about summary refs log tree commit diff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--include/afl-fuzz.h25
-rw-r--r--include/config.h8
-rw-r--r--include/envs.h4
-rw-r--r--src/afl-fuzz-state.c28
-rw-r--r--src/afl-fuzz-stats.c12
-rw-r--r--src/afl-fuzz-statsd.c266
-rw-r--r--src/afl-fuzz.c7
7 files changed, 348 insertions, 2 deletions
diff --git a/include/afl-fuzz.h b/include/afl-fuzz.h
index fb661ce5..e9d148e9 100644
--- a/include/afl-fuzz.h
+++ b/include/afl-fuzz.h
@@ -65,6 +65,8 @@
 #include <dlfcn.h>
 #include <sched.h>
 
+#include <netdb.h>
+
 #include <sys/wait.h>
 #include <sys/time.h>
 #ifndef USEMMAP
@@ -76,6 +78,7 @@
 #include <sys/mman.h>
 #include <sys/ioctl.h>
 #include <sys/file.h>
+#include <sys/types.h>
 
 #if defined(__APPLE__) || defined(__FreeBSD__) || defined(__OpenBSD__) || \
     defined(__NetBSD__) || defined(__DragonFly__)
@@ -352,11 +355,12 @@ typedef struct afl_env_vars {
       afl_dumb_forksrv, afl_import_first, afl_custom_mutator_only, afl_no_ui,
       afl_force_ui, afl_i_dont_care_about_missing_crashes, afl_bench_just_one,
       afl_bench_until_crash, afl_debug_child_output, afl_autoresume,
-      afl_cal_fast, afl_cycle_schedules, afl_expand_havoc;
+      afl_cal_fast, afl_cycle_schedules, afl_expand_havoc, afl_statsd;
 
   u8 *afl_tmpdir, *afl_custom_mutator_library, *afl_python_module, *afl_path,
       *afl_hang_tmout, *afl_forksrv_init_tmout, *afl_skip_crashes, *afl_preload,
-      *afl_max_det_extras;
+      *afl_max_det_extras, *afl_statsd_host, *afl_statsd_port,
+      *afl_statsd_tags_flavor;
 
 } afl_env_vars_t;
 
@@ -634,6 +638,16 @@ typedef struct afl_state {
   u64 plot_prev_qc, plot_prev_uc, plot_prev_uh, plot_prev_ed;
 
   u64 stats_last_stats_ms, stats_last_plot_ms, stats_last_ms, stats_last_execs;
+
+  /* StatsD */
+  u64                statsd_last_send_ms;
+  struct sockaddr_in statsd_server;
+  int                statsd_sock;
+  char *             statsd_tags_flavor;
+  char *             statsd_tags_format;
+  char *             statsd_metric_format;
+  int                statsd_metric_format_type;
+
   double stats_avg_exec;
 
   u8 *clean_trace;
@@ -957,6 +971,13 @@ void maybe_update_plot_file(afl_state_t *, double, double);
 void show_stats(afl_state_t *);
 void show_init_stats(afl_state_t *);
 
+/* StatsD */
+
+void statsd_setup_format(afl_state_t *afl);
+int  statsd_socket_init(afl_state_t *afl);
+int  statsd_send_metric(afl_state_t *afl);
+int  statsd_format_metric(afl_state_t *afl, char *buff, size_t bufflen);
+
 /* Run */
 
 fsrv_run_result_t fuzz_run_target(afl_state_t *, afl_forkserver_t *fsrv, u32);
diff --git a/include/config.h b/include/config.h
index 5df604e7..7dd045e3 100644
--- a/include/config.h
+++ b/include/config.h
@@ -41,6 +41,14 @@
 
 #define USE_COLOR
 
+/* StatsD config
+   Config can be adjusted via AFL_STATSD_HOST and AFL_STATSD_PORT environment
+   variable.
+*/
+#define STATSD_UPDATE_SEC 1
+#define STATSD_DEFAULT_PORT 8125
+#define STATSD_DEFAULT_HOST "127.0.0.1"
+
 /* If you want to have the original afl internal memory corruption checks.
    Disabled by default for speed. it is better to use "make ASAN_BUILD=1". */
 
diff --git a/include/envs.h b/include/envs.h
index 3a06aa2a..51520312 100644
--- a/include/envs.h
+++ b/include/envs.h
@@ -135,6 +135,10 @@ static char *afl_environment_variables[] = {
     "AFL_SKIP_BIN_CHECK",
     "AFL_SKIP_CPUFREQ",
     "AFL_SKIP_CRASHES",
+    "AFL_STATSD",
+    "AFL_STATSD_HOST",
+    "AFL_STATSD_PORT",
+    "AFL_STATSD_TAGS_FLAVOR",
     "AFL_TMIN_EXACT",
     "AFL_TMPDIR",
     "AFL_TOKEN_FILE",
diff --git a/src/afl-fuzz-state.c b/src/afl-fuzz-state.c
index a8e56e60..b7d44dbf 100644
--- a/src/afl-fuzz-state.c
+++ b/src/afl-fuzz-state.c
@@ -297,6 +297,13 @@ void read_afl_environment(afl_state_t *afl, char **envp) {
             afl->afl_env.afl_cal_fast =
                 get_afl_env(afl_environment_variables[i]) ? 1 : 0;
 
+          } else if (!strncmp(env, "AFL_STATSD",
+
+                              afl_environment_variable_len)) {
+
+            afl->afl_env.afl_statsd =
+                get_afl_env(afl_environment_variables[i]) ? 1 : 0;
+
           } else if (!strncmp(env, "AFL_TMPDIR",
 
                               afl_environment_variable_len)) {
@@ -344,6 +351,27 @@ void read_afl_environment(afl_state_t *afl, char **envp) {
             afl->afl_env.afl_forksrv_init_tmout =
                 (u8 *)get_afl_env(afl_environment_variables[i]);
 
+          } else if (!strncmp(env, "AFL_STATSD_HOST",
+
+                              afl_environment_variable_len)) {
+
+            afl->afl_env.afl_statsd_host =
+                (u8 *)get_afl_env(afl_environment_variables[i]);
+
+          } else if (!strncmp(env, "AFL_STATSD_PORT",
+
+                              afl_environment_variable_len)) {
+
+            afl->afl_env.afl_statsd_port =
+                (u8 *)get_afl_env(afl_environment_variables[i]);
+
+          } else if (!strncmp(env, "AFL_STATSD_TAGS_FLAVOR",
+
+                              afl_environment_variable_len)) {
+
+            afl->afl_env.afl_statsd_tags_flavor =
+                (u8 *)get_afl_env(afl_environment_variables[i]);
+
           }
 
         } else {
diff --git a/src/afl-fuzz-stats.c b/src/afl-fuzz-stats.c
index 654d9059..0cd6f399 100644
--- a/src/afl-fuzz-stats.c
+++ b/src/afl-fuzz-stats.c
@@ -423,6 +423,18 @@ void show_stats(afl_state_t *afl) {
 
   }
 
+  if (unlikely(afl->afl_env.afl_statsd)) {
+
+    if (cur_ms - afl->statsd_last_send_ms > STATSD_UPDATE_SEC * 1000) {
+
+      /* reset counter, even if send failed. */
+      afl->statsd_last_send_ms = cur_ms;
+      if (statsd_send_metric(afl)) { WARNF("coundln't send statsd metric."); }
+
+    }
+
+  }
+
   /* Every now and then, write plot data. */
 
   if (cur_ms - afl->stats_last_plot_ms > PLOT_UPDATE_SEC * 1000) {
diff --git a/src/afl-fuzz-statsd.c b/src/afl-fuzz-statsd.c
new file mode 100644
index 00000000..69cafd90
--- /dev/null
+++ b/src/afl-fuzz-statsd.c
@@ -0,0 +1,266 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/socket.h>
+#include <arpa/inet.h>
+#include <string.h>
+#include <sys/types.h>
+#include <netdb.h>
+#include <unistd.h>
+#include "afl-fuzz.h"
+
+#define MAX_STATSD_PACKET_SIZE 4096
+#define MAX_TAG_LEN 200
+#define METRIC_PREFIX "fuzzing"
+
+/* Tags format for metrics
+  DogStatsD:
+  metric.name:<value>|<type>|#key:value,key2:value2
+
+  InfluxDB
+  metric.name,key=value,key2=value2:<value>|<type>
+
+  Librato
+  metric.name#key=value,key2=value2:<value>|<type>
+
+  SignalFX
+  metric.name[key=value,key2=value2]:<value>|<type>
+
+*/
+
+// after the whole metric.
+#define DOGSTATSD_TAGS_FORMAT "|#banner:%s,afl_version:%s"
+
+// just after the metric name.
+#define LIBRATO_TAGS_FORMAT "#banner=%s,afl_version=%s"
+#define INFLUXDB_TAGS_FORMAT ",banner=%s,afl_version=%s"
+#define SIGNALFX_TAGS_FORMAT "[banner=%s,afl_version=%s]"
+
+// For DogstatsD
+#define STATSD_TAGS_TYPE_SUFFIX 1
+#define STATSD_TAGS_SUFFIX_METRICS                                             \
+  METRIC_PREFIX                                                                \
+  ".cycle_done:%llu|g%s\n" METRIC_PREFIX                                       \
+  ".cycles_wo_finds:%llu|g%s\n" METRIC_PREFIX                                  \
+  ".execs_done:%llu|g%s\n" METRIC_PREFIX                                       \
+  ".execs_per_sec:%0.02f|g%s\n" METRIC_PREFIX                                  \
+  ".paths_total:%u|g%s\n" METRIC_PREFIX                                        \
+  ".paths_favored:%u|g%s\n" METRIC_PREFIX                                      \
+  ".paths_found:%u|g%s\n" METRIC_PREFIX                                        \
+  ".paths_imported:%u|g%s\n" METRIC_PREFIX ".max_depth:%u|g%s\n" METRIC_PREFIX \
+  ".cur_path:%u|g%s\n" METRIC_PREFIX ".pending_favs:%u|g%s\n" METRIC_PREFIX    \
+  ".pending_total:%u|g%s\n" METRIC_PREFIX                                      \
+  ".variable_paths:%u|g%s\n" METRIC_PREFIX                                     \
+  ".unique_crashes:%llu|g%s\n" METRIC_PREFIX                                   \
+  ".unique_hangs:%llu|g%s\n" METRIC_PREFIX                                     \
+  ".total_crashes:%llu|g%s\n" METRIC_PREFIX                                    \
+  ".slowest_exec_ms:%u|g%s\n" METRIC_PREFIX                                    \
+  ".edges_found:%u|g%s\n" METRIC_PREFIX                                        \
+  ".var_byte_count:%u|g%s\n" METRIC_PREFIX ".havoc_expansion:%u|g%s\n"
+
+// For Librato, InfluxDB, SignalFX
+#define STATSD_TAGS_TYPE_MID 2
+#define STATSD_TAGS_MID_METRICS                                                \
+  METRIC_PREFIX                                                                \
+  ".cycle_done%s:%llu|g\n" METRIC_PREFIX                                       \
+  ".cycles_wo_finds%s:%llu|g\n" METRIC_PREFIX                                  \
+  ".execs_done%s:%llu|g\n" METRIC_PREFIX                                       \
+  ".execs_per_sec%s:%0.02f|g\n" METRIC_PREFIX                                  \
+  ".paths_total%s:%u|g\n" METRIC_PREFIX                                        \
+  ".paths_favored%s:%u|g\n" METRIC_PREFIX                                      \
+  ".paths_found%s:%u|g\n" METRIC_PREFIX                                        \
+  ".paths_imported%s:%u|g\n" METRIC_PREFIX ".max_depth%s:%u|g\n" METRIC_PREFIX \
+  ".cur_path%s:%u|g\n" METRIC_PREFIX ".pending_favs%s:%u|g\n" METRIC_PREFIX    \
+  ".pending_total%s:%u|g\n" METRIC_PREFIX                                      \
+  ".variable_paths%s:%u|g\n" METRIC_PREFIX                                     \
+  ".unique_crashes%s:%llu|g\n" METRIC_PREFIX                                   \
+  ".unique_hangs%s:%llu|g\n" METRIC_PREFIX                                     \
+  ".total_crashes%s:%llu|g\n" METRIC_PREFIX                                    \
+  ".slowest_exec_ms%s:%u|g\n" METRIC_PREFIX                                    \
+  ".edges_found%s:%u|g\n" METRIC_PREFIX                                        \
+  ".var_byte_count%s:%u|g\n" METRIC_PREFIX ".havoc_expansion%s:%u|g\n"
+
+void statsd_setup_format(afl_state_t *afl) {
+
+  if (afl->afl_env.afl_statsd_tags_flavor &&
+      strcmp(afl->afl_env.afl_statsd_tags_flavor, "dogstatsd") == 0) {
+
+    afl->statsd_tags_format = DOGSTATSD_TAGS_FORMAT;
+    afl->statsd_metric_format = STATSD_TAGS_SUFFIX_METRICS;
+    afl->statsd_metric_format_type = STATSD_TAGS_TYPE_SUFFIX;
+
+  } else if (afl->afl_env.afl_statsd_tags_flavor &&
+
+             strcmp(afl->afl_env.afl_statsd_tags_flavor, "librato") == 0) {
+
+    afl->statsd_tags_format = LIBRATO_TAGS_FORMAT;
+    afl->statsd_metric_format = STATSD_TAGS_MID_METRICS;
+    afl->statsd_metric_format_type = STATSD_TAGS_TYPE_MID;
+
+  } else if (afl->afl_env.afl_statsd_tags_flavor &&
+
+             strcmp(afl->afl_env.afl_statsd_tags_flavor, "influxdb") == 0) {
+
+    afl->statsd_tags_format = INFLUXDB_TAGS_FORMAT;
+    afl->statsd_metric_format = STATSD_TAGS_MID_METRICS;
+    afl->statsd_metric_format_type = STATSD_TAGS_TYPE_MID;
+
+  } else if (afl->afl_env.afl_statsd_tags_flavor &&
+
+             strcmp(afl->afl_env.afl_statsd_tags_flavor, "signalfx") == 0) {
+
+    afl->statsd_tags_format = SIGNALFX_TAGS_FORMAT;
+    afl->statsd_metric_format = STATSD_TAGS_MID_METRICS;
+    afl->statsd_metric_format_type = STATSD_TAGS_TYPE_MID;
+
+  } else {
+
+    // No tags at all.
+    afl->statsd_tags_format = "";
+    // Still need to pick a format. Doesn't change anything since if will be
+    // replaced by the empty string anyway.
+    afl->statsd_metric_format = STATSD_TAGS_MID_METRICS;
+    afl->statsd_metric_format_type = STATSD_TAGS_TYPE_MID;
+
+  }
+
+}
+
+int statsd_socket_init(afl_state_t *afl) {
+
+  /* Default port and host.
+  Will be overwritten by AFL_STATSD_PORT and AFL_STATSD_HOST environment
+  variable, if they exists.
+  */
+  u16   port = STATSD_DEFAULT_PORT;
+  char *host = STATSD_DEFAULT_HOST;
+
+  if (afl->afl_env.afl_statsd_port) {
+
+    port = atoi(afl->afl_env.afl_statsd_port);
+
+  }
+
+  if (afl->afl_env.afl_statsd_host) { host = afl->afl_env.afl_statsd_host; }
+
+  int sock;
+  if ((sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == -1) {
+
+    FATAL("Failed to create socket");
+
+  }
+
+  memset(&afl->statsd_server, 0, sizeof(afl->statsd_server));
+  afl->statsd_server.sin_family = AF_INET;
+  afl->statsd_server.sin_port = htons(port);
+
+  struct addrinfo *result;
+  struct addrinfo  hints;
+
+  memset(&hints, 0, sizeof(struct addrinfo));
+  hints.ai_family = AF_INET;
+  hints.ai_socktype = SOCK_DGRAM;
+
+  if ((getaddrinfo(host, NULL, &hints, &result))) {
+
+    FATAL("Fail to getaddrinfo");
+
+  }
+
+  memcpy(&(afl->statsd_server.sin_addr),
+         &((struct sockaddr_in *)result->ai_addr)->sin_addr,
+         sizeof(struct in_addr));
+  freeaddrinfo(result);
+
+  return sock;
+
+}
+
+int statsd_send_metric(afl_state_t *afl) {
+
+  char buff[MAX_STATSD_PACKET_SIZE] = {0};
+
+  /* afl->statsd_sock is set once in the initialisation of afl-fuzz and reused
+  each time If the sendto later fail, we reset it to 0 to be able to recreates
+  it.
+  */
+  if (!afl->statsd_sock) {
+
+    afl->statsd_sock = statsd_socket_init(afl);
+    if (!afl->statsd_sock) {
+
+      WARNF("Cannot create socket");
+      return -1;
+
+    }
+
+  }
+
+  statsd_format_metric(afl, buff, MAX_STATSD_PACKET_SIZE);
+  if (sendto(afl->statsd_sock, buff, strlen(buff), 0,
+             (struct sockaddr *)&afl->statsd_server,
+             sizeof(afl->statsd_server)) == -1) {
+
+    if (!close(afl->statsd_sock)) { PFATAL("Cannot close socket"); }
+    afl->statsd_sock = 0;
+    WARNF("Cannot sendto");
+    return -1;
+
+  }
+
+  return 0;
+
+}
+
+int statsd_format_metric(afl_state_t *afl, char *buff, size_t bufflen) {
+
+  char tags[MAX_TAG_LEN * 2] = {0};
+  if (afl->statsd_tags_format) {
+
+    snprintf(tags, MAX_TAG_LEN * 2, afl->statsd_tags_format, afl->use_banner,
+             VERSION);
+
+  }
+
+  /* Sends multiple metrics with one UDP Packet.
+  bufflen will limit to the max safe size.
+  */
+  if (afl->statsd_metric_format_type == STATSD_TAGS_TYPE_SUFFIX) {
+
+    snprintf(buff, bufflen, afl->statsd_metric_format,
+             afl->queue_cycle ? (afl->queue_cycle - 1) : 0, tags,
+             afl->cycles_wo_finds, tags, afl->fsrv.total_execs, tags,
+             afl->fsrv.total_execs /
+                 ((double)(get_cur_time() - afl->start_time) / 1000),
+             tags, afl->queued_paths, tags, afl->queued_favored, tags,
+             afl->queued_discovered, tags, afl->queued_imported, tags,
+             afl->max_depth, tags, afl->current_entry, tags,
+             afl->pending_favored, tags, afl->pending_not_fuzzed, tags,
+             afl->queued_variable, tags, afl->unique_crashes, tags,
+             afl->unique_hangs, tags, afl->total_crashes, tags,
+             afl->slowest_exec_ms, tags,
+             count_non_255_bytes(afl, afl->virgin_bits), tags,
+             afl->var_byte_count, tags, afl->expand_havoc, tags);
+
+  } else if (afl->statsd_metric_format_type == STATSD_TAGS_TYPE_MID) {
+
+    snprintf(buff, bufflen, afl->statsd_metric_format, tags,
+             afl->queue_cycle ? (afl->queue_cycle - 1) : 0, tags,
+             afl->cycles_wo_finds, tags, afl->fsrv.total_execs, tags,
+             afl->fsrv.total_execs /
+                 ((double)(get_cur_time() - afl->start_time) / 1000),
+             tags, afl->queued_paths, tags, afl->queued_favored, tags,
+             afl->queued_discovered, tags, afl->queued_imported, tags,
+             afl->max_depth, tags, afl->current_entry, tags,
+             afl->pending_favored, tags, afl->pending_not_fuzzed, tags,
+             afl->queued_variable, tags, afl->unique_crashes, tags,
+             afl->unique_hangs, tags, afl->total_crashes, tags,
+             afl->slowest_exec_ms, tags,
+             count_non_255_bytes(afl, afl->virgin_bits), tags,
+             afl->var_byte_count, tags, afl->expand_havoc);
+
+  }
+
+  return 0;
+
+}
+
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index cf0a30c9..dc0eb4a7 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -194,6 +194,11 @@ static void usage(u8 *argv0, int more_help) {
       "AFL_SKIP_BIN_CHECK: skip the check, if the target is an executable\n"
       "AFL_SKIP_CPUFREQ: do not warn about variable cpu clocking\n"
       "AFL_SKIP_CRASHES: during initial dry run do not terminate for crashing inputs\n"
+      "AFL_STATSD: enables StatsD metrics collection"
+      "AFL_STATSD_HOST: change default statsd host (default 127.0.0.1)"
+      "AFL_STATSD_PORT: change default statsd port (default: 8125)"
+      "AFL_STATSD_TAGS_FLAVOR: change default statsd tags format (default will disable tags)."
+      "                        Supported formats are: 'dogstatsd', 'librato', 'signalfx' and 'influxdb'"
       "AFL_TMPDIR: directory to use for input file generation (ramdisk recommended)\n"
       //"AFL_PERSISTENT: not supported anymore -> no effect, just a warning\n"
       //"AFL_DEFER_FORKSRV: not supported anymore -> no effect, just a warning\n"
@@ -890,6 +895,8 @@ int main(int argc, char **argv_orig, char **envp) {
 
   }
 
+  if (unlikely(afl->afl_env.afl_statsd)) { statsd_setup_format(afl); }
+
   if (strchr(argv[optind], '/') == NULL && !afl->unicorn_mode) {
 
     WARNF(cLRD
generated by cgit-pink 1.4.1 (git 2.36.1) at 2025-05-15 19:58:58 +0000