nautilus-fuzz / nautilus Goto Github PK
View Code? Open in Web Editor NEWA grammar based feedback Fuzzer
License: GNU Affero General Public License v3.0
A grammar based feedback Fuzzer
License: GNU Affero General Public License v3.0
While running the command from the example i get the following error:
researcher@DESKTOP:~/leaning_to_fuzz/nautilus$ RUST_BACKTRACE=1 cargo run --bin generator -- -g grammars/grammar_py_example.py -t 100
Finished dev [unoptimized + debuginfo] target(s) in 0.07s
Runningtarget/debug/generator -g grammars/grammar_py_example.py -t 100
thread 'main' panicked at 'Mismatch between definition and access oftree_depth
. Could not downcast to usize, need to downcast to alloc::string::String
', fuzzer/src/generator.rs:67:10
stack backtrace:
0: rust_begin_unwind
at /rustc/d5a82bbd26e1ad8b7401f6a718a9c57c96905483/library/std/src/panicking.rs:575:5
1: core::panicking::panic_fmt
at /rustc/d5a82bbd26e1ad8b7401f6a718a9c57c96905483/library/core/src/panicking.rs:64:14
2: clap::parser::error::MatchesError::unwrap
at /home/researcher/.cargo/registry/src/github.com-1ecc6299db9ec823/clap-4.0.32/src/parser/error.rs:30:9
3: clap::parser::matches::arg_matches::ArgMatches::get_one
at /home/researcher/.cargo/registry/src/github.com-1ecc6299db9ec823/clap-4.0.32/src/parser/matches/arg_matches.rs:113:9
4: generator::main
at ./fuzzer/src/generator.rs:66:23
5: core::ops::function::FnOnce::call_once
at /rustc/d5a82bbd26e1ad8b7401f6a718a9c57c96905483/library/core/src/ops/function.rs:507:5
note: Some details are omitted, run withRUST_BACKTRACE=full
for a verbose backtrace.
Hi,
I realise that the ANTLR parser don't seem to be in this new version of nautilus, is the import of ANTLR grammars into nautilus no longer supported?
regex_mutator::generate()
panics with the following examples
"[^+*?]+"
"[^xu]"
"[^\\\\']"
"u{[0-9a-fA-F]+}"
".*"
"\\$[a-zA-Z_]\\w*"
"\\s"
When I run the command "cargo run --release -- -g grammars/grammar_py_example.py -o /tmp/workdir -- ./test @@", there is some errors:
error[E0554]: #![feature]
may not be used on the stable release channel
--> grammartec/src/lib.rs:17:1
|
17 | #![feature(exclusive_range_pattern)]
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
error[E0554]: #![feature]
may not be used on the stable release channel
--> grammartec/src/lib.rs:18:1
|
18 | #![feature(step_trait)]
| ^^^^^^^^^^^^^^^^^^^^^^^
#![feature]
may not be used on the stable release channelWhat should I do next.
Hello,
it seems like there is a bug in the regex mutator.
If you supply the following grammar to the generator
ctx.rule("START", "{CHAR}")
ctx.regex("CHAR", ".")
it panics every other invocation in append_unicode_range()
:
$ ./target/release/generator -g ./demo.py -t 1
thread 'main' panicked at 'called `Option::unwrap()` on a `None` value', regex_mutator/src/lib.rs:113:45
stack backtrace:
0: rust_begin_unwind
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/panicking.rs:517:5
1: core::panicking::panic_fmt
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/core/src/panicking.rs:103:14
2: core::panicking::panic
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/core/src/panicking.rs:50:5
3: regex_mutator::generate
4: grammartec::rule::Rule::generate
5: grammartec::tree::Tree::generate_from_rule
6: grammartec::context::Context::generate_tree_from_nt
7: generator::main
What rust toolchain are you using to compile the project.
It failed with multiple toolchains on different packages for different reasons.
So far I've tried:
stable-x86_64-unknown-linux-gnu
nightly-2019-09-11-x86_64-unknown-linux-gnu
nightly-2019-12-11-x86_64-unknown-linux-gnu
nightly-x86_64-unknown-linux-gnu (default)
NONE of these is able to compile and run the simple example:
cargo run --bin generator -- -g grammars/lua.py -t 100
The following regex rule can produce a u32 value that cannot be converted to a char :
ctx.regex(u'ANY', '.*')
As a consequence, the regex_mutator
will panic in append_unicode_range
on line 116, because from_u32
will return a None
that the code tries to unwrap:
fn append_unicode_range(res: &mut Vec<u8>, scr: &mut RegexScript, cls: ClassUnicodeRange) {
let mut chr_a_buf = [0; 4];
let mut chr_b_buf = [0; 4];
cls.start().encode_utf8(&mut chr_a_buf);
cls.end().encode_utf8(&mut chr_b_buf);
let a = u32::from_le_bytes(chr_a_buf);
let b = u32::from_le_bytes(chr_b_buf);
let c = scr.get_range(a as usize, (b + 1) as usize) as u32;
append_char(res, std::char::from_u32(c).unwrap());
}
I suggest capping the value of b+1
to char::MAX
to prevent this error, or using char::from_u32_unchecked
instead.
I got an error when I run nautilus with solidity as my target. It said thread 'fuzzer_2' panicked at 'shm_id "No space left on device
.
thread 'fuzzer_1' panicked at 'shm_id "No space left on device"', forksrv/src/lib.rs:205:17
stack backtrace:
thread 'fuzzer_2' panicked at 'shm_id "No space left on device"', forksrv/src/lib.rs:205:17
0: 0x5555556e6bfc - std::backtrace_rs::backtrace::libunwind::trace::h2ab374bc2a3b7023
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/../../backtrace/src/backtrace/libunwind.rs:90:5
1: 0x5555556e6bfc - std::backtrace_rs::backtrace::trace_unsynchronized::h128cb5178b04dc46
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/../../backtrace/src/backtrace/mod.rs:66:5
2: 0x5555556e6bfc - std::sys_common::backtrace::_print_fmt::h5344f9eefca2041f
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/sys_common/backtrace.rs:67:5
3: 0x5555556e6bfc - <std::sys_common::backtrace::_print::DisplayBacktrace as core::fmt::Display>::fmt::h213003bc5c7acf04
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/sys_common/backtrace.rs:46:22
4: 0x555555708e5c - core::fmt::write::h78bf85fc3e93663f
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/core/src/fmt/mod.rs:1126:17
5: 0x5555556e4165 - std::io::Write::write_fmt::he619515c888f21a5
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/io/mod.rs:1667:15
6: 0x5555556e87c0 - std::sys_common::backtrace::_print::hf706674f77848203
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/sys_common/backtrace.rs:49:5
7: 0x5555556e87c0 - std::sys_common::backtrace::print::hf0b6c7a88804ec56
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/sys_common/backtrace.rs:36:9
8: 0x5555556e87c0 - std::panicking::default_hook::{{closure}}::h2dde766cd83a333a
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/panicking.rs:210:50
9: 0x5555556e8377 - std::panicking::default_hook::h501e3b2e134eb149
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/panicking.rs:227:9
10: 0x5555556e8e74 - std::panicking::rust_panic_with_hook::hc09e869c4cf00885
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/panicking.rs:624:17
11: 0x5555556e8950 - std::panicking::begin_panic_handler::{{closure}}::hc2c6d70142458fc8
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/panicking.rs:521:13
12: 0x5555556e70a4 - std::sys_common::backtrace::__rust_end_short_backtrace::had58f7c459a1cd6e
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/sys_common/backtrace.rs:141:18
13: 0x5555556e88b9 - rust_begin_unwind
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/panicking.rs:517:5
14: 0x55555559db3b - std::panicking::begin_panic_fmt::h72e1f9ab89522086
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/panicking.rs:460:5
15: 0x5555556c4322 - forksrv::ForkServer::new::h32c3a55efbd4dcac
16: 0x5555555c827e - fuzzer::fuzzer::Fuzzer::new::hc13533b0a5d67be8
17: 0x5555555a44f5 - fuzzer::fuzzing_thread::h8950c25ab0c74bcf
18: 0x5555555ae752 - std::sys_common::backtrace::__rust_begin_short_backtrace::h256253a3ae85ff90
19: 0x5555555c1497 - core::ops::function::FnOnce::call_once{{vtable.shim}}::h85a6a903e174724b
20: 0x5555556ec653 - <alloc::boxed::Box<F,A> as core::ops::function::FnOnce<Args>>::call_once::h59eef3b9c8a82350
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/alloc/src/boxed.rs:1636:9
21: 0x5555556ec653 - <alloc::boxed::Box<F,A> as core::ops::function::FnOnce<Args>>::call_once::hb5bbe017c347469c
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/alloc/src/boxed.rs:1636:9
22: 0x5555556ec653 - std::sys::unix::thread::Thread::new::thread_start::h62931528f61e35f5
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/sys/unix/thread.rs:106:17
23: 0x7ffff7a1f609 - start_thread
at /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
24: 0x7ffff77ef293 - clone
25: 0x0 - <unknown>
stack backtrace:
Segmentation fault
But I still have much free space on disk.
cityoflight77@vps:~/nautilus$ df -h /
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 150G 35G 110G 24% /
cityoflight77@vps:~/nautilus$ df -h /dev/shm
Filesystem Size Used Avail Use% Mounted on
tmpfs 7.7G 0 7.7G 0% /dev/shm
default shared memory limits
cityoflight77@vps:~/nautilus$ ipcs -l
------ Messages Limits --------
max queues system wide = 32000
max size of message (bytes) = 8192
default max size of queue (bytes) = 16384
------ Shared Memory Limits --------
max number of segments = 4096
max seg size (kbytes) = 18014398509465599
max total shared memory (kbytes) = 18014398509481980
min seg size (bytes) = 1
------ Semaphore Limits --------
max number of arrays = 32000
max semaphores per array = 32000
max semaphores system wide = 1024000000
max ops per semop call = 500
semaphore max value = 32767
When I change shmmni to bigger value and reboot than default nautilus will return same error.
And same error happened when I try to fuzz mruby with root. But the error doesn't happened when I fuzz mruby with sudo user.
Any idea @andreafioraldi ?
Hi, I am trying to set up nautilus. When I use the grammar of javascript to test sqlite, it panicked with the following log after running for 33 mins:
thread 'fuzzer_1' panicked at 'couldn't read child hello: Custom { kind: TimedOut, error: "timed out waiting for fd to be ready" }', forksrv/src/lib.rs:95:17
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
thread 'main' panicked at 'RAND_2698731594: Any', fuzzer/src/main.rs:495:9
The CMD line I am using is: cargo run --release -- -g grammars/javascript_new.py -o /tmp/workdir -- ~/sqlite/bld2/sqlite3 -init @@
Hi, I found when I fuzz ChakraCore with nautilus( with the builtin js grammar), the path number of different instance can be extremely different.
I launched 10 fuzz instances at the same time and fuzz for 24 hours, one instance discovered 13.3k path while others discovered only 6~7k.
As the paper shows, the p-value of nautilus is low. So I wonder the reason for this situation.
Hi !
I just followed your instruction to fuzz the test.c demo with nautilus but I got this :
Compiling textwrap v0.11.0
error[E0554]: #![feature] may not be used on the stable release channel
--> /home/crypt/.cargo/registry/src/github.com-1ecc6299db9ec823/lock_api-0.3.3/src/lib.rs:89:34
|
89 | #![cfg_attr(feature = "nightly", feature(const_fn))]
| ^^^^^^^^^^^^^^^^^
error: aborting due to previous error
For more information about this error, try rustc --explain E0554.
error: could not compile lock_api.
warning: build failed, waiting for other jobs to finish...
error: build failed
Also, I didn't succeed at running this command :
git clone '[email protected]:nautilus-fuzz/nautilus.git'
Because I got this error :
Cloning into 'nautilus'...
[email protected]: Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
Thus I just cloned the repository in this way :
git clone https://github.com/nautilus-fuzz/nautilus.git
Any workaround for the first error ?
Feature: Let the user specify weights for individual rules, that are used to bias generation towards/against these specific rules.
I get such errors while fuzzing. Should I be worried?
thread 'fuzzer_18' panicked at 'internal error: entered unreachable code', grammartec/src/tree.rs:350:17
note: run with RUST_BACKTRACE=1
environment variable to display a backtrace
thread 'fuzzer_10' panicked at 'internal error: entered unreachable code', grammartec/src/tree.rs:350:17
thread 'fuzzer_20' panicked at 'internal error: entered unreachable code', grammartec/src/tree.rs:350:17
I also get things like "found fu**y bit 4299"
Nautilus cannot find any path while fuzzing ChakraCore with grammars/javascript_new.py
.
I set up nautilus with the instructions in README.md
Then I enlarged the size of bitmap to 1 << 20 and instrument ChakraCore with afl-clang-fast.
modified the config.ron
at
bitmap_size: 1048576, //1<<20
pathed file forksrv/src/lib.rs
at
return (shm_id, trace_bits as *mut [u8; 1 << 20]);
It cannot find any path during fuzzing. See following output.
------------------------------------------------------
Run Time: 0 days, 0 hours, 0 minutes, 45 seconds
Execution Count: 2643
Executions per Sec: 71
Left in queue: 0
Trees in Chunkstore: 1
------------------------------------------------------
Last ASAN crash: Not found yet.
Last SIG crash: Not found yet.
Last Timeout: No Timeout yet.
Total ASAN crashes: 0
Total SIG crashes: 0
------------------------------------------------------
New paths found by Gen: 1
New paths found by Min: 0
New paths found by Min Rec: 0
New paths found by Det: 0
New paths found by Splice: 0
New paths found by Havoc: 0
New paths found by Havoc Rec: 0
------------------------------------------------------
git:(master) ✗ uname -a
Linux alucard 4.15.0-76-generic #86-Ubuntu SMP Fri Jan 17 17:24:28 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
git:(master) ✗ rustc --version
rustc 1.45.0-nightly (75e1463c5 2020-05-13)
git:(master) ✗ rustup toolchain list
stable-x86_64-unknown-linux-gnu (default)
nightly-2020-05-14-x86_64-unknown-linux-gnu
Hi,
I adopted Nautilus on PHP.
After fuzzing for a while, It hangs up.
Then I launched 10 instances for PHP and all of them have this problem.
See follow.
_ _ _ _ _
| \ | | | | (_) |
| \| | __ _ _ _| |_ _| |_ _ ___
| . ` |/ _` | | | | __| | | | | / __|
| |\ | (_| | |_| | |_| | | |_| \__ \
|_| \_|\__,_|\__,_|\__|_|_|\__,_|___/
|_| \_|\__,_|\__,_|\__|_|_|\__,_|___/
------------------------------------------------------
Run Time: 0 days, 4 hours, 12 minutes, 46 seconds
Execution Count: 1230536
Executions per Sec: 217
Left in queue: 3266
Trees in Chunkstore: 8312
------------------------------------------------------
Last ASAN crash: Not found yet.
Last SIG crash: Not found yet.
Last Timeout: [2020-07-26] 23:35:20
Total ASAN crashes: 0
Total SIG crashes: 0
------------------------------------------------------
New paths found by Gen: 53
New paths found by Min: 726
New paths found by Min Rec: 470
New paths found by Det: 12
New paths found by Splice: 5160
New paths found by Havoc: 1474
New paths found by Havoc Rec: 657
------------------------------------------------------
Hangup------------------------------------------------
Do you have any idea about this problem?
Thanks.
The generator binary will not compile for me.
Not sure what details are relevant here.
Cargo version 1.61.0
Cloned master
Ubuntu 20.04
> RUST_BACKTRACE=1 cargo run --bin generator -- -g grammars/grammar_py_example.py -t 100
Finished dev [unoptimized + debuginfo] target(s) in 0.06s
Running `target/debug/generator -g grammars/grammar_py_example.py -t 100`
thread 'main' panicked at 'Mismatch between definition and access of `tree_depth`. Could not downcast to usize, need to downcast to alloc::string::String
', fuzzer/src/generator.rs:67:10
stack backtrace:
0: rust_begin_unwind
at /build/rustc-ZOqcvC/rustc-1.61.0+dfsg1/library/std/src/panicking.rs:584:5
1: core::panicking::panic_fmt
at /build/rustc-ZOqcvC/rustc-1.61.0+dfsg1/library/core/src/panicking.rs:143:14
2: clap::parser::error::MatchesError::unwrap
at /home/username/.cargo/registry/src/github.com-1ecc6299db9ec823/clap-4.0.32/src/parser/error.rs:30:9
3: clap::parser::matches::arg_matches::ArgMatches::get_one
at /home/username/.cargo/registry/src/github.com-1ecc6299db9ec823/clap-4.0.32/src/parser/matches/arg_matches.rs:113:9
4: generator::main
at ./fuzzer/src/generator.rs:66:23
5: core::ops::function::FnOnce::call_once
at /build/rustc-ZOqcvC/rustc-1.61.0+dfsg1/library/core/src/ops/function.rs:227:5
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
Panic when generating grammar. Here is my setup on ubuntu 20.04
cityoflight@nautilus:~/nautilus$ rustc -V
rustc 1.57.0-nightly (9dd4ce80f 2021-09-17)
cityoflight@nautilus:~/nautilus$ python3
Python 3.8.10 (default, Sep 28 2021, 16:10:42)
[GCC 9.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>>
Panic trace
cityoflight@nautilus:~/nautilus$ RUST_BACKTRACE=1 cargo run --bin generator -- -g grammars/grammar_py_example.py -t 2
Finished dev [unoptimized + debuginfo] target(s) in 0.07s
Running `target/debug/generator -g grammars/grammar_py_example.py -t 2`
thread 'main' panicked at 'assertion failed: `(left != right)`
left: `0`,
right: `0`: The Python interpreter is not initalized and the `auto-initialize` feature is not enabled.
Consider calling `pyo3::prepare_freethreaded_python()` before attempting to use Python APIs.', /home/cityoflight/.cargo/registry/src/github.com-1ecc6299db9ec823/pyo3-0.14.5/src/gil.rs:224:21
stack backtrace:
0: rust_begin_unwind
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/panicking.rs:517:5
1: core::panicking::panic_fmt
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/core/src/panicking.rs:103:14
2: core::panicking::assert_failed_inner
3: core::panicking::assert_failed
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/core/src/panicking.rs:141:5
4: pyo3::gil::GILGuard::acquire::{{closure}}
at /home/cityoflight/.cargo/registry/src/github.com-1ecc6299db9ec823/pyo3-0.14.5/src/gil.rs:224:21
5: parking_lot::once::Once::call_once_force::{{closure}}
at /home/cityoflight/.cargo/registry/src/github.com-1ecc6299db9ec823/parking_lot-0.11.2/src/once.rs:189:13
6: parking_lot::once::Once::call_once_slow
at /home/cityoflight/.cargo/registry/src/github.com-1ecc6299db9ec823/parking_lot-0.11.2/src/once.rs:304:9
7: parking_lot::once::Once::call_once_force
at /home/cityoflight/.cargo/registry/src/github.com-1ecc6299db9ec823/parking_lot-0.11.2/src/once.rs:188:9
8: pyo3::gil::GILGuard::acquire
at /home/cityoflight/.cargo/registry/src/github.com-1ecc6299db9ec823/pyo3-0.14.5/src/gil.rs:220:17
9: pyo3::python::Python::acquire_gil
at /home/cityoflight/.cargo/registry/src/github.com-1ecc6299db9ec823/pyo3-0.14.5/src/python.rs:214:9
10: generator::python_grammar_loader::load_python_grammar
at ./fuzzer/src/python_grammar_loader.rs:77:15
11: generator::main
at ./fuzzer/src/generator.rs:86:15
12: core::ops::function::FnOnce::call_once
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/core/src/ops/function.rs:227:5
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
nautilus/regex_mutator/src/lib.rs
Line 171 in b6fa83d
Should probably be while !stack.is_empty()
When i run 'cargo run ../AFLplusplus/afl-qemu-trace -- ./main @@', it's fail.
Finished dev [unoptimized + debuginfo] target(s) in 0.04s
Running target/debug/fuzzer ../AFLplusplus/afl-qemu-trace -- ./main '@@'
[2022-11-22] 08:13:05 Starting Fuzzing...
thread 'fuzzer_1' panicked at 'couldn't read child hello: Error { kind: UnexpectedEof, message: "failed to fill whole buffer" }', forksrv/src/lib.rs:98:22.
What should I address it?
Hi @eqv,
This Nautilus 2.0 looks great! I am interested in its new feature that supports binary protocols/formats. It would be great if you could add some tutorial(s) showing how it can be done. For example, how can we fuzz popular targets like LibPNG or ProFTPD with Nautilus 2.0?
Cheers!
Thuan
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.