diff options
Diffstat (limited to 'test')
| -rwxr-xr-x | test/test-performance.sh | 194 | ||||
| -rwxr-xr-x | test/test.sh | 370 |
2 files changed, 496 insertions, 68 deletions
diff --git a/test/test-performance.sh b/test/test-performance.sh new file mode 100755 index 00000000..87eea665 --- /dev/null +++ b/test/test-performance.sh @@ -0,0 +1,194 @@ +#!/bin/bash + +# if you want a specific performance file (e.g. to compare features to another) +# you can set the AFL_PERFORMANCE_FILE environment variable: +FILE=$AFL_PERFORMANCE_FILE +# otherwise we use ~/.afl_performance +test -z "$FILE" && FILE=~/.afl_performance + +test -e $FILE || { + echo Warning: This script measure the performance of afl++ and saves the result for future comparisons into $FILE + echo Press ENTER to continue or CONTROL-C to abort + read IN +} + +export AFL_QUIET=1 +unset AFL_EXIT_WHEN_DONE +unset AFL_SKIP_CPUFREQ +unset AFL_DEBUG +unset AFL_HARDEN +unset AFL_USE_ASAN +unset AFL_USE_MSAN +unset AFL_CC +unset AFL_PRELOAD +unset AFL_GCC_WHITELIST +unset AFL_LLVM_WHITELIST +unset AFL_LLVM_INSTRIM +unset AFL_LLVM_LAF_SPLIT_SWITCHES +unset AFL_LLVM_LAF_TRANSFORM_COMPARES +unset AFL_LLVM_LAF_SPLIT_COMPARES + +# on OpenBSD we need to work with llvm from /usr/local/bin +test -e /usr/local/bin/opt && { + export PATH=/usr/local/bin:${PATH} +} +# on MacOS X we prefer afl-clang over afl-gcc, because +# afl-gcc does not work there +test `uname -s` = 'Darwin' -o `uname -s` = 'FreeBSD' && { + AFL_GCC=afl-clang +} || { + AFL_GCC=afl-gcc +} + +ECHO="printf %b\\n" +$ECHO \\101 2>&1 | grep -qE '^A' || { + ECHO= + test -e /bin/printf && { + ECHO="/bin/printf %b\\n" + $ECHO '\\101' 2>&1 | grep -qE '^A' || ECHO= + } +} +test -z "$ECHO" && { printf Error: printf command does not support octal character codes ; exit 1 ; } + +GREY="\\033[1;90m" +BLUE="\\033[1;94m" +GREEN="\\033[0;32m" +RED="\\033[0;31m" +YELLOW="\\033[1;93m" +RESET="\\033[0m" + +MEM_LIMIT=150 + +>> $FILE || { echo Error: can not write to $FILE ; exit 1 ; } + +echo Warning: this script is setting performance parameters with afl-system-config +sleep 1 +afl-system-config > /dev/null 2>&1 +echo Performance settings applied. +echo + +$ECHO "${RESET}${GREY}[*] starting afl++ performance test framework ..." + +$ECHO "$BLUE[*] Testing: ${AFL_GCC}" +GCC=x +test -e ../${AFL_GCC} -a -e ../afl-fuzz && { + ../${AFL_GCC} -o test-instr.plain ../test-instr.c > /dev/null 2>&1 + test -e test-instr.plain && { + $ECHO "$GREEN[+] ${AFL_GCC} compilation succeeded" + mkdir -p in + echo 0 > in/in + $ECHO "$GREY[*] running afl-fuzz for ${AFL_GCC} for 30 seconds" + { + ../afl-fuzz -V 30 -s 123 -m ${MEM_LIMIT} -i in -o out-gcc -- ./test-instr.plain + } >>errors 2>&1 + test -n "$( ls out-gcc/queue/id:000002* 2> /dev/null )" && { + GCC=`grep execs_done out-gcc/fuzzer_stats | awk '{print$3}'` + } || { + echo CUT---------------------------------------------------------------- + cat errors + echo CUT---------------------------------------------------------------- + $ECHO "$RED[!] afl-fuzz is not working correctly with ${AFL_GCC}" + } + rm -rf in out-gcc errors test-instr.plain + } || $ECHO "$RED[!] ${AFL_GCC} instrumentation failed" +} || $ECHO "$YELLOW[-] afl is not compiled, cannot test" + +$ECHO "$BLUE[*] Testing: llvm_mode" +LLVM=x +test -e ../afl-clang-fast -a -e ../afl-fuzz && { + ../afl-clang-fast -o test-instr.llvm ../test-instr.c > /dev/null 2>&1 + test -e test-instr.llvm && { + $ECHO "$GREEN[+] llvm_mode compilation succeeded" + mkdir -p in + echo 0 > in/in + $ECHO "$GREY[*] running afl-fuzz for llvm_mode for 30 seconds" + { + ../afl-fuzz -V 30 -s 123 -m ${MEM_LIMIT} -i in -o out-llvm -- ./test-instr.llvm + } >>errors 2>&1 + test -n "$( ls out-llvm/queue/id:000002* 2> /dev/null )" && { + LLVM=`grep execs_done out-llvm/fuzzer_stats | awk '{print$3}'` + } || { + echo CUT---------------------------------------------------------------- + cat errors + echo CUT---------------------------------------------------------------- + $ECHO "$RED[!] afl-fuzz is not working correctly with llvm_mode" + } + rm -rf in out-llvm errors test-instr.llvm + } || $ECHO "$RED[!] llvm_mode instrumentation failed" +} || $ECHO "$YELLOW[-] llvm_mode is not compiled, cannot test" + +$ECHO "$BLUE[*] Testing: qemu_mode" +QEMU=x +test -e ../afl-qemu-trace -a -e ../afl-fuzz && { + cc -o test-instr.qemu ../test-instr.c > /dev/null 2>&1 + test -e test-instr.qemu && { + $ECHO "$GREEN[+] native compilation with cc succeeded" + mkdir -p in + echo 0 > in/in + $ECHO "$GREY[*] running afl-fuzz for qemu_mode for 30 seconds" + { + ../afl-fuzz -Q -V 30 -s 123 -m ${MEM_LIMIT} -i in -o out-qemu -- ./test-instr.qemu + } >>errors 2>&1 + test -n "$( ls out-qemu/queue/id:000002* 2> /dev/null )" && { + QEMU=`grep execs_done out-qemu/fuzzer_stats | awk '{print$3}'` + } || { + echo CUT---------------------------------------------------------------- + cat errors + echo CUT---------------------------------------------------------------- + $ECHO "$RED[!] afl-fuzz is not working correctly with qemu_mode" + } + rm -rf in out-qemu errors test-instr.qemu + } || $ECHO "$RED[!] qemu_mode instrumentation failed" +} || $ECHO "$YELLOW[-] qemu_mode is not compiled, cannot test" + +LOW_GCC= +HIGH_GCC= +LAST_GCC= +LOW_LLVM= +HIGH_LLVM= +LAST_LLVM= +LOW_QEMU= +HIGH_QEMU= +LAST_QEMU= + +test -s $FILE && { + while read LINE; do + G=`echo $LINE | awk '{print$1}'` + L=`echo $LINE | awk '{print$2}'` + Q=`echo $LINE | awk '{print$3}'` + test "$G" = x && G= + test "$L" = x && L= + test "$Q" = x && Q= + test -n "$G" && LAST_GCC=$G + test -n "$L" && LAST_LLVM=$L + test -n "$Q" && LAST_QEMU=$Q + test -n "$G" -a -z "$LOW_GCC" && LOW_GCC=$G || { + test -n "$G" -a "$G" -lt "$LOW_GCC" 2> /dev/null && LOW_GCC=$G + } + test -n "$L" -a -z "$LOW_LLVM" && LOW_LLVM=$L || { + test -n "$L" -a "$L" -lt "$LOW_LLVM" 2> /dev/null && LOW_LLVM=$L + } + test -n "$Q" -a -z "$LOW_QEMU" && LOW_QEMU=$Q || { + test -n "$Q" -a "$Q" -lt "$LOW_QEMU" 2> /dev/null && LOW_QEMU=$Q + } + test -n "$G" -a -z "$HIGH_GCC" && HIGH_GCC=$G || { + test -n "$G" -a "$G" -gt "$HIGH_GCC" 2> /dev/null && HIGH_GCC=$G + } + test -n "$L" -a -z "$HIGH_LLVM" && HIGH_LLVM=$L || { + test -n "$L" -a "$L" -gt "$HIGH_LLVM" 2> /dev/null && HIGH_LLVM=$L + } + test -n "$Q" -a -z "$HIGH_QEMU" && HIGH_QEMU=$Q || { + test -n "$Q" -a "$Q" -gt "$HIGH_QEMU" 2> /dev/null && HIGH_QEMU=$Q + } + done < $FILE + $ECHO "$YELLOW[!] Reading saved data from $FILE completed, please compare the results:" + $ECHO "$BLUE[!] afl-cc: lowest=$LOW_GCC highest=$HIGH_GCC last=$LAST_GCC current=$GCC" + $ECHO "$BLUE[!] llvm_mode: lowest=$LOW_LLVM highest=$HIGH_LLVM last=$LAST_LLVM current=$LLVM" + $ECHO "$BLUE[!] qemu_mode: lowest=$LOW_QEMU highest=$HIGH_QEMU last=$LAST_QEMU current=$QEMU" +} || { + $ECHO "$YELLOW[!] First run, just saving data" + $ECHO "$BLUE[!] afl-gcc=$GCC llvm_mode=$LLVM qemu_mode=$QEMU" +} +echo "$GCC $LLVM $QEMU" >> $FILE +$ECHO "$GREY[*] done." +$ECHO "$RESET" diff --git a/test/test.sh b/test/test.sh index 44236b63..781313a7 100755 --- a/test/test.sh +++ b/test/test.sh @@ -24,8 +24,11 @@ $ECHO \\101 2>&1 | grep -qE '^A' || { } test -z "$ECHO" && { printf Error: printf command does not support octal character codes ; exit 1 ; } +CODE=0 + export AFL_EXIT_WHEN_DONE=1 export AFL_SKIP_CPUFREQ=1 +export AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1 unset AFL_QUIET unset AFL_DEBUG unset AFL_HARDEN @@ -33,6 +36,7 @@ unset AFL_USE_ASAN unset AFL_USE_MSAN unset AFL_CC unset AFL_PRELOAD +unset AFL_GCC_WHITELIST unset AFL_LLVM_WHITELIST unset AFL_LLVM_INSTRIM unset AFL_LLVM_LAF_SPLIT_SWITCHES @@ -46,10 +50,11 @@ test -e /usr/local/bin/opt && { # on MacOS X we prefer afl-clang over afl-gcc, because # afl-gcc does not work there test `uname -s` = 'Darwin' -o `uname -s` = 'FreeBSD' && { -AFL_GCC=afl-clang + AFL_GCC=afl-clang } || { -AFL_GCC=afl-gcc + AFL_GCC=afl-gcc } + GREY="\\033[1;90m" BLUE="\\033[1;94m" GREEN="\\033[0;32m" @@ -59,12 +64,14 @@ RESET="\\033[0m" MEM_LIMIT=150 +export PATH=$PATH:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin + $ECHO "${RESET}${GREY}[*] starting afl++ test framework ..." $ECHO "$BLUE[*] Testing: ${AFL_GCC}, afl-showmap and afl-fuzz" test -e ../${AFL_GCC} -a -e ../afl-showmap -a -e ../afl-fuzz && { ../${AFL_GCC} -o test-instr.plain ../test-instr.c > /dev/null 2>&1 - AFL_HARDEN=1 ../${AFL_GCC} -o test-instr.harden ../test-instr.c > /dev/null 2>&1 + AFL_HARDEN=1 ../${AFL_GCC} -o test-compcov.harden test-compcov.c > /dev/null 2>&1 test -e test-instr.plain && { $ECHO "$GREEN[+] ${AFL_GCC} compilation succeeded" echo 0 | ../afl-showmap -m ${MEM_LIMIT} -o test-instr.plain.0 -r -- ./test-instr.plain > /dev/null 2>&1 @@ -72,20 +79,30 @@ test -e ../${AFL_GCC} -a -e ../afl-showmap -a -e ../afl-fuzz && { test -e test-instr.plain.0 -a -e test-instr.plain.1 && { diff -q test-instr.plain.0 test-instr.plain.1 > /dev/null 2>&1 && { $ECHO "$RED[!] ${AFL_GCC} instrumentation should be different on different input but is not" + CODE=1 } || $ECHO "$GREEN[+] ${AFL_GCC} instrumentation present and working correctly" - } || $ECHO "$RED[!] ${AFL_GCC} instrumentation failed" + } || { + $ECHO "$RED[!] ${AFL_GCC} instrumentation failed" + CODE=1 + } rm -f test-instr.plain.0 test-instr.plain.1 } || $ECHO "$RED[!] ${AFL_GCC} failed" - test -e test-instr.harden && { - grep -qa fstack-protector-all test-instr.harden > /dev/null 2>&1 && { + test -e test-compcov.harden && { + grep -Eqa 'stack_chk_fail|fstack-protector-all|fortified' test-compcov.harden > /dev/null 2>&1 && { $ECHO "$GREEN[+] ${AFL_GCC} hardened mode succeeded and is working" - } || $ECHO "$RED[!] ${AFL_GCC} hardened mode is not hardened" - rm -f test-instr.harden - } || $ECHO "$RED[!] ${AFL_GCC} hardened mode compilation failed" + } || { + $ECHO "$RED[!] ${AFL_GCC} hardened mode is not hardened" + CODE=1 + } + rm -f test-compcov.harden + } || { + $ECHO "$RED[!] ${AFL_GCC} hardened mode compilation failed" + CODE=1 + } # now we want to be sure that afl-fuzz is working # make sure core_pattern is set to core on linux (test "$(uname -s)" = "Linux" && test "$(sysctl kernel.core_pattern)" != "kernel.core_pattern = core" && { - $ECHO "$RED[!] we cannot run afl-fuzz with enabled core dumps. Run 'sudo sh afl-system-config'.$RESET" + $ECHO "$YELLOW[!] we should not run afl-fuzz with enabled core dumps. Run 'sudo sh afl-system-config'.$RESET" true }) || # make sure crash reporter is disabled on Mac OS X @@ -97,12 +114,18 @@ test -e ../${AFL_GCC} -a -e ../afl-showmap -a -e ../afl-fuzz && { echo 0 > in/in $ECHO "$GREY[*] running afl-fuzz for ${AFL_GCC}, this will take approx 10 seconds" { - ../afl-fuzz -V10 -m ${MEM_LIMIT} -i in -o out -- ./test-instr.plain > /dev/null 2>&1 - } > /dev/null 2>&1 + ../afl-fuzz -V10 -m ${MEM_LIMIT} -i in -o out -- ./test-instr.plain >>errors 2>&1 + } >>errors 2>&1 test -n "$( ls out/queue/id:000002* 2> /dev/null )" && { $ECHO "$GREEN[+] afl-fuzz is working correctly with ${AFL_GCC}" - } || $ECHO "$RED[!] afl-fuzz is not working correctly with ${AFL_GCC}" - rm -rf in out + } || { + echo CUT------------------------------------------------------------------CUT + cat errors + echo CUT------------------------------------------------------------------CUT + $ECHO "$RED[!] afl-fuzz is not working correctly with ${AFL_GCC}" + CODE=1 + } + rm -rf in out errors } rm -f test-instr.plain } || $ECHO "$YELLOW[-] afl is not compiled, cannot test" @@ -110,7 +133,11 @@ test -e ../${AFL_GCC} -a -e ../afl-showmap -a -e ../afl-fuzz && { $ECHO "$BLUE[*] Testing: llvm_mode" test -e ../afl-clang-fast && { # on FreeBSD need to set AFL_CC - export AFL_CC=`llvm-config --bindir`/clang + if which clang >/dev/null; then + export AFL_CC=`which clang` + else + export AFL_CC=`llvm-config --bindir`/clang + fi ../afl-clang-fast -o test-instr.plain ../test-instr.c > /dev/null 2>&1 AFL_HARDEN=1 ../afl-clang-fast -o test-compcov.harden test-compcov.c > /dev/null 2>&1 test -e test-instr.plain && { @@ -120,36 +147,56 @@ test -e ../afl-clang-fast && { test -e test-instr.plain.0 -a -e test-instr.plain.1 && { diff -q test-instr.plain.0 test-instr.plain.1 > /dev/null 2>&1 && { $ECHO "$RED[!] llvm_mode instrumentation should be different on different input but is not" + CODE=1 } || $ECHO "$GREEN[+] llvm_mode instrumentation present and working correctly" - } || $ECHO "$RED[!] llvm_mode instrumentation failed" + } || { + $ECHO "$RED[!] llvm_mode instrumentation failed" + CODE=1 + } rm -f test-instr.plain.0 test-instr.plain.1 - } || $ECHO "$RED[!] llvm_mode failed" + } || { + $ECHO "$RED[!] llvm_mode failed" + CODE=1 + } test -e test-compcov.harden && { grep -Eqa 'stack_chk_fail|fstack-protector-all|fortified' test-compcov.harden > /dev/null 2>&1 && { $ECHO "$GREEN[+] llvm_mode hardened mode succeeded and is working" - } || $ECHO "$RED[!] llvm_mode hardened mode is not hardened" + } || { + $ECHO "$RED[!] llvm_mode hardened mode is not hardened" + CODE=1 + } rm -f test-compcov.harden - } || $ECHO "$RED[!] llvm_mode hardened mode compilation failed" + } || { + $ECHO "$RED[!] llvm_mode hardened mode compilation failed" + CODE=1 + } # now we want to be sure that afl-fuzz is working (test "$(uname -s)" = "Linux" && test "$(sysctl kernel.core_pattern)" != "kernel.core_pattern = core" && { - $ECHO "$RED[!] we cannot run afl-fuzz with enabled core dumps. Run 'sudo sh afl-system-config'.$RESET" + $ECHO "$YELLOW[!] we should not run afl-fuzz with enabled core dumps. Run 'sudo sh afl-system-config'.$RESET" true }) || # make sure crash reporter is disabled on Mac OS X (test "$(uname -s)" = "Darwin" && test $(launchctl list 2>/dev/null | grep -q '\.ReportCrash$') && { $ECHO "$RED[!] we cannot run afl-fuzz with enabled crash reporter. Run 'sudo sh afl-system-config'.$RESET" + CODE=1 true }) || { mkdir -p in echo 0 > in/in $ECHO "$GREY[*] running afl-fuzz for llvm_mode, this will take approx 10 seconds" { - ../afl-fuzz -V10 -m ${MEM_LIMIT} -i in -o out -- ./test-instr.plain > /dev/null 2>&1 - } > /dev/null 2>&1 + ../afl-fuzz -V10 -m ${MEM_LIMIT} -i in -o out -- ./test-instr.plain >>errors 2>&1 + } >>errors 2>&1 test -n "$( ls out/queue/id:000002* 2> /dev/null )" && { $ECHO "$GREEN[+] afl-fuzz is working correctly with llvm_mode" - } || $ECHO "$RED[!] afl-fuzz is not working correctly with llvm_mode" - rm -rf in out + } || { + echo CUT------------------------------------------------------------------CUT + cat errors + echo CUT------------------------------------------------------------------CUT + $ECHO "$RED[!] afl-fuzz is not working correctly with llvm_mode" + CODE=1 + } + rm -rf in out errors } rm -f test-instr.plain @@ -158,49 +205,176 @@ test -e ../afl-clang-fast && { test -e test-compcov.instrim && { grep -Eq " [1-3] location" test.out && { $ECHO "$GREEN[+] llvm_mode InsTrim feature works correctly" - } || $ECHO "$RED[!] llvm_mode InsTrim feature failed" - } || $ECHO "$RED[!] llvm_mode InsTrim feature compilation failed" + } || { + $ECHO "$RED[!] llvm_mode InsTrim feature failed" + CODE=1 + } + } || { + $ECHO "$RED[!] llvm_mode InsTrim feature compilation failed" + CODE=1 + } rm -f test-compcov.instrim test.out AFL_LLVM_LAF_SPLIT_SWITCHES=1 AFL_LLVM_LAF_TRANSFORM_COMPARES=1 AFL_LLVM_LAF_SPLIT_COMPARES=1 ../afl-clang-fast -o test-compcov.compcov test-compcov.c > /dev/null 2> test.out test -e test-compcov.compcov && { grep -Eq " [3-9][0-9] location" test.out && { $ECHO "$GREEN[+] llvm_mode laf-intel/compcov feature works correctly" - } || $ECHO "$RED[!] llvm_mode laf-intel/compcov feature failed" - } || $ECHO "$RED[!] llvm_mode laf-intel/compcov feature compilation failed" + } || { + $ECHO "$RED[!] llvm_mode laf-intel/compcov feature failed" + CODE=1 + } + } || { + $ECHO "$RED[!] llvm_mode laf-intel/compcov feature compilation failed" + CODE=1 + } rm -f test-compcov.compcov test.out echo foobar.c > whitelist.txt AFL_LLVM_WHITELIST=whitelist.txt ../afl-clang-fast -o test-compcov test-compcov.c > test.out 2>&1 test -e test-compcov && { grep -q "No instrumentation targets found" test.out && { $ECHO "$GREEN[+] llvm_mode whitelist feature works correctly" - } || $ECHO "$RED[!] llvm_mode whitelist feature failed" - } || $ECHO "$RED[!] llvm_mode whitelist feature compilation failed" + } || { + $ECHO "$RED[!] llvm_mode whitelist feature failed" + CODE=1 + } + } || { + $ECHO "$RED[!] llvm_mode whitelist feature compilation failed" + CODE=1 + } rm -f test-compcov test.out whitelist.txt ../afl-clang-fast -o test-persistent ../experimental/persistent_demo/persistent_demo.c > /dev/null 2>&1 test -e test-persistent && { echo foo | ../afl-showmap -o /dev/null -q -r ./test-persistent && { $ECHO "$GREEN[+] llvm_mode persistent mode feature works correctly" - } || $ECHO "$RED[!] llvm_mode persistent mode feature failed to work" - } || $ECHO "$RED[!] llvm_mode persistent mode feature compilation failed" + } || { + $ECHO "$RED[!] llvm_mode persistent mode feature failed to work" + CODE=1 + } + } || { + $ECHO "$RED[!] llvm_mode persistent mode feature compilation failed" + CODE=1 + } rm -f test-persistent } || $ECHO "$YELLOW[-] llvm_mode not compiled, cannot test" +$ECHO "$BLUE[*] Testing: gcc_plugin" +export AFL_CC=`which gcc` +test -e ../afl-gcc-fast && { + ../afl-gcc-fast -o test-instr.plain.gccpi ../test-instr.c > /dev/null 2>&1 + AFL_HARDEN=1 ../afl-gcc-fast -o test-compcov.harden.gccpi test-compcov.c > /dev/null 2>&1 + test -e test-instr.plain.gccpi && { + $ECHO "$GREEN[+] gcc_plugin compilation succeeded" + echo 0 | ../afl-showmap -m ${MEM_LIMIT} -o test-instr.plain.0 -r -- ./test-instr.plain.gccpi > /dev/null 2>&1 + ../afl-showmap -m ${MEM_LIMIT} -o test-instr.plain.1 -r -- ./test-instr.plain.gccpi < /dev/null > /dev/null 2>&1 + test -e test-instr.plain.0 -a -e test-instr.plain.1 && { + diff -q test-instr.plain.0 test-instr.plain.1 > /dev/null 2>&1 && { + $ECHO "$RED[!] gcc_plugin instrumentation should be different on different input but is not" + CODE=1 + } || { + $ECHO "$GREEN[+] gcc_plugin instrumentation present and working correctly" + } + } || { + $ECHO "$RED[!] gcc_plugin instrumentation failed" + CODE=1 + } + rm -f test-instr.plain.0 test-instr.plain.1 + } || { + $ECHO "$RED[!] gcc_plugin failed" + CODE=1 + } + + test -e test-compcov.harden.gccpi && { + grep -Eqa 'stack_chk_fail|fstack-protector-all|fortified' test-compcov.harden.gccpi > /dev/null 2>&1 && { + $ECHO "$GREEN[+] gcc_plugin hardened mode succeeded and is working" + } || { + $ECHO "$RED[!] gcc_plugin hardened mode is not hardened" + CODE=1 + } + rm -f test-compcov.harden.gccpi + } || { + $ECHO "$RED[!] gcc_plugin hardened mode compilation failed" + CODE=1 + } + # now we want to be sure that afl-fuzz is working + (test "$(uname -s)" = "Linux" && test "$(sysctl kernel.core_pattern)" != "kernel.core_pattern = core" && { + $ECHO "$YELLOW[!] we should not run afl-fuzz with enabled core dumps. Run 'sudo sh afl-system-config'.$RESET" + true + }) || + # make sure crash reporter is disabled on Mac OS X + (test "$(uname -s)" = "Darwin" && test $(launchctl list 2>/dev/null | grep -q '\.ReportCrash$') && { + $ECHO "$RED[!] we cannot run afl-fuzz with enabled crash reporter. Run 'sudo sh afl-system-config'.$RESET" + CODE=1 + true + }) || { + mkdir -p in + echo 0 > in/in + $ECHO "$GREY[*] running afl-fuzz for gcc_plugin, this will take approx 10 seconds" + { + ../afl-fuzz -V10 -m ${MEM_LIMIT} -i in -o out -- ./test-instr.plain.gccpi >>errors 2>&1 + } >>errors 2>&1 + test -n "$( ls out/queue/id:000002* 2> /dev/null )" && { + $ECHO "$GREEN[+] afl-fuzz is working correctly with gcc_plugin" + } || { + echo CUT------------------------------------------------------------------CUT + cat errors + echo CUT------------------------------------------------------------------CUT + $ECHO "$RED[!] afl-fuzz is not working correctly with gcc_plugin" + CODE=1 + } + rm -rf in out errors + } + rm -f test-instr.plain.gccpi + + # now for the special gcc_plugin things + echo foobar.c > whitelist.txt + AFL_GCC_WHITELIST=whitelist.txt ../afl-gcc-fast -o test-compcov test-compcov.c > /dev/null 2>&1 + test -e test-compcov && { + echo 1 | ../afl-showmap -m ${MEM_LIMIT} -o - -r -- ./test-compcov 2>&1 | grep -q "Captured 1 tuples" && { + $ECHO "$GREEN[+] gcc_plugin whitelist feature works correctly" + } || { + $ECHO "$RED[!] gcc_plugin whitelist feature failed" + CODE=1 + } + } || { + $ECHO "$RED[!] gcc_plugin whitelist feature compilation failed" + CODE=1 + } + rm -f test-compcov test.out whitelist.txt + ../afl-gcc-fast -o test-persistent ../experimental/persistent_demo/persistent_demo.c > /dev/null 2>&1 + test -e test-persistent && { + echo foo | ../afl-showmap -o /dev/null -q -r ./test-persistent && { + $ECHO "$GREEN[+] gcc_plugin persistent mode feature works correctly" + } || { + $ECHO "$RED[!] gcc_plugin persistent mode feature failed to work" + CODE=1 + } + } || { + $ECHO "$RED[!] gcc_plugin persistent mode feature compilation failed" + CODE=1 + } + rm -f test-persistent +} || $ECHO "$YELLOW[-] gcc_plugin not compiled, cannot test" + $ECHO "$BLUE[*] Testing: shared library extensions" -gcc -o test-compcov test-compcov.c > /dev/null 2>&1 +cc -o test-compcov test-compcov.c > /dev/null 2>&1 test -e ../libtokencap.so && { - AFL_TOKEN_FILE=token.out LD_PRELOAD=../libtokencap.so ./test-compcov foobar > /dev/null 2>&1 + AFL_TOKEN_FILE=token.out LD_PRELOAD=../libtokencap.so DYLD_INSERT_LIBRARIES=../libtokencap.so DYLD_FORCE_FLAT_NAMESPACE=1 ./test-compcov foobar > /dev/null 2>&1 grep -q BUGMENOT token.out > /dev/null 2>&1 && { $ECHO "$GREEN[+] libtokencap did successfully capture tokens" - } || $ECHO "$RED[!] libtokencap did not capture tokens" + } || { + $ECHO "$RED[!] libtokencap did not capture tokens" + CODE=1 + } rm -f token.out } || $ECHO "$YELLOW[-] libtokencap is not compiled, cannot test" test -e ../libdislocator.so && { { ulimit -c 1 - LD_PRELOAD=../libdislocator.so ./test-compcov BUFFEROVERFLOW > test.out 2> /dev/null + # DYLD_INSERT_LIBRARIES and DYLD_FORCE_FLAT_NAMESPACE is used on Darwin/MacOSX + LD_PRELOAD=../libdislocator.so DYLD_INSERT_LIBRARIES=../libdislocator.so DYLD_FORCE_FLAT_NAMESPACE=1 ./test-compcov BUFFEROVERFLOW > test.out 2> /dev/null } > /dev/null 2>&1 grep -q BUFFEROVERFLOW test.out > /dev/null 2>&1 && { $ECHO "$RED[!] libdislocator did not detect the memory corruption" + CODE=1 } || $ECHO "$GREEN[+] libdislocator did successfully detect the memory corruption" rm -f test.out core test-compcov.core core.test-compcov } || $ECHO "$YELLOW[-] libdislocator is not compiled, cannot test" @@ -216,40 +390,75 @@ test -e ../afl-qemu-trace && { echo 0 > in/in $ECHO "$GREY[*] running afl-fuzz for qemu_mode, this will take approx 10 seconds" { - ../afl-fuzz -V10 -Q -i in -o out -- ./test-instr > /dev/null 2>&1 - } > /dev/null 2>&1 + ../afl-fuzz -V10 -Q -i in -o out -- ./test-instr >>errors 2>&1 + } >>errors 2>&1 test -n "$( ls out/queue/id:000002* 2> /dev/null )" && { $ECHO "$GREEN[+] afl-fuzz is working correctly with qemu_mode" - } || $ECHO "$RED[!] afl-fuzz is not working correctly with qemu_mode" + RUNTIME=`grep execs_done out/fuzzer_stats | awk '{print$3}'` + } || { + echo CUT------------------------------------------------------------------CUT + cat errors + echo CUT------------------------------------------------------------------CUT + $ECHO "$RED[!] afl-fuzz is not working correctly with qemu_mode" + CODE=1 + } + rm -f errors test -e ../libcompcov.so && { $ECHO "$GREY[*] running afl-fuzz for qemu_mode libcompcov, this will take approx 10 seconds" { export AFL_PRELOAD=../libcompcov.so export AFL_COMPCOV_LEVEL=2 - ../afl-fuzz -V10 -Q -i in -o out -- ./test-compcov > /dev/null 2>&1 - } > /dev/null 2>&1 + ../afl-fuzz -V10 -Q -i in -o out -- ./test-compcov >>errors 2>&1 + } >>errors 2>&1 test -n "$( ls out/queue/id:000002* 2> /dev/null )" && { $ECHO "$GREEN[+] afl-fuzz is working correctly with qemu_mode libcompcov" - } || $ECHO "$RED[!] afl-fuzz is not working correctly with qemu_mode libcompcov" + } || { + echo CUT------------------------------------------------------------------CUT + cat errors + echo CUT------------------------------------------------------------------CUT + $ECHO "$RED[!] afl-fuzz is not working correctly with qemu_mode libcompcov" + CODE=1 + } } || $ECHO "$YELLOW[-] we cannot test qemu_mode libcompcov because it is not present" - rm -rf in out + rm -f errors + + $ECHO "$GREY[*] running afl-fuzz for persistent qemu_mode, this will take approx 10 seconds" + { + export AFL_QEMU_PERSISTENT_ADDR=0x$(nm test-instr | grep "T main" | awk '{ print $1 }') + export AFL_QEMU_PERSISTENT_GPR=1 + ../afl-fuzz -V10 -Q -i in -o out -- ./test-instr > /dev/null 2>&1 + } >>errors 2>&1 + test -n "$( ls out/queue/id:000002* 2> /dev/null )" && { + $ECHO "$GREEN[+] afl-fuzz is working correctly with persistent qemu_mode" + RUNTIMEP=`grep execs_done out/fuzzer_stats | awk '{print$3}'` + test -n "$RUNTIME" -a -n "$RUNTIMEP" && { + SLOW=`expr $RUNTIME '*' 103` # persistent mode should be at least 3% faster - minimum! + FAST=`expr $RUNTIMEP '*' 100` + test "$SLOW" -lt "$FAST" && { + $ECHO "$GREEN[+] persistent qemu_mode was noticeable faster than standard qemu_mode" + } || { + $ECHO "$YELLOW[?] persistent qemu_mode was not noticeable faster than standard qemu_mode" + } + } || { + $ECHO "$YELLOW[?] we got no data on executions performed? weird!" + } + } || { + echo CUT------------------------------------------------------------------CUT + cat errors + echo CUT------------------------------------------------------------------CUT + $ECHO "$RED[!] afl-fuzz is not working correctly with persistent qemu_mode" + CODE=1 + exit 1 + } + $ECHO "$YELLOW[?] we need a test case for qemu_mode unsigaction library" + rm -rf in out errors } - } || $ECHO "$RED[-] gcc compilation of test targets failed - what is going on??" + } || { + $ECHO "$RED[-] gcc compilation of test targets failed - what is going on??" + CODE=1 + } - $ECHO "$YELLOW[?] we need a test case for qemu_mode persistent mode" - $ECHO "$YELLOW[?] we need a test case for qemu_mode unsigaction library" - # This works but there are already problems with persistent (e.g. stability) - #$ECHO "$GREY[*] running afl-fuzz for persistent qemu_mode, this will take approx 10 seconds" - #{ - # export AFL_QEMU_PERSISTENT_ADDR=0x$(nm test-instr | grep "T main" | awk '{ print $1 }') - # export AFL_QEMU_PERSISTENT_GPR=1 - # ../afl-fuzz -V10 -Q -i in -o out -- ./test-instr > /dev/null 2>&1 - #} > /dev/null 2>&1 - #test -n "$( ls out/queue/id:000002* 2> /dev/null )" && { - # $ECHO "$GREEN[+] afl-fuzz is working correctly with persistent qemu_mode" - #} || $ECHO "$RED[!] afl-fuzz is not working correctly with persistent qemu_mode" - rm -f test-instr test-compcov } || $ECHO "$YELLOW[-] qemu_mode is not compiled, cannot test" @@ -257,29 +466,54 @@ $ECHO "$BLUE[*] Testing: unicorn_mode" test -d ../unicorn_mode/unicorn && { test -e ../unicorn_mode/samples/simple/simple_target.bin -a -e ../unicorn_mode/samples/compcov_x64/compcov_target.bin && { { + # travis workaround + PY=`which python2.7` + test "$PY" = "/opt/pyenv/shims/python2.7" -a -x /usr/bin/python2.7 && PY=/usr/bin/python2.7 mkdir -p in echo 0 > in/in - $ECHO "$GREY[*] running afl-fuzz for unicorn_mode, this will take approx 15 seconds" + $ECHO "$GREY[*] Using python binary $PY" + $ECHO "$GREY[*] running afl-fuzz for unicorn_mode, this will take approx 25 seconds" { - ../afl-fuzz -V15 -U -i in -o out -d -- python ../unicorn_mode/samples/simple/simple_test_harness.py @@ > /dev/null 2>&1 - } > /dev/null 2>&1 + ../afl-fuzz -V25 -U -i in -o out -d -- "$PY" ../unicorn_mode/samples/simple/simple_test_harness.py @@ >>errors 2>&1 + } >>errors 2>&1 test -n "$( ls out/queue/id:000002* 2> /dev/null )" && { $ECHO "$GREEN[+] afl-fuzz is working correctly with unicorn_mode" - } || $ECHO "$RED[!] afl-fuzz is not working correctly with unicorn_mode" + } || { + echo CUT------------------------------------------------------------------CUT + cat errors + echo CUT------------------------------------------------------------------CUT + $ECHO "$RED[!] afl-fuzz is not working correctly with unicorn_mode" + CODE=1 + } + rm -f errors - $ECHO "$GREY[*] running afl-fuzz for unicorn_mode compcov, this will take approx 15 seconds" + printf '\x01\x01' > in/in + # This seed is close to the first byte of the comparison. + # If CompCov works, a new tuple will appear in the map => new input in queue + $ECHO "$GREY[*] running afl-fuzz for unicorn_mode compcov, this will take approx 35 seconds" { export AFL_COMPCOV_LEVEL=2 - ../afl-fuzz -V15 -U -i in -o out -d -- python ../unicorn_mode/samples/compcov_x64/compcov_test_harness.py @@ > /dev/null 2>&1 - } > /dev/null 2>&1 + ../afl-fuzz -V35 -U -i in -o out -d -- "$PY" ../unicorn_mode/samples/compcov_x64/compcov_test_harness.py @@ >>errors 2>&1 + } >>errors 2>&1 test -n "$( ls out/queue/id:000001* 2> /dev/null )" && { $ECHO "$GREEN[+] afl-fuzz is working correctly with unicorn_mode compcov" - } || $ECHO "$RED[!] afl-fuzz is not working correctly with unicorn_mode compcov" - rm -rf in out + } || { + echo CUT------------------------------------------------------------------CUT + cat errors + echo CUT------------------------------------------------------------------CUT + $ECHO "$RED[!] afl-fuzz is not working correctly with unicorn_mode compcov" + CODE=1 + } + rm -rf in out errors } - } || $ECHO "$RED[-] missing sample binaries in unicorn_mode/samples/ - what is going on??" + } || { + $ECHO "$RED[-] missing sample binaries in unicorn_mode/samples/ - what is going on??" + CODE=1 + } } || $ECHO "$YELLOW[-] unicorn_mode is not compiled, cannot test" $ECHO "$GREY[*] all test cases completed.$RESET" - +test "$CODE" = "0" && $ECHO "$GREEN[+] all tests were successful :-)$RESET" +test "$CODE" = "0" || $ECHO "$RED[-] failure in tests :-($RESET" +exit $CODE |