Stateful minimization (awslabs#35)

* (Re)introduce stateful minimization and now with support for custom input types beyond `Vec<u8>`
Updated `minimize` command line handling. fixed up examples to conform to new minimization API.

* Refactoring to remove `BTreeMap` usage in favor of `FxIndexMap` when dealing with addresses as keys and requiring fast iteration.

* Update examples to use Makefiles
---------

Co-authored-by: Michael Rodler <[email protected]>

Cargo.toml

@@ -55,6 +55,6 @@ incremental = true
 
 [features]
 default = []
+# default = ["redqueen", "custom_feedback"]
 redqueen = []
 custom_feedback = []
-bb_range = []

docker/Dockerfile.snapshot

@@ -1,4 +1,5 @@
-FROM ubuntu:22.04
+ARG UBUNTU_VERSION=22.04
+FROM ubuntu:$UBUNTU_VERSION
 
 # Install prereqs
 ARG DEBIAN_FRONTEND=noninteractive 

docker/coverage_scripts/angr_snapchange.py

@@ -718,10 +718,15 @@ def add_memory(op, memlen=STR_LEN_THRESHOLD, null_term=False):
 
 
 dict_path = cliargs.dict_path
+logger.info(f"writing auto-dict entries to {dict_path}")
 dict_path.mkdir(parents=True, exist_ok=True)
+written = 0
 for fname, content in auto_dict_files.items():
     with (dict_path / fname).open("wb") as f:
         f.write(content)
+        written += 1
+
+logger.info(f"wrote {written} auto-dict entries")
 
 
 sys.exit(0)

docker/utils/snapshot.sh

@@ -292,7 +292,7 @@ if [[ "$GENERATE_COVERAGE_BREAKPOINTS" -eq 1 ]]; then
     # Use ghidra to find the coverage basic blocks
     python3 $SNAPCHANGE_ROOT/coverage_scripts/ghidra_basic_blocks.py --base-addr "$BASE" "$OUTPUT/$BIN_NAME.bin" > "$OUTPUT/ghidra.log" 2>&1
   elif [[ "$COVERAGE_BREAKPOINT_COMMAND" == "angr" ]]; then
-    python3 $SNAPCHANGE_ROOT/coverage_scripts/angr_snapchange.py --auto-dict --base-addr "$BASE" "$OUTPUT/$BIN_NAME.bin" > "$OUTPUT/angr.log" 2>&1
+    python3 $SNAPCHANGE_ROOT/coverage_scripts/angr_snapchange.py --dict-path "$OUTPUT/dict" --auto-dict --base-addr "$BASE" "$OUTPUT/$BIN_NAME.bin" > "$OUTPUT/angr.log" 2>&1
   elif [[ "$COVERAGE_BREAKPOINT_COMMAND" == "rizin" ]]; then
     python3 $SNAPCHANGE_ROOT/coverage_scripts/rz_snapchange.py --base-addr "$BASE" "$OUTPUT/$BIN_NAME.bin" > "$OUTPUT/rizin.log" 2>&1
   elif [[ "$COVERAGE_BREAKPOINT_COMMAND" == "binaryninja" ]]; then

examples/.gitignore

@@ -0,0 +1,3 @@
+**/snapshot_image
+**/target_image
+**/Cargo.lock

examples/01_getpid/.dockerignore

@@ -0,0 +1 @@
+.gitignore

examples/01_getpid/.gitignore

@@ -2,3 +2,8 @@ dockers/snapshot_image
 dockers/target_image
 *.min
 fuzzer.log
+snapshot
+snapshot/
+target
+harness/example1
+harness/report.info

examples/01_getpid/Makefile

@@ -1,27 +1,28 @@
 DOCKER ?= docker
 FUZZ_CORES ?= /2
 
+DOCKER_IMAGE_NAME ?= snapchange_example1
+
 all: test
 
 base_images:
 	# Build the base snapchange image used for snapshotting
 	cd ../../docker && make
 
-dockers/target_image:
-	$(DOCKER) build -q -t snapchange_example1:target . -f dockers/Dockerfile.target | tee dockers/target_image
+dockers/target_image: dockers/Dockerfile.target
+	$(DOCKER) build -q -t $(DOCKER_IMAGE_NAME):target . -f $< > $@ || { rm $@; exit 1; }
 
-dockers/snapshot_image: dockers/target_image
-	$(DOCKER) build -q -t snapchange_example1:snapshot . -f dockers/Dockerfile.snapshot | tee dockers/snapshot_image
+dockers/snapshot_image: dockers/Dockerfile.snapshot dockers/target_image
+	$(DOCKER) build -q -t $(DOCKER_IMAGE_NAME):snapshot . -f $< > $@ || { rm $@; exit 1; }
 
 snapshot: dockers/snapshot_image harness/example1.c
-	# mkdir -p snapshot/
 	$(DOCKER) run --rm -i \
 		-v $(shell realpath -m ./snapshot):/snapshot \
 		-e SNAPSHOT_IMGTYPE=initramfs \
-		$(shell cat dockers/snapshot_image)
+		$$(cat dockers/snapshot_image) >/dev/null 2>&1
 
 fuzzer:
-	cargo build -r
+	cargo build -r >/dev/null 2>&1
 
 fuzz: snapshot
 	cargo run -r -- -p ./snapshot fuzz -c $(FUZZ_CORES)
@@ -31,19 +32,21 @@ fuzz-%: snapshot
 # .PHONY: fuzz-1 fuzz-2 fuzz-3 fuzz-4 fuzz-5
 
 
-test: base_images snapshot fuzzer reset
+test: snapshot fuzzer reset
 	./test.sh
 
 reset: snapshot
 	cd snapshot && ./reset.sh
 
 clean: clean-docker
-	-$(RM) -rf snapshot
+	-$(RM) -rf snapshot target
 
 clean-docker:
+	-$(DOCKER) rmi $(DOCKER_IMAGE_NAME):snapshot
+	-$(DOCKER) rmi $(DOCKER_IMAGE_NAME):target
 	-$(DOCKER) rmi `cat ./dockers/snapshot_image`
-	-rm ./dockers/snapshot_image
 	-$(DOCKER) rmi `cat ./dockers/target_image`
+	-rm ./dockers/snapshot_image
 	-rm ./dockers/target_image
 
 .PHONY: fuzzer all base_images test reset fuzz

examples/01_getpid/dockers/Dockerfile.target

@@ -1,4 +1,4 @@
 FROM snapchange_base_target
 
-COPY harness/* /opt/
-RUN cd /opt/ && make
+COPY harness/ /opt/
+RUN cd /opt/ && ls && make

examples/01_getpid/test.sh

@@ -1,43 +1,11 @@
 #!/usr/bin/env bash
 
-if [[ -z "$FUZZ_CORES" ]]; then
-    FUZZ_CORES="/2"
-fi
-
-if [[ -z "$FUZZ_TIMEOUT" ]]; then 
-    FUZZ_TIMEOUT="1m"
-fi
-
-EX="$(basename $PWD)"
-
-COLOR_CLEAR='\e[0m'
-COLOR_RED='\e[0;31m'
-COLOR_GREEN='\e[0;32m'
-
-function err {
-    echo -e "${COLOR_RED}ERROR: $EX - $* $COLOR_CLEAR"
-    exit 1
-}
-
-function log_success {
-    echo -e "${COLOR_GREEN}SUCCESS: $EX - $* $COLOR_CLEAR"
-}
-
-if ! test -d snapshot; then
-    err "require snapshot"
-fi
-
-# Reset the snapshot from a previous run
-pushd snapshot > /dev/null
-./reset.sh
-popd > /dev/null
+source ../test.include.sh
 
-# Rebuild the fuzzer
-echo "Building Example 01"
-cargo build -r >/dev/null 2>/dev/null || err "build failed"
+setup_build
 
 # Seed the input with an easier input
-echo "Begin fuzzing!"
+log_info "start fuzzing"
 mkdir -p snapshot/input
 echo -n fuzzmetosolvem11 > snapshot/input/test
 cargo run -r -- fuzz -c "$FUZZ_CORES" --ascii-stats --stop-after-first-crash --stop-after-time "$FUZZ_TIMEOUT" >/dev/null 2>/dev/null

examples/02_libtiff/.dockerignore

@@ -0,0 +1 @@
+.gitignore

examples/02_libtiff/.gitignore

@@ -0,0 +1,4 @@
+target
+snapshot
+*.log
+Cargo.lock