Port random fuzzing parameters to AFLplusplus by jiradeto · Pull Request #1 · Practical-Formal-Methods/AFLplusplus

jiradeto · 2021-09-02T05:39:58Z

This PR ports the idea of randomizing fuzzing parameters (i.e. random weight selection, uniformly random selection, etc.) implemented in Practical-Formal-Methods/AFL-public#6 to afl++.

jiradeto · 2021-09-02T05:55:31Z

The experiment result is available:

Configurations:

app_frozen: AFLplusplus with stable branch (353d402aaf9296c7dbd47e66fbbc6e59179c4e44)
afl_wrs_rf_rp:
afl_wrs_rp: AFL_DISABLE_RF=1
app_rf_u_wrs: AFL_ENABLE_UF=1, AFL_DISABLE_RP=1

wuestholz · 2021-09-03T08:08:06Z

@jiradeto Thanks! Looks like afl_wrs_rp is the most competitive, but it's only better than the baseline for bloaty.... I should probably take a closer look at the code.

As discussed, something might be off with the RF option. Let's try to tweak the parameters for AFL first.

include/afl-fuzz.h

src/afl-fuzz.c

jiradeto · 2021-09-27T07:48:31Z

@wuestholz the experiment result of the recent fix is available. I compare the buggy version app_wrs_rf_old against the fixed version app_wrs_rf_new to highlight the difference. The statistics of the experiment is also recored in this sheet.

The fewer executions we previously had is clearly due to the uninitialized fuzzing parameters as we expected :) Thank you for noticing this strange behaviour in the first place.

wuestholz · 2021-09-27T15:42:48Z

@jiradeto Great! Thanks for the update! That looks much better. We actually seem to outperform vanilla AFL++ for some benchmarks.

On the other hand, for some benchmarks we're still something like 2x slower. I wonder what that might be due to. Any ideas? Did you by any chance measure the overhead for specific code we added?

jiradeto · 2021-09-28T13:54:08Z

On the other hand, for some benchmarks we're still something like 2x slower. I wonder what that might be due to. Any ideas? Did you by any chance measure the overhead for specific code we added?

This experiment setting does not include the afl++ variant that measures the overhead. I am starting another experiment to collect this information and will keep you updated.

wuestholz · 2021-09-28T19:49:33Z

Great! Thanks a lot! 👍

jiradeto · 2021-10-01T16:29:40Z

@wuestholz I pushed the latest implementation that changes how we compute the favored inputs as we discussed. This PR is ready for further review. Thank you in advance.

src/afl-fuzz-queue.c

wuestholz · 2021-10-04T13:16:41Z

@jiradeto Thanks! I left some comments. Have you already tried this for sqlite?

jiradeto · 2021-10-04T16:20:39Z

@jiradeto Thanks! I left some comments. Have you already tried this for sqlite?

@wuestholz Thank you for your feedback. I haven't started any experiment yet as I was unsure about my implementation. Now I think it's ready for the fuzzbench experiment.

wuestholz · 2021-10-04T16:30:06Z

@jiradeto Great! Thanks! Yeah, looks ready to run some experiments.

jiradeto · 2021-10-07T15:54:12Z

As discussed I would merge this PR and request the fuzzbench experiment with the following fuzzers that are inspired by our previous experiment:

aflplusplus (vanilla AFL++)
app_no_favs: DISABLE_WRS && DISABLE_RF && !ENABLE_UF && DISABLE_FAVS
app_wrs_rf: !DISABLE_WRS && !DISABLE_RF && !ENABLE_UF && !DISABLE_FAVS
app_rf: DISABLE_WRS && !DISABLE_RF && !ENABLE_UF && !DISABLE_FAVS
app_rf_u: DISABLE_WRS && !DISABLE_RF && ENABLE_UF && !DISABLE_FAVS
app_wrs: !DISABLE_WRS && DISABLE_RF && !ENABLE_UF && !DISABLE_FAVS

What do you think? @wuestholz

wuestholz · 2021-10-07T20:07:57Z

@jiradeto Thanks! Yeah, please merge this.

I think we should also consider the AFL_DISABLE_RP option. Or did we somehow determine that it's not useful?

What do you think about the following?

aflplusplus (vanilla AFL++)
app_no_favs: DISABLE_WRS && DISABLE_RF && !ENABLE_UF && DISABLE_RP && DISABLE_FAVS
app_wrs_rf_rp: !DISABLE_WRS && !DISABLE_RF && !ENABLE_UF && !DISABLE_RP && !DISABLE_FAVS
app_wrs_rf: !DISABLE_WRS && !DISABLE_RF && !ENABLE_UF && DISABLE_RP && !DISABLE_FAVS
app_wrs_rp: !DISABLE_WRS && DISABLE_RF && !ENABLE_UF && !DISABLE_RP && !DISABLE_FAVS
app_wrs: !DISABLE_WRS && DISABLE_RF && !ENABLE_UF && DISABLE_RP && !DISABLE_FAVS

jiradeto · 2021-10-08T15:20:41Z

@wuestholz, seem like I missed those essential configurations. Thank you for your suggestion.

BTW, I think I don't have permission on this repository. Could you please merge this PR?

wuestholz · 2021-10-08T16:09:17Z

@jiradeto Now that I think about it, we don't need to merge after all. :) I thought there was a separate PR for the optimization, but it's already in this PR. We can just keep this one open.

port random fuzzing parameters into afl++

4f1f4e3

adjust default parameter

b960042

jiradeto commented Sep 22, 2021

View reviewed changes

include/afl-fuzz.h Show resolved Hide resolved

initialize fuzzing params

0a2111b

wuestholz reviewed Sep 23, 2021

View reviewed changes

src/afl-fuzz.c Show resolved Hide resolved

initialize fuzzing params using function

3d9cf95

jiradeto added 2 commits October 1, 2021 23:20

remove struct that stores potential favored inputs

7eb9fb0

skip mini map elimination

2910361

fix typo

65ce02b

wuestholz reviewed Oct 4, 2021

View reviewed changes