
Add MutatedTransform to the input type for tmin & push mutational stage

Open tokatoka opened this issue 1 year ago • 3 comments

Like this: https://github.com/AFLplusplus/LibAFL/blob/c8c5d89f336208112ff91889865e6bedb62aa23d/libafl/src/stages/mutational.rs#L97 in the mutational stage.

tokatoka, May 03 '23 17:05

I would like to contribute to it. Can you please explain to me in some detail, what you need me to do, and provide any starting references/resources that can help in contributing, if any?

tejas012321011, May 23 '23 06:05

Sorry, but I could not find the Input types in the files you mentioned; instead I found other types, which were not generic as in the file you mentioned: `<Self::State as UsesInput>::Input: HasLen + Hash`. How do I add MutatedTransform here? @tokatoka

gerceboss, Mar 03 '24 20:03

I have been investigating this issue and reading the related code these days.

The MutatedTransform is introduced in this commit along with the Grimoire. Grimoire is a new fuzzing technique that can efficiently fuzz programs that require highly structured inputs (e.g., a programming language).

The modifications to the mutational stage in the commit serve as a good reference. Previously, you get the testcase from the corpus, convert it into an input, mutate it using mutators, and execute it. Now with MutatedTransform, you use try_transform_from to convert from the testcase to MutatedTransform<Input, State>, pass it to the mutators (mutators now mutate over a brand new type), and convert it back into an input using try_transform_into before execution. try_transform_into also returns a MutatedTransformPost callback that is called after the new testcase is inserted into the corpus.

For example, type UnicodeInput = (BytesInput, StringIdentificationMetadata) implements MutatedTransform<BytesInput, S>. Besides the byte array, it also contains additional metadata (StringIdentificationMetadata). When it is transformed from a Testcase (using try_transform_from), the metadata is fetched from the testcase and a UnicodeInput is constructed. Then the UnicodeInput is passed to the mutators. Mutators can leverage the metadata to perform better mutations. After mutation and before execution, the UnicodeInput is transformed back into a BytesInput (using try_transform_into), and the StringIdentificationMetadata is returned as the MutatedTransformPost. When the new mutated input is interesting and is inserted into the corpus as a testcase, the post-callback is called to insert the corresponding metadata for that testcase.

For any other types that do not need such a mechanism, there is a reflexive definition that implements MutatedTransform<I, S> for I. It makes try_transform_into a no-op, and mutators still mutate over I because I now doubles as MutatedTransform<I, S>.

am009, Mar 25 '24 16:03
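As an added illustration (not LibAFL's own code), here is a self-contained Rust model of the round trip am009 describes: a testcase is turned into the type mutators see, mutated, turned back into an input plus a post hook, and the hook writes metadata once the new testcase is in the corpus, with the reflexive no-op case beside a UnicodeInput-style case. The trait and method names follow the discussion, but the Testcase layout, the `string_ranges` metadata key and the `mutational_step` function are assumptions.

```rust
use std::collections::HashMap;
// Stand-in for a corpus testcase: raw bytes plus a metadata bag (simplified model).
pub struct Testcase {
    pub input: Vec<u8>,
    pub metadata: HashMap<&'static str, Vec<usize>>,
}
// Callback run after the new testcase has been inserted into the corpus.
pub trait MutatedTransformPost {
    fn post_exec(self, new_testcase: &mut Testcase);
}
impl MutatedTransformPost for () {
    fn post_exec(self, _: &mut Testcase) {}
}
// The transform: testcase -> Self (what mutators see) -> (input, post hook).
pub trait MutatedTransform<I>: Sized {
    type Post: MutatedTransformPost;
    fn try_transform_from(tc: &Testcase) -> Result<Self, String>;
    fn try_transform_into(self) -> Result<(I, Self::Post), String>;
}
// Reflexive case: a plain input round-trips unchanged with a no-op post hook.
impl MutatedTransform<Vec<u8>> for Vec<u8> {
    type Post = ();
    fn try_transform_from(tc: &Testcase) -> Result<Self, String> { Ok(tc.input.clone()) }
    fn try_transform_into(self) -> Result<(Vec<u8>, ()), String> { Ok((self, ())) }
}
// Unicode-style input: bytes plus string-range metadata (hypothetical layout, not LibAFL's).
pub struct StringRanges(pub Vec<usize>);
impl MutatedTransformPost for StringRanges {
    fn post_exec(self, tc: &mut Testcase) { tc.metadata.insert("string_ranges", self.0); }
}
pub struct UnicodeInput(pub Vec<u8>, pub StringRanges);
impl MutatedTransform<Vec<u8>> for UnicodeInput {
    type Post = StringRanges;
    fn try_transform_from(tc: &Testcase) -> Result<Self, String> {
        // Fails when the testcase carries no string metadata, as a real transform might.
        let r = tc.metadata.get("string_ranges").cloned().ok_or("missing string metadata")?;
        Ok(UnicodeInput(tc.input.clone(), StringRanges(r)))
    }
    fn try_transform_into(self) -> Result<(Vec<u8>, StringRanges), String> { Ok((self.0, self.1)) }
}

// One stage iteration: testcase -> transformed -> mutate -> input + post -> new testcase.
pub fn mutational_step<T: MutatedTransform<Vec<u8>>>(tc: &Testcase, mutate: impl Fn(&mut T)) -> Result<Testcase, String> {
    let mut t = T::try_transform_from(tc)?;
    mutate(&mut t);
    let (input, post) = t.try_transform_into()?;
    let mut new_tc = Testcase { input, metadata: HashMap::new() };
    post.post_exec(&mut new_tc); // runs once the new testcase is in the corpus
    Ok(new_tc)
}
```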