test: Fuzz execution of a single instruction with afl-fuzz #37

joonazan · 2024-05-25T14:38:45Z

Replaces stack, program and heap with mocks that just contain one value and crash if multiple addresses are accessed. Fuzzes the execution of a single instruction.

The default settings of libFuzzer don't work for me and it doesn't tell what is going wrong, so I wrote this for afl-fuzz instead.

Afl explores lots of instructions in a matter of seconds, though the crashes it finds are not real ones yet because the test is still missing a state validity check.

The validity check should check that fat pointers are well-formed etc. The test should not be run if the initial state is invalid. The test should panic if the state is no longer valid after running an instruction.

…slot

afl-fuzz/Cargo.toml

src/addressing_modes.rs

src/single_instruction_test/callframe.rs

src/single_instruction_test/print_mock_info.rs

afl-fuzz/Cargo.toml

src/addressing_modes.rs

src/single_instruction_test/stack.rs

src/single_instruction_test/callframe.rs

src/single_instruction_test/vm.rs

joonazan added 2 commits May 25, 2024 16:28

compiles under 2023-1 nightly

4cca5c3

afl-fuzz fuzzes a single instruction

5ce1dde

joonazan force-pushed the symbolic-execution branch from 172cc0f to 5ce1dde Compare May 25, 2024 16:07

joonazan added 8 commits May 25, 2024 18:32

make clippy happy

b019a8f

Don't run tests with mocked VM. Run clippy on mocked VM

31d2649

add first validation rule

ca8cf5b

fix bug where stack value and stack pointer flag were from different …

a632397

…slot

script for quickly looking at one crash

cdd6aac

validate pointer flags in registers, too

760d9aa

decommit a garbage program

867e440

abstract heaps to be able to write a fuzzing-friendly heap

a788895

joonazan marked this pull request as ready for review May 25, 2024 21:37

joonazan added 8 commits May 25, 2024 23:56

fix bug where stackpool could generate with no available stacks

81d8bc1

print information about touched mocks

fced351

ban precompiles from fuzzing because the mocks are not enough for them

6c8553d

have a near or far call below the current call sometimes

4f3ee93

improve info print

d3009b8

better fuzz.sh

26beac1

clippy is being silly but whatever

78a7d6c

make validity check thorough even when a callframe is pushed

6293591

montekki reviewed May 27, 2024

View reviewed changes

afl-fuzz/Cargo.toml Show resolved Hide resolved

src/addressing_modes.rs Show resolved Hide resolved

src/single_instruction_test/callframe.rs Outdated Show resolved Hide resolved

src/single_instruction_test/print_mock_info.rs Outdated Show resolved Hide resolved

montekki reviewed May 27, 2024

View reviewed changes

joonazan added 2 commits May 27, 2024 17:30

print more info

94fef86

fix nits

db8e97a

joonazan force-pushed the symbolic-execution branch from 1e53af6 to db8e97a Compare May 27, 2024 15:30

joonazan enabled auto-merge (squash) May 29, 2024 10:48

montekki approved these changes May 29, 2024

View reviewed changes

Merge branch 'master' into symbolic-execution

dfe7701

joonazan merged commit 4dd0671 into master May 29, 2024
7 checks passed

joonazan deleted the symbolic-execution branch May 29, 2024 12:47

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

test: Fuzz execution of a single instruction with afl-fuzz #37

test: Fuzz execution of a single instruction with afl-fuzz #37

joonazan commented May 25, 2024 •

edited

Loading

test: Fuzz execution of a single instruction with afl-fuzz #37

test: Fuzz execution of a single instruction with afl-fuzz #37

Conversation

joonazan commented May 25, 2024 • edited Loading

joonazan commented May 25, 2024 •

edited

Loading