Add NetworkCorpusSynchronizationMode

With this change, distributed fuzzing instances can now be configured do
only synchronize their corpus "up" (just to master instances), "down"
(just to workers), "full" (to all directly connected instances), or
"none" (to no other instances). This allows fine control over which
instances share a common corpus in distributed fuzzing.

Cloud/GCE/config-template.sh

@@ -51,3 +51,8 @@ ROOT_MACHINE_TYPE=e2-standard-2
 MASTER_MACHINE_TYPE=e2-standard-2
 # 8 cores, 8 GB
 WORKER_MACHINE_TYPE=e2-highcpu-8
+
+# Worker instance type, can be "permanent" or "preemtible". Preemptible instances are (much) cheaper but live at most 24
+# hours and may be shut down at any time. Typically it only makes sense to use preemtible instances when the corpora
+# between workers and masters are synchronized as 24h is otherwise not long enough for a decent fuzzing run.
+WORKER_INSTANCE_TYPE=permanent

Cloud/GCE/start.sh

@@ -78,6 +78,15 @@ fi
 # Number of worker machines that we'll need to start, each running $NUM_WORKERS_PER_MACHINE Fuzzilli instances
 num_worker_machines=$(($NUM_WORKERS / $NUM_WORKERS_PER_MACHINE))
 
+if [ "$WORKER_INSTANCE_TYPE" = "permanent" ]; then
+  WORKER_INSTANCE_TYPE_FLAGS="--maintenance-policy=MIGRATE"
+elif [ "$WORKER_INSTANCE_TYPE" = "preemtible" ]; then
+  WORKER_INSTANCE_TYPE_FLAGS="--maintenance-policy=TERMINATE --preemptible"
+else
+  echo "[!] Invalid worker instance type: $WORKER_INSTANCE_TYPE"
+  exit 1
+fi
+
 # The instance hierarchy. Will contains the number of master instances on every level.
 hierarchy=()
 
@@ -114,7 +123,7 @@ if [ "$START_ROOT" = true ]; then
         --container-tty \
         --container-command=/bin/bash \
         --container-arg="-c" \
-        --container-arg="sysctl -w 'kernel.core_pattern=|/bin/false' && ./Fuzzilli --networkMaster=0.0.0.0:1337 --resume --storagePath=/home/fuzzer/fuzz $FUZZILLI_ROOT_ARGS $FUZZILLI_ARGS $BINARY" \
+        --container-arg="sysctl -w 'kernel.core_pattern=|/bin/false' && ./Fuzzilli --instanceType=master --bindTo=0.0.0.0:1337 --resume --storagePath=/home/fuzzer/fuzz $FUZZILLI_ROOT_ARGS $FUZZILLI_ARGS $BINARY" \
         --container-mount-host-path=mount-path=/home/fuzzer/fuzz,host-path=/home/$USER/fuzz,mode=rw \
         --network-tier=PREMIUM \
         --maintenance-policy=MIGRATE \
@@ -158,7 +167,7 @@ if [ "$START_MASTERS" = true ]; then
                 --container-tty \
                 --container-command=/bin/bash \
                 --container-arg="-c" \
-                --container-arg="sysctl -w 'kernel.core_pattern=|/bin/false' && ./Fuzzilli --networkWorker=$master_ip:1337 --networkMaster=0.0.0.0:1337 $FUZZILLI_ARGS $BINARY" \
+                --container-arg="sysctl -w 'kernel.core_pattern=|/bin/false' && ./Fuzzilli --instanceType=intermediate --connectTo=$master_ip:1337 --bindTo=0.0.0.0:1337 $FUZZILLI_ARGS $BINARY" \
                 --network-tier=PREMIUM \
                 --maintenance-policy=MIGRATE \
                 --labels=container-vm=$IMAGE,level=$level,role=master,session=$SESSION
@@ -202,10 +211,9 @@ if [ "$START_WORKERS" = true ]; then
             --container-tty \
             --container-command=/bin/bash \
             --container-arg="-c" \
-            --container-arg="sysctl -w 'kernel.core_pattern=|/bin/false' && ./Fuzzilli --logLevel=warning --jobs=$NUM_WORKERS_PER_MACHINE --networkWorker=$master_ip:1337 $FUZZILLI_ARGS $BINARY" \
+            --container-arg="sysctl -w 'kernel.core_pattern=|/bin/false' && ./Fuzzilli --logLevel=warning --jobs=$NUM_WORKERS_PER_MACHINE --instanceType=worker --connectTo=$master_ip:1337 $FUZZILLI_ARGS $BINARY" \
             --no-address \
-            --maintenance-policy=TERMINATE \
-            --preemptible \
+            $WORKER_INSTANCE_TYPE_FLAGS \
             --labels=container-vm=$IMAGE,role=worker,session=$SESSION
 
             running_instances=$(( $running_instances + $instances_to_start ))

Sources/Fuzzilli/Configuration.swift

@@ -43,15 +43,6 @@ public struct Configuration {
     /// other as it forces them to (re)discover edges in a different way.
     public let dropoutRate: Double
 
-    /// Whether the corpus is synchronized between workers and masters.
-    ///
-    /// If true, instances will send any sample added to their corpus to their master/workers, which import them.
-    /// This generally causes all instances to operate on roughly the same corpus.
-    /// If false, this will cause the workers to behave like isolated instances, which may cause
-    /// them to focus on other things and therefore possibly find different bugs.
-    /// Crashing samples will always be forwarded to master instances.
-    public let synchronizeCorpus: Bool
-
     /// Abstractly interpret the generated FuzzIL programs to compute static type information.
     /// This is used by code generators to produce valid code as much as possible. However,
     /// it is a performance overhead and is also imprecise as the execution semantics of FuzzIL
@@ -75,12 +66,9 @@ public struct Configuration {
                 skipStartupTests: Bool = false,
                 logLevel: LogLevel = .info,
                 crashTests: [String] = [],
-                isMaster: Bool = false,
-                isWorker: Bool = false,
                 isFuzzing: Bool = true,
                 minimizationLimit: Double = 0.0,
                 dropoutRate: Double = 0,
-                synchronizeCorpus: Bool = true,
                 useAbstractInterpretation: Bool = true,
                 collectRuntimeTypes: Bool = false,
                 enableDiagnostics: Bool = false,
@@ -90,7 +78,6 @@ public struct Configuration {
         self.crashTests = crashTests
         self.isFuzzing = isFuzzing
         self.dropoutRate = dropoutRate
-        self.synchronizeCorpus = synchronizeCorpus
         self.minimizationLimit = minimizationLimit
         self.useAbstractInterpretation = useAbstractInterpretation
         self.collectRuntimeTypes = collectRuntimeTypes