41 changes: 37 additions & 4 deletions include/afl-fuzz.h
Expand Up @@ -149,6 +149,10 @@ struct tainted {

};

struct potential_favored_input {
struct queue_entry *queue;
struct potential_favored_input *next;
};
struct queue_entry {

u8 *fname; /* File name for the test case */
Expand All @@ -165,7 +169,8 @@ struct queue_entry {
favored, /* Currently favored? */
fs_redundant, /* Marked as redundant in the fs? */
is_ascii, /* Is the input just ascii text? */
disabled; /* Is disabled from fuzz selection */
disabled, /* Is disabled from fuzz selection */
is_selected;

u32 bitmap_size, /* Number of bits set in bitmap */
fuzz_level, /* Number of fuzzing iterations */
Expand All @@ -174,7 +179,9 @@ struct queue_entry {
u64 exec_us, /* Execution time (us) */
handicap, /* Number of queue cycles behind */
depth, /* Path depth */
exec_cksum; /* Checksum of the execution trace */
exec_cksum, /* Checksum of the execution trace */
rand,
num_fuzzed;

u8 *trace_mini; /* Trace bytes, if kept */
u32 tc_ref; /* Trace bytes ref count */
Expand All @@ -191,7 +198,7 @@ struct queue_entry {
u8 * cmplog_colorinput; /* the result buf of colorization */
struct tainted *taint; /* Taint information from CmpLog */

struct queue_entry *mother; /* queue entry this based on */
struct queue_entry *mother; /* queue entry this based on */

};

Expand All @@ -203,6 +210,8 @@ struct extra_data {

};



struct auto_extra_data {

u8 data[MAX_AUTO_EXTRA]; /* Dictionary token data */
Expand Down Expand Up @@ -519,7 +528,12 @@ typedef struct afl_state {
expand_havoc, /* perform expensive havoc after no find */
cycle_schedules, /* cycle power schedules? */
old_seed_selection, /* use vanilla afl seed selection */
reinit_table; /* reinit the queue weight table */
reinit_table, /* reinit the queue weight table */
disable_weighted_random_selection,
disable_random_favorites,
enable_uniformly_random_favorites,
disable_afl_default_favorites,
disable_randomized_fuzzing_params;

u8 *virgin_bits, /* Regions yet untouched by fuzzing */
*virgin_tmout, /* Bits we haven't seen in tmouts */
Expand Down Expand Up @@ -631,6 +645,8 @@ typedef struct afl_state {
struct extra_data *extras; /* Extra tokens to fuzz with */
u32 extras_cnt; /* Total number of tokens read */

struct potential_favored_input* potential_favored_list[MAP_SIZE];

struct auto_extra_data
a_extras[MAX_AUTO_EXTRAS]; /* Automatically selected extras */
u32 a_extras_cnt; /* Total number of tokens available */
Expand Down Expand Up @@ -751,6 +767,17 @@ typedef struct afl_state {
* is too large) */
struct queue_entry **q_testcase_cache;

int randomize_parameters_prob;

/* list of fuzzing parameter constants found in config.h */
u32 custom_havoc_cycles;
u32 custom_havoc_stack_pow2;
u32 custom_havoc_blk_small;
u32 custom_havok_blk_medium;
u32 custom_havoc_blk_large;
u32 custom_splice_cycles;
u32 custom_splice_havoc;

#ifdef INTROSPECTION
char mutation[8072];
char m_tmp[4096];
Expand All @@ -760,6 +787,8 @@ typedef struct afl_state {

} afl_state_t;



struct custom_mutator {

const char *name;
Expand Down Expand Up @@ -1038,6 +1067,10 @@ void update_bitmap_score(afl_state_t *, struct queue_entry *);
void cull_queue(afl_state_t *);
u32 calculate_score(afl_state_t *, struct queue_entry *);

/* random_params */
u32 rand_int_in_range(afl_state_t * afl, int low, int high);
double rand_double(afl_state_t * afl) ;

/* Bitmap */

void write_bitmap(afl_state_t *);
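Review bot: `potential_favored_list[MAP_SIZE]` in the hunk at -631 is a pointer array sized by the compile-time MAP_SIZE; if it is indexed by coverage-map position and the runtime map size (`afl->fsrv.map_size`) can be larger than MAP_SIZE, writes past the array would corrupt the neighbouring afl_state members, so the indexing site should be bounded (or the array sized from the runtime map size) rather than trusting the constant. The new queue_entry members `is_selected`, `rand` and `num_fuzzed` in the hunks at -165 and -174 are the only fields in the struct without a trailing comment; a short one each, e.g. `num_fuzzed; /* Times this entry has been fuzzed */` (presumably what it counts — confirm against the writer), keeps the header self-describing. `custom_havok_blk_medium` in the hunk at -751 is misspelled relative to its `custom_havoc_*` siblings and is already referenced from afl-fuzz-one.c; renaming it now avoids a permanent inconsistency. The prototypes added at -1038 name their parameters and space the pointer as `afl_state_t * afl`, unlike the surrounding `afl_state_t *` declarations, and `rand_double` carries a stray space before its `;`.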
66 changes: 51 additions & 15 deletions src/afl-fuzz-one.c
Expand Up @@ -84,24 +84,24 @@ static inline u32 choose_block_len(afl_state_t *afl, u32 limit) {

case 0:
min_value = 1;
max_value = HAVOC_BLK_SMALL;
max_value = afl->custom_havoc_blk_small;
break;

case 1:
min_value = HAVOC_BLK_SMALL;
max_value = HAVOC_BLK_MEDIUM;
min_value = afl->custom_havoc_blk_small;
max_value = afl->custom_havok_blk_medium;
break;

default:

if (likely(rand_below(afl, 10))) {

min_value = HAVOC_BLK_MEDIUM;
max_value = HAVOC_BLK_LARGE;
min_value = afl->custom_havok_blk_medium;
max_value = afl->custom_havoc_blk_large;

} else {

min_value = HAVOC_BLK_LARGE;
min_value = afl->custom_havoc_blk_large;
max_value = HAVOC_BLK_XL;

}
Expand Down Expand Up @@ -1798,7 +1798,7 @@ u8 fuzz_one_original(afl_state_t *afl) {

afl->stage_name = "custom mutator";
afl->stage_short = "custom";
afl->stage_max = HAVOC_CYCLES * perf_score / afl->havoc_div / 100;
afl->stage_max = afl->custom_havoc_cycles * perf_score / afl->havoc_div / 100;
afl->stage_val_type = STAGE_VAL_NONE;
bool has_custom_fuzz = false;

Expand Down Expand Up @@ -1954,7 +1954,7 @@ u8 fuzz_one_original(afl_state_t *afl) {

afl->stage_name = "havoc";
afl->stage_short = "havoc";
afl->stage_max = (doing_det ? HAVOC_CYCLES_INIT : HAVOC_CYCLES) *
afl->stage_max = (doing_det ? HAVOC_CYCLES_INIT : afl->custom_havoc_cycles) *
perf_score / afl->havoc_div / 100;

} else {
Expand All @@ -1964,7 +1964,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
snprintf(afl->stage_name_buf, STAGE_BUF_SIZE, "splice %u", splice_cycle);
afl->stage_name = afl->stage_name_buf;
afl->stage_short = "splice";
afl->stage_max = SPLICE_HAVOC * perf_score / afl->havoc_div / 100;
afl->stage_max = afl->custom_splice_havoc * perf_score / afl->havoc_div / 100;

}

Expand Down Expand Up @@ -2029,7 +2029,7 @@ u8 fuzz_one_original(afl_state_t *afl) {

for (afl->stage_cur = 0; afl->stage_cur < afl->stage_max; ++afl->stage_cur) {

u32 use_stacking = 1 << (1 + rand_below(afl, afl->havoc_stack_pow2));
u32 use_stacking = 1 << (1 + rand_below(afl, afl->custom_havoc_stack_pow2));

afl->stage_cur_val = use_stacking;

Expand Down Expand Up @@ -2786,7 +2786,7 @@ u8 fuzz_one_original(afl_state_t *afl) {

retry_splicing:

if (afl->use_splicing && splice_cycle++ < SPLICE_CYCLES &&
if (afl->use_splicing && splice_cycle++ < afl->custom_splice_cycles &&
afl->ready_for_splicing_count > 1 && afl->queue_cur->len >= 4) {

struct queue_entry *target;
Expand Down Expand Up @@ -2881,6 +2881,26 @@ u8 fuzz_one_original(afl_state_t *afl) {

}

static void reset_fuzzing_params(afl_state_t * afl) {
afl->custom_havoc_cycles = HAVOC_CYCLES;
afl->custom_havoc_stack_pow2 = HAVOC_STACK_POW2;
afl->custom_havoc_blk_small = HAVOC_BLK_SMALL;
afl->custom_havok_blk_medium = HAVOC_BLK_MEDIUM;
afl->custom_havoc_blk_large = HAVOC_BLK_LARGE;
afl->custom_splice_cycles = SPLICE_CYCLES;
afl->custom_splice_havoc = SPLICE_HAVOC;
}

static void randomize_fuzzing_params(afl_state_t * afl) {
afl->custom_havoc_cycles = rand_int_in_range(afl, 192, 320);
afl->custom_havoc_stack_pow2 = rand_int_in_range(afl, 4, 10);
afl->custom_havoc_blk_small = rand_int_in_range(afl, 24, 40);
afl->custom_havok_blk_medium = rand_int_in_range(afl, 96, 160);
afl->custom_havoc_blk_large = rand_int_in_range(afl, 1000, 2000);
afl->custom_splice_cycles = rand_int_in_range(afl, 10, 20);
afl->custom_splice_havoc = rand_int_in_range(afl, 24, 40);
}

/* MOpt mode */
static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {

Expand All @@ -2907,6 +2927,10 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
u8 a_collect[MAX_AUTO_EXTRA];
u32 a_len = 0;

// only fuzz selected inputs from our custom selection algorithm
if (!afl->disable_weighted_random_selection && !afl->queue_cur->is_selected)
return 1;

#ifdef IGNORE_FINDS

/* In IGNORE_FINDS mode, skip any entries that weren't in the
Expand Down Expand Up @@ -2961,6 +2985,18 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {

}


// assign probability based on frequncy that the seed was chosen
if (!afl->disable_randomized_fuzzing_params) {
// randomize fuzzing params with probabilities
int multiplier = afl->queue_cur->num_fuzzed ? ((int)(afl->queue_cur->num_fuzzed/5000.0)) + 1: 0;
afl->randomize_parameters_prob = MIN(MAX(multiplier * 5, 5), 75);
if (rand_below(afl, 100) < afl->randomize_parameters_prob)
randomize_fuzzing_params(afl);
else
reset_fuzzing_params(afl);
}

/* Map the test case into memory. */
orig_in = in_buf = queue_testcase_get(afl, afl->queue_cur);
len = afl->queue_cur->len;
Expand Down Expand Up @@ -4298,7 +4334,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {

afl->stage_name = MOpt_globals.havoc_stagename;
afl->stage_short = MOpt_globals.havoc_stagenameshort;
afl->stage_max = (doing_det ? HAVOC_CYCLES_INIT : HAVOC_CYCLES) *
afl->stage_max = (doing_det ? HAVOC_CYCLES_INIT : afl->custom_havoc_cycles) *
perf_score / afl->havoc_div / 100;

} else {
Expand All @@ -4309,7 +4345,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
MOpt_globals.splice_stageformat, splice_cycle);
afl->stage_name = afl->stage_name_buf;
afl->stage_short = MOpt_globals.splice_stagenameshort;
afl->stage_max = SPLICE_HAVOC * perf_score / afl->havoc_div / 100;
afl->stage_max = afl->custom_splice_havoc * perf_score / afl->havoc_div / 100;

}

Expand Down Expand Up @@ -4349,7 +4385,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {

afl->stage_name = MOpt_globals.havoc_stagename;
afl->stage_short = MOpt_globals.havoc_stagenameshort;
afl->stage_max = (doing_det ? HAVOC_CYCLES_INIT : HAVOC_CYCLES) *
afl->stage_max = (doing_det ? HAVOC_CYCLES_INIT : afl->custom_havoc_cycles) *
perf_score / afl->havoc_div / 100;

} else {
Expand All @@ -4359,7 +4395,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
MOpt_globals.splice_stageformat, splice_cycle);
afl->stage_name = afl->stage_name_buf;
afl->stage_short = MOpt_globals.splice_stagenameshort;
afl->stage_max = SPLICE_HAVOC * perf_score / afl->havoc_div / 100;
afl->stage_max = afl->custom_splice_havoc * perf_score / afl->havoc_div / 100;

}

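Review bot: `reset_fuzzing_params` in the hunk at -2881 restores `custom_havoc_stack_pow2` to the constant HAVOC_STACK_POW2, but the line it feeds (the hunk at -2029) previously read the runtime field `afl->havoc_stack_pow2`, so any value configured at startup is discarded the first time a reset happens; `afl->custom_havoc_stack_pow2 = afl->havoc_stack_pow2;` preserves the old behaviour. Reset and randomize are only called from `mopt_common_fuzzing` (hunk at -2961), yet the `custom_*` fields are also consumed in `choose_block_len` and `fuzz_one_original` (hunks at -84, -1798, -1954, -1964, -2786); unless they are initialised in state setup outside this diff, the non-MOpt path reads zeroed fields, which makes `stage_max` 0 and `splice_cycle++ < afl->custom_splice_cycles` never true, silently disabling havoc and splicing. In the hunk at -2961 the `num_fuzzed ? … : 0` ternary is redundant because `MAX(multiplier * 5, 5)` already floors the probability at 5, and the comment misspells "frequency". `rand_int_in_range` takes `int` bounds but returns `u32` into these `u32` fields; documenting that the range is inclusive, or not, at its declaration would make the literal bounds in `randomize_fuzzing_params` reviewable.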