Coverage-guided grammar-aware fuzzer that uses grammar automatons

Overview

Gramatron

Gramatron is a coverage-guided fuzzer that uses grammar automatons to perform grammar-aware fuzzing. Technical details about our framework are available in our ISSTA'21 paper. The artifact to reproduce the experiments presented in the paper is in artifact/. Instructions to run a sample campaign and to add new grammars are given below:

Run a sample fuzz campaign

  • Pull the docker image and spawn a shell inside it
    docker pull prashast94/gramatron:latest
    docker run --security-opt seccomp=unconfined -it prashast94/gramatron:latest /bin/bash
  • Set up a test target
    cd gramfuzz-mutator
    ./create_sample_target.sh
  • Run a fuzz campaign using Gramatron
    ./run_campaign.sh ~/grammars/ruby/source_automata.json test_output "/tmp/mruby/bin/mruby @@"
    - You should see the campaign start up with a UI screen displaying the campaign in progress.
    - As a sanity check that the campaign is progressing as expected, verify that the `new edges on` row under `findings in depth` shows a non-zero number.
    - After validating, exit the fuzzing campaign with `Ctrl-C`.

Adding and testing a new grammar

  • Specify the context-free grammar in JSON format. The source.json files under grammars/ are examples of the expected layout.
  • Run the automaton generation script (in src/gramfuzz-mutator/preprocess), which places the generated automaton in the same folder as the grammar file.
    ./prep_automaton.sh <grammar_file> <start_symbol> [stack_limit]

    Eg. ./prep_automaton.sh ~/grammars/ruby/source.json PROGRAM
  • If the grammar has no self-embedding rules, you do not need to pass the stack limit parameter. If it does have self-embedding rules, you must pass one; we recommend starting with 5 and increasing it if you need more complex inputs.
  • To sanity-check that the automaton generates inputs as expected, use the test binary housed in src/gramfuzz-mutator:
    ./test SanityCheck <automaton_file>

    Eg. ./test SanityCheck ~/grammars/ruby/source_automata.json
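The following Python script is an added example, not code from the Gramatron repository. It does two of the checks a practitioner wants before running prep_automaton.sh: it reports which nonterminals of a grammar are recursive (a grammar with none of them needs no stack limit), and it simulates a leftmost derivation that keeps unexpanded symbols on a stack, returning failure as soon as the pending-nonterminal count exceeds a chosen limit, which shows concretely why a self-embedding rule like the parenthesised EXPR below forces a larger limit while a right-recursive list does not. The grammar layout it parses (nonterminal mapped to a list of alternatives, symbols space-separated, terminals single-quoted) is an assumption based on the repo's source.json files, and the sample grammar is constructed here.

```python
"""Pre-flight check for a grammar before ./prep_automaton.sh: which nonterminals
are recursive (so [stack_limit] is needed), and what a stack bound does to
derivations. Added example; the source.json layout is an assumption."""
import json
import random
import sys

# Constructed sample grammar (not one of the repo's grammars). Layout assumed to
# follow grammars/*/source.json: nonterminal -> list of alternatives, each a
# space-separated string of symbols, terminals single-quoted.
SAMPLE_GRAMMAR = json.dumps({
    "PROGRAM": ["STMT_LIST"],
    "STMT_LIST": ["STMT", "STMT ';' STMT_LIST"],       # right-recursive
    "STMT": ["'x' '=' EXPR"],
    "EXPR": ["NUM", "'(' EXPR '+' EXPR ')'"],           # self-embedding
    "NUM": ["'0'", "'1'"],
})


def is_terminal(sym):
    return len(sym) >= 2 and sym[0] == "'" and sym[-1] == "'"


def load_grammar(text):
    """Parse grammar JSON into {nonterminal: [[symbol, ...], ...]} and
    reject references to nonterminals that have no rule."""
    grammar = {nt: [alt.split() for alt in alts]
               for nt, alts in json.loads(text).items()}
    for nt, alts in grammar.items():
        for alt in alts:
            for sym in alt:
                if not is_terminal(sym) and sym not in grammar:
                    raise ValueError(f"{nt}: undefined nonterminal {sym}")
    return grammar


def recursive_nonterminals(grammar):
    """Nonterminals that can derive a sentential form containing themselves.
    Only these can make the automaton's stack grow without bound, so a grammar
    with none of them needs no stack limit. Conservative: right recursion such
    as STMT_LIST above is reported too, although it uses bounded stack."""
    recursive = []
    for nt in grammar:
        seen, todo = set(), [nt]
        while todo:
            for alt in grammar[todo.pop()]:
                for sym in alt:
                    if not is_terminal(sym) and sym not in seen:
                        seen.add(sym)
                        todo.append(sym)
        if nt in seen:
            recursive.append(nt)
    return sorted(recursive)


def derive(grammar, start, stack_limit, choose):
    """Leftmost derivation keeping unexpanded symbols on a stack, the way a
    pushdown automaton would. choose(alternatives) picks the rule to apply.
    Returns the token list, or None as soon as more than stack_limit
    nonterminals are pending at once, i.e. the derivation needs a bigger limit."""
    out, pending = [], [start]              # top of stack = end of list
    while pending:
        sym = pending.pop()
        if is_terminal(sym):
            out.append(sym[1:-1])
            continue
        pending.extend(reversed(choose(grammar[sym])))
        if sum(not is_terminal(s) for s in pending) > stack_limit:
            return None
    return out


def first_alt(alts):
    return alts[0]


def last_alt(alts):
    return alts[-1]


def sample(grammar, start, stack_limit, n, seed=0):
    """Draw n random derivations and return those that fit in stack_limit."""
    rng = random.Random(seed)
    runs = (derive(grammar, start, stack_limit, rng.choice) for _ in range(n))
    return [tokens for tokens in runs if tokens is not None]


if __name__ == "__main__":
    # Usage: python3 grammar_check.py [grammar.json] [START_SYMBOL]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GRAMMAR
    start = sys.argv[2] if len(sys.argv) > 2 else "PROGRAM"
    g = load_grammar(text)
    print("recursive nonterminals:", recursive_nonterminals(g) or "none")
    for limit in (1, 2, 3, 5):
        fit = sample(g, start, limit, 200)
        print(f"stack_limit={limit}: {len(fit)}/200 random derivations fit")
```

Run it without arguments to see the constructed grammar analysed, or pass your own grammar file and start symbol in the same order as prep_automaton.sh takes them. The share of random derivations that fit a given limit is a quick way to judge whether the recommended starting value of 5 leaves room for the nesting your grammar actually needs.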

Installing from scratch

If, instead of using the provided Dockerfile, you want to install Gramatron from scratch, follow the instructions below:

  • Install json-c
    git clone https://github.com/json-c/json-c.git
    cd json-c && git reset --hard af8dd4a307e7b837f9fa2959549548ace4afe08b && sh autogen.sh && ./configure && make && make install
  • Go into the src/ directory and run the setup.sh script

Comments
  • gramatron  Segmentation fault on Ubuntu20.04

    I installed Gramatron from scratch and ran the ruby test, and it has this error:

    [email protected]:/home/Gramatron/src/gramfuzz-mutator# ./run_campaign.sh /home/Gramatron/grammars/ruby/source_automata.json test_output "/tmp/mruby/bin/mruby @@"
    ./run_campaign.sh: line 34: 1026037 Segmentation fault      $FUZZ_MAIN -m none -a $AUTOMATON -i $INPUT_DIR -o $OUTPUT_DIR -- $RUNCMD

    Then I used this command to see what happens:

    ../afl-gf/afl-fuzz -m none -a /home/Gramatron/grammars/ruby/source_automata.json -i /tmp/inputs -o ruby_output -- /tmp/mruby/bin/mruby @@
    ...
    [-]  SYSTEM ERROR : Unable to open '/tmp/inputs/001.aut.aut'
        Stop location : link_or_copy(), src/afl-fuzz-init.c:760
           OS message : No such file or directory

    Then I listed the inputs folder:

    [email protected]:/tmp/inputs# ls
    001.aut 004 007 010 013 016 019 022 025 028 031 034 037 040 043 046 049 052 055 058 061 064 067 070 073 076 079 082 085 088 091 094 097 100
    002 005 008 011 014 017 020 023 026 029 032 035 038 041 044 047 050 053 056 059 062 065 068 071 074 077 080 083 086 089 092 095 098
    003 006 009 012 015 018 021 024 027 030 033 036 039 042 045 048 051 054 057 060 063 066 069 072 075 078 081 084 087 090 093 096 099

    which is not the same as the inputs folder in your docker image:

    [email protected]:/tmp/inputs# ls
    001 005.aut 010 014.aut 019 023.aut 028 032.aut 037 041.aut 046 050.aut 055 059.aut 064 068.aut 073 077.aut 082 086.aut 091 095.aut 100
    001.aut 006 010.aut 015 019.aut 024 028.aut 033 037.aut 042 046.aut 051 055.aut 060 064.aut 069 073.aut 078 082.aut 087 091.aut 096 100.aut
    002 006.aut 011 015.aut 020 024.aut 029 033.aut 038 042.aut 047 051.aut 056 060.aut 065 069.aut 074 078.aut 083 087.aut 092 096.aut
    002.aut 007 011.aut 016 020.aut 025 029.aut 034 038.aut 043 047.aut 052 056.aut 061 065.aut 070 074.aut 079 083.aut 088 092.aut 097
    003 007.aut 012 016.aut 021 025.aut 030 034.aut 039 043.aut 048 052.aut 057 061.aut 066 070.aut 075 079.aut 084 088.aut 093 097.aut
    003.aut 008 012.aut 017 021.aut 026 030.aut 035 039.aut 044 048.aut 053 057.aut 062 066.aut 071 075.aut 080 084.aut 089 093.aut 098
    004 008.aut 013 017.aut 022 026.aut 031 035.aut 040 044.aut 049 053.aut 058 062.aut 067 071.aut 076 080.aut 085 089.aut 094 098.aut
    004.aut 009 013.aut 018 022.aut 027 031.aut 036 040.aut 045 049.aut 054 058.aut 063 067.aut 072 076.aut 081 085.aut 090 094.aut 099
    005 009.aut 014 018.aut 023 027.aut 032 036.aut 041 045.aut 050 054.aut 059 063.aut 068 072.aut 077 081.aut 086 090.aut 095 099.aut

    I just pulled the code down, built it and ran it; I don't know why this happens.

    opened by phoenixltx 1
  • How to generate grammar automata for other language

    Hi! I think it is a nice tool for fuzzing software requiring structured input. But I have a problem. I noticed that there are only 3 grammars (js, php, ruby) in the grammars directory. I want to know if I can generate grammar.json and grammar_automata.json for other languages (i.e. json, xml). I find that the files in src/gramfuzz_mutator/preprocess seemingly generate the files I need. But when I use the xml.g4 file from grammar-v4 in the Antlr4 repository, it didn't work.

    Traceback (most recent call last):
      File "gnf_converter.py", line 290, in <module>
        main(args.gf, args.out, args.start)
      File "gnf_converter.py", line 21, in main
        grammar = preprocess(data)
      File "gnf_converter.py", line 133, in preprocess
        rules.append(strip_chars(init.split(':')[1]).strip('| '))
    IndexError: list index out of range
    

    Did I get wrong somewhere? Could you give me some suggestion?

    opened by Myse1f 1
  • After the script “run_campaign.sh” is executed, the message "illegal instruction" is displayed


    I followed the how-to guide to install in docker, but something went wrong, as follows:

    [GF] Automaton file passed:/root/grammars/ruby/source_automata.json
    Final=6 Init=0 NumStates=20
    [+] afl++ is maintained by Marc "van Hauser" Heuse, Heiko "hexcoder" Eißfeldt, Andrea Fioraldi and Dominik Maier
    [+] afl++ is open source, get it at https://github.com/AFLplusplus/AFLplusplus
    [+] Power schedules from github.com/mboehme/aflfast
    [+] Python Mutator and llvm_mode instrument file list from github.com/choller/afl
    [+] MOpt Mutator from github.com/puppet-meteor/MOpt-AFL
    [+] Loaded environment variable AFL_DISABLE_TRIM with value 1
    [*] Getting to work...
    [+] Using exploration-based constant power schedule (EXPLORE, default)
    [+] You have 4 CPU cores and 1 runnable tasks (utilization: 25%).
    [+] Try parallel jobs - see docs/parallel_fuzzing.md.
    [*] Checking CPU core loadout...
    [+] Found a free CPU core, try binding to #0.
    [*] Checking core_pattern...
    [!] WARNING: Could not check CPU scaling governor
    [*] Setting up output directories...
    [+] Output directory exists but deemed OK to reuse.
    [*] Deleting old session data...
    [+] Output dir cleanup successful.
    [*] Loading custom mutator library from '/root/gramatron_src/afl-gf/custom_mutators/gramfuzz/gramfuzz-mutator.so'...
    [*] optional symbol 'afl_custom_post_process' not found.
    [*] optional symbol 'afl_custom_init_trim' not found.
    [*] optional symbol 'afl_custom_trim' not found.
    [*] optional symbol 'afl_custom_post_trim' not found.
    [*] optional symbol 'afl_custom_havoc_mutation' not found.
    [*] optional symbol 'afl_custom_havoc_mutation_probability' not found.
    [+] Custom mutator '/root/gramatron_src/afl-gf/custom_mutators/gramfuzz/gramfuzz-mutator.so' installed successfully.

    Read testcases executing[*] Scanning '/tmp/inputs'...
    [+] No auto-generated dictionary tokens to reuse.
    [*] Creating hard links for all input files...
    [*] Validating target binary...
    [*] Attempting dry run with 'id:000000,time:0,orig:001'...

    Read length:288[*] Spinning up the fork server...
    [+] All right - fork server is up.
    [*] Target map size: 15680
    ./run_campaign.sh: line 34:  1607 Illegal instruction     (core dumped) $FUZZ_MAIN -m none -a $AUTOMATON -i $INPUT_DIR -o $OUTPUT_DIR -- $RUNCMD

    My host OS is Linux ubun2004 5.4.0-92-generic #103-Ubuntu SMP Fri Nov 26 16:13:00 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

    opened by WhereIsOops 4
  • Error in generalizing a terminal into a nonterminal in the gnf_converter script

    Hi, looking at the quality of the generated testcases using the Ruby grammar, I noticed that my implementation of gramatron in LibAFL was generating invalid testcases with lines like IDENTIFIER SP VAR. Debugging further, I noticed that the error is in the original Python script that I borrowed from this repo, gnf_converter.py.

    Here https://github.com/HexHive/Gramatron/blob/02ab42d857ff2d3bc8c872f4756e6af9e3baaf0f/src/gramfuzz-mutator/preprocess/gnf_converter.py#L198 you check if a terminal can be replaced with a nonterminal, but this is wrong in case of a terminal repeated two times in two different nonterminals of the grammar.

    For this specific case, I noticed the bug because in the Ruby grammar 'return' is both in IDENTIFIER https://github.com/HexHive/Gramatron/blob/main/grammars/ruby/source.json#L843 and in STATEMENT https://github.com/HexHive/Gramatron/blob/main/grammars/ruby/source.json#L1169

    Ofc replacing 'return' SP VAR with IDENTIFIER SP VAR is wrong. I fixed it just removing the call to terminal_exist but dunno if it is 100% right so I won't open a PR.

    opened by andreafioraldi 0
  • Error install with clang 12

    I got an error when running the setup.sh script. I'm on Ubuntu 20.04 with clang 12.

    Here is the log

    /usr/bin/ld: gramfuzz-helpers.o:(.bss+0x4): multiple definition of `curr_state'; gramfuzz.o:(.bss+0x8): first defined here
    /usr/bin/ld: gramfuzz-helpers.o:(.bss+0x8): multiple definition of `final_state'; gramfuzz.o:(.bss+0xc): first defined here
    /usr/bin/ld: gramfuzz-helpers.o:(.bss+0x0): multiple definition of `init_state'; gramfuzz.o:(.bss+0x4): first defined here
    /usr/bin/ld: gramfuzz-helpers.o:(.bss+0xc): multiple definition of `numstates'; gramfuzz.o:(.bss+0x0): first defined here
    /usr/bin/ld: gramfuzz-helpers.o:(.bss+0x10): multiple definition of `potential'; gramfuzz.o:(.bss+0x10): first defined here
    /usr/bin/ld: gramfuzz-mutators.o:(.bss+0x0): multiple definition of `curr_state'; gramfuzz.o:(.bss+0x8): first defined here
    /usr/bin/ld: gramfuzz-mutators.o:(.bss+0xc): multiple definition of `final_state'; gramfuzz.o:(.bss+0xc): first defined here
    /usr/bin/ld: gramfuzz-mutators.o:(.bss+0x8): multiple definition of `init_state'; gramfuzz.o:(.bss+0x4): first defined here
    /usr/bin/ld: gramfuzz-mutators.o:(.bss+0x4): multiple definition of `numstates'; gramfuzz.o:(.bss+0x0): first defined here
    /usr/bin/ld: gramfuzz-mutators.o:(.bss+0x10): multiple definition of `potential'; gramfuzz.o:(.bss+0x10): first defined here
    /usr/bin/ld: gramfuzz-util.o:(.bss+0x4): multiple definition of `curr_state'; gramfuzz.o:(.bss+0x8): first defined here
    /usr/bin/ld: gramfuzz-util.o:(.bss+0x8): multiple definition of `final_state'; gramfuzz.o:(.bss+0xc): first defined here
    /usr/bin/ld: gramfuzz-util.o:(.bss+0x0): multiple definition of `init_state'; gramfuzz.o:(.bss+0x4): first defined here
    /usr/bin/ld: gramfuzz-util.o:(.bss+0xc): multiple definition of `numstates'; gramfuzz.o:(.bss+0x0): first defined here
    /usr/bin/ld: gramfuzz-util.o:(.bss+0x10): multiple definition of `potential'; gramfuzz.o:(.bss+0x10): first defined here
    clang: error: linker command failed with exit code 1 (use -v to see invocation)
    make: *** [GNUmakefile:19: gramfuzz-mutator.so] Error 1
    src/afl-fuzz-init.c:827:16: warning: variable 'nfn_aut_orig' is used uninitialized whenever 'while' loop exits because its condition is false [-Wsometimes-uninitialized]
            while (src_id-- && s) {
                   ^~~~~~~~~~~~~
    src/afl-fuzz-init.c:876:18: note: uninitialized use occurs here
        link_or_copy(nfn_aut_orig, nfn_aut);
                     ^~~~~~~~~~~~
    src/afl-fuzz-init.c:827:16: note: remove the condition if it is always true
            while (src_id-- && s) {
                   ^~~~~~~~~~~~~
                   1
    src/afl-fuzz-init.c:827:16: warning: variable 'nfn_aut_orig' is used uninitialized whenever '&&' condition is false [-Wsometimes-uninitialized]
            while (src_id-- && s) {
                   ^~~~~~~~
    src/afl-fuzz-init.c:876:18: note: uninitialized use occurs here
        link_or_copy(nfn_aut_orig, nfn_aut);
                     ^~~~~~~~~~~~
    src/afl-fuzz-init.c:827:16: note: remove the '&&' if its condition is always true
            while (src_id-- && s) {
                   ^~~~~~~~~~~
    src/afl-fuzz-init.c:824:11: warning: variable 'nfn_aut_orig' is used uninitialized whenever 'if' condition is false [-Wsometimes-uninitialized]
          if (src_str && sscanf(src_str + 1, "%06u", &src_id) == 1) {
              ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    src/afl-fuzz-init.c:876:18: note: uninitialized use occurs here
        link_or_copy(nfn_aut_orig, nfn_aut);
                     ^~~~~~~~~~~~
    src/afl-fuzz-init.c:824:7: note: remove the 'if' if its condition is always true
          if (src_str && sscanf(src_str + 1, "%06u", &src_id) == 1) {
          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    src/afl-fuzz-init.c:824:11: warning: variable 'nfn_aut_orig' is used uninitialized whenever '&&' condition is false [-Wsometimes-uninitialized]
          if (src_str && sscanf(src_str + 1, "%06u", &src_id) == 1) {
              ^~~~~~~
    src/afl-fuzz-init.c:876:18: note: uninitialized use occurs here
        link_or_copy(nfn_aut_orig, nfn_aut);
                     ^~~~~~~~~~~~
    src/afl-fuzz-init.c:824:11: note: remove the '&&' if its condition is always true
          if (src_str && sscanf(src_str + 1, "%06u", &src_id) == 1) {
              ^~~~~~~~~~
    src/afl-fuzz-init.c:793:37: note: initialize the variable 'nfn_aut_orig' to silence this warning
        u8 *nfn, *nfn_aut, *nfn_aut_orig, *rsl = strrchr(q->fname, '/');
                                        ^
                                         = NULL
    src/afl-fuzz-init.c:827:16: warning: variable 'nfn_aut' is used uninitialized whenever 'while' loop exits because its condition is false [-Wsometimes-uninitialized]
            while (src_id-- && s) {
                   ^~~~~~~~~~~~~
    src/afl-fuzz-init.c:876:32: note: uninitialized use occurs here
        link_or_copy(nfn_aut_orig, nfn_aut);
                                   ^~~~~~~
    src/afl-fuzz-init.c:827:16: note: remove the condition if it is always true
            while (src_id-- && s) {
                   ^~~~~~~~~~~~~
                   1
    src/afl-fuzz-init.c:827:16: warning: variable 'nfn_aut' is used uninitialized whenever '&&' condition is false [-Wsometimes-uninitialized]
            while (src_id-- && s) {
                   ^~~~~~~~
    src/afl-fuzz-init.c:876:32: note: uninitialized use occurs here
        link_or_copy(nfn_aut_orig, nfn_aut);
                                   ^~~~~~~
    src/afl-fuzz-init.c:827:16: note: remove the '&&' if its condition is always true
            while (src_id-- && s) {
                   ^~~~~~~~~~~
    src/afl-fuzz-init.c:824:11: warning: variable 'nfn_aut' is used uninitialized whenever 'if' condition is false [-Wsometimes-uninitialized]
          if (src_str && sscanf(src_str + 1, "%06u", &src_id) == 1) {
              ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    src/afl-fuzz-init.c:876:32: note: uninitialized use occurs here
        link_or_copy(nfn_aut_orig, nfn_aut);
                                   ^~~~~~~
    src/afl-fuzz-init.c:824:7: note: remove the 'if' if its condition is always true
          if (src_str && sscanf(src_str + 1, "%06u", &src_id) == 1) {
          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    src/afl-fuzz-init.c:824:11: warning: variable 'nfn_aut' is used uninitialized whenever '&&' condition is false [-Wsometimes-uninitialized]
          if (src_str && sscanf(src_str + 1, "%06u", &src_id) == 1) {
              ^~~~~~~
    src/afl-fuzz-init.c:876:32: note: uninitialized use occurs here
        link_or_copy(nfn_aut_orig, nfn_aut);
                                   ^~~~~~~
    src/afl-fuzz-init.c:824:11: note: remove the '&&' if its condition is always true
          if (src_str && sscanf(src_str + 1, "%06u", &src_id) == 1) {
              ^~~~~~~~~~
    src/afl-fuzz-init.c:793:22: note: initialize the variable 'nfn_aut' to silence this warning
        u8 *nfn, *nfn_aut, *nfn_aut_orig, *rsl = strrchr(q->fname, '/');
                         ^
                          = NULL
    src/afl-fuzz-init.c:2435:23: warning: unused variable 'ii2' [-Wunused-variable]
        int arraylen, ii, ii2, trigger_len, error;
                          ^
    src/afl-fuzz-init.c:2435:9: warning: unused variable 'arraylen' [-Wunused-variable]
        int arraylen, ii, ii2, trigger_len, error;
            ^
    src/afl-fuzz-init.c:2435:41: warning: unused variable 'error' [-Wunused-variable]
        int arraylen, ii, ii2, trigger_len, error;
                                            ^
    src/afl-fuzz-init.c:2461:20: warning: unused variable 'type' [-Wunused-variable]
        enum json_type type;
                       ^
    12 warnings generated.
    /usr/bin/ld: /tmp/afl-fuzz-queue-6039a0.o (symbol from plugin): in function `mark_as_det_done':
    (.text+0x0): multiple definition of `init_state'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-queue-6039a0.o (symbol from plugin): in function `mark_as_det_done':
    (.text+0x0): multiple definition of `curr_state'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-queue-6039a0.o (symbol from plugin): in function `mark_as_det_done':
    (.text+0x0): multiple definition of `final_state'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-queue-6039a0.o (symbol from plugin): in function `mark_as_det_done':
    (.text+0x0): multiple definition of `numstates'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-queue-6039a0.o (symbol from plugin): in function `mark_as_det_done':
    (.text+0x0): multiple definition of `potential'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-cmplog-ac8f72.o (symbol from plugin): in function `cmplog_exec_child':
    (.text+0x0): multiple definition of `init_state'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-cmplog-ac8f72.o (symbol from plugin): in function `cmplog_exec_child':
    (.text+0x0): multiple definition of `curr_state'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-cmplog-ac8f72.o (symbol from plugin): in function `cmplog_exec_child':
    (.text+0x0): multiple definition of `final_state'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-cmplog-ac8f72.o (symbol from plugin): in function `cmplog_exec_child':
    (.text+0x0): multiple definition of `numstates'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-cmplog-ac8f72.o (symbol from plugin): in function `cmplog_exec_child':
    (.text+0x0): multiple definition of `potential'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-one-dee6ed.o (symbol from plugin): in function `fuzz_one_original':
    (.text+0x0): multiple definition of `init_state'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-one-dee6ed.o (symbol from plugin): in function `fuzz_one_original':
    (.text+0x0): multiple definition of `curr_state'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-one-dee6ed.o (symbol from plugin): in function `fuzz_one_original':
    (.text+0x0): multiple definition of `final_state'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-one-dee6ed.o (symbol from plugin): in function `fuzz_one_original':
    (.text+0x0): multiple definition of `numstates'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-one-dee6ed.o (symbol from plugin): in function `fuzz_one_original':
    (.text+0x0): multiple definition of `potential'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-python-e8ab8c.o (symbol from plugin): in function `finalize_py_module':
    (.text+0x0): multiple definition of `init_state'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-python-e8ab8c.o (symbol from plugin): in function `finalize_py_module':
    (.text+0x0): multiple definition of `curr_state'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-python-e8ab8c.o (symbol from plugin): in function `finalize_py_module':
    (.text+0x0): multiple definition of `final_state'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-python-e8ab8c.o (symbol from plugin): in function `finalize_py_module':
    (.text+0x0): multiple definition of `numstates'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-python-e8ab8c.o (symbol from plugin): in function `finalize_py_module':
    (.text+0x0): multiple definition of `potential'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-mutators-69a20c.o (symbol from plugin): in function `setup_custom_mutators':
    (.text+0x0): multiple definition of `init_state'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-mutators-69a20c.o (symbol from plugin): in function `setup_custom_mutators':
    (.text+0x0): multiple definition of `curr_state'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-mutators-69a20c.o (symbol from plugin): in function `setup_custom_mutators':
    (.text+0x0): multiple definition of `final_state'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-mutators-69a20c.o (symbol from plugin): in function `setup_custom_mutators':
    (.text+0x0): multiple definition of `numstates'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-mutators-69a20c.o (symbol from plugin): in function `setup_custom_mutators':
    (.text+0x0): multiple definition of `potential'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-stats-f6d207.o (symbol from plugin): in function `write_stats_file':
    (.text+0x0): multiple definition of `init_state'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-stats-f6d207.o (symbol from plugin): in function `write_stats_file':
    (.text+0x0): multiple definition of `curr_state'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-stats-f6d207.o (symbol from plugin): in function `write_stats_file':
    (.text+0x0): multiple definition of `final_state'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-stats-f6d207.o (symbol from plugin): in function `write_stats_file':
    (.text+0x0): multiple definition of `numstates'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-stats-f6d207.o (symbol from plugin): in function `write_stats_file':
    (.text+0x0): multiple definition of `potential'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-state-2a3b9a.o (symbol from plugin): in function `afl_state_init':
    (.text+0x0): multiple definition of `init_state'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-state-2a3b9a.o (symbol from plugin): in function `afl_state_init':
    (.text+0x0): multiple definition of `curr_state'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-state-2a3b9a.o (symbol from plugin): in function `afl_state_init':
    (.text+0x0): multiple definition of `final_state'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-state-2a3b9a.o (symbol from plugin): in function `afl_state_init':
    (.text+0x0): multiple definition of `numstates'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-state-2a3b9a.o (symbol from plugin): in function `afl_state_init':
    (.text+0x0): multiple definition of `potential'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-redqueen-d69bc7.o (symbol from plugin): in function `input_to_state_stage':
    (.text+0x0): multiple definition of `init_state'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-redqueen-d69bc7.o (symbol from plugin): in function `input_to_state_stage':
    (.text+0x0): multiple definition of `curr_state'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-redqueen-d69bc7.o (symbol from plugin): in function `input_to_state_stage':
    (.text+0x0): multiple definition of `final_state'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-redqueen-d69bc7.o (symbol from plugin): in function `input_to_state_stage':
    (.text+0x0): multiple definition of `numstates'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-redqueen-d69bc7.o (symbol from plugin): in function `input_to_state_stage':
    (.text+0x0): multiple definition of `potential'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-init-9af367.o (symbol from plugin): in function `bind_to_free_cpu':
    (.text+0x0): multiple definition of `final_state'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-init-9af367.o (symbol from plugin): in function `bind_to_free_cpu':
    (.text+0x0): multiple definition of `init_state'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-init-9af367.o (symbol from plugin): in function `bind_to_free_cpu':
    (.text+0x0): multiple definition of `numstates'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-init-9af367.o (symbol from plugin): in function `bind_to_free_cpu':
    (.text+0x0): multiple definition of `curr_state'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-init-9af367.o (symbol from plugin): in function `bind_to_free_cpu':
    (.text+0x0): multiple definition of `potential'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-fc19f1.o (symbol from plugin): in function `main':
    (.text+0x0): multiple definition of `init_state'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-fc19f1.o (symbol from plugin): in function `main':
    (.text+0x0): multiple definition of `curr_state'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-fc19f1.o (symbol from plugin): in function `main':
    (.text+0x0): multiple definition of `final_state'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-fc19f1.o (symbol from plugin): in function `main':
    (.text+0x0): multiple definition of `numstates'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-fc19f1.o (symbol from plugin): in function `main':
    (.text+0x0): multiple definition of `potential'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-bitmap-6e8318.o (symbol from plugin): in function `write_bitmap':
    (.text+0x0): multiple definition of `init_state'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-bitmap-6e8318.o (symbol from plugin): in function `write_bitmap':
    (.text+0x0): multiple definition of `curr_state'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-bitmap-6e8318.o (symbol from plugin): in function `write_bitmap':
    (.text+0x0): multiple definition of `final_state'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-bitmap-6e8318.o (symbol from plugin): in function `write_bitmap':
    (.text+0x0): multiple definition of `numstates'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-bitmap-6e8318.o (symbol from plugin): in function `write_bitmap':
    (.text+0x0): multiple definition of `potential'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-run-a32deb.o (symbol from plugin): in function `fuzz_run_target':
    (.text+0x0): multiple definition of `init_state'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-run-a32deb.o (symbol from plugin): in function `fuzz_run_target':
    (.text+0x0): multiple definition of `curr_state'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-run-a32deb.o (symbol from plugin): in function `fuzz_run_target':
    (.text+0x0): multiple definition of `final_state'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-run-a32deb.o (symbol from plugin): in function `fuzz_run_target':
    (.text+0x0): multiple definition of `numstates'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    /usr/bin/ld: /tmp/afl-fuzz-run-a32deb.o (symbol from plugin): in function `fuzz_run_target':
    (.text+0x0): multiple definition of `potential'; /tmp/afl-fuzz-extras-1ec72d.o (symbol from plugin):(.text+0x0): first defined here
    clang: error: linker command failed with exit code 1 (use -v to see invocation)
    make: *** [GNUmakefile:387: afl-fuzz] Error 1
    GNUmakefile:56: llvm_mode only supports llvm versions 3.4 up to 11
    gramfuzz-util.c:116:12: warning: passing 'u8 *' (aka 'unsigned char *') to parameter of type 'char *' converts between pointers to integer types where one is of the unique plain 'char' type and the other is not [-Wpointer-sign]
        strcpy(unparsed, term_ptr->symbol);
               ^~~~~~~~
    /usr/include/string.h:122:39: note: passing argument to parameter '__dest' here
    extern char *strcpy (char *__restrict __dest, const char *__restrict __src)
                                          ^
    gramfuzz-util.c:120:16: warning: passing 'u8 *' (aka 'unsigned char *') to parameter of type 'char *' converts between pointers to integer types where one is of the unique plain 'char' type and the other is not [-Wpointer-sign]
            strcat(unparsed, term_ptr->symbol);
                   ^~~~~~~~
    /usr/include/string.h:130:39: note: passing argument to parameter '__dest' here
    extern char *strcat (char *__restrict __dest, const char *__restrict __src)
                                          ^
    gramfuzz-util.c:130:17: warning: passing 'u8 *' (aka 'unsigned char *') to parameter of type 'const char *' converts between pointers to integer types where one is of the unique plain 'char' type and the other is not [-Wpointer-sign]
        if (access (fn, F_OK) != -1) {
                    ^~
    /usr/include/unistd.h:287:32: note: passing argument to parameter '__name' here
    extern int access (const char *__name, int __type) __THROW __nonnull ((1));
                                   ^
    gramfuzz-util.c:134:16: warning: passing 'u8 *' (aka 'unsigned char *') to parameter of type 'const char *' converts between pointers to integer types where one is of the unique plain 'char' type and the other is not [-Wpointer-sign]
        fp = fopen(fn, "wbx+");
                   ^~
    /usr/include/stdio.h:246:44: note: passing argument to parameter '__filename' here
    extern FILE *fopen (const char *__restrict __filename,
                                               ^
    gramfuzz-util.c:160:16: warning: passing 'u8 *' (aka 'unsigned char *') to parameter of type 'const char *' converts between pointers to integer types where one is of the unique plain 'char' type and the other is not [-Wpointer-sign]
        fp = fopen(fn, "rb");
                   ^~
    /usr/include/stdio.h:246:44: note: passing argument to parameter '__filename' here
    extern FILE *fopen (const char *__restrict __filename,
                                               ^
    5 warnings generated.
    test.c:14:41: warning: passing 'u8 *' (aka 'unsigned char *') to parameter of type 'const char *' converts between pointers to integer types where one is of the unique plain 'char' type and the other is not [-Wpointer-sign]
        parsed_json = json_object_from_file(automaton_file);
                                            ^~~~~~~~~~~~~~
    /usr/local/include/json-c/json_util.h:43:67: note: passing argument to parameter 'filename' here
    JSON_EXPORT struct json_object* json_object_from_file(const char *filename);
                                                                      ^
    test.c:86:29: warning: passing 'char *' to parameter of type 'u8 *' (aka 'unsigned char *') converts between pointers to integer types where one is of the unique plain 'char' type and the other is not [-Wpointer-sign]
        state* pda = create_pda(automaton_path);
                                ^~~~~~~~~~~~~~
    test.c:6:23: note: passing argument to parameter 'automaton_file' here
    state *create_pda(u8* automaton_file) {
                          ^
    2 warnings generated.
    /usr/bin/ld: /tmp/gramfuzz-mutators-064c8c.o:(.bss+0x0): multiple definition of `curr_state'; /tmp/gramfuzz-helpers-6f952d.o:(.bss+0x4): first defined here
    /usr/bin/ld: /tmp/gramfuzz-mutators-064c8c.o:(.bss+0xc): multiple definition of `final_state'; /tmp/gramfuzz-helpers-6f952d.o:(.bss+0x8): first defined here
    /usr/bin/ld: /tmp/gramfuzz-mutators-064c8c.o:(.bss+0x8): multiple definition of `init_state'; /tmp/gramfuzz-helpers-6f952d.o:(.bss+0x0): first defined here
    /usr/bin/ld: /tmp/gramfuzz-mutators-064c8c.o:(.bss+0x4): multiple definition of `numstates'; /tmp/gramfuzz-helpers-6f952d.o:(.bss+0xc): first defined here
    /usr/bin/ld: /tmp/gramfuzz-mutators-064c8c.o:(.bss+0x10): multiple definition of `potential'; /tmp/gramfuzz-helpers-6f952d.o:(.bss+0x10): first defined here
    /usr/bin/ld: /tmp/gramfuzz-util-8a26e8.o:(.bss+0x4): multiple definition of `curr_state'; /tmp/gramfuzz-helpers-6f952d.o:(.bss+0x4): first defined here
    /usr/bin/ld: /tmp/gramfuzz-util-8a26e8.o:(.bss+0x8): multiple definition of `final_state'; /tmp/gramfuzz-helpers-6f952d.o:(.bss+0x8): first defined here
    /usr/bin/ld: /tmp/gramfuzz-util-8a26e8.o:(.bss+0x0): multiple definition of `init_state'; /tmp/gramfuzz-helpers-6f952d.o:(.bss+0x0): first defined here
    /usr/bin/ld: /tmp/gramfuzz-util-8a26e8.o:(.bss+0xc): multiple definition of `numstates'; /tmp/gramfuzz-helpers-6f952d.o:(.bss+0xc): first defined here
    /usr/bin/ld: /tmp/gramfuzz-util-8a26e8.o:(.bss+0x10): multiple definition of `potential'; /tmp/gramfuzz-helpers-6f952d.o:(.bss+0x10): first defined here
    /usr/bin/ld: /tmp/test-b62e22.o:(.bss+0xc): multiple definition of `curr_state'; /tmp/gramfuzz-helpers-6f952d.o:(.bss+0x4): first defined here
    /usr/bin/ld: /tmp/test-b62e22.o:(.bss+0x0): multiple definition of `final_state'; /tmp/gramfuzz-helpers-6f952d.o:(.bss+0x8): first defined here
    /usr/bin/ld: /tmp/test-b62e22.o:(.bss+0x4): multiple definition of `init_state'; /tmp/gramfuzz-helpers-6f952d.o:(.bss+0x0): first defined here
    /usr/bin/ld: /tmp/test-b62e22.o:(.bss+0x8): multiple definition of `numstates'; /tmp/gramfuzz-helpers-6f952d.o:(.bss+0xc): first defined here
    /usr/bin/ld: /tmp/test-b62e22.o:(.bss+0x10): multiple definition of `potential'; /tmp/gramfuzz-helpers-6f952d.o:(.bss+0x10): first defined here
    clang: error: linker command failed with exit code 1 (use -v to see invocation)
    make: *** [GNUmakefile:25: test] Error 1
    
    opened by CityOfLight77
Owner
HexHive
Enforcing memory safety guarantees and type safety guarantees at the compiler and runtime level