[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 11/14] fuzz/x86_emulate: Make input more compact

On 25/08/17 17:43, George Dunlap wrote:
> At the moment, AFL reckons that for any given input, 87% of it is
> completely irrelevant: that is, it can change it as much as it wants
> but have no impact on the result of the test; and yet it can't remove
> it.
> This is largely because we interpret the blob handed to us as a large
> struct, including CR values, MSR values, segment registers, and a full
> cpu_user_regs.
> Instead, modify our interpretation to have a "set state" stanza at the
> front.  Begin by reading a byte; if it is lower than a certain
> threshold, set some state according to what byte it is, and repeat.
> Continue until the byte is above a certain threshold.
> This allows AFL to compact any given test case much smaller; to the
> point where now it reckons there is not a single byte of the test file
> which becomes irrelevant.  Testing have shown that this option both
> allows AFL to reach coverage much faster, and to have a total coverage
> higher than with the old format.
> Make this an option (rather than a unilateral change) to enable
> side-by-side performance comparison of the old and new formats.
> Signed-off-by: George Dunlap <george.dunlap@xxxxxxxxxx>

I continue to think this is a bad idea.  You are taking a genuine
problem and adding a complicated algorithm to try and fool alf, rather
than fixing the problem.

The reason 87% of input is irrelevant is because it really is.  The
input state is full of 64bit values being used for a one or two bits
which we ever look at.

The solution to this problem is remove the irrelevant information from
fuzz_corpus.  I already started doing this with the alf-fast work for
the Xen 4.9 release, but I've basically been doing security work ever
since and haven't had time to continue it.

For the record, this hunk is how I intended to continue the work:

diff --git a/tools/fuzz/x86_instruction_emulator/fuzz-emul.c
index 74e8c85..dafe435 100644
--- a/tools/fuzz/x86_instruction_emulator/fuzz-emul.c
+++ b/tools/fuzz/x86_instruction_emulator/fuzz-emul.c
@@ -24,7 +24,27 @@
 /* Layout of data expected as fuzzing input. */
 struct fuzz_corpus
-    unsigned long cr[5];
+    /* %cr0 */
+    bool pe:1;
+    bool mp:1;
+    bool em:1;
+    bool ts:1;
+    bool pg:1;
+    /* %cr4 */
+    bool vme:1;
+    bool pvi:1;
+    bool tsd:1;
+    bool osfxsr:1;
+    bool osxmmexcpt:1;
+    bool umip:1;
+    bool fsgsbase:1;
+    bool osxsave:1;
+    /* EFER */
+    bool sce:1;
+    bool lme:1;
     uint64_t msr[MSR_INDEX_MAX];
     struct cpu_user_regs regs;
     struct segment_register segments[SEG_NUM];
@@ -50,6 +70,9 @@ struct fuzz_state
     /* Emulation ops, some of which are disabled based on
corpus->options. */
     struct x86_emulate_ops ops;
+    unsigned long cr0, cr2, cr3, cr4, cr8;
+    uint64_t efer;

Which drops loads of useless bits out of AFLs view.


Xen-devel mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.