authorYour Name <you@example.com>2021-11-15 17:14:04 +0000
committerYour Name <you@example.com>2021-11-15 17:14:04 +0000
commite1d3fe30dec150aa7111cb623a7362a8026963a8 (patch)
tree742fa445c7dcf1bf868bd025ee7680dd13b27604
parentde90fd652e01797f129bfc23c24fa766b4c756a2 (diff)
downloadafl++-e1d3fe30dec150aa7111cb623a7362a8026963a8.tar.gz
Changes to allow configuration of stalker adjacent blocks
-rw-r--r--frida_mode/README.md5
-rw-r--r--frida_mode/frida.map1
-rw-r--r--frida_mode/include/stalker.h1
-rw-r--r--frida_mode/src/js/api.js7
-rw-r--r--frida_mode/src/js/js_api.c8
-rw-r--r--frida_mode/src/stalker.c18
-rw-r--r--frida_mode/ts/lib/afl.ts12
-rw-r--r--include/envs.h2
8 files changed, 51 insertions, 3 deletions
diff --git a/frida_mode/README.md b/frida_mode/README.md
index 8211224d..a75324d5 100644
--- a/frida_mode/README.md
+++ b/frida_mode/README.md
@@ -215,6 +215,11 @@ gdb \
 ```
 * `AFL_FRIDA_SECCOMP_FILE` - Write a log of any syscalls made by the target to
 the specified file.
+* `AFL_FRIDA_STALKER_ADJACENT_BLOCKS` - Configure the number of adjacent blocks
+ to fetch when generating instrumented code. By fetching blocks in the same
+ order they appear in the original program, rather than the order of execution
+ should help reduce locallity and adjacency. This includes allowing us to vector
+ between adjancent blocks using a NOP slide rather than an immediate branch.
 * `AFL_FRIDA_STALKER_IC_ENTRIES` - Configure the number of inline cache entries
 stored along-side branch instructions which provide a cache to avoid having to
 call back into FRIDA to find the next block. Default is 32.
diff --git a/frida_mode/frida.map b/frida_mode/frida.map
index 7be41aa0..61eb19ee 100644
--- a/frida_mode/frida.map
+++ b/frida_mode/frida.map
@@ -29,6 +29,7 @@
     js_api_set_prefetch_disable;
     js_api_set_seccomp_file;
     js_api_set_stalker_callback;
+    js_api_set_stalker_adjacent_blocks;
     js_api_set_stalker_ic_entries;
     js_api_set_stats_file;
     js_api_set_stats_interval;
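Review bot: The new export `js_api_set_stalker_adjacent_blocks;` is inserted after `js_api_set_stalker_callback;`, while the surrounding entries in this version script are kept in alphabetical order, so it belongs one line earlier, between `js_api_set_seccomp_file;` and `js_api_set_stalker_callback;`. Moving that single line keeps the list sorted and makes future merges of this block less conflict-prone. The export list continues outside the hunk.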
diff --git a/frida_mode/include/stalker.h b/frida_mode/include/stalker.h
index 8a111b90..666787e9 100644
--- a/frida_mode/include/stalker.h
+++ b/frida_mode/include/stalker.h
@@ -5,6 +5,7 @@
 
 extern guint    stalker_ic_entries;
 extern gboolean backpatch_enable;
+extern guint    stalker_adjacent_blocks;
 
 void        stalker_config(void);
 void        stalker_init(void);
diff --git a/frida_mode/src/js/api.js b/frida_mode/src/js/api.js
index 5db62389..8e810d09 100644
--- a/frida_mode/src/js/api.js
+++ b/frida_mode/src/js/api.js
@@ -205,6 +205,12 @@ class Afl {
         const buf = Memory.allocUtf8String(file);
         Afl.jsApiSetSeccompFile(buf);
     }
+    /**
+     * See `AFL_FRIDA_STALKER_ADJACENT_BLOCKS`.
+     */
+    static setStalkerAdjacentBlocks(val) {
+        Afl.jsApiSetStalkerAdjacentBlocks(val);
+    }
     /*
      * Set a function to be called for each instruction which is instrumented
      * by AFL FRIDA mode.
@@ -294,6 +300,7 @@ Afl.jsApiSetPrefetchBackpatchDisable = Afl.jsApiGetFunction("js_api_set_prefetch
 Afl.jsApiSetPrefetchDisable = Afl.jsApiGetFunction("js_api_set_prefetch_disable", "void", []);
 Afl.jsApiSetSeccompFile = Afl.jsApiGetFunction("js_api_set_seccomp_file", "void", ["pointer"]);
 Afl.jsApiSetStalkerCallback = Afl.jsApiGetFunction("js_api_set_stalker_callback", "void", ["pointer"]);
+Afl.jsApiSetStalkerAdjacentBlocks = Afl.jsApiGetFunction("js_api_set_stalker_adjacent_blocks", "void", ["uint32"]);
 Afl.jsApiSetStalkerIcEntries = Afl.jsApiGetFunction("js_api_set_stalker_ic_entries", "void", ["uint32"]);
 Afl.jsApiSetStatsFile = Afl.jsApiGetFunction("js_api_set_stats_file", "void", ["pointer"]);
 Afl.jsApiSetStatsInterval = Afl.jsApiGetFunction("js_api_set_stats_interval", "void", ["uint64"]);
diff --git a/frida_mode/src/js/js_api.c b/frida_mode/src/js/js_api.c
index c1f092c9..8e0a549c 100644
--- a/frida_mode/src/js/js_api.c
+++ b/frida_mode/src/js/js_api.c
@@ -250,3 +250,11 @@ __attribute__((visibility("default"))) void js_api_set_backpatch_disable(void) {
 
 }
 
+
+__attribute__((visibility("default"))) void js_api_set_stalker_adjacent_blocks(
+    guint val) {
+
+  stalker_adjacent_blocks = val;
+
+}
+
diff --git a/frida_mode/src/stalker.c b/frida_mode/src/stalker.c
index 35a9d856..65ed5d50 100644
--- a/frida_mode/src/stalker.c
+++ b/frida_mode/src/stalker.c
@@ -7,6 +7,7 @@
 
 guint    stalker_ic_entries = 0;
 gboolean backpatch_enable = TRUE;
+guint    stalker_adjacent_blocks = 0;
 
 static GumStalker *stalker = NULL;
 
@@ -60,7 +61,9 @@ void stalker_config(void) {
 
   backpatch_enable = (getenv("AFL_FRIDA_INST_NO_BACKPATCH") == NULL);
 
-  stalker_ic_entries = util_read_num("AFL_FRIDA_STALKER_IC_ENTRIES");
+  stalker_ic_entries = util_read_num("AFL_FRIDA_STALKER_ADJACENT_BLOCKS");
+
+  stalker_adjacent_blocks = util_read_num("AFL_FRIDA_STALKER_IC_ENTRIES");
 
   observer = g_object_new(GUM_TYPE_AFL_STALKER_OBSERVER, NULL);
 
@@ -92,6 +95,7 @@ void stalker_init(void) {
   FOKF("Instrumentation - backpatch [%c]", backpatch_enable ? 'X' : ' ');
 
   FOKF("Stalker - ic_entries [%u]", stalker_ic_entries);
+  FOKF("Stalker - adjacent_blocks [%u]", stalker_adjacent_blocks);
 
 #if !(defined(__x86_64__) || defined(__i386__))
   if (stalker_ic_entries != 0) {
@@ -100,13 +104,21 @@ void stalker_init(void) {
 
   }
 
+  if (stalker_adjacent_blocks != 0) {
+
+    FFATAL("AFL_FRIDA_STALKER_ADJACENT_BLOCKS not supported");
+
+  }
+
 #endif
 
   if (stalker_ic_entries == 0) { stalker_ic_entries = 32; }
 
+  if (stalker_adjacent_blocks == 0) { stalker_adjacent_blocks = 32; }
+
 #if defined(__x86_64__) || defined(__i386__)
-  stalker =
-      g_object_new(GUM_TYPE_STALKER, "ic-entries", stalker_ic_entries, NULL);
+  stalker = g_object_new(GUM_TYPE_STALKER, "ic-entries", stalker_ic_entries,
+                         "adjacent-blocks", stalker_adjacent_blocks, NULL);
 #else
   stalker = gum_stalker_new();
 #endif
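Review bot: The default applied at `if (stalker_adjacent_blocks == 0) { stalker_adjacent_blocks = 32; }` is not documented anywhere in this change, and the `FOKF("Stalker - adjacent_blocks [%u]", ...)` line earlier in stalker_init() runs before it, so the log reports `adjacent_blocks [0]` whenever the user left the variable unset (the same pre-existing quirk as ic_entries). Either move the default assignment above the log line or annotate it with `/* 0 (unset) selects the default of 32 */` so the value in the log matches what is passed to Gum. The `"adjacent-blocks"` GObject property must also exist in the bundled frida-gum: if it does not, g_object_new() emits a warning and ignores the property rather than failing, so a minimum-version note or an explicit check would make that misconfiguration fail loudly — I cannot confirm the Gum version from this hunk. stalker_init() continues outside the hunk.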
diff --git a/frida_mode/ts/lib/afl.ts b/frida_mode/ts/lib/afl.ts
index 3639d670..e20ad3ec 100644
--- a/frida_mode/ts/lib/afl.ts
+++ b/frida_mode/ts/lib/afl.ts
@@ -241,6 +241,13 @@ class Afl {
     Afl.jsApiSetSeccompFile(buf);
   }
 
+  /**
+   * See `AFL_FRIDA_STALKER_ADJACENT_BLOCKS`.
+   */
+  public static setStalkerAdjacentBlocks(val: number): void {
+    Afl.jsApiSetStalkerAdjacentBlocks(val);
+  }
+
   /*
    * Set a function to be called for each instruction which is instrumented
    * by AFL FRIDA mode.
@@ -425,6 +432,11 @@ class Afl {
     "void",
     ["pointer"]);
 
+  private static readonly jsApiSetStalkerAdjacentBlocks = Afl.jsApiGetFunction(
+    "js_api_set_stalker_adjacent_blocks",
+    "void",
+    ["uint32"]);
+
   private static readonly jsApiSetStalkerIcEntries = Afl.jsApiGetFunction(
     "js_api_set_stalker_ic_entries",
     "void",
diff --git a/include/envs.h b/include/envs.h
index 0ba79092..a3ba5e88 100644
--- a/include/envs.h
+++ b/include/envs.h
@@ -76,6 +76,8 @@ static char *afl_environment_variables[] = {
     "AFL_FRIDA_PERSISTENT_DEBUG",
     "AFL_FRIDA_PERSISTENT_HOOK",
     "AFL_FRIDA_PERSISTENT_RET",
+    "AFL_FRIDA_STALKER_IC_ENTRIES",
+    "AFL_FRIDA_STALKER_ADJACENT_BLOCKS",
     "AFL_FRIDA_STATS_FILE",
     "AFL_FRIDA_STATS_INTERVAL",
     "AFL_FRIDA_TRACEABLE",
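Review bot: The two added entries break the alphabetical order the surrounding list keeps — `"AFL_FRIDA_STALKER_ADJACENT_BLOCKS",` should precede `"AFL_FRIDA_STALKER_IC_ENTRIES",`; swapping the two new lines restores it. If this table is what AFL++ consults to warn about unrecognised AFL_-prefixed variables (inferred from its name, not visible here), then adding the previously missing IC_ENTRIES entry fixes an unrelated omission and deserves a mention in the commit message. The array continues outside the hunk.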