def __perform_havoc(self, payload_array, payload):
log_master("Havoc...")
self.kafl_state.progress_bitflip = self.kafl_state.progress_bitflip_amount
self.kafl_state.progress_arithmetic = self.kafl_state.progress_arithmetic_amount
self.kafl_state.progress_interesting = self.kafl_state.progress_interesting_amount
if payload and payload.node_type == KaflNodeType.favorite:
self.kafl_state.progress_havoc_amount = havoc_range(
self.kafl_state.get_performance() * self.HAVOC_MULTIPLIER *
2.0)
self.kafl_state.progress_specific_amount = havoc_range(
self.kafl_state.get_performance() * self.HAVOC_MULTIPLIER *
2.0)
else:
self.kafl_state.progress_havoc_amount = havoc_range(
self.kafl_state.get_performance() * self.HAVOC_MULTIPLIER)
self.kafl_state.progress_specific_amount = havoc_range(
self.kafl_state.get_performance() * self.HAVOC_MULTIPLIER)
self.kafl_state.technique = "HAVOC"
mutate_seq_havoc_array(payload_array, self.__havoc_handler,
self.kafl_state.progress_havoc_amount)
self.__buffered_handler(None, last_payload=True)
self.kafl_state.progress_havoc_amount = self.kafl_state.progress_havoc
self.kafl_state.technique = "SPLICING"
mutate_seq_splice_array(payload_array, self.__splicing_handler,
self.kafl_state.progress_havoc_amount,
self.kafl_state)
self.__buffered_handler(None, last_payload=True)
def loop(self):
while True:
for conn, msg in self.comm.wait(self.statistics.plot_thres):
if msg["type"] == MSG_NODE_DONE:
# Slave execution done, update queue item + send new task
log_master("Received results, sending next task..")
if msg["node_id"]:
self.queue.update_node_results(msg["node_id"],
msg["results"],
msg["new_payload"])
self.send_next_task(conn)
elif msg["type"] == MSG_NEW_INPUT:
# Slave reports new interesting input
log_master("Received new input (exit=%s): %s" %
(msg["input"]["info"]["exit_reason"],
repr(msg["input"]["payload"][:24])))
node_struct = {
"info": msg["input"]["info"],
"state": {
"name": "initial"
}
}
self.maybe_insert_node(msg["input"]["payload"],
msg["input"]["bitmap"], node_struct)
elif msg["type"] == MSG_READY:
# Initial slave hello, send first task...
# log_master("Slave is ready..")
self.send_next_task(conn)
else:
raise ValueError("unknown message type {}".format(msg))
self.statistics.event_slave_poll()
self.statistics.maybe_write_stats()
def __master_handler(self, methods):
if (time.time() - self.start) >= self.refresh_rate:
end = time.time()
self.kafl_state.update_performance(
int(((self.counter * 1.0) / (end - self.start))))
self.start = time.time()
self.counter = 0
while True:
msg = recv_msg(self.comm.to_master_queue)
if msg.tag == KAFL_TAG_REQ:
self.__task_send(self.payload_buffer,
[None] * len(self.payload_buffer), msg.data,
self.comm.to_slave_queues[int(msg.data)],
methods)
self.abortion_counter += len(self.payload_buffer)
self.counter += len(self.payload_buffer)
self.round_counter += len(self.payload_buffer)
break
elif msg.tag == KAFL_TAG_ABORT_REQ:
log_master("Abortion request received...")
self.stage_abortion = True
self.payload_buffer = []
self.byte_map = []
return
else:
raise Exception(
"Unknown msg-tag received in master process...")
def __get_bitmap_hash_robust(self, payload_array):
self.__get_bitmap_hash(payload_array)
hashes = [self.__get_bitmap_hash(payload_array) for i in xrange(3)]
if len(set(hashes)) == 1:
return hashes[0]
log_master("Hash Doesn't seem Stable")
return None
def __init__(self, comm):
self.comm = comm
self.kafl_state = State()
self.payload = ""
self.counter = 0
self.round_counter = 0
self.start = time.time()
self.benchmark_time = time.time()
self.counter_offset = 0
self.payload_buffer = []
self.byte_map = []
self.stage_abortion = False
self.abortion_counter = 0
self.mapserver_status_pending = False
self.config = FuzzerConfiguration()
self.skip_zero = self.config.argument_values['s']
self.refresh_rate = self.config.config_values['UI_REFRESH_RATE']
self.use_effector_map = self.config.argument_values['d']
self.arith_max = FuzzerConfiguration().config_values["ARITHMETIC_MAX"]
if not self.config.argument_values['D']:
self.use_effector_map = False
if self.config.load_old_state:
self.load_data()
log_master("Use effector maps: " + str(self.use_effector_map))
def __init__(self, config):
self.config = config
self.comm = ServerConnection(self.config)
self.debug_mode = config.argument_values['debug']
self.task_count = 0
self.task_paused = False
self.busy_events = 0
self.empty_hash = mmh3.hash(
("\x00" * self.config.config_values['BITMAP_SHM_SIZE']),
signed=False)
self.statistics = MasterStatistics(self.config)
self.queues = CycleQueue(self.config)
for _ in range(interface_manager.size()):
self.queues.append(InputQueue(self.config, self.statistics))
#self.queue = InputQueue(self.config, self.statistics)
self.bitmap_storage = BitmapStorage(
config,
config.config_values['BITMAP_SHM_SIZE'],
"master",
read_only=False)
redqueen_global_config(
redq_hammering=self.config.argument_values['hammer_jmp_tables'],
redq_do_simple=self.config.argument_values['redq_do_simple'],
afl_arith_max=self.config.config_values['ARITHMETIC_MAX'])
self.imports = list(interface_manager.to_corpus())
log_master("Starting (pid: %d)" % os.getpid())
log_master("Configuration dump:\n%s" %
pformat(config.argument_values, indent=4, compact=True))
def __master_handler(self):
if (time.time() - self.start
) >= self.refresh_rate and not self.mapserver_status_pending:
self.mapserver_status_pending = True
send_msg(KAFL_TAG_MAP_INFO, None, self.comm.to_mapserver_queue)
end = time.time()
self.kafl_state.performance = ((self.counter * 1.0) /
(end - self.start))
self.kafl_state.performance_rb.append(
((self.counter * 1.0) / (end - self.start)))
self.kafl_state.max_performance_rb.append(
((self.counter * 1.0) / (end - self.start)))
self.start = time.time()
self.counter = 0
while not self.stopped():
msg = recv_msg(self.comm.to_master_queue, timeout=0.1)
if msg == None:
continue
if msg.tag == KAFL_TAG_REQ:
if len(self.concolic_payloads) > 0:
self.__task_send([self.concolic_payloads[0]],
msg.data,
self.comm.to_slave_queues[int(msg.data)],
imported=True)
self.concolic_payloads.pop(0)
# Continue until the queue is consumed
# send_msg(KAFL_TAG_OUTPUT, self.kafl_state, self.comm.to_update_queue)
if (
time.time() - self.start
) >= self.refresh_rate and not self.mapserver_status_pending:
self.mapserver_status_pending = True
send_msg(KAFL_TAG_MAP_INFO, None,
self.comm.to_mapserver_queue)
self.start = time.time()
continue
else:
self.__task_send(self.payload_buffer, msg.data,
self.comm.to_slave_queues[int(msg.data)])
self.abortion_counter += len(self.payload_buffer)
self.counter += len(self.payload_buffer)
self.round_counter += len(self.payload_buffer)
break
elif msg.tag == KAFL_TAG_ABORT_REQ:
log_master("Abortion request received...")
self.stage_abortion = True
self.payload_buffer = []
self.byte_map = []
return
elif msg.tag == KAFL_TAG_MAP_INFO:
self.__process_mapserver_state(msg)
self.mapserver_status_pending = False
send_msg(KAFL_TAG_OUTPUT, self.kafl_state,
self.comm.to_update_queue)
elif msg.tag == DRIFUZZ_NEW_INPUT:
self.concolic_payloads += [msg.data]
else:
raise Exception(
"Unknown msg-tag received in master process...")
def __sync_verification(self, verification_amoun):
send_msg(KAFL_TAG_REQ_VERIFY_SYNC, verification_amoun,
self.comm.to_mapserver_queue)
while True:
data = recv_msg(self.comm.to_master_from_mapserver_queue)
if KAFL_TAG_REQ_VERIFY_SYNC == data.tag:
return
else:
log_master("__sync_verification error?!")
def __perform_post_sync(self, finished):
self.kafl_state["technique"] = "POST-SYNC"
payload, finished_state = self.__recv_next(finished,
self.__stop_benchmark())
log_master("finished_state -> " + str(finished_state))
self.payload = payload.load_payload()
self.round_counter = 0
self.stage_abortion = False
self.abortion_counter = 0
return payload, finished_state
def __get_num_of_finds(self):
if self.stage_abortion:
send_msg(KAFL_TAG_UNTOUCHED_NODES, self.abortion_counter,
self.comm.to_mapserver_queue)
else:
send_msg(KAFL_TAG_UNTOUCHED_NODES, self.round_counter,
self.comm.to_mapserver_queue)
result = recv_msg(self.comm.to_master_from_mapserver_queue).data
log_master("Current findings: " + str(result))
return result
def __perform_post_sync(self, finished):
self.kafl_state.technique = "POST-SYNC"
send_msg(KAFL_TAG_OUTPUT, self.kafl_state, self.comm.to_update_queue)
payload, finished_state = self.__recv_next(finished,
self.__stop_benchmark())
log_master("finished_state -> " + str(finished_state))
self.payload = payload.load_payload()
self.round_counter = 0
self.stage_abortion = False
self.abortion_counter = 0
return payload, finished_state
def __calc_stage_iterations(self):
self.kafl_state["progress_redqueen"] = 0
self.kafl_state["progress_bitflip"] = 0
self.kafl_state["progress_arithmetic"] = 0
self.kafl_state["progress_interesting"] = 0
self.kafl_state["progress_havoc"] = 0
self.kafl_state["progress_specific"] = 0
self.kafl_state["payload_size"] = len(self.payload)
self.kafl_state["payload"] = self.payload
limiter_map = []
for i in range(len(self.payload)):
limiter_map.append(True)
if self.config.argument_values['i']:
for ignores in self.config.argument_values['i']:
log_master("Ignore-range 0: " + str(ignores[0]) + " " +
str(min(ignores[0], len(self.payload))))
log_master("Ignore-range 1: " + str(ignores[1]) + " " +
str(min(ignores[1], len(self.payload))))
for i in range(min(ignores[0], len(self.payload)),
min(ignores[1], len(self.payload))):
limiter_map[i] = False
if self.config.argument_values['D']:
self.kafl_state["progress_bitflip_amount"] = bitflip_range(
self.payload,
skip_null=self.skip_zero,
effector_map=limiter_map)
self.kafl_state["progress_arithmetic_amount"] = arithmetic_range(
self.payload,
skip_null=self.skip_zero,
effector_map=limiter_map,
set_arith_max=self.arith_max)
self.kafl_state["progress_interesting_amount"] = interesting_range(
self.payload,
skip_null=self.skip_zero,
effector_map=limiter_map)
else:
self.kafl_state["progress_bitflip_amount"] = 0
self.kafl_state["progress_arithmetic_amount"] = 0
self.kafl_state["progress_interesting_amount"] = 0
self.kafl_state["progress_havoc_amount"] = havoc.havoc_range(
self.kafl_state.get_performance() * self.HAVOC_MULTIPLIER)
self.kafl_state["progress_specific_amount"] = havoc.havoc_range(
self.kafl_state.get_performance() *
self.HAVOC_MULTIPLIER) / self.RADAMSA_DIV
self.__start_benchmark(self.round_counter)
return limiter_map
def __perform_coloring(self, payload_array):
if self.config.argument_values['r']:
self.kafl_state["technique"] = "COLORING"
log_master("Initial Redqueen Colorize...")
hash = self.__get_bitmap_hash_robust(payload_array)
if hash == None:
return None
log_master("Orig Redqueen Colorize...(" + str(hash) + ")")
colored_arrays = []
for i in xrange(COLORIZATION_COUNT):
if len(colored_arrays) >= COLORIZATION_COUNT:
break
arr = array("B", payload_array)
self.__colorize_payload(hash, arr)
new_hash = self.__get_bitmap_hash(arr)
if (new_hash == hash):
colored_arrays.append(arr)
log_master("found good hash")
else:
log_master("found bad hash: " + repr(new_hash) + " retry")
return None
colored_arrays.append(payload_array)
return colored_arrays
def __get_num_of_finds(self):
if self.stage_abortion:
send_msg(KAFL_TAG_UNTOUCHED_NODES, self.abortion_counter,
self.comm.to_mapserver_queue)
else:
send_msg(KAFL_TAG_UNTOUCHED_NODES, self.round_counter,
self.comm.to_mapserver_queue)
msg = None
while not msg and not self.stopped():
msg = recv_msg(self.comm.to_master_from_mapserver_queue,
timeout=0.1)
result = msg.data
log_master("Current findings: " + str(result))
return result
def __init_fuzzing_loop(self):
self.kafl_state["cycles"] = 0
self.__start_processes()
if self.config.load_old_state:
log_master("State exists!")
else:
log_master("State does not exist!")
payloads = get_seed_files(self.config.argument_values['work_dir'] +
"/corpus")
data = []
for payload in payloads:
bitmap = self.__request_bitmap(payload)
data.append((payload, bitmap))
send_msg(KAFL_INIT_BITMAP, data, self.comm.to_mapserver_queue)
self.payload = payloads[0]
def __colorize_payload(self, hash, payload_array):
c = ColorizerStrategy(
len(payload_array), lambda min, max: self.__check_colorization(
hash, payload_array, min, max))
t = time.time()
i = 0
while True:
if i >= COLORIZATION_STEPS and time.time(
) - t > COLORIZATION_TIMEOUT: #TODO add to config
break
if i % 20 == 0:
log_master("colorizing step %d," % (i))
if len(c.unknown_ranges) == 0:
break
c.colorize_step()
i += 1
def __perform_import(self):
import_count = len(
glob.glob(self.config.argument_values['work_dir'] + "/imports/*"))
if import_count == 0:
return
self.kafl_state["technique"] = "IMPORT"
log_master("Sync...(" + str(self.round_counter) + " inputs)")
self.__sync_verification(self.round_counter)
log_master("Importing...(" + str(import_count) + " inputs)")
i = 0
for path in glob.glob(self.config.argument_values['work_dir'] +
"/imports/*"):
if (time.time() - self.start) >= self.refresh_rate:
end = time.time()
self.kafl_state.update_performance(
int(((self.counter * 1.0) / (end - self.start))))
self.start = time.time()
self.counter = 0
while True:
msg = recv_msg(self.comm.to_master_queue)
if msg.tag == KAFL_TAG_REQ:
payload = read_binary_file(path)
self.__task_send(
[payload[:(64 << 10)]],
[self.redqueen_state.get_candidate_hash_addrs()],
msg.data,
self.comm.to_slave_queues[int(msg.data)],
[fuzz_methode(METHODE_IMPORT)],
tag=KAFL_TAG_REQ_VERIFY)
os.remove(path)
i += 1
self.counter += 1
self.round_counter += 1
break
else:
log_master("Unknown Tag (" + str(msg.tag) +
") received during verification...")
log_master("Sync...(" + str(self.round_counter) + " inputs)")
self.__sync_verification(self.round_counter)
log_master("Import done!")
def __perform_verification(self, input_count):
self.kafl_state["technique"] = "VERIFICATION"
log_master("Sync...(" + str(self.round_counter) + " inputs)")
self.__sync_verification(self.round_counter)
log_master("Verification...(" + str(input_count) + " inputs)")
i = 0
for path in glob.glob(self.config.argument_values['work_dir'] +
"/preliminary/preliminary_*"):
if (time.time() - self.start) >= self.refresh_rate:
end = time.time()
self.kafl_state.update_performance(
int(((self.counter * 1.0) / (end - self.start))))
self.start = time.time()
self.counter = 0
while True:
msg = recv_msg(self.comm.to_master_queue)
if msg.tag == KAFL_TAG_REQ:
payload = read_binary_file(path)
methode = fuzz_methode()
methode.read_from_file(
self.config.argument_values['work_dir'],
i + 1,
preliminary=True)
self.__task_send(
[payload[:(64 << 10)]],
[self.redqueen_state.get_candidate_hash_addrs()],
msg.data,
self.comm.to_slave_queues[int(msg.data)], [methode],
tag=KAFL_TAG_REQ_VERIFY)
i += 1
self.counter += 1
self.round_counter += 1
break
else:
log_master("Unknown Tag (" + str(msg.tag) +
") received during verification...")
log_master("Sync...(" + str(self.round_counter) + " inputs)")
self.__sync_verification(self.round_counter)
log_master("Verification done!")
def maybe_insert_node(self, payload, bitmap_array, node_struct):
bitmap = ExecutionResult.bitmap_from_bytearray(bitmap_array, node_struct["info"]["exit_reason"],
node_struct["info"]["performance"])
bitmap.lut_applied = True # since we received the bitmap from the slave, the lut was already applied
backup_data = bitmap.copy_to_array()
should_store, new_bytes, new_bits = self.bitmap_storage.should_store_in_queue(bitmap)
new_data = bitmap.copy_to_array()
if should_store:
node = QueueNode(payload, bitmap_array, node_struct, write=False)
node.set_new_bytes(new_bytes, write=False)
node.set_new_bits(new_bits, write=False)
self.queue.insert_input(node, bitmap)
elif self.debug_mode:
if node_struct["info"]["exit_reason"] != "regular":
log_master("Payload found to be boring, not saved (exit=%s)" % node_struct["info"]["exit_reason"])
for i in range(len(bitmap_array)):
if backup_data[i] != new_data[i]:
assert(False), "Bitmap mangled at {} {} {}".format(i, repr(backup_data[i]), repr(new_data[i]))
def loop(self):
finished_state = False
finished = False
payload = None
self.__init_fuzzing_loop()
self.__perform_bechmark()
while True:
#self.wipe()
payload_array = array('B', self.payload)
limiter_map = self.__calc_stage_iterations()
if not finished_state:
self.__perform_sampling()
self.__perform_deterministic(payload_array, limiter_map)
finished = False
num_of_finds = self.__get_num_of_finds()
if num_of_finds == 0 or finished_state:
while True:
self.__perform_havoc(payload_array, payload)
finished = True
num_of_finds_tmp = self.__get_num_of_finds()
if num_of_finds == num_of_finds_tmp or self.stage_abortion:
break
else:
num_of_finds = num_of_finds_tmp
log_master("Repeat!")
self.kafl_state.progress_havoc = 0
self.kafl_state.progress_specific = 0
self.kafl_state.progress_havoc_amount = havoc_range(
self.kafl_state.get_performance() *
self.HAVOC_MULTIPLIER)
self.kafl_state.progress_specific_amount = havoc_range(
self.kafl_state.get_performance() *
self.HAVOC_MULTIPLIER)
self.kafl_state.technique = "HAVOC"
send_msg(KAFL_TAG_OUTPUT, self.kafl_state,
self.comm.to_update_queue)
payload, finished_state = self.__perform_post_sync(finished)
def handle_msg(self, conn, msg):
if msg["type"] == MSG_NODE_DONE:
# Slave execution done, update queue item + send new task
self.task_count -= 1
log_master("Received results, sending next task..")
if msg["node_id"]:
self.queues.update_node_results(msg["node_id"], msg["results"],
msg["new_payload"])
self.send_next_task(conn)
elif msg["type"] == MSG_NEW_INPUT:
# Slave reports new interesting input
if self.debug_mode:
log_master("Received new input (exit=%s): %s" %
(msg["input"]["info"]["exit_reason"],
repr(msg["input"]["payload"][:24])))
node_struct = {
"info": msg["input"]["info"],
"state": {
"name": "initial"
}
}
self.maybe_insert_node(msg["input"]["payload"],
msg["input"]["bitmap"], node_struct)
elif msg["type"] == MSG_READY:
# Initial slave hello, send first task...
# log_master("Slave is ready..")
self.send_next_task(conn)
elif msg["type"] == MSG_NEXT_QUEUE:
# Flush slave message to switch queue.
self.task_paused = True
while self.task_count:
for conn, msg in self.comm.wait(self.statistics.plot_thres):
self.handle_msg(conn, msg)
self.task_paused = False
# Switch to next queue.
self.queues.next()
# Inputs placed to imports/ folder have priority.
if self.imports:
self.send_import(conn)
self.send_next_task(conn)
else:
raise ValueError("unknown message type {}".format(msg))
def __perform_redqueen(self, payload_array, colored_alternatives):
if self.config.argument_values['r']:
t = time.time()
rq_info = RedqueenInfoGatherer()
rq_info.make_paths(RedqueenWorkdir(0))
rq_info.verbose = False
for payload in colored_alternatives:
if self.__redqueen(payload):
self.__sync_redqueen(0)
self.kafl_state["technique"] = "REDQUEEN"
rq_info.get_info(payload)
if not self.mode_se_only:
rq_info.get_proposals()
self.kafl_state[
"progress_requeen_amount"] = rq_info.get_num_mutations()
log_master("Redqueen Stage...(" +
str(self.kafl_state["progress_requeen_amount"]) +
")")
rq_info.run_mutate_redqueen(payload_array,
self.__redqueen_handler,
kafl_state=self.kafl_state,
skip_null=True)
if self.mode_fix_checksum:
for addr in rq_info.get_hash_candidates():
self.redqueen_state.add_candidate_hash_addr(addr)
self.__buffered_handler(None, last_payload=True)
log_master("Redqueen Sync...")
tmp_progress_redqueen = self.kafl_state["progress_redqueen"]
self.kafl_state["progress_redqueen"] = self.kafl_state[
"progress_requeen_amount"]
self.__sync_redqueen(tmp_progress_redqueen)
self.__update_redqueen_slaves()
duration = time.time() - t
self.kafl_state[
"time_redqueen"] = self.kafl_state["time_redqueen"] + duration
log_redq("TIME IN REDQUEEN: %fs" %
self.kafl_state["time_redqueen"])
def __perform_havoc(self, payload_array, payload, use_splicing):
log_master("Havoc...")
self.kafl_state["progress_bitflip"] = self.kafl_state[
"progress_bitflip_amount"]
self.kafl_state["progress_arithmetic"] = self.kafl_state[
"progress_arithmetic_amount"]
self.kafl_state["progress_interesting"] = self.kafl_state[
"progress_interesting_amount"]
self.kafl_state["progress_redqueen"] = self.kafl_state[
"progress_requeen_amount"]
if payload and payload.node_type == KaflNodeType.favorite:
self.kafl_state["progress_havoc_amount"] = havoc.havoc_range(
self.kafl_state.get_performance() * self.HAVOC_MULTIPLIER *
2.0)
self.kafl_state["progress_specific_amount"] = havoc.havoc_range(
self.kafl_state.get_performance() * self.HAVOC_MULTIPLIER *
2.0) / self.RADAMSA_DIV
else:
self.kafl_state["progress_havoc_amount"] = havoc.havoc_range(
self.kafl_state.get_performance() * self.HAVOC_MULTIPLIER)
self.kafl_state["progress_specific_amount"] = havoc.havoc_range(
self.kafl_state.get_performance() *
self.HAVOC_MULTIPLIER) / self.RADAMSA_DIV
if not use_splicing:
self.kafl_state["technique"] = "HAVOC"
havoc.mutate_seq_havoc_array(
payload_array, self.__havoc_handler,
self.kafl_state["progress_havoc_amount"])
else:
self.kafl_state["technique"] = "SPLICING"
havoc.mutate_seq_splice_array(
payload_array, self.__splicing_handler,
self.kafl_state["progress_havoc_amount"], self.kafl_state)
self.__buffered_handler(None, last_payload=True)
mutate_seq_radamsa_array(payload_array,
self.__radamsa_handler,
self.kafl_state["progress_specific_amount"],
kafl_state=self.kafl_state)
self.__buffered_handler(None, last_payload=True)
def __task_send(self, tasks, qid, dest, imported=False):
fs_shm = self.comm.get_master_payload_shm(int(qid))
size = self.comm.get_master_payload_shm_size()
fs_shm.seek(0)
assert len(tasks) > 0
# input_len = to_string_32(len(tasks[i]))
fs_shm.write(struct.pack('<I', len(tasks[0])))
fs_shm.write(tasks[0])
if self.byte_map:
data = self.byte_map
else:
data = []
for i in range(len(tasks)):
data.append(None)
if imported:
log_master(f"IMPORT task sent to slave {qid}")
send_msg(DRIFUZZ_CONC_BITMAP, data, dest)
else:
send_msg(KAFL_TAG_JOB, data, dest)
log_master(f"task sent to slave {qid}")
def __init__(self, comm):
self.comm = comm
self.kafl_state = GlobalState()
self.redqueen_state = RedqueenState()
self.payload = ""
self.counter = 0
self.round_counter = 0
self.start = time.time()
self.benchmark_time = time.time()
self.counter_offset = 0
self.payload_buffer = []
self.methode_buffer = []
self.byte_map = []
self.stage_abortion = False
self.abortion_counter = 0
self.mapserver_status_pending = False
self.config = FuzzerConfiguration()
self.skip_zero = self.config.argument_values['s']
self.refresh_rate = self.config.config_values['UI_REFRESH_RATE']
self.use_effector_map = self.config.argument_values['d']
self.arith_max = FuzzerConfiguration().config_values["ARITHMETIC_MAX"]
self.seen_addr_to_value = {}
self.mode_se_only = False
self.mode_fix_checksum = self.config.argument_values["fix_hashes"]
if not self.config.argument_values['D']:
self.use_effector_map = False
self.havoc_on_demand = False
if FuzzerConfiguration().argument_values['hammer_jmp_tables']:
enable_hammering()
log_master("havoc_on_demand: " + str(self.havoc_on_demand))
log_master("Use effector maps: " + str(self.use_effector_map))
def __benchmarking(self, payload):
c = 0
runs = 3
log_master("Initial benchmark...")
start_run = time.time()
send_msg(KAFL_TAG_REQ_BENCHMARK, [payload, runs],
self.comm.to_slave_queues[0])
recv_tagged_msg(self.comm.to_master_from_slave_queue,
KAFL_TAG_REQ_BENCHMARK)
multiplier = int(5 / (time.time() - start_run))
if multiplier == 0:
multiplier = 1
log_master("Initial benchmark multiplier: " + str(multiplier))
self.__start_benchmark(0)
for slave in self.comm.to_slave_queues:
send_msg(KAFL_TAG_REQ_BENCHMARK, [payload, multiplier * runs],
slave)
c += 1
for i in range(c):
recv_tagged_msg(self.comm.to_master_from_slave_queue,
KAFL_TAG_REQ_BENCHMARK)
self.round_counter += multiplier * runs
value = self.__stop_benchmark()
self.round_counter = 0
log_master("Initial benchmark result: " + str(value) + " t/s")
for i in range(2):
self.kafl_state.update_performance(value)
def __init__(self, config):
self.config = config
self.comm = ServerConnection(self.config)
self.busy_events = 0
self.empty_hash = mmh3.hash(
("\x00" * self.config.config_values['BITMAP_SHM_SIZE']))
self.statistics = MasterStatistics(self.config)
self.queue = InputQueue(self.config, self.statistics)
self.bitmap_storage = BitmapStorage(
config,
config.config_values['BITMAP_SHM_SIZE'],
"master",
read_only=False)
if self.config.argument_values['hammer_jmp_tables']:
enable_hammering()
log_master("Starting (pid: %d)" % os.getpid())
log_master("Configuration dump:\n%s" %
pformat(config.argument_values, indent=4, compact=True))
def __init__(self, config):
self.config = config
self.comm = ServerConnection(self.config)
self.scheduler = Scheduler()
self.statistics = MasterStatistics(self.config)
self.queue = InputQueue(self.config, self.scheduler, self.statistics)
self.skip_zero = self.config.argument_values['s']
self.refresh_rate = self.config.config_values['UI_REFRESH_RATE']
self.use_effector_map = self.config.argument_values['d']
self.arith_max = self.config.config_values["ARITHMETIC_MAX"]
self.mode_fix_checksum = self.config.argument_values["fix_hashes"]
if not self.config.argument_values['D']:
self.use_effector_map = False
if self.config.argument_values['hammer_jmp_tables']:
enable_hammering()
print("Master PID: %d\n", os.getpid())
log_master("Use effector maps: " + str(self.use_effector_map))
def __perform_dict(self, payload_array, payload):
self.kafl_state["technique"] = "DICT-BF"
log_master("Dict on %s" % repr(payload_array.tostring()))
dict = havoc.get_redqueen_dict()
log_redq("using %s" % repr(dict))
counter = 0
if len(payload_array) < 256:
for addr in dict:
for repl in dict[addr]:
if addr in self.seen_addr_to_value and (
len(self.seen_addr_to_value[addr]) > 32
or repl in self.seen_addr_to_value[addr]):
continue
if not addr in self.seen_addr_to_value:
self.seen_addr_to_value[addr] = set()
self.seen_addr_to_value[addr].add(repl)
for i in range(len(payload_array)):
counter += 1
mutated = havoc.apply_dict_to_data(
payload_array, repl, i).tostring()
self.__dict_bf_handler(mutated)
log_redq("have performed %d iters" % counter)
self.__buffered_handler(None, last_payload=True)
def __master_handler(self):
if (time.time() - self.start
) >= self.refresh_rate and not self.mapserver_status_pending:
send_msg(KAFL_TAG_MAP_INFO, None, self.comm.to_mapserver_queue)
end = time.time()
#self.kafl_state.performance = int(((self.counter * 1.0) / (end - self.start)))
self.kafl_state.performance_rb.append(
int(((self.counter * 1.0) / (end - self.start))))
self.kafl_state.max_performance_rb.append(
int(((self.counter * 1.0) / (end - self.start))))
self.start = time.time()
self.counter = 0
self.mapserver_status_pending = True
while True:
msg = recv_msg(self.comm.to_master_queue)
if msg.tag == KAFL_TAG_REQ:
self.__task_send(self.payload_buffer, msg.data,
self.comm.to_slave_queues[int(msg.data)])
self.abortion_counter += len(self.payload_buffer)
self.counter += len(self.payload_buffer)
self.round_counter += len(self.payload_buffer)
break
elif msg.tag == KAFL_TAG_ABORT_REQ:
log_master("Abortion request received...")
self.stage_abortion = True
self.payload_buffer = []
self.byte_map = []
return
elif msg.tag == KAFL_TAG_MAP_INFO:
self.__process_mapserver_state(msg)
self.mapserver_status_pending = False
send_msg(KAFL_TAG_OUTPUT, self.kafl_state,
self.comm.to_update_queue)
else:
raise Exception(
"Unknown msg-tag received in master process...")