From 01245c5385c29567787dd643d1d807e9c33d3146 Mon Sep 17 00:00:00 2001
From: Addison Crump
Date: Tue, 26 Sep 2023 23:44:20 +0200
Subject: [PATCH] document and update libafl_libfuzzer
---
 libafl/src/mutators/string.rs | 3 +-
 libafl/src/stages/string.rs | 6 ++++
 .../libafl_libfuzzer_runtime/src/lib.rs | 34 ++++++++++---------
 3 files changed, 26 insertions(+), 17 deletions(-)
diff --git a/libafl/src/mutators/string.rs b/libafl/src/mutators/string.rs
index 4f24960a0a7..534e0bbbc5a 100644
--- a/libafl/src/mutators/string.rs
+++ b/libafl/src/mutators/string.rs
@@ -13,9 +13,10 @@ use crate::{
 mutational::{MutatedTransform, MutatedTransformPost},
 StringIdentificationMetadata,
 },
- state::{HasCorpus, HasMaxSize, HasMetadata, HasRand, UsesState},
+ state::{HasCorpus, HasMaxSize, HasMetadata, HasRand},
 };
+/// Input which contains the context necessary to perform unicode mutations
 pub type UnicodeInput = (BytesInput, StringIdentificationMetadata);
 impl MutatedTransform for UnicodeInput
diff --git a/libafl/src/stages/string.rs b/libafl/src/stages/string.rs
index 724af34e977..78dba8d4c01 100644
--- a/libafl/src/stages/string.rs
+++ b/libafl/src/stages/string.rs
@@ -1,3 +1,5 @@
+//! Stages which analysis common to Unicode-style mutations
+
 use alloc::{rc::Rc, vec::Vec};
 use core::marker::PhantomData;
 use std::collections::VecDeque;
@@ -13,6 +15,7 @@ use crate::{
 state::{HasCorpus, HasMetadata, UsesState},
 };
+/// Metadata which stores the list of pre-computed string-like ranges in the input
 #[derive(Debug, Default, Serialize, Deserialize, Clone)]
 pub struct StringIdentificationMetadata {
 ranges: Rc>,
@@ -21,6 +24,7 @@ pub struct StringIdentificationMetadata {
 impl_serdeany!(StringIdentificationMetadata);
 impl StringIdentificationMetadata {
+ /// The list of pre-computed string-like ranges in the input
 pub fn ranges(&self) -> &Vec<(usize, BitVec)> {
 self.ranges.as_ref()
 }
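Review bot: The new module doc line `//! Stages which analysis common to Unicode-style mutations` at the top of the stages/string.rs hunk is missing its verb and will render as a fragment in rustdoc. `//! Stages which perform analysis common to Unicode-style mutations` says what was meant. The other doc comments added in this file (on `StringIdentificationMetadata`, `ranges()` and the `UnicodeInput` alias in mutators/string.rs) read fine.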
@@ -64,12 +68,14 @@ pub(crate) fn extract_metadata(bytes: &[u8]) -> StringIdentificationMetadata {
 }
 }
+/// Stage which identifies potential strings in the provided input
 #[derive(Debug)]
 pub struct StringIdentificationStage {
 phantom: PhantomData,
 }
 impl StringIdentificationStage {
+ /// Create a new instance of the string identification stage
 pub fn new() -> Self {
 Self {
 phantom: PhantomData,
diff --git a/libafl_libfuzzer/libafl_libfuzzer_runtime/src/lib.rs b/libafl_libfuzzer/libafl_libfuzzer_runtime/src/lib.rs
index b710740f1a3..cadb746566a 100644
--- a/libafl_libfuzzer/libafl_libfuzzer_runtime/src/lib.rs
+++ b/libafl_libfuzzer/libafl_libfuzzer_runtime/src/lib.rs
@@ -161,8 +161,8 @@ macro_rules! fuzz_with {
 mutators::{
 GrimoireExtensionMutator, GrimoireRecursiveReplacementMutator, GrimoireRandomDeleteMutator, GrimoireStringReplacementMutator, havoc_crossover, havoc_mutations, havoc_mutations_no_crossover,
- I2SRandReplace, StdScheduledMutator, StringCategoryPreservingMutator, StringSubcategoryPreservingMutator,
- StringCategoryReplaceMutator, StringSubcategoryReplaceMutator, Tokens, tokens_mutations
+ I2SRandReplace, StdScheduledMutator, StringCategoryRandMutator, StringSubcategoryRandMutator,
+ StringCategoryTokenReplaceMutator, StringSubcategoryTokenReplaceMutator, Tokens, tokens_mutations
 },
 observers::{stacktrace::BacktraceObserver, TimeObserver},
 schedulers::{
@@ -170,7 +170,7 @@ macro_rules! fuzz_with {
 },
 stages::{
 CalibrationStage, GeneralizationStage, IfStage, StdMutationalStage,
- StdPowerMutationalStage, TracingStage,
+ StdPowerMutationalStage, StringIdentificationStage, TracingStage,
 },
 state::{HasCorpus, StdState},
 StdFuzzer,
@@ -301,25 +301,27 @@ macro_rules! fuzz_with {
 let unicode_used = $options.unicode();
 let string_mutator = StdScheduledMutator::new(
 tuple_list!(
- StringCategoryPreservingMutator,
- StringSubcategoryPreservingMutator,
- StringSubcategoryPreservingMutator,
- StringSubcategoryPreservingMutator,
- StringSubcategoryPreservingMutator,
+ StringCategoryRandMutator,
+ StringSubcategoryRandMutator,
+ StringSubcategoryRandMutator,
+ StringSubcategoryRandMutator,
+ StringSubcategoryRandMutator,
 )
 );
 let string_replace_mutator = StdScheduledMutator::new(
 tuple_list!(
- StringCategoryReplaceMutator,
- StringSubcategoryReplaceMutator,
- StringSubcategoryReplaceMutator,
- StringSubcategoryReplaceMutator,
- StringSubcategoryReplaceMutator,
+ StringCategoryTokenReplaceMutator,
+ StringSubcategoryTokenReplaceMutator,
+ StringSubcategoryTokenReplaceMutator,
+ StringSubcategoryTokenReplaceMutator,
+ StringSubcategoryTokenReplaceMutator,
 )
 );
- let string_power = StdMutationalStage::new(string_mutator);
- let string_replace_power = StdMutationalStage::new(string_replace_mutator);
- let string_analysis = IfStage::new(|_, _, _, _, _| Ok((unicode_used && mutator_status.std_mutational).into()), tuple_list!(string_power, string_replace_power));
+ let string_power = StdMutationalStage::transforming(string_mutator);
+ let string_replace_power = StdMutationalStage::transforming(string_replace_mutator);
+
+ let string_analysis = StringIdentificationStage::new();
+ let string_analysis = IfStage::new(|_, _, _, _, _| Ok((unicode_used && mutator_status.std_mutational).into()), tuple_list!(string_analysis, string_power, string_replace_power));
 // Attempt to use tokens from libfuzzer dicts
 if !state.has_metadata::() {
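Review bot: `string_analysis` is bound twice in the added lines — first to the `StringIdentificationStage`, then shadowed by the `IfStage` that wraps it — so the name no longer tells a reader which of the two it refers to; `let string_identification = StringIdentificationStage::new();` and `tuple_list!(string_identification, string_power, string_replace_power)` keep the binding unambiguous inside the macro body. The order in that `tuple_list!` also looks load-bearing: the two stages built with `StdMutationalStage::transforming` presumably depend on the metadata the identification stage attaches (the `UnicodeInput` alias in mutators/string.rs pairs `BytesInput` with `StringIdentificationMetadata`), so a comment such as `// StringIdentificationStage must run first: the transforming stages consume the metadata it computes` would protect against a future reorder — confirm against the `MutatedTransform` impl for `UnicodeInput`. The `IfStage` gate keeps all three stages off the hot path unless `unicode_used` and `mutator_status.std_mutational` are both set, which is the right cost control for the extra per-input scan. The enclosing `fuzz_with` macro body continues outside the hunk.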