alwin.berger/FRET-LibAFL
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
1,585 Commits 19 Branches 28 Tags
Commit Graph

1585 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Dongjia Zhang
936e2221d1
Cargo-make (#537) 
* timeout utility

* example build.toml

* upd

* ci

* Update build_and_test.yml

* Update build_and_test.yml

* rename, qemu_launcher

* libpngs

* fix

* upd

* del

* do_nothing -> unsupported

* rename

* use command

* non qemu fuzzbench

* script.sh

* mroe

* qemu

* fix

* generic

* fix

* fix

* allow 124

* quotes

* fix

* fix

* fix

* stderr to devnull

* chg
 2022-02-20 03:32:43 +01:00
Evan Richter
7150ffc5e6
[libafl_qemu] EasyElf::resolve_symbol return GuestAddr (#540) 
Also enforce Linux support at the crate level instead of item by item
 2022-02-16 21:34:56 +01:00
Andrea Fioraldi
a03d733cf9
libafl_qemu decouple hooks from the executor and QemuForkExecutor (#528) 
* QemuHooks

* option state hooks

* QemuForkExecutor

* enforce no side effects in QemuForkExecutor

* child hooks fixes

* fixes

* qemu_launcher

* examples and fixes

* fix sugar

* clippy

* fmt

* no timeout for fuzzbench_fork_qemu

* Update libafl_qemu/src/hooks.rs

Co-authored-by: Alwin Berger <50980804+alwinber@users.noreply.github.com>

* clippy

Co-authored-by: Alwin Berger <50980804+alwinber@users.noreply.github.com>
 2022-02-15 22:11:24 +01:00
Dongjia Zhang
86b4ff9c2f
Set default connect address to IP (#539) 2022-02-15 17:44:58 +01:00
Andrea Fioraldi
479f9471ff
Walk the map observer using as_ref_iter() in the map feedback (#535) 
* Walk the map observer using into_iter() in the map feedback

* fmt

* map observers as iterators

* perf

* IntoMutIterator and IntoRefIterator

* Clone

* clippy
 2022-02-14 18:12:19 +01:00
Farouk Faiz
2dcdaaa89f
Intial support to Python bindings for the libafl crate (#429) 
* Add libafl py module

* Hardcoded baby_fuzzer

* Trait abstraction: MapObserver
Send type name as a param as it's needed for extracting the rust struct from the PyObject

* Fix merge

* Impl traits for python wrappers

* Add PythonExecutor
Not buildable version

* Executor trait bindings

* Monitor trait bindings

* EventManager trait bindings

* Fix warnings

* Add corpus trait bindings

* Use corpus trait bindings

* Rand trait bindings

* Remove python feature from default

* Add cfg attribute

* Fix fmt

* No std box

* Fix clippy

* turn OwnedInProcessExecutor in a simple type alias

* remove crate-type from libafl's Cargo.toml

* Add python baby_fuzzer

* Fix doc

* Maturin doc

* multiple map observer

* fmt

* build pylibafl with nightly

* macro for map element type

* Update py baby_fuzzer & fmt

* Mutator bindings

* fmt

* merge conflicts

* StdMutationalStage bindings
Not working: Cannot pass mutator to new method because not clonable

* Stage bindings

* StagesOwnedList bindings
Not working: Stage not clonable

* Unsafe transmute copy fix

* Use Stage bindings in baby_fuzzer

* fmt

* fmt

* Fix doc

* fix merge

* Remove x86_64 feature from pylibafl

Co-authored-by: Andrea Fioraldi <andreafioraldi@gmail.com>
 2022-02-14 11:41:39 +01:00
Dongjia Zhang
393afa56c8
Github workflows frida build on windows (#536) 
* Update build_and_test.yml

* Update build_and_test.yml

* clippy

* clippy

* clippy
 2022-02-13 05:10:17 +01:00
Dominik Maier
7dad2153e2
Clippy for Cargo (#532) 
* Clippy for Cargo

* clippy fixes

* clippy fixes

* edition

* fix

* wrong self hidden

* fix

* more clippy
 2022-02-11 14:34:01 +01:00
Andrea Fioraldi
a4c9d2d19e
Fix ASAN backtrace (#534) 2022-02-11 14:31:18 +01:00
Dongjia Zhang
d676363c64
Fix Forkserver Example (#533) 
* fix

* fix

* fix

* update

* change
 2022-02-11 10:41:07 +01:00
Dongjia Zhang
53bc6e2318
test_all_fuzzers.sh fix (#531) 
* fix

* fix

* fix
 2022-02-11 10:04:04 +01:00
Dongjia Zhang
42cab49f3e
Forkserver builder fix (#529) 
* fix

* fix

* fmt

* no @@

* fuzzer change

* parse_afl_cmdline

* comma
 2022-02-11 09:38:26 +01:00
Andrea Fioraldi
eb668384bb
Fix hardcoded BacktraceObserver (#530) 
* refactor BacktraceObserver and InProcessForkExecutor

* cleanup

* fix improcess

* fix

* mormanti

* win fix

* clippy

* fix backtrace_baby_fuzzers/command_executor

* win fix

* clippy
 2022-02-10 21:45:20 +01:00
Dongjia Zhang
9d38fff662
Autodict forkserver (#525) 
* Builder for ForkserverExecutor

* add

* clippy warnings

* comment

* stash

* tmp

* change

* revert

* use_shmem_feature field

* change the harness back

* wip

* wip

* revert

* works

* clippy

* Makefile fix

* doc

* clippy

* rename to program

* rename, fix, envs

* lifetime

* arg_input_file

* stash

* read autodict from forkserver

* works

* clippy & fmt

* fmt

* fix

* fix

* fmt

* better harness

* arg_input_file_std

* rename

* fix
 2022-02-10 10:27:51 +01:00
Dongjia Zhang
9482433e54
Forkserver builder (#523) 
* Builder for ForkserverExecutor

* add

* clippy warnings

* comment

* stash

* tmp

* change

* revert

* use_shmem_feature field

* change the harness back

* wip

* wip

* revert

* works

* clippy

* Makefile fix

* doc

* clippy

* rename to program

* rename, fix, envs

* lifetime

* arg_input_file

* bug fix

* arg_input_file

* builder()

* doc

* clippy & fmt

* clippy & fmt
 2022-02-09 22:07:15 +01:00
Andrea Fioraldi
63d89463a3
Improve libafl_qemu snapshots (#484) 
* mprotect

* expose EnumIter

* thread safe mem snapshot

* update qemu hash

* clippy

* child helpers

* fixes

* fix build

* fix dep
 2022-02-09 09:40:59 +01:00
Dominik Maier
6bfbdd6318
Add sdk linker flag for broken MacOS systems (#527) 2022-02-08 18:29:48 +01:00
Dominik Maier
a3345902c2
Shorthand for differential fuzzing results (#526) 
* Shorthand for differential fuzzing results

* must_use
 2022-02-08 04:07:42 +01:00
Dongjia Zhang
914bcd5c47
Frida Doc (#515) 
* draft

* add

* more newlines
 2022-02-07 23:39:53 +01:00
Dominik Maier
98fbe83c15
Differential executor, diff feedback, stdio observers for command executor (#521) 
* started diff fuzzer

* finished DifferentialExecutor

* adapt builder, more diff fuzz infra

* diff eq feedback

* stdout observer started:

* stdio observers

* stdio observers

* no_std, fixes

* no_std tests
 2022-02-06 18:20:57 +01:00
Andrea Fioraldi
1fca710813
llvm-config --libs only for apple (#522) 
* Fuck apple

* fix fuzzbench_text
 2022-02-04 11:49:02 +01:00
Sagittarius-a
2bb60fb756
Fix documentation typos (#514) 
* Fix typos in LibAFL doc comments

* Fix doc comment for ProgressReporter trait

* Remove unused comment

* Link ShMem by name in doc comment
 2022-02-03 16:31:19 +01:00
epi
3dcb191baf
Removed subcommands from FuzzerOptions (#516) 
* updated code that removes subcommands from FuzzerOptions

* updated docs, added headings

* updated test to reflect new api

* repeat requires replay

* removed global; removed Option where appropriate; housekeeping; tests

* removed unnecessary cfg check from tests
 2022-02-03 16:29:54 +01:00
Andrea Fioraldi
c561182f07
Set map observers initial value to T::default() on creation (#520) 2022-02-03 14:25:25 +01:00
Andrea Fioraldi
f527aab15e
Non weak default sanitizers options functions (#519) 2022-02-03 10:44:23 +01:00
Andrea Fioraldi
0062bab412
libafl_cc: -fsanitize=fuzzer is an alias to --libafl (#518) 
* libafl_cc: -fsanitize=fuzzer is an alias to --libafl

* no link runtime
 2022-02-02 21:47:23 +01:00
Andrea Fioraldi
465275aecb
Allow incomplete feature (#517) 
suppress the specialization feature warning
 2022-02-02 17:55:46 +01:00
Dongjia Zhang
3c4ec38d83
Win Fix (#513) 
* win_fix

* fmt

* another fmt
 2022-02-02 00:26:10 +01:00
s1341
e41b76fe31
Throw an exception on a failed new in frida ASan, instead of just returning null (#512) 2022-02-01 15:28:44 +01:00
Dongjia Zhang
fb21c4ff82
Frida Runtime Tuples (#457) 
* an attempt to make runtimes into tuples

* wip

* wip

* wipp

* getter

* refactor

* fmt

* fix

* compiles

* fuzzer change

* coverage working

* asan & less unwrap() & fixes

* inst size, fmt

* build & coverage works on asan

* amd64 fix
 2022-02-01 14:34:53 +01:00
Andrea Fioraldi
dd002a081b
Implement coverage accounting (BB metric atm) (#507) 
* bb accounting llvm pass

* bb metric

* accoutning corpus scheduler

* fix warnings

* alloc

* clippy

* fix dockerfile

* clippy

* coverage accounting example

* finish CoverageAccountingCorpusScheduler

* fmt

* --libs in llvm-config

* merge
 2022-02-01 14:08:38 +01:00
Dominik Maier
6810e6085b
Builder for CommandExecutor & Tokens Refactoring (#508) 
* builder for CommandExecutor

* tokens api cleanup, clippy

* fix doctest

* cleanup

* added testcase, remodelled

* command executor builder fix

* fix fuzzer(?)

* implemented From for configurator

* nits

* clippy

* unused

* autotokens

* cleanup

* nits

* Err instead of empty tokens

* fix tokens fn

* fix err

* more error fixing

* tokens remodelling

* typo

* recoverable fail on missing autotokens

* clippy, nostd

* asslice, into_iter, etc. for tokens

* adapt fuzzers

* iter

* fixes, clippy

* fix

* more clippy

* no_std

* more fix

* fixed typo

* cmd_executor builds again

* bring back ASAN stuff to Command Executor

* forkserver speedup

* no need to static

* back to earlier
 2022-02-01 10:10:47 +01:00
Dongjia Zhang
c61fed6ca9
Use Unix timer_* API instead of setitimer (#510) 
* fix linter errors for armv7 (docs)

* introduce HasOnCrashReset trait; use timer_* API instead of setitimer for unix TimeoutExecutor

* fixes: PR #469 annotations and CI issues

* reintroduce setitimer for apple as macOS does not feature the POSIX timer API

* more macos and windows CI fixes

* more macos and windows CI fixes cont.

* HasOnCrashReset -> HasPostRunReset

* remove drop impl for Windows TimeoutExecutor

* adjust target cfgs for timeout stuff (android also did not work)

* add call to inner post_run_reset

* remove HasPostRunReset in favor of making it a trait fn of Executor

* add post_run_reset's to CombinedExecutor

* clippy: addr_of! instead of raw pointer casts

* link librt in libafl_cc (required by timer_* API)

* minor fixes and cleanup

* remove unused import for targets other than linux

* fix win

* merge

* fix

Co-authored-by: pr0me <g33sus@gmail.com>
 2022-02-01 04:48:03 +01:00
Dominik Maier
9dfc6aa404
CI and fixes for arm32 no_std build (#511) 
* arm32 no_std fixes and clippy

* moved criterion to benches crate

* benches no longer live here
 2022-02-01 00:57:58 +01:00
Youssef
e307dfb16f
Implement backtrace observers for crash dedupe (#379) 
* create stacktrace observer

* create stacktrace feedback

* post-merge fixes

* address comments

* update Cargo.toml

* fix CI issue + dynamic naming

* duplicate baby_fizzer

* update stacktrace baby_fuzzer

* force unwinding tables

* ignore test dumps

* fix stacktrace baby_fuzzer logic

* upgrade Backtrace version

* trigger observers.post_exec in crash_handler

* implement NewHashFeedbackState and update logic

* digest symbols pointers

* cleanup

* minimal output

* fix backdated EventFirer generic param

* add baby_fuzzer example with a fork executor

* duplicate baby_fuzzer_stacktrace with forkexecutor

* backtrace collection implemented

* add c app fuzzer example with a fork executor

* group backtrace baby fuzzers

* added c code baby fuzzer with inprocess executor

* remove need for static COLLECT_BACKTRACE

* moved code to stacktrace.rs + fixed bug

* add comment

* add command executor fuzzer example

* post merge cleanup

* add missing doc

* address comment

* fix nit

* clean duplicate variable in timeout handler

* fix command executor bt collection

* clean code and use StdShMem

* cleanup

* add ObserverWithHashField + rename StacktraceObserver

* rename + refactor some code

* add CommandBacktraceObserver

* update command executor

* update baby fuzzers

* simplify BacktraceSharedMemoryWrapper

* use better names + static methods

* use std feature macro on BacktraceObserver + fix bug

* use Box in HashValueWrapper to minimize variants size diff

* use copy_from_slice

* std conditional backtrace collection

* fix std import

* fix comment

* add exit_kind to observer.post_exec

* added hash trait to Input

* collect backtrace in post_exec

* add crash handlers to InProcessForkExecutor

* fix panic message

* duplicate forkserver fuzzer example

minimal example

update

* proto bt collection working

* rename CommandBacktraceExecutor to ASANBacktraceExecutor

* refactor ASANBacktraceObserver

* support for forkserver working

* update fuzzer example

* less verbosity

* Post merge fixes

* implement hash for GeneralizedInput

* update forkserver example after merge

* clippy fixes

* fix inproc test

* fixes for cargo hack --feature-powerset

* fix baby_no_std

* implement Hash for NautilusInput

* update fork executor baby fuzzer

* fix doc

* implement Hash for PacketData

* fix windows build

* fix windows no_std

* fix backtrace baby fuzzers README

* add comments

* move setup_bt_panic to constructor

* pre/post child exec hooks in Observer

* setup_child_panic_hook

* fix ObserversOwnedMap on nightly

* add backtrace fuzzers to CI checks

* fix typo

* fix relative paths in test_all_fuzzers.sh

Co-authored-by: Andrea Fioraldi <andreafioraldi@gmail.com>
 2022-01-31 15:58:15 +01:00
epi
62e514e61d
Make harness-args available to all subcommands in opt parser (#509) 2022-01-31 12:53:59 +01:00
epi
4862928e1e
[READY] Add options parser (#493) 
* added parser to workspace

* added parser to utils

* added must_use/docstring

* added qemu_args/removed mod names

* implemented subcommands, added example

* added crate docs

* updated based on StdFuzzer options

* added frida optiosn

* added qemu parser example

* added repeat option

* added custom subcommands

* comments and nitpickery

* pedantic fixes

* updated per review

* additional doc-comment over attribute fixes

* moved everything to bolts::cli; updated docs and things

* removed utils/fuzzer-options from cargo.toml

* forgot std flag; added

* fmt
 2022-01-28 18:10:09 +01:00
epi
2a8efa7d6d
extended inmemory; added exit to qemu (#506) 2022-01-28 18:09:04 +01:00
Andrea Fioraldi
95ba7d61ce
remvoe fprintf from autotokens pass (#505) 2022-01-28 13:51:55 +01:00
Dongjia Zhang
93f28b41be
Update frida README.md (#503) 2022-01-28 10:11:06 +01:00
epi
78bbe034a1
extend python forkserver api (#500) 
* initial attempt at api extension; untested

* updated/tested on forkserver_simple
 2022-01-28 09:43:21 +01:00
Evan Richter
4e3e31df4e
[libafl_qemu] GuestAddr type (#501) 
Guest addresses now represented by correct sized integers.

Previously u64 was used to represent guest addresses. This is great for
64-bit targets, but clunky for other architectures. This introduces a
GuestAddr type alias that is defined based on the selected emulation
architecture.

Note: This changes only the user-facing Rust interface. Before
traversing the FFI boundary, all GuestAddrs are sized back to u64.

Another Note: Guest addresses _from_ the FFI boundary are completely
trusted. Values that are too large are truncated to fit into a GuestAddr
using the `as GuestAddr` cast. This may not be ideal, as errors could be
masked. If desired and the performance is ok, a non-breaking update
could change all `as` casts to `.try_into().unwrap()` so that critical
failures in FFI are always checked.
 2022-01-28 09:42:23 +01:00
Dongjia Zhang
efb5e25411
Fix shadow bit for libafl_frida on Linux (#502) 2022-01-28 09:26:24 +01:00
epi
21668b094b
Expose more options to python qemu sugar (#492) 
* registered forkserver sugar, if unix

* exposed multiple options to python sugar constructor

* pedantic clippy is pedantic

* fixes from review/shortened attribute
 2022-01-27 09:27:25 +01:00
Evan Richter
4a6616bdfe
[libafl_qemu] simplify emu::{read,write}_mem (#496) 
Methods read_mem and write_mem now operate on &[u8], not &[T]

The generic T slice interface was prone to various footguns:
* i32 is the default Rust integer type, but buffers are often expected
  to hold u8. This means the following code writes 16 bytes to the
  guest, not 4:

      let buf = [0; 4];
      emu.write_mem(addr, &buf);

* If a buffer of 16-bit or larger integers (&[u64] for example) is
  needed to read/write, the user will need to consider host/guest
  endianness. The byte array methods in std are a good, explicit
  alternative.

  Perhaps libafl_qemu could expose/define "to/from guest endianness"
  helper functions or extension traits using the established cfg flags,
  so that guest endianness is always right by default.

* emu::read_mem causes insta-UB if a user did something like:

      let mut my_bool = false;
      emu.read_mem(addr, &mut my_bool);

  It's less surprising for users to just operate on plain-ol' bytes,
  which they can explicitly transmute if they wish.
 2022-01-27 09:05:33 +01:00
Andrea Fioraldi
408431ba5c
Fix libafl import features in libafl_targets (#495) 
* fix

* fix
 2022-01-26 22:29:25 +01:00
Dongjia Zhang
62614ce101
LLVM AutoTokens (#470) 
* posix dict2file llvm pass

* new PM

* working

* clean up

* fmt

* fix

* silence clippy

* bring the println back

* early return

* rename

* weak symbols

* linux onky

* fuzzbench change

* only linux

* linux only

* cfg

* cfg

* fix

* fix

* fix

* why

* fix

* bug fix

* rename

* rename

* macros & rename

* add_from_autotokens

* fix fuzzbench

* std -> core

* builder pattern?

* clippy

* wrong cfg

* cfgstd

* fuzzbench fmt

* no unsafe

* update fuzzbench_text

* use TokenSectiopn

Co-authored-by: Andrea Fioraldi <andreafioraldi@gmail.com>
 2022-01-26 19:23:04 +01:00
Andrea Fioraldi
0223d8a0c6
Implement Grimoire (#487) 
* GeneralizedInput

* GeneralizationStage

* generalization finished

* GrimoireExtensionMutator

* grimoire_mutated flag and propore HasTargetBytes

* use alloc

* working baby fuzzer for grimoire

* fmt

* GrimoireRecursiveReplacementMutator

* extend_with_random_generalized

* extend_with_random_generalized

* GrimoireStringReplacementMutator

* GrimoireRandomDeleteMutator

* clippy

* fuzzbench_text

* fix fuzzbench_text
 2022-01-25 21:34:10 +01:00
Andrea Fioraldi
b459933d29
AnyMap and owned collections of Observers and Stages (#491) 
* AnyMap and owned observers

* owned stages

* alloc

* panic on (de)serializing ObserversOwnedMap

* clippy
 2022-01-24 20:59:37 +01:00
Dongjia Zhang
2730515c46
Asan Fix (#490) 
* fix

* fmt
 2022-01-24 09:17:19 +01:00