Support generative fuzzers
Currently FFW only supports mutation fuzzers, which are based on prerecorded data from the interceptor.
It should also support generative fuzzers, which do not have prerecorded data.
- Add fuzzer definition which indicates mutation/generation
- Ignore missing data_*.pickle files if generation
This includes:
Add option "type": "gen"/"mut" to fuzzer definitions:
- https://github.com/dobin/ffw/blob/master/fuzzer/fuzzingiterationdata.py#L11
Handle the type in fuzzingiterationdata::fuzzData(). If "gen":
- e.g. remove _chooseInput(): https://github.com/dobin/ffw/blob/master/fuzzer/fuzzingiterationdata.py#L90
- e.g. ignore "no client message check": https://github.com/dobin/ffw/blob/master/fuzzer/fuzzingiterationdata.py#L92
Remove hardcoded checks that load the pickle file if the selected fuzzer is "gen":
- https://github.com/dobin/ffw/blob/master/fuzzer/fuzzingmaster.py#L26 (just give None as param to FuzzingSlave)
Do the same for the honggmode code in honggmode. Note that it re-uses fuzzingiterationdata.py from fuzzer/.
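As an added illustration (not FFW's own code), the flow the steps above describe: a fuzzer definition carrying the proposed "type" option, a loader that never looks for data_*.pickle when the type is "gen" and substitutes a placeholder message structure instead, and the "no client message" check kept only for recorded data. The fuzzer names, the message field names and the placeholder structure are assumptions, not FFW's real schema.

```python
import glob
import os
import pickle
import tempfile

# Constructed fuzzer definitions carrying the proposed "type" option; the
# names are placeholders, not FFW's real fuzzer table.
FUZZERS = {
    "mut_fuzzer": {"type": "mut"},  # mutates interceptor recordings
    "gen_fuzzer": {"type": "gen"},  # produces data without recordings
}

def fake_message_structure():
    """Placeholder for a recorded client message when no interceptor data
    exists (the data.pickle trick from the comments). Field names assumed."""
    return [{"from": "cli", "index": 0, "data": b""}]

def load_corpus(fuzzer_name, data_dir):
    """Return recorded message structures for a "mut" fuzzer, or one fake
    structure for a "gen" fuzzer, so the fuzzing loop treats both alike."""
    ftype = FUZZERS[fuzzer_name].get("type", "mut")  # default keeps old behaviour
    if ftype == "gen":
        return [fake_message_structure()]  # never look for data_*.pickle
    if ftype != "mut":
        raise ValueError("unknown fuzzer type: %r" % ftype)
    paths = sorted(glob.glob(os.path.join(data_dir, "data_*.pickle")))
    if not paths:
        raise FileNotFoundError("mutation fuzzer needs data_*.pickle in " + data_dir)
    corpus = []
    for path in paths:
        # Recordings are local files the interceptor wrote; pickle must never
        # be fed data from an untrusted source.
        with open(path, "rb") as fh:
            messages = pickle.load(fh)
        # The "no client message" check only makes sense for recorded data.
        if not any(m["from"] == "cli" for m in messages):
            raise ValueError(path + " contains no client message")
        corpus.append(messages)
    return corpus

def demo():
    """Exercise both paths offline against one constructed recording."""
    with tempfile.TemporaryDirectory() as d:
        recorded = [{"from": "cli", "index": 0, "data": b"GET / HTTP/1.0\r\n\r\n"},
                    {"from": "srv", "index": 1, "data": b"HTTP/1.0 200 OK\r\n\r\n"}]
        with open(os.path.join(d, "data_0.pickle"), "wb") as fh:
            pickle.dump(recorded, fh)
        return load_corpus("mut_fuzzer", d), load_corpus("gen_fuzzer", d)
```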
The first idea, as depicted here and implemented in 1bd4393, was not a good idea. 4e9e5b37a686136f32f8fcf47385cac9f8f00738 fixes it partially.
I just created a fake network message structure (data.pickle) in fuzzingmaster.py. This has the advantage that most of the other code can stay the same (for gen/mut fuzzers).
Open tasks:
- [ ] honggmode integration
- [ ] some sort of unit-test (vulnserver?)
- [ ] better usability (1)
(1) Usability is the wrong word, but the user currently has no way of specifying when the generated data is sent. Should FFW read first, and then send the generated data, or the other way round? Should message number 8 be replaced with some generated XML? All this is not possible atm.
Note: Fenrir broke generative fuzzers, I think. I'll either remove it completely, or re-activate it later.