sigp / beacon-fuzz

Differential Fuzzer for Ethereum 2.0
MIT License

Teku fuzzing does not work #38

Open JustinDrake opened 4 years ago

JustinDrake commented 4 years ago

A little birdie suggested I do the following:

make teku
docker run -it -v $(pwd)/workspace:/eth2fuzz/workspace eth2fuzz_teku target teku_attester_slashing

The second command is not working:

Justins-MBP:eth2fuzz justin$ docker run -it -v $(pwd)/workspace:/eth2fuzz/workspace eth2fuzz_teku target teku_attester_slashing
[eth2fuzz] Testing FuzzerJavaJQFAfl is available
Performing pilot run....  Pilot run success! Launching AFL now...
[+] Loaded environment variable AFL_SKIP_BIN_CHECK with value 1
[+] Loaded environment variable AFL_AUTORESUME with value 1
[+] Loaded environment variable AFL_SKIP_CPUFREQ with value 1
[+] Loaded environment variable AFL_SKIP_CRASHES with value 1
[+] Loaded environment variable AFL_NO_AFFINITY with value 1
[+] Loaded environment variable AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES with value 1
afl-fuzz++2.65d based on afl by Michal Zalewski and a big online community
[+] afl++ is maintained by Marc "van Hauser" Heuse, Heiko "hexcoder" Eißfeldt, Andrea Fioraldi and Dominik Maier
[+] afl++ is open source, get it at https://github.com/AFLplusplus/AFLplusplus
[+] Power schedules from github.com/mboehme/aflfast
[+] Python Mutator and llvm_mode whitelisting from github.com/choller/afl
[+] afl-tmin fork server patch from github.com/nccgroup/TriforceAFL
[+] MOpt Mutator from github.com/puppet-meteor/MOpt-AFL
[*] Getting to work...
[+] Using exploration-based constant power schedule (EXPLORE, default)
[+] You have 4 CPU cores and 4 runnable tasks (utilization: 100%).
[!] WARNING: Not binding to a CPU core (AFL_NO_AFFINITY set).
[*] Checking core_pattern...
[*] Setting up output directories...
[*] Scanning '/eth2fuzz/workspace/corpora/attester_slashing'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Attempting dry run with 'id:000000,time:0,orig:00000000000000000000000000000000.00000002.honggfuzz.cov'...
[*] Spinning up the fork server...

[-] PROGRAM ABORT : Timeout while initializing fork server (adjusting -t may help)
         Location : afl_fsrv_start(), src/afl-forkserver.c:682

[eth2fuzz] Fuzzer quit
pventuzelo commented 4 years ago

Looks like a default timeout issue, I just published a fix https://github.com/sigp/beacon-fuzz/commit/1b5cfd978afc35285a60ec8c365663d071cc2ee8

Please, do the following:

$ git pull
$ make teku

Let me know if it is not working.

JustinDrake commented 4 years ago

Nope, still not working. [Screenshot 2020-07-13 at 11 39 38]

pventuzelo commented 4 years ago

Can you give me more info about your specs? Because I suppose the fuzzer is not "running fast enough". Teku fuzzing is really slow for now because it is running inside the JVM...

zedt3ster commented 4 years ago

Yep, Teku's fuzzers are the slowest we have. Here's @JustinDrake's laptop specs:

zedt3ster commented 4 years ago

Hey @JustinDrake - we're pretty sure this is a timeout related issue, most likely due to the slowness of Teku's fuzzer.

I've created a dedicated branch that should hopefully address this problem. Could you please follow these steps (from the beacon-fuzz folder):

  1. git pull
  2. git checkout teku-timeout-fix
  3. cd eth2fuzz && make teku CACHE=--no-cache
  4. docker run -it -v $(pwd)/workspace:/eth2fuzz/workspace eth2fuzz_teku target teku_attester_slashing

Let us know if this fixes the problem for you. Cheers!

JustinDrake commented 4 years ago

Nope, still not working :) I performed all the steps above.

Justins-MBP:eth2fuzz justin$ docker run -it -v $(pwd)/workspace:/eth2fuzz/workspace eth2fuzz_teku target teku_attester_slashing
[eth2fuzz] Testing FuzzerJavaJQFAfl is available
Performing pilot run....  Pilot run success! Launching AFL now...
[+] Loaded environment variable AFL_SKIP_BIN_CHECK with value 1
[+] Loaded environment variable AFL_AUTORESUME with value 1
[+] Loaded environment variable AFL_SKIP_CPUFREQ with value 1
[+] Loaded environment variable AFL_SKIP_CRASHES with value 1
[+] Loaded environment variable AFL_NO_AFFINITY with value 1
[+] Loaded environment variable AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES with value 1
afl-fuzz++2.65d based on afl by Michal Zalewski and a big online community
[+] afl++ is maintained by Marc "van Hauser" Heuse, Heiko "hexcoder" Eißfeldt, Andrea Fioraldi and Dominik Maier
[+] afl++ is open source, get it at https://github.com/AFLplusplus/AFLplusplus
[+] Power schedules from github.com/mboehme/aflfast
[+] Python Mutator and llvm_mode whitelisting from github.com/choller/afl
[+] afl-tmin fork server patch from github.com/nccgroup/TriforceAFL
[+] MOpt Mutator from github.com/puppet-meteor/MOpt-AFL
[*] Getting to work...
[+] Using exploration-based constant power schedule (EXPLORE, default)
[+] You have 4 CPU cores and 2 runnable tasks (utilization: 50%).
[+] Try parallel jobs - see /usr/local/share/doc/afl/parallel_fuzzing.md.
[!] WARNING: Not binding to a CPU core (AFL_NO_AFFINITY set).
[*] Checking core_pattern...
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Scanning '/eth2fuzz/workspace/corpora/attester_slashing'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Attempting dry run with 'id:000000,time:0,orig:00000000000000000000000000000000.00000002.honggfuzz.cov'...
[*] Spinning up the fork server...

[-] PROGRAM ABORT : Timeout while initializing fork server (adjusting -t may help)
         Location : afl_fsrv_start(), src/afl-forkserver.c:682

[eth2fuzz] Fuzzer quit
zedt3ster commented 4 years ago

Interesting, you seem to be the only person with this issue (we confirmed with other MacOS users that they're able to run this fuzzer).

After [*] Spinning up the fork server..., did it hang for 5 minutes before the next error message? Asking since I changed the timeout value to 5 minutes on the teku-timeout-fix branch. Thanks!

JustinDrake commented 4 years ago

After [*] Spinning up the fork server..., did it hang for 5 minutes before the next error message?

Nope, it does not. It fails immediately after this message.

JustinDrake commented 4 years ago

I'm on the correct branch and I did recompile teku as above:

Justins-MBP:eth2fuzz justin$ git branch
  master
* teku-timeout-fix
zedt3ster commented 4 years ago

Ok, turns out an environment variable used within AFL might be overriding the timeout value. We just (hopefully) fixed this in the latest commit on teku-timeout-fix (commit 753b00a4). If this doesn't work, I suspect it'll most likely be related to something else (perhaps an OS limitation on Mojave).

Please follow these steps, assuming you're on the teku-timeout-fix branch (it should take you at least 30+ minutes to rebuild the docker):

  1. git pull
  2. cd eth2fuzz && make teku CACHE=--no-cache
  3. docker run -it -v $(pwd)/workspace:/eth2fuzz/workspace eth2fuzz_teku target teku_attester_slashing

If this doesn't work, we'll have to investigate further.
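One way to settle the "did it hang for 5 minutes?" question from the thread objectively, as an added diagnostic that is not part of beacon-fuzz or AFL++: timestamp every line the fuzzer prints, then measure how long the fork server was actually given before the abort and compare it with the configured init timeout. The helper names stamp_lines, forkserver_init_seconds and classify_abort are assumptions; the 300-second figure is the 5-minute value mentioned above.

```shell
#!/bin/sh
# Added diagnostic for an afl-fuzz "Timeout while initializing fork server" abort.
# Usage (not part of beacon-fuzz):
#   docker run -it -v $(pwd)/workspace:/eth2fuzz/workspace eth2fuzz_teku \
#       target teku_attester_slashing 2>&1 | stamp_lines | tee run.log
#   classify_abort "$(forkserver_init_seconds run.log)" 300

# Prefix every line of stdin with the current epoch second: "<secs> <line>".
# date(1) runs once per line, which is fine for afl-fuzz's sparse startup output.
stamp_lines() {
    while IFS= read -r line; do
        printf '%s %s\n' "$(date +%s)" "$line"
    done
}

# Print the seconds between "[*] Spinning up the fork server..." and the first
# "[-] PROGRAM ABORT" in a stamped log; print -1 if either marker is missing.
forkserver_init_seconds() {
    awk '
        /Spinning up the fork server/ { start = $1 }
        /PROGRAM ABORT/ && start != "" { print $1 - start; found = 1; exit }
        END { if (!found) print -1 }
    ' "$1"
}

# Interpret the measurement against the configured init timeout (seconds).
# An abort long before the timeout means the child died or the new timeout was
# never applied (e.g. overridden by an environment variable); an abort close to
# it means the JVM target really is too slow to start within the limit.
classify_abort() {
    elapsed="$1"; configured="$2"
    if [ "$elapsed" -lt 0 ]; then
        echo "no-abort"
    elif [ "$elapsed" -lt $((configured / 2)) ]; then
        echo "immediate-failure"
    else
        echo "slow-startup"
    fi
}
```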