FRET

Structure

• git submodule update --init
• LibAFL-based fuzzer under LibAFL/fuzzers/FRET
• FreeRTOS demos under FreeRTOS/FreeRTOS/Demo/CORTEX_M3_MPS2_QEMU_GCC
• QEMU instrumentation under qemu-libafl-bridge

HowTo

Development environment

nix develop or nix-shell

Build FRET

cd LibAFL/fuzzers/FRET
# First time and after changes to QEMU
sh -c "unset CUSTOM_QEMU_NO_BUILD CUSTOM_QEMU_NO_CONFIGURE && cargo build"
# Afterwards, simply use
cargo build

Build additional tools

# Trace analysis tool
cd state2gantt && cargo build && cd -
# Benchmark evaluation tool
cd LibAFL/fuzzers/FRET/benchmark/number_cruncher && cargo build && cd -

Build FreeRTOS Demos

cd LibAFL/fuzzers/FRET/benchmark
sh build_all_demos.sh

Example usage

• Build the demos and additional tools first

cd LibAFL/fuzzers/FRET
# Help for arguments
cargo run -- --help
# Example
export DUMP=$(mktemp -d)
dd if=/dev/random of=$DUMP/input bs=8K count=1
# fuzz for 10 seconds
cargo run -- -k benchmark/build/waters_seq_full.elf -c benchmark/target_symbols.csv -n $DUMP/output -tag fuzz -t 10 --seed 123456
# Produce a trace for the worst case found
cargo run -- -k benchmark/build/waters_seq_full.elf -c benchmark/target_symbols.csv -n $DUMP/show -tr showmap -i $DUMP/output.case
# plot the result
../../../state2gantt/driver.sh $DUMP/show.trace.ron
# view the gantt chart
open $DUMP/show_job.html

Perform canned benchmarks

• Build the demos and additional tools first
• Select a benchmark set in LibAFL/fuzzers/FRET/benchmark/Snakefile

# $BENCHDIR
cd LibAFL/fuzzers/FRET/benchmark
# e.g.
snakemake -c 128 set48 set64 set128
# plot the resutls
sh plot_all_benchmarks.sh
sh plot_all_traces.sh