
WIP: support the real coverage in fuzzer #59

Merged
merged 37 commits into from
Aug 28, 2020

Conversation

monperrus
Collaborator

No description provided.

@olapiv olapiv mentioned this pull request Aug 21, 2020
@monperrus monperrus changed the title WIP: support the real coverage data WIP: support the real coverage in fuzzer Aug 25, 2020
@monperrus
Collaborator Author

next steps per today's meeting:

  • refactor (variable names)
  • fix the number of unique crashes

exec afl-fuzz -i $DOCKER_AFL_INPUT -o $DOCKER_AFL_OUTPUT $RANK -d -- "${DOCKER_INTERFACE_SRC}/interface.out" @@ $REQUIRED_BYTES

echo "$AFL -i $DOCKER_AFL_INPUT -o $DOCKER_AFL_OUTPUT $RANK -d -- ${DOCKER_INTERFACE_SRC}/interface.out @@ $REQUIRED_BYTES"
$AFL -i "$DOCKER_AFL_INPUT" -o $DOCKER_AFL_OUTPUT $RANK -t 12000 -d -- "${DOCKER_INTERFACE_SRC}/interface.out" @@ $REQUIRED_BYTES
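Review bot: the command line that is echoed and the one that actually runs are not the same: the executed line adds `-t 12000` and quotes `$DOCKER_AFL_INPUT` while leaving `$DOCKER_AFL_OUTPUT` and `$REQUIRED_BYTES` unquoted, so the log misrepresents what ran and an output path with spaces would be split into several arguments. Suggest quoting the output path the same way as the input (`-o "$DOCKER_AFL_OUTPUT"`) and building the command line once in a variable that both the `echo` and the invocation use, so the two cannot drift apart again.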
Collaborator

The "exec" is actually quite important for it to work properly with supervisord in Docker. You can't "supervise" detached processes. If I recall correctly, the script will just start again if the main process exits.

mkdir -p $DOCKER_INTERFACE_SRC/logs-$currentID

pkill -f out.jar
java -jar fuzzing-server-swam/out/cli/assembly/dest/out.jar run_server $1 --main $2 $ALL_ARG_TYPES $WASI_ARG 1> $DOCKER_INTERFACE_SRC/logs-$currentID/swam.std.txt 2> $DOCKER_INTERFACE_SRC/logs-$currentID/swam.err.txt &
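Review bot: `pkill -f out.jar` matches its argument as a regular expression against the full command line of every process on the host, so it can terminate any unrelated process whose arguments contain `out.jar` (the unescaped `.` matches any character). Since the server is started on the next line with `&`, capture its PID right after that line (`swamPid=$!`) and stop that PID later instead of pattern-matching. `$1` and `$2` should also be quoted (`run_server "$1" --main "$2"`) so a module path containing spaces is passed as one argument.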
Collaborator

I know this may be a bit fancy and not entirely necessary, but since we already have the functionality built in, can't we just use supervisord here as well? It's quite clean and is going to take care of restarting either of the two processes in case one of them crashes (which is quite likely imo).

I think running /usr/bin/supervisord -c ./supervisord.conf should work out fine.

For Linux to install:
apt-get install -y supervisor
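As an added example of the layout this comment proposes (not code from the PR or the project), one supervisord.conf that supervises both processes, with automatic restart for each. The `run_server` command line is taken from the hunk above without the arg-type options; the program names, the `/app` working directory, the log paths and the `WASM_FILE` / `WASM_MAIN` environment variable names are assumptions.

```ini
; Added example, not the project's own configuration.
; Run with: /usr/bin/supervisord -c ./supervisord.conf (also usable as the Docker ENTRYPOINT).

[supervisord]
nodaemon=true              ; stay in the foreground so the container keeps running
logfile=/dev/null          ; per-program logs are configured below
logfile_maxbytes=0
pidfile=/tmp/supervisord.pid

[program:swam-server]
; WASM_FILE and WASM_MAIN are assumed env var names standing in for "$1" and "$2" in the script.
command=java -jar fuzzing-server-swam/out/cli/assembly/dest/out.jar run_server %(ENV_WASM_FILE)s --main %(ENV_WASM_MAIN)s
directory=/app
priority=10                ; start the server before the fuzzing client
autorestart=true           ; restart when the JVM dies, whatever the exit code
startretries=5
stdout_logfile=/app/logs/swam.std.txt
stderr_logfile=/app/logs/swam.err.txt

[program:afl-fuzz]
; entrypoint_afl.sh must `exec afl-fuzz ...` so the supervised PID is afl-fuzz itself,
; not a wrapper shell that would report "running" after the fuzzer has exited.
command=bash fuzzing-client-afl/entrypoint_afl.sh
directory=/app
priority=20
autorestart=true
startsecs=5                ; only count the process as started once it survived 5 s
stdout_logfile=/app/logs/afl.std.txt
stderr_logfile=/app/logs/afl.err.txt
```

Because supervisord only tracks the PID it spawned, the `exec` in the entrypoint discussed earlier is what makes the restart policy apply to afl-fuzz rather than to a detached child.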

Collaborator

Also, if we do this, we can actually use this as the entrypoint to the Dockerfile.

If we don't use this as an entrypoint to the Dockerfile, the env variables you removed from .env are also going to be missing there, basically breaking the Docker version.

But then we also have to adjust the README on how to run it with Docker like this.

exec afl-fuzz -i $DOCKER_AFL_INPUT -o $DOCKER_AFL_OUTPUT $RANK -d -- "${DOCKER_INTERFACE_SRC}/interface.out" @@ $REQUIRED_BYTES

echo "$AFL -i $DOCKER_AFL_INPUT -o $DOCKER_AFL_OUTPUT $RANK -d -- ${DOCKER_INTERFACE_SRC}/interface.out @@ $REQUIRED_BYTES"
$AFL -i "$DOCKER_AFL_INPUT" -o $DOCKER_AFL_OUTPUT $RANK -t 12000 -d -- "${DOCKER_INTERFACE_SRC}/interface.out" @@ $REQUIRED_BYTES
Collaborator

This timeout should not be in master imo. According to AFL it really screws up the performance. The timeout is a multiple of the time taken by the first test cases anyway, so we shouldn't worry about it.

@olapiv
Collaborator

olapiv commented Aug 26, 2020

Since the AFL entrypoint now also potentially relies on the swam.jar to infer the signature, I don't see how it's necessary to keep the docker-compose configuration with two separate containers up and running. This would only be realistic if we do the signature inferring via socket communication using a proper serializer, which would be quite an overhead for now I think.

Meaning we can remove the two extra Dockerfiles + the docker-compose.yml file.

Correct me if I'm wrong.


echo "Infering signature for wasm"

echo "java -jar fuzzing-server-swam/out/cli/assembly/dest/out.jar infer $WAT_ARG $1 $2"
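Review bot: the message on the first line has a typo ("Infering" should be "Inferring"). The echoed command line on the second line is also a hand-written copy; generate it from the same variable as the real `infer` invocation so the log always shows exactly what ran.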
Collaborator

I think this should be moved into entrypoint_afl.sh. Then we can remove the argument passing into out.jar run_server for SWAM and just call the function again directly in Scala when the server starts up.

Collaborator

And we can remove all of this code: ALL_ARG_TYPES="$ALL_ARG_TYPES --argType $element"; a couple of lines down.

sleep 2
echo "Running AFL fuzzing client"

$TIMEOUT bash fuzzing-client-afl/entrypoint_afl.sh
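Review bot: `sleep 2` before starting the AFL client is a race, not a synchronization: if the SWAM server started earlier takes longer than two seconds to come up (cold JVM, slow CI host), the client runs against nothing and the failure looks like a fuzzer bug. Suggest polling for a readiness signal from the server (a listening port or a marker file) with a bounded timeout, and failing the script explicitly when it is not reached.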
Collaborator

I don't think any of this timeout code should be in master? What is it for?


$TIMEOUT bash fuzzing-client-afl/entrypoint_afl.sh

pkill -f $swamPid
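Review bot: `pkill -f $swamPid` does not kill the process with that PID: `-f` treats its argument as a regular expression matched against full command lines, so this only terminates processes whose arguments happen to contain those digits, which may miss the server entirely or hit an unrelated process. Since the PID was captured in the script, use `kill "$swamPid"` followed by `wait "$swamPid"` to terminate and reap it.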
Collaborator

Not in master?
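The lifecycle problems raised in the comments above (a fixed `sleep 2` before the client starts, and stopping the server with `pkill -f` patterns) can be handled with three small helpers. This is an added example, not code from the PR or the project; the function names are hypothetical, and the readiness signal is assumed to be a marker file the server creates, a constructed stand-in for "the server is listening".

```shell
#!/usr/bin/env bash
# Added example (not the project's code): start a background server, wait until it is
# ready, and later stop exactly that process by PID instead of by command-line pattern.

# start_bg CMD [ARGS...]: run CMD in the background and remember its PID in BG_PID.
# Holding the PID avoids `pkill -f <pattern>`, which matches a regex against every
# process command line on the host and can terminate unrelated processes.
start_bg() {
  "$@" &
  BG_PID=$!
}

# wait_for_file PATH TIMEOUT_SECONDS: poll until PATH exists (assumed readiness marker).
# Returns 0 when it appears, 1 on timeout. Replaces a fixed `sleep 2`, which races
# the server start-up and fails silently when the server is slow.
wait_for_file() {
  path=$1
  timeout=$2
  elapsed=0
  while [ ! -e "$path" ]; do
    if [ "$elapsed" -ge "$timeout" ]; then
      return 1
    fi
    sleep 1
    elapsed=$((elapsed + 1))
  done
  return 0
}

# stop_pid PID [GRACE_SECONDS]: send SIGTERM to exactly PID, escalate to SIGKILL after
# the grace period if it is still alive, and reap it with `wait` when it is our child.
stop_pid() {
  pid=$1
  grace=${2:-5}
  kill -0 "$pid" 2>/dev/null || return 0          # already gone, nothing to do
  kill -TERM "$pid" 2>/dev/null || true
  # Watchdog: force-kill if the process ignores SIGTERM for longer than the grace period.
  ( sleep "$grace"; kill -KILL "$pid" 2>/dev/null ) >/dev/null 2>&1 &
  watchdog=$!
  wait "$pid" 2>/dev/null || true                 # reaps our child; no-op for non-children
  kill "$watchdog" 2>/dev/null || true            # cancel the watchdog once PID has exited
  wait "$watchdog" 2>/dev/null || true
  return 0
}

# Illustrative use in an entrypoint (paths are the PR's, the readiness file is assumed):
#   start_bg java -jar fuzzing-server-swam/out/cli/assembly/dest/out.jar run_server "$1" --main "$2"
#   wait_for_file /tmp/swam.ready 30 || { stop_pid "$BG_PID"; exit 1; }
#   bash fuzzing-client-afl/entrypoint_afl.sh
#   stop_pid "$BG_PID"
```

Stopping by PID only works for the process this script started, which is the point: nothing else on the host can be caught by accident, and `wait` guarantees the exit is observed before the script moves on.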


## Replace env variables
set -a
source .env
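Review bot: `set -a` stays in effect for the rest of the script, so every variable assigned after this point is exported to child processes too; add `set +a` immediately after `source .env` to limit auto-export to that file. Also, `source` executes the file as shell code rather than reading assignments, so `.env` must be trusted content baked into the image, not something picked up from an arbitrary working tree.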
Collaborator

I think if you're doing this, you might as well remove half of the export statements above.

@olapiv olapiv merged commit cae222c into master Aug 28, 2020
@monperrus
Collaborator Author

That's a new milestone! Thanks for the great team work!

@monperrus monperrus linked an issue Aug 29, 2020 that may be closed by this pull request
@monperrus monperrus deleted the wasm-fuzzer branch September 2, 2020 13:47
Jacarte pushed a commit that referenced this pull request Dec 20, 2020
WIP: support the real coverage in fuzzer
Jacarte pushed a commit that referenced this pull request Mar 23, 2021
WIP: support the real coverage in fuzzer
Development

Successfully merging this pull request may close these issues.

Fuzzing tool for WASM
3 participants