Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

How to know from AFLGo that the target has been reached? #19

Closed
fuseproj opened this issue Apr 24, 2018 · 6 comments
Closed

How to know from AFLGo that the target has been reached? #19

fuseproj opened this issue Apr 24, 2018 · 6 comments

Comments

@fuseproj
Copy link

Thanks so much for opening source AFLGo and providing such a good idea for testing!

I started trying AFLGo to do some directed fuzzing these two days and had some observations.

I followed the instructions in README.md and tested xmllint with commit ef709ce2. Since the test input file dtd1 takes a bit longer time, I ignored that case. Both AFL and AFLGo generated some crashes within 3s in average. I found backtraces of the crashes do not contain the target function xmlAddID, one of them is:

Program received signal SIGSEGV, Segmentation fault.
0x00000000004f4c75 in xmlDumpElementContent (buf=0xa26390, content=0xa23070, glob=0x1) at valid.c:1175
1175                if ((content->c1->type == XML_ELEMENT_CONTENT_OR) ||
#0  0x00000000004f4c75 in xmlDumpElementContent (buf=0xa26390, content=0xa23070, glob=0x1) at valid.c:1175
#1  0x00000000004f4953 in xmlDumpElementDecl (buf=0xa26390, elem=0xa26310) at valid.c:1704
#2  0x00000000007846de in xmlBufDumpElementDecl (buf=0xa231a0, elem=0xa26310) at xmlsave.c:501
#3  xmlNodeDumpOutputInternal (ctxt=<optimized out>, cur=0xa26310) at xmlsave.c:939
#4  0x000000000078d9db in xmlNodeListDumpOutput (ctxt=<optimized out>, cur=<optimized out>) at xmlsave.c:825
#5  xmlDtdDumpOutput (ctxt=0xa230f0, dtd=<optimized out>) at xmlsave.c:749
#6  0x0000000000784659 in xmlNodeDumpOutputInternal (ctxt=0xa230f0, cur=0xa22fa0) at xmlsave.c:931
#7  0x0000000000783733 in xmlDocContentDumpOutput (ctxt=0xa230f0, cur=0xa22e40) at xmlsave.c:1234
#8  0x0000000000782aac in xmlSaveDoc (ctxt=0xa26390, doc=0x0) at xmlsave.c:1936
#9  0x000000000041141d in parseAndPrintFile (filename=0x7fffffffbb06 "./crashes/id:000000,sig:11,src:000000,op:havoc,rep:4", rectxt=<optimized out>) at xmllint.c:2705
#10 0x0000000000408561 in main (argc=0x4, argv=0x7fffffffb3a8) at xmllint.c:3759

Similar crashes are also when including dtd1.

I guess it is that there are security bug fixes after ef709ce2 and other bugs dominated this target. So is there a way for AFLGo to check whether the crash indeed reached the target?

Another question is the way -c and -z affect the mutation results. I learned from your paper that initially AFLGo started with exploration mode and do not weigh much about the target at first. Is it used to create enough seeds initially?
@fuseproj
Copy link
Author

And can you help with Bash scripts to run the tests for Binutils? I think testing some newer bugs may help, but I'm not familiar with Bash scripts to generate the distances.

@fuseproj fuseproj mentioned this issue Apr 26, 2018
Closed
@z1w z1w mentioned this issue Jul 27, 2018
Closed
@valour01
Copy link

valour01 commented Aug 5, 2018

I also have the same requirement. Is there a directory containing all the inputs that could hit the targets.

@mboehme
Copy link
Collaborator

mboehme commented Aug 6, 2018

First, no there is no directory that contains only inputs that hit the target.

However, there three things that you can do, depending on whether you want to change the program or the instrumentation.

  1. You change the program, such that it crashes when it reaches a target location, e.g., assert(false);
  2. You change the instrumentation, such that it automatically injects such assertions at the target location.
  3. You keep the distance values for each generated input, and output a ranking of the inputs according to their distance (minimum first).

@mboehme mboehme mentioned this issue Aug 6, 2018
Closed
@lvtao-sec lvtao-sec mentioned this issue Mar 25, 2018
Closed
@mboehme
Copy link
Collaborator

mboehme commented Jan 3, 2020

Closed because inactive.

@mboehme mboehme closed this as completed Jan 3, 2020
@fuzzer123 fuzzer123 mentioned this issue Apr 20, 2018
Closed
@meweez
Copy link

meweez commented Jun 6, 2020

First, no there is no directory that contains only inputs that hit the target.

However, there three things that you can do, depending on whether you want to change the program or the instrumentation.

  1. You change the program, such that it crashes when it reaches a target location, e.g., assert(false);
  2. You change the instrumentation, such that it automatically injects such assertions at the target location.
  3. You keep the distance values for each generated input, and output a ranking of the inputs according to their distance (minimum first).

how can I do this instrumentation?
I want to find out, which test-cases had reached my target, is there any way to separate crashed that reach target, even manually?
Thank you

@meweez
Copy link

meweez commented Jun 15, 2020

For checking that the crash touch target or no, we can use gdb by putting a breakpoint on the target function.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@mboehme @valour01 @fuseproj @meweez