Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

AFL integration with multiple AFL instances running and a SymCC instance with only a single AFL process. #1166

Merged
merged 9 commits into from
Jun 2, 2021
Merged

AFL integration with multiple AFL instances running and a SymCC instance with only a single AFL process. #1166

merged 9 commits into from
Jun 2, 2021

Conversation

DavidKorczynski
Copy link
Contributor

@DavidKorczynski DavidKorczynski commented Jun 1, 2021
edited
Loading

This integrates a version where two AFL processes are started.

The reason for this integration is that some integrations (eclipser and symcc) rely on multiple processes as part of their workflow. This potentially gives an unfair total amount of CPU time or an unfair amount of time spent context switching in comparison to the other integrations, which in turn may twist the truth of the results. This integration is meant to be used as a comparison to such integrations. This came up from a discussion with @vanhauser-thc over here #1165 (comment)

@google-cla google-cla bot added the cla: yes label Jun 1, 2021
@DavidKorczynski
Copy link
Contributor Author

As an extra note on this, I assume this is something that should also be considered in other integrations? For example, Van Hauser mentions another example of comparing Eclipser and afl++ versus afl++ and afl++. Down the line it may also be that more multi-process tools are coming in.

@inferno-chromium
Copy link
Collaborator

Can you request an experiment as well in this pr

@DavidKorczynski
Copy link
Contributor Author

DavidKorczynski commented Jun 1, 2021
edited
Loading

Can you request an experiment as well in this pr

Yeah.

I will also a second flavour of SymCC that relies on a single AFL instance rather than one (the documentation suggests two https://github.com/eurecom-s3/symcc/blob/9b20609adab02279c181010c8b1e61a9a9acac62/docs/Fuzzing.txt#L91 but also says It is possible to run SymCC with only an AFL master or only a secondary AFLinstance; see the AFL docs for the implications. https://github.com/eurecom-s3/symcc/blob/9b20609adab02279c181010c8b1e61a9a9acac62/docs/Fuzzing.txt#L112)

@sebastianpoeplau am not entirely sure what implications this refers to - if you have the time then I would be happy to hear about those.

@inferno-chromium inferno-chromium enabled auto-merge (squash) June 1, 2021 20:50
@DavidKorczynski
Copy link
Contributor Author

DavidKorczynski commented Jun 1, 2021
edited
Loading

I have run the three modified fuzzers from this pr symcc_afl, symcc_afl_single and afl_two_instances on the libhtp_fuzz_htp benchmark for a short period of time. All three work on that so this one should be good to go.

@DavidKorczynski DavidKorczynski changed the title AFL integration with multiple AFL instances running AFL integration with multiple AFL instances running and a SymCC instance with only a single AFL process. Jun 1, 2021
@DavidKorczynski DavidKorczynski marked this pull request as draft June 1, 2021 21:57
auto-merge was automatically disabled June 1, 2021 21:57

Pull request was converted to draft

@DavidKorczynski DavidKorczynski marked this pull request as ready for review June 1, 2021 21:57
@inferno-chromium inferno-chromium merged commit 8c1a617 into google:master Jun 2, 2021
This was referenced Jun 3, 2021
Merged
Closed
@sebastianpoeplau
Copy link

I will also a second flavour of SymCC that relies on a single AFL instance rather than one (the documentation suggests two https://github.com/eurecom-s3/symcc/blob/9b20609adab02279c181010c8b1e61a9a9acac62/docs/Fuzzing.txt#L91 but also says It is possible to run SymCC with only an AFL master or only a secondary AFLinstance; see the AFL docs for the implications. https://github.com/eurecom-s3/symcc/blob/9b20609adab02279c181010c8b1e61a9a9acac62/docs/Fuzzing.txt#L112)

@sebastianpoeplau am not entirely sure what implications this refers to - if you have the time then I would be happy to hear about those.

My understanding from the AFL docs is that master instances perform a set of deterministic mutations before proceeding to randomly mutating inputs (called "havoc" in the AFL UI); secondary instances skip the deterministic stage and start with "havoc" immediately. The consequences for SymCC, I think, are that running with only a secondary instance will lose any benefit that the deterministic mutations might have; running with only a master doesn't have that problem, but I believe then it takes longer until AFL reads inputs from SymCC for the first time.

@vanhauser-thc
Copy link
Collaborator

I will also a second flavour of SymCC that relies on a single AFL instance rather than one (the documentation suggests two https://github.com/eurecom-s3/symcc/blob/9b20609adab02279c181010c8b1e61a9a9acac62/docs/Fuzzing.txt#L91 but also says It is possible to run SymCC with only an AFL master or only a secondary AFLinstance; see the AFL docs for the implications. https://github.com/eurecom-s3/symcc/blob/9b20609adab02279c181010c8b1e61a9a9acac62/docs/Fuzzing.txt#L112)
@sebastianpoeplau am not entirely sure what implications this refers to - if you have the time then I would be happy to hear about those.

My understanding from the AFL docs is that master instances perform a set of deterministic mutations before proceeding to randomly mutating inputs (called "havoc" in the AFL UI); secondary instances skip the deterministic stage and start with "havoc" immediately. The consequences for SymCC, I think, are that running with only a secondary instance will lose any benefit that the deterministic mutations might have; running with only a master doesn't have that problem, but I believe then it takes longer until AFL reads inputs from SymCC for the first time.

In afl++ we just changed this - -M does not do deterministic anymore because it is pretty pointless (as analyzed from several experiments I made).
Also -M was never required, for neither vanilla afl nor afl++.
In my experience for symcc/Eclipers/etc. a single vanilla afl-fuzz -S is better than -M or having -M and -S. (and for afl++ I would recommend the same).

@sebastianpoeplau
Copy link

Sounds good! In vanilla afl -M has the effect of changing the layout of the output directory compared to the behavior with neither -M nor -S, effectively introducing a subdirectory per instance. Is that the default in afl++ already?

@vanhauser-thc
Copy link
Collaborator

@sebastianpoeplau yes. basically if neither -M or -S is given -S default is set

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@inferno-chromium inferno-chromium inferno-chromium approved these changes

Assignees
No one assigned
Labels
cla: yes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@DavidKorczynski @inferno-chromium @sebastianpoeplau @vanhauser-thc