Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow for interleaving of harness and fuzzer #2667

Open
domenukk opened this issue Nov 7, 2024 · 0 comments
Open

Allow for interleaving of harness and fuzzer #2667

domenukk opened this issue Nov 7, 2024 · 0 comments

Comments

@domenukk
Copy link
Member

domenukk commented Nov 7, 2024

Right now, the executors are written with atomic harnesses in mind -- the observers are prepared, then the harness is executed, then the observers are processed. This may not be optimal for e.g. network or filesystem fuzzing where resources are dynamically requested by the target, situations where we want to observe multiple parts of the harness separately (such as in differential- or property-fuzzing), or where using atomic harnesses may not be as efficient due to the allocation of shared resources (e.g. differential fuzzing PCRE2, we would want to avoid compiling the regex twice for the interpreter and the JIT). This also simplifies the job of the fuzzer developer, as they can reuse existing harnesses and only add callbacks to delineate the stages of the harness execution.

With that in mind, we should probably implement the infrastructure to easily implement harness/fuzzer interactions. This is most relevant for in-process executor, where we need to stash the fuzzer/state/executor/etc., do mutability checks, potentially pause/cancel timeouts, etc. in a way that is likely non-obvious for developers that aren't us 🙂

We can implement this as part of the executor changes originally discussed in #1341 s.t. we have a global representing the current state to be used by more than just the signal handlers.

To implement this, I suggest we extract the global used by the signal handler to a global that is more widely available, then define a HarnessCallback<E> trait, generic over executor E. Individual support for different executor variants can then be implemented by the executor developers and blanket implemented for the callbacks. The specific callback functions can then be defined by the fuzzer developer + some common ones we can implement by default.

Originally posted by @addisoncrump in https://github.com/AFLplusplus/LibAFL/discussions/1787

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant