5c4lar/unifuzz_runner

unifuzz_runner

Driver code for UNIFUZZ configured with Hydra and logged with wandb.

Features

  • Dockerized fuzzing
  • afl-cov integration (including func_cov and line_cov)
  • wandb logging and visualization
  • hydra configuration for Multi-run

Supported Fuzzers

  • afl
  • afl++
  • aflfast
  • mopt

In principle, any AFL-based fuzzer can be supported by adding a few lines to config.py (see "Add your own fuzzer!" below).

Todo

  • Add CVE match code.

How to use

Preparation

git clone --recurse-submodules git@github.com:ucasqsl/unifuzz_runner.git
cd unifuzz_runner
pip3 install -r requirements.txt
python3 run.py # Run with the basic configuration: afl on exiv2 for 24 hours with 30 repetitions.

Override default settings

Available targets and fuzzers are listed under conf/target and conf/fuzzer respectively. Override parameters on the command line:

python3 run.py fuzzer=aflfast target=lame repeat_times=1 time_interval=360 # Run aflfast on lame for 360s with only one instance.

Or you can modify the config file at conf/config.py.

Multi-run

Listing several fuzzers or targets, comma-separated, in one line is enough:

python3 run.py --multirun repeat_times=1 fuzzer=aflpp-aflasan,afl-aflasan,aflpp-justafl,afl-justafl,mopt,aflfast target=lame,exiv2

This will run 2 × 6 = 12 experiments and launch 24 containers (12 additional ones for afl-cov).

Clean up

If the script finishes successfully, all containers are removed. Otherwise you may need to stop and delete them manually. Note that docker stop only stops a container; the second command removes the stopped ones as well:

docker stop $(docker ps | grep unifuzz | awk '{print $1}')
docker rm $(docker ps -a | grep unifuzz | awk '{print $1}')

Outputs

The outputs are located at outputs/{date}/{time}/{output}/{target}/{fuzzer}/{run_id}, or at multirun/{date}/{time}/{job_id}/{output}/{target}/{fuzzer}/{run_id} for a multirun. The files under cov are generated by afl-cov. In addition to the original outputs of the official afl-cov, cov_plot.csv holds the plot_data for line_cov and func_cov; the time recorded there is the last change time (ctime) of the corresponding input file. You can find the wandb link in afl-cov-status and the total number of functions/lines in meta.log. afl-cov also generates an HTML coverage report under cov/web.

Wandb logged data

  • Everything in the afl plot_data, plus fuzzer_rel_time: the Unix time relative to the first logged entry in plot_data, so that runs started at different wall-clock times can be plotted on a common axis.
  • line_cov, func_cov, file_id (of the input file) and time (ctime of the input file)
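As an added example (not code from unifuzz_runner), the following Python parses a classic AFL plot_data file and derives fuzzer_rel_time as described above; the same helper, given the plot_data's first timestamp, aligns the afl-cov rows keyed on the input file's ctime. The column layout is the classic AFL one and is an assumption (newer AFL++ versions use different column names and a relative first column, so adjust AFL_PLOT_COLUMNS for them); the sample rows are constructed.

```python
# Added example (not part of unifuzz_runner): derive fuzzer_rel_time from AFL
# plot_data rows and from afl-cov rows, relative to the first plot_data entry.

# Column layout of classic AFL's plot_data (assumed; AFL++ differs).
AFL_PLOT_COLUMNS = [
    "unix_time", "cycles_done", "cur_path", "paths_total", "pending_total",
    "pending_favs", "map_size", "unique_crashes", "unique_hangs", "max_depth",
    "execs_per_sec",
]

# Constructed sample, not real fuzzer output.
SAMPLE_PLOT_DATA = """\
# unix_time, cycles_done, cur_path, paths_total, pending_total, pending_favs, map_size, unique_crashes, unique_hangs, max_depth, execs_per_sec
1700000000, 0, 0, 3, 3, 1, 0.05%, 0, 0, 1, 1200.00
1700000005, 0, 1, 5, 4, 2, 0.07%, 0, 0, 2, 1150.50
1700000010, 1, 4, 9, 6, 2, 0.09%, 1, 0, 3, 1180.25
"""


def parse_plot_data(text):
    """Return plot_data rows as dicts with numeric fields converted.

    Comment lines (the header) are skipped; map_size loses its '%' suffix.
    Extra trailing columns are ignored, a short row is an error.
    """
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < len(AFL_PLOT_COLUMNS):
            raise ValueError("short plot_data row: %r" % line)
        row = {}
        for name, value in zip(AFL_PLOT_COLUMNS, fields):
            if name == "map_size":
                row[name] = float(value.rstrip("%"))
            elif name == "execs_per_sec":
                row[name] = float(value)
            else:
                row[name] = int(value)
        rows.append(row)
    return rows


def add_rel_time(rows, key="unix_time", rel_key="fuzzer_rel_time", t0=None):
    """Add rel_key = row[key] - t0 to every row.

    t0 defaults to the first row's timestamp (the plot_data case); pass the
    plot_data's t0 explicitly for afl-cov rows so both series share one axis.
    """
    if not rows:
        return rows
    if t0 is None:
        t0 = rows[0][key]
    for row in rows:
        row[rel_key] = row[key] - t0
    return rows


def plot_rows_for_wandb(text):
    """Parse plot_data and attach fuzzer_rel_time, ready to log row by row."""
    return add_rel_time(parse_plot_data(text))


if __name__ == "__main__":
    for row in plot_rows_for_wandb(SAMPLE_PLOT_DATA):
        print(row["fuzzer_rel_time"], row["paths_total"], row["unique_crashes"])
```

For the afl-cov series, call add_rel_time(cov_rows, key="time", t0=plot_rows[0]["unix_time"]) so the coverage points line up with the fuzzer's own clock instead of with the first coverage measurement.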

Add your own fuzzer!

  1. Compile your AFL-based fuzzer into a Docker image. (Example Dockerfiles are at unifuzz/dockerized_fuzzing.)

  2. Compile the targets with your fuzzer. (Example Dockerfiles are at unibench_build. Note that you can often just copy the compiled binaries from an existing image such as the one built by aflfast_dockerfile, or pick a suitable existing Dockerfile and modify it.)

  3. Add your fuzzer to the FUZZER dict in config.py, e.g.:

     "mopt": {
         "bin_dir": "justafl",
         "image": "unifuzz/unibench:mopt",
         "pacemaker_time": "1",
         "cmd_temp": "afl-fuzz -L {pacemaker_time} -i {seeds} -o {output_path} -- {prefix}/{target} {fuzz_args}"
     }

    You can add any key to the dict and reference it as a placeholder in cmd_temp. Every such key also becomes an overridable option on the run.py command line, e.g.:

    python3 run.py repeat_times=1 fuzzer=mopt fuzzer.pacemaker_time=2 target=exiv2
  4. Regenerate the conf folder:

    python3 confgen.py
  5. Run the experiment with your own fuzzer!

  6. Visit your wandb page and customize the plots.

    Demo Report
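The following Python is an added example, not code from unifuzz_runner or UNIFUZZ. It shows what the procedure above relies on: how an entry in the FUZZER dict is rendered into an afl-fuzz command line, how a command-line override such as fuzzer.pacemaker_time=2 changes it without touching config.py, and how the comma-separated --multirun syntax from the Multi-run section fans out into the 12 individual jobs. The "mopt" entry is the README's; the "afl" entry, the function names, the /d/p binary layout, the container naming and the RUNTIME_KEYS list are assumptions.

```python
# Added example (not part of unifuzz_runner): render cmd_temp from a FUZZER
# entry, apply fuzzer.<key>=<value> overrides, and expand --multirun sweeps.
import itertools

FUZZER = {
    # Entry as shown in the README.
    "mopt": {
        "bin_dir": "justafl",
        "image": "unifuzz/unibench:mopt",
        "pacemaker_time": "1",
        "cmd_temp": "afl-fuzz -L {pacemaker_time} -i {seeds} -o {output_path} -- {prefix}/{target} {fuzz_args}",
    },
    # Hypothetical second entry for a fuzzer with no extra flags.
    "afl": {
        "bin_dir": "justafl",
        "image": "unifuzz/unibench:afl",
        "cmd_temp": "afl-fuzz -i {seeds} -o {output_path} -- {prefix}/{target} {fuzz_args}",
    },
}

# Placeholders the runner fills in at launch time rather than from the dict (assumed set).
RUNTIME_KEYS = ("seeds", "output_path", "prefix", "target", "fuzz_args")


def apply_overrides(fuzzer_cfg, overrides):
    """Return a copy of fuzzer_cfg with 'fuzzer.<key>=<value>' overrides applied.

    Other overrides (target=..., repeat_times=...) are left for the caller.
    Overriding cmd_temp itself is refused: the template decides what runs
    inside the container, so it should only change in config.py.
    """
    cfg = dict(fuzzer_cfg)
    for item in overrides:
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError("override must look like key=value: %r" % item)
        if not key.startswith("fuzzer."):
            continue
        name = key[len("fuzzer."):]
        if name == "cmd_temp":
            raise ValueError("cmd_temp may only be changed in config.py")
        cfg[name] = value
    return cfg


def render_cmd(fuzzer_cfg, **runtime):
    """Fill every {placeholder} in cmd_temp from the dict plus runtime values.

    A placeholder without a value is an error rather than an empty string, so
    a typo in config.py fails before any container is started.
    """
    missing = [k for k in RUNTIME_KEYS if k not in runtime]
    if missing:
        raise ValueError("missing runtime values: %s" % ", ".join(missing))
    values = dict(fuzzer_cfg)
    values.update(runtime)
    try:
        return fuzzer_cfg["cmd_temp"].format(**values)
    except KeyError as exc:
        raise KeyError("cmd_temp placeholder %s has no value in the fuzzer dict" % exc)


def expand_multirun(overrides):
    """Expand comma-separated values (the --multirun sweep syntax) into one
    override list per job: fuzzer=a,b target=x,y gives 2 x 2 = 4 jobs."""
    choices = []
    for item in overrides:
        key, _, value = item.partition("=")
        choices.append(["%s=%s" % (key, v) for v in value.split(",")])
    return [list(combo) for combo in itertools.product(*choices)]


def docker_cmd(name, target, overrides=(), seeds="/seeds", output_path="/out", bin_root="/d/p"):
    """Assemble the docker invocation for one run. Hypothetical layout: the
    instrumented binaries live under {bin_root}/{bin_dir} inside the image."""
    cfg = apply_overrides(FUZZER[name], overrides)
    inner = render_cmd(cfg, seeds=seeds, output_path=output_path,
                       prefix="%s/%s" % (bin_root, cfg["bin_dir"]),
                       target=target, fuzz_args="@@")
    return ["docker", "run", "--rm", "--name", "unifuzz_%s_%s" % (name, target),
            cfg["image"], "sh", "-c", inner]


if __name__ == "__main__":
    sweep = ["repeat_times=1", "fuzzer=mopt,afl", "target=lame,exiv2", "fuzzer.pacemaker_time=2"]
    for job in expand_multirun(sweep):
        fuzzer = [o for o in job if o.startswith("fuzzer=")][0].split("=")[1]
        target = [o for o in job if o.startswith("target=")][0].split("=")[1]
        print(" ".join(docker_cmd(fuzzer, target, job)))
```

Two of the checks are the ones worth keeping in a real driver: refusing to take cmd_temp from the command line (otherwise any override is an arbitrary command run inside the container), and failing on an unfilled placeholder instead of launching afl-fuzz with a half-rendered argument list.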

Reference

UNIFUZZ
