Re: [Xen-devel] [PATCH 11/14] fuzz/x86_emulate: Make input more compact
On 25/08/17 17:43, George Dunlap wrote:
> At the moment, AFL reckons that for any given input, 87% of it is
> completely irrelevant: that is, it can change it as much as it wants
> but have no impact on the result of the test; and yet it can't remove
> it.
>
> This is largely because we interpret the blob handed to us as a large
> struct, including CR values, MSR values, segment registers, and a full
> cpu_user_regs.
>
> Instead, modify our interpretation to have a "set state" stanza at the
> front. Begin by reading a byte; if it is lower than a certain
> threshold, set some state according to what byte it is, and repeat.
> Continue until the byte is above a certain threshold.
>
> This allows AFL to compact any given test case much smaller; to the
> point where now it reckons there is not a single byte of the test file
> which becomes irrelevant. Testing has shown that this option both
> allows AFL to reach coverage much faster, and to have a total coverage
> higher than with the old format.
>
> Make this an option (rather than a unilateral change) to enable
> side-by-side performance comparison of the old and new formats.
>
> Signed-off-by: George Dunlap <george.dunlap@xxxxxxxxxx>
I continue to think this is a bad idea. You are taking a genuine
problem and adding a complicated algorithm to try and fool afl, rather
than fixing the problem.
The reason 87% of input is irrelevant is because it really is. The
input state is full of 64bit values being used for the one or two bits
which we ever look at.
The solution to this problem is to remove the irrelevant information from
fuzz_corpus. I already started doing this with the afl-fast work for
the Xen 4.9 release, but I've basically been doing security work ever
since and haven't had time to continue it.
For the record, this hunk is how I intended to continue the work:
diff --git a/tools/fuzz/x86_instruction_emulator/fuzz-emul.c
b/tools/fuzz/x86_instruction_emulator/fuzz-emul.c
index 74e8c85..dafe435 100644
--- a/tools/fuzz/x86_instruction_emulator/fuzz-emul.c
+++ b/tools/fuzz/x86_instruction_emulator/fuzz-emul.c
@@ -24,7 +24,27 @@
/* Layout of data expected as fuzzing input. */
struct fuzz_corpus
{
- unsigned long cr[5];
+ /* %cr0 */
+ bool pe:1;
+ bool mp:1;
+ bool em:1;
+ bool ts:1;
+ bool pg:1;
+
+ /* %cr4 */
+ bool vme:1;
+ bool pvi:1;
+ bool tsd:1;
+ bool osfxsr:1;
+ bool osxmmexcpt:1;
+ bool umip:1;
+ bool fsgsbase:1;
+ bool osxsave:1;
+
+ /* EFER */
+ bool sce:1;
+ bool lme:1;
+
uint64_t msr[MSR_INDEX_MAX];
struct cpu_user_regs regs;
struct segment_register segments[SEG_NUM];
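Review bot: dropping `unsigned long cr[5]` leaves %cr2, %cr3 and %cr8 (which the second hunk adds to fuzz_state) with no source in the corpus at all; either state in the comment that the emulator never consults them, or keep a field for them here. Two layout points as well: the fifteen flag bits sit directly before `uint64_t msr[MSR_INDEX_MAX]`, so the compiler pads the bitfields up to the alignment of `msr`, and those padding bytes are exactly the kind of input AFL cannot make meaningful, which is the problem this change sets out to fix; and the order and packing of `bool` bitfields is implementation-defined, so a corpus saved under one compiler need not decode identically under another. An explicit `uint32_t flags` with named bit positions avoids both. Finally, nothing in this hunk maps `pe`/`mp`/`em`/`ts`/`pg` and friends onto the full-width values the emulation ops return, so as posted it is a declaration change only; a note that the expansion follows would help.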
@@ -50,6 +70,9 @@ struct fuzz_state
/* Emulation ops, some of which are disabled based on
corpus->options. */
struct x86_emulate_ops ops;
+
+ unsigned long cr0, cr2, cr3, cr4, cr8;
+ uint64_t efer;
};
/*
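Review bot: `cr0`, `cr2`, `cr3`, `cr4`, `cr8` and `efer` are added to fuzz_state with no initialisation path shown, so until the code that builds fuzz_state from the corpus is updated they hold whatever the allocation left (zero if the state is memset), which would silently run every test case in real mode with EFER clear. Suggest a comment on the new members recording which corpus bits each is expanded from, e.g. `/* Expanded from the corpus flag bits at state setup. */`, and a matching hunk (or TODO) for the setup code; note also that %cr2/%cr3/%cr8 have no corresponding bits in the new fuzz_corpus, so they will be constant unless derived some other way.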
Which drops loads of useless bits out of AFL's view.
~Andrew
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel
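As an added illustration of the two corpus layouts under discussion (not code from the patch, the reply, or the Xen tree), the following C program models both: the bitfield corpus sketched in Andrew's hunk, expanded into full %cr0/%cr4/EFER values, and the "set state" stanza format described in George's quoted commit message, decoded into the same state so the two can be compared. The bit positions are the architectural ones from the Intel SDM; the stanza threshold (0x10), the opcode-to-flag assignment, and the names `compact_corpus`, `cpu_state`, `expand_compact`, `decode_stanza` and `state_equal` are this example's own choices and are not Xen's.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Architectural bit positions (Intel SDM vol. 3, ch. 2); Xen's headers
 * provide equivalent X86_CR0_*, X86_CR4_* and EFER_* macros. */
#define CR0_PE         (1UL << 0)
#define CR0_MP         (1UL << 1)
#define CR0_EM         (1UL << 2)
#define CR0_TS         (1UL << 3)
#define CR0_PG         (1UL << 31)
#define CR4_VME        (1UL << 0)
#define CR4_PVI        (1UL << 1)
#define CR4_TSD        (1UL << 2)
#define CR4_OSFXSR     (1UL << 9)
#define CR4_OSXMMEXCPT (1UL << 10)
#define CR4_UMIP       (1UL << 11)
#define CR4_FSGSBASE   (1UL << 16)
#define CR4_OSXSAVE    (1UL << 18)
#define EFER_SCE       (1ULL << 0)
#define EFER_LME       (1ULL << 8)

/* Corpus layout modelled on the bitfield hunk: one bit per flag the
 * emulator consults, so every corpus bit is meaningful to AFL. */
struct compact_corpus {
    bool pe:1, mp:1, em:1, ts:1, pg:1;                          /* %cr0 */
    bool vme:1, pvi:1, tsd:1, osfxsr:1, osxmmexcpt:1,           /* %cr4 */
         umip:1, fsgsbase:1, osxsave:1;
    bool sce:1, lme:1;                                           /* EFER */
};

/* Full-width register values the emulation hooks would hand back. */
struct cpu_state {
    unsigned long cr0, cr2, cr3, cr4, cr8;
    uint64_t efer;
};

/* Expand the fuzzer-visible flag bits into architectural register values. */
void expand_compact(const struct compact_corpus *c, struct cpu_state *s)
{
    memset(s, 0, sizeof(*s));
    s->cr0 = (c->pe ? CR0_PE : 0) | (c->mp ? CR0_MP : 0) | (c->em ? CR0_EM : 0)
           | (c->ts ? CR0_TS : 0) | (c->pg ? CR0_PG : 0);
    s->cr4 = (c->vme ? CR4_VME : 0) | (c->pvi ? CR4_PVI : 0)
           | (c->tsd ? CR4_TSD : 0) | (c->osfxsr ? CR4_OSFXSR : 0)
           | (c->osxmmexcpt ? CR4_OSXMMEXCPT : 0) | (c->umip ? CR4_UMIP : 0)
           | (c->fsgsbase ? CR4_FSGSBASE : 0) | (c->osxsave ? CR4_OSXSAVE : 0);
    s->efer = (c->sce ? EFER_SCE : 0) | (c->lme ? EFER_LME : 0);
}

/* The "set state" stanza from the quoted commit message: opcode bytes below
 * a threshold each set one flag; the first byte at or above the threshold
 * begins the instruction stream. Threshold and opcode numbering are this
 * example's own (hypothetical), not the patch's. */
#define STANZA_THRESHOLD 0x10

static const struct { int reg; uint64_t mask; } stanza_ops[] = {
    { 0, CR0_PE }, { 0, CR0_MP }, { 0, CR0_EM }, { 0, CR0_TS }, { 0, CR0_PG },
    { 1, CR4_VME }, { 1, CR4_PVI }, { 1, CR4_TSD }, { 1, CR4_OSFXSR },
    { 1, CR4_OSXMMEXCPT }, { 1, CR4_UMIP }, { 1, CR4_FSGSBASE },
    { 1, CR4_OSXSAVE }, { 2, EFER_SCE }, { 2, EFER_LME },
};

/* Decode the stanza into *s; returns the offset of the first instruction
 * byte (== len when the whole input is stanza). Opcodes below the threshold
 * with no assignment are consumed and ignored, so a mutated opcode never
 * desynchronises the rest of the input. */
size_t decode_stanza(const uint8_t *buf, size_t len, struct cpu_state *s)
{
    size_t i;
    memset(s, 0, sizeof(*s));
    for (i = 0; i < len && buf[i] < STANZA_THRESHOLD; i++) {
        size_t op = buf[i];
        if (op >= sizeof(stanza_ops) / sizeof(stanza_ops[0]))
            continue;
        switch (stanza_ops[op].reg) {
        case 0: s->cr0  |= stanza_ops[op].mask; break;
        case 1: s->cr4  |= stanza_ops[op].mask; break;
        case 2: s->efer |= stanza_ops[op].mask; break;
        }
    }
    return i;
}

/* Both decoders zero the struct first, so a byte-wise compare is sound. */
bool state_equal(const struct cpu_state *a, const struct cpu_state *b)
{
    return memcmp(a, b, sizeof(*a)) == 0;
}

int main(void)
{
    /* Constructed input: PE+PG, OSFXSR, LME, then two NOPs as the
     * instruction stream. Only the first four bytes are stanza. */
    static const uint8_t blob[] = { 0x00, 0x04, 0x08, 0x0e, 0x90, 0x90 };
    struct compact_corpus c = { .pe = 1, .pg = 1, .osfxsr = 1, .lme = 1 };
    struct cpu_state from_bits, from_stanza;
    size_t insn_off;

    expand_compact(&c, &from_bits);
    insn_off = decode_stanza(blob, sizeof(blob), &from_stanza);
    printf("cr0=%#lx cr4=%#lx efer=%#llx insn at %zu, match=%d\n",
           from_stanza.cr0, from_stanza.cr4,
           (unsigned long long)from_stanza.efer, insn_off,
           state_equal(&from_bits, &from_stanza));
    return 0;
}
```

For the constructed six-byte input both paths produce the same state, with the stanza ending at offset 4. The caveat that applies to the bitfield layout: a `uint64_t` member following fifteen bits of bitfields is padded to its alignment, and the packing order of bitfields is implementation-defined, so the padding bytes are still input AFL cannot make meaningful and a corpus produced under one compiler need not decode identically under another; the stanza format has no such padding but leaves unassigned opcodes below the threshold as dead input.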