
Added experimental Compcov/LAF support for the Bochs backend

Open · m4drat opened this issue 2 years ago · 1 comment

Hi! This summer I've worked on adding LAF/Compcov support for WTF. This pull-request is the essence of this experiment. I tried to make the code as "production"-ready as possible but I'm sure there is still a long way to go. I'm sending this PR because at the moment I don't have any time to work on it any further.

LAF/Compcov mode allows solving some basic CMP-related fuzz-blockers by splitting them into multiple comparisons of smaller sizes. With the proposed implementation of the LAF/Compcov mode, WTF was able to solve all the challenges from this "benchmark": fuzzy_goat.cc and crash the program (screenshot: wtf-laf-found-crash).

An alternative implementation of this technique can be found in qemuafl's source code: qemuafl/cpu-translate.h

I did some basic evaluation of the proposed approach (only on one target - rizin), and it kinda works but honestly speaking I was expecting a little bit more :) (maybe if it's tested on other targets it will show better results but who knows).

All the experimental-evaluation stuff can be found in the ./scripts/ folder. The experiment I've conducted consisted of running a bunch of WTF instances with and w/o the LAF/Compcov mode. To be precise, I had 2 instances running with LAF/Compcov support (Bochs backend), and 6 instances running on the KVM backend. The experiment was repeated 5 times; each run lasted 6 hours on a PC with Ubuntu and an Intel i5 processor (I don't remember the exact model).

Coverage mean: (plot: coverage)

Execs/sec: (plot: execs-sec)

Corpus size: (plot: corpus-size)

The error bands here show ±1 std from the mean.

The conclusion I get from this evaluation is that it's not possible to say whether the LAF/Compcov mode really helps to fuzz Rizin, however it might show drastically better results on other targets.

Changes summary:

  • Added LAF/Compcov mode for the WTF (options: --laf, --compcov, --laf-allowed-ranges)
  • Added some basic scripts to run the experiments
  • Fixes for the gen_coverage_* scripts
  • Added basic logging functionality for the master instance

m4drat · Oct 12 '23 10:10
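To make the comparison-splitting idea from the PR description concrete, here is an added example that is not part of the PR, of WTF, or of qemuafl. WTF's Bochs backend would apply the split to CMP instructions as they are emulated; this example models the same transform at source level on a single 32-bit equality check (the constant `kTarget`, the byte-wise `laf_feedback`, and the toy mutation loop `fuzz` are all constructed for the illustration). The point it shows is the feedback gradient: a plain compare reports one edge that only fires on a full match, while the split compare reports one edge per matched byte, which a coverage-guided loop can climb.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <random>

// Constructed illustration of the LAF/Compcov idea; not WTF's or qemuafl's code.
// WTF applies this at the CMP instruction inside the Bochs emulator; here the
// same split is modelled at source level on one 32-bit equality check.

static const uint32_t kTarget = 0xdeadbeefu;  // the "magic" constant (assumed)

// The fuzz-blocker as the target program would write it.
static bool blocker(uint32_t x) { return x == kTarget; }

// Feedback from an uninstrumented compare: one edge, hit only on a full match.
static unsigned plain_feedback(uint32_t x) { return blocker(x) ? 1u : 0u; }

// LAF/Compcov-style feedback: the 32-bit compare is split into four byte
// compares, most significant byte first, stopping at the first mismatch.
// Every matched byte is a separate edge, so the score ranges over 0..4.
static unsigned laf_feedback(uint32_t x) {
  unsigned matched = 0;
  for (int shift = 24; shift >= 0; shift -= 8) {
    if (((x >> shift) & 0xffu) != ((kTarget >> shift) & 0xffu)) break;
    ++matched;
  }
  return matched;
}

// Minimal coverage-guided loop: mutate 1..4 random bytes of the current best
// input and keep the candidate only if it yields strictly more feedback.
// Returns the number of executions needed to reach the blocker, or `budget`
// if the budget ran out first.
template <typename Feedback>
static size_t fuzz(Feedback fb, size_t budget, uint32_t seed = 1) {
  std::mt19937 rng(seed);
  uint32_t best_input = 0;
  unsigned best_score = fb(best_input);
  for (size_t execs = 1; execs <= budget; ++execs) {
    if (blocker(best_input)) return execs;
    uint32_t cand = best_input;
    unsigned n_bytes = 1 + rng() % 4;
    for (unsigned i = 0; i < n_bytes; ++i) {
      unsigned byte = rng() % 4;
      uint32_t mask = 0xffu << (byte * 8);
      cand = (cand & ~mask) |
             (static_cast<uint32_t>(rng() & 0xffu) << (byte * 8));
    }
    unsigned score = fb(cand);
    if (score > best_score) {
      best_score = score;
      best_input = cand;
    }
  }
  return budget;
}

int main() {
  const size_t budget = 1000000;
  std::printf("plain compare: solved after %zu execs (budget %zu)\n",
              fuzz(plain_feedback, budget), budget);
  std::printf("LAF split    : solved after %zu execs (budget %zu)\n",
              fuzz(laf_feedback, budget), budget);
  return 0;
}
```

With the split feedback the loop typically reaches the constant within some tens of thousands of executions, because each byte only has to be guessed independently; with the plain compare it has to guess all four bytes at once and exhausts the budget. The same reasoning is why the PR's `--laf-allowed-ranges` option matters in practice: splitting every CMP in a large binary multiplies the number of edges, so restricting the transform to the code regions that actually contain the blockers keeps the coverage map useful.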

Damn, this is looking awesome 😳🔥 Thank you for sending this in!

I am currently traveling so it'll take me more time than usual to review this, bear with me 🙏

Cheers

0vercl0k · Oct 15 '23 07:10