authorAndrea Fioraldi <andreafioraldi@gmail.com>2019-10-10 19:46:46 +0200
committerAndrea Fioraldi <andreafioraldi@gmail.com>2019-10-10 19:46:46 +0200
commit9de74cce92ed9a6552d518b195fc1dfb02fa584d (patch)
tree26d2c378b99ad7e912bbc79632871105e8fa1743 /src
parent125a59df91bb09f3288371185c15a48a08376bfe (diff)
downloadafl++-9de74cce92ed9a6552d518b195fc1dfb02fa584d.tar.gz
radamsa mutator as havoc cycle replacement with probability 1/24
Diffstat (limited to 'src')
-rw-r--r--src/afl-fuzz-globals.c5
-rw-r--r--src/afl-fuzz-one.c55
-rw-r--r--src/afl-fuzz.c38
-rw-r--r--src/third_party/.gitignore8
m---------src/third_party/libradamsa0
5 files changed, 96 insertions, 10 deletions
diff --git a/src/afl-fuzz-globals.c b/src/afl-fuzz-globals.c
index a5ccfdf9..236c4dd3 100644
--- a/src/afl-fuzz-globals.c
+++ b/src/afl-fuzz-globals.c
@@ -95,6 +95,8 @@ char *power_names[POWER_SCHEDULES_NUM] = {"explore", "fast", "coe",
u8 schedule = EXPLORE; /* Power schedule (default: EXPLORE)*/
u8 havoc_max_mult = HAVOC_MAX_MULT;
+u8 use_radamsa;
+
u8 skip_deterministic, /* Skip deterministic stages? */
force_deterministic, /* Force deterministic stages? */
use_splicing, /* Recombine input files? */
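Review bot: `u8 use_radamsa;` is the only global in this hunk without the trailing comment that `schedule`, `havoc_max_mult` and the `skip_deterministic` group carry, so nothing here ties it to the `-R` option; I would write `u8 use_radamsa; /* Replace havoc cycles with Radamsa? (-R) */`. The same applies to `u32 rand_seed[2];` and `s64 init_seed;` in the second hunk of this file: `init_seed` has just been promoted from a local in main() to a shared global, and `rand_seed` has no reader or writer visible in this commit, so a one-line comment naming who owns each would save the next reader a grep.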
@@ -210,6 +212,9 @@ u64 stage_finds[32], /* Patterns found per fuzz stage */
u32 rand_cnt; /* Random number counter */
#endif
+u32 rand_seed[2];
+s64 init_seed;
+
u64 total_cal_us, /* Total calibration time (us) */
total_cal_cycles; /* Total calibration cycles */
diff --git a/src/afl-fuzz-one.c b/src/afl-fuzz-one.c
index 31d58a10..5a53de4d 100644
--- a/src/afl-fuzz-one.c
+++ b/src/afl-fuzz-one.c
@@ -24,6 +24,9 @@
*/
#include "afl-fuzz.h"
+#include "radamsa.h"
+
+#define RADAMSA_CHANCE 24
/* MOpt */
@@ -1728,11 +1731,61 @@ havoc_stage:
for (stage_cur = 0; stage_cur < stage_max; ++stage_cur) {
+ if (use_radamsa && UR(RADAMSA_CHANCE) == 0) {
+
+ u32 max_len = temp_len + choose_block_len(HAVOC_BLK_XL);
+ u8* new_buf = ck_alloc_nozero(max_len);
+
+ u32 new_len = radamsa_mutate(out_buf, temp_len, new_buf, max_len, get_rand_seed());
+
+ if (new_len) {
+
+ temp_len = new_len;
+ ck_free(out_buf);
+ out_buf = new_buf;
+
+ } else {
+
+ ck_free(new_buf);
+
+ }
+
+ goto havoc_run_point;
+
+ }
+
u32 use_stacking = 1 << (1 + UR(HAVOC_STACK_POW2));
stage_cur_val = use_stacking;
for (i = 0; i < use_stacking; ++i) {
+
+ /*if (use_radamsa && UR(RADAMSA_CHANCE) == 0) {
+
+ // Ramdsa stage stacked with the AFL havoc mutations.
+ // This is very slow, I maintain the commendted code for future or
+ // particular uses.
+
+ u32 max_len = temp_len + choose_block_len(HAVOC_BLK_XL);
+ u8* new_buf = ck_alloc_nozero(max_len);
+
+ u32 new_len = radamsa_mutate(out_buf, temp_len, new_buf, max_len, get_rand_seed());
+
+ if (new_len) {
+
+ temp_len = new_len;
+ ck_free(out_buf);
+ out_buf = new_buf;
+
+ } else {
+
+ ck_free(new_buf);
+
+ }
+
+ continue;
+
+ }*/
switch (UR(15 + ((extras_cnt + a_extras_cnt) ? 2 : 0))) {
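Review bot: When `radamsa_mutate` returns 0 the new branch frees `new_buf` and still jumps to `havoc_run_point`, so that havoc iteration executes the target on an unmodified `out_buf`, which spends a run that cannot find anything new. Moving the jump into the success branch lets a failed Radamsa call fall through to the ordinary stacked mutations: keep `temp_len = new_len; ck_free(out_buf); out_buf = new_buf; goto havoc_run_point;` inside `if (new_len)` and leave only `ck_free(new_buf);` in the `else`. The Radamsa path also bypasses `stage_cur_val = use_stacking;`, and if I read describe_op() right that value feeds the `rep:` part of new queue file names, so a Radamsa find would be labelled with the previous iteration's stacking count; assigning `stage_cur_val` (for example `stage_cur_val = 1;`) before the jump avoids that. The large commented-out copy of the same block inside the stacking loop should be removed or placed under `#if 0` with a one-line reason, and its comment has typos (`Ramdsa`, `commendted`). The enclosing `for (stage_cur …)` loop and the `havoc_run_point:` label both lie outside this hunk.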
@@ -2108,6 +2161,8 @@ havoc_stage:
}
+havoc_run_point:
+
if (common_fuzz_stuff(argv, out_buf, temp_len)) goto abandon_entry;
/* out_buf might have been mangled a bit, so let's restore it to its
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 3460f91d..d5dfa7cc 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -24,6 +24,7 @@
*/
#include "afl-fuzz.h"
+#include "radamsa.h"
/* Display usage hints. */
@@ -119,7 +120,6 @@ int main(int argc, char** argv) {
u8 mem_limit_given = 0;
u8 exit_1 = !!getenv("AFL_BENCH_JUST_ONE");
char** use_argv;
- s64 init_seed;
struct timeval tv;
struct timezone tz;
@@ -134,7 +134,7 @@ int main(int argc, char** argv) {
init_seed = tv.tv_sec ^ tv.tv_usec ^ getpid();
while ((opt = getopt(argc, argv,
- "+i:I:o:f:m:t:T:dnCB:S:M:x:QUWe:p:s:V:E:L:h")) > 0)
+ "+i:I:o:f:m:t:T:dnCB:S:M:x:QUWe:p:s:V:E:L:hR")) > 0)
switch (opt) {
@@ -511,6 +511,13 @@ int main(int argc, char** argv) {
usage(argv[0]);
return -1;
break; // not needed
+
+ case 'R':
+
+ if (use_radamsa) FATAL("Multiple -R options not supported");
+ use_radamsa = 1;
+
+ break;
default: usage(argv[0]);
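Review bot: `-R` is now accepted by this `case 'R':` branch and by the extended getopt string in the preceding hunk, but the afl-fuzz.c diff on this page does not touch `usage()`, so the option stays invisible to users. A line in the same format as the existing option help, such as `"  -R            - use Radamsa as an extra havoc mutator (1 in 24 cycles)\n"`, would close that gap. The `usage()` body is outside this hunk, so I cannot confirm it was not updated elsewhere in the same series.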
@@ -518,8 +525,27 @@ int main(int argc, char** argv) {
if (optind == argc || !in_dir || !out_dir) usage(argv[0]);
+ OKF("afl++ is maintained by Marc \"van Hauser\" Heuse, Heiko \"hexcoder\" "
+ "Eissfeldt and Andrea Fioraldi");
+ OKF("afl++ is open source, get it at "
+ "https://github.com/vanhauser-thc/AFLplusplus");
+ OKF("Power schedules from github.com/mboehme/aflfast");
+ OKF("Python Mutator and llvm_mode whitelisting from github.com/choller/afl");
+ OKF("afl-tmin fork server patch from github.com/nccgroup/TriforceAFL");
+ OKF("MOpt Mutator from github.com/puppet-meteor/MOpt-AFL");
+
if (fixed_seed) OKF("Running with fixed seed: %u", (u32)init_seed);
srandom((u32)init_seed);
+
+ if (use_radamsa) {
+
+ OKF("Using Radamsa add-on");
+ /* randamsa_init installs some signal hadlers, call it firstly so that
+ AFL++ can then replace those signal handlers */
+ radamsa_init();
+
+ }
+
setup_signal_handlers();
check_asan_opts();
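Review bot: The new comment above `radamsa_init()` misnames the function and has typos (`randamsa_init`, `hadlers`), and the ordering constraint it describes is exactly what a later refactor must not break, so it deserves precise wording: `/* radamsa_init() installs its own signal handlers; it must run before setup_signal_handlers() so that AFL's handlers replace them. */`. Whether `radamsa_init()` can fail is not visible here; if it returns a status, checking it and calling FATAL() like the other setup steps in main() would be consistent. It is also worth confirming against libradamsa that overriding its handlers does not break anything its runtime relies on, since that assumption is implicit in the comment.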
@@ -560,14 +586,6 @@ int main(int argc, char** argv) {
"fuzzing the right binary: " cRST "%s",
argv[optind]);
- OKF("afl++ is maintained by Marc \"van Hauser\" Heuse, Heiko \"hexcoder\" "
- "Eissfeldt and Andrea Fioraldi");
- OKF("afl++ is open source, get it at "
- "https://github.com/vanhauser-thc/AFLplusplus");
- OKF("Power schedules from github.com/mboehme/aflfast");
- OKF("Python Mutator and llvm_mode whitelisting from github.com/choller/afl");
- OKF("afl-tmin fork server patch from github.com/nccgroup/TriforceAFL");
- OKF("MOpt Mutator from github.com/puppet-meteor/MOpt-AFL");
ACTF("Getting to work...");
switch (schedule) {
diff --git a/src/third_party/.gitignore b/src/third_party/.gitignore
new file mode 100644
index 00000000..6a3b0d84
--- /dev/null
+++ b/src/third_party/.gitignore
@@ -0,0 +1,8 @@
+radamsa.c
+tmp
+bin/radamsa
+bin/radamsa.exe
+ol.c*
+bin/ol
+.seal-of-quality
+
diff --git a/src/third_party/libradamsa b/src/third_party/libradamsa
new file mode 160000
+Subproject 578bd7f2f749ff8bb5377893731a32516b8b96c