More effective fuzzing #323

Closed
vanhauser-thc opened this issue Apr 26, 2023 · 10 comments · Fixed by #392

Comments

@vanhauser-thc
Contributor

vanhauser-thc commented Apr 26, 2023

I got a question concerning this afl.rs implementation and reviewed the setup.

What I gathered is that basically afl-fuzz is compiled, but none of the llvm plugins, and instead the vanilla llvm features are used (specifically sancov).
This makes the integration easy, on the other hand cool features are then not available in the project, namely cmplog, auto dictionary/dict2file and faster instrumentation.

A mini cmplog could be done natively by adding sanitizer-coverage-trace-compares (and perhaps trace-div, trace-gep, trace-loads, trace-stores, but unsure about the impact on effectiveness positively or negatively) here:

    let mut rustflags = format!(

and then handing afl-fuzz the additional parameters with -c 0 when starting as cargo afl fuzz ...

A better but more complex approach would be to use the rust llvm framework to compile the afl++ llvm plugins and load these.
That would result in full cmplog, faster instrumentation, auto dictionary/dict2file, switch case splitting etc.
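
As an added example (not afl.rs's own code), a Rust sketch of how the rustflags string and the afl-fuzz argument list from the suggestion above could be assembled. The base sancov flags, the struct and function names, and the `-c` detection are assumptions; the real afl.rs build script should be checked before reusing them.

```rust
// Added example, not afl.rs code: assembling RUSTFLAGS and afl-fuzz arguments
// for the "mini cmplog" setup. Base sancov flags are assumed to match afl.rs.

/// Extra sancov tracers from the discussion; opt-in because their effect on
/// fuzzing effectiveness is unclear.
#[derive(Clone, Copy, Default)]
pub struct ExtraTracers { pub divs: bool, pub geps: bool, pub loads: bool, pub stores: bool }

/// Build the RUSTFLAGS value, keeping any user-supplied flags in front.
pub fn build_rustflags(existing: &str, minicmplog: bool, extra: ExtraTracers) -> String {
    let mut flags = String::new();
    if !existing.is_empty() {
        flags.push_str(existing);
        flags.push(' ');
    }
    // Base edge-coverage instrumentation (assumed to match what afl.rs passes).
    flags.push_str("-C passes=sancov-module \
                    -C llvm-args=-sanitizer-coverage-level=3 \
                    -C llvm-args=-sanitizer-coverage-trace-pc-guard");
    if minicmplog {
        // trace-compares emits __sanitizer_cov_trace_cmp* callbacks, which
        // afl-compiler-rt feeds into the cmplog map when afl-fuzz runs with -c 0.
        let tracers = [
            (true, "trace-compares"),
            (extra.divs, "trace-divs"),
            (extra.geps, "trace-geps"),
            (extra.loads, "trace-loads"),
            (extra.stores, "trace-stores"),
        ];
        for (on, name) in tracers {
            if on {
                flags.push_str(&format!(" -C llvm-args=-sanitizer-coverage-{}", name));
            }
        }
    }
    flags
}

/// Compose afl-fuzz arguments. `-c 0` makes afl-fuzz use the target binary
/// itself as the cmplog binary; it is added only if the user gave no `-c`.
pub fn afl_fuzz_args(user_args: &[&str], minicmplog: bool, target: &str) -> Vec<String> {
    let mut args: Vec<String> = user_args.iter().map(|s| s.to_string()).collect();
    let user_set_c = user_args.iter().any(|a| a.starts_with("-c")); // -c is afl-fuzz's only -c* option
    if minicmplog && !user_set_c {
        args.extend(["-c".to_string(), "0".to_string()]);
    }
    args.push("--".to_string());
    args.push(target.to_string());
    args
}
```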

@smoelius
Member

(and perhaps trace-div, trace-gep, trace-loads, trace-stores, ...)

Does it make sense to enable these options if only using mini (not-full) cmplog? Is there an advantage?

@vanhauser-thc
Contributor Author

(and perhaps trace-div, trace-gep, trace-loads, trace-stores, ...)

Does it make sense to enable these options if only using mini (not-full) cmplog? Is there an advantage?

This is only for minicmplog. AFL++'s own cmplog functions are way better, but those require its own llvm plugins.

The PR from louis is good, just needs the addition to set -c 0 on cargo run

@smoelius
Member

smoelius commented Apr 26, 2023

#324 includes this line:

         -C llvm-args=-sanitizer-coverage-trace-divs \

Is that line needed for minicmplog?

@vanhauser-thc
Contributor Author

It makes it a bit better.

@louismerlin
Contributor

I'm also working on full compilation of the plugins, it should be ready in the coming days.

@smoelius
Member

I'm also working on full compilation of the plugins, it should be ready in the coming days.

Does that affect #324?

@louismerlin
Contributor

Yes #324 might not be necessary if full compilation works. But there is a chance that it is not possible or too complex to finish, so I’d keep the PR open until we know.

@louismerlin
Contributor

I tried implementing full CmpLog with @brunoproduit, but so far we have been unsuccessful.

@smoelius I think you can already merge mini CmpLog from #324.

We will also publish a draft PR showing where we are stuck next week.

@brunoproduit
Contributor

Talking with @vanhauser-thc, it seems rustc is not compiled with llvm plugins activated, meaning the cmplog llvm plugins cannot be used here. Hence #324 is a good compromise.

@smoelius
Member

Thanks, @brunoproduit.

For anyone finding this, #324 was published in version 0.13.0.
