def build():
    """Build an AFL version and a SymCC version of the benchmark.

    The AFL++ build itself is delegated to ``aflplusplus_fuzzer.build`` in
    ``tracepc``/``symcc`` mode.  Afterwards the AFL binaries SymCC needs are
    copied into ``$OUT`` and the SymCC runtime pieces (runtime library, Z3,
    the symbolic libc++ and the Rust fuzzing helper) are copied into the
    SymCC build directory returned by ``get_symcc_build_dir``.

    Everything here is a side effect on the environment and the filesystem;
    nothing is returned.

    Raises:
        KeyError: if ``OUT`` is not set in the environment.
    """
    print("Step 1: Building with AFL and SymCC")
    out_dir = os.environ['OUT']

    src_dir = os.getenv('SRC')
    work_dir = os.getenv('WORK')
    # SRC and WORK are put back afterwards: some OSS-Fuzz projects cannot run
    # build_benchmark twice in the same tree without this.
    with utils.restore_directory(src_dir), utils.restore_directory(work_dir):
        aflplusplus_fuzzer.build("tracepc", "symcc")
    print("Step 2: Completed AFL build")

    # AFL artifacts needed by SymCC.
    for afl_binary in ("/afl/afl-fuzz", "/afl/afl-showmap"):
        shutil.copy(afl_binary, out_dir)

    # SymCC artifacts and the symbolic libc++.
    print("Step 3: Copying SymCC files")
    symcc_dir = get_symcc_build_dir(os.environ['OUT'])
    shutil.copy(
        "/symcc/build//SymRuntime-prefix/src/SymRuntime-build/libSymRuntime.so",
        symcc_dir)
    shutil.copy("/usr/lib/libz3.so", os.path.join(symcc_dir, "libz3.so"))
    symcc_libs = (
        "/libcxx_native_build/lib/libc++.so.1",
        "/libcxx_native_build/lib/libc++abi.so.1",
        "/rust/bin/symcc_fuzzing_helper",
    )
    for artifact in symcc_libs:
        shutil.copy(artifact, symcc_dir)
def build():
    """Build an AFL version and a SymCC version of the benchmark.

    Step 1 builds the AFL++ target through ``aflplusplus_fuzzer.build`` and
    copies afl-fuzz/afl-showmap into ``$OUT``.  Step 3 rebuilds the same
    benchmark with the SymCC compiler wrappers into a separate directory
    (``get_symcc_build_dir``), starting from a copy of the environment taken
    before the AFL build, and then copies the SymCC runtime, Z3 and the
    SymCC-instrumented libc++ next to it.

    Raises:
        KeyError: if ``OUT``, ``CFLAGS`` or ``CXXFLAGS`` is unset.
        FileExistsError: if the SymCC build directory already exists.
    """
    print("Step 1: Building with AFL")
    out_dir = os.environ['OUT']
    # Snapshot the environment now, before the AFL build runs, so the SymCC
    # build below starts from the caller's settings rather than AFL's.
    symcc_env = os.environ.copy()

    src_dir = os.getenv('SRC')
    work_dir = os.getenv('WORK')
    # SRC and WORK are put back afterwards: some OSS-Fuzz projects cannot run
    # build_benchmark twice in the same tree without this.
    with utils.restore_directory(src_dir), utils.restore_directory(work_dir):
        aflplusplus_fuzzer.build()
    print("Step 2: Completed AFL build")

    # AFL artifacts needed by SymCC.
    for afl_binary in ("/afl/afl-fuzz", "/afl/afl-showmap"):
        shutil.copy(afl_binary, out_dir)

    print("Step 3: Building the benchmark with SymCC")
    symcc_dir = get_symcc_build_dir(os.environ['OUT'])
    os.mkdir(symcc_dir)

    # Compile with the SymCC wrappers.
    symcc_env['CC'] = "/symcc/build/symcc"
    symcc_env['CXX'] = "/symcc/build/sym++"
    # NOTE(review): the token below reads "-stlib", not "-stdlib"; as written
    # the replace cannot match clang's -stdlib=libc++ flag and is a no-op.
    # Kept byte-identical here; confirm the intended flag before changing it.
    symcc_env['CXXFLAGS'] = symcc_env['CXXFLAGS'].replace("-stlib=libc++", "")
    symcc_env['FUZZER_LIB'] = '/libfuzzer-harness.o'
    symcc_env['OUT'] = symcc_dir
    # Sanitizers are turned off for the SymCC build.
    for flags_var in ('CXXFLAGS', 'CFLAGS'):
        symcc_env[flags_var] = symcc_env[flags_var] + " -fno-sanitize=all "
    # Point SymCC at the libc++ compiled with SymCC instrumentation.
    symcc_env['SYMCC_LIBCXX_PATH'] = "/libcxx_native_build"
    # No symbolic input at runtime during the build; some benchmarks run
    # tests while compiling.
    symcc_env['SYMCC_NO_SYMBOLIC_INPUT'] = "1"
    utils.build_benchmark(env=symcc_env)

    # SymCC artifacts and the symbolic libc++.
    shutil.copy(
        "/symcc/build//SymRuntime-prefix/src/SymRuntime-build/libSymRuntime.so",
        symcc_dir)
    shutil.copy("/usr/lib/libz3.so", os.path.join(symcc_dir, "libz3.so"))
    symcc_libs = (
        "/libcxx_native_build/lib/libc++.so.1",
        "/libcxx_native_build/lib/libc++abi.so.1",
        "/rust/bin/symcc_fuzzing_helper",
    )
    for artifact in symcc_libs:
        shutil.copy(artifact, symcc_dir)
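def _fuzzolic_build_instrumented(out, src, work):
    """Build the AFL++-instrumented target into *out* and copy afl-fuzz beside it."""
    os.environ['CC'] = '/out/AFLplusplus/afl-clang-fast'
    os.environ['CXX'] = '/out/AFLplusplus/afl-clang-fast++'
    os.environ['FUZZER_LIB'] = '/libAFLDriver.a'
    os.environ['AFL_PATH'] = '/out/AFLplusplus/'
    # Have the AFL++ compiler write an extra dictionary into $OUT.
    os.environ['AFL_LLVM_DICT2FILE'] = os.path.join(out, 'afl++.dict')
    # SRC and WORK are put back afterwards: some OSS-Fuzz projects cannot run
    # build_benchmark twice in the same tree without this.
    with utils.restore_directory(src), utils.restore_directory(work):
        utils.build_benchmark()
    print('[build] Copying afl-fuzz to $OUT directory')
    shutil.copy('/out/AFLplusplus/afl-fuzz', os.environ['OUT'])


def _fuzzolic_build_uninstrumented(env, src, work):
    """Build a plain-clang, sanitizer-free target for Fuzzolic into its own directory."""
    env['CC'] = 'clang'
    env['CXX'] = 'clang++'
    env['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a'
    # Use the NO_SANITIZER_COMPAT flags even for bug benchmarks: QEMU is
    # incompatible with sanitizers, and Fuzzolic prefers clean, unoptimized
    # binaries.  Fast random fuzzing is left to AFL.
    env['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS)
    cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS
    env['CXXFLAGS'] = ' '.join(cxxflags)
    uninstrumented_outdir = get_uninstrumented_outdir(os.environ['OUT'])
    os.mkdir(uninstrumented_outdir)
    env['OUT'] = uninstrumented_outdir
    # Redirect FUZZ_TARGET into the new directory when one is configured.
    fuzz_target = os.getenv('FUZZ_TARGET')
    if fuzz_target:
        env['FUZZ_TARGET'] = os.path.join(uninstrumented_outdir,
                                          os.path.basename(fuzz_target))
    print('[build] Re-building benchmark for uninstrumented fuzzing target')
    with utils.restore_directory(src), utils.restore_directory(work):
        utils.build_benchmark(env=env)


def build():
    """Build the benchmark for Fuzzolic.

    Two builds are produced:

    1. An AFL++-instrumented binary in ``$OUT`` (``afl-clang-fast`` with
       ``libAFLDriver.a``), with the ``afl-fuzz`` binary copied alongside.
    2. An uninstrumented, sanitizer-free binary built with plain ``clang``
       and ``libStandaloneFuzzTarget.a`` into ``get_uninstrumented_outdir``,
       because Fuzzolic runs the target under QEMU, which does not tolerate
       sanitizers.

    The first build writes its settings into ``os.environ``; the second uses
    a copy of the environment taken before those writes.

    Raises:
        TypeError: if ``OUT`` is unset (the dictionary path cannot be formed).
        FileExistsError: if the uninstrumented output directory already exists.
    """
    # Snapshot before the AFL settings are written into os.environ.
    uninstrumented_env = os.environ.copy()
    src = os.getenv('SRC')
    work = os.getenv('WORK')
    out = os.getenv('OUT')

    _fuzzolic_build_instrumented(out, src, work)
    _fuzzolic_build_uninstrumented(uninstrumented_env, src, work)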
def build():
    """Build the benchmark for QSYM.

    Produces an AFL-instrumented target (AFL's build environment, but linked
    against ``libQSYM.a``) in ``$OUT`` and, because QSYM also needs one, an
    uninstrumented sanitizer-free target in the directory returned by
    ``get_uninstrumented_build_directory``.  The afl-fuzz and afl-showmap
    binaries are copied into ``$OUT`` at the end.

    Raises:
        KeyError: if ``OUT`` is unset.
        FileExistsError: if the uninstrumented build directory already exists.
    """
    afl_fuzzer.prepare_build_environment()
    # QSYM brings its own driver library in place of AFL's.
    os.environ['FUZZER_LIB'] = '/libQSYM.a'

    src_dir = os.getenv('SRC')
    work_dir = os.getenv('WORK')
    # SRC and WORK are put back afterwards: some OSS-Fuzz projects cannot run
    # build_benchmark twice in the same tree without this.
    with utils.restore_directory(src_dir), utils.restore_directory(work_dir):
        utils.build_benchmark()

    # Second build, uninstrumented, as QSYM requires.
    plain_env = os.environ.copy()
    utils.set_no_sanitizer_compilation_flags(plain_env)
    extra_flags = ['-O2', '-fno-omit-frame-pointer', '-gline-tables-only']
    for flags_var in ('CFLAGS', 'CXXFLAGS'):
        utils.append_flags(flags_var, extra_flags, plain_env)

    # OUT and FUZZ_TARGET are redirected into the uninstrumented directory.
    out_dir = os.environ['OUT']
    plain_out_dir = get_uninstrumented_build_directory(out_dir)
    os.mkdir(plain_out_dir)
    plain_env['OUT'] = plain_out_dir
    fuzz_target = os.getenv('FUZZ_TARGET')
    if fuzz_target:
        plain_env['FUZZ_TARGET'] = os.path.join(plain_out_dir,
                                                os.path.basename(fuzz_target))
    print('Re-building benchmark for uninstrumented fuzzing target')
    utils.build_benchmark(env=plain_env)

    # afl-fuzz and afl-showmap are build artifacts QSYM requires.
    print('[post_build] Copying afl-fuzz to $OUT directory')
    shutil.copy('/afl/afl-fuzz', out_dir)
    print('[post_build] Copying afl-showmap to $OUT directory')
    shutil.copy('/afl/afl-showmap', out_dir)
def build(*args):  # pylint: disable=too-many-branches,too-many-statements
    """Build the benchmark with AFL++ according to a list of build modes.

    Modes come from ``*args`` unless ``BUILD_MODES`` is set in the
    environment (comma separated), and default to ``tracepc,nozero`` when
    both are empty.  The modes select the compiler (``lto``/``qemu``/LLVM
    mode), the coverage instrumentation and a set of ``AFL_LLVM_*`` options,
    all of which are written into ``os.environ`` before ``build_benchmark``
    runs.  ``cmplog`` (outside ``qemu``) triggers a second build into the
    CmpLog directory.  ``afl-fuzz`` is copied into ``$OUT`` at the end.

    Args:
        *args: build mode names; ignored when ``BUILD_MODES`` is set.

    Raises:
        KeyError: if ``OUT`` is unset.
        FileExistsError: if the CmpLog build directory already exists.
    """
    # BUILD_MODES is not supported by fuzzbench itself; it is honored here
    # and otherwise the positional modes (or a default) are used.
    modes = list(args)
    if 'BUILD_MODES' in os.environ:
        modes = os.environ['BUILD_MODES'].split(',')
    out_dir = os.environ['OUT']
    if not modes:
        modes = ['tracepc', 'nozero']

    # Compiler selection.
    if 'lto' in modes:
        os.environ['CC'] = '/afl/afl-clang-lto'
        os.environ['CXX'] = '/afl/afl-clang-lto++'
        os.environ['RANLIB'] = 'llvm-ranlib-11'
        os.environ['AR'] = 'llvm-ar-11'
    elif 'qemu' in modes:
        os.environ['CC'] = 'clang'
        os.environ['CXX'] = 'clang++'
    else:
        os.environ['CC'] = '/afl/afl-clang-fast'
        os.environ['CXX'] = '/afl/afl-clang-fast++'

    # Coverage instrumentation; the first matching mode wins.
    if 'instrim' in modes:
        # AFL_LLVM_INSTRIM_LOOPHEAD is deliberately not set (better coverage).
        os.environ['AFL_LLVM_INSTRIM'] = 'CFG'
    elif 'tracepc' in modes:
        os.environ['AFL_LLVM_USE_TRACE_PC'] = '1'
    elif 'classic' in modes:
        os.environ['AFL_LLVM_INSTRUMENT'] = 'CLASSIC'

    # Independent single-flag options: (mode, variable) pairs.
    flag_options = (
        ('dynamic', 'AFL_LLVM_MAP_DYNAMIC'),      # no fixed map location (LTO only)
        ('skipsingle', 'AFL_LLVM_SKIPSINGLEBLOCK'),  # skip single-block functions
        ('ctx', 'AFL_LLVM_CTX'),                  # context sensitivity (non-LTO only)
    )
    for mode, variable in flag_options:
        if mode in modes:
            os.environ[variable] = '1'

    # N-gram coverage (non-LTO only); the smallest listed size wins.
    for size in (2, 3, 4, 5, 6, 7, 8, 16):
        if f'ngram{size}' in modes:
            os.environ['AFL_LLVM_NGRAM_SIZE'] = str(size)
            break

    # Disable the neverZero implementation.
    if 'nozero' in modes:
        os.environ['AFL_LLVM_SKIP_NEVERZERO'] = '1'

    # laf-intel compare splitting (alternative to cmplog).
    if 'laf' in modes:
        for variable in ('AFL_LLVM_LAF_SPLIT_SWITCHES',
                         'AFL_LLVM_LAF_SPLIT_COMPARES',
                         'AFL_LLVM_LAF_SPLIT_FLOATS'):
            os.environ[variable] = '1'
        if 'autodict' not in modes:
            os.environ['AFL_LLVM_LAF_TRANSFORM_COMPARES'] = '1'
    # Auto dictionary for LTO.
    if 'autodict' in modes:
        os.environ['AFL_LLVM_LTO_AUTODICTIONARY'] = '1'

    os.environ['FUZZER_LIB'] = '/libAFLDriver.a'
    # Some benchmarks like lcms
    # (see: https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212)
    # fail to compile if the compiler writes to stderr unexpectedly; AFL_QUIET
    # keeps afl-clang-fast from emitting its messages there.
    os.environ['AFL_QUIET'] = '1'

    src_dir = os.getenv('SRC')
    work_dir = os.getenv('WORK')
    # SRC and WORK are put back afterwards: some OSS-Fuzz projects cannot run
    # build_benchmark twice in the same tree without this.
    with utils.restore_directory(src_dir), utils.restore_directory(work_dir):
        utils.build_benchmark()

    if 'cmplog' in modes and 'qemu' not in modes:
        # CmpLog needs a build with different instrumentation, so it gets its
        # own environment copy and output directory.
        cmplog_env = os.environ.copy()
        cmplog_env['AFL_LLVM_CMPLOG'] = '1'
        cmplog_dir = get_cmplog_build_directory(out_dir)
        os.mkdir(cmplog_dir)
        cmplog_env['OUT'] = cmplog_dir
        fuzz_target = os.getenv('FUZZ_TARGET')
        if fuzz_target:
            cmplog_env['FUZZ_TARGET'] = os.path.join(
                cmplog_dir, os.path.basename(fuzz_target))
        print('Re-building benchmark for CmpLog fuzzing target')
        utils.build_benchmark(env=cmplog_env)

    shutil.copy('/afl/afl-fuzz', out_dir)
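def _aflpp_resolve_build_modes(args):
    """Return the effective build-mode list from *args*, BUILD_MODES and CFLAGS."""
    # BUILD_MODES is not supported by fuzzbench itself; it is honored here
    # and otherwise the positional modes (or a default) are used.
    build_modes = list(args)
    if 'BUILD_MODES' in os.environ:
        build_modes = os.environ['BUILD_MODES'].split(',')
    if not build_modes:
        build_modes = ['tracepc', 'cmplog', 'dict2file']
    # Bug-type benchmarks (array-bounds in CFLAGS) must be instrumented via
    # native clang pcguard; this replaces the first mode.
    build_flags = os.environ['CFLAGS']
    if ('array-bounds' in build_flags and 'qemu' not in build_modes and
            'classic' not in build_modes):
        build_modes[0] = 'native'
    return build_modes


def _aflpp_select_toolchain(build_modes, build_directory):
    """Point CC/CXX (and the LTO binutils) at the compiler the modes ask for."""
    if 'lto' in build_modes:
        os.environ['CC'] = '/afl/afl-clang-lto'
        os.environ['CXX'] = '/afl/afl-clang-lto++'
        os.environ['AFL_LLVM_DOCUMENT_IDS'] = build_directory + '/aflpp_edges.txt'
        # Prefer the newest versioned LLVM binutils that is installed.
        for suffix in ('-13', '-12'):
            if os.path.isfile('/usr/local/bin/llvm-ranlib' + suffix):
                os.environ['RANLIB'] = 'llvm-ranlib' + suffix
                os.environ['AR'] = 'llvm-ar' + suffix
                os.environ['AS'] = 'llvm-as' + suffix
                break
        else:
            os.environ['RANLIB'] = 'llvm-ranlib'
            os.environ['AR'] = 'llvm-ar'
            os.environ['AS'] = 'llvm-as'
    elif 'qemu' in build_modes:
        os.environ['CC'] = 'clang'
        os.environ['CXX'] = 'clang++'
    elif 'gcc' in build_modes:
        os.environ['CC'] = 'afl-gcc-fast'
        os.environ['CXX'] = 'afl-g++-fast'
    else:
        os.environ['CC'] = '/afl/afl-clang-fast'
        os.environ['CXX'] = '/afl/afl-clang-fast++'


def _aflpp_set_instrumentation(build_modes, build_directory):
    """Translate the build modes into AFL_LLVM_* / flag settings in os.environ."""
    # qemu and symcc builds must be free of sanitizer instrumentation.
    if 'qemu' in build_modes or 'symcc' in build_modes:
        os.environ['CFLAGS'] = ' '.join(utils.NO_SANITIZER_COMPAT_CFLAGS)
        cxxflags = [utils.LIBCPLUSPLUS_FLAG] + utils.NO_SANITIZER_COMPAT_CFLAGS
        os.environ['CXXFLAGS'] = ' '.join(cxxflags)

    # Coverage instrumentation; the first matching mode wins.
    if 'tracepc' in build_modes or 'pcguard' in build_modes:
        os.environ['AFL_LLVM_USE_TRACE_PC'] = '1'
    elif 'classic' in build_modes:
        os.environ['AFL_LLVM_INSTRUMENT'] = 'CLASSIC'
    elif 'native' in build_modes:
        os.environ['AFL_LLVM_INSTRUMENT'] = 'LLVMNATIVE'

    # Map location (LTO only): dynamic or fixed.
    if 'dynamic' in build_modes:
        os.environ['AFL_LLVM_MAP_DYNAMIC'] = '1'
    if 'fixed' in build_modes:
        os.environ['AFL_LLVM_MAP_ADDR'] = '0x10000'
    # Generate an extra dictionary.
    if 'dict2file' in build_modes or 'native' in build_modes:
        os.environ['AFL_LLVM_DICT2FILE'] = build_directory + '/afl++.dict'
    # Context sensitivity for LLVM mode (non-LTO only).
    if 'ctx' in build_modes:
        os.environ['AFL_LLVM_CTX'] = '1'
    # N-gram coverage for LLVM mode (non-LTO only); smallest listed size wins.
    for size in (2, 3, 4, 5, 6, 7, 8, 16):
        if f'ngram{size}' in build_modes:
            os.environ['AFL_LLVM_NGRAM_SIZE'] = str(size)
            break
    # K-context sensitivity; smallest listed k wins.
    for k in (1, 2, 3, 4):
        if f'ctx{k}' in build_modes:
            os.environ['AFL_LLVM_CTX_K'] = str(k)
            break

    # laf-intel compare splitting (alternative to cmplog).
    if 'laf' in build_modes:
        os.environ['AFL_LLVM_LAF_SPLIT_SWITCHES'] = '1'
        os.environ['AFL_LLVM_LAF_SPLIT_COMPARES'] = '1'
        os.environ['AFL_LLVM_LAF_SPLIT_FLOATS'] = '1'
        if 'autodict' not in build_modes:
            os.environ['AFL_LLVM_LAF_TRANSFORM_COMPARES'] = '1'

    if 'eclipser' in build_modes:
        os.environ['FUZZER_LIB'] = '/libStandaloneFuzzTarget.a'
    else:
        os.environ['FUZZER_LIB'] = '/libAFLDriver.a'

    # Some benchmarks like lcms
    # (see: https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212)
    # fail to compile if the compiler writes to stderr unexpectedly; AFL_QUIET
    # keeps afl-clang-fast from emitting its messages there.
    os.environ['AFL_QUIET'] = '1'
    # Fixed coverage map size for the instrumented build.
    os.environ['AFL_MAP_SIZE'] = '2621440'


def _aflpp_build_cmplog(build_directory):
    """Rebuild the benchmark with CmpLog instrumentation into its own directory."""
    new_env = os.environ.copy()
    new_env['AFL_LLVM_CMPLOG'] = '1'
    # OUT and FUZZ_TARGET are redirected into the CmpLog build directory.
    cmplog_build_directory = get_cmplog_build_directory(build_directory)
    os.mkdir(cmplog_build_directory)
    new_env['OUT'] = cmplog_build_directory
    fuzz_target = os.getenv('FUZZ_TARGET')
    if fuzz_target:
        new_env['FUZZ_TARGET'] = os.path.join(cmplog_build_directory,
                                              os.path.basename(fuzz_target))
    print('Re-building benchmark for CmpLog fuzzing target')
    utils.build_benchmark(env=new_env)


def _aflpp_build_symcc(build_directory):
    """Rebuild the benchmark with the SymCC compiler wrappers into its own directory."""
    symcc_build_directory = get_uninstrumented_build_directory(build_directory)
    os.mkdir(symcc_build_directory)
    new_env = os.environ.copy()
    new_env['CC'] = '/symcc/build/symcc'
    new_env['CXX'] = '/symcc/build/sym++'
    # NOTE(review): SymCC output goes to the shared, world-writable /tmp;
    # concurrent builds or runs on the same host can collide there.  A
    # per-build directory would be safer — confirm before changing.
    new_env['SYMCC_OUTPUT_DIR'] = '/tmp'
    # NOTE(review): the token below reads "-stlib", not "-stdlib"; as written
    # the replace cannot match clang's -stdlib=libc++ flag and is a no-op.
    # Kept unchanged here; confirm the intended flag before changing it.
    new_env['CXXFLAGS'] = new_env['CXXFLAGS'].replace("-stlib=libc++", "")
    new_env['FUZZER_LIB'] = '/libfuzzer-harness.o'
    new_env['SYMCC_LIBCXX_PATH'] = "/libcxx_native_build"
    new_env['SYMCC_NO_SYMBOLIC_INPUT'] = "1"
    new_env['SYMCC_SILENT'] = "1"
    # OUT and FUZZ_TARGET are redirected into the SymCC build directory.
    new_env['OUT'] = symcc_build_directory
    fuzz_target = os.getenv('FUZZ_TARGET')
    if fuzz_target:
        new_env['FUZZ_TARGET'] = os.path.join(symcc_build_directory,
                                              os.path.basename(fuzz_target))
    print('Re-building benchmark for SymCC fuzzing target')
    utils.build_benchmark(env=new_env)


def _aflpp_copy_runtime_artifacts(build_directory):
    """Copy afl-fuzz and the optional QEMU/Frida helpers into *build_directory*."""
    shutil.copy('/afl/afl-fuzz', build_directory)
    if os.path.exists('/afl/afl-qemu-trace'):
        shutil.copy('/afl/afl-qemu-trace', build_directory)
    if os.path.exists('/aflpp_qemu_driver_hook.so'):
        shutil.copy('/aflpp_qemu_driver_hook.so', build_directory)
    # The Frida entry script is the marker that the Frida tracer is installed.
    if os.path.exists('/get_frida_entry.sh'):
        shutil.copy('/afl/afl-frida-trace.so', build_directory)
        shutil.copy('/get_frida_entry.sh', build_directory)


def build(*args):
    """Build the benchmark with AFL++ according to a list of build modes.

    Modes come from ``*args`` unless ``BUILD_MODES`` is set in the
    environment (comma separated), and default to
    ``tracepc,cmplog,dict2file`` when both are empty.  The modes select the
    compiler (``lto``/``qemu``/``gcc``/LLVM mode), the coverage
    instrumentation and a set of ``AFL_LLVM_*`` options, all written into
    ``os.environ`` before ``build_benchmark`` runs.  ``cmplog`` (outside
    ``qemu``) and ``symcc`` each trigger an additional build into their own
    directory.  Finally afl-fuzz and any available QEMU/Frida helpers are
    copied into ``$OUT``.

    Args:
        *args: build mode names; ignored when ``BUILD_MODES`` is set.

    Raises:
        KeyError: if ``OUT`` or ``CFLAGS`` is unset (``CXXFLAGS`` too for
            the ``symcc`` build).
        FileExistsError: if a CmpLog or SymCC build directory already exists.
    """
    build_modes = _aflpp_resolve_build_modes(args)
    build_directory = os.environ['OUT']

    _aflpp_select_toolchain(build_modes, build_directory)
    print('AFL++ build: ')
    print(build_modes)
    _aflpp_set_instrumentation(build_modes, build_directory)

    src = os.getenv('SRC')
    work = os.getenv('WORK')
    # SRC and WORK are put back afterwards: some OSS-Fuzz projects cannot run
    # build_benchmark twice in the same tree without this.
    with utils.restore_directory(src), utils.restore_directory(work):
        utils.build_benchmark()

    if 'cmplog' in build_modes and 'qemu' not in build_modes:
        _aflpp_build_cmplog(build_directory)
    if 'symcc' in build_modes:
        _aflpp_build_symcc(build_directory)

    _aflpp_copy_runtime_artifacts(build_directory)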
def build():
    """Build the benchmark with AFL++ (InsTrim by default).

    Build modes default to ``instrim`` and can be overridden through a
    comma-separated ``BUILD_MODES`` environment variable.  ``qemu`` switches
    to plain clang, ``laf`` enables laf-intel compare splitting and
    ``instrim`` enables InsTrim instrumentation; ``cmplog`` (outside
    ``qemu``) triggers a second build into the CmpLog directory.  afl-fuzz
    is copied into ``$OUT`` at the end.

    Raises:
        KeyError: if ``OUT`` is unset.
        FileExistsError: if the CmpLog build directory already exists.
    """
    # BUILD_MODES is not supported by fuzzbench itself; honor it here and
    # otherwise fall back to a default configuration.
    modes = ['instrim']
    if 'BUILD_MODES' in os.environ:
        modes = os.environ['BUILD_MODES'].split(',')

    use_qemu = 'qemu' in modes
    os.environ['CC'] = 'clang' if use_qemu else '/afl/afl-clang-fast'
    os.environ['CXX'] = 'clang++' if use_qemu else '/afl/afl-clang-fast++'

    if 'laf' in modes:
        for variable in ('AFL_LLVM_LAF_SPLIT_SWITCHES',
                         'AFL_LLVM_LAF_TRANSFORM_COMPARES',
                         'AFL_LLVM_LAF_SPLIT_COMPARES'):
            os.environ[variable] = '1'
    if 'instrim' in modes:
        # AFL_LLVM_INSTRIM_LOOPHEAD is deliberately left unset.
        os.environ['AFL_LLVM_INSTRIM'] = '1'
        os.environ['AFL_LLVM_INSTRIM_SKIPSINGLEBLOCK'] = '1'

    os.environ['FUZZER_LIB'] = '/libAFLDriver.a'
    # Some benchmarks like lcms
    # (see: https://github.com/mm2/Little-CMS/commit/ab1093539b4287c233aca6a3cf53b234faceb792#diff-f0e6d05e72548974e852e8e55dffc4ccR212)
    # fail to compile if the compiler writes to stderr unexpectedly; AFL_QUIET
    # keeps afl-clang-fast from emitting its messages there.
    os.environ['AFL_QUIET'] = '1'

    src_dir = os.getenv('SRC')
    work_dir = os.getenv('WORK')
    # SRC and WORK are put back afterwards: some OSS-Fuzz projects cannot run
    # build_benchmark twice in the same tree without this.
    with utils.restore_directory(src_dir), utils.restore_directory(work_dir):
        utils.build_benchmark()

    if 'cmplog' in modes and not use_qemu:
        # CmpLog needs a build with different instrumentation, so it gets its
        # own environment copy and output directory.
        cmplog_env = os.environ.copy()
        cmplog_env['AFL_LLVM_CMPLOG'] = '1'
        cmplog_dir = get_cmplog_build_directory(os.environ['OUT'])
        os.mkdir(cmplog_dir)
        cmplog_env['OUT'] = cmplog_dir
        fuzz_target = os.getenv('FUZZ_TARGET')
        if fuzz_target:
            cmplog_env['FUZZ_TARGET'] = os.path.join(
                cmplog_dir, os.path.basename(fuzz_target))
        print('Re-building benchmark for CmpLog fuzzing target')
        utils.build_benchmark(env=cmplog_env)

    shutil.copy('/afl/afl-fuzz', os.environ['OUT'])