AngoraFuzzer / Angora

Angora is a mutation-based fuzzer. The main goal of Angora is to increase branch coverage by solving path constraints without symbolic execution.
Apache License 2.0

Angora terminates when fuzzing uniq in LAVA-M #40

Open BBge opened 5 years ago

BBge commented 5 years ago

Hi, I use wllvm to compile 4 programs from LAVA-M since I cannot build xx.track by compiling directly. But Angora terminates soon when fuzzing uniq. I use the following cmd:

./angora_fuzzer -i /input -o /output -T 500+ -M 5000 -t /uniq-track -- /uniq-fast @@

And the following is the message from Angora:

WARN angora::fuzz_main > output directory is "/home/puppet/test1.1"
INFO angora::fuzz_main > depot: DepotDir { inputs_dir: "/home/puppet/test1.1/queue", hangs_dir: "/home/puppet/test1.1/hangs", crashes_dir: "/home/puppet/test1.1/crashes", seeds_dir: "/home/puppet/LAVA-M/uniq_input3" }
INFO angora::fuzz_main > CommandOpt { id: 0, main: ("/home/puppet/LAVA-M/uniq-fast", ["@@"]), track: ("/home/puppet/LAVA-M/uniq-track", ["@@"]), tmp_dir: "/home/puppet/test1.1/tmp", out_file: "/home/puppet/test1.1/tmp/cur_input", forksrv_socket_path: "/home/puppet/test1.1/tmp/forksrv_socket", track_path: "/home/puppet/test1.1/tmp/track", is_stdin: false, search_method: Gd, mem_limit: 5000, time_limit: 1, is_raw: true, ld_library: "$LD_LIBRARY_PATH:/home/puppet/AFL/Angora/clang/clang+llvm/lib", enable_afl: true, enable_exploitation: true }
INFO angora::executor::forksrv > All right -- Init ForkServer /home/puppet/test1.1/tmp/forksrv_socket_0 successfully!
INFO angora::depot::sync > sync 1 file from seeds.
INFO angora::bind_cpu > Found 1 cores.
INFO angora::bind_cpu > Free Cpus: [0]

ANGORA (_/) FUZZER (x'.')
-- OVERVIEW --
TIMING | ALL: [00:00:00], TRACK: [00:00:00]
COVERAGE | EDGE: 757.00, DENSITY: 0.07%
EXECS | TOTAL: 1, ROUND: 1, MAX_R: 0
SPEED | PERIOD: 0.00r/s TIME: 1761.00us,
FOUND | PATH: 1, HANGS: 0, CRASHES: 0
-- FUZZ --
EXPLORE | CONDS: 0, EXEC: 0, TIME: [00:00:00], FOUND: 0 - 0 - 0
EXPLOIT | CONDS: 0, EXEC: 0, TIME: [00:00:00], FOUND: 0 - 0 - 0
CMPFN | CONDS: 0, EXEC:

ANGORA (_/) FUZZER (='o') .o
-- OVERVIEW --
TIMING | ALL: [00:00:05], TRACK: [00:00:00]
COVERAGE | EDGE: 757.00, DENSITY: 0.07%
EXECS | TOTAL: 1, ROUND: 1, MAX_R: 0
SPEED | PERIOD: 0.20r/s TIME: 1761.00us,
FOUND | PATH: 1, HANGS: 0, CRASHES: 0
-- FUZZ --
EXPLORE | CONDS: 0, EXEC: 0, TIME: [00:00:00], FOUND: 0 - 0 - 0
EXPLOIT | CONDS: 0, EXEC: 0, TIME: [00:00:00], FOUND: 0 - 0 - 0
CMPFN | CONDS: 0, EXEC: 0, TIME: [00:00:00], FOUND: 0 - 0 - 0
LEN | CONDS: 0, EXEC: 0, TIME: [00:00:00], FOUND: 0 - 0 - 0
AFL | CONDS: 0, EXEC: 0, TIME: [00:00:00], FOUND: 0 - 0 - 0
OTHER | CONDS: 0, EXEC: 1, TIME: [00:00:00], FOUND: 1 - 0 - 0
-- SEARCH --
SEARCH | CMP: 0 / 0, BOOL: 0 / 0, SW: 0 / 0
UNDESIR | CMP: 0 / 0, BOOL: 0 / 0, SW: 0 / 0
ONEBYTE | CMP: 0 / 0, BOOL: 0 / 0, SW: 0 / 0
INCONSIS | CMP: 0 / 0, BOOL: 0 / 0, SW: 0 / 0
-- STATE --
| NORMAL: 0d - 0p, NORMAL_END: 0d - 0p, ONE_BYTE: 0d - 0p
| DET: 0d - 0p, TIMEOUT: 0d - 0p, UNSOLVABLE: 0d - 0p

INFO angora::depot::dump > dump constraints and chart..

spinpx commented 5 years ago

It seems that the input bytes were not marked as tainted.

Have you modified this before compiling? https://github.com/AngoraFuzzer/Angora/blob/master/docs/lava.md#uniq
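The symptom spinpx points at is visible in the status block itself: the seed ran (OTHER EXEC: 1, PATH: 1) but every taint-driven stage reports CONDS: 0. The following triage script is an added example, not part of Angora or of this issue; it parses a status block in the format pasted above and flags that pattern. The sample blocks are constructed, and treating "zero conditions in EXPLORE/EXPLOIT/CMPFN/LEN after a seed executed" as the untainted-input indicator is an assumption of this example.

```python
import re

# Constructed sample: an Angora status block abridged from the one pasted in this
# issue (only the fields this script reads are kept).
NO_TAINT_STATUS = (
    "-- OVERVIEW -- TIMING | ALL: [00:00:05], TRACK: [00:00:00] "
    "COVERAGE | EDGE: 757.00, DENSITY: 0.07% EXECS | TOTAL: 1, ROUND: 1, MAX_R: 0 "
    "FOUND | PATH: 1, HANGS: 0, CRASHES: 0 -- FUZZ -- "
    "EXPLORE | CONDS: 0, EXEC: 0, TIME: [00:00:00], FOUND: 0 - 0 - 0 "
    "EXPLOIT | CONDS: 0, EXEC: 0, TIME: [00:00:00], FOUND: 0 - 0 - 0 "
    "CMPFN | CONDS: 0, EXEC: 0, TIME: [00:00:00], FOUND: 0 - 0 - 0 "
    "LEN | CONDS: 0, EXEC: 0, TIME: [00:00:00], FOUND: 0 - 0 - 0 "
    "AFL | CONDS: 0, EXEC: 0, TIME: [00:00:00], FOUND: 0 - 0 - 0 "
    "OTHER | CONDS: 0, EXEC: 1, TIME: [00:00:00], FOUND: 1 - 0 - 0"
)

# Constructed healthy counterpart: the track binary did report tainted conditions.
HEALTHY_STATUS = NO_TAINT_STATUS.replace(
    "EXPLORE | CONDS: 0, EXEC: 0", "EXPLORE | CONDS: 412, EXEC: 9000")

# Stages that only get work when taint tracking marked input bytes (assumption).
TAINT_STAGES = ("EXPLORE", "EXPLOIT", "CMPFN", "LEN")
STAGE_RE = re.compile(
    r"\b(EXPLORE|EXPLOIT|CMPFN|LEN|AFL|OTHER) \| CONDS: (\d+), EXEC: (\d+)")
PATH_RE = re.compile(r"FOUND \| PATH: (\d+)")


def parse_status(text):
    """Map each fuzz stage to (CONDS, EXEC) and return the PATH count alongside."""
    stages = {m.group(1): (int(m.group(2)), int(m.group(3)))
              for m in STAGE_RE.finditer(text)}
    paths = PATH_RE.search(text)
    return stages, (int(paths.group(1)) if paths else 0)


def diagnose(text):
    """'no-taint' when at least one seed ran but every taint-driven stage has zero
    conditions; 'ok' otherwise; 'unparsed' if no stage line was recognised."""
    stages, paths = parse_status(text)
    if not stages:
        return "unparsed"
    taint_conds = sum(stages.get(s, (0, 0))[0] for s in TAINT_STAGES)
    if paths >= 1 and taint_conds == 0:
        return "no-taint"
    return "ok"


if __name__ == "__main__":
    for name, text in (("issue", NO_TAINT_STATUS), ("healthy", HEALTHY_STATUS)):
        print(name, diagnose(text))
```

A "no-taint" verdict means the track binary is not reporting any input-dependent conditions, which is the point to check the build step the docs link above describes.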