Jackalope icon indicating copy to clipboard operation
Jackalope copied to clipboard
verified publisher icon googleprojectzero

All unique samples discarded

Open TwoSevenOneT opened this issue 9 months ago • 3 comments

When I run the fuzzer for a period of time (1-2 days), all the sample files are discarded, resulting in exec/s == 0.

Unique samples: X (X discarded)

At this point, I cannot use the resume mode to continue running the fuzzer (0 exec/s) and have to start over from the beginning.

I tested with about ~500 sample files. These files are the result of running winafl-cmin.py

TwoSevenOneT avatar Mar 23 '25 09:03 TwoSevenOneT

There are 2 reasons why Jackalope might discard the sample:

  • Mutating the sample produces too many crashes
  • Mutating the sample produces too many hangs

This is for performance reasons, as having too many crashes / hangs means having to restart a target process often, which degrades the perfrormance significantly.

You can control this behavior by changing the acceptable_hang_ratio and acceptable_crash_ratio parameters in the source code at https://github.com/googleprojectzero/Jackalope/blob/main/fuzzer.cpp#L42

However, in the interest of performance, a better approach would be to investigate why these frequent crashes and hangs occur for your target and try to remove the root cause.

ifratric avatar Mar 24 '25 10:03 ifratric

I monitored the execution flow of the harness and noticed that it throws an exception and exits when encountering certain input files (which may no longer conform to the correct file format).

I temporarily addressed the issue by using "try ... catch" to prevent exiting and to proceed to the next iteration when an exception occurs. Do you have a way to notify the fuzzer that the current file is in the wrong format and that it should move on to the next file?

TwoSevenOneT avatar Mar 24 '25 23:03 TwoSevenOneT

If your target is using exceptions, you should add -generate_unwind flag, otherwise the exceptions won't be handled correctly under instrumentation and you'll get crashes / hangs like you describe.

There is no way to notify the fuzzer that the current file should be skipped, however you can override OutputFilter function in your fuzzer in order to "fix" a sample before handing it over to the target. See https://github.com/googleprojectzero/Jackalope/blob/main/fuzzer.h#L167 (Note: OutputFilter needs to return true if the sample was modified).

ifratric avatar Mar 25 '25 08:03 ifratric