fi

.gitmodules

@@ -25,3 +25,7 @@
 [submodule "nyx_mode/QEMU-Nyx"]
 	path = nyx_mode/QEMU-Nyx
 	url = https://github.com/nyx-fuzz/QEMU-Nyx
+[submodule "xgboost"]
+	path = xgboost
+	url = https://github.com/dmlc/xgboost
+	branch = 742c19f

GNUmakefile

@@ -471,8 +471,13 @@ src/afl-forkserver.o : $(COMM_HDR) src/afl-forkserver.c include/forkserver.h
 src/afl-sharedmem.o : $(COMM_HDR) src/afl-sharedmem.c include/sharedmem.h
 	$(CC) $(CFLAGS) $(CFLAGS_FLTO) $(SPECIAL_PERFORMANCE) -c src/afl-sharedmem.c -o src/afl-sharedmem.o
 
-afl-fuzz: $(COMM_HDR) include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o src/hashmap.c | test_x86
-	$(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) $(SPECIAL_PERFORMANCE) -Wno-shift-count-overflow $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o src/hashmap.c -o $@ $(PYFLAGS) $(LDFLAGS) -lm
+libxgboost.so:
+	git submodule init
+	git submodule update --recursive
+	mkdir -p xgboost/build && cd xgboost && git submodule init && git submodule update --recursive && cd build && cmake -DUSE_OPENMP=OFF -DHIDE_CXX_SYMBOLS=ON .. && make && cp -v ../lib/libxgboost.so ../..
+
+afl-fuzz: $(COMM_HDR) include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o src/hashmap.c libxgboost.so | test_x86
+	$(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) $(SPECIAL_PERFORMANCE) -Wno-shift-count-overflow $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o src/hashmap.c -o $@ $(PYFLAGS) $(LDFLAGS) -I./xgboost/include -lm -L. -lxgboost
 
 afl-showmap: src/afl-showmap.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o $(COMM_HDR) | test_x86
 	$(CC) $(CFLAGS) $(COMPILE_STATIC) $(CFLAGS_FLTO) $(SPECIAL_PERFORMANCE) src/$@.c src/afl-fuzz-mutators.c src/afl-fuzz-python.c src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o src/afl-performance.o -o $@ $(PYFLAGS) $(LDFLAGS)

src/afl-common.c

@@ -486,7 +486,7 @@ u8 *find_afl_binary(u8 *own_loc, u8 *fname) {
 
   if ((tmp = strrchr(fname, '.'))) {
 
-    if (!strcasecmp(tmp, ".so") || !strcasecmp(tmp, ".dylib")) { perm = R_OK; }
+    if (!strcasecmp(tmp, ".bin") || !strcasecmp(tmp, ".so") || !strcasecmp(tmp, ".dylib")) { perm = R_OK; }
 
   }
 

src/afl-fuzz-queue.c

@@ -26,6 +26,7 @@
 #include <limits.h>
 #include <ctype.h>
 #include <math.h>
+#include <xgboost/c_api.h>
 
 #ifdef _STANDALONE_MODULE
 void minimize_bits(afl_state_t *afl, u8 *dst, u8 *src) {
@@ -117,7 +118,7 @@ void create_alias_table(afl_state_t *afl) {
 
     double avg_exec_us = 0.0;
     double avg_bitmap_size = 0.0;
-    double avg_top_size = 0.0;
+    double avg_len = 0.0;
     u32    active = 0;
 
     for (i = 0; i < n; i++) {
@@ -128,8 +129,8 @@ void create_alias_table(afl_state_t *afl) {
       if (likely(!q->disabled)) {
 
         avg_exec_us += q->exec_us;
-        avg_bitmap_size += log(q->bitmap_size);
-        avg_top_size += q->tc_ref;
+        avg_bitmap_size += q->bitmap_size;
+        avg_len += q->len;
         ++active;
 
       }
@@ -138,7 +139,10 @@ void create_alias_table(afl_state_t *afl) {
 
     avg_exec_us /= active;
     avg_bitmap_size /= active;
-    avg_top_size /= active;
+    avg_len /= active;
+
+    float *table = malloc((active + 1) * 3 * sizeof(float));
+    float *pentry = table;
 
     for (i = 0; i < n; i++) {
 
@@ -146,29 +150,52 @@ void create_alias_table(afl_state_t *afl) {
 
       if (likely(!q->disabled)) {
 
-        q->weight =
-            compute_weight(afl, q, avg_exec_us, avg_bitmap_size, avg_top_size);
+        *pentry++ = q->len / avg_len;
+        *pentry++ = q->exec_us / avg_exec_us;
+        *pentry++ = q->bitmap_size / avg_bitmap_size;
         q->perf_score = calculate_score(afl, q);
-        sum += q->weight;
 
       }
 
     }
 
-    if (unlikely(afl->schedule == MMOPT) && afl->queued_discovered) {
+    DMatrixHandle dtest;
+    BoosterHandle booster;
 
-      u32 cnt = afl->queued_discovered >= 5 ? 5 : afl->queued_discovered;
+    // Erstellen einer DMatrix aus dem Array
+    XGDMatrixCreateFromMat((float *)table, 3, active, -1, &dtest);
+    XGBoosterCreate(&dtest, 1, &booster);
+    u8* model = NULL;//find_afl_binary("/out", "model.bin");
+    if (!model) model = find_afl_binary("./", "model.bin");
+    if (!model) FATAL("mode.bin not found!");
+    if (XGBoosterLoadModel(booster, "./model.bin"))
+      FATAL("model load failed!");
     
-      for (i = n - cnt; i < n; i++) {
+        bst_ulong out_len;
+    const float *predictions;
+    XGBoosterPredict(booster, dtest, 0, 0, 0, &out_len, &predictions);
 
-        struct queue_entry *q = afl->queue_buf[i];
+    // Ausgabe der Vorhersagen
+    int count = 0;
+    for (i = 0; i < n; i++) {
 
-        if (likely(!q->disabled)) { q->weight *= 2.0; }
+      struct queue_entry *q = afl->queue_buf[i];
+
+      if (likely(!q->disabled)) {
+        if (unlikely(afl->debug))
+        fprintf(stderr, "Prediction[%u] = %f\n", i, predictions[count]);
+        afl->queue_buf[i]->weight = predictions[count++];
+        sum += predictions[count++];
 
       }
 
     }
 
+    // Freigeben der Ressourcen
+    XGBoosterFree(booster);
+    XGDMatrixFree(dtest);
+    free(table);
+
     for (i = 0; i < n; i++) {
 
       // weight is always 0 for disabled entries