ExternalVendorCode/AFLplusplus
1
0
Fork 0
mirror of https://github.com/AFLplusplus/AFLplusplus.git synced 2025-06-12 18:18:07 +00:00
Code Issues Packages Projects Releases Wiki Activity

radamsa mutator as havoc cycle replacement with probability 1/24

Browse Source
This commit is contained in:
Andrea Fioraldi
2019-10-10 19:46:46 +02:00
parent 125a59df91
commit 9de74cce92
7 changed files with 122 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
Makefile
View File

@ -33,7 +33,8 @@ SH_PROGS = afl-plot afl-cmin afl-whatsup afl-system-config
MANPAGES=$(foreach p, $(PROGS) $(SH_PROGS), $(p).8) MANPAGES=$(foreach p, $(PROGS) $(SH_PROGS), $(p).8)
CFLAGS ?= -O3 -funroll-loops CFLAGS ?= -O3 -funroll-loops
CFLAGS += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -I include/ \ CFLAGS += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign \
-I include/ -I src/third_party/libradamsa/ \
-DAFL_PATH=\"$(HELPER_PATH)\" -DDOC_PATH=\"$(DOC_PATH)\" \ -DAFL_PATH=\"$(HELPER_PATH)\" -DDOC_PATH=\"$(DOC_PATH)\" \
-DBIN_PATH=\"$(BIN_PATH)\" -Wno-unused-function -DBIN_PATH=\"$(BIN_PATH)\" -Wno-unused-function
@ -183,8 +184,11 @@ src/afl-forkserver.o : src/afl-forkserver.c include/forkserver.h
src/afl-sharedmem.o : src/afl-sharedmem.c include/sharedmem.h src/afl-sharedmem.o : src/afl-sharedmem.c include/sharedmem.h
$(CC) $(CFLAGS) -c src/afl-sharedmem.c -o src/afl-sharedmem.o $(CC) $(CFLAGS) -c src/afl-sharedmem.c -o src/afl-sharedmem.o
afl-fuzz: include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o $(COMM_HDR) | test_x86 src/third_party/libradamsa/libradamsa.a : src/third_party/libradamsa/libradamsa.c src/third_party/libradamsa/radamsa.h
$(CC) $(CFLAGS) $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o -o $@ $(PYFLAGS) $(LDFLAGS) $(MAKE) -C src/third_party/libradamsa/
afl-fuzz: include/afl-fuzz.h $(AFL_FUZZ_FILES) src/third_party/libradamsa/libradamsa.a src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o $(COMM_HDR) | test_x86
$(CC) $(CFLAGS) $(AFL_FUZZ_FILES) src/third_party/libradamsa/libradamsa.a src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o -o $@ $(PYFLAGS) $(LDFLAGS)
afl-showmap: src/afl-showmap.c src/afl-common.o src/afl-sharedmem.o $(COMM_HDR) | test_x86 afl-showmap: src/afl-showmap.c src/afl-common.o src/afl-sharedmem.o $(COMM_HDR) | test_x86
$(CC) $(CFLAGS) src/$@.c src/afl-common.o src/afl-sharedmem.o -o $@ $(LDFLAGS) $(CC) $(CFLAGS) src/$@.c src/afl-common.o src/afl-sharedmem.o -o $@ $(LDFLAGS)
@ -200,8 +204,8 @@ afl-gotcpu: src/afl-gotcpu.c $(COMM_HDR) | test_x86
# document all mutations and only do one run (use with only one input file!) # document all mutations and only do one run (use with only one input file!)
document: include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o $(COMM_HDR) | test_x86 document: include/afl-fuzz.h $(AFL_FUZZ_FILES) src/third_party/libradamsa/libradamsa.a src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o $(COMM_HDR) | test_x86
$(CC) $(CFLAGS) $(AFL_FUZZ_FILES) -D_AFL_DOCUMENT_MUTATIONS src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o -o afl-fuzz-document $(LDFLAGS) $(PYFLAGS) $(CC) $(CFLAGS) $(AFL_FUZZ_FILES) -D_AFL_DOCUMENT_MUTATIONS src/third_party/libradamsa/libradamsa.a src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o -o afl-fuzz-document $(LDFLAGS) $(PYFLAGS)
code-format: code-format:
@ -256,6 +260,7 @@ clean:
$(MAKE) -C libtokencap clean $(MAKE) -C libtokencap clean
$(MAKE) -C qemu_mode/unsigaction clean $(MAKE) -C qemu_mode/unsigaction clean
$(MAKE) -C qemu_mode/libcompcov clean $(MAKE) -C qemu_mode/libcompcov clean
$(MAKE) -C src/third_party/libradamsa/ clean
distrib: all distrib: all
-$(MAKE) -C llvm_mode -$(MAKE) -C llvm_mode

20
include/afl-fuzz.h
View File

@ -284,6 +284,8 @@ extern char* power_names[POWER_SCHEDULES_NUM];
extern u8 schedule; /* Power schedule (default: EXPLORE)*/ extern u8 schedule; /* Power schedule (default: EXPLORE)*/
extern u8 havoc_max_mult; extern u8 havoc_max_mult;
extern u8 use_radamsa;
extern u8 skip_deterministic, /* Skip deterministic stages? */ extern u8 skip_deterministic, /* Skip deterministic stages? */
force_deterministic, /* Force deterministic stages? */ force_deterministic, /* Force deterministic stages? */
use_splicing, /* Recombine input files? */ use_splicing, /* Recombine input files? */
@ -399,6 +401,9 @@ extern u64 stage_finds[32], /* Patterns found per fuzz stage */
extern u32 rand_cnt; /* Random number counter */ extern u32 rand_cnt; /* Random number counter */
#endif #endif
extern u32 rand_seed[2];
extern s64 init_seed;
extern u64 total_cal_us, /* Total calibration time (us) */ extern u64 total_cal_us, /* Total calibration time (us) */
total_cal_cycles; /* Total calibration cycles */ total_cal_cycles; /* Total calibration cycles */
@ -642,11 +647,9 @@ static inline u32 UR(u32 limit) {
#else #else
if (!fixed_seed && unlikely(!rand_cnt--)) { if (!fixed_seed && unlikely(!rand_cnt--)) {
u32 seed[2]; ck_read(dev_urandom_fd, &rand_seed, sizeof(rand_seed), "/dev/urandom");
srandom(rand_seed[0]);
ck_read(dev_urandom_fd, &seed, sizeof(seed), "/dev/urandom"); rand_cnt = (RESEED_RNG / 2) + (rand_seed[1] % RESEED_RNG);
srandom(seed[0]);
rand_cnt = (RESEED_RNG / 2) + (seed[1] % RESEED_RNG);
} }
@ -655,6 +658,13 @@ static inline u32 UR(u32 limit) {
} }
static inline u32 get_rand_seed() {
if (fixed_seed) return (u32)init_seed;
return rand_seed[0];
}
/* Find first power of two greater or equal to val (assuming val under /* Find first power of two greater or equal to val (assuming val under
2^63). */ 2^63). */

5
src/afl-fuzz-globals.c
View File

@ -95,6 +95,8 @@ char *power_names[POWER_SCHEDULES_NUM] = {"explore", "fast", "coe",
u8 schedule = EXPLORE; /* Power schedule (default: EXPLORE)*/ u8 schedule = EXPLORE; /* Power schedule (default: EXPLORE)*/
u8 havoc_max_mult = HAVOC_MAX_MULT; u8 havoc_max_mult = HAVOC_MAX_MULT;
u8 use_radamsa;
u8 skip_deterministic, /* Skip deterministic stages? */ u8 skip_deterministic, /* Skip deterministic stages? */
force_deterministic, /* Force deterministic stages? */ force_deterministic, /* Force deterministic stages? */
use_splicing, /* Recombine input files? */ use_splicing, /* Recombine input files? */
@ -210,6 +212,9 @@ u64 stage_finds[32], /* Patterns found per fuzz stage */
u32 rand_cnt; /* Random number counter */ u32 rand_cnt; /* Random number counter */
#endif #endif
u32 rand_seed[2];
s64 init_seed;
u64 total_cal_us, /* Total calibration time (us) */ u64 total_cal_us, /* Total calibration time (us) */
total_cal_cycles; /* Total calibration cycles */ total_cal_cycles; /* Total calibration cycles */

55
src/afl-fuzz-one.c
View File

@ -24,6 +24,9 @@
*/ */
#include "afl-fuzz.h" #include "afl-fuzz.h"
#include "radamsa.h"
#define RADAMSA_CHANCE 24
/* MOpt */ /* MOpt */
@ -1728,11 +1731,61 @@ havoc_stage:
for (stage_cur = 0; stage_cur < stage_max; ++stage_cur) { for (stage_cur = 0; stage_cur < stage_max; ++stage_cur) {
if (use_radamsa && UR(RADAMSA_CHANCE) == 0) {
u32 max_len = temp_len + choose_block_len(HAVOC_BLK_XL);
u8* new_buf = ck_alloc_nozero(max_len);
u32 new_len = radamsa_mutate(out_buf, temp_len, new_buf, max_len, get_rand_seed());
if (new_len) {
temp_len = new_len;
ck_free(out_buf);
out_buf = new_buf;
} else {
ck_free(new_buf);
}
goto havoc_run_point;
}
u32 use_stacking = 1 << (1 + UR(HAVOC_STACK_POW2)); u32 use_stacking = 1 << (1 + UR(HAVOC_STACK_POW2));
stage_cur_val = use_stacking; stage_cur_val = use_stacking;
for (i = 0; i < use_stacking; ++i) { for (i = 0; i < use_stacking; ++i) {
/*if (use_radamsa && UR(RADAMSA_CHANCE) == 0) {
// Ramdsa stage stacked with the AFL havoc mutations.
// This is very slow, I maintain the commendted code for future or
// particular uses.
u32 max_len = temp_len + choose_block_len(HAVOC_BLK_XL);
u8* new_buf = ck_alloc_nozero(max_len);
u32 new_len = radamsa_mutate(out_buf, temp_len, new_buf, max_len, get_rand_seed());
if (new_len) {
temp_len = new_len;
ck_free(out_buf);
out_buf = new_buf;
} else {
ck_free(new_buf);
}
continue;
}*/
switch (UR(15 + ((extras_cnt + a_extras_cnt) ? 2 : 0))) { switch (UR(15 + ((extras_cnt + a_extras_cnt) ? 2 : 0))) {
@ -2108,6 +2161,8 @@ havoc_stage:
} }
havoc_run_point:
if (common_fuzz_stuff(argv, out_buf, temp_len)) goto abandon_entry; if (common_fuzz_stuff(argv, out_buf, temp_len)) goto abandon_entry;
/* out_buf might have been mangled a bit, so let's restore it to its /* out_buf might have been mangled a bit, so let's restore it to its

38
src/afl-fuzz.c
View File

@ -24,6 +24,7 @@
*/ */
#include "afl-fuzz.h" #include "afl-fuzz.h"
#include "radamsa.h"
/* Display usage hints. */ /* Display usage hints. */
@ -119,7 +120,6 @@ int main(int argc, char** argv) {
u8 mem_limit_given = 0; u8 mem_limit_given = 0;
u8 exit_1 = !!getenv("AFL_BENCH_JUST_ONE"); u8 exit_1 = !!getenv("AFL_BENCH_JUST_ONE");
char** use_argv; char** use_argv;
s64 init_seed;
struct timeval tv; struct timeval tv;
struct timezone tz; struct timezone tz;
@ -134,7 +134,7 @@ int main(int argc, char** argv) {
init_seed = tv.tv_sec ^ tv.tv_usec ^ getpid(); init_seed = tv.tv_sec ^ tv.tv_usec ^ getpid();
while ((opt = getopt(argc, argv, while ((opt = getopt(argc, argv,
"+i:I:o:f:m:t:T:dnCB:S:M:x:QUWe:p:s:V:E:L:h")) > 0) "+i:I:o:f:m:t:T:dnCB:S:M:x:QUWe:p:s:V:E:L:hR")) > 0)
switch (opt) { switch (opt) {
@ -511,6 +511,13 @@ int main(int argc, char** argv) {
usage(argv[0]); usage(argv[0]);
return -1; return -1;
break; // not needed break; // not needed
case 'R':
if (use_radamsa) FATAL("Multiple -R options not supported");
use_radamsa = 1;
break;
default: usage(argv[0]); default: usage(argv[0]);
@ -518,8 +525,27 @@ int main(int argc, char** argv) {
if (optind == argc || !in_dir || !out_dir) usage(argv[0]); if (optind == argc || !in_dir || !out_dir) usage(argv[0]);
OKF("afl++ is maintained by Marc \"van Hauser\" Heuse, Heiko \"hexcoder\" "
"Eissfeldt and Andrea Fioraldi");
OKF("afl++ is open source, get it at "
"https://github.com/vanhauser-thc/AFLplusplus");
OKF("Power schedules from github.com/mboehme/aflfast");
OKF("Python Mutator and llvm_mode whitelisting from github.com/choller/afl");
OKF("afl-tmin fork server patch from github.com/nccgroup/TriforceAFL");
OKF("MOpt Mutator from github.com/puppet-meteor/MOpt-AFL");
if (fixed_seed) OKF("Running with fixed seed: %u", (u32)init_seed); if (fixed_seed) OKF("Running with fixed seed: %u", (u32)init_seed);
srandom((u32)init_seed); srandom((u32)init_seed);
if (use_radamsa) {
OKF("Using Radamsa add-on");
/* randamsa_init installs some signal hadlers, call it firstly so that
AFL++ can then replace those signal handlers */
radamsa_init();
}
setup_signal_handlers(); setup_signal_handlers();
check_asan_opts(); check_asan_opts();
@ -560,14 +586,6 @@ int main(int argc, char** argv) {
"fuzzing the right binary: " cRST "%s", "fuzzing the right binary: " cRST "%s",
argv[optind]); argv[optind]);
OKF("afl++ is maintained by Marc \"van Hauser\" Heuse, Heiko \"hexcoder\" "
"Eissfeldt and Andrea Fioraldi");
OKF("afl++ is open source, get it at "
"https://github.com/vanhauser-thc/AFLplusplus");
OKF("Power schedules from github.com/mboehme/aflfast");
OKF("Python Mutator and llvm_mode whitelisting from github.com/choller/afl");
OKF("afl-tmin fork server patch from github.com/nccgroup/TriforceAFL");
OKF("MOpt Mutator from github.com/puppet-meteor/MOpt-AFL");
ACTF("Getting to work..."); ACTF("Getting to work...");
switch (schedule) { switch (schedule) {

8
src/third_party/.gitignore vendored Normal file
View File

@ -0,0 +1,8 @@
radamsa.c
tmp
bin/radamsa
bin/radamsa.exe
ol.c*
bin/ol
.seal-of-quality

1
src/third_party/libradamsa vendored Submodule

Submodule src/third_party/libradamsa added at 578bd7f2f7