intel / tsffs

A snapshotting, coverage-guided fuzzer for software (UEFI, Kernel, firmware, BIOS) built on SIMICS
https://intel.github.io/tsffs/
Apache License 2.0

Can tsffs report the coverage rate of fuzz? #71

Closed gandalf4a closed 6 months ago

gandalf4a commented 7 months ago

I tried the two demos you provided:

  1. fuzz EDK2 UEFI Application

  2. fuzz platform BIOS FD image

Neither of these gives me coverage information, so what do I need to do?

cglosner commented 7 months ago

There is a script, scripts/cov.sh, that should produce a coverage report, but it wasn't working for me so I also am curious about generating coverage information.

[root@7cfda620aa4b example]# ./../../tsffs/scripts/cov.sh 
/workspace/tsffs/scripts /workspace/projects/example
info: cargo-llvm-cov currently setting cfg(coverage); you can opt-out it by passing --no-cfg-coverage
I will run `rustup component add llvm-tools-preview --toolchain stable-x86_64-unknown-linux-gnu` to install the `llvm-tools-preview` component for the selected toolchain.
Proceed? [Y/n] y
info: downloading component 'llvm-tools'
info: installing component 'llvm-tools'
 29.6 MiB /  29.6 MiB (100 %)  25.4 MiB/s in  1s ETA:  0s
error: none of the selected packages contains these features: 6.0.169
error: process didn't exit successfully: `/root/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/bin/cargo test --tests --manifest-path /workspace/tsffs/Cargo.toml --target-dir /workspace/tsffs/target/llvm-cov-target --features=6.0.169` (exit status: 101)

novafacing commented 7 months ago

cov.sh is just for test coverage of tsffs, so it won't give what you want. Tsffs logs new coverage/findings by edge to log.json; that, combined with the timestamp, is enough to get cov/time info. I can provide a simple script if desired. This same cov info is also output with @tsffs.log_level = 2 or higher.
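The kind of script described above, as an added example that is not part of this thread or of tsffs itself: it reads a JSON-lines log of per-edge coverage events and turns it into cumulative distinct-edge counts over time. The record layout (a `timestamp` field plus an `edges` list) and the sample log are constructed assumptions, not the real tsffs log.json schema; substitute the keys your build actually emits.

```python
# Added example (not from tsffs): cumulative coverage-over-time from a
# JSON-lines coverage log. The record layout (timestamp + event + edges)
# is an ASSUMPTION, not the real tsffs log.json schema.
import json
from datetime import datetime

# Constructed sample log in JSON-lines form; field names are assumed.
SAMPLE_LOG = """\
{"timestamp": "2024-01-01T00:00:00Z", "event": "new_coverage", "edges": [1, 2, 3]}
{"timestamp": "2024-01-01T00:00:05Z", "event": "new_coverage", "edges": [3, 4]}
{"timestamp": "2024-01-01T00:00:07Z", "event": "finding", "edges": [5]}
{"timestamp": "2024-01-01T00:00:12Z", "event": "new_coverage", "edges": [2, 6]}
{"timestamp": "2024-01-01T00:00:20Z", "event": "stats", "execs": 1000}
"""

def parse_records(text):
    """Yield parsed JSON objects, skipping blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def coverage_over_time(text):
    """Return [(seconds_since_first_event, total_distinct_edges)].
    Each edge is counted once; records without edges (e.g. stats) are skipped."""
    seen = set()
    points = []
    start = None
    for rec in parse_records(text):
        edges = rec.get("edges")
        if not edges:
            continue
        ts = datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00"))
        if start is None:
            start = ts
        seen.update(edges)
        points.append(((ts - start).total_seconds(), len(seen)))
    return points

if __name__ == "__main__":
    for secs, total in coverage_over_time(SAMPLE_LOG):
        print(f"t+{secs:6.1f}s  distinct edges={total}")
```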

gandalf4a commented 6 months ago

I tested the log_level parameter as follows, but I still didn't see the cov info. Is there a problem with the usage, or is the cov info output at another location?

$ vim fuzz.simics
+    tsffs.log-level 2
or
+    @tsffs.log_level = 2


novafacing commented 6 months ago

You're getting corpus entries so you should be seeing the output -- is there a log.json in your project directory? If not, you probably need to update your TSFFS build, this feature was added recently.