Unicorn CompareCoverage + Neverzero counters #50
Conversation
ATTENTION
We might simply want to do something like cur_loc &= MAP_SIZE - 7; in so that we never write out of bounds, what do you think @andreafioraldi
Fixed, ty for the tip
Segfaults for me (SIGSEGV) :(

0x7ffff5986a36 <cpu_x86_exec+902> xor rsi, r14
0x7ffff5986a39 <cpu_x86_exec+905> inc BYTE PTR [rcx+rsi*1]
→ 0x7ffff5986a3c <cpu_x86_exec+908> adc DWORD PTR [rcx+rsi*1], 0x0

I'll try to see what and why...
Okay, got this covered.
Okay, so non-scientific results:

Fixed SIGSEGV due to wrong pointer size
Ok ty for the adc fix, it was a typo.
Regarding the two INC_AFL_AREA macros in QEMU and Uc, they are similar but not equal.
Last thing before merge: @domenukk try to repeat your experiment using an uninformed input (e.g. "\x00"*32) and compcov level 2.
I agree they are not equal in QEMU and UC (could still be combined somehow, probably), however even in one mode they are used twice, and I would suggest using INC_AFL_AREA(loc) in afl-unicorn-cpu-inl.h - maybe by adding a new header file for it - also? That way future patches (Neverzero for different architectures, etc.) don't need to touch multiple files. Your call. I'll do some additional "proper" testing of compcov later, I think I have some test cases where it will shine, thanks! :)
See now.
For lack of time I ended up doing the same (quick) test of the ASN1 parser again, but with a quasi-empty seed set. Again, this test is very unscientific.
It's time to merge!
@domenukk what path value are you comparing? the afl path value? that is not a good one :)
Yeah @vanhauser-thc you're 100% right, but running afl-cov on pieces of binary data emulated with Unicorn is not so simple. He should adapt this instrumentation of QEMU (https://github.com/andreafioraldi/afl-queue-bb-coverage) to Unicorn to measure BB coverage of afl-unicorn.
Yeah this occurred to me also yesterday, since compcov might add new artificial edges, I guess(?)
andreafioraldi commented Aug 28, 2019 (edited)
Now CompareCoverage is enabled for unicorn_mode (only x86 atm).
I changed the structure of the patch for unicorn a lot, and so performance tests are needed.
My preliminary tests show that the speed is almost the same, please double check (maybe @domenukk directly if you want, so that you can also check the compatibility with your unicorefuzz).
I added a test for compcov, unicorn_mode/samples/compcov_x64. Like QEMU, AFL_COMPCOV_LEVEL=1 enables compcov only for comparisons with immediates and AFL_COMPCOV_LEVEL=2 logs all comparisons.
Regarding other architectures, I'm an intrinsic x86 guy and I'm not confident in implementing this for the other architectures. If you want to help me, look at the qemu/target-i386/translate.c patch and insert proper calls to afl_gen_compcov after the comparisons in the other files (qemu/target-ARCHNAME/translate.c).
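As an added example, not code from this PR, AFL++, QEMU or Unicorn, here is a small host-side C model of the two mechanisms the thread discusses, so their behaviour can be checked outside the emulator: the "neverzero" hit counters behind the INC_AFL_AREA macros (the inc/adc pair in the disassembly above, where a plain byte counter would wrap to 0 after 256 hits and make a hot edge look unseen), and the AFL_COMPCOV_LEVEL gating of CompareCoverage (level 1 only comparisons against immediates, level 2 all comparisons). MAP_SIZE, the byte map and the level numbers follow the conventions used in the thread; the helper names, the per-byte prefix indexing of the compare operands and the masking of every map index (used here instead of the single cur_loc mask proposed above) are assumptions of this example.

```c
/* Added example (not AFL++'s, QEMU's or Unicorn's code): a host-side model
 * of neverzero hit counters and level-gated CompareCoverage.
 * MAP_SIZE and the level numbers follow the thread; helper names, the
 * little-endian prefix indexing and per-index masking are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAP_SIZE 65536u

static uint8_t afl_area[MAP_SIZE];

/* Plain counter: wraps to zero after 256 hits, so the edge looks unseen. */
static void inc_plain(uint32_t loc) {
    afl_area[loc & (MAP_SIZE - 1)]++;
}

/* Neverzero counter: increment, then add the carry back (inc + adc),
 * so the byte can never sit at 0 once the edge has been hit. */
static void inc_neverzero(uint32_t loc) {
    uint8_t *p = &afl_area[loc & (MAP_SIZE - 1)];
    uint8_t v = (uint8_t)(*p + 1);
    *p = (uint8_t)(v + (v == 0));
}

static uint8_t map_at(uint32_t loc) { return afl_area[loc & (MAP_SIZE - 1)]; }
static void map_reset(void) { memset(afl_area, 0, sizeof afl_area); }

/* Final counter value after n hits of one location with the given updater. */
static uint8_t hits(void (*inc)(uint32_t), uint32_t loc, unsigned n) {
    map_reset();
    for (unsigned i = 0; i < n; i++) inc(loc);
    return map_at(loc);
}

/* CompareCoverage model. level 0: off; level 1: only comparisons whose
 * second operand is an immediate; level 2: every comparison. For a
 * comparison of `size` bytes, each matching prefix byte k (least
 * significant first) bumps slot cur_loc + k, giving byte-at-a-time
 * feedback. Returns how many prefix bytes were credited (0 if skipped). */
static unsigned compcov(int level, int is_imm, uint64_t a, uint64_t b,
                        unsigned size, uint32_t cur_loc) {
    if (level < 1 || (level == 1 && !is_imm)) return 0;
    if (size > 8) size = 8;
    unsigned credited = 0;
    for (unsigned i = 0; i < size; i++) {
        /* mask covering bytes 0..i; avoid the undefined 1ull << 64 */
        uint64_t mask = (i == 7) ? ~0ull : ((1ull << (8 * (i + 1))) - 1);
        if ((a & mask) != (b & mask)) break;
        inc_neverzero(cur_loc + i);
        credited++;
    }
    return credited;
}

int main(void) {
    printf("plain after 256 hits: %u, neverzero after 256 hits: %u\n",
           hits(inc_plain, 1234, 256), hits(inc_neverzero, 1234, 256));
    map_reset();
    printf("level 1, non-immediate cmp credited: %u\n",
           compcov(1, 0, 0x11223344u, 0x11223344u, 4, 100));
    printf("level 2, 3-byte prefix match credited: %u\n",
           compcov(2, 0, 0x11223344u, 0x99223344u, 4, 100));
    return 0;
}
```

The model makes the thread's two points visible: with the plain counter an edge hit exactly 256 times reports 0, with the neverzero variant it reports 1, and at level 1 a register-to-register comparison contributes nothing to the map while at level 2 a three-byte matching prefix lights up three consecutive slots.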