frida + qemu variants

fuzzers/aflplusplus_frida_perf/builder.Dockerfile

@@ -0,0 +1,42 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ARG parent_image
+FROM $parent_image
+
+# Install the necessary packages.
+RUN apt-get update && \
+    apt-get install -y \
+        build-essential \
+        git \
+        flex \
+        bison \
+        libglib2.0-dev \
+        libpixman-1-dev \
+        libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev
+
+# Download afl++
+RUN git clone -b frida-perf https://github.com/WorksButNotTested/AFLplusplus /afl && \
+    cd /afl && git checkout 6e80109 || true
+
+# Build afl++ without Python support as we don't need it.
+# Set AFL_NO_X86 to skip flaky tests.
+RUN cd /afl && \
+    unset CFLAGS && unset CXXFLAGS && \
+    AFL_NO_X86=1 CC=clang PYTHON_INCLUDE=/ make && \
+    make -C utils/aflpp_driver && \
+    cd frida_mode && make && cd .. && \
+    cp utils/aflpp_driver/libAFLQemuDriver.a /libAFLDriver.a
+
+COPY get_frida_entry.sh /

fuzzers/aflplusplus_frida_perf/description.md

@@ -0,0 +1,15 @@
+# aflplusplus_qemu
+
+AFL++ fuzzer instance for binary-only fuzzing with frida_mode.
+The following config active for all benchmarks:
+  - qemu_mode with:
+    - entrypoint set to LLVMFuzzerTestOneInput
+    - persisten mode set to LLVMFuzzerTestOneInput
+    - shared memory testcases
+    - cmplog
+
+Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/)
+
+[builder.Dockerfile](builder.Dockerfile)
+[fuzzer.py](fuzzer.py)
+[runner.Dockerfile](runner.Dockerfile)

fuzzers/aflplusplus_frida_perf/fuzzer.py

@@ -0,0 +1,67 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Integration code for AFLplusplus fuzzer."""
+
+import os
+import subprocess
+import shutil
+# import resource
+
+from fuzzers.aflplusplus import fuzzer as aflplusplus_fuzzer
+
+
+def build():
+    """Build benchmark."""
+    aflplusplus_fuzzer.build('qemu')
+    shutil.copy('/afl/frida_mode/build/frida_hook.so', os.environ['OUT'])
+
+
+def fuzz(input_corpus, output_corpus, target_binary):
+    """Run fuzzer."""
+    # Get LLVMFuzzerTestOneInput address.
+    nm_proc = subprocess.run([
+        'sh', '-c',
+        'get_frida_entry.sh \'' + target_binary + '\' LLVMFuzzerTestOneInput'
+    ],
+                             stdout=subprocess.PIPE,
+                             check=True)
+    target_func = nm_proc.stdout.split()[0].decode('utf-8')
+    print('[fuzz] LLVMFuzzerTestOneInput() address =', target_func)
+
+    # Fuzzer options for qemu_mode.
+    flags = ['-O', '-c0']
+
+    os.environ['AFL_FRIDA_PERSISTENT_ADDR'] = target_func
+    os.environ['AFL_ENTRYPOINT'] = target_func
+    os.environ['AFL_FRIDA_PERSISTENT_CNT'] = '1000000'
+    os.environ['AFL_FRIDA_PERSISTENT_HOOK'] = '/out/frida_hook.so'
+    os.environ['AFL_PATH'] = '/out'
+    os.environ['AFL_IGNORE_SEED_PROBLEMS'] = '1'
+
+    # resource.setrlimit(resource.RLIMIT_CORE,
+    #                    (resource.RLIM_INFINITY, resource.RLIM_INFINITY))
+
+    # The systemd benchmark fails without full library instrumentation :(
+    benchmark_name = os.environ['BENCHMARK']
+    if benchmark_name == 'systemd_fuzz-link-parser':
+        os.environ['AFL_INST_LIBS'] = '1'
+
+    aflplusplus_fuzzer.fuzz(input_corpus,
+                            output_corpus,
+                            target_binary,
+                            flags=flags)
+
+    # sts = os.system('cp -v *core* corpus')
+    # if sts == 0:
+    #     print('Copied cores')

fuzzers/aflplusplus_frida_perf/get_frida_entry.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+test -z "$1" -o -z "$2" -o '!' -e "$1" && exit 0
+
+file "$1" | grep -q executable && {
+  nm "$1" | grep -i "T $2" | awk '{print"0x"$1}'
+  exit 0
+}
+
+nm "$1" | grep -i "T $2" | '{print$1}' | tr a-f A-F | \
+  xargs echo "ibase=16;obase=10;555555554000 + " | bc | tr A-F a-f
+exit 0

fuzzers/aflplusplus_frida_perf/runner.Dockerfile

@@ -0,0 +1,27 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM gcr.io/fuzzbench/base-image
+
+RUN apt update -y && apt-get upgrade -y && \
+    apt-get install -y python3-pyelftools bc
+
+# This makes interactive docker run painless:
+ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
+#ENV AFL_MAP_SIZE=2621440
+ENV PATH="$PATH:/out"
+ENV AFL_SKIP_CPUFREQ=1
+ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
+ENV AFL_TESTCACHE_SIZE=2
+

fuzzers/aflplusplus_qemu_tcgcov/builder.Dockerfile

@@ -0,0 +1,43 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+ARG parent_image
+FROM $parent_image
+
+# Install the necessary packages.
+RUN apt-get update && \
+    apt-get install -y \
+        build-essential \
+        git \
+        flex \
+        bison \
+        libglib2.0-dev \
+        libpixman-1-dev \
+        ninja-build \
+        libstdc++-$(gcc --version|head -n1|sed 's/\..*//'|sed 's/.* //')-dev
+
+
+# Download afl++
+RUN git clone -b tcg_cov https://github.com/WorksButNotTested/AFLplusplus /afl && \
+    cd /afl && git checkout 54fb2d0 || true
+
+# Build afl++ without Python support as we don't need it.
+# Set AFL_NO_X86 to skip flaky tests.
+RUN cd /afl && \
+    unset CFLAGS && unset CXXFLAGS && \
+    AFL_NO_X86=1 CC=clang PYTHON_INCLUDE=/ make && \
+    cd qemu_mode && ./build_qemu_support.sh && cd .. && \
+    make -C utils/aflpp_driver && \
+    cp utils/aflpp_driver/libAFLQemuDriver.a /libAFLDriver.a && \
+    cp utils/aflpp_driver/aflpp_qemu_driver_hook.so /

fuzzers/aflplusplus_qemu_tcgcov/description.md

@@ -0,0 +1,14 @@
+# aflplusplus_qemu
+
+AFL++ fuzzer instance for binary-only fuzzing with qemu_mode.
+The following config active for all benchmarks:
+  - qemu_mode with:
+    - entrypoint set to afl_qemu_driver_stdin_input
+    - persisten mode set to afl_qemu_driver_stdin_input
+    - cmplog
+
+Repository: [https://github.com/AFLplusplus/AFLplusplus/](https://github.com/AFLplusplus/AFLplusplus/)
+
+[builder.Dockerfile](builder.Dockerfile)
+[fuzzer.py](fuzzer.py)
+[runner.Dockerfile](runner.Dockerfile)

fuzzers/aflplusplus_qemu_tcgcov/fuzzer.py

@@ -0,0 +1,51 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Integration code for AFLplusplus fuzzer."""
+
+import os
+import subprocess
+
+from fuzzers.aflplusplus import fuzzer as aflplusplus_fuzzer
+
+
+def build():
+    """Build benchmark."""
+    aflplusplus_fuzzer.build('qemu')
+
+
+def fuzz(input_corpus, output_corpus, target_binary):
+    """Run fuzzer."""
+    # Get LLVMFuzzerTestOneInput address.
+    nm_proc = subprocess.run([
+        'sh', '-c',
+        'nm \'' + target_binary + '\' | grep -i \'T afl_qemu_driver_stdin\''
+    ],
+                             stdout=subprocess.PIPE,
+                             check=True)
+    target_func = '0x' + nm_proc.stdout.split()[0].decode('utf-8')
+    print('[fuzz] afl_qemu_driver_stdin_input() address =', target_func)
+
+    # Fuzzer options for qemu_mode.
+    flags = ['-Q', '-c0']
+
+    os.environ['AFL_QEMU_PERSISTENT_ADDR'] = target_func
+    os.environ['AFL_ENTRYPOINT'] = target_func
+    os.environ['AFL_QEMU_PERSISTENT_CNT'] = '1000000'
+    os.environ['AFL_QEMU_DRIVER_NO_HOOK'] = '1'
+    os.environ['AFL_IGNORE_SEED_PROBLEMS'] = '1'
+
+    aflplusplus_fuzzer.fuzz(input_corpus,
+                            output_corpus,
+                            target_binary,
+                            flags=flags)

fuzzers/aflplusplus_qemu_tcgcov/runner.Dockerfile

@@ -0,0 +1,23 @@
+# Copyright 2020 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM gcr.io/fuzzbench/base-image
+
+# This makes interactive docker runs painless:
+ENV LD_LIBRARY_PATH="$LD_LIBRARY_PATH:/out"
+#ENV AFL_MAP_SIZE=2621440
+ENV PATH="$PATH:/out"
+ENV AFL_SKIP_CPUFREQ=1
+ENV AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES=1
+ENV AFL_TESTCACHE_SIZE=2