Skip to content

Navigation Menu

Sign in

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

Delay sync stage for new runs #2057

sagamusix started this conversation in General
Delay sync stage for new runs #2057
@sagamusix sagamusix
Apr 14, 2024 · 2 comments
Return to top
Discussion options

sagamusix
Apr 14, 2024

I'm running a bunch of fuzzers on my library (libopenmpt). Occasionally, when adding support for a new file format which requires some additional attention, I add a new fuzzer to the bunch which initial test cases just covering that new file format. I do add this fuzzer to my existing pool since the cross-pollination between different fuzzer instances is pretty useful in general, but I think it would be nice if the strategy when the sync stage is executed could be improved a bit for new fuzzing instances that haven't been running for a long time.

In general my observation is that afl++ spends some time on fuzzing the first test case that I provided, and then after a few minutes changes to syncing files from other fuzzers. I think it would be beneficial if at least a couple more of the initial test files were considered before the sync stage is reached for the first time - let the fuzzer first spend some time on the material it was provided before files from other fuzzers are considered. Do you think changing the fuzzing strategy in this regard would be feasible?
You must be logged in to vote

Replies: 2 comments

Comment options

vanhauser-thc
Apr 15, 2024
Maintainer

Do you think changing the fuzzing strategy in this regard would be feasible?

yes it is feasible. but it would not be the optimal approach, for you or anyone else (unless you can convince me otherwise) :-)

here is what should work better for you:

step 1

for a new feature, run 1-x instances of afl-fuzz independent to the general fuzzing campaign. this way there is no cross pollination.

This is still not optimal because AFL++ will still at once find other supported formats and fuzz these two, making it loosing concentration on your new feature, so we want:

Focus fuzzing

when you compile for fuzzing your new feature, use selective instrumentation (AFL_LLVM_ALLOWLIST) for the functions on the path to your target functions plus your target functions themselves.

This way you only fuzz the feature that you want.

Merging to the general fuzzing campaign

once you are satisfied with fuzzing the new feature just add that corpus to the general fuzzing campaign, e.g. afl-addseeds -i focus_fuzz/main/queue -o general_fuzz
You must be logged in to vote
0 replies
Comment options

sagamusix
Apr 15, 2024
Author

Ah, I wasn't aware of afl-addseeds, I see that's a recent addition. I think that takes the main pain points away from running a separate fuzzing campaign in paralle, so I will stick to that. Thanks for the suggestion!
You must be logged in to vote
0 replies
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
discussion Discuss a strategy, feature or goal
2 participants
@sagamusix @vanhauser-thc
Converted from issue

This discussion was converted from issue #2055 on April 15, 2024 20:13.

Morty Proxy This is a proxified and sanitized view of the page, visit original site.