def test_repro(self):
mock_device = MockDevice()
fuzzer = Fuzzer(mock_device, u'mock-package1', u'mock-target2')
artifacts = ['data/' + artifact for artifact in fuzzer.list_artifacts()]
fuzzer.repro(['-some-lf-arg=value'])
self.assertIn(
' '.join(
mock_device.get_ssh_cmd(
[
'ssh', '::1', 'run',
fuzzer.url(), '-artifact_prefix=data/',
'-some-lf-arg=value'
] + artifacts)), mock_device.host.history)
def test_merge(self):
mock_device = MockDevice()
fuzzer = Fuzzer(mock_device, u'mock-package1', u'mock-target2')
fuzzer.merge(['-some-lf-arg=value'])
self.assertIn(
' '.join(
mock_device.get_ssh_cmd(
[
'ssh', '::1', 'run',
fuzzer.url(), '-artifact_prefix=data/', '-merge=1',
'-merge_control_file=data/.mergefile',
'-some-lf-arg=value data/corpus/', 'data/corpus.prev/'
])), mock_device.host.history)
def test_pull(self):
mock = MockDevice()
fuzzer = Fuzzer(mock, u'mock-package1', u'mock-target3')
parser = Args.make_parser('description')
args = parser.parse_args(['1/3'])
corpus = Corpus.from_args(fuzzer, args)
corpus.pull()
self.assertIn(
' '.join(
mock.get_ssh_cmd([
'scp', '[::1]:' + fuzzer.data_path('corpus/*'), corpus.root
])), mock.host.history)
def main(_):
"""Constructs the fuzzer and performs fuzzing."""
# Log more
tf.logging.set_verbosity(tf.logging.INFO) # 为将要被记录的日志设置开始入口
# Set the seeds!
if FLAGS.seed:
random.seed(FLAGS.seed)
np.random.seed(FLAGS.seed)
coverage_function = all_logit_coverage_function # 覆盖计算方法,所有logit的绝对值之和
image, label = fuzz_utils.basic_mnist_input_corpus(
choose_randomly=FLAGS.
random_seed_corpus # 这里为False, 返回第一张图片和标签, 图片为28*28*1
)
numpy_arrays = [[image, label]]
with tf.Session() as sess:
tensor_map = fuzz_utils.get_tensors_from_checkpoint( # 载入checkpoints
sess, FLAGS.checkpoint_dir)
fetch_function = fuzz_utils.build_fetch_function(
sess, tensor_map) # ===============
size = FLAGS.mutations_per_corpus_item # 每次变异数量
mutation_function = lambda elt: do_basic_mutations(elt, size) # 变异方法
seed_corpus = seed_corpus_from_numpy_arrays( # 建立seed corpus,输入集 numpy_array是一张图片,返回的 seedcorpus包含一个元素,有metada和coverage信息
numpy_arrays, coverage_function, metadata_function, fetch_function)
corpus = InputCorpus( # 建立input corpus
seed_corpus,
recent_sample_function,
FLAGS.ann_threshold,
"kdtree" # recent_sample_function用于选择下一个元素
)
fuzzer = Fuzzer(
corpus,
coverage_function,
metadata_function,
objective_function,
mutation_function,
fetch_function,
)
result = fuzzer.loop(FLAGS.total_inputs_to_fuzz)
if result is not None:
tf.logging.info("Fuzzing succeeded.")
tf.logging.info(
"Generations to make satisfying element: %s.",
result.oldest_ancestor()[1],
)
else:
tf.logging.info("Fuzzing failed to satisfy objective function.")
def test_push(self):
mock = MockDevice()
fuzzer = Fuzzer(mock, u'mock-package1', u'mock-target3')
parser = Args.make_parser('description')
args = parser.parse_args(['1/3'])
corpus = Corpus.from_args(fuzzer, args)
with tempfile.NamedTemporaryFile(dir=corpus.root) as f:
corpus.push()
self.assertIn(
' '.join(
mock.get_ssh_cmd([
'scp', f.name, '[::1]:' + fuzzer.data_path('corpus')
])), mock.host.history)
def test_from_args(self):
fuzzer = Fuzzer(MockDevice(), u'mock-package1', u'mock-target3')
parser = Args.make_parser('description')
args = parser.parse_args(['1/3'])
corpus = Corpus.from_args(fuzzer, args)
self.assertTrue(os.path.exists(corpus.root))
tmp_dir = tempfile.mkdtemp()
try:
args = parser.parse_args(['1/3', '--staging', tmp_dir])
corpus = Corpus.from_args(fuzzer, args)
self.assertEqual(tmp_dir, corpus.root)
finally:
shutil.rmtree(tmp_dir)
def main(_):
"""Constructs the fuzzer and performs fuzzing."""
# Log more
tf.logging.set_verbosity(tf.logging.INFO)
# Set the seeds!
if FLAGS.seed:
random.seed(FLAGS.seed)
np.random.seed(FLAGS.seed)
coverage_function = all_logit_coverage_function # a function to compute coverage
image, label = fuzz_utils.basic_mnist_input_corpus(
choose_randomly=FLAGS.random_seed_corpus)
numpy_arrays = [[image, label]]
with tf.Graph().as_default() as g: # change codes and it works
sess = tf.Session() # here
tensor_map = fuzz_utils.get_tensors_from_checkpoint(
sess, FLAGS.checkpoint_dir)
fetch_function = fuzz_utils.build_fetch_function(sess, tensor_map)
size = FLAGS.mutations_per_corpus_item
mutation_function = lambda elt: do_basic_mutations(elt, size) # pram 1
seed_corpus = seed_corpus_from_numpy_arrays(numpy_arrays,
coverage_function,
metadata_function,
fetch_function)
corpus = InputCorpus(seed_corpus, recent_sample_function,
FLAGS.ann_threshold, "kdtree") # pram 2
fuzzer = Fuzzer(
corpus,
coverage_function,
metadata_function,
objective_function,
mutation_function,
fetch_function,
)
result = fuzzer.loop(FLAGS.total_inputs_to_fuzz) # iterations
if result is not None:
tf.logging.info("Fuzzing succeeded.")
tf.logging.info(
"Generations to make satisfying element: %s.",
result.oldest_ancestor()[1],
)
tf.logging.info("Elements for Crashes: {0}".format(result))
else:
tf.logging.info("Fuzzing failed to satisfy objective function.")
def main(_):
"""Constructs the fuzzer and performs fuzzing."""
# Log more
tf.logging.set_verbosity(tf.logging.INFO)
# Set the seeds!
if FLAGS.seed:
random.seed(FLAGS.seed)
np.random.seed(FLAGS.seed)
# Set up seed images
image, label = fuzz_utils.basic_mnist_input_corpus(
choose_randomly=FLAGS.random_seed_corpus)
seed_inputs = [[image, label]]
with tf.Session() as sess:
# Specify input, coverage, and metadata tensors
input_tensors, coverage_tensors, metadata_tensors = \
fuzz_utils.get_tensors_from_checkpoint(
sess, FLAGS.checkpoint_dir
)
# Construct and run fuzzer
fuzzer = Fuzzer(
sess=sess,
seed_inputs=seed_inputs,
input_tensors=input_tensors,
coverage_tensors=coverage_tensors,
metadata_tensors=metadata_tensors,
coverage_function=sum_coverage_function,
metadata_function=metadata_function,
objective_function=objective_function,
mutation_function=mutation_function,
sample_function=recent_sample_function,
threshold=FLAGS.ann_threshold,
)
result = fuzzer.loop(FLAGS.total_inputs_to_fuzz)
if result is not None:
tf.logging.info("Fuzzing succeeded.")
tf.logging.info(
"Generations to make satisfying element: %s.",
result.oldest_ancestor()[1],
)
else:
tf.logging.info("Fuzzing failed to satisfy objective function.")
def main(_):
"""Constructs the fuzzer and performs fuzzing."""
# Log more
tf.logging.set_verbosity(tf.logging.INFO)
# Set the seeds!
if FLAGS.seed:
random.seed(FLAGS.seed)
np.random.seed(FLAGS.seed)
# Set up seed inputs
sz = 16
# target_seed = np.random.uniform(low=0.0, high=1.0, size=(sz,))
target_seed = np.ones(sz, dtype=np.uint32) * 4
seed_inputs = [[target_seed]]
# Specify input, coverage, and metadata tensors
input_tensor = tf.placeholder(tf.int32, [None, sz])
op_tensor = tf.cumprod(input_tensor)
grad_tensors = tf.gradients(op_tensor, input_tensor)
with tf.Session() as sess:
# Construct and run fuzzer
fuzzer = Fuzzer(
sess=sess,
seed_inputs=seed_inputs,
input_tensors=[input_tensor],
coverage_tensors=grad_tensors,
metadata_tensors=grad_tensors,
coverage_function=raw_coverage_function,
metadata_function=metadata_function,
objective_function=objective_function,
mutation_function=mutation_function,
sample_function=recent_sample_function,
threshold=FLAGS.ann_threshold,
)
result = fuzzer.loop(FLAGS.total_inputs_to_fuzz)
if result is not None:
tf.logging.info("Fuzzing succeeded.")
tf.logging.info(
"Generations to make satisfying element: %s.",
result.oldest_ancestor()[1],
)
else:
tf.logging.info("Fuzzing failed to satisfy objective function.")
def test_symbolize_log_pid_from_deadly_signal(self):
mock_device = MockDevice()
base_dir = tempfile.mkdtemp()
fuzzer = Fuzzer(
mock_device, u'mock-package1', u'mock-target2', output=base_dir)
os.mkdir(fuzzer.results())
with tempfile.TemporaryFile() as tmp_out:
with tempfile.TemporaryFile() as tmp_in:
tmp_in.write(
"""
A line
Another line
==67890== ERROR: libFuzzer: deadly signal
MS: 1 SomeMutation; base unit: foo
Yet another line
artifact_prefix='data/'; Test unit written to data/crash-cccc
""")
tmp_in.flush()
tmp_in.seek(0)
fuzzer.symbolize_log(tmp_in, tmp_out)
tmp_out.flush()
tmp_out.seek(0)
self.assertIn(
' '.join(
mock_device.get_ssh_cmd(
[
'scp', '[::1]:' + fuzzer.data_path('crash-cccc'),
fuzzer.results()
])), mock_device.host.history)
self.assertEqual(
tmp_out.read(), """
A line
Another line
==67890== ERROR: libFuzzer: deadly signal
Symbolized line 1
Symbolized line 2
Symbolized line 3
MS: 1 SomeMutation; base unit: foo
Yet another line
artifact_prefix='data/'; Test unit written to data/crash-cccc
""")
def main():
parser = Args.make_parser(
description='Reports status for the fuzzer matching NAME if provided, '
+
'or for all running fuzzers. Status includes execution state, corpus '
+ 'size, and number of artifacts.',
name_required=False)
args = parser.parse_args()
host = Host()
device = Device.from_args(host, args)
fuzzers = Fuzzer.filter(host.fuzzers, args.name)
pids = device.getpids()
silent = True
for pkg, tgt in fuzzers:
fuzzer = Fuzzer(device, pkg, tgt)
if not args.name and tgt not in pids:
continue
silent = False
if tgt in pids:
print(str(fuzzer) + ': RUNNING')
else:
print(str(fuzzer) + ': STOPPED')
print(' Output path: ' + fuzzer.data_path())
print(' Corpus size: %d inputs / %d bytes' %
fuzzer.measure_corpus())
artifacts = fuzzer.list_artifacts()
if len(artifacts) == 0:
print(' Artifacts: None')
else:
print(' Artifacts: ' + artifacts[0])
for artifact in artifacts[1:]:
print(' ' + artifact)
if silent:
print(
'No fuzzers are running. Include \'name\' to check specific fuzzers.'
)
return 1
return 0
def main(_):
"""Configures and runs the fuzzer."""
# Log more
tf.logging.set_verbosity(tf.logging.INFO)
# Set up initial seed inputs
target_seed = np.random.uniform(low=0.0, high=1.0, size=(1, ))
seed_inputs = [[target_seed]]
# Specify input, coverage, and metadata tensors
targets_tensor = tf.placeholder(tf.float32, [64, 1])
coverage_tensor = tf.identity(targets_tensor)
loss_batch_tensor, _ = binary_cross_entropy_with_logits(
tf.zeros_like(targets_tensor), tf.nn.sigmoid(targets_tensor))
grads_tensor = tf.gradients(loss_batch_tensor, targets_tensor)[0]
# Construct and run fuzzer
with tf.Session() as sess:
fuzzer = Fuzzer(sess=sess,
seed_inputs=seed_inputs,
input_tensors=[targets_tensor],
coverage_tensors=[coverage_tensor],
metadata_tensors=[loss_batch_tensor, grads_tensor],
coverage_function=raw_coverage_function,
metadata_function=metadata_function,
objective_function=objective_function,
mutation_function=mutation_function,
sample_function=uniform_sample_function,
threshold=FLAGS.ann_threshold)
result = fuzzer.loop(FLAGS.total_inputs_to_fuzz)
if result is not None:
tf.logging.info("Fuzzing succeeded.")
tf.logging.info(
"Generations to make satisfying element: %s.",
result.oldest_ancestor()[1],
)
else:
tf.logging.info("Fuzzing failed to satisfy objective function.")
def test_start(self):
mock_device = MockDevice()
base_dir = tempfile.mkdtemp()
try:
fuzzer = Fuzzer(
mock_device, u'mock-package1', u'mock-target2', output=base_dir)
fuzzer.start(['-some-lf-arg=value'])
finally:
shutil.rmtree(base_dir)
self.assertIn(
' '.join(
mock_device.get_ssh_cmd(
[
'ssh',
'::1',
'run',
fuzzer.url(),
'-artifact_prefix=data/',
'-some-lf-arg=value',
'-jobs=1',
'-dict=pkg/data/mock-target2/dictionary',
'data/corpus/',
])), mock_device.host.history)
def test_symbolize_log_no_mutation_sequence(self):
mock_device = MockDevice()
base_dir = tempfile.mkdtemp()
fuzzer = Fuzzer(
mock_device, u'mock-package1', u'mock-target2', output=base_dir)
os.mkdir(fuzzer.results())
with tempfile.TemporaryFile() as tmp_out:
with tempfile.TemporaryFile() as tmp_in:
tmp_in.write("""
A line
Another line
Yet another line
""")
tmp_in.flush()
tmp_in.seek(0)
fuzzer.symbolize_log(tmp_in, tmp_out)
tmp_out.flush()
tmp_out.seek(0)
self.assertEqual(
tmp_out.read(), """
A line
Another line
Yet another line
""")
def test_measure_corpus(self):
fuzzer = Fuzzer(MockDevice(), u'mock-package1', u'mock-target1')
sizes = fuzzer.measure_corpus()
self.assertEqual(sizes[0], 2)
self.assertEqual(sizes[1], 1796 + 124)
def main(_):
"""Constructs the fuzzer and fuzzes."""
# Log more
tf.logging.set_verbosity(tf.logging.INFO) # 为将要被记录的日志设置开始入口
coverage_function = raw_logit_coverage_function
image, label = fuzz_utils.basic_mnist_input_corpus( # 一张图片和对应的标签
choose_randomly=FLAGS.random_seed_corpus)
numpy_arrays = [[image, label]]
image_copy = image[:]
with tf.Session() as sess:
tensor_map = fuzz_utils.get_tensors_from_checkpoint(
sess, FLAGS.checkpoint_dir)
fetch_function = fuzz_utils.build_fetch_function(sess,
tensor_map) # 获取模型信息
size = FLAGS.mutations_per_corpus_item
def mutation_function(elt): # elt为一个元素
"""Mutates the element in question."""
return do_basic_mutations(
elt, size,
FLAGS.perturbation_constraint) # 一个元素多次变异,返回多个变异后的数据
""" numpy_arrays = [[image, label]] 一张图片
coverage_function = raw_logit_coverage_function
fetch_function = fuzz_utils.build_fetch_function(sess, tensor_map)
"""
seed_corpus = seed_corpus_from_numpy_arrays( # 建立seed_corpus
numpy_arrays, coverage_function, metadata_function, fetch_function)
corpus = InputCorpus( # 建立input corpus
seed_corpus, recent_sample_function, FLAGS.ann_threshold, "kdtree")
fuzzer = Fuzzer( # 建立Fuzzer对象
corpus, # InputCorpus(Input Corpus)
coverage_function, # 计算神经网络覆盖
metadata_function, # 获取metadata
objective_function, # 目标方法,检查是否被错误分类
mutation_function, # 变异方法
fetch_function, # 获取模型信息
)
result = fuzzer.loop(FLAGS.total_inputs_to_fuzz)
if result is not None:
# Double check that there is persistent disagreement
for idx in range(10):
logits, quantized_logits = sess.run(
[tensor_map["coverage"][0], tensor_map["coverage"][1]],
feed_dict={
tensor_map["input"][0]:
np.expand_dims(result.data[0], 0)
},
)
if np.argmax(logits, 1) != np.argmax(quantized_logits, 1):
tf.logging.info("disagreement confirmed: idx %s", idx)
else:
tf.logging.info("SPURIOUS DISAGREEMENT!!!") # 假的不一致
tf.logging.info("Fuzzing succeeded.")
tf.logging.info(
"Generations to make satisfying element: %s.",
result.oldest_ancestor()[1],
)
max_diff = np.max(result.data[0] - image_copy)
tf.logging.info(
"Max difference between perturbation and original: %s.",
max_diff,
)
else:
tf.logging.info("Fuzzing failed to satisfy objective function.")
def __init__(self): self.fuzzer = Fuzzer(MockDevice(), u'mock-package1', u'mock-target3') self.history = [] super(MockCipd, self).__init__(self.fuzzer)
def __init__(self):
fuzzer = Fuzzer(MockDevice(), u'mock-package1', u'mock-target3')
self.versions = []
super(MockCipd, self).__init__(Corpus(fuzzer))
def main(_):
"""Constructs the fuzzer and fuzzes."""
# Sets the threshold for what messages will be logged.
# Log more
tf.logging.set_verbosity(tf.logging.INFO)
# all works
# coverage_function = raw_logit_coverage_function
coverage_function = all_logit_coverage_function
# get inputs corpus data
image, label = fuzz_utils.basic_mnist_input_corpus(
choose_randomly=FLAGS.random_seed_corpus)
numpy_arrays = [[image, label]]
image_copy = image[:]
with tf.Graph().as_default() as g:
sess = tf.Session()
tensor_map = fuzz_utils.get_tensors_from_checkpoint(
sess, FLAGS.checkpoint_dir)
fetch_function = fuzz_utils.build_fetch_function(sess, tensor_map)
size = FLAGS.mutations_per_corpus_item # 100
def mutation_function(elt):
"""Mutates the element in question."""
return do_basic_mutations(elt, size, FLAGS.perturbation_constraint)
# initialization of seed corpus
seed_corpus = seed_corpus_from_numpy_arrays(numpy_arrays,
coverage_function,
metadata_function,
fetch_function)
corpus = InputCorpus(seed_corpus, recent_sample_function,
FLAGS.ann_threshold, FLAGS.algorithm)
fuzzer = Fuzzer(
corpus,
coverage_function,
metadata_function,
objective_function,
mutation_function,
fetch_function,
)
result = fuzzer.loop(
FLAGS.total_inputs_to_fuzz) # type is CorpusElement
if result is not None:
# Double check that there is persistent disagreement
for idx in range(10):
logits, quantized_logits = sess.run(
[tensor_map["coverage"][0], tensor_map["coverage"][1]],
feed_dict={
tensor_map["input"][0]:
np.expand_dims(result.data[0], 0)
},
) # feed_dict: replace tensor value
if np.argmax(logits, 1) != np.argmax(quantized_logits, 1):
tf.logging.info("disagreement confirmed: idx %s", idx)
else:
tf.logging.info(
"Idx: {0}, SPURIOUS DISAGREEMENT!!! LOGITS: {1}, QUANTIZED_LOGITS: {2}!"
.format(idx, logits, quantized_logits))
tf.logging.info(
"Fuzzing succeeded. Generations to make satisfying element: %s.",
result.oldest_ancestor()[1],
)
max_diff = np.max(result.data[0] - image_copy)
tf.logging.info(
"Max difference between perturbation and original: %s.",
max_diff,
)
else:
tf.logging.info("Fuzzing failed to satisfy objective function.")
def __init__(self):
self.fuzzer = Fuzzer(MockDevice(), u'mock-package1', u'mock-target3')
self.last = None
super(MockCipd, self).__init__(self.fuzzer)