def __perform_grimoire(self, payload, metadata):
perf = 1 / metadata["performance"]
grimoire_input = None
if "grimoire" in metadata:
if "generalized_input" in metadata["grimoire"]:
grimoire_input = metadata["grimoire"]["generalized_input"]
if grimoire_input:
havoc_amount = havoc.havoc_range(perf * self.HAVOC_MULTIPLIER *
2.0)
if len(self.grimoire.generalized_inputs) < havoc_amount / 4:
havoc_amount = len(self.grimoire.generalized_inputs) * 2
grimoire.havoc(tuple(grimoire_input),
self.execute,
self.grimoire,
havoc_amount,
generalized=True)
else:
havoc_amount = havoc.havoc_range(perf * self.HAVOC_MULTIPLIER)
if len(self.grimoire.generalized_inputs) < havoc_amount / 4:
havoc_amount = len(self.grimoire.generalized_inputs)
generalized_input = tuple([b''] + [bytes([c])
for c in payload] + [b''])
grimoire.havoc(generalized_input,
self.execute,
self.grimoire,
havoc_amount,
generalized=False)
def __perform_grimoire(self, payload, metadata, grimoire_info,
default_info):
perf = 1 / metadata["info"]["performance"]
if grimoire_info and "generalized_input" in grimoire_info:
havoc_amount = havoc.havoc_range(perf * self.HAVOC_MULTIPLIER *
2.0)
if len(self.grimoire.generalized_inputs) < havoc_amount / 4:
havoc_amount = len(self.grimoire.generalized_inputs) * 2
grimoire.havoc(tuple(grimoire_info["generalized_input"]),
self.execute,
default_info,
self.grimoire,
havoc_amount,
generalized=True)
else:
havoc_amount = havoc.havoc_range(perf * self.HAVOC_MULTIPLIER)
if len(self.grimoire.generalized_inputs) < havoc_amount / 4:
havoc_amount = len(self.grimoire.generalized_inputs)
generalized_input = tuple(["gap"] + [c for c in payload] + ["gap"])
grimoire.havoc(generalized_input,
self.execute,
default_info,
self.grimoire,
havoc_amount,
generalized=False)
def __calc_stage_iterations(self):
self.kafl_state["progress_redqueen"] = 0
self.kafl_state["progress_bitflip"] = 0
self.kafl_state["progress_arithmetic"] = 0
self.kafl_state["progress_interesting"] = 0
self.kafl_state["progress_havoc"] = 0
self.kafl_state["progress_specific"] = 0
self.kafl_state["payload_size"] = len(self.payload)
self.kafl_state["payload"] = self.payload
limiter_map = []
for i in range(len(self.payload)):
limiter_map.append(True)
if self.config.argument_values['i']:
for ignores in self.config.argument_values['i']:
log_master("Ignore-range 0: " + str(ignores[0]) + " " +
str(min(ignores[0], len(self.payload))))
log_master("Ignore-range 1: " + str(ignores[1]) + " " +
str(min(ignores[1], len(self.payload))))
for i in range(min(ignores[0], len(self.payload)),
min(ignores[1], len(self.payload))):
limiter_map[i] = False
if self.config.argument_values['D']:
self.kafl_state["progress_bitflip_amount"] = bitflip_range(
self.payload,
skip_null=self.skip_zero,
effector_map=limiter_map)
self.kafl_state["progress_arithmetic_amount"] = arithmetic_range(
self.payload,
skip_null=self.skip_zero,
effector_map=limiter_map,
set_arith_max=self.arith_max)
self.kafl_state["progress_interesting_amount"] = interesting_range(
self.payload,
skip_null=self.skip_zero,
effector_map=limiter_map)
else:
self.kafl_state["progress_bitflip_amount"] = 0
self.kafl_state["progress_arithmetic_amount"] = 0
self.kafl_state["progress_interesting_amount"] = 0
self.kafl_state["progress_havoc_amount"] = havoc.havoc_range(
self.kafl_state.get_performance() * self.HAVOC_MULTIPLIER)
self.kafl_state["progress_specific_amount"] = havoc.havoc_range(
self.kafl_state.get_performance() *
self.HAVOC_MULTIPLIER) / self.RADAMSA_DIV
self.__start_benchmark(self.round_counter)
return limiter_map
def __perform_radamsa(self, payload_array, metadata):
perf = metadata["performance"]
radamsa_amount = havoc.havoc_range(
self.HAVOC_MULTIPLIER / perf) // self.RADAMSA_DIV
self.stage_update_label("radamsa")
radamsa.mutate_seq_radamsa_array(payload_array, self.execute,
radamsa_amount)
def __perform_havoc(self, payload_array, metadata, use_splicing):
# log_master("Havoc...")
default_info = {"method": "havoc", "parent": metadata["id"]}
perf = 1 / metadata["info"]["performance"]
if metadata and len(metadata["fav_bits"]) > 0:
havoc_amount = havoc.havoc_range(perf * self.HAVOC_MULTIPLIER *
2.0)
# radamsa_amount = havoc.havoc_range(
# perf * self.HAVOC_MULTIPLIER * 2.0) / self.RADAMSA_DIV
else:
havoc_amount = havoc.havoc_range(perf * self.HAVOC_MULTIPLIER)
# radamsa_amount = havoc.havoc_range(perf * self.HAVOC_MULTIPLIER) / self.RADAMSA_DIV
if not use_splicing:
havoc.mutate_seq_havoc_array(payload_array, self.execute,
default_info, havoc_amount)
else:
havoc.mutate_seq_splice_array(payload_array, self.execute,
default_info, havoc_amount)
def __perform_havoc(self, payload_array, payload, use_splicing):
log_master("Havoc...")
self.kafl_state["progress_bitflip"] = self.kafl_state[
"progress_bitflip_amount"]
self.kafl_state["progress_arithmetic"] = self.kafl_state[
"progress_arithmetic_amount"]
self.kafl_state["progress_interesting"] = self.kafl_state[
"progress_interesting_amount"]
self.kafl_state["progress_redqueen"] = self.kafl_state[
"progress_requeen_amount"]
if payload and payload.node_type == KaflNodeType.favorite:
self.kafl_state["progress_havoc_amount"] = havoc.havoc_range(
self.kafl_state.get_performance() * self.HAVOC_MULTIPLIER *
2.0)
self.kafl_state["progress_specific_amount"] = havoc.havoc_range(
self.kafl_state.get_performance() * self.HAVOC_MULTIPLIER *
2.0) / self.RADAMSA_DIV
else:
self.kafl_state["progress_havoc_amount"] = havoc.havoc_range(
self.kafl_state.get_performance() * self.HAVOC_MULTIPLIER)
self.kafl_state["progress_specific_amount"] = havoc.havoc_range(
self.kafl_state.get_performance() *
self.HAVOC_MULTIPLIER) / self.RADAMSA_DIV
if not use_splicing:
self.kafl_state["technique"] = "HAVOC"
havoc.mutate_seq_havoc_array(
payload_array, self.__havoc_handler,
self.kafl_state["progress_havoc_amount"])
else:
self.kafl_state["technique"] = "SPLICING"
havoc.mutate_seq_splice_array(
payload_array, self.__splicing_handler,
self.kafl_state["progress_havoc_amount"], self.kafl_state)
self.__buffered_handler(None, last_payload=True)
mutate_seq_radamsa_array(payload_array,
self.__radamsa_handler,
self.kafl_state["progress_specific_amount"],
kafl_state=self.kafl_state)
self.__buffered_handler(None, last_payload=True)
def __perform_havoc(self, payload_array, metadata, use_splicing):
perf = metadata["performance"]
havoc_amount = havoc.havoc_range(self.HAVOC_MULTIPLIER / perf)
if use_splicing:
self.stage_update_label("afl_splice")
havoc.mutate_seq_splice_array(payload_array, self.execute,
havoc_amount)
else:
self.stage_update_label("afl_havoc")
havoc.mutate_seq_havoc_array(payload_array, self.execute,
havoc_amount)
def loop(self):
finished_state = False
finished = False
payload = None
self.__init_fuzzing_loop()
self.__perform_bechmark()
while True:
self.__toggle_preliminary_mode(True)
payload_array = array('B', self.payload)
limiter_map = self.__calc_stage_iterations()
if not finished_state:
self.__perform_sampling()
if self.config.argument_values['r']:
colored_alternatives = self.__perform_coloring(
array('B', payload_array))
if colored_alternatives:
havoc.clear_redqueen_dict()
payload_array = array('B', colored_alternatives[0])
self.__perform_redqueen(payload_array,
colored_alternatives)
else:
log_master("input is not stable, skip redqueen")
self.__perform_deterministic(payload_array, limiter_map)
finished = False
preliminary_results = self.__toggle_preliminary_mode(False)
log_master("Number of preliminary findings: " +
str(preliminary_results))
self.__perform_verification(preliminary_results)
self.__perform_import()
if self.havoc_on_demand:
apply_havoc = (self.kafl_state["fav_pending"] < 2)
else:
apply_havoc = True
if apply_havoc:
num_of_finds = self.__get_num_of_finds()
if True:
use_splicing = False
self.__perform_dict(payload_array, payload)
for i in range(16):
self.__toggle_preliminary_mode(True)
self.__perform_havoc(payload_array,
payload,
use_splicing=use_splicing)
finished = True
preliminary_results = self.__toggle_preliminary_mode(
False)
log_master("Number of preliminary findings: " +
str(preliminary_results))
self.__perform_verification(preliminary_results)
self.__perform_import()
num_of_finds_tmp = self.__get_num_of_finds()
if num_of_finds == num_of_finds_tmp or self.stage_abortion:
if i == 0:
use_splicing = True
else:
break
else:
num_of_finds = num_of_finds_tmp
log_master("Repeat!")
self.kafl_state["progress_havoc"] = 0
self.kafl_state["progress_specific"] = 0
self.kafl_state[
"progress_havoc_amount"] = havoc.havoc_range(
self.kafl_state.get_performance() *
self.HAVOC_MULTIPLIER * 4)
self.kafl_state[
"progress_specific_amount"] = havoc.havoc_range(
self.kafl_state.get_performance() *
self.HAVOC_MULTIPLIER *
4) / self.RADAMSA_DIV
self.kafl_state["technique"] = "HAVOC"
payload, finished_state = self.__perform_post_sync(finished)