Hybrid fuzzing (SymCC + AFL) does not work
thuanpv opened this issue · comments
Hi,
I set up SymCC using the given Dockerfile and I followed this video to test its hybrid fuzzing mode: https://www.youtube.com/watch?v=zmC-ptp3W3k.
I used the same example program and the commands but SymCC did not generate new test cases.
mkdir in; printf "xxxx" > in/seed
afl-fuzz -i in -o out -S fuzzer1 -- afl-sample-afl @@
symcc_fuzzing_helper -o out -a fuzzer1 -n symcc -- afl-sample-symcc @@
SymCC output the following:
[2021-10-11T01:04:41Z INFO symcc_fuzzing_helper] Running on input out/fuzzer1/queue/id:000001,src:000000,op:havoc,rep:64,+cov
[2021-10-11T01:04:41Z INFO symcc_fuzzing_helper] Generated 0 test cases (0 new)
[2021-10-11T01:04:41Z INFO symcc_fuzzing_helper] Running on input out/fuzzer1/queue/id:000007,src:000000,op:havoc,rep:8,+cov
[2021-10-11T01:04:41Z INFO symcc_fuzzing_helper] Generated 0 test cases (0 new)
[2021-10-11T01:04:41Z INFO symcc_fuzzing_helper] Running on input out/fuzzer1/queue/id:000006,src:000000,op:havoc,rep:8,+cov
[2021-10-11T01:04:41Z INFO symcc_fuzzing_helper] Generated 0 test cases (0 new)
[2021-10-11T01:04:41Z INFO symcc_fuzzing_helper] Running on input out/fuzzer1/queue/id:000002,src:000000,op:havoc,rep:4,+cov
[2021-10-11T01:04:41Z INFO symcc_fuzzing_helper] Generated 0 test cases (0 new)
[2021-10-11T01:04:41Z INFO symcc_fuzzing_helper] Running on input out/fuzzer1/queue/id:000008,src:000000,op:havoc,rep:16,+cov
[2021-10-11T01:04:41Z INFO symcc_fuzzing_helper] Generated 0 test cases (0 new)
[2021-10-11T01:04:41Z INFO symcc_fuzzing_helper] Running on input out/fuzzer1/queue/id:000005,src:000000,op:havoc,rep:64,+cov
[2021-10-11T01:04:41Z INFO symcc_fuzzing_helper] Generated 0 test cases (0 new)
[2021-10-11T01:04:41Z INFO symcc_fuzzing_helper] Running on input out/fuzzer1/queue/id:000004,src:000000,op:havoc,rep:16,+cov
[2021-10-11T01:04:41Z INFO symcc_fuzzing_helper] Generated 0 test cases (0 new)
[2021-10-11T01:04:41Z INFO symcc_fuzzing_helper] Running on input out/fuzzer1/queue/id:000003,src:000000,op:havoc,rep:32,+cov
[2021-10-11T01:04:41Z INFO symcc_fuzzing_helper] Generated 0 test cases (0 new)
[2021-10-11T01:04:41Z INFO symcc_fuzzing_helper] Running on input out/fuzzer1/queue/id:000000,orig:seed
[2021-10-11T01:04:41Z INFO symcc_fuzzing_helper] Generated 0 test cases (0 new)
I was thinking that my setup might be incorrect so I ran SymCC alone and it worked. Specifically, I ran the following command
SYMCC_INPUT_FILE=in/seed ./afl-sample-symcc in/seed
SymCC generated 5 test cases in this setup, including a crash-triggering one.
This is SymCC running with the QSYM backend
Making data read from in/seed as symbolic
[STAT] SMT: { "solving_time": 0, "total_time": 658 }
[STAT] SMT: { "solving_time": 378 }
[INFO] New testcase: /home/ubuntu/results/000000
[STAT] SMT: { "solving_time": 378, "total_time": 1599 }
[STAT] SMT: { "solving_time": 630 }
[INFO] New testcase: /home/ubuntu/results/000001
[STAT] SMT: { "solving_time": 630, "total_time": 2347 }
[STAT] SMT: { "solving_time": 909 }
[INFO] New testcase: /home/ubuntu/results/000002
[STAT] SMT: { "solving_time": 909, "total_time": 3130 }
[STAT] SMT: { "solving_time": 1154 }
[INFO] New testcase: /home/ubuntu/results/000003
[STAT] SMT: { "solving_time": 1154, "total_time": 4057 }
[STAT] SMT: { "solving_time": 1539 }
[INFO] New testcase: /home/ubuntu/results/000004
Does anyone know the reason(s)? I suspect that in my hybrid fuzzing setup somehow SymCC could not symbolize the input file(s). Another reason could be that somehow the constraint solver did not work.
Thanks,
Thuan
I met the same problem. Did you solve this problem?
Hi, you have to use AFL 2.56.
Your file path cannot contain "-".
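The following preflight script is an added example, not code from this thread or from the SymCC project. It turns the two answers above (use AFL 2.56, keep "-" out of the paths) and the poster's own sanity check (running the SymCC-instrumented binary alone with SYMCC_INPUT_FILE) into checks you can run before starting the helper, so that a "Generated 0 test cases" run can be attributed either to the helper setup or to the instrumented build itself. It assumes that afl-fuzz started without arguments prints its version on the first line of its banner, and that SYMCC_OUTPUT_DIR is the SymCC runtime's output-directory variable (the /home/ubuntu/results paths in the log above are consistent with it). The banner string in the comments is a constructed sample.

```shell
#!/bin/sh
# Added example, not code from the issue thread or from the SymCC project.
# Preflight checks for a SymCC + AFL hybrid setup, built around the two hints
# given in the thread (use AFL 2.56; keep "-" out of the paths) plus the
# poster's own sanity check of running the SymCC-instrumented binary alone.
#
# Assumptions (not stated on the page):
#   - afl-fuzz started without arguments prints a banner whose first line
#     contains its version, e.g. "afl-fuzz 2.56b by <lcamtuf@google.com>"
#     (constructed sample).
#   - SYMCC_OUTPUT_DIR is honoured by the SymCC runtime as the directory that
#     receives generated test cases.

# True (exit 0) when the path contains a "-" anywhere.
path_has_dash() {
    case "$1" in
        *-*) return 0 ;;
        *)   return 1 ;;
    esac
}

# True when a version string such as "2.56b" belongs to the 2.56 series.
afl_version_is_2_56() {
    case "$1" in
        2.56*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Pulls "X.YZ[suffix]" out of the first line of an afl-fuzz banner; the
# leading .* also skips any terminal colour codes in front of the version.
afl_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n '1s/^.*\([0-9][0-9]*\.[0-9][0-9]*[a-z]*\).*$/\1/p'
}

# Counts regular files directly inside a directory (SymCC writes one test
# case per file, named 000000, 000001, ...). A missing directory counts as 0.
count_testcases() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Runs the SymCC-instrumented target once on the seed, as the poster did, and
# prints how many test cases the solver produced. The target's own stdout is
# discarded so that the count is the only thing written to stdout.
symcc_solo_run() {
    target=$1; seed=$2; outdir=$3
    mkdir -p "$outdir"
    SYMCC_INPUT_FILE="$seed" SYMCC_OUTPUT_DIR="$outdir" "$target" "$seed" >/dev/null \
        || echo "note: target exited non-zero (a crash on the seed is possible)" >&2
    count_testcases "$outdir"
}

# Full preflight. Usage: sh symcc_preflight.sh <symcc-binary> <seed> <outdir>
# Returns the number of problems found (0 means everything looked fine).
preflight() {
    target=$1; seed=$2; outdir=$3
    problems=0

    for p in "$target" "$outdir"; do
        if path_has_dash "$p"; then
            echo "WARN: '$p' contains '-'; the thread reports the helper needs dash-free paths" >&2
            problems=$((problems + 1))
        fi
    done

    if command -v afl-fuzz >/dev/null 2>&1; then
        ver=$(afl_version_from_banner "$(afl-fuzz 2>&1 | head -n 1)")
        if afl_version_is_2_56 "$ver"; then
            echo "OK: afl-fuzz $ver"
        else
            echo "WARN: afl-fuzz version '$ver'; the thread reports AFL 2.56 is required" >&2
            problems=$((problems + 1))
        fi
    else
        echo "WARN: afl-fuzz not on PATH" >&2
        problems=$((problems + 1))
    fi

    n=$(symcc_solo_run "$target" "$seed" "$outdir")
    if [ "$n" -gt 0 ]; then
        echo "OK: SymCC alone produced $n test case(s); if the helper still reports 0, look at the warnings above"
    else
        echo "WARN: SymCC alone produced 0 test cases; the instrumented build or solver is the problem, not the helper" >&2
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Only run the checks when invoked with the three arguments; running the file
# with no arguments just defines the functions.
if [ "$#" -eq 3 ]; then
    preflight "$1" "$2" "$3"
fi
```

Note that the binary names in the original post, afl-sample-afl and afl-sample-symcc, both contain "-", so the path check fires on exactly that setup; the solo run is the same experiment the poster did by hand, reduced to a single count so the two hypotheses in the question (input not symbolized vs. solver not working) can be separated from helper-side configuration problems.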