Merge pull request #59 from KTH/wasm-fuzzer

WIP: support the real coverage in fuzzer

Author: olapiv

.gitignore

@@ -31,6 +31,7 @@ traces
 utils/reports
 
 ### Wasm-Fuzzer ###
-wasm-fuzzer/fuzzing-client-afl/afl_out
-wasm-fuzzer/fuzzing-client-afl/cpp_out
-wasm-fuzzer/logs/*
+wasm-fuzzer/wafl-temp/*
+
+*.log
+*.log.txt

.gitmodules

@@ -10,7 +10,3 @@
     path = llvm
     url = https://github.com/Jacarte/llvm-project
     branch = master
-[submodule "wasm-fuzzer/fuzzing-server-swam"]
-	path = wasm-fuzzer/fuzzing-server-swam
-	url = https://github.com/KTH/swam
-	branch = feature/swam-server

wasm-fuzzer/.dockerignore

@@ -1,2 +1,4 @@
 *.out
-*.dat
+*.dat
+./fuzzing-server-swam/out
+./wafl-temp

wasm-fuzzer/.env

@@ -7,34 +7,21 @@ LOG_LEVEL=INFO
 # Set True if AFL should always continue where it left off (and not delete old findings). Useful if AFL/SWAM may crash and auto-restart.
 REUSE_DATA_AFL=True
 
-# Path to the parent directory of our local .wasm/.wat executable
-LOCAL_WASM=/tmp/fuzzer-wat_files
-
-# Name of our local .wasm/.wat executable
-WASM_EXECUTABLE=fibo.wat
-
-# Path on our local machine for us to read AFL's output
-LOCAL_AFL_OUTPUT=/tmp/afl_out
-
-# Path on our local machine for us to read our own logs
-LOCAL_LOGS=/tmp/fuzzer/fuzzerlogs
-
-# Path on our local machine for us to read SWAM's output (if any)
-# SWAM_OUTPUT_LOCAL=/tmp/swam-out
-
-# Function to be executed in .wasm/.wat ("_start" is default)
-TARGET_FUNCTION=clever
+# Filter out WASI coverage
+WASI_FILTER=True
 
-# Parameter types for target function. Comma-separated list of types Int32, Int64, Float32, Float64.
-WASM_ARG_TYPES_LIST=Int64
+########################################
+##### Necessary for Docker volumes #####
+########################################
 
-# Sample input for target function. Comma-separated list of numbers.
-WASM_ARG_LIST=14
+# Path on our local machine where wasm/wat file is located
+LOCAL_WASM_DIR=/tmp/wasm
 
-# Executable has wasi format
-WASI=False
+#############################
+##### No need to change #####
+#############################
 
-##### No need to change: #####
+SWAM_SOCKET_HOST=localhost
 SWAM_SOCKET_PORT=9999
 
 # Filter out WASI

wasm-fuzzer/.gitignore

@@ -0,0 +1,4 @@
+aflpp
+wafl
+out*
+fuzzing-server-swam

wasm-fuzzer/Dockerfile

@@ -9,6 +9,7 @@ FROM aflplusplus/aflplusplus
 RUN yes | apt-get install curl
 RUN apt-get update
 RUN DEBIAN_FRONTEND="noninteractive" apt-get -y install tzdata wget
+RUN apt-get update
 RUN yes | apt-get install software-properties-common
 RUN apt-get update
 RUN yes | add-apt-repository ppa:openjdk-r/ppa
@@ -30,58 +31,64 @@ WORKDIR /root
 ##### fuzzing-server-swam ######
 ################################
 
-ENV DOCKER_SWAM_SRC=/home/server/src
-ENV DOCKER_WASM=/home/server/wasm
+ENV SRC_SWAM_DIR=/home/server/src
+ENV WASM_DIR=/home/server/wasm
 
 # Create the appropriate directories
-RUN mkdir -p $DOCKER_SWAM_SRC
-RUN mkdir -p $DOCKER_WASM
+RUN mkdir -p $SRC_SWAM_DIR
+RUN mkdir -p $WASM_DIR
 
-WORKDIR $DOCKER_SWAM_SRC
+WORKDIR $SRC_SWAM_DIR
 
 # TODO: Find way of installing dependencies with Mill without copying over entire repo
 # See: https://stackoverflow.com/questions/62834693/mill-build-tool-install-dependencies-without-compiling-source-code
 
-ADD ./fuzzing-server-entry/entrypoint_mill_server.sh $DOCKER_SWAM_SRC
-
 # DOWNLOAD latest version of SWAM cli jar file
-ADD https://github.com/KTH/swam/releases/download/v0.6.0-RC3/cli-0.6.0-RC3.jar $DOCKER_SWAM_SRC
-
+ADD https://github.com/KTH/swam/releases/download/v0.6.0-RC3/cli-0.6.0-RC3.jar $SRC_SWAM_DIR
 
-RUN chmod +x $DOCKER_SWAM_SRC/entrypoint_mill_server.sh
+ADD entrypoint_mill_server.sh /home
+RUN chmod +x /home/entrypoint_mill_server.sh
 
 #############################
 #### fuzzing-client-afl #####
 #############################
 
-ENV DOCKER_INTERFACE_SRC=/home/client/interface
-ENV DOCKER_AFL_INPUT=/home/client/in
-ENV DOCKER_AFL_OUTPUT=/home/client/out
+ENV SRC_INTERFACE_DIR=/home/client/interface
+ENV OUT_INTERFACE_DIR=/home/client/interface/cpp_out
+ENV INPUT_AFL_DIR=/home/client/in
+ENV OUTPUT_AFL_DIR=/home/client/out
 
 # Create the appropriate directories
-RUN mkdir -p $DOCKER_INTERFACE_SRC
-RUN mkdir -p $DOCKER_AFL_INPUT
-RUN mkdir -p $DOCKER_AFL_OUTPUT
-WORKDIR $DOCKER_INTERFACE_SRC
+RUN mkdir -p $SRC_INTERFACE_DIR
+RUN mkdir -p $OUT_INTERFACE_DIR
+RUN mkdir -p $INPUT_AFL_DIR
+RUN mkdir -p $OUTPUT_AFL_DIR
+WORKDIR $SRC_INTERFACE_DIR
 
-ADD ./fuzzing-client-afl $DOCKER_INTERFACE_SRC
+ADD ./fuzzing-client-afl $SRC_INTERFACE_DIR
 
-RUN g++ -o ./prepare_wasm_input.out ./prepare_wasm_input.cpp ./utils.cpp
-RUN g++ -o ./getFileSize.out ./getFileSize.cpp ./utils.cpp
-RUN g++ -o ./wait_for_server.out ./wait_for_server.cpp ./utils.cpp ./socket_client.cpp
-RUN g++ -o ./interface.out ./interface.cpp ./socket_client.cpp ./utils.cpp
+RUN g++ -o $OUT_INTERFACE_DIR/prepare_wasm_input.out ./prepare_wasm_input.cpp ./utils.cpp
+RUN g++ -o $OUT_INTERFACE_DIR/getFileSize.out ./getFileSize.cpp ./utils.cpp
+RUN g++ -o $OUT_INTERFACE_DIR/wait_for_server.out ./wait_for_server.cpp ./utils.cpp ./socket_client.cpp
+RUN g++ -o $OUT_INTERFACE_DIR/interface.out ./interface.cpp ./socket_client.cpp ./utils.cpp
 
-RUN chmod +x $DOCKER_INTERFACE_SRC/entrypoint_afl.sh
+RUN chmod +x $SRC_INTERFACE_DIR/entrypoint_afl.sh
 
 #########################
 ######## Shared #########
 #########################
 
-ADD supervisord.conf /etc/supervisor/conf.d/supervisord.conf 
+WORKDIR /home
+
+ENV LOGS_DIR=/home/shared/logs
+
+RUN mkdir -p $LOGS_DIR
 
-ENV DOCKER_SHARED=/home/shared
-ENV DOCKER_LOGS=$DOCKER_SHARED/logs
+ADD supervisord.conf /home/supervisord.conf
+ADD wafl.sh /home/wafl.sh
+ADD prepare_env.sh /home/prepare_env.sh
 
-RUN mkdir -p $DOCKER_LOGS
+RUN chmod +x /home/wafl.sh
+RUN chmod +x /home/prepare_env.sh
 
-ENTRYPOINT ["/usr/bin/supervisord"]
+ENTRYPOINT ["/home/wafl.sh"]

wasm-fuzzer/README.md

@@ -19,7 +19,7 @@ Right now, we support fuzzing of four data types as function parameter:
 * int32
 * int64
 * float32
-* float 64
+* float64
 
 Reference documentation in (see part 1, Coverage Measurements): https://github.com/google/AFL/blob/master/docs/technical_details.txt
 
@@ -112,14 +112,14 @@ docker build -t wafl .
 3. Run the Docker image.
 
     ```bash
-    docker run -it --rm --env-file=./.env \
-        -e SWAM_SOCKET_HOST=localhost \
+    docker run --env-file=./.env \
         -v maven_data:/root/.cache/coursier/v1/https/repo1.maven.org/maven2 \
         -v compiled_sources:/home/server/src/out/ \
-        -v ${LOCAL_WASM:?err}:/home/server/wasm/ \
-        -v ${LOCAL_AFL_OUTPUT:?err}:/home/client/out/ \
-        -v ${LOCAL_LOGS:?err}:/home/shared/logs/ \
-        wafl:latest
+        -v ${LOCAL_WASM_DIR:?err}:/home/server/wasm/ \
+        -v ${PWD}/wafl-temp/afl-out:/home/client/out/ \
+        -v ${PWD}/wafl-temp/logs:/home/shared/logs/ \
+        wafl:latest \
+        <.wasm/.wat filename> <target function> <seed arguments csv>
     ```
 
 ### Multi-processing
@@ -128,7 +128,7 @@ AFLplusplus is encouraged to be run with multiple instances if multiple cores ar
 
 ```bash
 # 3 for the number of AFL instances.
-./multi-processing.sh 3
+./multi-processing.sh 3 <.wasm/.wat filename> <target function> <seed arguments csv>
 ```
 
 ## Building & running without Docker

wasm-fuzzer/build.sh

@@ -0,0 +1,44 @@
+#!/bin/bash
+
+CURRENT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
+
+echo "Cloning SWAM"
+if [ ! -d fuzzing-server-swam ]; then
+	git clone --single-branch --branch master https://github.com/KTH/swam.git fuzzing-server-swam
+fi
+
+echo "Building SWAM"
+cd fuzzing-server-swam
+git pull
+./millw cli.assembly
+export SWAM_JAR=$(CURRENT_DIR)/fuzzing-server-swam/out/cli/assembly/dest/out.jar
+echo $SWAM_JAR
+cd ..
+
+
+# Download afl plus plus
+if [ ! -d aflpp ]; then
+	echo "Downloading aflplusplus..."
+	git clone https://github.com/AFLplusplus/AFLplusplus.git aflpp
+
+	echo "Building aflplusplus..."
+	cd aflpp
+	make distrib
+	sudo make install
+	cd ..
+fi
+
+
+echo "Building the wafl interface..."
+
+mkdir -p $CURRENT_DIR/wafl-temp
+CPP_OUT_DIR=$CURRENT_DIR/wafl-temp/cpp-out
+mkdir -p $CPP_OUT_DIR
+
+g++ -o $CPP_OUT_DIR/prepare_wasm_input.out ./fuzzing-client-afl/prepare_wasm_input.cpp ./fuzzing-client-afl/utils.cpp
+g++ -o $CPP_OUT_DIR/getFileSize.out ./fuzzing-client-afl/getFileSize.cpp ./fuzzing-client-afl/utils.cpp
+g++ -o $CPP_OUT_DIR/wait_for_server.out ./fuzzing-client-afl/wait_for_server.cpp ./fuzzing-client-afl/utils.cpp ./fuzzing-client-afl/socket_client.cpp
+g++ -o $CPP_OUT_DIR/run_client.out ./fuzzing-client-afl/run_client.cpp ./fuzzing-client-afl/socket_client.cpp ./fuzzing-client-afl/utils.cpp
+g++ -o $CPP_OUT_DIR/interface.out ./fuzzing-client-afl/interface.cpp ./fuzzing-client-afl/socket_client.cpp ./fuzzing-client-afl/utils.cpp
+
+echo "DONE !" 

wasm-fuzzer/docker-compose.base.yml

@@ -0,0 +1,33 @@
+#!/bin/bash
+
+# TODO: Put this file back into the SWAM repo
+
+# TODO: Put this into entrypoint_afl.sh as well as soon as the server infers the signature itself.
+# So that this script can be run by itself as 
+# well (same commands as wafl.sh)
+if [[ $ENV_PREPARED != "True" ]]; then
+    echo "Preparing environment!"
+    source ../prepare_env.sh $@
+fi
+
+# Get wasm/wat from $WASM_DIR directory
+echo "WASM_OR_WAT_FILE: $WASM_OR_WAT_FILE"
+
+# Parse WASM_ARG_TYPES_CSV: "Int64,Int32" to "--argType Int64 --argType Int32"
+ALL_ARG_TYPES=""
+IFS=',' read -r -a WASM_ARG_TYPES_ARRAY <<<"$WASM_ARG_TYPES_CSV"
+for element in "${WASM_ARG_TYPES_ARRAY[@]}"; do
+    ALL_ARG_TYPES="$ALL_ARG_TYPES --argType $element"
+done
+echo "ALL_ARG_TYPES: $ALL_ARG_TYPES"
+
+if [[ $WASM_OR_WAT_FILE == *.wat ]]; then WAT_ARG="--wat"; fi
+if [[ $WASI == "True" ]]; then WASI_ARG="--wasi"; fi
+if [[ $WASI_FILTER == "True" ]]; then WASI_ARG="$WASI_ARG -r"; fi
+
+cd $SRC_SWAM_DIR
+
+LOGGING_ARG="1> $LOGS_DIR/swam.std.txt 2> $LOGS_DIR/swam.err.txt &"
+
+echo "$SWAM_CMD run_server $WASM_OR_WAT_FILE --main $TARGET_FUNCTION $WAT_ARG $WASI_ARG $ALL_ARG_TYPES $LOGGING_ARG"
+exec $SWAM_CMD run_server $WASM_OR_WAT_FILE --main $TARGET_FUNCTION $WAT_ARG $WASI_ARG $ALL_ARG_TYPES 1> $LOGS_DIR/swam.std.txt 2> $LOGS_DIR/swam.err.txt