deploy assets

Author: duytai

libfuzzer/Dictionary.cpp

@@ -7,7 +7,13 @@ using namespace std;
 using namespace eth;
 
 namespace fuzzer {
-  Dictionary::Dictionary(bytes code) {
+  void Dictionary::fromAddress(bytes data) {
+    ExtraData d;
+    d.data = data;
+    extras.push_back(d);
+  }
+  
+  void Dictionary::fromCode(bytes code) {
     int pc = 0;
     int size = code.size();
     struct bytesComparation {
@@ -30,7 +36,6 @@ namespace fuzzer {
     for (auto value : values) {
       ExtraData d;
       d.data = value;
-      d.hitCount = 0;
       extras.push_back(d);
     }
   }

libfuzzer/Dictionary.h

@@ -16,7 +16,7 @@ namespace fuzzer {
   class Dictionary {
     public:
       vector<ExtraData> extras;
-      Dictionary() {};
-      Dictionary(bytes code);
+      void fromCode(bytes code);
+      void fromAddress(bytes address);
   };
 }

libfuzzer/Fuzzer.cpp

@@ -101,8 +101,9 @@ void Fuzzer::showStats(Mutation mutation) {
   auto int2 = to_string(fuzzStat.stageFinds[STAGE_INTEREST16]) + "/" + to_string(mutation.stageCycles[STAGE_INTEREST16]);
   auto int4 = to_string(fuzzStat.stageFinds[STAGE_INTEREST32]) + "/" + to_string(mutation.stageCycles[STAGE_INTEREST32]);
   auto knownInts = padStr(int1 + ", " + int2 + ", " + int4, 30);
+  auto addrDict1 = to_string(fuzzStat.stageFinds[STAGE_EXTRAS_AO]) + "/" + to_string(mutation.stageCycles[STAGE_EXTRAS_AO]);
   auto dict1 = to_string(fuzzStat.stageFinds[STAGE_EXTRAS_UO]) + "/" + to_string(mutation.stageCycles[STAGE_EXTRAS_UO]);
-  auto dictionary = padStr(dict1, 30);
+  auto dictionary = padStr(dict1 + ", " + addrDict1, 30);
   auto hav1 = to_string(fuzzStat.stageFinds[STAGE_HAVOC]) + "/" + to_string(mutation.stageCycles[STAGE_HAVOC]);
   auto havoc = padStr(hav1, 30);
   auto random1 = to_string(fuzzStat.stageFinds[STAGE_RANDOM]) + "/" + to_string(mutation.stageCycles[STAGE_RANDOM]);
@@ -193,6 +194,7 @@ FuzzItem Fuzzer::saveIfInterest(TargetExecutive& te, bytes data, int depth) {
 /* Start fuzzing */
 void Fuzzer::start() {
   TargetContainer container;
+  Dictionary codeDict, addressDict;
   for (auto contractInfo : fuzzParam.contractInfo) {
     ContractABI ca(contractInfo.abiJson);
     auto bin = fromHex(contractInfo.bin);
@@ -202,17 +204,18 @@ void Fuzzer::start() {
       auto data = ca.randomTestcase();
       auto revisedData = ContractABI::postprocessTestData(data);
       executive.deploy(revisedData);
+      addressDict.fromAddress(executive.addr.asBytes());
     } else {
       auto contractName = contractInfo.contractName;
       boost::filesystem::remove_all(contractName);
       boost::filesystem::create_directory(contractName);
-      Dictionary dict(bin);
+      codeDict.fromCode(bin);
 
       saveIfInterest(executive, ca.randomTestcase(), 0);
       int origHitCount = queues.size();
       while (true) {
         FuzzItem curItem = queues[fuzzStat.idx];
-        Mutation mutation(curItem, dict);
+        Mutation mutation(curItem, make_tuple(codeDict, addressDict));
         auto save = [&](bytes data) {
           auto item = saveIfInterest(executive, data, curItem.depth);
           if (fuzzStat.totalExecs % REFRESH_RATE == 0) showStats(mutation);
@@ -229,45 +232,63 @@ void Fuzzer::start() {
               mutation.singleWalkingBit(save);
               fuzzStat.stageFinds[STAGE_FLIP1] += queues.size() - origHitCount;
               origHitCount = queues.size();
+              
               mutation.twoWalkingBit(save);
               fuzzStat.stageFinds[STAGE_FLIP2] += queues.size() - origHitCount;
               origHitCount = queues.size();
+              
               mutation.fourWalkingBit(save);
               fuzzStat.stageFinds[STAGE_FLIP4] += queues.size() - origHitCount;
               origHitCount = queues.size();
+              
               mutation.singleWalkingByte(save);
               fuzzStat.stageFinds[STAGE_FLIP8] += queues.size() - origHitCount;
               origHitCount = queues.size();
+              
               mutation.twoWalkingByte(save);
               fuzzStat.stageFinds[STAGE_FLIP16] += queues.size() - origHitCount;
               origHitCount = queues.size();
+              
               mutation.fourWalkingByte(save);
               fuzzStat.stageFinds[STAGE_FLIP32] += queues.size() - origHitCount;
               origHitCount = queues.size();
+              
               mutation.singleArith(save);
               fuzzStat.stageFinds[STAGE_ARITH8] += queues.size() - origHitCount;
               origHitCount = queues.size();
+              
               mutation.twoArith(save);
               fuzzStat.stageFinds[STAGE_ARITH16] += queues.size() - origHitCount;
               origHitCount = queues.size();
+              
               mutation.fourArith(save);
               fuzzStat.stageFinds[STAGE_ARITH32] += queues.size() - origHitCount;
               origHitCount = queues.size();
+              
               mutation.singleInterest(save);
               fuzzStat.stageFinds[STAGE_INTEREST8] += queues.size() - origHitCount;
               origHitCount = queues.size();
+              
               mutation.twoInterest(save);
               fuzzStat.stageFinds[STAGE_INTEREST16] += queues.size() - origHitCount;
               origHitCount = queues.size();
+              
               mutation.fourInterest(save);
               fuzzStat.stageFinds[STAGE_INTEREST32] += queues.size() - origHitCount;
               origHitCount = queues.size();
+              
               mutation.overwriteWithDictionary(save);
               fuzzStat.stageFinds[STAGE_EXTRAS_UO] += queues.size() - origHitCount;
               origHitCount = queues.size();
+              
+              mutation.overwriteWithAddressDictionary(save);
+              fuzzStat.stageFinds[STAGE_EXTRAS_AO] += queues.size() - origHitCount;
+              origHitCount = queues.size();
+              
               mutation.havoc(tracebits, save);
               fuzzStat.stageFinds[STAGE_HAVOC] += queues.size() - origHitCount;
               origHitCount = queues.size();
+              
               queues[fuzzStat.idx].wasFuzzed = true;
             } else {
               mutation.havoc(tracebits, save);

libfuzzer/Mutation.cpp

@@ -9,7 +9,7 @@ using namespace fuzzer;
 
 int Mutation::stageCycles[32] = {};
 
-Mutation::Mutation(FuzzItem item, Dictionary dict): curFuzzItem(item), dict(dict), dataSize(item.data.size()) {
+Mutation::Mutation(FuzzItem item, Dicts dicts): curFuzzItem(item), dicts(dicts), dataSize(item.data.size()) {
   effCount = 0;
   eff = bytes(effALen(dataSize), 0);
   eff[0] = 1;
@@ -369,6 +369,7 @@ void Mutation::fourInterest(OnMutateFunc cb) {
 void Mutation::overwriteWithDictionary(OnMutateFunc cb) {
   stageShort = "ext_UO";
   stageName = "dict (over)";
+  auto dict = get<0>(dicts);
   stageMax = dataSize * dict.extras.size();
   stageCur = 0;
   /* Start fuzzing */
@@ -409,6 +410,37 @@ void Mutation::overwriteWithDictionary(OnMutateFunc cb) {
   }
   stageCycles[STAGE_EXTRAS_UO] += stageMax;
 }
+
+void Mutation::overwriteWithAddressDictionary(OnMutateFunc cb) {
+  stageShort = "ext_AO";
+  stageName = "address (over)";
+  auto dict = get<1>(dicts);
+  
+  stageMax = (dataSize / 32) * dict.extras.size();
+  stageCur = 0;
+  /* Start fuzzing */
+  byte *outBuf = curFuzzItem.data.data();
+  byte inBuf[curFuzzItem.data.size()];
+  memcpy(inBuf, outBuf, curFuzzItem.data.size());
+  u32 extrasCount = dict.extras.size();
+  u32 extrasLen = 20;
+  for (u32 i = 0; i < (u32)dataSize; i += 32) {
+    for (u32 j = 0; j < extrasCount; j += 1) {
+      byte *extrasBuf = dict.extras[j].data.data();
+      if (!memcmp(extrasBuf, outBuf + i + 12, extrasLen)) {
+        stageMax --;
+        continue;
+      }
+      memcpy(outBuf + i + 12, extrasBuf, extrasLen);
+      cb(curFuzzItem.data);
+      stageCur ++;
+    }
+    /* Restore all the clobbered memory. */
+    memcpy(outBuf + i, inBuf + i, 32);
+  }
+  stageCycles[STAGE_EXTRAS_AO] += stageMax;
+}
+
 /* Calculate score */
 double Mutation::calculateScore(const FuzzItem& item, unordered_set<uint64_t> tracebits) {
   double score = 0;
@@ -428,6 +460,7 @@ void Mutation::havoc(unordered_set<uint64_t> tracebits, OnMutateFunc cb) {
   stageCur = 0;
   int idx = 0;
   float perfScore = 1;
+  auto dict = get<0>(dicts);
   vector<FuzzItem> workingQueue;
   vector<FuzzItem> candidateQueue;
   workingQueue.push_back(curFuzzItem);

libfuzzer/Mutation.h

@@ -17,14 +17,15 @@ using namespace eth;
 using namespace std;
 
 namespace fuzzer {
+  using Dicts = tuple<Dictionary/* code */, Dictionary/* address */>;
   class Mutation {
     FuzzItem curFuzzItem;
-    Dictionary dict;
+    Dicts dicts;
     int effCount;
     bytes eff;
     void flipbit(int pos);
     public:
-      Mutation(FuzzItem item, Dictionary dict);
+      Mutation(FuzzItem item, Dicts dicts);
       void singleWalkingBit(OnMutateFunc cb);
       void twoWalkingBit(OnMutateFunc cb);
       void fourWalkingBit(OnMutateFunc cb);
@@ -37,6 +38,7 @@ namespace fuzzer {
       void singleInterest(OnMutateFunc cb);
       void twoInterest(OnMutateFunc cb);
       void fourInterest(OnMutateFunc cb);
+      void overwriteWithAddressDictionary(OnMutateFunc cb);
       void overwriteWithDictionary(OnMutateFunc cb);
       void insertWithDictionary(OnMutateFunc cb);
       void overwriteWithAutoDictionary(OnMutateFunc cb);

libfuzzer/TargetContainer.h

@@ -37,8 +37,8 @@ namespace fuzzer {
     TargetProgram *program;
     ContractABI ca;
     bytes code;
-    Address addr;
     public:
+      Address addr;
       TargetExecutive(TargetProgram *program, Address addr, ContractABI ca, bytes code) {
         this->code = code;
         this->ca = ca;

libfuzzer/Util.h

@@ -73,8 +73,9 @@ namespace fuzzer {
   static int STAGE_INTEREST32 = 11;
   static int STAGE_EXTRAS_UO = 12;
   static int STAGE_EXTRAS_UI = 13;
-  static int STAGE_HAVOC = 14;
-  static int STAGE_RANDOM = 15;
+  static int STAGE_EXTRAS_AO = 14;
+  static int STAGE_HAVOC = 15;
+  static int STAGE_RANDOM = 16;
   static int HAVOC_STACK_POW2 = 7;
   static int HAVOC_CYCLES_INIT = 1024;
   static int HAVOC_CYCLES = 256;
@@ -118,6 +119,5 @@ namespace fuzzer {
   /* Data struct */
   struct ExtraData {
     bytes data;
-    u32 hitCount;
   };
 }