Driver code for UNIFUZZ configured with Hydra and logged with wandb.
- Dockerized fuzzing
- afl-cov integration (including func_cov and line_cov)
- wandb logging and visualization
- hydra configuration for Multi-run
- afl
- afl++
- aflfast
- mopt
Theoretically all afl-based fuzzers can be supported by adding a few lines to config.py.
- Add CVE match code.
git clone --recurse-submodules git@github.com:ucasqsl/unifuzz_runner.git
cd unifuzz_runner
pip3 install -r requirements.txt
python3 run.py # Run with the basic configuration, run afl on exiv for 24 hours with 30 repetitions.
Available targets and fuzzers are listed under conf/target and conf/fuzzer respectively.
Override params in command line:
python3 run.py fuzzer=aflfast target=lame repeat_times=1 time_interval=360 # Run aflfast on lame for 360s with only one instance.
Or you can modify the config file at conf/config.py.
Specifying the fuzzers or targets in one line is enough:
python3 run.py --multirun repeat_times=1 fuzzer=aflpp-aflasan,afl-aflasan,aflpp-justafl,afl-justafl,mopt,aflfast target=lame,exiv2
This will run 2x6=12 experiments and launch 24 containers (12 additional for afl-cov).
If the script finishes successfully, all containers will be removed. Otherwise you might need to delete them manually:
docker stop $(docker ps | grep unifuzz | awk '{print $1}')
The outputs are located at outputs/{date}/{time}/{output}/{target}/{fuzzer}/{run_id}, or at multirun/{date}/{time}/{job_id}/{output}/{target}/{fuzzer}/{run_id} if it's a multirun.
The files under cov are generated by afl-cov. In addition to the original outputs of the official afl-cov, cov_plot.csv is the plot_data for line_cov and func_cov; the time specified there is the last change time of the corresponding input file. You can find the wandb link in afl-cov-status, and the total functions/lines in meta.log. afl-cov will also generate a coverage report under the folder cov/web.
- Data in afl plot_data, plus fuzzer_rel_time, which is the unix time relative to the first logged time in plot_data.
- line_cov, func_cov, file_id (of the input file) and time (ctime of the input file)
- Compile your afl-based fuzzer into a docker image. (Example Dockerfiles are at unifuzz/dockerized_fuzzing.)
- Compile the targets with your fuzzer. (Example Dockerfiles are at unibench_build. Note that it is possible to just copy the compiled files from other images like aflfast_dockerfile, or you can choose a suitable existing Dockerfile and modify it.)
- Add your fuzzer into the FUZZER dict in config.py, e.g.: "mopt": { "bin_dir": "justafl", "image": "unifuzz/unibench:mopt", "pacemaker_time": "1", "cmd_temp": "afl-fuzz -L {pacemaker_time} -i {seeds} -o {output_path} -- {prefix}/{target} {fuzz_args}" }
  You can add any configuration key to the dict and write the corresponding placeholder in cmd_temp. Each such key also becomes a customizable configuration on the run.py command line, e.g.: python3 run.py repeat_times=1 fuzzer=mopt fuzzer.pacemaker_time=2 target=exiv2
- Update the conf folder: python3 confgen.py
- Run the experiment with your own fuzzer!
- Visit your wandb page and customize the plots.
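As an added example (not code from unifuzz_runner itself), the following shows how a FUZZER entry of the shape above is turned into a concrete afl-fuzz command line: the dict's own keys, the per-job fields and a fuzzer.<key>=<value> command-line override are merged, every {placeholder} in cmd_temp is checked against them, and the template is rendered. The helper names render_cmd, parse_overrides and placeholders and the per-job values are assumptions for illustration; the placeholder names come from the cmd_temp on this page.

```python
import string

# Constructed FUZZER entry in the shape the README describes (the "mopt"
# example); this is an illustration, not the project's own config.py.
FUZZER = {
    "mopt": {
        "bin_dir": "justafl",
        "image": "unifuzz/unibench:mopt",
        "pacemaker_time": "1",
        "cmd_temp": "afl-fuzz -L {pacemaker_time} -i {seeds} -o {output_path} "
                    "-- {prefix}/{target} {fuzz_args}",
    },
}


def placeholders(cmd_temp):
    """Return the set of {name} placeholders referenced by a cmd_temp string."""
    return {name for _, name, _, _ in string.Formatter().parse(cmd_temp) if name}


def parse_overrides(argv):
    """Collect Hydra-style 'fuzzer.<key>=<value>' tokens into a dict.
    Other tokens (target=..., repeat_times=...) belong to the runner, not
    to the fuzzer entry, so they are skipped here."""
    out = {}
    for tok in argv:
        key, sep, value = tok.partition("=")
        if sep and key.startswith("fuzzer."):
            out[key[len("fuzzer."):]] = value
    return out


def render_cmd(fuzzer_cfg, job_fields, overrides=None):
    """Render cmd_temp with precedence: dict keys < per-job fields < overrides.
    A placeholder that nobody supplies is reported up front, rather than
    surfacing as a bare KeyError once the container has already started."""
    values = dict(fuzzer_cfg)
    values.update(job_fields)
    values.update(overrides or {})
    missing = placeholders(fuzzer_cfg["cmd_temp"]) - set(values)
    if missing:
        raise ValueError(f"cmd_temp placeholders without a value: {sorted(missing)}")
    return fuzzer_cfg["cmd_temp"].format(**values)
```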