Tags: python, c, fuzzing, fuzzer, american-fuzzy-lop

How to create an augmented AFL fuzzer which skips certain seeds?


I am a master's student working on replicating the results of the paper: https://www.microsoft.com/en-us/research/publication/not-all-bytes-are-equal-neural-byte-sieve-for-fuzzing/

I want to create an augmented fuzzer which rejects the modifications to seeds which it finds not useful. Any help in achieving this will be very helpful.

I have created a simple python function for the augmented fuzzer. To test the implementation, I took the trivial "deadbeef" program and wrote the python function such that whenever the seed is modified to "deadbeef", the function sends a "not useful" return to the 'common_fuzz_stuff()' function of the AFL-fuzz code. It should mean that the fuzzer should not be able to find the crash. But it still is able to find the crash and I'm not able to determine where I have gone wrong.

Here is the python function for AFL:

    def check_useful(seed):
        # Returns True when the file handed to us contains exactly the crashing
        # input, i.e. signals "not useful" so that afl-fuzz skips running it.
        my_string = str.encode('deadbeef')

        # Read the candidate input from disk; the with-block closes the handle.
        with open(seed, 'rb') as file:
            value = file.read()

        if value == my_string:
            print('[*] Crash Found!')
            return True
        else:
            return False

And here is the afl-fuzz.c code snippet:

    /* Write a modified test case, run program, process results. Handle
       error conditions, returning 1 if it's time to bail out. This is
       a helper function for fuzz_one(). */

    EXP_ST u8 common_fuzz_stuff(char** argv, u8* out_buf, u32 len) {

      /* pFuncCheckModel, pArgs and pFuncReturn are PyObject* handles set up
         when the embedded interpreter was initialised (not shown here). */
      if (PyCallable_Check(pFuncCheckModel)) {

        /* Build the single-argument tuple for check_useful(seed). Note that
           this passes the path of the *parent* queue entry, not the path of
           the mutated test case that is about to be executed. */
        pArgs = PyTuple_New(1);
        PyTuple_SetItem(pArgs, 0, PyUnicode_FromString(queue_cur->fname));

        pFuncReturn = PyObject_CallObject(pFuncCheckModel, pArgs);
        Py_DECREF(pArgs);

        /* A NULL return means the Python call raised; PyObject_IsTrue()
           must not be called on it. */
        if (pFuncReturn && PyObject_IsTrue(pFuncReturn)) {
          Py_DECREF(pFuncReturn);
          skip_requested = 1;
          return 1;             /* tell fuzz_one() to bail out of this run */
        }
        Py_XDECREF(pFuncReturn);

      } else {
        PyErr_Print();
      }

      /* ... remainder of AFL's common_fuzz_stuff() body unchanged ... */

How is my program still able to find the crash even if the return value is 1 from the common_fuzz_stuff() function for the seed "deadbeef"?


Solution

  • To answer my own question: I had to send out_file to the Python function instead of queue_cur->fname.

    PyTuple_SetItem(pArgs, 0, PyUnicode_FromString(out_file));
    

    Also skip_requested = 1; in the above code is redundant.

    Now the fuzzer will run and will not find the crash.
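The following is an added, self-contained simulation of the fuzz loop described in the question and answer; it is not code from the original post or from AFL. It models `queue_cur->fname` as the path of the unmodified parent seed and `out_file` as the path where each mutated candidate is written before execution, then gates each run on the sieve callback exactly as the C snippet does. The mutation schedule, the stand-in target (`target_crashes`) and the seed bytes are constructed for the demonstration; the point it shows is that gating on the parent seed path never rejects a mutation, because the parent file's contents never change during the loop, while gating on the mutated candidate's path does.

```python
import os
import tempfile

# The trivial "deadbeef" test program crashes on exactly this input (constructed).
TARGET = b"deadbeef"


def check_useful(path):
    """Sieve callback with the same contract as the question's check_useful():
    True means 'not useful, do not run this candidate'."""
    with open(path, "rb") as f:
        return f.read() == TARGET


def target_crashes(data):
    """Stand-in for executing the instrumented target (constructed)."""
    return data == TARGET


def mutate(seed):
    """Constructed deterministic mutator: rewrites the seed toward TARGET one
    byte per step, so the crashing input is guaranteed to be generated."""
    cur = bytearray(seed)
    for i in range(len(TARGET)):
        if i < len(cur):
            cur[i] = TARGET[i]
        else:
            cur.append(TARGET[i])
        yield bytes(cur)


def fuzz(seed_bytes, pass_parent_path):
    """Simulated fuzz_one()/common_fuzz_stuff() loop.

    pass_parent_path=True  -> sieve sees queue_cur->fname (the question's bug)
    pass_parent_path=False -> sieve sees out_file (the answer's fix)
    Returns (crash_found, executions, rejected).
    """
    with tempfile.TemporaryDirectory() as d:
        seed_path = os.path.join(d, "seed")        # plays queue_cur->fname
        out_file = os.path.join(d, ".cur_input")   # plays out_file
        with open(seed_path, "wb") as f:
            f.write(seed_bytes)

        executions = rejected = 0
        for candidate in mutate(seed_bytes):
            # common_fuzz_stuff() first writes the mutated case to out_file...
            with open(out_file, "wb") as f:
                f.write(candidate)

            # ...then asks the sieve. Which path it is handed decides what it sees.
            gate_path = seed_path if pass_parent_path else out_file
            if check_useful(gate_path):
                rejected += 1
                continue            # the C code's 'return 1': run skipped

            executions += 1
            if target_crashes(candidate):
                return True, executions, rejected
        return False, executions, rejected


if __name__ == "__main__":
    print("parent path :", fuzz(b"AAAAAAAA", pass_parent_path=True))
    print("out_file    :", fuzz(b"AAAAAAAA", pass_parent_path=False))
```

With the parent path the sieve reads `AAAAAAAA` on every iteration, rejects nothing, and the eighth mutation crashes the target; with `out_file` the same eighth mutation is recognised and skipped, so no crash is ever executed. Only when the original seed is itself `deadbeef` does the parent-path check reject anything, which is why the question's build still reached the crash.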