eurecom-s3 / invscov
The Use of Likely Invariants as Feedback for Fuzzers
Home Page: https://www.usenix.org/conference/usenixsecurity21/presentation/fioraldi
License: Apache License 2.0
Your code is not even released and here's your first issue... :-)
We'd love to see your code enabled in afl++ as a special mode.
Afl++ is already supported in Fuzzbench and it is used actively to test new fuzzing techniques. If you could enable invscov in mainstream afl++, we'd easily be able to test it in combination with other afl++ options!
Afl++ is also used in OSS-Fuzz, which is used to continuously fuzz hundreds of open source projects.
Hi ~
I am focusing on research work in the field of invariants. I am very curious about whether the invariant-mining tool Daikon used in invscov is suitable for server programs, that is, programs that read their input through sockets?
Hello andreafioraldi, invscov is a very interesting idea. I have benefited a lot from it. Thank you very much :)
As mentioned in the README, invscov uses the following steps:
But I have a small question. If we want to fuzz a target program that is compiled with a Makefile and consists of many project files, what should I do to fuzz such complex programs? Specifically, I don't know how to do steps 2, 3 and 4 for such a complex project.
I successfully used invscov to fuzz some very simple demos, but I am very confused about using it to fuzz other, more complex projects.
Looking forward to your reply :)
I want to fuzz CGC programs, but invscov only supports 64-bit programs. How do I add 32-bit platform support?
The released code uses AFLplusplus 2.65c, which is a bit old. The latest AFLplusplus version is now 3.14c. I want to replace the 2.65c version with the latest 3.14c version. Is it OK to patch in the differences that diff shows? Any suggestions for me? Thanks a lot.
The diff tool shows the following:
$ diff -ru AFLplusplus AFLplusplus-2.65c/
diff -ru AFLplusplus/llvm_mode/afl-clang-fast.c AFLplusplus-2.65c/llvm_mode/afl-clang-fast.c
--- AFLplusplus/llvm_mode/afl-clang-fast.c 2021-11-19 08:31:53.637050904 +0800
+++ AFLplusplus-2.65c/llvm_mode/afl-clang-fast.c 2020-05-15 14:36:51.000000000 +0800
@@ -584,11 +584,9 @@
be_quiet = 1;
- instrument_mode = INSTRUMENT_DEFAULT;
-
-/*#ifdef USE_TRACE_PC
+#ifdef USE_TRACE_PC
instrument_mode = INSTRUMENT_PCGUARD;
-#endif*/
+#endif
if (getenv("USE_TRACE_PC") || getenv("AFL_USE_TRACE_PC") ||
getenv("AFL_LLVM_USE_TRACE_PC") || getenv("AFL_TRACE_PC")) {
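Review bot: the orientation of this diff is backwards for porting, and that matters for every hunk below: the command was `diff -ru AFLplusplus AFLplusplus-2.65c/` with the modified tree first, so the `-` lines here (`instrument_mode = INSTRUMENT_DEFAULT;` and the commented-out `#ifdef USE_TRACE_PC` block) are the invscov change and the `+` lines are stock 2.65c. Regenerate it as `diff -ru AFLplusplus-2.65c AFLplusplus` (or apply it with `patch -R`) before carrying anything over to 3.14c, and re-check the `llvm_mode/` file paths against the newer tree layout. On the change itself, commenting out the `USE_TRACE_PC` default leaves dead code in the source; delete the block and add a one-line comment stating that invscov requires the classic instrumentation, so that the `getenv("USE_TRACE_PC")` branch that follows is visibly the only remaining way to select pcguard.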
diff -ru AFLplusplus/llvm_mode/afl-llvm-pass.so.cc AFLplusplus-2.65c/llvm_mode/afl-llvm-pass.so.cc
--- AFLplusplus/llvm_mode/afl-llvm-pass.so.cc 2021-11-19 08:31:53.637050904 +0800
+++ AFLplusplus-2.65c/llvm_mode/afl-llvm-pass.so.cc 2020-05-15 14:36:51.000000000 +0800
@@ -266,12 +266,7 @@
AFLPrevLoc = new GlobalVariable(
M, Int32Ty, false, GlobalValue::ExternalLinkage, 0, "__afl_prev_loc");
#else
- //AFLPrevLoc = new GlobalVariable(
- // M, Int32Ty, false, GlobalValue::ExternalLinkage, 0, "__afl_prev_loc", 0,
- // GlobalVariable::GeneralDynamicTLSModel, 0, false);
- AFLPrevLoc = M.getGlobalVariable("__afl_prev_loc");
- if (AFLPrevLoc == nullptr)
- AFLPrevLoc = new GlobalVariable(
+ AFLPrevLoc = new GlobalVariable(
M, Int32Ty, false, GlobalValue::ExternalLinkage, 0, "__afl_prev_loc", 0,
GlobalVariable::GeneralDynamicTLSModel, 0, false);
#endif
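Review bot: the `-` side of this hunk (the invscov change, given the reversed diff direction) reuses an existing `__afl_prev_loc` found via `M.getGlobalVariable("__afl_prev_loc")`, but never checks that the existing global has the expected `Int32Ty` type and `GeneralDynamicTLSModel`; if another pass in the pipeline declared it with a different type, the later uses of `AFLPrevLoc` in this pass are ill-typed. Add a check such as comparing `AFLPrevLoc->getValueType()` with `Int32Ty` and failing loudly on mismatch, or document in a comment which pass is expected to have created the global first. Also drop the three commented-out lines rather than keeping the old constructor call in the source.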
diff -ru AFLplusplus/src/afl-common.c AFLplusplus-2.65c/src/afl-common.c
--- AFLplusplus/src/afl-common.c 2021-11-19 15:01:11.153806707 +0800
+++ AFLplusplus-2.65c/src/afl-common.c 2020-05-15 14:36:51.000000000 +0800
@@ -884,6 +884,7 @@
timeout.tv_sec = (timeout_ms / 1000);
timeout.tv_usec = (timeout_ms % 1000) * 1000;
+ size_t read_total = 0;
size_t len_read = 0;
while (len_read < len) {
@@ -906,6 +907,7 @@
len_read = read(fd, ((u8 *)buf) + len_read, len - len_read);
if (!len_read) { return 0; }
+ read_total += len_read;
}
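Review bot: `read_total` (added on the `-` side, i.e. in the invscov tree) is incremented but never read in the visible lines, so as shown it is a dead variable that the compiler will flag as set-but-unused. If the intent is to fix this loop, note that `len_read` is overwritten with each `read()` return value, so the buffer offset `((u8 *)buf) + len_read` and the loop condition `len_read < len` use only the last chunk's size rather than the running total; use the new counter for both, e.g. `len_read = read(fd, ((u8 *)buf) + read_total, len - read_total);` with `while (read_total < len)`, and return `read_total` to the caller. While there, a `read()` that returns -1 is stored into the `size_t` and silently ends the loop as if the buffer were full; test for `< 0` separately from `== 0`.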
diff -ru AFLplusplus/src/afl-fuzz-one.c AFLplusplus-2.65c/src/afl-fuzz-one.c
--- AFLplusplus/src/afl-fuzz-one.c 2021-11-19 08:31:53.641050896 +0800
+++ AFLplusplus-2.65c/src/afl-fuzz-one.c 2020-05-15 14:36:51.000000000 +0800
@@ -488,8 +488,6 @@
if (afl->queue_cur->cal_failed < CAL_CHANCES) {
- afl->queue_cur->exec_cksum = 0;
-
res =
calibrate_case(afl, afl->queue_cur, in_buf, afl->queue_cycle - 1, 0);
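Review bot: the reset `afl->queue_cur->exec_cksum = 0;` (the invscov change, on the `-` side of this reversed diff) is undocumented: zeroing the stored checksum right before `calibrate_case()` means this recalibration has no previous checksum to compare the new run against, which changes how a mismatch between runs is treated. Add a comment stating why the stale checksum must be discarded here; if it is because the invariant-based feedback map can differ from the one the case was first calibrated with, say so, otherwise a reader will take it for an accidental loss of variable-behaviour detection.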
@@ -2638,8 +2636,6 @@
if (afl->queue_cur->cal_failed < CAL_CHANCES) {
- afl->queue_cur->exec_cksum = 0;
-
res =
calibrate_case(afl, afl->queue_cur, in_buf, afl->queue_cycle - 1, 0);
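Review bot: this is the same two-line `exec_cksum = 0` reset as in the hunk at `@@ -488,8 +488,6 @@`, duplicated at a second `calibrate_case()` call site; move the reset into `calibrate_case()` itself, or into a small helper called from both sites, so the two recalibration paths cannot drift apart when the patch is rebased onto 3.14c.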
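The diff in the issue above was produced as `diff -ru AFLplusplus AFLplusplus-2.65c/`, with the modified tree first and the stock tree second, so its `+` lines are stock 2.65c code and its `-` lines are the invscov changes. The script below is an added example, not code from the invscov repository or from the issue author: it regenerates a forward patch (stock to modified), shows how the line counts reveal a backwards patch, and dry-runs the result against another checkout before any porting work starts. The tree and file names are assumptions for the demonstration.

```sh
#!/bin/sh
# Added example, not code from the invscov repository or the issue author.
# Regenerate a patch in the stock -> modified direction and dry-run it against
# a newer tree. Tree names (stock, mod, newer) are assumptions.
set -eu

# forward_patch STOCK MODIFIED OUT
# Write a unified diff OUT whose '+' lines are the modifications (STOCK -> MODIFIED).
# diff exits 1 when the trees differ, which is the expected case here.
forward_patch() {
    rc=0
    diff -ruN "$1" "$2" > "$3" || rc=$?
    case $rc in
        1) return 0 ;;
        0) echo "forward_patch: $1 and $2 are identical, nothing to port" >&2; return 1 ;;
        *) echo "forward_patch: diff failed with status $rc" >&2; return "$rc" ;;
    esac
}

# hunk_line_counts PATCHFILE
# Print "added=N removed=M" over the hunk bodies, skipping the ---/+++ file headers.
# A patch generated backwards shows up as mostly "removed" lines.
hunk_line_counts() {
    awk '/^\+\+\+ / || /^--- / { next }
         /^\+/ { a++ }
         /^-/ { r++ }
         END { printf "added=%d removed=%d\n", a, r }' "$1"
}

# try_apply TREE PATCHFILE
# Check whether PATCHFILE (generated with relative tree names, hence -p1) applies
# to TREE without touching any file; patch(1) reports offset/fuzz per hunk.
try_apply() {
    if command -v patch >/dev/null 2>&1; then
        patch -d "$1" -p1 --dry-run < "$2"
    else
        echo "try_apply: patch(1) not installed; cannot check $2 against $1" >&2
        return 2
    fi
}

# make_demo_trees
# Build three constructed mini-trees (not AFL++ sources) under a temp dir and
# print its path: stock, a modified copy, and a "newer" stock with an extra line.
make_demo_trees() {
    work=$(mktemp -d)
    mkdir -p "$work/stock/src" "$work/mod/src" "$work/newer/src"
    printf 'int a;\nint b;\n'              > "$work/stock/src/x.c"
    printf 'int a;\nint extra;\nint b;\n'  > "$work/mod/src/x.c"
    printf '/* newer */\nint a;\nint b;\n' > "$work/newer/src/x.c"
    echo "$work"
}

# Demonstration: the same trees diffed in both directions, then a dry-run port.
work=$(make_demo_trees)
( cd "$work" && forward_patch stock mod forward.patch )
( cd "$work" && forward_patch mod stock reversed.patch )
echo "forward:  $(hunk_line_counts "$work/forward.patch")"
echo "reversed: $(hunk_line_counts "$work/reversed.patch")"
try_apply "$work/newer" "$work/forward.patch" \
    || echo "patch did not apply cleanly, or patch(1) is missing"
rm -rf "$work"
```

For the real trees, run `forward_patch AFLplusplus-2.65c AFLplusplus invscov.patch` from the directory that holds both checkouts (so the `-p1` strip matches), then `try_apply AFLplusplus-3.14c invscov.patch`; hunks that patch(1) rejects in the dry run are the ones that need hand-porting.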