Diffstat (limited to 'src')
-rw-r--r-- | src/afl-fuzz-bitmap.c | 2 | ||||
-rw-r--r-- | src/afl-fuzz-globals.c | 69 | ||||
-rw-r--r-- | src/afl-fuzz-init.c | 2 | ||||
-rw-r--r-- | src/afl-fuzz-queue.c | 49 | ||||
-rw-r--r-- | src/afl-fuzz.c | 11 |
5 files changed, 83 insertions, 50 deletions
diff --git a/src/afl-fuzz-bitmap.c b/src/afl-fuzz-bitmap.c
index f9f05131..7e2d3212 100644
--- a/src/afl-fuzz-bitmap.c
+++ b/src/afl-fuzz-bitmap.c
@@ -499,7 +499,7 @@ static void write_crash_readme(afl_state_t *afl) { "drop\n" "an mail at <afl-users@googlegroups.com> once the issues are fixed\n\n" - " https://github.com/vanhauser-thc/AFLplusplus\n\n", + " https://github.com/AFLplusplus/AFLplusplus\n\n", afl->orig_cmdline, DMS(afl->fsrv.mem_limit << 20)); /* ignore errors */
diff --git a/src/afl-fuzz-globals.c b/src/afl-fuzz-globals.c
index 1f207870..efffa749 100644
--- a/src/afl-fuzz-globals.c
+++ b/src/afl-fuzz-globals.c
@@ -30,8 +30,8 @@ s8 interesting_8[] = {INTERESTING_8}; s16 interesting_16[] = {INTERESTING_8, INTERESTING_16}; s32 interesting_32[] = {INTERESTING_8, INTERESTING_16, INTERESTING_32}; -char *power_names[POWER_SCHEDULES_NUM] = {"explore", "fast", "coe", - "lin", "quad", "exploit"}; +char *power_names[POWER_SCHEDULES_NUM] = {"explore", "fast", "coe", "lin", + "quad", "exploit", "mmopt"}; u8 *doc_path = NULL; /* gath to documentation dir */ 
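Review bot: `power_names` keeps its fixed size `POWER_SCHEDULES_NUM` while its initializer grows to seven entries, and the diffstat is limited to `src`, so the matching bump of `POWER_SCHEDULES_NUM` and the new `MMOPT` enumerator presumably live in a header outside this diff. If this table is indexed by the schedule value, as its name suggests, the order of the enum and of the strings must stay in step, and nothing here checks that; a compile-time check next to the definition, `_Static_assert(sizeof(power_names) / sizeof(power_names[0]) == POWER_SCHEDULES_NUM, "power_names out of sync with the schedule enum");` (or the project's equivalent), would catch the next schedule added to one side only. A comment noting that the string order mirrors the enum would help too.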
@@ -148,130 +148,151 @@ void read_afl_environment(afl_state_t *afl, char **envp) { match = 1; if (!strncmp(env, "AFL_SKIP_CPUFREQ", afl_environment_variable_len)) { - afl->afl_env.afl_skip_cpufreq = get_afl_env(env) ? 1 : 0; + afl->afl_env.afl_skip_cpufreq = + get_afl_env(afl_environment_variables[i]) ? 1 : 0; } else if (!strncmp(env, "AFL_EXIT_WHEN_DONE", afl_environment_variable_len)) { - afl->afl_env.afl_exit_when_done = get_afl_env(env) ? 1 : 0; + afl->afl_env.afl_exit_when_done = + get_afl_env(afl_environment_variables[i]) ? 1 : 0; } else if (!strncmp(env, "AFL_NO_AFFINITY", afl_environment_variable_len)) { - afl->afl_env.afl_no_affinity = get_afl_env(env) ? 1 : 0; + afl->afl_env.afl_no_affinity = + get_afl_env(afl_environment_variables[i]) ? 1 : 0; } else if (!strncmp(env, "AFL_SKIP_CRASHES", afl_environment_variable_len)) { - afl->afl_env.afl_skip_crashes = (u8 *)get_afl_env(env); + afl->afl_env.afl_skip_crashes = + (u8 *)get_afl_env(afl_environment_variables[i]); } else if (!strncmp(env, "AFL_HANG_TMOUT", afl_environment_variable_len)) { - afl->afl_env.afl_hang_tmout = (u8 *)get_afl_env(env); + afl->afl_env.afl_hang_tmout = + (u8 *)get_afl_env(afl_environment_variables[i]); } else if (!strncmp(env, "AFL_SKIP_BIN_CHECK", afl_environment_variable_len)) { - afl->afl_env.afl_skip_bin_check = get_afl_env(env) ? 1 : 0; + afl->afl_env.afl_skip_bin_check = + get_afl_env(afl_environment_variables[i]) ? 1 : 0; } else if (!strncmp(env, "AFL_DUMB_FORKSRV", afl_environment_variable_len)) { - afl->afl_env.afl_dumb_forksrv = get_afl_env(env) ? 1 : 0; + afl->afl_env.afl_dumb_forksrv = + get_afl_env(afl_environment_variables[i]) ? 1 : 0; } else if (!strncmp(env, "AFL_IMPORT_FIRST", afl_environment_variable_len)) { - afl->afl_env.afl_import_first = get_afl_env(env) ? 1 : 0; + afl->afl_env.afl_import_first = + get_afl_env(afl_environment_variables[i]) ? 
1 : 0; } else if (!strncmp(env, "AFL_CUSTOM_MUTATOR_ONLY", afl_environment_variable_len)) { - afl->afl_env.afl_custom_mutator_only = get_afl_env(env) ? 1 : 0; + afl->afl_env.afl_custom_mutator_only = + get_afl_env(afl_environment_variables[i]) ? 1 : 0; } else if (!strncmp(env, "AFL_NO_UI", afl_environment_variable_len)) { - afl->afl_env.afl_no_ui = get_afl_env(env) ? 1 : 0; + afl->afl_env.afl_no_ui = + get_afl_env(afl_environment_variables[i]) ? 1 : 0; } else if (!strncmp(env, "AFL_FORCE_UI", afl_environment_variable_len)) { - afl->afl_env.afl_force_ui = get_afl_env(env) ? 1 : 0; + afl->afl_env.afl_force_ui = + get_afl_env(afl_environment_variables[i]) ? 1 : 0; } else if (!strncmp(env, "AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES", afl_environment_variable_len)) { afl->afl_env.afl_i_dont_care_about_missing_crashes = - get_afl_env(env) ? 1 : 0; + get_afl_env(afl_environment_variables[i]) ? 1 : 0; } else if (!strncmp(env, "AFL_BENCH_JUST_ONE", afl_environment_variable_len)) { - afl->afl_env.afl_bench_just_one = get_afl_env(env) ? 1 : 0; + afl->afl_env.afl_bench_just_one = + get_afl_env(afl_environment_variables[i]) ? 1 : 0; } else if (!strncmp(env, "AFL_BENCH_UNTIL_CRASH", afl_environment_variable_len)) { - afl->afl_env.afl_bench_until_crash = get_afl_env(env) ? 1 : 0; + afl->afl_env.afl_bench_until_crash = + get_afl_env(afl_environment_variables[i]) ? 1 : 0; } else if (!strncmp(env, "AFL_DEBUG_CHILD_OUTPUT", afl_environment_variable_len)) { - afl->afl_env.afl_debug_child_output = get_afl_env(env) ? 1 : 0; + afl->afl_env.afl_debug_child_output = + get_afl_env(afl_environment_variables[i]) ? 1 : 0; } else if (!strncmp(env, "AFL_AUTORESUME", afl_environment_variable_len)) { - afl->afl_env.afl_autoresume = get_afl_env(env) ? 1 : 0; + afl->afl_env.afl_autoresume = + get_afl_env(afl_environment_variables[i]) ? 
1 : 0; } else if (!strncmp(env, "AFL_TMPDIR", afl_environment_variable_len)) { - afl->afl_env.afl_tmpdir = (u8 *)get_afl_env(env); + afl->afl_env.afl_tmpdir = + (u8 *)get_afl_env(afl_environment_variables[i]); } else if (!strncmp(env, "AFL_POST_LIBRARY", afl_environment_variable_len)) { - afl->afl_env.afl_post_library = (u8 *)get_afl_env(env); + afl->afl_env.afl_post_library = + (u8 *)get_afl_env(afl_environment_variables[i]); } else if (!strncmp(env, "AFL_CUSTOM_MUTATOR_LIBRARY", afl_environment_variable_len)) { - afl->afl_env.afl_custom_mutator_library = (u8 *)get_afl_env(env); + afl->afl_env.afl_custom_mutator_library = + (u8 *)get_afl_env(afl_environment_variables[i]); } else if (!strncmp(env, "AFL_PYTHON_MODULE", afl_environment_variable_len)) { - afl->afl_env.afl_python_module = (u8 *)get_afl_env(env); + afl->afl_env.afl_python_module = + (u8 *)get_afl_env(afl_environment_variables[i]); } else if (!strncmp(env, "AFL_PATH", afl_environment_variable_len)) { - afl->afl_env.afl_path = (u8 *)get_afl_env(env); + afl->afl_env.afl_path = + (u8 *)get_afl_env(afl_environment_variables[i]); } else if (!strncmp(env, "AFL_PRELOAD", afl_environment_variable_len)) { - afl->afl_env.afl_preload = (u8 *)get_afl_env(env); + afl->afl_env.afl_preload = + (u8 *)get_afl_env(afl_environment_variables[i]); }
diff --git a/src/afl-fuzz-init.c b/src/afl-fuzz-init.c
index 40ee7d7f..6b5fa24f 100644
--- a/src/afl-fuzz-init.c
+++ b/src/afl-fuzz-init.c
@@ -181,7 +181,7 @@ void bind_to_free_cpu(afl_state_t *afl) { ck_free(procs); #else #warning \ - "For this platform we do not have free CPU binding code yet. If possible, please supply a PR to https://github.com/vanhauser-thc/AFLplusplus" + "For this platform we do not have free CPU binding code yet. If possible, please supply a PR to https://github.com/AFLplusplus/AFLplusplus" #endif size_t cpu_start = 0;
diff --git a/src/afl-fuzz-queue.c b/src/afl-fuzz-queue.c
index 37d18a2d..cfeab798 100644
--- a/src/afl-fuzz-queue.c 
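Review bot: Every branch of the chain in this hunk now spells out `get_afl_env(afl_environment_variables[i])`, so the same lookup appears some twenty times and each assignment wraps onto two lines; the fix itself (looking the variable up by its canonical table name rather than by the raw `env` entry, which presumably still carries its `=value` suffix) is sound. Hoisting the lookup once, right after the `match = 1;` that precedes the chain, `u8 *val = (u8 *)get_afl_env(afl_environment_variables[i]);`, lets each branch become a one-liner such as `afl->afl_env.afl_no_ui = val ? 1 : 0;` or `afl->afl_env.afl_tmpdir = val;`, and makes it impossible for a future branch to reintroduce the old `get_afl_env(env)` form. A short comment above the chain stating that `env` is matched by prefix while the value is fetched by the table name would also document why the two differ. The body of read_afl_environment begins and ends outside this hunk.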
+++ b/src/afl-fuzz-queue.c
@@ -328,20 +328,24 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) { // Longer execution time means longer work on the input, the deeper in // coverage, the better the fuzzing, right? -mh - if (q->exec_us * 0.1 > avg_exec_us) - perf_score = 10; - else if (q->exec_us * 0.25 > avg_exec_us) - perf_score = 25; - else if (q->exec_us * 0.5 > avg_exec_us) - perf_score = 50; - else if (q->exec_us * 0.75 > avg_exec_us) - perf_score = 75; - else if (q->exec_us * 4 < avg_exec_us) - perf_score = 300; - else if (q->exec_us * 3 < avg_exec_us) - perf_score = 200; - else if (q->exec_us * 2 < avg_exec_us) - perf_score = 150; + if (afl->schedule != MMOPT) { + + if (q->exec_us * 0.1 > avg_exec_us) + perf_score = 10; + else if (q->exec_us * 0.25 > avg_exec_us) + perf_score = 25; + else if (q->exec_us * 0.5 > avg_exec_us) + perf_score = 50; + else if (q->exec_us * 0.75 > avg_exec_us) + perf_score = 75; + else if (q->exec_us * 4 < avg_exec_us) + perf_score = 300; + else if (q->exec_us * 3 < avg_exec_us) + perf_score = 200; + else if (q->exec_us * 2 < avg_exec_us) + perf_score = 150; + + } /* Adjust score based on bitmap size. The working theory is that better coverage translates to better targets. Multiplier from 0.25x to 3x. */
@@ -431,12 +435,9 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) { break; case FAST: - if (q->fuzz_level < 16) { - + if (q->fuzz_level < 16) factor = ((u32)(1 << q->fuzz_level)) / (fuzz == 0 ? 1 : fuzz); - - } else - + else factor = MAX_FACTOR / (fuzz == 0 ? 1 : next_p2(fuzz)); break;
@@ -446,6 +447,12 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) { factor = q->fuzz_level * q->fuzz_level / (fuzz == 0 ? 1 : fuzz); break; + case MMOPT: + + if (afl->max_depth - q->depth < 5) perf_score *= 1.5; + + break; + default: PFATAL("Unknown Power Schedule"); } 
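Review bot: The new `case MMOPT:` branch multiplies `perf_score` by 1.5 for entries fewer than 5 levels below `afl->max_depth`, but neither the threshold nor the factor is named or explained, and nothing connects it to the `if (afl->schedule != MMOPT)` guard added in the first hunk of this file, which skips the execution-time scaling for the same schedule. A comment on the case, e.g. `/* MMOPT: exec-time scaling is skipped above; instead boost the deepest seeds */`, plus named constants for 5 and 1.5, would let a reader see the schedule's intent in one place. `afl->max_depth - q->depth` is presumably unsigned arithmetic, so like the existing `limit_time_sig` check it silently relies on no queue entry being deeper than `max_depth`; that invariant deserves a one-line note or an assertion where it is established. calculate_score begins and ends outside these hunks.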
@@ -458,8 +465,8 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) { if (afl->limit_time_sig != 0 && afl->max_depth - q->depth < 3) perf_score *= 2; else if (perf_score < 1) - perf_score = - 1; // Add a lower bound to AFLFast's energy assignment strategies + // Add a lower bound to AFLFast's energy assignment strategies + perf_score = 1; /* Make sure that we don't go over limit. */
diff --git a/src/afl-fuzz.c b/src/afl-fuzz.c
index 5e2b89ad..10fee76c 100644
--- a/src/afl-fuzz.c
+++ b/src/afl-fuzz.c
@@ -96,8 +96,8 @@ static void usage(afl_state_t *afl, u8 *argv0, int more_help) { "Execution control settings:\n" " -p schedule - power schedules recompute a seed's performance " "score.\n" - " <explore (default), fast, coe, lin, quad, or " - "exploit>\n" + " <explore (default), fast, coe, lin, quad, exploit, " + "mmopt>\n" " see docs/power_schedules.md\n" " -f file - location read by the fuzzed program (stdin)\n" " -t msec - timeout for each run (auto-scaled, 50-%d ms)\n"
@@ -300,6 +300,10 @@ int main(int argc, char **argv_orig, char **envp) { afl->schedule = QUAD; + } else if (!stricmp(optarg, "mopt") || !stricmp(optarg, "mmopt")) { + + afl->schedule = MMOPT; + } else if (!stricmp(optarg, "explore") || !stricmp(optarg, "default") || !stricmp(optarg, "normal") || !stricmp(optarg, "afl")) {
@@ -671,7 +675,7 @@ int main(int argc, char **argv_orig, char **envp) { OKF("afl++ is maintained by Marc \"van Hauser\" Heuse, Heiko \"hexcoder\" " "Eißfeldt, Andrea Fioraldi and Dominik Maier"); OKF("afl++ is open source, get it at " - "https://github.com/vanhauser-thc/AFLplusplus"); + "https://github.com/AFLplusplus/AFLplusplus"); OKF("Power schedules from github.com/mboehme/aflfast"); OKF("Python Mutator and llvm_mode whitelisting from github.com/choller/afl"); OKF("afl-tmin fork server patch from github.com/nccgroup/TriforceAFL"); 
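Review bot: The new `-p` branch accepts both `"mopt"` and `"mmopt"`, yet the usage text updated earlier in this file lists only `mmopt`, and the startup banner added later describes the schedule as "modified MOpt", so the shorter spelling is undocumented and invites confusion with plain MOpt. Either drop the alias, `} else if (!stricmp(optarg, "mmopt")) {`, or add `mopt` to the usage string next to `mmopt` so the accepted spellings and the help output agree. main() begins and ends outside this hunk.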
@@ -755,6 +759,7 @@ int main(int argc, char **argv_orig, char **envp) { break; case LIN: OKF("Using linear power schedule (LIN)"); break; case QUAD: OKF("Using quadratic power schedule (QUAD)"); break; + case MMOPT: OKF("Using modified MOpt power schedule (MMOPT)"); break; case EXPLORE: OKF("Using exploration-based constant power schedule (EXPLORE)"); break; |