R9295 / afl-fuzz

afl-fuzz, now in rust!
Apache License 2.0

AFL++ Corpus entry Format #2

Open R9295 opened 5 months ago

R9295 commented 5 months ago
```
id:000003,src:000001,time:52,execs:672,op:havoc,rep:2,+cov
```

`id` is incremental; `src` is the input that led to it. `src` may be followed by `+00000?` if it was a spliced mutation, with the spliced input id prepended, e.g. `src:000001+000002`.

`execs` = total execs of forkserver

`time` = now() - fuzz_start()

`op` is the operation that led to its discovery (e.g. arith, flip1, havoc etc.). afl_stage_short TODO

```c
/* from AFL++ describe_op(): the trailing ",pos:"/",val:" or ",rep:" part of the name */
if (afl->stage_cur_byte >= 0) {

  sprintf(ret + strlen(ret), ",pos:%d", afl->stage_cur_byte);

  if (afl->stage_val_type != STAGE_VAL_NONE) {

    sprintf(ret + strlen(ret), ",val:%s%+d",
            (afl->stage_val_type == STAGE_VAL_BE) ? "be:" : "",
            afl->stage_cur_val);

  }

} else {

  sprintf(ret + strlen(ret), ",rep:%d", afl->stage_cur_val);

}
```

`rep` is index of stage in stages list? `+cov` if it leads to new coverage, or `+tout` if it is a timeout.

```
id:000001,time:0,execs:0,orig:testfile
```

All seeds, when initially added to the queue, have 0 time and 0 execs, with an `orig:filename` prepended.

TODO:

sync:x

TODO: SIMPLE_FILES

REFS:

```c
/* queue file name construction in AFL++ (afl-fuzz-bitmap.c) */
queue_fn = alloc_printf(
    "%s/queue/id:%06u,%s%s%s", afl->out_dir, afl->queued_items,
    describe_op(afl, new_bits + is_timeout,
                NAME_MAX - strlen("id:000000,")),
    afl->file_extension ? "." : "",
    afl->file_extension ? (const char *)afl->file_extension : "");
```

https://github.com/AFLplusplus/AFLplusplus/blob/stable/src/afl-fuzz-bitmap.c#L293C5-L293C16
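As an added example (not code from R9295/afl-fuzz or from AFL++), a Rust parser for the queue file name format laid out in the comment above. It assumes the fields are comma-separated exactly as in the quoted `describe_op` / `alloc_printf` fragments, that `orig:` is always the last field (so a seed file name containing commas is still recovered whole), and that the caller passes the configured `file_extension`, since the parser cannot tell a `.bin` suffix apart from the rest of the name on its own. The first two sample names are the ones from the comment; the others are constructed.

```rust
// Added example (not part of the R9295/afl-fuzz repository or AFL++):
// a parser for the AFL++ queue file name format described in this issue.
// Assumptions beyond the issue text are marked in the comments.

#[derive(Debug, Default, PartialEq)]
pub struct QueueEntry {
    pub id: u32,
    pub src: Option<u32>,         // "src:000001"
    pub splice_src: Option<u32>,  // second id in "src:000001+000002"
    pub orig: Option<String>,     // "orig:testfile" for initial seeds
    pub time: Option<u64>,        // now() - fuzz_start()
    pub execs: Option<u64>,       // total forkserver execs
    pub op: Option<String>,       // "op:havoc", "op:arith", ...
    pub pos: Option<i64>,         // ",pos:%d"  (stage_cur_byte)
    pub val: Option<(bool, i64)>, // ",val:%s%+d" -> (is big-endian, value)
    pub rep: Option<i64>,         // ",rep:%d"  (stage_cur_val)
    pub new_cov: bool,            // "+cov"
    pub timeout: bool,            // "+tout"
}

fn num<T: std::str::FromStr>(key: &str, raw: &str) -> Result<T, String> {
    raw.parse::<T>().map_err(|_| format!("bad value {raw:?} for {key}"))
}

/// Parse one queue file name. `ext` is the optional `file_extension` the
/// fuzzer was configured with; it is appended as ".ext" to every name (see
/// the alloc_printf call quoted above), so the caller must supply it.
pub fn parse_entry(name: &str, ext: Option<&str>) -> Result<QueueEntry, String> {
    let name = match ext {
        Some(x) => {
            let suffix = format!(".{x}");
            name.strip_suffix(suffix.as_str())
                .ok_or_else(|| format!("name does not end in {suffix}"))?
        }
        None => name,
    };

    // Assumption: "orig:" is the last field and the seed's own file name may
    // contain commas, so split it off before tokenising the remaining fields.
    let (head, orig) = match name.split_once("orig:") {
        Some((h, o)) => (h.trim_end_matches(','), Some(o.to_string())),
        None => (name, None),
    };

    let mut e = QueueEntry { orig, ..QueueEntry::default() };
    let mut saw_id = false;

    for field in head.split(',').filter(|f| !f.is_empty()) {
        match field {
            "+cov" => e.new_cov = true,
            "+tout" => e.timeout = true,
            _ => {
                let (key, val) = field
                    .split_once(':')
                    .ok_or_else(|| format!("malformed field {field:?}"))?;
                match key {
                    "id" => { e.id = num(key, val)?; saw_id = true; }
                    "src" => match val.split_once('+') {
                        // splice: "src:<parent>+<spliced input>"
                        Some((a, b)) => {
                            e.src = Some(num(key, a)?);
                            e.splice_src = Some(num(key, b)?);
                        }
                        None => e.src = Some(num(key, val)?),
                    },
                    "time" => e.time = Some(num(key, val)?),
                    "execs" => e.execs = Some(num(key, val)?),
                    "op" => e.op = Some(val.to_string()),
                    "pos" => e.pos = Some(num(key, val)?),
                    "rep" => e.rep = Some(num(key, val)?),
                    "val" => {
                        // "%s%+d" with "%s" = "be:" for STAGE_VAL_BE, else ""
                        let (be, raw) = match val.strip_prefix("be:") {
                            Some(r) => (true, r),
                            None => (false, val),
                        };
                        e.val = Some((be, num(key, raw)?));
                    }
                    other => return Err(format!("unknown field {other:?}")),
                }
            }
        }
    }

    if !saw_id {
        return Err("missing id field".to_string());
    }
    Ok(e)
}

fn main() {
    // The first two names are from the issue text; the third is constructed.
    for n in [
        "id:000003,src:000001,time:52,execs:672,op:havoc,rep:2,+cov",
        "id:000001,time:0,execs:0,orig:testfile",
        "id:000010,src:000001+000002,time:99,execs:1234,op:splice,rep:4",
    ] {
        println!("{n}\n  -> {:?}", parse_entry(n, None));
    }
}
```

Unknown fields are rejected rather than skipped, so a name produced by a newer fuzzer build (for example once `sync:` is pinned down) fails loudly instead of being silently half-parsed.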

R9295 commented 4 months ago

List of relevant stages

  1. calibration
  2. havoc
  3. init
  4. quick (quick skip effective map)
  5. colorization (redqueen)
  6. input-to-state (?) (redqueen)
  7. custom-mutator
  8. splice

R9295 commented 4 months ago

stage_cur_val = stack mutations count