The artifact associated with our ISSTA 2021 paper "Seed Selection for Successful Fuzzing"

Overview

Seed Selection for Successful Fuzzing

The artifact associated with our ISSTA 2021 paper "Seed Selection for Successful Fuzzing". While our primary artifact is the OptiMin corpus minimizer, we also provide the necessary infrastructure to reproduce our fuzzing experiments.

Getting Started

Set up your environment

Set up your environment (assumes a modern Ubuntu OS, >= 18.04 && <= 20.04, and Python, >= 3.6 && <= 3.8):

# Install prerequisites
sudo apt update
sudo apt install -y git docker.io python3-venv 

# Add yourself to the docker group (don't forget to log out and log back in so
# that the group changes take effect)
sudo usermod -aG docker $USER

# Set up virtualenv
python3 -m venv seed_selection
source seed_selection/bin/activate
pip3 install wheel

# Get this repo
git clone https://github.com/HexHive/fuzzing-seed-selection
pip3 install fuzzing-seed-selection/scripts

Build OptiMin

OptiMin is our SAT-based corpus minimization tool. It supports coverage generated by both AFL and llvm-cov (only AFL is used in the paper). Similarly, OptiMin can use either Z3 or EvalMaxSAT as its MaxSAT backend (only EvalMaxSAT is used in the paper). To build:

docker build -t seed-selection/optimin fuzzing-seed-selection/optimin

Run OptiMin

OptiMin takes a large "collection corpus" and selects a subset of seeds that are used for fuzzing. This is based on the code coverage for each seed in the collection corpus.

While we provide tools to generate code coverage information for a given corpus (based on afl-showmap), this can be time consuming (depending on the size of the corpus). Thus, we provide seed traces in HDF5 archives.

For example, to perform a corpus minimization based on Google FTS FreeType2 coverage:

  1. Download the coverage HDF5 from here.

    wget https://datacommons.anu.edu.au/DataCommons/rest/records/anudc:6106/data/afl-showmap-coverage/fts/freetype2.hdf5
  2. Expand the HDF5 using the expand_hdf5_coverage.py script

    expand_hdf5_coverage.py -i freetype2.hdf5 -o /tmp/freetype2
    
    # Expected output:
    #
    # 466 seeds to extract
    # Expanding freetype2.hdf5: 100%
  3. Perform an unweighted minimization based on edges only (not hit counts)

    docker run -v /tmp/freetype2:/tmp/freetype2   \
      seed-selection/optimin -e /tmp/freetype2
    
    # Expected output:
    #
    # afl-showmap corpus minimization
    #
    # [############################################################] 100% Reading seed coverage
    # [############################################################] 100% Generating clauses
    # [*] Running Optimin on /tmp/freetype2
    # [*] Running EvalMaxSAT on WCNF
    # [+] EvalMaxSAT completed
    # [*] Parsing EvalMaxSAT output
    # [+] Solution found for /tmp/freetype2
    # 
    # [+] Total time: 0.01 sec
    # [+] Num. seeds: 37
    #
    # ...
  4. Perform an unweighted minimization including edge hit counts

    docker run -v /tmp/freetype2:/tmp/freetype2  \
      seed-selection/optimin /tmp/freetype2
    
    # Expected output:
    #
    # afl-showmap corpus minimization
    #
    # [############################################################] 100% Reading seed coverage
    # [############################################################] 100% Generating clauses
    # [*] Running Optimin on /tmp/freetype2
    # [*] Running EvalMaxSAT on WCNF
    # [+] EvalMaxSAT completed
    # [*] Parsing EvalMaxSAT output
    # [+] Solution found for /tmp/freetype2
    #
    # [+] Total time: 0.01 sec
    # [+] Num. seeds: 53
    #
    # ...
  5. Download the file weights (i.e., sizes) from here.

    wget https://datacommons.anu.edu.au/DataCommons/rest/records/anudc:6106/data/weights/ttf.csv
  6. Perform a weighted minimization based on file size and edges only

    docker run -v /tmp/freetype2:/tmp/freetype2 -v $(pwd):/tmp   \
      seed-selection/optimin -e -w /tmp/ttf.csv /tmp/freetype2
    
    # Expected output:
    #
    # afl-showmap corpus minimization
    #
    # [*] Reading weights from `/tmp/ttf.csv`... 0s
    # [############################################################] 100% Calculating top
    # [############################################################] 100% Reading seed coverage
    # [############################################################] 100% Generating clauses
    # [*] Running Optimin on /tmp/freetype2
    # [*] Running EvalMaxSAT on WCNF
    # [+] EvalMaxSAT completed
    # [*] Parsing EvalMaxSAT output
    # [+] Solution found for /tmp/freetype2
    #
    # [+] Total time: 0.01 sec
    # [+] Num. seeds: 37
    #
    # ...

Detailed Description

Additional Files

The sizes of our collection corpora mean that we cannot store them in a Git repo. Instead, we store ancillary data at ANU's DataCommons repository, available here.

Tracing Code Coverage

Corpus minimization is typically based on some notion of "code coverage". To ensure a fair and uniform comparison across the three corpus minimization tools (afl-cmin, MinSet, and OptiMin), we use AFL's notion of edge coverage. This coverage information can be generated as follows:

  1. Compile your target with AFL instrumentation. See the AFL documentation for instructions on how to do this.
  2. Run replay_seeds.py with your target program and your collection corpus. This will generate an HDF5 archive containing coverage information that can then be minimized.

Corpus Minimization

Our paper surveys a number of corpus minimization tools: OptiMin, afl-cmin, and MinSet. A more detailed explanation on how to use these tools and reproduce our results is given below.

OptiMin

Instructions for running OptiMin are given above. As described previously, a weighted minimization can be performed by supplying a weights CSV file to OptiMin's -w option. This weights file has the following format:

FILE_1,WEIGHT
FILE_2,WEIGHT
FILE_3,WEIGHT
FILE_4,WEIGHT
FILE_5,WEIGHT

Where FILE_1, FILE_2, ... correspond to the names of files within the corpus directory (only the filename needs to be provided: the corpus directory path should not be provided), and WEIGHT is an unsigned integer >= 1. We provide weights for our collection corpora here.
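The following is an added example (not part of this artifact or OptiMin's own code) that models in Python what steps 3, 4 and 6 of "Run OptiMin" ask the solver for, and validates the weights file format described above: seeds are mapped to coverage sets (edges only, or edges with hit counts), the minimum-weight covering subset is found by exhaustive search in place of EvalMaxSAT, and the same problem is emitted as DIMACS WCNF using the usual hard-clause/soft-clause encoding. The seed names, traces and weights are constructed, and the `edge:count` trace layout and the WCNF encoding are assumptions about what OptiMin reads and generates.

```python
from itertools import combinations

# Constructed afl-showmap style traces ("edge_id:hit_count" per line); the
# seed names, edge ids and counts are made up for this illustration.
TRACES = {
    "a.ttf": "000010:1\n000020:1\n000030:1",
    "b.ttf": "000010:1\n000040:1",
    "c.ttf": "000020:4\n000030:1",
    "d.ttf": "000040:1\n000050:1",
}
# Constructed weights file in the FILE,WEIGHT format described above.
WEIGHTS_CSV = "a.ttf,5\nb.ttf,1\nc.ttf,1\nd.ttf,1"

def parse_weights(text):
    """Parse FILE,WEIGHT lines; filenames must be bare and WEIGHT an integer >= 1."""
    weights = {}
    for line in text.splitlines():
        name, weight = line.rsplit(",", 1)
        if "/" in name or not weight.isdigit() or int(weight) < 1:
            raise ValueError(f"bad weights entry: {line!r}")
        weights[name] = int(weight)
    return weights

def coverage(traces, hit_counts):
    """Coverage set per seed: edge ids only, or (edge, hit count) pairs."""
    return {name: {(e, c) if hit_counts else e
                   for e, c in (l.split(":") for l in text.splitlines())}
            for name, text in traces.items()}

def minimize(cov, weights=None):
    """Exact minimum-weight set cover (the optimum OptiMin asks EvalMaxSAT for)."""
    names, target = sorted(cov), set().union(*cov.values())
    weights = weights or dict.fromkeys(names, 1)  # unweighted: minimise seed count
    best = None
    for subset in (s for k in range(1, len(names) + 1) for s in combinations(names, k)):
        if set().union(*(cov[n] for n in subset)) == target:
            cost = sum(weights[n] for n in subset)
            if best is None or cost < best[0]:
                best = (cost, list(subset))
    return best[1]

def to_wcnf(cov, weights=None):
    """Standard MaxSAT encoding (DIMACS WCNF): a hard clause per element, a soft clause per seed."""
    names, elems = sorted(cov), sorted(set().union(*cov.values()))
    var = {n: i + 1 for i, n in enumerate(names)}
    weights = weights or dict.fromkeys(names, 1)
    top = sum(weights.values()) + 1          # weight that marks hard clauses
    hard = [f"{top} " + " ".join(str(var[n]) for n in names if e in cov[n]) + " 0" for e in elems]
    soft = [f"{weights[n]} -{var[n]} 0" for n in names]
    return "\n".join([f"p wcnf {len(names)} {len(hard) + len(soft)} {top}"] + hard + soft)
```

On this input, edges-only minimization keeps two seeds, including hit counts forces a third (as the 37 vs. 53 seed counts above illustrate), and weighting by file size swaps the large seed for two small ones.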

afl-cmin

afl-cmin is AFL's inbuilt corpus minimization tool. afl_cmin.py wraps afl-cmin so that it outputs the names of the seeds in the minimized corpus (rather than copying the seeds and wasting storage).

MinSet

MinSet is the tool developed by Rebert et al. in their paper Optimizing Seed Selection for Fuzzing. While we were able to obtain the tool from the authors, it is not open source and thus we are unable to provide it here. Please contact the authors if you would like to obtain the source code.

If you have access to the source code, you can perform a MinSet minimization by:

  1. Generate code coverage as described under "Tracing Code Coverage" above
  2. Expand the generated HDF5 archive using expand_hdf5_coverage.py
  3. Convert the expanded coverage to a set of bitvector traces using MoonBeam
  4. Run the qminset.py wrapper on the bitvector traces

Fuzzing Experiments

In addition to the OptiMin tool, we also provide the necessary infrastructure to reproduce our fuzzing experiments. Detailed instructions are provided here.
