Hybrid fuzzing (SymCC + AFL) does not work

[thuanpv]

Hi,

I set up SymCC using the given Dockerfile and I followed this video to test its hybrid fuzzing mode : https://www.youtube.com/watch?v=zmC-ptp3W3k.

I used the same example program and the commands but SymCC did not generate new test cases.

mkdir in; printf "xxxx" > in/seed
afl-fuzz -i in -o out -S fuzzer1 -- afl-sample-afl @@
symcc_fuzzing_helper -o out -a fuzzer1 -n symcc -- afl-sample-symcc @@ 

SymCC outputted something as below

[2021-10-11T01:04:41Z INFO  symcc_fuzzing_helper] Running on input out/fuzzer1/queue/id:000001,src:000000,op:havoc,rep:64,+cov                                                         
[2021-10-11T01:04:41Z INFO  symcc_fuzzing_helper] Generated 0 test cases (0 new)                                                                                                       
[2021-10-11T01:04:41Z INFO  symcc_fuzzing_helper] Running on input out/fuzzer1/queue/id:000007,src:000000,op:havoc,rep:8,+cov                                                          
[2021-10-11T01:04:41Z INFO  symcc_fuzzing_helper] Generated 0 test cases (0 new)
[2021-10-11T01:04:41Z INFO  symcc_fuzzing_helper] Running on input out/fuzzer1/queue/id:000006,src:000000,op:havoc,rep:8,+cov
[2021-10-11T01:04:41Z INFO  symcc_fuzzing_helper] Generated 0 test cases (0 new)
[2021-10-11T01:04:41Z INFO  symcc_fuzzing_helper] Running on input out/fuzzer1/queue/id:000002,src:000000,op:havoc,rep:4,+cov
[2021-10-11T01:04:41Z INFO  symcc_fuzzing_helper] Generated 0 test cases (0 new)
[2021-10-11T01:04:41Z INFO  symcc_fuzzing_helper] Running on input out/fuzzer1/queue/id:000008,src:000000,op:havoc,rep:16,+cov
[2021-10-11T01:04:41Z INFO  symcc_fuzzing_helper] Generated 0 test cases (0 new)
[2021-10-11T01:04:41Z INFO  symcc_fuzzing_helper] Running on input out/fuzzer1/queue/id:000005,src:000000,op:havoc,rep:64,+cov
[2021-10-11T01:04:41Z INFO  symcc_fuzzing_helper] Generated 0 test cases (0 new)
[2021-10-11T01:04:41Z INFO  symcc_fuzzing_helper] Running on input out/fuzzer1/queue/id:000004,src:000000,op:havoc,rep:16,+cov
[2021-10-11T01:04:41Z INFO  symcc_fuzzing_helper] Generated 0 test cases (0 new)
[2021-10-11T01:04:41Z INFO  symcc_fuzzing_helper] Running on input out/fuzzer1/queue/id:000003,src:000000,op:havoc,rep:32,+cov
[2021-10-11T01:04:41Z INFO  symcc_fuzzing_helper] Generated 0 test cases (0 new)
[2021-10-11T01:04:41Z INFO  symcc_fuzzing_helper] Running on input out/fuzzer1/queue/id:000000,orig:seed
[2021-10-11T01:04:41Z INFO  symcc_fuzzing_helper] Generated 0 test cases (0 new)

I was thinking that my setup might be incorrect so I ran SymCC alone and it worked. Specifically, I ran the following command

SYMCC_INPUT_FILE=in/seed ./afl-sample-symcc in/seed

SymCC generated 5 test cases in this setup including a crash-triggering one.

This is SymCC running with the QSYM backend
Making data read from in/seed as symbolic
[STAT] SMT: { "solving_time": 0, "total_time": 658 }
[STAT] SMT: { "solving_time": 378 }
[INFO] New testcase: /home/ubuntu/results/000000
[STAT] SMT: { "solving_time": 378, "total_time": 1599 }
[STAT] SMT: { "solving_time": 630 }
[INFO] New testcase: /home/ubuntu/results/000001
[STAT] SMT: { "solving_time": 630, "total_time": 2347 }
[STAT] SMT: { "solving_time": 909 }
[INFO] New testcase: /home/ubuntu/results/000002
[STAT] SMT: { "solving_time": 909, "total_time": 3130 }
[STAT] SMT: { "solving_time": 1154 }
[INFO] New testcase: /home/ubuntu/results/000003
[STAT] SMT: { "solving_time": 1154, "total_time": 4057 }
[STAT] SMT: { "solving_time": 1539 }
[INFO] New testcase: /home/ubuntu/results/000004

Does anyone know the reason(s)? I suspect that in my hybrid fuzzing setup somehow SymCC could not symbolize the input file(s). Another reason could be that somehow the constraint solver did not work.

Thanks,

Thuan

[Dumpling222]

I met the same problem. Did you solve this problem？

[stasos24]

Hi, you have to use Afl 2.56

[Ljfanny]

Your file path cannot contain "-".