New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Ankou fails during initialization #2
Comments
Hey @Rumata888 . Thanks for trying out Ankou! This is a problem of communication between Ankou and the compiled binary. Ankou intends to reproduce the way AFL works but there may be issues. Could you give more details on how you compiled this binary so I can reproduce and debug the issue? |
afl++ has an advanced feature where there can be a back-and-forth communication between target and afl-fuzz. But I just added a check to only accept an afl-fuzz transfer request if it was compiled with LTO. |
HI. I don't see a dev branch @vanhauser-thc . It seems you haven't pushed the commit. |
Ah, @vanhauser-thc, sorry. You meant in afl++. Will try that. |
Still getting the same problem. Tried with afl-gcc and everything worked. Any ideas? |
Just to confirm my understanding: Using vanilla AFL (not AFL++), you compiled with |
I tried a compiled binary with afl++ 3.00a with vanilla afl-fuzz from google and as expected this works fine. |
I was using AFL++, not vanilla AFL (wanted to try ankou with laf-intel). afl-clang-fast failed on me, afl-gcc worked. |
Actually, the whole communication with the binary is broken. The fork server doesn't even start correctly. I think we never tried to use
This is the function doing the initialization in Ankou. As I remember, it was just a translation of the equivalent |
it looks to me like the forkserver control in fuzz-loop.go is implemented wrong. the initial first read is not made and that might be the reason. |
Thanks a lot for looking at it ❤️ ! Will try to get this fix before next week. |
I got back in the code. Actually the read is done, but in the |
Ah that is the issue. |
The value returned by the fork server at the first read should not be considered at all. Before, Ankou was in effect panic-ing if the value was not nil. See this issue: #2
Ok thanks a ton for the help! Pushed a commit which removes this check. @Rumata888 tell me if now it works for you 😀. |
If you removed the check just for the first read on the forkserver pipe, but all other reads do the crash check - then it is the correct fix :) |
off-topic @Jiliac if you want to improve your benchmarks on fuzzbench then just use afl++ as the compiler for the targets. I recommend CLASSIC + CTX + laf-intel for that
|
Very good point on fuzzbench settings! I should include them. But fuzzbench doesn't accept Ankou in its benchmarks so far because Ankou gets too memory hungry when the PCA mode starts. I think it might be doable to optimize, but it'd be a lot of work. |
Yes, it works, thanks. |
Why not LTO? Isn't it faster supposedly? |
LTO and pcguard in afl++ are collision free, which is an amazing thing, however requires that the fuzzer knows how large the map of the target is. that is why we transfer that special value in the beginning that made ankou crash. (actually not fully true, if the target has less than 64k edges then they work fine with any afl spin-off. however there will be no speed increase. although the coverage will not be colliding anymore) |
Thanks for the explanation. |
Yes Ankou was developped first for multicore, and then adapted to run on only 1 core to be able to benchmark the same way other fuzzing paper did. Can you give more details on your setting? How many cores you are using? All of them are at 70% for long period of time? Is the memory full? |
I'm using it in a Linux Virtual machine with 8 cores dedicated to it out of 8 cores on the host. When I'm running 8 instances of afl or libfuzzer in fork mode with 8 threads, the CPU utilization is close to 100%. When I'm running ANKOU with 8 threads it averages around 70%. 7 GB of 32 GB of memory dedicated to the virtual machine are in use. It seems that there is a bottleneck. |
Very weird, I never had this problem before. What's your target? The one you mentioned above? Is it from the beginning, or after some time, like 5 to 10 minutes, when the PCA mode activates? |
A mail parsing library. When the PCA mode activates. It's been fuzzing for more than 30h now, but CPU usage rarely goes higher than 80%. Also, a large chunk of that usage is ANKOU itself, not the fuzzed application |
Then probably the PCA process is the bottleneck. It can potentially happen for programs with too many branches but I have never seen it happen in practice until now. Would have to experiment directly on the same target you are to be sure. |
Well, it's a pity. I think it could be enhanced by using SIMD on x64 targets. Also, it seems, that for test cases where token repetitions result in loops it quickly becomes ineffective because of test case growth. So while the idea is nice, you can't use it everywhere. |
Yes I looked into SIMD, but I didn't see a simple way to benefit from it for Go code. Seems like all the operations should be written manually :/ The "loop problem" should be handle by the "log transformation" used by AFL, shouldn't it? From AFL doc:
This way each new iteration in a loop is less meaningful than the previous ones. Did you see this problem in practice? |
Log buckets prevent AFL from adding test-cases with slight increases in particular edge count. Ankou determines whether a test-case should be added by how different it is from the current basis. The problem with that is that it will be much more likely that a test-case is distant enough from the current basis if one of its independent edges has a maximized hit count. But the hit count is logarithmic, so the test-case grows larger. |
Ah very good point! Actually, for the implementation, we used the AFL insight in the PCA. When we create the vector on which is used in Ankou algorithm (PCA + fitness function), we actually use the logarithm of the hit count. You can see this in the code ( |
Yup. I looked at it once again and it seems the problem was that initially aflplusplus generated several long test cases. Since ANKOU added them and they had unique coverage, it made it harder to add smaller inputs (they have to trigger very different edges to be inserted into the corpus when they don't have loops). I think Ankou would benefit from an initial check and a disclaimer, that its performance can degrade when presented with such initial corpus. |
Hi. I'm using the latest version of AFLPlusPlus with afl-clang-fast. The compiled harness definitely accepts input. However, for some reason ankou gives the following error during initialization for each case:
Problem when writing in control pipe: invalid argument
I run it with the following command:
./Ankou -app ./fuzzed_app -threads 1 -dict my.dict -i fuzz/ankou_input -o fuzz/ankou_output
Any ideas what could be the issue here?
Running with regular afl-fuzz works
The text was updated successfully, but these errors were encountered: