add seek power schedule, remove update stats in calibration, fix help output

Author: vanhauser-thc

docs/Changelog.md

@@ -24,6 +24,8 @@ sending a mail to <[email protected]>.
      - Ensure that the targets are killed on exit
      - fix/update to MOpt (thanks to arnow117)
      - added MOpt dictionary support from repo
+     - added experimental SEEK power schedule. It is EXPLORE with ignoring
+       the runtime and less focus on the length of the test case
   - llvm_mode:
     - the default instrumentation is now PCGUARD if the llvm version is >= 7,
       as it is faster and provides better coverage. The original afl

docs/power_schedules.md

@@ -21,6 +21,7 @@ We find that AFL's exploitation-based constant schedule assigns **too much energ
 | `-p exploit` (AFL) | ![LIN](http://latex.codecogs.com/gif.latex?p%28i%29%20%3D%20%5Calpha%28i%29) |
 | `-p mmopt` | Experimental: `explore` with no weighting to runtime and increased weighting on the last 5 queue entries |
 | `-p rare` | Experimental: `rare` puts focus on queue entries that hit rare edges |
+| `-p seek` | Experimental: `seek` is EXPLORE but ignoring the runtime of the queue input and less focus on the size |
 where *α(i)* is the performance score that AFL uses to compute for the seed input *i*, *β(i)>1* is a constant, *s(i)* is the number of times that seed *i* has been chosen from the queue, *f(i)* is the number of generated inputs that exercise the same path as seed *i*, and *μ* is the average number of generated inputs exercising a path.
 
 More details can be found in the paper that was accepted at the [23rd ACM Conference on Computer and Communications Security (CCS'16)](https://www.sigsac.org/ccs/CCS2016/accepted-papers/).

include/afl-fuzz.h

@@ -233,6 +233,7 @@ enum {
   /* 05 */ QUAD,    /* Quadratic schedule               */
   /* 06 */ RARE,    /* Rare edges                       */
   /* 07 */ MMOPT,   /* Modified MOPT schedule           */
+  /* 08 */ SEEK,    /* EXPLORE that ignores timings     */
 
   POWER_SCHEDULES_NUM
 

src/afl-fuzz-queue.c

@@ -201,8 +201,7 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) {
   else
     fuzz_p2 = q->fuzz_level;
 
-  if (unlikely(afl->schedule == MMOPT || afl->schedule == RARE) ||
-      unlikely(afl->fixed_seed)) {
+  if (unlikely(afl->schedule >= RARE) || unlikely(afl->fixed_seed)) {
 
     fav_factor = q->len << 2;
 
@@ -228,8 +227,7 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) {
         else
           top_rated_fuzz_p2 = afl->top_rated[i]->fuzz_level;
 
-        if (unlikely(afl->schedule == MMOPT || afl->schedule == RARE) ||
-            unlikely(afl->fixed_seed)) {
+        if (unlikely(afl->schedule >= RARE) || unlikely(afl->fixed_seed)) {
 
           top_rated_fav_factor = afl->top_rated[i]->len << 2;
 
@@ -250,8 +248,7 @@ void update_bitmap_score(afl_state_t *afl, struct queue_entry *q) {
 
         }
 
-        if (unlikely(afl->schedule == MMOPT || afl->schedule == RARE) ||
-            unlikely(afl->fixed_seed)) {
+        if (unlikely(afl->schedule >= RARE) || unlikely(afl->fixed_seed)) {
 
           if (fav_factor > afl->top_rated[i]->len << 2) { continue; }
 
@@ -396,8 +393,7 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) {
   // Longer execution time means longer work on the input, the deeper in
   // coverage, the better the fuzzing, right? -mh
 
-  if (afl->schedule != MMOPT && afl->schedule != RARE &&
-      likely(!afl->fixed_seed)) {
+  if (afl->schedule >= RARE && likely(!afl->fixed_seed)) {
 
     if (q->exec_us * 0.1 > avg_exec_us) {
 
@@ -509,6 +505,9 @@ u32 calculate_score(afl_state_t *afl, struct queue_entry *q) {
     case EXPLORE:
       break;
 
+    case SEEK:
+      break;
+
     case EXPLOIT:
       factor = MAX_FACTOR;
       break;

src/afl-fuzz-run.c

@@ -286,12 +286,6 @@ u8 calibrate_case(afl_state_t *afl, struct queue_entry *q, u8 *use_mem,
 
     u64 cksum;
 
-    if (!first_run && !(afl->stage_cur % afl->stats_update_freq)) {
-
-      show_stats(afl);
-
-    }
-
     write_to_testcase(afl, use_mem, q->len);
 
     fault = fuzz_run_target(afl, &afl->fsrv, use_tmout);

src/afl-fuzz-state.c

@@ -30,9 +30,9 @@ s8  interesting_8[] = {INTERESTING_8};
 s16 interesting_16[] = {INTERESTING_8, INTERESTING_16};
 s32 interesting_32[] = {INTERESTING_8, INTERESTING_16, INTERESTING_32};
 
-char *power_names[POWER_SCHEDULES_NUM] = {
-
-    "explore", "exploit", "fast", "coe", "lin", "quad", "rare", "mmopt"};
+char *power_names[POWER_SCHEDULES_NUM] = {"explore", "exploit", "fast",
+                                          "coe",     "lin",     "quad",
+                                          "rare",    "mmopt",   "seek"};
 
 /* Initialize MOpt "globals" for this afl state */
 

src/afl-fuzz-stats.c

@@ -194,7 +194,8 @@ void maybe_update_plot_file(afl_state_t *afl, double bitmap_cvg, double eps) {
                afl->plot_prev_uc == afl->unique_crashes &&
                afl->plot_prev_uh == afl->unique_hangs &&
                afl->plot_prev_md == afl->max_depth) ||
-      unlikely(!afl->queue_cycle) || unlikely(get_cur_time() - afl->start_time <= 60)) {
+      unlikely(!afl->queue_cycle) ||
+      unlikely(get_cur_time() - afl->start_time <= 60)) {
 
     return;
 

src/afl-fuzz.c

@@ -115,12 +115,13 @@ static void usage(afl_state_t *afl, u8 *argv0, int more_help) {
       "  -o dir        - output directory for fuzzer findings\n\n"
 
       "Execution control settings:\n"
-      "  -p schedule   - power schedules recompute a seed's performance "
-      "score.\n"
-      "                  <explore(default), fast, coe, lin, quad, exploit, "
-      "mmopt, rare>\n"
+      "  -p schedule   - power schedules compute a seed's performance score. "
+      "<explore\n"
+      "                  (default), fast, coe, lin, quad, exploit, mmopt, "
+      "rare, seek>\n"
       "                  see docs/power_schedules.md\n"
-      "  -f file       - location read by the fuzzed program (stdin)\n"
+      "  -f file       - location read by the fuzzed program (default: stdin "
+      "or @@)\n"
       "  -t msec       - timeout for each run (auto-scaled, 50-%d ms)\n"
       "  -m megs       - memory limit for child process (%d MB)\n"
       "  -Q            - use binary-only instrumentation (QEMU mode)\n"
@@ -146,7 +147,7 @@ static void usage(afl_state_t *afl, u8 *argv0, int more_help) {
       "devices etc.!)\n"
       "  -d            - quick & dirty mode (skips deterministic steps)\n"
       "  -n            - fuzz without instrumentation (non-instrumented mode)\n"
-      "  -x dir        - optional fuzzer dictionary (see README.md, its really "
+      "  -x dict_file  - optional fuzzer dictionary (see README.md, its really "
       "good!)\n\n"
 
       "Testing settings:\n"
@@ -164,11 +165,11 @@ static void usage(afl_state_t *afl, u8 *argv0, int more_help) {
       "fuzzing\n"
       "  -I command    - execute this command/script when a new crash is "
       "found\n"
-      "  -B bitmap.txt - mutate a specific test case, use the out/fuzz_bitmap "
-      "file\n"
+      //"  -B bitmap.txt - mutate a specific test case, use the out/fuzz_bitmap
+      //" "file\n"
       "  -C            - crash exploration mode (the peruvian rabbit thing)\n"
-      "  -e ext        - file extension for the temporarily generated test "
-      "case\n\n",
+      "  -e ext        - file extension for the fuzz test case case (if "
+      "needed)\n\n",
       argv0, EXEC_TIMEOUT, MEM_LIMIT);
 
   if (more_help > 1) {
@@ -349,6 +350,10 @@ int main(int argc, char **argv_orig, char **envp) {
 
           afl->schedule = RARE;
 
+        } else if (!stricmp(optarg, "seek")) {
+
+          afl->schedule = SEEK;
+
         } else if (!stricmp(optarg, "explore") || !stricmp(optarg, "default") ||
 
                    !stricmp(optarg, "normal") || !stricmp(optarg, "afl")) {
@@ -954,6 +959,9 @@ int main(int argc, char **argv_orig, char **envp) {
     case RARE:
       OKF("Using rare edge focus power schedule (RARE)");
       break;
+    case SEEK:
+      OKF("Using seek power schedule (SEEK)");
+      break;
     case EXPLORE:
       OKF("Using exploration-based constant power schedule (EXPLORE, default)");
       break;