AFLplusplus / LibAFL

Advanced Fuzzing Library - Slot your Fuzzer together in Rust! Scales across cores and machines. For Windows, Android, MacOS, Linux, no_std, ...

Which Observer/Feedback Combination Should I Use for Coverage Guidance? #2708

Open riesentoaster opened 18 hours ago

riesentoaster commented 18 hours ago

I'm confused as to which combination of MapObservers and Feedbacks I should use. Is there a good overview of what the different options do/how to combine them? I have found some ways to accomplish some progress, but I feel like I might be missing something. Sorry if this is a stupid question.

I'm collecting coverage based on clang's -fsanitize-coverage=trace-pc-guard. The implementation of the two functions is simple set-or-counter logic, redirected into some shared memory to get coverage back to the fuzzer:

#include <stdint.h>
#include <string.h>

static uint32_t *guard_start, *guard_stop;
// Shared memory is set up elsewhere (not shown in the post): one 8-bit
// counter per guard plus a ready flag. The exact types are assumed here.
extern uint8_t *cov_shmem_ptr;
extern int cov_shmem_init;

void __sanitizer_cov_trace_pc_guard_init(uint32_t *start, uint32_t *stop)
{
    if (start == stop)
    {
        return;
    }

    guard_start = start;
    guard_stop = stop;

    // memset takes a byte count, so scale the number of guards by their size
    memset(guard_start, 0, (size_t)(guard_stop - guard_start) * sizeof(uint32_t));
}

void __sanitizer_cov_trace_pc_guard(uint32_t *guard)
{
    if (!cov_shmem_init) return; // ignore coverage before initialization
    // the guard's position in the guard array selects its counter in shared memory
    // cov_shmem_ptr[guard - guard_start] = 1;  // set
    cov_shmem_ptr[guard - guard_start] += 1;    // counter
}

In the fuzzer, I have a ShMem object that contains the coverage data. How do I process it?

domenukk commented 17 hours ago

If you know the size of the map beforehand, use a ConstMapObserver; if you don't, use a StdMapObserver (I think?). And then slot it into any kind of map feedback. Probably it's best to take whatever the Fuzzbench fuzzers use.

riesentoaster commented 13 hours ago

The fuzzbench example (fuzzers/inprocess/fuzzbench) uses StdMapObserver > HitcountsMapObserver with track_indices > MaxMapFeedback. I'll try that.

In general, it'd be really nice to have some more beginner-friendly documentation for the observers/feedbacks. The book doesn't go into any details and the code documentation isn't very extensive and requires a good understanding of the different options already.

domenukk commented 9 hours ago

PRs welcome :) Hitcounts wrap a normal map observer and reduce them to buckets. It's a weird one since it consumes another observer.
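To make the combination concrete, here is an added example in plain C (not code from this thread or from LibAFL) that reproduces what the fuzzer side of StdMapObserver > HitcountsMapObserver with track_indices > MaxMapFeedback does with a trace-pc-guard counter map: the raw counters are reduced to AFL's count-class buckets (1, 2, 3, 4-7, 8-15, 16-31, 32-127, 128+), and an input counts as interesting only when some bucketed entry exceeds the highest value seen so far, with the novel indices recorded. The map size, function names and the hit pattern are constructed for the example; the bucket boundaries are the AFL count classes that the hitcounts observer uses.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAP_SIZE 16  /* constructed: a tiny edge map; real maps are 64 KiB or more */

/* Fuzzer-side view of the shared-memory map written by the
 * __sanitizer_cov_trace_pc_guard callback: one 8-bit counter per guard. */
static uint8_t cov_map[MAP_SIZE];

/* Map a raw hit count to its AFL count-class bucket:
 * 0,1,2,3,4-7,8-15,16-31,32-127,128-255 -> 0,1,2,4,8,16,32,64,128.
 * This is the reduction the hitcounts observer applies to the wrapped map. */
static uint8_t count_class(uint8_t hits) {
    if (hits == 0) return 0;
    if (hits == 1) return 1;
    if (hits == 2) return 2;
    if (hits == 3) return 4;
    if (hits <= 7) return 8;
    if (hits <= 15) return 16;
    if (hits <= 31) return 32;
    if (hits <= 127) return 64;
    return 128;
}

/* Reduce every counter in `map` to its bucket, in place, after a run. */
static void classify_counts(uint8_t *map, size_t len) {
    for (size_t i = 0; i < len; i++) map[i] = count_class(map[i]);
}

/* MaxMapFeedback-style novelty check: the run is interesting if any bucketed
 * entry exceeds the best value in `history`. Updates the history and writes
 * the novel indices to `novel` (the track_indices behaviour).
 * Returns the number of novel indices; 0 means "not interesting". */
static size_t max_feedback(const uint8_t *map, uint8_t *history, size_t len,
                           size_t *novel) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (map[i] > history[i]) {
            history[i] = map[i];
            novel[n++] = i;
        }
    }
    return n;
}

/* Simulated instrumentation: count a hit on guard `idx`, saturating at 255
 * so a hot loop cannot wrap the counter back to zero. */
static void hit_edge(size_t idx) {
    if (cov_map[idx] < 255) cov_map[idx]++;
}

/* Constructed scenario: two executions scored against one history map.
 * Returns how many indices the second run finds novel. */
static size_t demo(void) {
    uint8_t history[MAP_SIZE] = {0};
    size_t novel[MAP_SIZE];

    /* Run 1: edges 1 and 5 hit once, edge 9 hit 6 times -> 3 novel entries. */
    memset(cov_map, 0, sizeof cov_map);
    hit_edge(1); hit_edge(5);
    for (int i = 0; i < 6; i++) hit_edge(9);
    classify_counts(cov_map, MAP_SIZE);
    (void)max_feedback(cov_map, history, MAP_SIZE, novel);

    /* Run 2: same edges, edge 9 hit 7 times (still the 4-7 bucket, so not
     * novel) and edge 12 seen for the first time -> exactly 1 novel entry. */
    memset(cov_map, 0, sizeof cov_map);
    hit_edge(1); hit_edge(5); hit_edge(12);
    for (int i = 0; i < 7; i++) hit_edge(9);
    classify_counts(cov_map, MAP_SIZE);
    return max_feedback(cov_map, history, MAP_SIZE, novel);
}

int main(void) {
    printf("novel indices in second run: %zu\n", demo());
    return 0;
}
```

The bucketing is what keeps loop iteration counts from making almost every input look new: going from 6 to 7 hits on one edge is not novelty, while a first hit on an unseen edge is. The Rust wiring in LibAFL keeps the same shape, the observer holds the map, the hitcounts wrapper buckets it, and the max feedback compares it to its history and stores the novel indices.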

riesentoaster commented 3 hours ago

PRs welcome :)

Not sure you want a PR based on my understanding :D.

This also seems related to #833, which is still a good idea imo.