Question about cull_queue() #8

Open
andreafioraldi opened this issue Apr 2, 2020 · 1 comment
@andreafioraldi
Hi,
I can't fully understand your algorithm for the selection of favored testcases.

In cull_queue I read:

  if (dsf_enabled) {

    for (i = 0; i < dsf_len_actual; i++) {

      if (top_rated[i]) {

        /* if top rated for any i, will be favored */
        u8 was_favored_already = top_rated[i]->favored;

        top_rated[i]->favored = 1;

        /* increments counts only if not also favored for another i */
        if (!was_favored_already){
          queued_favored++;
          if (!top_rated[i]->was_fuzzed) pending_favored++;
        }

      }

    }

  } else {

    // old AFL cull_queue

  }

This takes into account only dsf, why not combine both dsf and edge coverage?

@rohanpadhye
Owner

> This takes into account only dsf, why not combine both dsf and edge coverage?

That's certainly a reasonable alternative. Usually, in applications such as PerfFuzz, SlowFuzz, etc. the assumption is that the seed inputs already have some reasonable coverage and/or there is a parallel fuzzing session for coverage using master-slave mode; the favoring mechanism therefore focuses only on the domain-specific testing objective. However, I can certainly imagine cases where one would want to simultaneously maximize edge coverage and some other metric (the CMP domain comes to mind).

In FuzzFactory, you can always encode edge coverage itself in the DSF map as an additional domain, which gives you the desired result (and turn off AFL's default edge coverage instrumentation to avoid performance overheads). I haven't tried changing the favoring mechanism to always consider edge coverage---that would require maintaining two different data structures for top_rated, where one tracks the coverage and the other tracks the DSF map. Possibly worth a try.
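To make the favoring rule in the question and the "two top_rated tables" alternative in the reply concrete, here is an added, self-contained simulation. It is not FuzzFactory's or AFL's code: the queue, the `top_rated_dsf` / `top_rated_cov` tables, the `demo()` inputs and the update rule (a max reducer per DSF index, with the faster input winning ties; for edges, the faster input wins as in AFL) are all constructed assumptions chosen to show how `queued_favored` and `pending_favored` come out with and without edge coverage folded in.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DSF_LEN   4   /* constructed: a tiny domain-specific feedback map */
#define EDGE_LEN  6   /* constructed: a tiny edge-coverage bitmap */
#define MAX_QUEUE 8

struct queue_entry {
  const char *fname;
  uint32_t dsf[DSF_LEN];     /* DSF values this input produced (max reducer assumed) */
  uint8_t  edges[EDGE_LEN];  /* 1 if this input hit the edge */
  uint32_t exec_us;          /* execution time; faster inputs win ties */
  uint8_t  favored;
  uint8_t  was_fuzzed;
};

static struct queue_entry queue[MAX_QUEUE];
static size_t queue_len;
static struct queue_entry *top_rated_dsf[DSF_LEN];   /* best entry per DSF index */
static struct queue_entry *top_rated_cov[EDGE_LEN];  /* best entry per edge */
static uint32_t queued_favored, pending_favored;

static void reset_state(void) {
  memset(queue, 0, sizeof queue);
  memset(top_rated_dsf, 0, sizeof top_rated_dsf);
  memset(top_rated_cov, 0, sizeof top_rated_cov);
  queue_len = 0;
  queued_favored = pending_favored = 0;
}

/* Append an entry and refresh both top_rated tables (the role update_bitmap_score plays in AFL). */
static struct queue_entry *add_to_queue(const char *fname, const uint32_t *dsf, const uint8_t *edges,
                                        uint32_t exec_us, uint8_t was_fuzzed) {
  struct queue_entry *q = &queue[queue_len++];
  q->fname = fname;
  memcpy(q->dsf, dsf, sizeof q->dsf);
  memcpy(q->edges, edges, sizeof q->edges);
  q->exec_us = exec_us;
  q->was_fuzzed = was_fuzzed;

  for (size_t i = 0; i < DSF_LEN; i++) {
    if (!dsf[i]) continue;
    struct queue_entry *t = top_rated_dsf[i];
    /* higher DSF value wins; on a tie the faster input wins (assumed rule) */
    if (!t || dsf[i] > t->dsf[i] || (dsf[i] == t->dsf[i] && exec_us < t->exec_us)) top_rated_dsf[i] = q;
  }
  for (size_t i = 0; i < EDGE_LEN; i++) {
    if (!edges[i]) continue;
    struct queue_entry *t = top_rated_cov[i];
    if (!t || exec_us < t->exec_us) top_rated_cov[i] = q;  /* fastest input covering the edge */
  }
  return q;
}

/* Same bookkeeping as the loop body quoted in the issue: count each entry once. */
static void mark_favored(struct queue_entry *q) {
  uint8_t was_favored_already = q->favored;
  q->favored = 1;
  if (!was_favored_already) {
    queued_favored++;
    if (!q->was_fuzzed) pending_favored++;
  }
}

/* combine_cov = 0 reproduces the DSF-only branch from the issue;
   combine_cov = 1 is the alternative from the reply: walk a second top_rated table. */
static void cull_queue(int combine_cov) {
  queued_favored = pending_favored = 0;
  for (size_t i = 0; i < queue_len; i++) queue[i].favored = 0;
  for (size_t i = 0; i < DSF_LEN; i++) if (top_rated_dsf[i]) mark_favored(top_rated_dsf[i]);
  if (combine_cov)
    for (size_t i = 0; i < EDGE_LEN; i++) if (top_rated_cov[i]) mark_favored(top_rated_cov[i]);
}

/* Build a constructed queue, cull it, and return queued_favored for the requested mode. */
static uint32_t demo(int combine_cov) {
  reset_state();
  /* constructed inputs: a.bin tops dsf[0] and dsf[1]; b.bin tops dsf[2]; c.bin only adds new edges */
  uint32_t da[DSF_LEN] = {9, 4, 0, 0}; uint8_t ea[EDGE_LEN] = {1, 1, 0, 0, 0, 0};
  uint32_t db[DSF_LEN] = {3, 0, 7, 0}; uint8_t eb[EDGE_LEN] = {1, 0, 1, 0, 0, 0};
  uint32_t dc[DSF_LEN] = {0, 0, 0, 0}; uint8_t ec[EDGE_LEN] = {0, 0, 0, 1, 1, 0};
  add_to_queue("a.bin", da, ea, 100, 1);  /* already fuzzed */
  add_to_queue("b.bin", db, eb, 50, 0);
  add_to_queue("c.bin", dc, ec, 20, 0);
  cull_queue(combine_cov);
  return queued_favored;
}

static uint32_t last_pending_favored(void) { return pending_favored; }

int main(void) {
  printf("dsf only:     queued_favored=%u pending_favored=%u\n", demo(0), last_pending_favored());
  printf("dsf + edges:  queued_favored=%u pending_favored=%u\n", demo(1), last_pending_favored());
  return 0;
}
```

In DSF-only mode c.bin is never favored even though it is the only input reaching edges 3 and 4, which is exactly the gap the question points at; with the second table it becomes favored, so the fuzzer keeps scheduling it for coverage while a.bin and b.bin still carry the domain-specific objective.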
