MOpt-AFL provided by the paper "MOPT: Optimized Mutation Scheduling for Fuzzers"

Overview

MOpt-AFL

1. Description

MOpt-AFL is a AFL-based fuzzer that utilizes a customized Particle Swarm Optimization (PSO) algorithm to find the optimal selection probability distribution of operators with respect to fuzzing effectiveness. More details can be found in the technical report. The installation of MOpt-AFL is the same as AFL's.

2. Cite Information

Chenyang Lyu, Shouling Ji, Chao Zhang, Yuwei Li, Wei-Han Lee, Yu Song and Raheem Beyah, MOPT: Optimized Mutation Scheduling for Fuzzers, USENIX Security 2019.

3. Seed Sets

We open source all the seed sets used in the paper "MOPT: Optimized Mutation Scheduling for Fuzzers".

4. Experiment Results

The experiment results can be found in https://drive.google.com/drive/folders/184GOzkZGls1H2NuLuUfSp9gfqp1E2-lL?usp=sharing. We only open source the crash files since the space is limited.

5. Technical Report

MOpt_TechReport.pdf is the technical report of the paper "MOPT: Optimized Mutation Scheduling for Fuzzers", which contains more deatails.

6. Parameter Introduction

Most important, you must add the parameter -L (e.g., -L 0) to launch the MOpt scheme.


-L controls the time to move on to the pacemaker fuzzing mode.
-L t: when MOpt-AFL finishes the mutation of one input, if it has not discovered any new unique crash or path for more than t min, MOpt-AFL will enter the pacemaker fuzzing mode.


Setting 0 will enter the pacemaker fuzzing mode at first, which is recommended in a short time-scale evaluation (like 2 hours).
For instance, it may take three or four days for MOpt-AFL to enter the pacemaker fuzzing mode when -L 30.

Hey guys, I realize that most experiments may last no longer than 24 hours. You may have trouble selecting a suitable value of 'L' without testing. So I modify the code in order to employ '-L 1' as the default setting. This means you do not have to add the parameter 'L' to launch the MOpt scheme. If you wish, provide a parameter '-L t' in the cmd can adjust the time when MOpt will enter the pacemaker fuzzing mode as aforementioned. Whether MOpt enters the pacemaker fuzzing mode has a great influence on the fuzzing performance in some cases as shown in our paper.
'-L 1' may not be the best choice but will be acceptable in most cases. I may provide several experiment results to show this situation.

The unique paths found by different fuzzing settings in 24 hours.
Fuzzing setting infotocap @@ -o /dev/null objdump -S @@ sqlite3
MOpt -L 0 3629 5106 10498
MOpt -L 1 3983 5499 9975
MOpt -L 5 3772 2512 9332
MOpt -L 10 4062 4741 9465
MOpt -L 30 3162 1991 6337
AFL 1821 1099 4949

Other important parameters can be found in afl-fuzz.c, for instance,
swarm_num: the number of the PSO swarms used in the fuzzing process.
period_pilot: how many times MOpt-AFL will execute the target program in the pilot fuzzing module, then it will enter the core fuzzing module.
period_core: how many times MOpt-AFL will execute the target program in the core fuzzing module, then it will enter the PSO updating module.
limit_time_bound: control how many interesting test cases need to be found before MOpt-AFL quits the pacemaker fuzzing mode and reuses the deterministic stage. 0 < limit_time_bound < 1, MOpt-AFL-tmp. limit_time_bound >= 1, MOpt-AFL-ever.

Having fun with MOpt-AFL.

Citation:

@inproceedings {236282,
author = {Chenyang Lyu and Shouling Ji and Chao Zhang and Yuwei Li and Wei-Han Lee and Yu Song and Raheem Beyah},
title = {{MOPT}: Optimized Mutation Scheduling for Fuzzers},
booktitle = {28th {USENIX} Security Symposium ({USENIX} Security 19)},
year = {2019},
isbn = {978-1-939133-06-9},
address = {Santa Clara, CA},
pages = {1949--1966},
url = {https://www.usenix.org/conference/usenixsecurity19/presentation/lyu},
publisher = {{USENIX} Association},
month = aug,
}
Comments
  • There may be a potential bug in havoc stage.

    There may be a potential bug in havoc stage.

    case 1:
    	if (temp_len < 2) break;
    	temp_len_puppet = UR(temp_len << 3);
    	FLIP_BIT(out_buf, temp_len_puppet);
    	FLIP_BIT(out_buf, temp_len_puppet + 1);
    	stage_cycles_puppet_v2[swarm_now][STAGE_FLIP2] += 1;
    	break;
    case 2:
    	if (temp_len < 2) break;
    	temp_len_puppet = UR(temp_len << 3);
    	FLIP_BIT(out_buf, temp_len_puppet);
    	FLIP_BIT(out_buf, temp_len_puppet + 1);
    	FLIP_BIT(out_buf, temp_len_puppet + 2);
    	FLIP_BIT(out_buf, temp_len_puppet + 3);
    	stage_cycles_puppet_v2[swarm_now][STAGE_FLIP4] += 1;
    	break;
    

    When the temp_len_puppet == (temp_len << 3) -1, FLIP_BIT will flip a bit out of out_buf.

    And When ck_free(out_buf), It will cause an error.

    Here is my test code

    #define FLIP_BIT(_ar, _b)                                                      \
        do {                                                                       \
            u8 *_arf = (u8 *)(_ar);                                                \
            u32 _bf = (_b);                                                        \
            _arf[(_bf) >> 3] ^= (128 >> ((_bf)&7));                                \
        } while (0)
    
    int main() {
        u8 *a = ck_alloc_nozero(10);
        memset(a, 0xff, 10);
        FLIP_BIT(a, 77);
        FLIP_BIT(a, 78);
        FLIP_BIT(a, 79);
        FLIP_BIT(a, 80);
        ck_free(a);
        return 0;
    }
    

    And the result is

    [-] PROGRAM ABORT : Corrupted tail alloc canary.         
        Stop location : DFL_ck_free(), /home/xx/project/AFLTest/alloc-inl.h:150  
    

    In deterministic stage, the stage_max = (len << 3) -3. So FLIP_BIT will not flip a bit out of out_buf.

    stage_name = "bitflip 4/1";
    stage_short = "flip4";
    stage_max = (len << 3) - 3;
    
    orig_hit_cnt = new_hit_cnt;
    
    for (stage_cur = 0; stage_cur < stage_max; stage_cur++) {
    
       stage_cur_byte = stage_cur >> 3;
    
       FLIP_BIT(out_buf, stage_cur);
       FLIP_BIT(out_buf, stage_cur + 1);
       FLIP_BIT(out_buf, stage_cur + 2);
       FLIP_BIT(out_buf, stage_cur + 3);
    
        if (common_fuzz_stuff(argv, out_buf, len))
           goto abandon_entry;
    
        FLIP_BIT(out_buf, stage_cur);
        FLIP_BIT(out_buf, stage_cur + 1);
        FLIP_BIT(out_buf, stage_cur + 2);
        FLIP_BIT(out_buf, stage_cur + 3);
    }
    

    However, I have not seen such error when I use MOPT. But this may be a potential problem. Or maybe you did something else to avoid such problem?

    opened by LimbicSys 5
  • fuzz w3m with MOpt timeout

    fuzz w3m with MOpt timeout

    When I fuzz w3m with MOpt and also AFL, it always timeout, do you meet the same problem? please help, thank you! the commond I use is shown above, and my os is Ubuntu 18.04

    git clone https://github.com/tats/w3m.git
    cd w3m
    ./configure
    make
    afl-fuzz -Q -i path/to/input/dir -o path/to/output/dir path/to/w3m @@
    

    then the output is

    [-] The program took more than 1000 ms to process one of the initial test cases.
        This is bad news; raising the limit with the -t option is possible, but
        will probably make the fuzzing process extremely slow.
    
        If this test case is just a fluke, the other option is to just avoid it
        altogether, and find one that is less of a CPU hog.
    
    [-] PROGRAM ABORT : Test case 'id:000000,orig:0.txt' results in a timeout
             Location : perform_dry_run(), afl-fuzz.c:2823
    
    opened by imbawenzi 4
  • SmartSeed source code missing

    SmartSeed source code missing

    In the paper "SmartSeed: Smart Seed Generation for EfficientFuzzing", it is stated that

    We also make our system publicly available to facilitate the research in this area, which is available at: https://github.com/puppet-meteor/SmartSeed

    However, this still has not been done. Do you still plan to do so?

    opened by BinaryResearch 4
  • Can not find any crash in LAVA-M base64 in 5 hours.

    Can not find any crash in LAVA-M base64 in 5 hours.

    Hello, I try to run the experiment in the paper and run MOpt-AFL in LAVA-M, and I run base64 in 5 hours, but I can not find any crash. Here is the instruction I ues: MOpt-AFL/MOpt/afl-fuzz -m none -i fuzzer_input/ -o output4 -Q coreutils-8.24-lava-safe/lava-install/bin/base64 -d @@ Here is the run result: 1 Thanks for your help!!!

    opened by liuliqaz 2
  • Compilation fails when using LLVM 9

    Compilation fails when using LLVM 9

    When compiling with LLVM 9, the post build tests contained in llvm_mode/Makefile are failing. It is a known problem that has been fixed in the AFL repository.

    Comment explaining the problem: https://github.com/google/AFL/issues/30#issuecomment-530716446 Commit fixing the problem: https://github.com/google/AFL/commit/1f414d53535ea470bba3858bc1324081baf22c75

    I hope this helps, I can make a pull request if needed.

    opened by lromerio 2
  • AFLplusplus wants you

    AFLplusplus wants you

    Hi guys, you have done a very cool work congratulations. I'm here to ask if you want to contribute to https://github.com/vanhauser-thc/AFLplusplus and submit a pull request including your changes to AFL. AFL++ is a the son of AFL (the lastest change to AFL is at least 2 years ago) which merges all the best features independently added to AFL in recent years in a single implementation. The results in the paper are awesome and I'd like to see this technique merged so that all the best of the AFL family can live in a single repo and avoid fragmentation.

    Thanks, Andrea

    opened by andreafioraldi 2
  • Run with

    Run with "-d" parameter?

    Hi, I looked into the code and noticed that MOpt changes no codes in the deterministic mutation stage. Is it true that we should run MOpt with "-d" that skip the deterministic stage? Thanks

    opened by zhanggenex 1
  • key_puppet never goes back to 0

    key_puppet never goes back to 0

    https://github.com/puppet-meteor/MOpt-AFL/blob/a9a5dc5c0c291c1cdb09b2b7b27d7cbf1db7ce7b/MOpt/afl-fuzz.c#L8689

    I formatted the code a bit, and it reads:

    ...
    if (unlikely(
            queued_paths + unique_crashes >
          ((queued_paths + unique_crashes) * 1.1 + orig_hit_cnt_puppet))) {
    key_puppet = 0;
    ...
    

    If I understand correctly, key_puppet never goes back to 0 (due to the factor of 1.1 and the addition of u64 orig_hit_cnt_puppet). Could you please explain the design behind? Thanks in advance!

    opened by hghwng 2
Owner
null
FIRM-AFL is the first high-throughput greybox fuzzer for IoT firmware.

FIRM-AFL FIRM-AFL is the first high-throughput greybox fuzzer for IoT firmware. FIRM-AFL addresses two fundamental problems in IoT fuzzing. First, it

null 356 Dec 23, 2022
Fuzzing the Kernel Using Unicornafl and AFL++

Unicorefuzz Fuzzing the Kernel using UnicornAFL and AFL++. For details, skim through the WOOT paper or watch this talk at CCCamp19. Is it any good? ye

Security in Telecommunications 283 Dec 26, 2022
Driller: augmenting AFL with symbolic execution!

Driller Driller is an implementation of the driller paper. This implementation was built on top of AFL with angr being used as a symbolic tracer. Dril

Shellphish 791 Jan 6, 2023
FairFuzz: AFL extension targeting rare branches

FairFuzz An AFL extension to increase code coverage by targeting rare branches. FairFuzz has a particular advantage on programs with highly nested str

Caroline Lemieux 222 Nov 16, 2022
IJON is an annotation mechanism that analysts can use to guide fuzzers such as AFL.

IJON SPACE EXPLORER IJON is an annotation mechanism that analysts can use to guide fuzzers such as AFL. Using only a small (usually one line) annotati

Chair for Sys­tems Se­cu­ri­ty 146 Dec 16, 2022
Directed Greybox Fuzzing with AFL

AFLGo: Directed Greybox Fuzzing AFLGo is an extension of American Fuzzy Lop (AFL). Given a set of target locations (e.g., folder/file.c:582), AFLGo ge

null 380 Nov 24, 2022
AFLFast (extends AFL with Power Schedules)

AFLFast Power schedules implemented by Marcel Böhme <[email protected]>. AFLFast is an extension of AFL which is written and maintained by Michal

Marcel Böhme 380 Jan 3, 2023
AFL binary instrumentation

E9AFL --- Binary AFL E9AFL inserts American Fuzzy Lop (AFL) instrumentation into x86_64 Linux binaries. This allows binaries to be fuzzed without the

null 242 Dec 12, 2022
Provided is code that demonstrates the training and evaluation of the work presented in the paper: "On the Detection of Digital Face Manipulation" published in CVPR 2020.

FFD Source Code Provided is code that demonstrates the training and evaluation of the work presented in the paper: "On the Detection of Digital Face M

null 88 Nov 22, 2022
This script runs neural style transfer against the provided content image.

Neural Style Transfer Content Style Output Description: This script runs neural style transfer against the provided content image. The content image m

Martynas Subonis 0 Nov 25, 2021
A deep learning based semantic search platform that computes similarity scores between provided query and documents

semanticsearch This is a deep learning based semantic search platform that computes similarity scores between provided query and documents. Documents

null 1 Nov 30, 2021
A task Provided by A respective Artenal Ai and Ml based Company to complete it

A task Provided by A respective Alternal Ai and Ml based Company to complete it .

Parth Madan 1 Jan 25, 2022
Automatically measure the facial Width-To-Height ratio and get facial analysis results provided by Microsoft Azure

fwhr-calc-website This project is to automatically measure the facial Width-To-Height ratio and get facial analysis results provided by Microsoft Azur

SoohyunPark 1 Feb 7, 2022
The LaTeX and Python code for generating the paper, experiments' results and visualizations reported in each paper is available (whenever possible) in the paper's directory

This repository contains the software implementation of most algorithms used or developed in my research. The LaTeX and Python code for generating the

João Fonseca 3 Jan 3, 2023
Inference code for "StylePeople: A Generative Model of Fullbody Human Avatars" paper. This code is for the part of the paper describing video-based avatars.

NeuralTextures This is repository with inference code for paper "StylePeople: A Generative Model of Fullbody Human Avatars" (CVPR21). This code is for

Visual Understanding Lab @ Samsung AI Center Moscow 18 Oct 6, 2022
Code for paper ECCV 2020 paper: Who Left the Dogs Out? 3D Animal Reconstruction with Expectation Maximization in the Loop.

Who Left the Dogs Out? Evaluation and demo code for our ECCV 2020 paper: Who Left the Dogs Out? 3D Animal Reconstruction with Expectation Maximization

Benjamin Biggs 29 Dec 28, 2022
Fast image augmentation library and easy to use wrapper around other libraries. Documentation: https://albumentations.ai/docs/ Paper about library: https://www.mdpi.com/2078-2489/11/2/125

Albumentations Albumentations is a Python library for image augmentation. Image augmentation is used in deep learning and computer vision tasks to inc

null 11.4k Jan 9, 2023
The project is an official implementation of our CVPR2019 paper "Deep High-Resolution Representation Learning for Human Pose Estimation"

Deep High-Resolution Representation Learning for Human Pose Estimation (CVPR 2019) News [2020/07/05] A very nice blog from Towards Data Science introd

Leo Xiao 3.9k Jan 5, 2023
Home repository for the Regularized Greedy Forest (RGF) library. It includes original implementation from the paper and multithreaded one written in C++, along with various language-specific wrappers.

Regularized Greedy Forest Regularized Greedy Forest (RGF) is a tree ensemble machine learning method described in this paper. RGF can deliver better r

RGF-team 364 Dec 28, 2022