c | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/utils/aflpp_driver/aflpp_driver.c b/utils/aflpp_driver/aflpp_driver.c
index 9b79ef9b..6cf62dab 100644
--- a/utils/aflpp_driver/aflpp_driver.c
+++ b/utils/aflpp_driver/aflpp_driver.c
@@ -392,10 +392,6 @@ __attribute__((weak)) int LLVMFuzzerRunDriver(
 __afl_manual_init();
- // Call LLVMFuzzerTestOneInput here so that coverage caused by initialization
- // on the first execution of LLVMFuzzerTestOneInput is ignored.
- callback(dummy_input, 4);
- __asan_poison_memory_region(__afl_fuzz_ptr, MAX_FILE);
 size_t prev_length = 0;
From 2843b7eb0275a50a157884b32cadfa652873909f Mon Sep 17 00:00:00 2001
From: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com>
Date: Mon, 17 Feb 2025 19:00:49 +0000
Subject: [PATCH 6/7] feat: enable arm runners in CI
---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index ffb0e908..21fddfbf 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -14,7 +14,7 @@ jobs:
 runs-on: "${{ matrix.os }}"
 strategy:
 matrix:
- os: [ubuntu-24.04, ubuntu-22.04]
+ os: [ubuntu-24.04, ubuntu-22.04, ubuntu-24.04-arm]
 env:
 AFL_SKIP_CPUFREQ: 1
 AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES: 1
From 6f433b5d73798cf20c15d525e76c57f6a43949fc Mon Sep 17 00:00:00 2001
From: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com>
Date: Mon, 17 Feb 2025 19:03:51 +0000
Subject: [PATCH 7/7] feat: re-enable arm64 docker containers. Use GH arm runners
---
 .github/workflows/container.yml | 32 ++++++++++++++++++++++++++------
 1 file changed, 26 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml
index 2fafa70f..4a4fa028 100644
--- a/.github/workflows/container.yml
+++ b/.github/workflows/container.yml
@@ -35,20 +35,41 @@ jobs:
 apt-get install -y libcmocka-dev &&
 make -i tests
 "
+ build-and-test-arm64:
+ name: Test arm64 image
+ runs-on: ubuntu-24.04-arm
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+ - name: Build arm64
+ uses: docker/build-push-action@v6
+ with:
+ context: .
+ tags: aflplusplus:test-arm64
+ load: true
+ cache-to: type=gha,mode=max
+ build-args: |
+ TEST_BUILD=1
+ - name: Test arm64
+ run: >
+ docker run --rm aflplusplus:test-arm64 bash -c "
+ apt-get update &&
+ apt-get install -y libcmocka-dev &&
+ make -i tests
+ "
 push:
 name: Push amd64 and arm64 images
 runs-on: ubuntu-latest
 needs:
 - build-and-test-amd64
+ - build-and-test-arm64
 if: ${{ github.event_name == 'push' && github.repository == 'AFLplusplus/AFLplusplus' }}
 steps:
 - name: Checkout
 uses: actions/checkout@v3
- #- name: Set up QEMU
- # uses: docker/setup-qemu-action@v2
- # with:
- # platforms: arm64
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v2
 - name: Login to docker.io
@@ -69,8 +90,7 @@ jobs:
 uses: docker/build-push-action@v3
 with:
 context: .
- platforms: linux/amd64
- #,linux/arm64
+ platforms: linux/amd64,linux/arm64
 push: true
 tags: ${{ steps.push-tags.outputs.PUSH_TAGS }}
 cache-from: type=gha
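Review bot: The new build-and-test-arm64 job exports a layer cache with `cache-to: type=gha,mode=max` but gives it no `scope` and has no `cache-from` at all, so the job never reads back what it writes, and because the gha cache backend puts every exporter into one default scope, an amd64 job exporting the same way (its cache settings lie outside this hunk) and the push job's `cache-from: type=gha` in the second hunk end up competing for the same entries. Giving each architecture its own scope, `cache-to: type=gha,mode=max,scope=arm64`, and reading it back with a matching `cache-from: type=gha,scope=arm64` keeps the two builds from overwriting each other. Separately, the job pulls `actions/checkout@v4`, `docker/setup-buildx-action@v3` and `docker/build-push-action@v6` by floating major tags while the push job below still runs `@v3`, `@v2` and `@v3` of the same three actions, so one workflow now executes two generations of each; pinning every `uses:` to a full commit SHA with the version in a trailing comment (`uses: actions/checkout@<commit-sha>  # v4`, SHA taken from the action's release) makes the pipeline reproducible and removes the tag-retargeting path into a job that holds registry push credentials, and aligning the majors across jobs removes the behavioural drift.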
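Review bot: `platforms: linux/amd64,linux/arm64` is re-enabled in the push job, which runs on `ubuntu-latest` (context in the previous hunk), while the same commit deletes the commented-out `docker/setup-qemu-action` step, so no step in the workflow registers an arm64 emulator any more; unless the hosted image already provides binfmt handlers, the arm64 half of this multi-platform build can only succeed if every layer is served from the gha cache, and that cache was populated by the arm64 test job with `build-args: TEST_BUILD=1` and an unscoped exporter, which may well not match. Restoring the step, `- name: Set up QEMU` followed by `uses: docker/setup-qemu-action@v3`, before the Buildx setup makes the push build self-sufficient; if the intent is instead to reuse the natively built arm64 image, the workflow needs the scoped cache-from entries to say so. The push job's step list begins in the previous hunk and the `with:` mapping continues past this one.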