def main(_): """Constructs the fuzzer and fuzzes.""" # Log more tf.logging.set_verbosity(tf.logging.INFO) # Set up initial seed inputs image, label = fuzz_utils.basic_mnist_input_corpus( choose_randomly=FLAGS.random_seed_corpus) seed_inputs = [[image, label]] image_copy = image[:] with tf.Session() as sess: # Specify input, coverage, and metadata tensors input_tensors, coverage_tensors, metadata_tensors = \ fuzz_utils.get_tensors_from_checkpoint( sess, FLAGS.checkpoint_dir ) # Construct and run fuzzer fuzzer = Fuzzer( sess=sess, seed_inputs=seed_inputs, input_tensors=input_tensors, coverage_tensors=coverage_tensors, metadata_tensors=metadata_tensors, coverage_function=sum_coverage_function, metadata_function=metadata_function, objective_function=objective_function, mutation_function=mutation_function, sample_function=recent_sample_function, threshold=FLAGS.ann_threshold, ) result = fuzzer.loop(FLAGS.total_inputs_to_fuzz) if result is not None: # Double check that there is persistent disagreement for idx in range(10): logits, quantized_logits = sess.run( [coverage_tensors[0], coverage_tensors[1]], feed_dict={ input_tensors[0]: np.expand_dims(result.data[0], 0) }, ) if np.argmax(logits, 1) != np.argmax(quantized_logits, 1): tf.logging.info("disagreement confirmed: idx %s", idx) else: tf.logging.info("SPURIOUS DISAGREEMENT!!!") tf.logging.info("Fuzzing succeeded.") tf.logging.info( "Generations to make satisfying element: %s.", result.oldest_ancestor()[1], ) max_diff = np.max(result.data[0] - image_copy) tf.logging.info( "Max difference between perturbation and original: %s.", max_diff, ) else: tf.logging.info("Fuzzing failed to satisfy objective function.")
def test_debug(self): mock_device = MockDevice() base_dir = tempfile.mkdtemp() try: fuzzer = Fuzzer( mock_device, u'mock-package1', u'mock-target2', output=base_dir, debug=True) fuzzer.start(['-some-lf-arg=value']) finally: shutil.rmtree(base_dir) self.assertIn( ' '.join( mock_device.get_ssh_cmd( [ 'ssh', '::1', 'run', fuzzer.url(), '-artifact_prefix=data/', '-some-lf-arg=value', '-jobs=1', '-dict=pkg/data/mock-target2/dictionary', 'data/corpus/', '-handle_segv=0', '-handle_bus=0', '-handle_ill=0', '-handle_fpe=0', '-handle_abrt=0', ])), mock_device.host.history)
def test_symbolize_log_no_mutation_sequence(self): mock_device = MockDevice() base_dir = tempfile.mkdtemp() fuzzer = Fuzzer(mock_device, u'mock-package1', u'mock-target2', output=base_dir) os.mkdir(fuzzer.results()) with tempfile.TemporaryFile() as tmp_out: with tempfile.TemporaryFile() as tmp_in: tmp_in.write(""" A line Another line Yet another line """) tmp_in.flush() tmp_in.seek(0) fuzzer.symbolize_log(tmp_in, tmp_out) tmp_out.flush() tmp_out.seek(0) self.assertEqual(tmp_out.read(), """ A line Another line Yet another line """)
def test_list_artifacts(self): fuzzer = Fuzzer(MockDevice(), u'mock-package1', u'mock-target1') artifacts = fuzzer.list_artifacts() self.assertEqual(len(artifacts), 3) self.assertTrue('crash-deadbeef' in artifacts) self.assertTrue('leak-deadfa11' in artifacts) self.assertTrue('oom-feedface' in artifacts) self.assertFalse('fuzz-0.log' in artifacts)
def test_run(self): mock_device = MockDevice() fuzzer = Fuzzer(mock_device, u'mock-package1', u'mock-target2') fuzzer.run(['-some-lf-arg=value']) self.assertEqual( mock_device.last, 'ssh -F ' + mock_device.host.ssh_config + ' ::1 run ' + fuzzer.url() + ' -artifact_prefix=data -some-lf-arg=value')
def test_merge(self): mock_device = MockDevice() fuzzer = Fuzzer(mock_device, u'mock-package1', u'mock-target2') fuzzer.merge(['-some-lf-arg=value']) self.assertEqual( mock_device.last, 'ssh -F ' + mock_device.host.ssh_config + ' ::1 run ' + fuzzer.url() + ' -artifact_prefix=data -merge=1' + ' -merge_control_file=data/.mergefile -some-lf-arg=value data/corpus' + ' data/corpus.prev')
def test_is_running(self): mock_device = MockDevice() fuzzer1 = Fuzzer(mock_device, u'mock-package1', u'mock-target1') fuzzer2 = Fuzzer(mock_device, u'mock-package1', u'mock-target2') fuzzer3 = Fuzzer(mock_device, u'mock-package1', u'mock-target3') self.assertTrue(fuzzer1.is_running()) self.assertTrue(fuzzer2.is_running()) self.assertFalse(fuzzer2.is_running()) self.assertFalse(fuzzer3.is_running())
def test_from_args(self): mock_device = MockDevice() parser = Args.make_parser('description') with self.assertRaises(Fuzzer.NameError): args = parser.parse_args(['target']) fuzzer = Fuzzer.from_args(mock_device, args) with self.assertRaises(Fuzzer.NameError): args = parser.parse_args(['target4']) fuzzer = Fuzzer.from_args(mock_device, args)
def test_start(self): mock_device = MockDevice() base_dir = tempfile.mkdtemp() try: fuzzer = Fuzzer( mock_device, u'mock-package1', u'mock-target2', output=base_dir) fuzzer.start(['-some-lf-arg=value']) self.assertTrue(os.path.exists(fuzzer.results('symbolized.log'))) finally: shutil.rmtree(base_dir)
def test_run(self): mock_device = MockDevice() fuzzer = Fuzzer(mock_device, u'mock-package1', u'mock-target2') fuzzer.run(['-some-lf-arg=value']) self.assertIn( ' '.join( mock_device.get_ssh_cmd([ 'ssh', '::1', 'run', fuzzer.url(), '-artifact_prefix=data', '-some-lf-arg=value' ])), mock_device.history)
def test_start(self): mock_device = MockDevice() base_dir = tempfile.mkdtemp() try: fuzzer = Fuzzer(mock_device, u'mock-package1', u'mock-target2', output=base_dir) fuzzer.start(['-some-lf-arg=value']) finally: shutil.rmtree(base_dir)
def test_merge(self): mock_device = MockDevice() fuzzer = Fuzzer(mock_device, u'mock-package1', u'mock-target2') fuzzer.merge(['-some-lf-arg=value']) self.assertIn( ' '.join( mock_device.get_ssh_cmd([ 'ssh', '::1', 'run', fuzzer.url(), '-artifact_prefix=data/', '-merge=1', '-merge_control_file=data/.mergefile', '-some-lf-arg=value data/corpus/', 'data/corpus.prev/' ])), mock_device.history)
def main(_): """Configures and runs the fuzzer.""" # Log more and return how logging output will be produced tf.logging.set_verbosity(tf.logging.INFO) coverage_function = raw_logit_coverage_function # change function name target_seed = np.random.uniform(low=0.0, high=1.0, size=(1, )) # 语料库,随机值 numpy_arrays = [[target_seed]] targets_tensor = tf.placeholder(tf.float32, [64, 1]) coverage_tensor = tf.identity(targets_tensor) loss_batch_tensor, _ = binary_cross_entropy_with_logits( tf.zeros_like(targets_tensor), tf.nn.sigmoid(targets_tensor)) grads_tensor = tf.gradients(loss_batch_tensor, targets_tensor)[0] tensor_map = { "input": [targets_tensor], "coverage": [coverage_tensor], "metadata": [loss_batch_tensor, grads_tensor], } with tf.Session() as sess: fetch_function = build_fetch_function(sess, tensor_map) size = FLAGS.mutations_per_corpus_item mutation_function = lambda elt: do_basic_mutations( elt, size, a_min=-1000, a_max=1000) # 从语料库选择种子 seed_corpus = seed_corpus_from_numpy_arrays(numpy_arrays, coverage_function, metadata_function, fetch_function) # corpus: mutations_processed, corpus, time, sample_function, updater corpus = InputCorpus(seed_corpus, uniform_sample_function, FLAGS.ann_threshold, "kdtree") fuzzer = Fuzzer( corpus, coverage_function, metadata_function, objective_function, mutation_function, fetch_function, ) # fuzzer run result = fuzzer.loop(FLAGS.total_inputs_to_fuzz) if result is not None: tf.logging.info("Fuzzing succeeded.") tf.logging.info( "Generations to make satisfying element: %s.", result.oldest_ancestor()[1], ) else: tf.logging.info("Fuzzing failed to satisfy objective function.")
def test_pull(self): mock = MockDevice() fuzzer = Fuzzer(mock, u'mock-package1', u'mock-target3') parser = Args.make_parser('description') args = parser.parse_args(['1/3']) corpus = Corpus.from_args(fuzzer, args) corpus.pull() self.assertIn( ' '.join( mock.get_ssh_cmd([ 'scp', '[::1]:' + fuzzer.data_path('corpus/*'), corpus.root ])), mock.host.history)
def main(_): """Constructs the fuzzer and performs fuzzing.""" # Log more tf.logging.set_verbosity(tf.logging.INFO) # 为将要被记录的日志设置开始入口 # Set the seeds! if FLAGS.seed: random.seed(FLAGS.seed) np.random.seed(FLAGS.seed) coverage_function = all_logit_coverage_function # 覆盖计算方法,所有logit的绝对值之和 image, label = fuzz_utils.basic_mnist_input_corpus( choose_randomly=FLAGS. random_seed_corpus # 这里为False, 返回第一张图片和标签, 图片为28*28*1 ) numpy_arrays = [[image, label]] with tf.Session() as sess: tensor_map = fuzz_utils.get_tensors_from_checkpoint( # 载入checkpoints sess, FLAGS.checkpoint_dir) fetch_function = fuzz_utils.build_fetch_function( sess, tensor_map) # =============== size = FLAGS.mutations_per_corpus_item # 每次变异数量 mutation_function = lambda elt: do_basic_mutations(elt, size) # 变异方法 seed_corpus = seed_corpus_from_numpy_arrays( # 建立seed corpus,输入集 numpy_array是一张图片,返回的 seedcorpus包含一个元素,有metada和coverage信息 numpy_arrays, coverage_function, metadata_function, fetch_function) corpus = InputCorpus( # 建立input corpus seed_corpus, recent_sample_function, FLAGS.ann_threshold, "kdtree" # recent_sample_function用于选择下一个元素 ) fuzzer = Fuzzer( corpus, coverage_function, metadata_function, objective_function, mutation_function, fetch_function, ) result = fuzzer.loop(FLAGS.total_inputs_to_fuzz) if result is not None: tf.logging.info("Fuzzing succeeded.") tf.logging.info( "Generations to make satisfying element: %s.", result.oldest_ancestor()[1], ) else: tf.logging.info("Fuzzing failed to satisfy objective function.")
def test_push(self): mock = MockDevice() fuzzer = Fuzzer(mock, u'mock-package1', u'mock-target3') parser = Args.make_parser('description') args = parser.parse_args(['1/3']) corpus = Corpus.from_args(fuzzer, args) with tempfile.NamedTemporaryFile(dir=corpus.root) as f: corpus.push() self.assertIn( ' '.join( mock.get_ssh_cmd([ 'scp', f.name, '[::1]:' + fuzzer.data_path('corpus') ])), mock.host.history)
def test_filter(self): host = MockHost() fuzzers = host.fuzzers self.assertEqual(len(Fuzzer.filter(fuzzers, '')), 5) self.assertEqual(len(Fuzzer.filter(fuzzers, '/')), 5) self.assertEqual(len(Fuzzer.filter(fuzzers, 'mock')), 5) self.assertEqual(len(Fuzzer.filter(fuzzers, 'package1')), 3) self.assertEqual(len(Fuzzer.filter(fuzzers, 'target1')), 2) self.assertEqual(len(Fuzzer.filter(fuzzers, '1/2')), 1) self.assertEqual(len(Fuzzer.filter(fuzzers, 'target4')), 0) with self.assertRaises(Fuzzer.NameError): Fuzzer.filter(fuzzers, 'a/b/c')
def main(_): """Constructs the fuzzer and performs fuzzing.""" # Log more tf.logging.set_verbosity(tf.logging.INFO) # Set the seeds! if FLAGS.seed: random.seed(FLAGS.seed) np.random.seed(FLAGS.seed) coverage_function = all_logit_coverage_function # a function to compute coverage image, label = fuzz_utils.basic_mnist_input_corpus( choose_randomly=FLAGS.random_seed_corpus) numpy_arrays = [[image, label]] with tf.Graph().as_default() as g: # change codes and it works sess = tf.Session() # here tensor_map = fuzz_utils.get_tensors_from_checkpoint( sess, FLAGS.checkpoint_dir) fetch_function = fuzz_utils.build_fetch_function(sess, tensor_map) size = FLAGS.mutations_per_corpus_item mutation_function = lambda elt: do_basic_mutations(elt, size) # pram 1 seed_corpus = seed_corpus_from_numpy_arrays(numpy_arrays, coverage_function, metadata_function, fetch_function) corpus = InputCorpus(seed_corpus, recent_sample_function, FLAGS.ann_threshold, "kdtree") # pram 2 fuzzer = Fuzzer( corpus, coverage_function, metadata_function, objective_function, mutation_function, fetch_function, ) result = fuzzer.loop(FLAGS.total_inputs_to_fuzz) # iterations if result is not None: tf.logging.info("Fuzzing succeeded.") tf.logging.info( "Generations to make satisfying element: %s.", result.oldest_ancestor()[1], ) tf.logging.info("Elements for Crashes: {0}".format(result)) else: tf.logging.info("Fuzzing failed to satisfy objective function.")
def main(): parser = Args.make_parser( 'Starts the named fuzzer. Additional arguments are passed through.') args, fuzzer_args = parser.parse_known_args() host = Host() device = Device.from_args(host, args) fuzzer = Fuzzer.from_args(device, args) with Cipd.from_args(fuzzer, args) as cipd: if cipd.install(): device.store(os.path.join(cipd.root, '*'), fuzzer.data_path('corpus')) print('\n****************************************************************') print(' Starting ' + str(fuzzer) + '.') print(' Outputs will be written to:') print(' ' + fuzzer.results()) if not args.foreground: print(' You should be notified when the fuzzer stops.') print(' To check its progress, use `fx fuzz check ' + str(fuzzer) + '`.') print(' To stop it manually, use `fx fuzz stop ' + str(fuzzer) + '`.') print('****************************************************************\n') fuzzer.start(fuzzer_args) title = str(fuzzer) + ' has stopped.' body = 'Output written to ' + fuzzer.results() + '.' print(title) print(body) host.notify_user(title, body) return 0
def main(_): """Constructs the fuzzer and performs fuzzing.""" # Log more tf.logging.set_verbosity(tf.logging.INFO) # Set the seeds! if FLAGS.seed: random.seed(FLAGS.seed) np.random.seed(FLAGS.seed) # Set up seed images image, label = fuzz_utils.basic_mnist_input_corpus( choose_randomly=FLAGS.random_seed_corpus) seed_inputs = [[image, label]] with tf.Session() as sess: # Specify input, coverage, and metadata tensors input_tensors, coverage_tensors, metadata_tensors = \ fuzz_utils.get_tensors_from_checkpoint( sess, FLAGS.checkpoint_dir ) # Construct and run fuzzer fuzzer = Fuzzer( sess=sess, seed_inputs=seed_inputs, input_tensors=input_tensors, coverage_tensors=coverage_tensors, metadata_tensors=metadata_tensors, coverage_function=sum_coverage_function, metadata_function=metadata_function, objective_function=objective_function, mutation_function=mutation_function, sample_function=recent_sample_function, threshold=FLAGS.ann_threshold, ) result = fuzzer.loop(FLAGS.total_inputs_to_fuzz) if result is not None: tf.logging.info("Fuzzing succeeded.") tf.logging.info( "Generations to make satisfying element: %s.", result.oldest_ancestor()[1], ) else: tf.logging.info("Fuzzing failed to satisfy objective function.")
def main(_): """Constructs the fuzzer and performs fuzzing.""" # Log more tf.logging.set_verbosity(tf.logging.INFO) # Set the seeds! if FLAGS.seed: random.seed(FLAGS.seed) np.random.seed(FLAGS.seed) # Set up seed inputs sz = 16 # target_seed = np.random.uniform(low=0.0, high=1.0, size=(sz,)) target_seed = np.ones(sz, dtype=np.uint32) * 4 seed_inputs = [[target_seed]] # Specify input, coverage, and metadata tensors input_tensor = tf.placeholder(tf.int32, [None, sz]) op_tensor = tf.cumprod(input_tensor) grad_tensors = tf.gradients(op_tensor, input_tensor) with tf.Session() as sess: # Construct and run fuzzer fuzzer = Fuzzer( sess=sess, seed_inputs=seed_inputs, input_tensors=[input_tensor], coverage_tensors=grad_tensors, metadata_tensors=grad_tensors, coverage_function=raw_coverage_function, metadata_function=metadata_function, objective_function=objective_function, mutation_function=mutation_function, sample_function=recent_sample_function, threshold=FLAGS.ann_threshold, ) result = fuzzer.loop(FLAGS.total_inputs_to_fuzz) if result is not None: tf.logging.info("Fuzzing succeeded.") tf.logging.info( "Generations to make satisfying element: %s.", result.oldest_ancestor()[1], ) else: tf.logging.info("Fuzzing failed to satisfy objective function.")
def test_stop(self): mock_device = MockDevice() pids = mock_device.getpids() fuzzer1 = Fuzzer(mock_device, u'mock-package1', u'mock-target1') fuzzer1.stop() self.assertEqual( mock_device.last, 'ssh -F ' + mock_device.host.ssh_config + ' ::1 kill ' + str(pids[fuzzer1.tgt])) fuzzer3 = Fuzzer(mock_device, u'mock-package1', u'mock-target3') fuzzer3.stop()
def test_stop(self): mock_device = MockDevice() pids = mock_device.getpids() fuzzer1 = Fuzzer(mock_device, u'mock-package1', u'mock-target1') fuzzer1.stop() self.assertIn( ' '.join( mock_device.get_ssh_cmd( ['ssh', '::1', 'kill', str(pids[fuzzer1.tgt])])), mock_device.host.history) fuzzer3 = Fuzzer(mock_device, u'mock-package1', u'mock-target3') fuzzer3.stop()
def main(): parser = ArgParser('Lists corpus instances in CIPD for the named fuzzer') args = parser.parse_args() host = Host.from_build() device = Device.from_args(host, args) fuzzer = Fuzzer.from_args(device, args) with Corpus.from_args(fuzzer, args) as corpus: cipd = Cipd(corpus) print(cipd.instances()) return 0
def main(_): """Configures and runs the fuzzer.""" # Log more tf.logging.set_verbosity(tf.logging.INFO) # Set up initial seed inputs target_seed = np.random.uniform(low=0.0, high=1.0, size=(1, )) seed_inputs = [[target_seed]] # Specify input, coverage, and metadata tensors targets_tensor = tf.placeholder(tf.float32, [64, 1]) coverage_tensor = tf.identity(targets_tensor) loss_batch_tensor, _ = binary_cross_entropy_with_logits( tf.zeros_like(targets_tensor), tf.nn.sigmoid(targets_tensor)) grads_tensor = tf.gradients(loss_batch_tensor, targets_tensor)[0] # Construct and run fuzzer with tf.Session() as sess: fuzzer = Fuzzer(sess=sess, seed_inputs=seed_inputs, input_tensors=[targets_tensor], coverage_tensors=[coverage_tensor], metadata_tensors=[loss_batch_tensor, grads_tensor], coverage_function=raw_coverage_function, metadata_function=metadata_function, objective_function=objective_function, mutation_function=mutation_function, sample_function=uniform_sample_function, threshold=FLAGS.ann_threshold) result = fuzzer.loop(FLAGS.total_inputs_to_fuzz) if result is not None: tf.logging.info("Fuzzing succeeded.") tf.logging.info( "Generations to make satisfying element: %s.", result.oldest_ancestor()[1], ) else: tf.logging.info("Fuzzing failed to satisfy objective function.")
def main(): parser = Args.make_parser( 'Lists the fuzzing corpus instances in CIPD for a named fuzzer') args = parser.parse_args() host = Host() device = Device.from_args(host, args) fuzzer = Fuzzer.from_args(device, args) cipd = Cipd(fuzzer) if not cipd.list(): return 1 return 0
def main(): parser = Args.make_parser('Stops the named fuzzer.') args = parser.parse_args() host = Host.from_build() device = Device.from_args(host, args) fuzzer = Fuzzer.from_args(device, args) if fuzzer.is_running(): print('Stopping ' + str(fuzzer) + '.') fuzzer.stop() else: print(str(fuzzer) + ' is already stopped.') return 0
def test_repro(self): mock_device = MockDevice() fuzzer = Fuzzer(mock_device, u'mock-package1', u'mock-target2') artifacts = ['data/' + artifact for artifact in fuzzer.list_artifacts()] fuzzer.repro(['-some-lf-arg=value']) self.assertEqual( mock_device.last, 'ssh -F ' + mock_device.host.ssh_config + ' ::1 run ' + fuzzer.url() + ' -artifact_prefix=data ' + '-some-lf-arg=value ' + ' '.join(artifacts))
def main(): parser = Args.make_parser( 'Runs the named fuzzer on provided test units, or all current test ' + 'units for the fuzzer. Use \'check-fuzzer\' to see current tests units.' ) args, fuzzer_args = parser.parse_known_args() host = Host.from_build() device = Device.from_args(host, args) fuzzer = Fuzzer.from_args(device, args) if fuzzer.repro(fuzzer_args) == 0: print('No matching artifacts found.') return 1 return 0
def test_start(self): mock_device = MockDevice() base_dir = tempfile.mkdtemp() try: fuzzer = Fuzzer(mock_device, u'mock-package1', u'mock-target2', output=base_dir) fuzzer.start(['-some-lf-arg=value']) finally: shutil.rmtree(base_dir) self.assertIn( ' '.join( mock_device.get_ssh_cmd([ 'ssh', '::1', 'run', fuzzer.url(), '-artifact_prefix=data/', '-some-lf-arg=value', '-jobs=1', 'data/corpus/', ])), mock_device.host.history)