Skip to content

Latest commit

 

History

History
74 lines (65 loc) · 2.98 KB

File metadata and controls

74 lines (65 loc) · 2.98 KB

Usage

Basic Mode (without LLM)

/path/to/Bulbasaur/target/release/fuzzer \
    -i /path/to/seeds \
    -o /path/to/output \
    -j 4 \
    -b 0 \
    -M 0 \
    -f targets/<program>_full \
    -t targets/<program>_trace \
    -x dict/<program>.dict \
    -- targets/<program>_fast @@
Parameter Description
-i Initial seed corpus directory
-o Output directory
-j Number of parallel threads
-b CPU core to bind to (optional)
-M Sync mode (0 = primary node) (optional, used for multi-instance coordination)
-f Path to the full-instrumented target binary
-t Path to the trace-instrumented target binary
-x Dictionary file; can be specified multiple times (optional)
-- Separator; everything after is the fast target and its arguments; @@ is the input file placeholder

LLM Mode

source /path/to/Bulbasaur/llm_scripts/.venv/bin/activate

export OPENAI_API_KEY="your-api-key"
export OPENAI_BASE_URL="https://api.openai.com/v1"
export OPENAI_MODEL="gpt-4o"

python3 /path/to/Bulbasaur/llm_scripts/bulbasaur_llm_bridge.py \
    --fuzzer      target/release/fuzzer \
    --fast-target  targets/<program>_fast \
    --full-target  targets/<program>_full \
    --trace-target targets/<program>_trace \
    --debug-target targets/<program>_debug \
    --corpus       seeds/ \
    --output-dir   output/ \
    --branch-mapping targets/branch_loc.csv \
    --source-base-path /path/to/target/src \
    --function-loc targets/function_loc.csv \
    --callgraph    targets/callgraph_final.dot \
    --dict         dict/<program>.dict \
    --jobs 4 --cpu-id 0 \
    --exec-args @@

The bridge script automatically starts the fuzzer, establishes a TCP socket, and handles all LLM mutation requests end-to-end. See llm_scripts/README.md for details.

Parameter Description
--fuzzer Path to the fuzzer executable
--fast-target Path to the fast-instrumented target binary
--full-target Path to the full-instrumented target binary
--trace-target Path to the trace-instrumented target binary
--debug-target Path to the debug-instrumented target binary (contains branch location info)
--corpus Initial seed corpus directory
--output-dir Output directory
--branch-mapping Branch → source location mapping file (branch_loc.csv)
--source-base-path Root directory of the target program's source code
--function-loc Function → source location mapping file (optional, used for callgraph queries)
--callgraph Callgraph file (callgraph_final.dot) (optional, used for caller/callee queries)
--dict Dictionary file (optional)
--jobs Number of parallel threads (optional, default 1)
--cpu-id CPU core to bind to (optional, default 0)
--exec-args Arguments passed to the target program; @@ is the input file placeholder