
Changeset 77482 in vbox for trunk/include/iprt


Timestamp:
Feb 27, 2019 1:17:24 PM (6 years ago)
Author:
vboxsync
Message:

Runtime/fuzz: Rewriting the core fuzzed input generator.

The new implementation stores only changes between mutations and not the
complete input. This saves memory (at the cost of a bit of increased complexity
when generating the input) and allows generating mutations when no initial corpus
data is available, which is useful when trying to fuzz data streams like network connections.

There are two modes when creating a new fuzzing context:

  • BLOB is used for input data like files where an initial corpus is available
  • STREAM is used for data streams like network connections
Location:
trunk/include/iprt
Files:
2 edited

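--- a/trunk/include/iprt/fuzz.h
+++ b/trunk/include/iprt/fuzz.h
@@ -63,4 +63,19 @@
 
 
+/**
+ * Fuzzing context type.
+ */
+typedef enum RTFUZZCTXTYPE
+{
+    /** Invalid type. */
+    RTFUZZCTXTYPE_INVALID = 0,
+    /** Original input data is a single binary large object (BLOB), from a file or similar. */
+    RTFUZZCTXTYPE_BLOB,
+    /** Original input data is from a data stream like a network connection. */
+    RTFUZZCTXTYPE_STREAM,
+    /** 32bit hack. */
+    RTFUZZCTXTYPE_32BIT_HACK = 0x7fffffff
+} RTFUZZCTXTYPE;
+
 /** @name RTFUZZCTX_F_XXX - Flags for RTFuzzCtxCfgSetBehavioralFlags
  * @{ */
@@ -76,6 +91,7 @@
  * @returns IPRT status code.
  * @param   phFuzzCtx           Where to store the handle to the fuzzing context on success.
- */
-RTDECL(int) RTFuzzCtxCreate(PRTFUZZCTX phFuzzCtx);
+ * @param   enmType             Fuzzing context data type.
+ */
+RTDECL(int) RTFuzzCtxCreate(PRTFUZZCTX phFuzzCtx, RTFUZZCTXTYPE enmType);
 
 /**
@@ -242,16 +258,4 @@
 RTDECL(int) RTFuzzCtxInputGenerate(RTFUZZCTX hFuzzCtx, PRTFUZZINPUT phFuzzInput);
 
-/**
- * Mutates a raw buffer.
- *
- * @returns IPRT status code.
- * @param   hFuzzCtx            The fuzzing context handle.
- * @param   pvBuf               Pointer to the buffer to mutate.
- * @param   cbBuf               Size of the buffer iny bytes to mutate.
- * @param   phFuzzInput         Where to store the handle to the fuzzed input on success.
- */
-RTDECL(int) RTFuzzCtxMutateBuffer(RTFUZZCTX hFuzzCtx, void *pvBuf, size_t cbBuf,
-                                  PRTFUZZINPUT phFuzzInput);
-
 
 /**
@@ -272,5 +276,5 @@
 
 /**
- * Queries the data pointer and size of the given fuzzing input.
+ * Queries the data pointer and size of the given fuzzed input blob.
  *
  * @returns IPRT status code
@@ -279,5 +283,15 @@
  * @param   pcb                 Where to store the size of the input data on success.
  */
-RTDECL(int) RTFuzzInputQueryData(RTFUZZINPUT hFuzzInput, void **ppv, size_t *pcb);
+RTDECL(int) RTFuzzInputQueryBlobData(RTFUZZINPUT hFuzzInput, void **ppv, size_t *pcb);
+
+/**
+ * Processes the given data stream for a streamed fuzzing context.
+ *
+ * @returns IPRT status code.
+ * @param   hFuzzInput          The fuzzing input handle.
+ * @param   pvBuf               The data buffer.
+ * @param   cbBuf               Size of the buffer.
+ */
+RTDECL(int) RTFuzzInputMutateStreamData(RTFUZZINPUT hFuzzInput, void *pvBuf, size_t cbBuf);
 
 /**
@@ -368,6 +382,7 @@
  * @returns IPRT status code.
  * @param   phFuzzObs           Where to store the fuzzing observer handle on success.
- */
-RTDECL(int) RTFuzzObsCreate(PRTFUZZOBS phFuzzObs);
+ * @param   enmType             Fuzzing context data type.
+ */
+RTDECL(int) RTFuzzObsCreate(PRTFUZZOBS phFuzzObs, RTFUZZCTXTYPE enmType);
 
 /**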
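Review bot: The new RTFuzzInputMutateStreamData declaration documents pvBuf only as "The data buffer", so a caller cannot tell from the header whether the buffer is rewritten in place, whether the fuzzed length can differ from cbBuf, or how the resulting length is reported; with pvBuf non-const and cbBuf passed by value, the only safe reading is in-place mutation bounded by cbBuf, and that should be stated rather than inferred. Suggest tightening the parameter docs to something like `@param pvBuf The data buffer to mutate in place; must be writable for cbBuf bytes.` and `@param cbBuf Size of the buffer in bytes; mutations must not write beyond this size.`, after confirming that contract against the implementation. The summary line "Processes the given data stream" also understates that the function name promises mutation; aligning the two avoids callers passing a buffer they did not expect to be modified. The same kind of gap exists for the new enmType parameter on RTFuzzCtxCreate and RTFuzzObsCreate, whose docs do not say how RTFUZZCTXTYPE_INVALID or the 32-bit hack value is treated (presumably rejected with an invalid-parameter status, but the header does not say so).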
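--- a/trunk/include/iprt/mangling.h
+++ b/trunk/include/iprt/mangling.h
@@ -1038,5 +1038,4 @@
 # define RTFuzzCtxCreateFromStateFile                   RT_MANGLER(RTFuzzCtxCreateFromStateFile)
 # define RTFuzzCtxInputGenerate                         RT_MANGLER(RTFuzzCtxInputGenerate)
-# define RTFuzzCtxMutateBuffer                          RT_MANGLER(RTFuzzCtxMutateBuffer)
 # define RTFuzzCtxRelease                               RT_MANGLER(RTFuzzCtxRelease)
 # define RTFuzzCtxReseed                                RT_MANGLER(RTFuzzCtxReseed)
@@ -1045,5 +1044,6 @@
 # define RTFuzzCtxStateExportToFile                     RT_MANGLER(RTFuzzCtxStateExportToFile)
 # define RTFuzzInputAddToCtxCorpus                      RT_MANGLER(RTFuzzInputAddToCtxCorpus)
-# define RTFuzzInputQueryData                           RT_MANGLER(RTFuzzInputQueryData)
+# define RTFuzzInputMutateStreamData                    RT_MANGLER(RTFuzzInputMutateStreamData)
+# define RTFuzzInputQueryBlobData                       RT_MANGLER(RTFuzzInputQueryBlobData)
 # define RTFuzzInputQueryDigestString                   RT_MANGLER(RTFuzzInputQueryDigestString)
 # define RTFuzzInputRelease                             RT_MANGLER(RTFuzzInputRelease)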
