unifuzz_runner

Driver code for UNIFUZZ configured with Hydra and logged with wandb.

Features

  • Dockerized fuzzing
  • afl-cov integration (including func_cov and line_cov)
  • wandb logging and visualization
  • hydra configuration for Multi-run

Supported Fuzzers

  • afl
  • afl++
  • aflfast
  • mopt

In principle, any afl-based fuzzer can be supported by adding a few lines to config.py.

Todo

  • Add CVE match code.

How to use

Preparation

git clone --recurse-submodules [email protected]:ucasqsl/unifuzz_runner.git
cd unifuzz_runner
pip3 install -r requirements.txt
python3 run.py # Run with the basic configuration, run afl on exiv for 24 hours with 30 repetitions.

Override default settings

Available targets and fuzzers are listed under conf/target and conf/fuzzer respectively. Override parameters on the command line:

python3 run.py fuzzer=aflfast target=lame repeat_times=1 time_interval=360 # Run aflfast on lame for 360s with only one instance.

Or you can modify the config file at conf/config.py.

Multi-run

Specifying several fuzzers or targets in one line is enough.

python3 run.py --multirun repeat_times=1 fuzzer=aflpp-aflasan,afl-aflasan,aflpp-justafl,afl-justafl,mopt,aflfast target=lame,exiv2

This will run 2x6=12 experiments and launch 24 containers (12 additional ones for afl-cov).

Clean up

If the script finishes successfully, all containers are removed. Otherwise you may need to delete them manually:

docker stop $(docker ps | grep unifuzz | awk '{print $1}')

Outputs

The outputs are located at outputs/{date}/{time}/{output}/{target}/{fuzzer}/{run_id}, or at multirun/{date}/{time}/{job_id}/{output}/{target}/{fuzzer}/{run_id} for a multirun. The files under cov are generated by afl-cov. In addition to the original outputs of the official afl-cov, cov_plot.csv is the plot_data for line_cov and func_cov; the time recorded there is the last change time of the corresponding input file. You can find the wandb link in afl-cov-status, and the total number of functions/lines in meta.log. afl-cov also generates a coverage report under the folder cov/web.

Wandb logged data

  • Data from the afl plot_data, plus fuzzer_rel_time, which is the unix time relative to the first logged time in plot_data.
  • line_cov, func_cov, file_id (of the input file) and time (ctime of the input file)

Add your own fuzzer!

  1. Compile your afl-based fuzzer into a docker image. (Example Dockerfiles are at unifuzz/dockerized_fuzzing.)

  2. Compile the targets with your fuzzer. (Example Dockerfiles are at unibench_build. Note that it is often possible to simply copy the compiled files from other images, as in aflfast_dockerfile, or to choose a suitable existing Dockerfile and modify it.)

  3. Add your fuzzer into the FUZZER dict in config.py. e.g.:

     "mopt": {
         "bin_dir": "justafl",
         "image": "unifuzz/unibench:mopt",
         "pacemaker_time": "1",
         "cmd_temp": "afl-fuzz -L {pacemaker_time} -i {seeds} -o {output_path} -- {prefix}/{target} {fuzz_args}"
     }

     You can add any configuration key to the dict and reference it as a placeholder in cmd_temp. Each such key also becomes a customizable setting on the run.py command line, e.g.:

     python3 run.py repeat_times=1 fuzzer=mopt fuzzer.pacemaker_time=2 target=exiv2

  4. Update the conf folder.

     python3 confgen.py

  5. Run the experiment with your own fuzzer!

  6. Visit your wandb page and customize the plots.

    Demo Report
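To make the placeholder mechanism of step 3 concrete, here is an added example (not code from unifuzz_runner) that renders a FUZZER entry's cmd_temp into a full afl-fuzz command line after applying Hydra-style fuzzer.<key>=<value> overrides. The function names, the run-parameter keys and the way overrides are parsed are assumptions; only the mopt entry is copied from the README.

```python
"""Illustrative example, not part of unifuzz_runner: fill a FUZZER entry's
cmd_temp from the fuzzer dict plus per-run parameters, after applying
'fuzzer.<key>=<value>' overrides. All function names are assumptions."""
import string

# The mopt entry as shown in the README; the other fuzzers are omitted.
FUZZER = {
    "mopt": {
        "bin_dir": "justafl",
        "image": "unifuzz/unibench:mopt",
        "pacemaker_time": "1",
        "cmd_temp": "afl-fuzz -L {pacemaker_time} -i {seeds} -o {output_path} "
                    "-- {prefix}/{target} {fuzz_args}",
    }
}


def apply_overrides(cfg, overrides):
    """Return a copy of cfg with every 'fuzzer.<key>=<value>' override applied.
    Overrides for other groups (e.g. 'target=exiv2') are ignored here."""
    merged = dict(cfg)
    for item in overrides:
        key, _, value = item.partition("=")
        if key.startswith("fuzzer."):
            merged[key[len("fuzzer."):]] = value
    return merged


def render_cmd(name, overrides, run_params):
    """Fill each {placeholder} in cmd_temp; refuse to emit a half-filled command
    if the dict and the run parameters together do not cover every placeholder."""
    cfg = apply_overrides(FUZZER[name], overrides)
    values = {**cfg, **run_params}
    needed = {field for _, field, _, _ in string.Formatter().parse(cfg["cmd_temp"]) if field}
    missing = needed - set(values)
    if missing:
        raise KeyError(f"cmd_temp for {name!r} lacks values for: {sorted(missing)}")
    return cfg["cmd_temp"].format_map(values)


if __name__ == "__main__":
    # Constructed per-run parameters covering the README's placeholders (assumed names).
    params = {"seeds": "/seeds", "output_path": "/out", "prefix": "/unibench",
              "target": "exiv2", "fuzz_args": "@@"}
    print(render_cmd("mopt", ["fuzzer.pacemaker_time=2", "target=exiv2"], params))
```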

Reference

UNIFUZZ