author | Andrea Fioraldi <andreafioraldi@gmail.com> | 2019-10-10 19:46:46 +0200 |
---|---|---|
committer | Andrea Fioraldi <andreafioraldi@gmail.com> | 2019-10-10 19:46:46 +0200 |
commit | 9de74cce92ed9a6552d518b195fc1dfb02fa584d (patch) | |
tree | 26d2c378b99ad7e912bbc79632871105e8fa1743 | |
parent | 125a59df91bb09f3288371185c15a48a08376bfe (diff) | |
radamsa mutator as havoc cycle replacement with probability 1/24
-rw-r--r-- | Makefile | 15 | ||||
-rw-r--r-- | include/afl-fuzz.h | 20 | ||||
-rw-r--r-- | src/afl-fuzz-globals.c | 5 | ||||
-rw-r--r-- | src/afl-fuzz-one.c | 55 | ||||
-rw-r--r-- | src/afl-fuzz.c | 38 | ||||
-rw-r--r-- | src/third_party/.gitignore | 8 | ||||
m--------- | src/third_party/libradamsa | 0 |
7 files changed, 121 insertions, 20 deletions
diff --git a/Makefile b/Makefile index 4c8cf402..1b1a8d68 100644 --- a/Makefile +++ b/Makefile @@ -33,7 +33,8 @@ SH_PROGS = afl-plot afl-cmin afl-whatsup afl-system-config MANPAGES=$(foreach p, $(PROGS) $(SH_PROGS), $(p).8) CFLAGS ?= -O3 -funroll-loops -CFLAGS += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign -I include/ \ +CFLAGS += -Wall -D_FORTIFY_SOURCE=2 -g -Wno-pointer-sign \ + -I include/ -I src/third_party/libradamsa/ \ -DAFL_PATH=\"$(HELPER_PATH)\" -DDOC_PATH=\"$(DOC_PATH)\" \ -DBIN_PATH=\"$(BIN_PATH)\" -Wno-unused-function @@ -183,8 +184,11 @@ src/afl-forkserver.o : src/afl-forkserver.c include/forkserver.h src/afl-sharedmem.o : src/afl-sharedmem.c include/sharedmem.h $(CC) $(CFLAGS) -c src/afl-sharedmem.c -o src/afl-sharedmem.o -afl-fuzz: include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o $(COMM_HDR) | test_x86 - $(CC) $(CFLAGS) $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o -o $@ $(PYFLAGS) $(LDFLAGS) +src/third_party/libradamsa/libradamsa.a : src/third_party/libradamsa/libradamsa.c src/third_party/libradamsa/radamsa.h + $(MAKE) -C src/third_party/libradamsa/ + +afl-fuzz: include/afl-fuzz.h $(AFL_FUZZ_FILES) src/third_party/libradamsa/libradamsa.a src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o $(COMM_HDR) | test_x86 + $(CC) $(CFLAGS) $(AFL_FUZZ_FILES) src/third_party/libradamsa/libradamsa.a src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o -o $@ $(PYFLAGS) $(LDFLAGS) afl-showmap: src/afl-showmap.c src/afl-common.o src/afl-sharedmem.o $(COMM_HDR) | test_x86 $(CC) $(CFLAGS) src/$@.c src/afl-common.o src/afl-sharedmem.o -o $@ $(LDFLAGS) 
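Review bot: The new afl-fuzz rule lists src/third_party/libradamsa/libradamsa.a as a prerequisite and links it on every build, so radamsa is compiled in whether or not -R is ever used, and a fresh clone whose submodule is not initialized now stops with make's generic "No rule to make target 'src/third_party/libradamsa/libradamsa.c'" because that file is itself a prerequisite of the libradamsa.a rule; the `document` rule in the next hunk has the same dependency. A two-line rule for the missing file gives a usable message instead: `src/third_party/libradamsa/libradamsa.c:` followed by a tab-indented recipe `@echo "libradamsa submodule missing: run git submodule update --init"; exit 1` — make only runs it when the file does not exist. A comment on the libradamsa.a rule saying the library is always linked and only enabled at runtime by -R would also save readers of the -I addition in the first hunk from assuming the mutator is optional at build time.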
@@ -200,8 +204,8 @@ afl-gotcpu: src/afl-gotcpu.c $(COMM_HDR) | test_x86 # document all mutations and only do one run (use with only one input file!) -document: include/afl-fuzz.h $(AFL_FUZZ_FILES) src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o $(COMM_HDR) | test_x86 - $(CC) $(CFLAGS) $(AFL_FUZZ_FILES) -D_AFL_DOCUMENT_MUTATIONS src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o -o afl-fuzz-document $(LDFLAGS) $(PYFLAGS) +document: include/afl-fuzz.h $(AFL_FUZZ_FILES) src/third_party/libradamsa/libradamsa.a src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o $(COMM_HDR) | test_x86 + $(CC) $(CFLAGS) $(AFL_FUZZ_FILES) -D_AFL_DOCUMENT_MUTATIONS src/third_party/libradamsa/libradamsa.a src/afl-common.o src/afl-sharedmem.o src/afl-forkserver.o -o afl-fuzz-document $(LDFLAGS) $(PYFLAGS) code-format: @@ -256,6 +260,7 @@ clean: $(MAKE) -C libtokencap clean $(MAKE) -C qemu_mode/unsigaction clean $(MAKE) -C qemu_mode/libcompcov clean + $(MAKE) -C src/third_party/libradamsa/ clean distrib: all -$(MAKE) -C llvm_mode diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h index e856b23e..413fbca0 100644 --- a/include/afl-fuzz.h +++ b/include/afl-fuzz.h @@ -284,6 +284,8 @@ extern char* power_names[POWER_SCHEDULES_NUM]; extern u8 schedule; /* Power schedule (default: EXPLORE)*/ extern u8 havoc_max_mult; +extern u8 use_radamsa; + extern u8 skip_deterministic, /* Skip deterministic stages? */ force_deterministic, /* Force deterministic stages? */ use_splicing, /* Recombine input files? */ @@ -399,6 +401,9 @@ extern u64 stage_finds[32], /* Patterns found per fuzz stage */ extern u32 rand_cnt; /* Random number counter */ #endif +extern u32 rand_seed[2]; +extern s64 init_seed; + extern u64 total_cal_us, /* Total calibration time (us) */ total_cal_cycles; /* Total calibration cycles */ 
@@ -642,11 +647,9 @@ static inline u32 UR(u32 limit) { #else if (!fixed_seed && unlikely(!rand_cnt--)) { - u32 seed[2]; - - ck_read(dev_urandom_fd, &seed, sizeof(seed), "/dev/urandom"); - srandom(seed[0]); - rand_cnt = (RESEED_RNG / 2) + (seed[1] % RESEED_RNG); + ck_read(dev_urandom_fd, &rand_seed, sizeof(rand_seed), "/dev/urandom"); + srandom(rand_seed[0]); + rand_cnt = (RESEED_RNG / 2) + (rand_seed[1] % RESEED_RNG); } @@ -655,6 +658,13 @@ static inline u32 UR(u32 limit) { } +static inline u32 get_rand_seed() { + + if (fixed_seed) return (u32)init_seed; + return rand_seed[0]; + +} + /* Find first power of two greater or equal to val (assuming val under 2^63). */ diff --git a/src/afl-fuzz-globals.c b/src/afl-fuzz-globals.c index a5ccfdf9..236c4dd3 100644 --- a/src/afl-fuzz-globals.c +++ b/src/afl-fuzz-globals.c @@ -95,6 +95,8 @@ char *power_names[POWER_SCHEDULES_NUM] = {"explore", "fast", "coe", u8 schedule = EXPLORE; /* Power schedule (default: EXPLORE)*/ u8 havoc_max_mult = HAVOC_MAX_MULT; +u8 use_radamsa; + u8 skip_deterministic, /* Skip deterministic stages? */ force_deterministic, /* Force deterministic stages? */ use_splicing, /* Recombine input files? */ @@ -210,6 +212,9 @@ u64 stage_finds[32], /* Patterns found per fuzz stage */ u32 rand_cnt; /* Random number counter */ #endif +u32 rand_seed[2]; +s64 init_seed; + u64 total_cal_us, /* Total calibration time (us) */ total_cal_cycles; /* Total calibration cycles */ diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c index 31d58a10..5a53de4d 100644 --- a/src/afl-fuzz-one.c +++ b/src/afl-fuzz-one.c @@ -24,6 +24,9 @@ */ #include "afl-fuzz.h" +#include "radamsa.h" + +#define RADAMSA_CHANCE 24 /* MOpt */ 
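Review bot: get_rand_seed() in the second afl-fuzz.h hunk returns rand_seed[0], which is written only on the `#else` path of UR() shown in the first hunk; unless the alternative preprocessor branch above it (outside this view) also fills rand_seed, builds taking that branch would hand radamsa a constant 0 seed for the whole run. The value also stays the same between reseeds, so every radamsa_mutate() call within one RESEED_RNG window gets an identical seed — whether that repeats mutations depends on state libradamsa keeps between calls, which this diff does not show, so it is worth confirming. The declaration should be `static inline u32 get_rand_seed(void)` rather than empty parentheses, matching the `UR(u32 limit)` prototype above, and a one-line header such as `/* Seed passed to radamsa_mutate(): the -s value when fixed_seed is set, else the last /dev/urandom reseed drawn by UR(). */` would make the contract visible.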
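Review bot: RADAMSA_CHANCE in the afl-fuzz-one.c hunk is an undocumented bare number whose meaning only becomes clear from the `UR(RADAMSA_CHANCE) == 0` test in the havoc loop of the next hunk; a comment on the define, e.g. `#define RADAMSA_CHANCE 24 /* one in N havoc iterations is handed to radamsa instead of the stacked mutators (-R) */`, ties it to the 1/24 stated in the commit message. If the project keeps the other havoc tunables such as HAVOC_STACK_POW2 in a shared config header, this constant presumably belongs there too — that header is not part of this diff, so confirm.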
@@ -1728,11 +1731,61 @@ havoc_stage: for (stage_cur = 0; stage_cur < stage_max; ++stage_cur) { + if (use_radamsa && UR(RADAMSA_CHANCE) == 0) { + + u32 max_len = temp_len + choose_block_len(HAVOC_BLK_XL); + u8* new_buf = ck_alloc_nozero(max_len); + + u32 new_len = radamsa_mutate(out_buf, temp_len, new_buf, max_len, get_rand_seed()); + + if (new_len) { + + temp_len = new_len; + ck_free(out_buf); + out_buf = new_buf; + + } else { + + ck_free(new_buf); + + } + + goto havoc_run_point; + + } + u32 use_stacking = 1 << (1 + UR(HAVOC_STACK_POW2)); stage_cur_val = use_stacking; for (i = 0; i < use_stacking; ++i) { + + /*if (use_radamsa && UR(RADAMSA_CHANCE) == 0) { + + // Ramdsa stage stacked with the AFL havoc mutations. + // This is very slow, I maintain the commendted code for future or + // particular uses. + + u32 max_len = temp_len + choose_block_len(HAVOC_BLK_XL); + u8* new_buf = ck_alloc_nozero(max_len); + + u32 new_len = radamsa_mutate(out_buf, temp_len, new_buf, max_len, get_rand_seed()); + + if (new_len) { + + temp_len = new_len; + ck_free(out_buf); + out_buf = new_buf; + + } else { + + ck_free(new_buf); + + } + + continue; + + }*/ switch (UR(15 + ((extras_cnt + a_extras_cnt) ? 2 : 0))) { @@ -2108,6 +2161,8 @@ havoc_stage: } +havoc_run_point: + if (common_fuzz_stuff(argv, out_buf, temp_len)) goto abandon_entry; /* out_buf might have been mangled a bit, so let's restore it to its diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c index 3460f91d..d5dfa7cc 100644 --- a/src/afl-fuzz.c +++ b/src/afl-fuzz.c @@ -24,6 +24,7 @@ */ #include "afl-fuzz.h" +#include "radamsa.h" /* Display usage hints. */ @@ -119,7 +120,6 @@ int main(int argc, char** argv) { u8 mem_limit_given = 0; u8 exit_1 = !!getenv("AFL_BENCH_JUST_ONE"); char** use_argv; - s64 init_seed; struct timeval tv; struct timezone tz; 
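Review bot: In the radamsa branch at the top of the havoc loop, `goto havoc_run_point;` is taken even when radamsa_mutate() returns 0, so a failed or empty mutation still runs the target on the unchanged out_buf and burns the iteration; moving the goto inside the `if (new_len)` block so the `else` path falls through to the stacked mutations is the two-line fix. new_len is also adopted as temp_len without being compared to max_len, which trusts libradamsa (not shown here) to honour its output bound; a guard such as `if (unlikely(new_len > max_len)) FATAL("radamsa_mutate() exceeded its output buffer");` turns a silent heap overrun into a diagnostic. The jump lands on the new `havoc_run_point:` label in the following hunk after `stage_cur_val = use_stacking;` has been skipped, so stage_cur_val holds the previous iteration's value on radamsa iterations — presumably harmless, but confirm against whatever reads it. The commented-out stacked variant left inside the `use_stacking` loop should be deleted (history keeps it) or, if kept, have its typos fixed (`Radamsa`, `commented`) and say why it is disabled; the enclosing function begins and ends outside this hunk.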
@@ -134,7 +134,7 @@ int main(int argc, char** argv) { init_seed = tv.tv_sec ^ tv.tv_usec ^ getpid(); while ((opt = getopt(argc, argv, - "+i:I:o:f:m:t:T:dnCB:S:M:x:QUWe:p:s:V:E:L:h")) > 0) + "+i:I:o:f:m:t:T:dnCB:S:M:x:QUWe:p:s:V:E:L:hR")) > 0) switch (opt) { @@ -511,6 +511,13 @@ int main(int argc, char** argv) { usage(argv[0]); return -1; break; // not needed + + case 'R': + + if (use_radamsa) FATAL("Multiple -R options not supported"); + use_radamsa = 1; + + break; default: usage(argv[0]); @@ -518,8 +525,27 @@ int main(int argc, char** argv) { if (optind == argc || !in_dir || !out_dir) usage(argv[0]); + OKF("afl++ is maintained by Marc \"van Hauser\" Heuse, Heiko \"hexcoder\" " + "Eissfeldt and Andrea Fioraldi"); + OKF("afl++ is open source, get it at " + "https://github.com/vanhauser-thc/AFLplusplus"); + OKF("Power schedules from github.com/mboehme/aflfast"); + OKF("Python Mutator and llvm_mode whitelisting from github.com/choller/afl"); + OKF("afl-tmin fork server patch from github.com/nccgroup/TriforceAFL"); + OKF("MOpt Mutator from github.com/puppet-meteor/MOpt-AFL"); + if (fixed_seed) OKF("Running with fixed seed: %u", (u32)init_seed); srandom((u32)init_seed); + + if (use_radamsa) { + + OKF("Using Radamsa add-on"); + /* randamsa_init installs some signal hadlers, call it firstly so that + AFL++ can then replace those signal handlers */ + radamsa_init(); + + } + setup_signal_handlers(); check_asan_opts(); 
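Review bot: In the third hunk of afl-fuzz.c, radamsa_init() is called for the side effect of installing signal handlers that setup_signal_handlers() must then replace, and the garbled comment is the only record of that ordering constraint; it should read `/* radamsa_init() installs its own signal handlers. It must run before setup_signal_handlers() so that AFL's handlers replace them; do not reorder. */`. Its return value, if it has one, is ignored — radamsa.h is not in this diff, so confirm whether it can report failure and whether a FATAL is warranted. The `-R` option added in the earlier hunks of this file is not mentioned by any hunk touching usage(), so unless that text was updated separately `afl-fuzz -h` will not list it; a line beside the other mutator options saying it enables the radamsa havoc replacement is needed.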
@@ -560,14 +586,6 @@ int main(int argc, char** argv) { "fuzzing the right binary: " cRST "%s", argv[optind]); - OKF("afl++ is maintained by Marc \"van Hauser\" Heuse, Heiko \"hexcoder\" " - "Eissfeldt and Andrea Fioraldi"); - OKF("afl++ is open source, get it at " - "https://github.com/vanhauser-thc/AFLplusplus"); - OKF("Power schedules from github.com/mboehme/aflfast"); - OKF("Python Mutator and llvm_mode whitelisting from github.com/choller/afl"); - OKF("afl-tmin fork server patch from github.com/nccgroup/TriforceAFL"); - OKF("MOpt Mutator from github.com/puppet-meteor/MOpt-AFL"); ACTF("Getting to work..."); switch (schedule) { diff --git a/src/third_party/.gitignore b/src/third_party/.gitignore new file mode 100644 index 00000000..6a3b0d84 --- /dev/null +++ b/src/third_party/.gitignore @@ -0,0 +1,8 @@ +radamsa.c +tmp +bin/radamsa +bin/radamsa.exe +ol.c* +bin/ol +.seal-of-quality + diff --git a/src/third_party/libradamsa b/src/third_party/libradamsa new file mode 160000 +Subproject 578bd7f2f749ff8bb5377893731a32516b8b96c |