How to save testcases generated by DIE?

[QuXing9]

Hello! I just finished reading your paper, it's great! And I hope to run DIE on my local machine, but there are some problems I can't solve and I wish you can help me. My questions as follows:

1. Have I installed the DIE successfully?

   Firstly, I instrumented my JS engine with the afl-clang-fast from the original AFL. When running the populate script and attach the tmux corpus, I received the following messages:

   [*] Insert a new path: ./corpus/output-x/00xxxx-corpus.js
   [*] Command: node ./fuzz/afl/../TS/redis_ctrl.js insertPath ./corpus/output-x/00xxxx-corpus.js output-x/.cov_diff
   [*] Checking corpus: ./corpus/output-x/00xxxx-corpus.js
   [*] Insert a new path: ./corpus/output-x/00xxxx-corpus.js
   [*] Command: node ./fuzz/afl/../TS/redis_ctrl.js insertPath ./corpus/output-x/00xxxx-corpus.js output-x/.cov_diff
   [*] Checking corpus: ./corpus/output-x/00xxxx-corpus.js
   [*] Insert a new path: ./corpus/output-x/00xxxx-corpus.js
   [*] Command: node ./fuzz/afl/../TS/redis_ctrl.js insertPath ./corpus/output-x/00xxxx-corpus.js output-x/.cov_diff
   
   +++ Testing aborted by user +++
   [+] We're done here. Have a nice day!
   

   And when connecting to redis database with redis-cli -p 9000 I see the following keys:

    1) "fuzzers:fuzzer-ws-X299-WU8-3f35a809c8b14ce3-9592"
    2) "pathBitmap"
    3) "fuzzers:fuzzer-ws-X299-WU8-3f35a809c8b14ce3-9602"
    4) "fuzzers:fuzzer-ws-X299-WU8-3f35a809c8b14ce3-9562"
    5) "fuzzers:fuzzer-ws-X299-WU8-3f35a809c8b14ce3-9587"
    6) "fuzzers:fuzzer-ws-X299-WU8-3f35a809c8b14ce3-9552"
    7) "fuzzers:fuzzer-ws-X299-WU8-3f35a809c8b14ce3-9597"
    8) "crashQueue"
    9) "fuzzers:fuzzer-ws-X299-WU8-3f35a809c8b14ce3-9542"
   10) "fuzzers:fuzzer-ws-X299-WU8-3f35a809c8b14ce3-9532"
   11) "fuzzers:fuzzer-ws-X299-WU8-3f35a809c8b14ce3-9572"
   12) "fuzzers:fuzzer-ws-X299-WU8-3f35a809c8b14ce3-9582"
   13) "crashBitmap"
   14) "fuzzers:fuzzer-ws-X299-WU8-3f35a809c8b14ce3-9537"
   15) "fuzzers:fuzzer-ws-X299-WU8-3f35a809c8b14ce3-9567"
   16) "fuzzers:fuzzer-ws-X299-WU8-3f35a809c8b14ce3-9547"
   17) "fuzzers:fuzzer-ws-X299-WU8-3f35a809c8b14ce3-9557"
   18) "fuzzers"
   19) "fuzzers:fuzzer-ws-X299-WU8-3f35a809c8b14ce3-9527"
   20) "fuzzers:fuzzer-ws-X299-WU8-3f35a809c8b14ce3-9577"
   21) "newPathsQueue"
   

   Does it mean that the fuzzer was well registered and executed?

   Next, I set up the client. I build the server and client on the same machine.

   So, i skip execution ./fuzz/scripts/redis.py and running ./fuzz/scripts/run.sh ~/ch ./DIE-corpus ch, I get the following messages:

   [*] No -t option specified, so I'll use exec timeout of 1000 ms.
   [+] All set and ready to roll!
   [*] Command: node ./fuzz/afl/../TS/redis_ctrl.js reportStatus fuzzer-$(hostname)-$(cat /etc/machine-id|cut -c 1-16)-16583 output-15/fuzzer_stats
   [*] Get a next testcase
   [*] Command: node ./fuzz/afl/../TS/redis_ctrl.js getNextTestcase output-15/.cur_input.js
   [*] Generating testcases...
   [*] Command: timeout 30 node ./fuzz/afl/../TS/esfuzz.js output-15/.cur_input.js output-15/fuzz_inputs 100 2079661984 > /dev/null
   [*] Scanning 'output-15/fuzz_inputs'...
   [*] Spinning up the fork server...
   [+] All right - fork server is up.
   [*] Command: node ./fuzz/afl/../TS/redis_ctrl.js downloadBitmap crashBitmap output-15/.gcov_crash
   [*] Command: node ./fuzz/afl/../TS/redis_ctrl.js reportStatus fuzzer-$(hostname)-$(cat /etc/machine-id|cut -c 1-16)-16583 output-15/fuzzer_stats
   [*] Time - Generation: 202.00 ea/s, Execution: 20.20 ea/s
   

   contents in file fuzzer_stats are

   start_time        : 1600228579
   last_update       : 1600238323
   fuzzer_pid        : 16513
   cycles_done       : 0
   execs_done        : 48460
   execs_per_sec     : 9.41
   paths_total       : 0
   paths_favored     : 0
   paths_found       : 0
   paths_imported    : 0
   max_depth         : 0
   cur_path          : 484
   pending_favs      : 0
   pending_total     : 0
   variable_paths    : 0
   stability         : 100.00%
   bitmap_cvg        : 0.00%
   unique_crashes    : 0
   unique_hangs      : 2
   last_path         : 0
   last_crash        : 0
   last_hang         : 1600231336
   execs_since_crash : 48460
   exec_timeout      : 1000
   afl_banner        : ch
   afl_version       : 2.52b
   target_mode       : default
   command_line      : ./fuzz/afl/afl-fuzz -m none -o output-1 ./engines/chakracore-1.11.5/out/Debug/ch -lib=/path/to/DIE/DIE-corpus/lib.js -lib=/path/to/DIE/DIE-corpus/jsc.js -lib=/path/to/DIE/DIE-corpus/v8.js -lib=/path/to/DIE/DIE-corpus/ffx.js -lib=/path/to/DIE/DIE-corpus/chakra.js @@
   

   My installation is complete here. Does those look correct?

2. How to save mutated seeds before executed by instrumented JS Engines?

• Following the installation steps above, I got some files at path/to/DIE/output-1/hangs finally. they are named like id:000000,src:0000xx,op:js,pos:0. Are these files causing the engine timeout?
• If I want to save every test case generated by DIE, regardless of the JS engine's performance, what should I do?

Looking forward to your reply, thank you in advance.

[thdusdl1219]

1. It looks correct but I suggest compiling JS engines with provided scripts under the engines directory as many issues seem happening if you use afl provided afl-clang-fast.
2. you can find the files path/to/DIE/output-1/fuzz_inputs/. You may be able to save test cases by modifying writeToFile function in DIE/fuzz/TS/base/estestcase.ts.

[QuXing9]

1. It looks correct but I suggest compiling JS engines with provided scripts under the engines directory as many issues seem happening if you use afl provided afl-clang-fast.
2. you can find the files path/to/DIE/output-1/fuzz_inputs/. You may be able to save test cases by modifying writeToFile function in DIE/fuzz/TS/base/estestcase.ts.

Got it! The system is currently running normally. Thanks for your help! 👍