feature: extract data that can be used as input to fuzz engines, e.g. dictionaries, prioritised functions, etc

[DavidKorczynski]

libFuzzer has the ability to prioritise fuzzing of certain functions. We should use the data from the reachability and coverage analysis to feed information back to the fuzzer about nice-to-analyse functions.

This heuristic could for example be focused around functions that if-hit will:

• trigger a lot more code execution
• trigger execution of specific user-chosen functions (e.g. production code)

[Navidem]

Additional heuristics to identify interesting functions to fuzz can be:

• Functions where user-controlled (untrusted) data reach critical operations like memory alloc/dealloc, pointer arithmetic, etc. To realize this feature, we may employ taint analysis to track untrusted data propagation in the code. We may need an interface to let developer tag some data/function result as untrusted.

• Generally recommend functions that perform error-prone operations (like the functions that make call to pointer returning functions in hope of capturing errors like null-deref). For this we may need a function profiler.

[DavidKorczynski]

We can generalise this issue and consider it to be improvements focused around "input to fuzz engines". This could for example include features such as automated dictionary generation by way of statically analysing code and data in the target

[DavidKorczynski]

I added a proof-of-concept for this. The focus atm is on dictionary generation by looking at constants used by each fuzzer in its reachable functions. Sample code for extracting strings used in fuzzer-reachable functions is here:

fuzz-introspector/llvm/lib/Transforms/Inspector/Inspector.cpp

Lines 767 to 824 in 28d5ee4

	if (!getenv("FUZZINTRO_CONSTANTS")) {
	continue;
	}
	//I.dump();
	// Check if the operands refer to a global value and extract data.
	for (int opndIdx = 0; opndIdx < I.getNumOperands(); opndIdx++) {
	Value *opndI = I.getOperand(opndIdx);
	//opndI->dump();
	// Is this a global variable?
	if (GlobalVariable *GV = dyn_cast<GlobalVariable>(opndI)) {
	GV->dump();
	if (GV->hasInitializer()) {
	Constant *GVI = GV->getInitializer();
	if (ConstantData *GD = dyn_cast<ConstantData>(GVI)) {
	//logPrintf(L1, "ConstantData\n");
	// Integer case
	if (ConstantInt *GI = dyn_cast<ConstantInt>(GD)) {
	logPrintf(L1, "Constant Int\n");
	uint64_t zext_val = GI->getZExtValue();
	errs() << "Zexct val: " << zext_val << "\n";
	}
	}
	else if (ConstantExpr *GE = dyn_cast<ConstantExpr>(GVI)) {
	logPrintf(L1, "Constant expr: %s\n", GE->getName().str().c_str());
	GE->dump();
	if (GEPOperator* gepo = dyn_cast<GEPOperator>(GE)) {
	errs() << "GEPOperator\n";
	if (GlobalVariable* gv12 = dyn_cast<GlobalVariable>(gepo->getPointerOperand())) {
	errs() << "GV - " << *gv12 << "\n";
	if (gv12->hasInitializer()) {
	errs() << "Has initializer\n";
	Constant *C222 = gv12->getInitializer();
	if (ConstantData *GD23 = dyn_cast<ConstantData>(C222)) {
	errs() << "ConstantData\n";
	if (ConstantDataArray *Carr = dyn_cast<ConstantDataArray>(GD23)) {
	// This is constant data. We should be able to dump it down.
	errs() << "ConstantArray. Type:\n";
	Carr->getElementType()->dump();
	errs() << "Number of elements: " << Carr->getNumElements() << "\n";
	Type *baseType = Carr->getElementType();
	if (baseType->isIntegerTy()) {
	errs() << "Base types\n";
	for (int i = 0; i < Carr->getNumElements(); i++) {
	std::string s1 = toHex(Carr->getElementAsInteger(i));
	errs() << "0x" << s1 << "\n";
	}
	}
	if (Carr->isString()) {
	errs() << "The string: " << Carr->getAsString() << "\n";
	FuncWrap.ConstantsTouched.push_back(Carr->getAsString().str());
	}
	else {
	errs() << "No this is not a string\n";
	}
	}
	}
	}

I have also refactored the code post-processing code so it is easier to develop individual analyses. The goal is to facilitate a plugin-like interface that makes it easy to rapidly develop new analysis techniques that rely on data collected from fuzz-introspector. Sample code in the post processor is here: https://github.com/ossf/fuzz-introspector/blob/main/post-processing/fuzz_html.py#L604-L622

I modified the simple-example-0 to display dictionary generation. For example for the following code:

fuzz-introspector/examples/simple-example-0/fuzzer.c

Lines 9 to 19 in 28d5ee4

	char *global1 = "FUZZCAFE";
	char *global2 = "FUZZKEYWORD";
	int GLB2 = 0xbeef;
	void unreached_target10(char *val) {
	if (strcmp(val, global1) == 0) {
	printf("Compare 1\n");
	}
	if (strcmp(val, global2) == 0) {
	printf("Compare 15\n");
	}

the automatic dictionary generator gives the suggested dictionary:

k0="FUZZCAFE "
k1="FUZZKEYWORD "

This can the be used as explicit input to fuzzers -dict=dictifile. There's more work to be done here