google / silifuzz

Apache License 2.0

Query on missing snapshot from runnable corpus generated from fuzzing unicorn(emulator) #6

Open jafarsarif10 opened 9 months ago

jafarsarif10 commented 9 months ago

Hi Silifuzz author,

I am currently using Silifuzz as a part of my research, and during my experiments, I encountered a particular scenario that I'd like to discuss.

I fuzzed the provided unicorn with the centipede and generated the corpus. While converting the resulting corpus to the runnable corpus, I noticed in the log there are lots of snapshots misbehaving with flags such as

The snapshot id was also listed in the logs. However, when I was trying to print the trace for those specific snapshots, they were absent from the runnable corpus.

I would greatly appreciate it if you could address the following queries, as your insights would not only benefit my research but also enhance my understanding of the Silifuzz workflow:

1. Are the aforementioned snapshots present in the final runnable corpus with, say, a different snapshot id?
2. If these snapshots are not included in the runnable corpus, is there a way we can execute those snapshots using the runner, as I feel those could generate interesting scenarios on the real hardware?

Thank you for your time and assistance.

ksteuck commented 9 months ago
> 1. Are the aforementioned snapshots present in the final runnable corpus with, say, a different snapshot id?

Some of the snapshots will be in the runnable corpus, others won't. simple_fix_tool is used to discover the necessary memory mappings and capture the expected end state for the snapshots produced by fuzzing the proxy. The kinds of errors you described may or may not be fixable. For example, "Memory state mismatch" is typically fixable by capturing the actual memory state but a SIGFPE execution misbehave is not.

To give a concrete example, consider the following code

```asm
mov rax, 0x10000        ; address of a page that is not mapped in the snapshot
mov qword [rax], 0      ; store to it -> faults until that page is mapped
```

This snapshot can be fixed by mapping a page at 0x10000. Replace 0x10000 with 0x0 and this is not fixable b/c 0x0 isn't mappable in a typical scenario. Take a different example

```asm
rdrand rax              ; hardware random value, different on every run
mov [0x10000], rax      ; store it to memory -> end state is never reproducible
```

This snapshot isn't fixable b/c the memory contents at 0x10000 will always be different.

> 2. If these snapshots are not included in the runnable corpus, is there a way we can execute those snapshots using the runner, as I feel those could generate interesting scenarios on the real hardware?

Currently, no. Silifuzz infrastructure imposes certain limitations on the kind of programs that can be efficiently run using the runner binary. Specifically, the snapshots must be deterministic and not raise any signals. The fix_tool ensures this is the case. In our real-life setup we use fuzz_filter_tool during fuzzing (--input_filter) to drive the fuzzing process towards maximizing coverage without breaking the limitations on determinism etc.

HTH
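The fixability reasoning in the reply above (a fault is fixable when the faulting page can be mapped; a completed snapshot is fixable only when its end state is the same on every run; a raised signal is never fixable), as an added example that is not Silifuzz code and not part of this thread. `Run`, `Verdict`, `classify_snapshot`, `MIN_MAPPABLE` and the constructed runs in `example_runs` are all assumptions chosen for illustration; the real simple_fix_tool has its own types and decision logic.

```python
"""Toy model of the snapshot-fixing decision described in the thread.

Added example, not Silifuzz code. The observations fed to
classify_snapshot are constructed by hand: each Run records how one
execution of a snapshot ended, the faulting address (if any) and the
final contents of the memory pages it touched.
"""
from dataclasses import dataclass, field
from typing import Optional

PAGE_SIZE = 0x1000
# Assumption: lowest address we are willing to map. Page 0 is not mappable
# in a typical process, so a write to 0x0 cannot be fixed by adding a mapping.
MIN_MAPPABLE = 0x10000


@dataclass
class Run:
    ended_with: str                      # "normal", "fault" or a signal name ("SIGFPE")
    fault_addr: Optional[int] = None     # set when ended_with == "fault"
    memory: dict = field(default_factory=dict)  # page base -> bytes at end of run


@dataclass
class Verdict:
    fixable: bool
    reason: str
    mappings_to_add: list = field(default_factory=list)


def classify_snapshot(runs: list) -> Verdict:
    """Decide whether repeated observations of one snapshot can be turned
    into a deterministic, signal-free snapshot the runner can execute."""
    if not runs:
        raise ValueError("need at least one run")
    kinds = {r.ended_with for r in runs}

    # A raised signal is an execution misbehave: the runner cannot consume it.
    signals = sorted(k for k in kinds if k.startswith("SIG"))
    if signals:
        return Verdict(False, f"execution misbehave: raised {signals}")

    if "fault" in kinds:
        addrs = {r.fault_addr for r in runs if r.ended_with == "fault"}
        # Faulting on some runs but not others, or at varying addresses,
        # means the snapshot itself is nondeterministic.
        if len(kinds) > 1 or len(addrs) > 1:
            return Verdict(False, "fault behaviour differs between runs (nondeterministic)")
        (addr,) = addrs
        page = addr & ~(PAGE_SIZE - 1)
        if page < MIN_MAPPABLE:
            return Verdict(False, f"fault at {addr:#x}: page {page:#x} is not mappable")
        return Verdict(True, f"fault at {addr:#x}: map page {page:#x} and re-run", [page])

    # Every run completed normally: the observed end state becomes the
    # expected end state only if all runs agree on it.
    first = runs[0].memory
    for r in runs[1:]:
        if r.memory != first:
            return Verdict(False, "memory end state differs between runs (nondeterministic, e.g. rdrand)")
    return Verdict(True, "memory state mismatch: record the observed end state as expected")


def example_runs() -> dict:
    """Constructed observations mirroring the three cases in the thread."""
    return {
        # mov rax, 0x10000 ; mov qword [rax], 0   -> faults at an unmapped but mappable page
        "store_to_0x10000": [Run("fault", 0x10000), Run("fault", 0x10000)],
        # same store with 0x0 as the address        -> page 0 can never be mapped
        "store_to_0x0": [Run("fault", 0x0), Run("fault", 0x0)],
        # rdrand rax ; mov [0x10000], rax, after 0x10000 has been mapped
        "rdrand_store": [
            Run("normal", memory={0x10000: (0x1122334455667788).to_bytes(8, "little")}),
            Run("normal", memory={0x10000: (0x99aabbccddeeff00).to_bytes(8, "little")}),
        ],
        # a deterministic store, after 0x10000 has been mapped
        "const_store": [
            Run("normal", memory={0x10000: bytes(8)}),
            Run("normal", memory={0x10000: bytes(8)}),
        ],
        "div_by_zero": [Run("SIGFPE"), Run("SIGFPE")],
    }


if __name__ == "__main__":
    for name, runs in example_runs().items():
        v = classify_snapshot(runs)
        print(f"{name:18} fixable={v.fixable!s:5} {v.reason}")
```

Running the module prints one verdict per constructed case: only the store to 0x10000 (after adding the mapping) and the constant store are fixable; the write to page 0, the rdrand-dependent store and the SIGFPE case are rejected for the reasons ksteuck gives.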