search

nautilus-fuzz / nautilus

A grammar based feedback Fuzzer
MIT License
424 stars 64 forks source link

No path while fuzzing ChakraCore #5

Closed zr950624 closed 4 years ago

zr950624 commented 4 years ago

Nautilus cannot find any path while fuzzing ChakraCore with grammars/javascript_new.py. I set up nautilus with the instructions in README.md Then I enlarged the size of bitmap to 1 << 20 and instrument ChakraCore with afl-clang-fast. modified the config.ron at 

bitmap_size:                            1048576, //1<<20

pathed file forksrv/src/lib.rs at

return (shm_id, trace_bits as *mut [u8; 1 << 20]);

Fuzzer status

It cannot find any path during fuzzing. See following output.

------------------------------------------------------
Run Time: 0 days, 0 hours, 0 minutes, 45 seconds
Execution Count:          2643
Executions per Sec:       71
Left in queue:            0
Trees in Chunkstore:      1
------------------------------------------------------
Last ASAN crash:          Not found yet.
Last SIG crash:           Not found yet.
Last Timeout:             No Timeout yet.
Total ASAN crashes:       0
Total SIG crashes:        0
------------------------------------------------------
New paths found by Gen:          1
New paths found by Min:          0
New paths found by Min Rec:      0
New paths found by Det:          0
New paths found by Splice:       0
New paths found by Havoc:        0
New paths found by Havoc Rec:    0
------------------------------------------------------

My System Infomation

git:(master) ✗ uname -a
Linux alucard 4.15.0-76-generic #86-Ubuntu SMP Fri Jan 17 17:24:28 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

git:(master) ✗ rustc --version
rustc 1.45.0-nightly (75e1463c5 2020-05-13)

git:(master) ✗ rustup toolchain list
stable-x86_64-unknown-linux-gnu (default)
nightly-2020-05-14-x86_64-unknown-linux-gnu
eqv commented 4 years ago

Can you confirm that AFL++ finds paths on the same target binary?

zr950624 commented 4 years ago

Can you confirm that AFL++ finds paths on the same target binary?

Yes, AFL++ works well with enlarging memory settings by using -m none.

               american fuzzy lop ++2.64d (ch) [explore] {0}
┌─ process timing ────────────────────────────────────┬─ overall results ────┐
│        run time : 0 days, 0 hrs, 0 min, 8 sec       │  cycles done : 0     │
│   last new path : 0 days, 0 hrs, 0 min, 0 sec       │  total paths : 31    │
│ last uniq crash : none seen yet                     │ uniq crashes : 0     │
│  last uniq hang : none seen yet                     │   uniq hangs : 0     │
├─ cycle progress ───────────────────┬─ map coverage ─┴──────────────────────┤
│  now processing : 0.0 (0.0%)       │    map density : 3.26% / 7.39%        │
│ paths timed out : 0 (0.00%)        │ count coverage : 1.69 bits/tuple      │
├─ stage progress ───────────────────┼─ findings in depth ───────────────────┤
│  now trying : calibration          │ favored paths : 20 (64.52%)           │
│ stage execs : 17/40 (42.50%)       │  new edges on : 30 (96.77%)           │
│ total execs : 1097                 │ total crashes : 0 (0 unique)          │
│  exec speed : 55.31/sec (slow!)    │  total tmouts : 0 (0 unique)          │
├─ fuzzing strategy yields ──────────┴───────────────┬─ path geometry ───────┤
│   bit flips : 0/0, 0/0, 0/0                        │    levels : 2         │
│  byte flips : 0/0, 0/0, 0/0                        │   pending : 31        │
│ arithmetics : 0/0, 0/0, 0/0                        │  pend fav : 20        │
│  known ints : 0/0, 0/0, 0/0                        │ own finds : 10        │
│  dictionary : 0/0, 0/0, 0/0                        │  imported : n/a       │
│   havoc/rad : 0/0, 0/0, 0/0                        │ stability : 99.63%    │
│   py/custom : 0/0, 0/0                             ├───────────────────────┘
│        trim : 28.69%/88, n/a                       │          [cpu000:  6%]
└────────────────────────────────────────────────────┘
eqv commented 4 years ago

I'll look into this later. Can you check if it works without the bitmap size changes?

zr950624 commented 4 years ago

I'll look into this later. Can you check if it works without the bitmap size changes?

Still no path without bitmap size changes.

eqv commented 4 years ago

I tried to compile chakracore with afl-clang-fast, but ran into some problems regarding the fact that it is split into the "ch" binary, and libChakraCore.so. Could you post your build steps in a reproducible way?

zr950624 commented 4 years ago

I tried to compile chakracore with afl-clang-fast, but ran into some problems regarding the fact that it is split into the "ch" binary, and libChakraCore.so. Could you post your build steps in a reproducible way?

I build ChakraCore with ./build.sh --cc=/path/to/afl-clang-fast --cxx=/path/to/afl-clang-fast++ --static -j=30. Then fuzz "ch" with nautilus.

eqv commented 4 years ago

Cool, looking into it. Didn't see the --static flag.

eqv commented 4 years ago

Ok I can reproduce this. Looking into it.

eqv commented 4 years ago

Should be fixed by a132369adf694620a8f8527359ce4a1b955cb393, when porting the Forkserver we forgot to add the program path to the argument list, resulting in ch not receiving the input file path. Please verify and close this issue.

zr950624 commented 4 years ago

Thanks for fixing! It works well now.

zr950624 commented 4 years ago

Just a notification lol. https://github.com/nautilus-fuzz/nautilus/blob/master/fuzzer/src/fuzzer.rs#L339

eqv commented 4 years ago

Yeah, that's the "stability score" of AFL expressed... well... less optimally^^ If you see lots of these (with ch you will), that means the bitmap target is pretty nondeterministic.