
Implement CanTrack - tracking enforcement through rust types #1886


Merged
merged 46 commits into from
Apr 12, 2024
7419394
sample implementation of tracking enforcement (incomplete)
domenukk Apr 11, 2024
f8bae96
helpful compiler output
addisoncrump Feb 28, 2024
8b70f01
make it look like a real compiler output
addisoncrump Feb 28, 2024
2429378
ensure that the macro may be used outside of libafl
addisoncrump Feb 28, 2024
eb595b1
separate index/novelty tracking funcs
addisoncrump Feb 28, 2024
7133283
default const generic values so that we don't need to change this eve…
addisoncrump Feb 28, 2024
71266f9
fix tests
addisoncrump Feb 28, 2024
6dccdb9
rollback unnecessary specification of stdmapobserver
addisoncrump Feb 28, 2024
bee6109
register metadata in doc tests
addisoncrump Feb 28, 2024
52f0fd9
doc fixes
addisoncrump Feb 28, 2024
56da47a
doc cleanup
addisoncrump Feb 28, 2024
3c3f0c8
doc cleanup 2
addisoncrump Feb 28, 2024
f2dc4d5
reduce implementor overhead to zero
addisoncrump Feb 29, 2024
cbbe658
renaming/docs fixes
addisoncrump Feb 29, 2024
8c7f681
asref isn't reflexive??
addisoncrump Feb 29, 2024
b60dc7c
generalization stage updates
addisoncrump Mar 4, 2024
cfe2c25
add better documentation about require_{indices,novelties}_tracking
addisoncrump Mar 4, 2024
d8459c9
remaining generic updates
addisoncrump Mar 5, 2024
91e31d4
round one CI pass (knowingly introduces breaking changes)
addisoncrump Mar 5, 2024
47969fa
typo
addisoncrump Mar 5, 2024
888cb7f
round 2 clippy
addisoncrump Mar 5, 2024
87f813d
rollback: libafl_frida changes
addisoncrump Mar 5, 2024
e895353
fmt
addisoncrump Mar 5, 2024
b49d67c
moar porting
addisoncrump Mar 5, 2024
b9bcab4
fix remaining fuzzers
addisoncrump Mar 6, 2024
f649819
fix windows build, maybe
addisoncrump Mar 6, 2024
8c25c19
fixup libafl_libfuzzer
addisoncrump Mar 11, 2024
d95c573
fmt nighlty all the things
domenukk Mar 13, 2024
df5abb0
attempt to fix some broken additions
addisoncrump Apr 3, 2024
4868c6e
fix fmt
addisoncrump Apr 3, 2024
8a9501d
oops
addisoncrump Apr 4, 2024
45d7c9b
fix new invocation
addisoncrump Apr 4, 2024
d418cba
minimizer scheduler fixes
addisoncrump Apr 4, 2024
9b1fcf9
fix accounting
addisoncrump Apr 4, 2024
d10237e
rename
domenukk Apr 9, 2024
b4cdb82
fix
domenukk Apr 11, 2024
6d3cdbd
Fix build
domenukk Apr 11, 2024
7673144
Sort generics
domenukk Apr 11, 2024
39399ed
Move more generics into the right place
domenukk Apr 11, 2024
565c3d9
Rename A -> C
domenukk Apr 12, 2024
6d37e59
Fix test
domenukk Apr 12, 2024
8bbcba3
Fix test some more
domenukk Apr 12, 2024
8aade5c
Fix doc some more
domenukk Apr 12, 2024
b0fdeba
critical formatting
domenukk Apr 12, 2024
b6ffb90
More A->C
domenukk Apr 12, 2024
5940a44
CanTrack harder
domenukk Apr 12, 2024
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -117,7 +117,7 @@ For bugs, feel free to open issues or contact us directly. Thank you for your su

Even though we will gladly assist you in finishing up your PR, try to
- keep all the crates compiling with *stable* rust (hide the eventual non-stable code under [`cfg`s](https://github.com/AFLplusplus/LibAFL/blob/main/libafl/build.rs#L26))
- run `cargo fmt` on your code before pushing
- run `cargo +nightly fmt` on your code before pushing
- check the output of `cargo clippy --all` or `./clippy.sh`
- run `cargo build --no-default-features` to check for `no_std` compatibility (and possibly add `#[cfg(feature = "std")]`) to hide parts of your code.

8 changes: 5 additions & 3 deletions fuzzers/baby_fuzzer_grimoire/src/main.rs
Expand Up @@ -15,7 +15,7 @@ use libafl::{
GrimoireRandomDeleteMutator, GrimoireRecursiveReplacementMutator,
GrimoireStringReplacementMutator, Tokens,
},
observers::StdMapObserver,
observers::{CanTrack, StdMapObserver},
schedulers::QueueScheduler,
stages::{mutational::StdMutationalStage, GeneralizationStage},
state::StdState,
Expand Down Expand Up @@ -83,9 +83,11 @@ pub fn main() {
};

// Create an observation channel using the signals map
let observer = unsafe { StdMapObserver::from_mut_ptr("signals", SIGNALS_PTR, SIGNALS.len()) };
let observer = unsafe {
StdMapObserver::from_mut_ptr("signals", SIGNALS_PTR, SIGNALS.len()).track_novelties()
};
// Feedback to rate the interestingness of an input
let mut feedback = MaxMapFeedback::tracking(&observer, false, true);
let mut feedback = MaxMapFeedback::new(&observer);

// A feedback to choose if an input is a solution or not
let mut objective = CrashFeedback::new();
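Review bot: The widened `unsafe` block in `let observer = unsafe { StdMapObserver::from_mut_ptr("signals", SIGNALS_PTR, SIGNALS.len()).track_novelties() };` now also covers `track_novelties()`, which is a safe method; only `from_mut_ptr` needs the unsafe scope. I would keep the block minimal: `let observer = unsafe { StdMapObserver::from_mut_ptr("signals", SIGNALS_PTR, SIGNALS.len()) }` followed by `.track_novelties();`. The same widening appears in fuzzers/forkserver_libafl_cc/src/main.rs and fuzzers/forkserver_simple/src/main.rs, where `HitcountsMapObserver::new(...).track_indices()` sits inside the `unsafe` block that exists for `StdMapObserver::new`. `main` starts and ends outside this hunk.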
5 changes: 4 additions & 1 deletion fuzzers/baby_fuzzer_swap_differential/Makefile.toml
Expand Up @@ -19,6 +19,9 @@ command = "cargo"
args = ["build" , "--profile", "${PROFILE}", "--bin", "${FUZZER_NAME}"]
dependencies = [ "cc" ]

[tasks.build]
alias = "fuzzer"

# Run the fuzzer
[tasks.run]
command = "${CARGO_TARGET_DIR}/${PROFILE_DIR}/${FUZZER_NAME}"
Expand Down Expand Up @@ -50,4 +53,4 @@ clear = true
script_runner="@shell"
script='''
cargo clean
'''
'''
Original file line number Diff line number Diff line change
Expand Up @@ -54,7 +54,7 @@ pub fn main() {

// Feedback to rate the interestingness of an input
// This one is composed by two Feedbacks in OR
let mut feedback = MaxMapFeedback::tracking(&edges_observer, true, false);
let mut feedback = MaxMapFeedback::new(&edges_observer);

// A feedback to choose if an input is a solution or not
// We want to do the same crash deduplication that AFL does
11 changes: 6 additions & 5 deletions fuzzers/forkserver_libafl_cc/src/main.rs
Expand Up @@ -12,7 +12,7 @@ use libafl::{
inputs::BytesInput,
monitors::SimpleMonitor,
mutators::{scheduled::havoc_mutations, tokens_mutations, StdScheduledMutator, Tokens},
observers::{HitcountsMapObserver, StdMapObserver, TimeObserver},
observers::{CanTrack, HitcountsMapObserver, StdMapObserver, TimeObserver},
schedulers::{IndexesLenTimeMinimizerScheduler, QueueScheduler},
stages::mutational::StdMutationalStage,
state::{HasCorpus, StdState},
Expand Down Expand Up @@ -101,8 +101,9 @@ pub fn main() {
let shmem_buf = shmem.as_mut_slice();

// Create an observation channel using the signals map
let edges_observer =
unsafe { HitcountsMapObserver::new(StdMapObserver::new("shared_mem", shmem_buf)) };
let edges_observer = unsafe {
HitcountsMapObserver::new(StdMapObserver::new("shared_mem", shmem_buf)).track_indices()
};

// Create an observation channel to keep track of the execution time
let time_observer = TimeObserver::new("time");
Expand All @@ -111,7 +112,7 @@ pub fn main() {
// This one is composed by two Feedbacks in OR
let mut feedback = feedback_or!(
// New maximization map feedback linked to the edges observer and the feedback state
MaxMapFeedback::tracking(&edges_observer, true, false),
MaxMapFeedback::new(&edges_observer),
// Time feedback, this one does not need a feedback state
TimeFeedback::with_observer(&time_observer)
);
Expand Down Expand Up @@ -151,7 +152,7 @@ pub fn main() {
let mut mgr = SimpleEventManager::new(monitor);

// A minimization+queue policy to get testcasess from the corpus
let scheduler = IndexesLenTimeMinimizerScheduler::new(QueueScheduler::new());
let scheduler = IndexesLenTimeMinimizerScheduler::new(&edges_observer, QueueScheduler::new());

// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);
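Review bot: The comment `// Create an observation channel using the signals map` above the new `.track_indices()` call no longer explains why index tracking is enabled, and the `true, false` flags that used to document it on `MaxMapFeedback::tracking` are gone from the feedback line. I would extend it to `// Create an observation channel using the shared-memory map; track indices because IndexesLenTimeMinimizerScheduler requires them`, so the link between the observer and the scheduler argument `IndexesLenTimeMinimizerScheduler::new(&edges_observer, QueueScheduler::new())` is visible at the point of construction. The identical hunk in fuzzers/forkserver_simple/src/main.rs needs the same comment. `main` starts and ends outside this hunk.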
11 changes: 6 additions & 5 deletions fuzzers/forkserver_simple/src/main.rs
Expand Up @@ -12,7 +12,7 @@ use libafl::{
inputs::BytesInput,
monitors::SimpleMonitor,
mutators::{scheduled::havoc_mutations, tokens_mutations, StdScheduledMutator, Tokens},
observers::{HitcountsMapObserver, StdMapObserver, TimeObserver},
observers::{CanTrack, HitcountsMapObserver, StdMapObserver, TimeObserver},
schedulers::{IndexesLenTimeMinimizerScheduler, QueueScheduler},
stages::mutational::StdMutationalStage,
state::{HasCorpus, StdState},
Expand Down Expand Up @@ -101,8 +101,9 @@ pub fn main() {
let shmem_buf = shmem.as_mut_slice();

// Create an observation channel using the signals map
let edges_observer =
unsafe { HitcountsMapObserver::new(StdMapObserver::new("shared_mem", shmem_buf)) };
let edges_observer = unsafe {
HitcountsMapObserver::new(StdMapObserver::new("shared_mem", shmem_buf)).track_indices()
};

// Create an observation channel to keep track of the execution time
let time_observer = TimeObserver::new("time");
Expand All @@ -111,7 +112,7 @@ pub fn main() {
// This one is composed by two Feedbacks in OR
let mut feedback = feedback_or!(
// New maximization map feedback linked to the edges observer and the feedback state
MaxMapFeedback::tracking(&edges_observer, true, false),
MaxMapFeedback::new(&edges_observer),
// Time feedback, this one does not need a feedback state
TimeFeedback::with_observer(&time_observer)
);
Expand Down Expand Up @@ -151,7 +152,7 @@ pub fn main() {
let mut mgr = SimpleEventManager::new(monitor);

// A minimization+queue policy to get testcasess from the corpus
let scheduler = IndexesLenTimeMinimizerScheduler::new(QueueScheduler::new());
let scheduler = IndexesLenTimeMinimizerScheduler::new(&edges_observer, QueueScheduler::new());

// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);
38 changes: 22 additions & 16 deletions fuzzers/frida_executable_libpng/src/fuzzer.rs
@@ -1,9 +1,5 @@
//! A libfuzzer-like fuzzer with llmp-multithreading support and restarts
//! The example harness is built for libpng.
use mimalloc::MiMalloc;
#[global_allocator]
static GLOBAL: MiMalloc = MiMalloc;

use std::{path::PathBuf, ptr::null};

use frida_gum::Gum;
Expand All @@ -20,7 +16,7 @@ use libafl::{
scheduled::{havoc_mutations, tokens_mutations, StdScheduledMutator},
token_mutations::{I2SRandReplace, Tokens},
},
observers::{HitcountsMapObserver, StdMapObserver, TimeObserver},
observers::{CanTrack, HitcountsMapObserver, StdMapObserver, TimeObserver},
schedulers::{IndexesLenTimeMinimizerScheduler, QueueScheduler},
stages::{ShadowTracingStage, StdMutationalStage},
state::{HasCorpus, StdState},
Expand All @@ -39,7 +35,7 @@ use libafl_bolts::{
#[cfg(unix)]
use libafl_frida::asan::{
asan_rt::AsanRuntime,
errors::{AsanErrorsFeedback, AsanErrorsObserver},
errors::{AsanErrorsFeedback, AsanErrorsObserver, ASAN_ERRORS},
};
use libafl_frida::{
cmplog_rt::CmpLogRuntime,
Expand All @@ -48,6 +44,10 @@ use libafl_frida::{
helper::FridaInstrumentationHelper,
};
use libafl_targets::cmplog::CmpLogObserver;
use mimalloc::MiMalloc;

#[global_allocator]
static GLOBAL: MiMalloc = MiMalloc;

pub unsafe fn lib(main: extern "C" fn(i32, *const *const u8, *const *const u8) -> i32) {
color_backtrace::install();
Expand Down Expand Up @@ -104,7 +104,7 @@ unsafe fn fuzz(

let coverage = CoverageRuntime::new();
#[cfg(unix)]
let asan = AsanRuntime::new(options);
let asan = AsanRuntime::new(&options);

#[cfg(unix)]
let mut frida_helper =
Expand All @@ -118,7 +118,8 @@ unsafe fn fuzz(
"edges",
frida_helper.map_mut_ptr().unwrap(),
MAP_SIZE,
));
))
.track_indices();

// Create an observation channel to keep track of the execution time
let time_observer = TimeObserver::new("time");
Expand All @@ -127,7 +128,7 @@ unsafe fn fuzz(
// This one is composed by two Feedbacks in OR
let mut feedback = feedback_or!(
// New maximization map feedback linked to the edges observer and the feedback state
MaxMapFeedback::tracking(&edges_observer, true, false),
MaxMapFeedback::new(&edges_observer),
// Time feedback, this one does not need a feedback state
TimeFeedback::with_observer(&time_observer)
);
Expand Down Expand Up @@ -177,7 +178,8 @@ unsafe fn fuzz(
let mutator = StdScheduledMutator::new(havoc_mutations().merge(tokens_mutations()));

// A minimization+queue policy to get testcasess from the corpus
let scheduler = IndexesLenTimeMinimizerScheduler::new(QueueScheduler::new());
let scheduler =
IndexesLenTimeMinimizerScheduler::new(&edges_observer, QueueScheduler::new());

// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);
Expand Down Expand Up @@ -233,7 +235,8 @@ unsafe fn fuzz(
"edges",
frida_helper.map_mut_ptr().unwrap(),
MAP_SIZE,
));
))
.track_indices();

// Create an observation channel to keep track of the execution time
let time_observer = TimeObserver::new("time");
Expand All @@ -242,7 +245,7 @@ unsafe fn fuzz(
// This one is composed by two Feedbacks in OR
let mut feedback = feedback_or!(
// New maximization map feedback linked to the edges observer and the feedback state
MaxMapFeedback::tracking(&edges_observer, true, false),
MaxMapFeedback::new(&edges_observer),
// Time feedback, this one does not need a feedback state
TimeFeedback::with_observer(&time_observer)
);
Expand Down Expand Up @@ -290,7 +293,8 @@ unsafe fn fuzz(
let mutator = StdScheduledMutator::new(havoc_mutations().merge(tokens_mutations()));

// A minimization+queue policy to get testcasess from the corpus
let scheduler = IndexesLenTimeMinimizerScheduler::new(QueueScheduler::new());
let scheduler =
IndexesLenTimeMinimizerScheduler::new(&edges_observer, QueueScheduler::new());

// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);
Expand Down Expand Up @@ -361,7 +365,8 @@ unsafe fn fuzz(
"edges",
frida_helper.map_mut_ptr().unwrap(),
MAP_SIZE,
));
))
.track_indices();

// Create an observation channel to keep track of the execution time
let time_observer = TimeObserver::new("time");
Expand All @@ -370,7 +375,7 @@ unsafe fn fuzz(
// This one is composed by two Feedbacks in OR
let mut feedback = feedback_or!(
// New maximization map feedback linked to the edges observer and the feedback state
MaxMapFeedback::tracking(&edges_observer, true, false),
MaxMapFeedback::new(&edges_observer),
// Time feedback, this one does not need a feedback state
TimeFeedback::with_observer(&time_observer)
);
Expand Down Expand Up @@ -418,7 +423,8 @@ unsafe fn fuzz(
let mutator = StdScheduledMutator::new(havoc_mutations().merge(tokens_mutations()));

// A minimization+queue policy to get testcasess from the corpus
let scheduler = IndexesLenTimeMinimizerScheduler::new(QueueScheduler::new());
let scheduler =
IndexesLenTimeMinimizerScheduler::new(&edges_observer, QueueScheduler::new());

// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);
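Review bot: The `.track_indices()` suffix and the `&edges_observer` argument to `IndexesLenTimeMinimizerScheduler::new` had to be applied three times in this file (the hunks at old lines 118, 178, 235, 293, 365 and 423), because the `"edges"` observer, feedback and scheduler setup is duplicated per configuration. A small helper that builds the tracked edges observer once would keep the tracking choice in one place and make future changes to it a single edit; as far as I can tell from the hunks, a missed copy would now fail to compile on the scheduler's tracking bound, which is presumably what this PR introduces, so the risk is maintenance rather than a silent misconfiguration. The same sixfold repetition is in fuzzers/frida_gdiplus/src/fuzzer.rs. `fuzz` starts and ends outside these hunks.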
26 changes: 16 additions & 10 deletions fuzzers/frida_gdiplus/src/fuzzer.rs
Expand Up @@ -26,7 +26,7 @@ use libafl::{
scheduled::{havoc_mutations, tokens_mutations, StdScheduledMutator},
token_mutations::{I2SRandReplace, Tokens},
},
observers::{HitcountsMapObserver, StdMapObserver, TimeObserver},
observers::{CanTrack, HitcountsMapObserver, StdMapObserver, TimeObserver},
schedulers::{IndexesLenTimeMinimizerScheduler, QueueScheduler},
stages::{ShadowTracingStage, StdMutationalStage},
state::{HasCorpus, StdState},
Expand Down Expand Up @@ -113,7 +113,8 @@ unsafe fn fuzz(options: &FuzzerOptions) -> Result<(), Error> {
"edges",
frida_helper.map_mut_ptr().unwrap(),
MAP_SIZE,
));
))
.track_indices();

// Create an observation channel to keep track of the execution time
let time_observer = TimeObserver::new("time");
Expand All @@ -122,7 +123,7 @@ unsafe fn fuzz(options: &FuzzerOptions) -> Result<(), Error> {
// This one is composed by two Feedbacks in OR
let mut feedback = feedback_or!(
// New maximization map feedback linked to the edges observer and the feedback state
MaxMapFeedback::tracking(&edges_observer, true, false),
MaxMapFeedback::new(&edges_observer),
// Time feedback, this one does not need a feedback state
TimeFeedback::with_observer(&time_observer)
);
Expand Down Expand Up @@ -171,7 +172,8 @@ unsafe fn fuzz(options: &FuzzerOptions) -> Result<(), Error> {
let mutator = StdScheduledMutator::new(havoc_mutations().merge(tokens_mutations()));

// A minimization+queue policy to get testcasess from the corpus
let scheduler = IndexesLenTimeMinimizerScheduler::new(QueueScheduler::new());
let scheduler =
IndexesLenTimeMinimizerScheduler::new(&edges_observer, QueueScheduler::new());

// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);
Expand Down Expand Up @@ -227,7 +229,8 @@ unsafe fn fuzz(options: &FuzzerOptions) -> Result<(), Error> {
"edges",
frida_helper.map_mut_ptr().unwrap(),
MAP_SIZE,
));
))
.track_indices();

// Create an observation channel to keep track of the execution time
let time_observer = TimeObserver::new("time");
Expand All @@ -236,7 +239,7 @@ unsafe fn fuzz(options: &FuzzerOptions) -> Result<(), Error> {
// This one is composed by two Feedbacks in OR
let mut feedback = feedback_or!(
// New maximization map feedback linked to the edges observer and the feedback state
MaxMapFeedback::tracking(&edges_observer, true, false),
MaxMapFeedback::new(&edges_observer),
// Time feedback, this one does not need a feedback state
TimeFeedback::with_observer(&time_observer)
);
Expand Down Expand Up @@ -284,7 +287,8 @@ unsafe fn fuzz(options: &FuzzerOptions) -> Result<(), Error> {
let mutator = StdScheduledMutator::new(havoc_mutations().merge(tokens_mutations()));

// A minimization+queue policy to get testcasess from the corpus
let scheduler = IndexesLenTimeMinimizerScheduler::new(QueueScheduler::new());
let scheduler =
IndexesLenTimeMinimizerScheduler::new(&edges_observer, QueueScheduler::new());

// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);
Expand Down Expand Up @@ -356,7 +360,8 @@ unsafe fn fuzz(options: &FuzzerOptions) -> Result<(), Error> {
"edges",
frida_helper.map_mut_ptr().unwrap(),
MAP_SIZE,
));
))
.track_indices();

// Create an observation channel to keep track of the execution time
let time_observer = TimeObserver::new("time");
Expand All @@ -365,7 +370,7 @@ unsafe fn fuzz(options: &FuzzerOptions) -> Result<(), Error> {
// This one is composed by two Feedbacks in OR
let mut feedback = feedback_or!(
// New maximization map feedback linked to the edges observer and the feedback state
MaxMapFeedback::tracking(&edges_observer, true, false),
MaxMapFeedback::new(&edges_observer),
// Time feedback, this one does not need a feedback state
TimeFeedback::with_observer(&time_observer)
);
Expand Down Expand Up @@ -413,7 +418,8 @@ unsafe fn fuzz(options: &FuzzerOptions) -> Result<(), Error> {
let mutator = StdScheduledMutator::new(havoc_mutations().merge(tokens_mutations()));

// A minimization+queue policy to get testcasess from the corpus
let scheduler = IndexesLenTimeMinimizerScheduler::new(QueueScheduler::new());
let scheduler =
IndexesLenTimeMinimizerScheduler::new(&edges_observer, QueueScheduler::new());

// A fuzzer with feedbacks and a corpus scheduler
let mut fuzzer = StdFuzzer::new(scheduler, feedback, objective);