Пример #1
0
    def __perform_havoc(self, payload_array, payload):
        log_master("Havoc...")
        self.kafl_state.progress_bitflip = self.kafl_state.progress_bitflip_amount
        self.kafl_state.progress_arithmetic = self.kafl_state.progress_arithmetic_amount
        self.kafl_state.progress_interesting = self.kafl_state.progress_interesting_amount

        if payload and payload.node_type == KaflNodeType.favorite:
            self.kafl_state.progress_havoc_amount = havoc_range(
                self.kafl_state.get_performance() * self.HAVOC_MULTIPLIER *
                2.0)
            self.kafl_state.progress_specific_amount = havoc_range(
                self.kafl_state.get_performance() * self.HAVOC_MULTIPLIER *
                2.0)
        else:
            self.kafl_state.progress_havoc_amount = havoc_range(
                self.kafl_state.get_performance() * self.HAVOC_MULTIPLIER)
            self.kafl_state.progress_specific_amount = havoc_range(
                self.kafl_state.get_performance() * self.HAVOC_MULTIPLIER)

        self.kafl_state.technique = "HAVOC"
        mutate_seq_havoc_array(payload_array, self.__havoc_handler,
                               self.kafl_state.progress_havoc_amount)
        self.__buffered_handler(None, last_payload=True)
        self.kafl_state.progress_havoc_amount = self.kafl_state.progress_havoc

        self.kafl_state.technique = "SPLICING"
        mutate_seq_splice_array(payload_array, self.__splicing_handler,
                                self.kafl_state.progress_havoc_amount,
                                self.kafl_state)
        self.__buffered_handler(None, last_payload=True)
Пример #2
0
 def loop(self):
     while True:
         for conn, msg in self.comm.wait(self.statistics.plot_thres):
             if msg["type"] == MSG_NODE_DONE:
                 # Slave execution done, update queue item + send new task
                 log_master("Received results, sending next task..")
                 if msg["node_id"]:
                     self.queue.update_node_results(msg["node_id"],
                                                    msg["results"],
                                                    msg["new_payload"])
                 self.send_next_task(conn)
             elif msg["type"] == MSG_NEW_INPUT:
                 # Slave reports new interesting input
                 log_master("Received new input (exit=%s): %s" %
                            (msg["input"]["info"]["exit_reason"],
                             repr(msg["input"]["payload"][:24])))
                 node_struct = {
                     "info": msg["input"]["info"],
                     "state": {
                         "name": "initial"
                     }
                 }
                 self.maybe_insert_node(msg["input"]["payload"],
                                        msg["input"]["bitmap"], node_struct)
             elif msg["type"] == MSG_READY:
                 # Initial slave hello, send first task...
                 # log_master("Slave is ready..")
                 self.send_next_task(conn)
             else:
                 raise ValueError("unknown message type {}".format(msg))
         self.statistics.event_slave_poll()
         self.statistics.maybe_write_stats()
Пример #3
0
    def __master_handler(self, methods):
        if (time.time() - self.start) >= self.refresh_rate:
            end = time.time()

            self.kafl_state.update_performance(
                int(((self.counter * 1.0) / (end - self.start))))
            self.start = time.time()
            self.counter = 0

        while True:
            msg = recv_msg(self.comm.to_master_queue)
            if msg.tag == KAFL_TAG_REQ:
                self.__task_send(self.payload_buffer,
                                 [None] * len(self.payload_buffer), msg.data,
                                 self.comm.to_slave_queues[int(msg.data)],
                                 methods)
                self.abortion_counter += len(self.payload_buffer)
                self.counter += len(self.payload_buffer)
                self.round_counter += len(self.payload_buffer)
                break
            elif msg.tag == KAFL_TAG_ABORT_REQ:
                log_master("Abortion request received...")
                self.stage_abortion = True
                self.payload_buffer = []
                self.byte_map = []
                return
            else:
                raise Exception(
                    "Unknown msg-tag received in master process...")
Пример #4
0
 def __get_bitmap_hash_robust(self, payload_array):
     self.__get_bitmap_hash(payload_array)
     hashes = [self.__get_bitmap_hash(payload_array) for i in xrange(3)]
     if len(set(hashes)) == 1:
         return hashes[0]
     log_master("Hash Doesn't seem Stable")
     return None
Пример #5
0
    def __init__(self, comm):
        self.comm = comm
        self.kafl_state = State()
        self.payload = ""

        self.counter = 0
        self.round_counter = 0
        self.start = time.time()
        self.benchmark_time = time.time()
        self.counter_offset = 0
        self.payload_buffer = []
        self.byte_map = []
        self.stage_abortion = False
        self.abortion_counter = 0

        self.mapserver_status_pending = False

        self.config = FuzzerConfiguration()
        self.skip_zero = self.config.argument_values['s']
        self.refresh_rate = self.config.config_values['UI_REFRESH_RATE']
        self.use_effector_map = self.config.argument_values['d']
        self.arith_max = FuzzerConfiguration().config_values["ARITHMETIC_MAX"]

        if not self.config.argument_values['D']:
            self.use_effector_map = False

        if self.config.load_old_state:
            self.load_data()

        log_master("Use effector maps: " + str(self.use_effector_map))
Пример #6
0
    def __init__(self, config):
        self.config = config
        self.comm = ServerConnection(self.config)
        self.debug_mode = config.argument_values['debug']
        self.task_count = 0
        self.task_paused = False

        self.busy_events = 0
        self.empty_hash = mmh3.hash(
            ("\x00" * self.config.config_values['BITMAP_SHM_SIZE']),
            signed=False)

        self.statistics = MasterStatistics(self.config)
        self.queues = CycleQueue(self.config)
        for _ in range(interface_manager.size()):
            self.queues.append(InputQueue(self.config, self.statistics))

        #self.queue = InputQueue(self.config, self.statistics)
        self.bitmap_storage = BitmapStorage(
            config,
            config.config_values['BITMAP_SHM_SIZE'],
            "master",
            read_only=False)

        redqueen_global_config(
            redq_hammering=self.config.argument_values['hammer_jmp_tables'],
            redq_do_simple=self.config.argument_values['redq_do_simple'],
            afl_arith_max=self.config.config_values['ARITHMETIC_MAX'])

        self.imports = list(interface_manager.to_corpus())
        log_master("Starting (pid: %d)" % os.getpid())
        log_master("Configuration dump:\n%s" %
                   pformat(config.argument_values, indent=4, compact=True))
Пример #7
0
    def __master_handler(self):
        if (time.time() - self.start
            ) >= self.refresh_rate and not self.mapserver_status_pending:
            self.mapserver_status_pending = True
            send_msg(KAFL_TAG_MAP_INFO, None, self.comm.to_mapserver_queue)
            end = time.time()
            self.kafl_state.performance = ((self.counter * 1.0) /
                                           (end - self.start))
            self.kafl_state.performance_rb.append(
                ((self.counter * 1.0) / (end - self.start)))
            self.kafl_state.max_performance_rb.append(
                ((self.counter * 1.0) / (end - self.start)))
            self.start = time.time()
            self.counter = 0

        while not self.stopped():
            msg = recv_msg(self.comm.to_master_queue, timeout=0.1)
            if msg == None:
                continue
            if msg.tag == KAFL_TAG_REQ:
                if len(self.concolic_payloads) > 0:
                    self.__task_send([self.concolic_payloads[0]],
                                     msg.data,
                                     self.comm.to_slave_queues[int(msg.data)],
                                     imported=True)
                    self.concolic_payloads.pop(0)
                    # Continue until the queue is consumed
                    # send_msg(KAFL_TAG_OUTPUT, self.kafl_state, self.comm.to_update_queue)
                    if (
                            time.time() - self.start
                    ) >= self.refresh_rate and not self.mapserver_status_pending:
                        self.mapserver_status_pending = True
                        send_msg(KAFL_TAG_MAP_INFO, None,
                                 self.comm.to_mapserver_queue)
                        self.start = time.time()
                    continue
                else:
                    self.__task_send(self.payload_buffer, msg.data,
                                     self.comm.to_slave_queues[int(msg.data)])
                    self.abortion_counter += len(self.payload_buffer)
                    self.counter += len(self.payload_buffer)
                    self.round_counter += len(self.payload_buffer)
                    break
            elif msg.tag == KAFL_TAG_ABORT_REQ:
                log_master("Abortion request received...")
                self.stage_abortion = True
                self.payload_buffer = []
                self.byte_map = []
                return
            elif msg.tag == KAFL_TAG_MAP_INFO:
                self.__process_mapserver_state(msg)
                self.mapserver_status_pending = False
                send_msg(KAFL_TAG_OUTPUT, self.kafl_state,
                         self.comm.to_update_queue)
            elif msg.tag == DRIFUZZ_NEW_INPUT:
                self.concolic_payloads += [msg.data]
            else:
                raise Exception(
                    "Unknown msg-tag received in master process...")
Пример #8
0
 def __sync_verification(self, verification_amoun):
     send_msg(KAFL_TAG_REQ_VERIFY_SYNC, verification_amoun,
              self.comm.to_mapserver_queue)
     while True:
         data = recv_msg(self.comm.to_master_from_mapserver_queue)
         if KAFL_TAG_REQ_VERIFY_SYNC == data.tag:
             return
         else:
             log_master("__sync_verification error?!")
Пример #9
0
 def __perform_post_sync(self, finished):
     self.kafl_state["technique"] = "POST-SYNC"
     payload, finished_state = self.__recv_next(finished,
                                                self.__stop_benchmark())
     log_master("finished_state -> " + str(finished_state))
     self.payload = payload.load_payload()
     self.round_counter = 0
     self.stage_abortion = False
     self.abortion_counter = 0
     return payload, finished_state
Пример #10
0
 def __get_num_of_finds(self):
     if self.stage_abortion:
         send_msg(KAFL_TAG_UNTOUCHED_NODES, self.abortion_counter,
                  self.comm.to_mapserver_queue)
     else:
         send_msg(KAFL_TAG_UNTOUCHED_NODES, self.round_counter,
                  self.comm.to_mapserver_queue)
     result = recv_msg(self.comm.to_master_from_mapserver_queue).data
     log_master("Current findings: " + str(result))
     return result
Пример #11
0
 def __perform_post_sync(self, finished):
     self.kafl_state.technique = "POST-SYNC"
     send_msg(KAFL_TAG_OUTPUT, self.kafl_state, self.comm.to_update_queue)
     payload, finished_state = self.__recv_next(finished,
                                                self.__stop_benchmark())
     log_master("finished_state -> " + str(finished_state))
     self.payload = payload.load_payload()
     self.round_counter = 0
     self.stage_abortion = False
     self.abortion_counter = 0
     return payload, finished_state
Пример #12
0
    def __calc_stage_iterations(self):
        self.kafl_state["progress_redqueen"] = 0
        self.kafl_state["progress_bitflip"] = 0
        self.kafl_state["progress_arithmetic"] = 0
        self.kafl_state["progress_interesting"] = 0
        self.kafl_state["progress_havoc"] = 0
        self.kafl_state["progress_specific"] = 0
        self.kafl_state["payload_size"] = len(self.payload)
        self.kafl_state["payload"] = self.payload

        limiter_map = []
        for i in range(len(self.payload)):
            limiter_map.append(True)
        if self.config.argument_values['i']:
            for ignores in self.config.argument_values['i']:
                log_master("Ignore-range 0: " + str(ignores[0]) + " " +
                           str(min(ignores[0], len(self.payload))))
                log_master("Ignore-range 1: " + str(ignores[1]) + " " +
                           str(min(ignores[1], len(self.payload))))
                for i in range(min(ignores[0], len(self.payload)),
                               min(ignores[1], len(self.payload))):
                    limiter_map[i] = False

        if self.config.argument_values['D']:
            self.kafl_state["progress_bitflip_amount"] = bitflip_range(
                self.payload,
                skip_null=self.skip_zero,
                effector_map=limiter_map)
            self.kafl_state["progress_arithmetic_amount"] = arithmetic_range(
                self.payload,
                skip_null=self.skip_zero,
                effector_map=limiter_map,
                set_arith_max=self.arith_max)
            self.kafl_state["progress_interesting_amount"] = interesting_range(
                self.payload,
                skip_null=self.skip_zero,
                effector_map=limiter_map)
        else:
            self.kafl_state["progress_bitflip_amount"] = 0
            self.kafl_state["progress_arithmetic_amount"] = 0
            self.kafl_state["progress_interesting_amount"] = 0

        self.kafl_state["progress_havoc_amount"] = havoc.havoc_range(
            self.kafl_state.get_performance() * self.HAVOC_MULTIPLIER)
        self.kafl_state["progress_specific_amount"] = havoc.havoc_range(
            self.kafl_state.get_performance() *
            self.HAVOC_MULTIPLIER) / self.RADAMSA_DIV

        self.__start_benchmark(self.round_counter)
        return limiter_map
Пример #13
0
    def __perform_coloring(self, payload_array):
        if self.config.argument_values['r']:
            self.kafl_state["technique"] = "COLORING"
            log_master("Initial Redqueen Colorize...")
            hash = self.__get_bitmap_hash_robust(payload_array)
            if hash == None:
                return None
            log_master("Orig Redqueen Colorize...(" + str(hash) + ")")

            colored_arrays = []
            for i in xrange(COLORIZATION_COUNT):
                if len(colored_arrays) >= COLORIZATION_COUNT:
                    break
                arr = array("B", payload_array)
                self.__colorize_payload(hash, arr)
                new_hash = self.__get_bitmap_hash(arr)
                if (new_hash == hash):
                    colored_arrays.append(arr)
                    log_master("found good hash")
                else:
                    log_master("found bad hash: " + repr(new_hash) + " retry")
                    return None

            colored_arrays.append(payload_array)
            return colored_arrays
Пример #14
0
 def __get_num_of_finds(self):
     if self.stage_abortion:
         send_msg(KAFL_TAG_UNTOUCHED_NODES, self.abortion_counter,
                  self.comm.to_mapserver_queue)
     else:
         send_msg(KAFL_TAG_UNTOUCHED_NODES, self.round_counter,
                  self.comm.to_mapserver_queue)
     msg = None
     while not msg and not self.stopped():
         msg = recv_msg(self.comm.to_master_from_mapserver_queue,
                        timeout=0.1)
     result = msg.data
     log_master("Current findings: " + str(result))
     return result
Пример #15
0
    def __init_fuzzing_loop(self):
        self.kafl_state["cycles"] = 0
        self.__start_processes()

        if self.config.load_old_state:
            log_master("State exists!")
        else:
            log_master("State does not exist!")
            payloads = get_seed_files(self.config.argument_values['work_dir'] +
                                      "/corpus")
            data = []
            for payload in payloads:
                bitmap = self.__request_bitmap(payload)
                data.append((payload, bitmap))
            send_msg(KAFL_INIT_BITMAP, data, self.comm.to_mapserver_queue)
            self.payload = payloads[0]
Пример #16
0
 def __colorize_payload(self, hash, payload_array):
     c = ColorizerStrategy(
         len(payload_array), lambda min, max: self.__check_colorization(
             hash, payload_array, min, max))
     t = time.time()
     i = 0
     while True:
         if i >= COLORIZATION_STEPS and time.time(
         ) - t > COLORIZATION_TIMEOUT:  #TODO add to config
             break
         if i % 20 == 0:
             log_master("colorizing step %d," % (i))
         if len(c.unknown_ranges) == 0:
             break
         c.colorize_step()
         i += 1
Пример #17
0
    def __perform_import(self):

        import_count = len(
            glob.glob(self.config.argument_values['work_dir'] + "/imports/*"))

        if import_count == 0:
            return

        self.kafl_state["technique"] = "IMPORT"

        log_master("Sync...(" + str(self.round_counter) + " inputs)")
        self.__sync_verification(self.round_counter)
        log_master("Importing...(" + str(import_count) + " inputs)")

        i = 0
        for path in glob.glob(self.config.argument_values['work_dir'] +
                              "/imports/*"):
            if (time.time() - self.start) >= self.refresh_rate:
                end = time.time()
                self.kafl_state.update_performance(
                    int(((self.counter * 1.0) / (end - self.start))))
                self.start = time.time()
                self.counter = 0
            while True:
                msg = recv_msg(self.comm.to_master_queue)
                if msg.tag == KAFL_TAG_REQ:
                    payload = read_binary_file(path)

                    self.__task_send(
                        [payload[:(64 << 10)]],
                        [self.redqueen_state.get_candidate_hash_addrs()],
                        msg.data,
                        self.comm.to_slave_queues[int(msg.data)],
                        [fuzz_methode(METHODE_IMPORT)],
                        tag=KAFL_TAG_REQ_VERIFY)
                    os.remove(path)
                    i += 1
                    self.counter += 1
                    self.round_counter += 1
                    break
                else:
                    log_master("Unknown Tag (" + str(msg.tag) +
                               ") received during verification...")

        log_master("Sync...(" + str(self.round_counter) + " inputs)")
        self.__sync_verification(self.round_counter)
        log_master("Import done!")
Пример #18
0
    def __perform_verification(self, input_count):

        self.kafl_state["technique"] = "VERIFICATION"

        log_master("Sync...(" + str(self.round_counter) + " inputs)")
        self.__sync_verification(self.round_counter)
        log_master("Verification...(" + str(input_count) + " inputs)")

        i = 0
        for path in glob.glob(self.config.argument_values['work_dir'] +
                              "/preliminary/preliminary_*"):
            if (time.time() - self.start) >= self.refresh_rate:
                end = time.time()
                self.kafl_state.update_performance(
                    int(((self.counter * 1.0) / (end - self.start))))
                self.start = time.time()
                self.counter = 0
            while True:
                msg = recv_msg(self.comm.to_master_queue)
                if msg.tag == KAFL_TAG_REQ:
                    payload = read_binary_file(path)

                    methode = fuzz_methode()
                    methode.read_from_file(
                        self.config.argument_values['work_dir'],
                        i + 1,
                        preliminary=True)

                    self.__task_send(
                        [payload[:(64 << 10)]],
                        [self.redqueen_state.get_candidate_hash_addrs()],
                        msg.data,
                        self.comm.to_slave_queues[int(msg.data)], [methode],
                        tag=KAFL_TAG_REQ_VERIFY)
                    i += 1
                    self.counter += 1
                    self.round_counter += 1
                    break
                else:
                    log_master("Unknown Tag (" + str(msg.tag) +
                               ") received during verification...")

        log_master("Sync...(" + str(self.round_counter) + " inputs)")
        self.__sync_verification(self.round_counter)
        log_master("Verification done!")
Пример #19
0
 def maybe_insert_node(self, payload, bitmap_array, node_struct):
     bitmap = ExecutionResult.bitmap_from_bytearray(bitmap_array, node_struct["info"]["exit_reason"],
                                                    node_struct["info"]["performance"])
     bitmap.lut_applied = True  # since we received the bitmap from the slave, the lut was already applied
     backup_data = bitmap.copy_to_array()
     should_store, new_bytes, new_bits = self.bitmap_storage.should_store_in_queue(bitmap)
     new_data = bitmap.copy_to_array()
     if should_store:
         node = QueueNode(payload, bitmap_array, node_struct, write=False)
         node.set_new_bytes(new_bytes, write=False)
         node.set_new_bits(new_bits, write=False)
         self.queue.insert_input(node, bitmap)
     elif self.debug_mode:
         if node_struct["info"]["exit_reason"] != "regular":
             log_master("Payload found to be boring, not saved (exit=%s)" % node_struct["info"]["exit_reason"])
         for i in range(len(bitmap_array)):
             if backup_data[i] != new_data[i]:
                 assert(False), "Bitmap mangled at {} {} {}".format(i, repr(backup_data[i]), repr(new_data[i]))
Пример #20
0
    def loop(self):
        finished_state = False
        finished = False
        payload = None

        self.__init_fuzzing_loop()
        self.__perform_bechmark()

        while True:

            #self.wipe()

            payload_array = array('B', self.payload)
            limiter_map = self.__calc_stage_iterations()

            if not finished_state:
                self.__perform_sampling()
                self.__perform_deterministic(payload_array, limiter_map)
                finished = False

            num_of_finds = self.__get_num_of_finds()
            if num_of_finds == 0 or finished_state:
                while True:
                    self.__perform_havoc(payload_array, payload)
                    finished = True
                    num_of_finds_tmp = self.__get_num_of_finds()
                    if num_of_finds == num_of_finds_tmp or self.stage_abortion:
                        break
                    else:
                        num_of_finds = num_of_finds_tmp
                        log_master("Repeat!")
                        self.kafl_state.progress_havoc = 0
                        self.kafl_state.progress_specific = 0
                        self.kafl_state.progress_havoc_amount = havoc_range(
                            self.kafl_state.get_performance() *
                            self.HAVOC_MULTIPLIER)
                        self.kafl_state.progress_specific_amount = havoc_range(
                            self.kafl_state.get_performance() *
                            self.HAVOC_MULTIPLIER)
                        self.kafl_state.technique = "HAVOC"
                        send_msg(KAFL_TAG_OUTPUT, self.kafl_state,
                                 self.comm.to_update_queue)

            payload, finished_state = self.__perform_post_sync(finished)
Пример #21
0
    def handle_msg(self, conn, msg):
        if msg["type"] == MSG_NODE_DONE:
            # Slave execution done, update queue item + send new task
            self.task_count -= 1
            log_master("Received results, sending next task..")
            if msg["node_id"]:
                self.queues.update_node_results(msg["node_id"], msg["results"],
                                                msg["new_payload"])
            self.send_next_task(conn)
        elif msg["type"] == MSG_NEW_INPUT:
            # Slave reports new interesting input
            if self.debug_mode:
                log_master("Received new input (exit=%s): %s" %
                           (msg["input"]["info"]["exit_reason"],
                            repr(msg["input"]["payload"][:24])))
            node_struct = {
                "info": msg["input"]["info"],
                "state": {
                    "name": "initial"
                }
            }
            self.maybe_insert_node(msg["input"]["payload"],
                                   msg["input"]["bitmap"], node_struct)
        elif msg["type"] == MSG_READY:
            # Initial slave hello, send first task...
            # log_master("Slave is ready..")
            self.send_next_task(conn)
        elif msg["type"] == MSG_NEXT_QUEUE:
            # Flush slave message to switch queue.
            self.task_paused = True
            while self.task_count:
                for conn, msg in self.comm.wait(self.statistics.plot_thres):
                    self.handle_msg(conn, msg)
            self.task_paused = False

            # Switch to next queue.
            self.queues.next()

            # Inputs placed to imports/ folder have priority.
            if self.imports:
                self.send_import(conn)
            self.send_next_task(conn)
        else:
            raise ValueError("unknown message type {}".format(msg))
Пример #22
0
    def __perform_redqueen(self, payload_array, colored_alternatives):
        if self.config.argument_values['r']:
            t = time.time()
            rq_info = RedqueenInfoGatherer()
            rq_info.make_paths(RedqueenWorkdir(0))
            rq_info.verbose = False
            for payload in colored_alternatives:
                if self.__redqueen(payload):
                    self.__sync_redqueen(0)
                    self.kafl_state["technique"] = "REDQUEEN"
                    rq_info.get_info(payload)

            if not self.mode_se_only:
                rq_info.get_proposals()

                self.kafl_state[
                    "progress_requeen_amount"] = rq_info.get_num_mutations()
                log_master("Redqueen Stage...(" +
                           str(self.kafl_state["progress_requeen_amount"]) +
                           ")")
                rq_info.run_mutate_redqueen(payload_array,
                                            self.__redqueen_handler,
                                            kafl_state=self.kafl_state,
                                            skip_null=True)

                if self.mode_fix_checksum:
                    for addr in rq_info.get_hash_candidates():
                        self.redqueen_state.add_candidate_hash_addr(addr)

                self.__buffered_handler(None, last_payload=True)
                log_master("Redqueen Sync...")
                tmp_progress_redqueen = self.kafl_state["progress_redqueen"]
                self.kafl_state["progress_redqueen"] = self.kafl_state[
                    "progress_requeen_amount"]

                self.__sync_redqueen(tmp_progress_redqueen)
            self.__update_redqueen_slaves()

            duration = time.time() - t
            self.kafl_state[
                "time_redqueen"] = self.kafl_state["time_redqueen"] + duration
            log_redq("TIME IN REDQUEEN: %fs" %
                     self.kafl_state["time_redqueen"])
Пример #23
0
    def __perform_havoc(self, payload_array, payload, use_splicing):
        log_master("Havoc...")
        self.kafl_state["progress_bitflip"] = self.kafl_state[
            "progress_bitflip_amount"]
        self.kafl_state["progress_arithmetic"] = self.kafl_state[
            "progress_arithmetic_amount"]
        self.kafl_state["progress_interesting"] = self.kafl_state[
            "progress_interesting_amount"]
        self.kafl_state["progress_redqueen"] = self.kafl_state[
            "progress_requeen_amount"]

        if payload and payload.node_type == KaflNodeType.favorite:
            self.kafl_state["progress_havoc_amount"] = havoc.havoc_range(
                self.kafl_state.get_performance() * self.HAVOC_MULTIPLIER *
                2.0)
            self.kafl_state["progress_specific_amount"] = havoc.havoc_range(
                self.kafl_state.get_performance() * self.HAVOC_MULTIPLIER *
                2.0) / self.RADAMSA_DIV
        else:
            self.kafl_state["progress_havoc_amount"] = havoc.havoc_range(
                self.kafl_state.get_performance() * self.HAVOC_MULTIPLIER)
            self.kafl_state["progress_specific_amount"] = havoc.havoc_range(
                self.kafl_state.get_performance() *
                self.HAVOC_MULTIPLIER) / self.RADAMSA_DIV

        if not use_splicing:
            self.kafl_state["technique"] = "HAVOC"
            havoc.mutate_seq_havoc_array(
                payload_array, self.__havoc_handler,
                self.kafl_state["progress_havoc_amount"])
        else:
            self.kafl_state["technique"] = "SPLICING"
            havoc.mutate_seq_splice_array(
                payload_array, self.__splicing_handler,
                self.kafl_state["progress_havoc_amount"], self.kafl_state)
        self.__buffered_handler(None, last_payload=True)

        mutate_seq_radamsa_array(payload_array,
                                 self.__radamsa_handler,
                                 self.kafl_state["progress_specific_amount"],
                                 kafl_state=self.kafl_state)
        self.__buffered_handler(None, last_payload=True)
Пример #24
0
 def __task_send(self, tasks, qid, dest, imported=False):
     fs_shm = self.comm.get_master_payload_shm(int(qid))
     size = self.comm.get_master_payload_shm_size()
     fs_shm.seek(0)
     assert len(tasks) > 0
     # input_len = to_string_32(len(tasks[i]))
     fs_shm.write(struct.pack('<I', len(tasks[0])))
     fs_shm.write(tasks[0])
     if self.byte_map:
         data = self.byte_map
     else:
         data = []
         for i in range(len(tasks)):
             data.append(None)
     if imported:
         log_master(f"IMPORT task sent to slave {qid}")
         send_msg(DRIFUZZ_CONC_BITMAP, data, dest)
     else:
         send_msg(KAFL_TAG_JOB, data, dest)
     log_master(f"task sent to slave {qid}")
Пример #25
0
    def __init__(self, comm):
        self.comm = comm
        self.kafl_state = GlobalState()
        self.redqueen_state = RedqueenState()
        self.payload = ""

        self.counter = 0
        self.round_counter = 0
        self.start = time.time()
        self.benchmark_time = time.time()
        self.counter_offset = 0
        self.payload_buffer = []
        self.methode_buffer = []
        self.byte_map = []
        self.stage_abortion = False
        self.abortion_counter = 0

        self.mapserver_status_pending = False

        self.config = FuzzerConfiguration()
        self.skip_zero = self.config.argument_values['s']
        self.refresh_rate = self.config.config_values['UI_REFRESH_RATE']
        self.use_effector_map = self.config.argument_values['d']
        self.arith_max = FuzzerConfiguration().config_values["ARITHMETIC_MAX"]

        self.seen_addr_to_value = {}

        self.mode_se_only = False
        self.mode_fix_checksum = self.config.argument_values["fix_hashes"]

        if not self.config.argument_values['D']:
            self.use_effector_map = False

        self.havoc_on_demand = False

        if FuzzerConfiguration().argument_values['hammer_jmp_tables']:
            enable_hammering()

        log_master("havoc_on_demand: " + str(self.havoc_on_demand))
        log_master("Use effector maps: " + str(self.use_effector_map))
Пример #26
0
    def __benchmarking(self, payload):
        c = 0
        runs = 3
        log_master("Initial benchmark...")
        start_run = time.time()
        send_msg(KAFL_TAG_REQ_BENCHMARK, [payload, runs],
                 self.comm.to_slave_queues[0])
        recv_tagged_msg(self.comm.to_master_from_slave_queue,
                        KAFL_TAG_REQ_BENCHMARK)

        multiplier = int(5 / (time.time() - start_run))
        if multiplier == 0:
            multiplier = 1

        log_master("Initial benchmark multiplier: " + str(multiplier))

        self.__start_benchmark(0)
        for slave in self.comm.to_slave_queues:
            send_msg(KAFL_TAG_REQ_BENCHMARK, [payload, multiplier * runs],
                     slave)
            c += 1
        for i in range(c):
            recv_tagged_msg(self.comm.to_master_from_slave_queue,
                            KAFL_TAG_REQ_BENCHMARK)
            self.round_counter += multiplier * runs

        value = self.__stop_benchmark()
        self.round_counter = 0
        log_master("Initial benchmark result: " + str(value) + " t/s")
        for i in range(2):
            self.kafl_state.update_performance(value)
Пример #27
0
    def __init__(self, config):
        self.config = config
        self.comm = ServerConnection(self.config)

        self.busy_events = 0
        self.empty_hash = mmh3.hash(
            ("\x00" * self.config.config_values['BITMAP_SHM_SIZE']))

        self.statistics = MasterStatistics(self.config)
        self.queue = InputQueue(self.config, self.statistics)
        self.bitmap_storage = BitmapStorage(
            config,
            config.config_values['BITMAP_SHM_SIZE'],
            "master",
            read_only=False)

        if self.config.argument_values['hammer_jmp_tables']:
            enable_hammering()

        log_master("Starting (pid: %d)" % os.getpid())
        log_master("Configuration dump:\n%s" %
                   pformat(config.argument_values, indent=4, compact=True))
Пример #28
0
    def __init__(self, config):
        self.config = config
        self.comm = ServerConnection(self.config)

        self.scheduler = Scheduler()
        self.statistics = MasterStatistics(self.config)
        self.queue = InputQueue(self.config, self.scheduler, self.statistics)

        self.skip_zero = self.config.argument_values['s']
        self.refresh_rate = self.config.config_values['UI_REFRESH_RATE']
        self.use_effector_map = self.config.argument_values['d']
        self.arith_max = self.config.config_values["ARITHMETIC_MAX"]

        self.mode_fix_checksum = self.config.argument_values["fix_hashes"]

        if not self.config.argument_values['D']:
            self.use_effector_map = False

        if self.config.argument_values['hammer_jmp_tables']:
            enable_hammering()

        print("Master PID: %d\n", os.getpid())
        log_master("Use effector maps: " + str(self.use_effector_map))
Пример #29
0
 def __perform_dict(self, payload_array, payload):
     self.kafl_state["technique"] = "DICT-BF"
     log_master("Dict on %s" % repr(payload_array.tostring()))
     dict = havoc.get_redqueen_dict()
     log_redq("using %s" % repr(dict))
     counter = 0
     if len(payload_array) < 256:
         for addr in dict:
             for repl in dict[addr]:
                 if addr in self.seen_addr_to_value and (
                         len(self.seen_addr_to_value[addr]) > 32
                         or repl in self.seen_addr_to_value[addr]):
                     continue
                 if not addr in self.seen_addr_to_value:
                     self.seen_addr_to_value[addr] = set()
                 self.seen_addr_to_value[addr].add(repl)
                 for i in range(len(payload_array)):
                     counter += 1
                     mutated = havoc.apply_dict_to_data(
                         payload_array, repl, i).tostring()
                     self.__dict_bf_handler(mutated)
     log_redq("have performed %d iters" % counter)
     self.__buffered_handler(None, last_payload=True)
Пример #30
0
    def __master_handler(self):
        if (time.time() - self.start
            ) >= self.refresh_rate and not self.mapserver_status_pending:
            send_msg(KAFL_TAG_MAP_INFO, None, self.comm.to_mapserver_queue)
            end = time.time()
            #self.kafl_state.performance = int(((self.counter * 1.0) / (end - self.start)))
            self.kafl_state.performance_rb.append(
                int(((self.counter * 1.0) / (end - self.start))))
            self.kafl_state.max_performance_rb.append(
                int(((self.counter * 1.0) / (end - self.start))))
            self.start = time.time()
            self.counter = 0
            self.mapserver_status_pending = True

        while True:
            msg = recv_msg(self.comm.to_master_queue)
            if msg.tag == KAFL_TAG_REQ:
                self.__task_send(self.payload_buffer, msg.data,
                                 self.comm.to_slave_queues[int(msg.data)])
                self.abortion_counter += len(self.payload_buffer)
                self.counter += len(self.payload_buffer)
                self.round_counter += len(self.payload_buffer)
                break
            elif msg.tag == KAFL_TAG_ABORT_REQ:
                log_master("Abortion request received...")
                self.stage_abortion = True
                self.payload_buffer = []
                self.byte_map = []
                return
            elif msg.tag == KAFL_TAG_MAP_INFO:
                self.__process_mapserver_state(msg)
                self.mapserver_status_pending = False
                send_msg(KAFL_TAG_OUTPUT, self.kafl_state,
                         self.comm.to_update_queue)
            else:
                raise Exception(
                    "Unknown msg-tag received in master process...")