perf_stats->instrospection; merged dev; moved back to x86 stable

Author: domenukk

.github/workflows/build_and_test.yml

@@ -1,73 +1,83 @@
-name: Build and Test
-
-on:
-  push:
-    branches: [ main, dev ]
-  pull_request:
-    branches: [ main, dev ]
-
-env:
-  CARGO_TERM_COLOR: always
-
-jobs:
-  lint:
-    strategy:
-      matrix:
-          os: [ubuntu-latest, windows-latest]
-    runs-on: ${{ matrix.os }}
-    steps:
-      - uses: actions/checkout@v2
-      - name: Cache cargo registry
-        uses: actions/cache@v2
-        with:
-          path: |
-            ~/.cargo/registry
-            ~/.cargo/git
-          key: clippy-cargo-${{ hashFiles('**/Cargo.toml') }}
-      - name: Add clippy
-        run: rustup component add clippy
-      - name: Run clippy
-        uses: actions-rs/cargo@v1
-        with:
-          command: clippy
-          args: --all
-  ubuntu:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v2
-    - name: Default Build
-      run: cargo build --verbose
-    - name: Default Test
-      run: cargo test --verbose
-    - name: Build all features
-      run: cd libafl && cargo build --all-features --verbose
-    - name: Test all features
-      run: cd libafl && cargo test --all-features --verbose
-    - name: Build no_std
-      run: cd libafl && cargo build --no-default-features --verbose
-    - name: Test no_std
-      run: cd libafl && cargo test --no-default-features --verbose
-    - name: Build examples
-      run: cargo build --examples --verbose
-    - uses: actions/checkout@v2
-    - name: Format
-      run: cargo fmt -- --check
-    - uses: actions/checkout@v2
-    - name: Build Docs
-      run: cargo doc
-    - name: Test Docs
-      run: cargo test --doc
-  windows:
-    runs-on: windows-latest
-    steps:
-    - uses: actions/checkout@v2
-    - name: Windows Build
-      run: cargo build --verbose
-    # TODO: Figure out how to properly build stuff with clang
-    #- name: Add clang path to $PATH env
-    #  if: runner.os == 'Windows'
-    #  run: echo "C:\msys64\mingw64\bin" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8
-    #- name: Try if clang works
-    #  run: clang -v
-    #- name: Windows Test
-    #  run: C:\Rust\.cargo\bin\cargo.exe test --verbose
+name: Build and Test
+
+on:
+  push:
+    branches: [ main, dev ]
+  pull_request:
+    branches: [ main, dev ]
+
+env:
+  CARGO_TERM_COLOR: always
+
+jobs:
+  lint:
+    strategy:
+      matrix:
+          os: [ubuntu-latest, windows-latest]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v2
+      - name: Cache cargo registry
+        uses: actions/cache@v2
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+          key: clippy-cargo-${{ hashFiles('**/Cargo.toml') }}
+      - name: Add clippy
+        run: rustup component add clippy
+      #- name: Run clippy
+      #  uses: actions-rs/cargo@v1
+      #  with:
+      #    command: clippy
+      #    args: --all
+
+  ubuntu:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: Default Build
+      run: cargo build --verbose
+    - name: Default Test
+      run: cargo test --verbose
+    - name: Build all features
+      run: cd libafl && cargo build --all-features --verbose
+    - name: Test all features
+      run: cd libafl && cargo test --all-features --verbose
+    - name: Build no_std
+      run: cd libafl && cargo build --no-default-features --verbose
+    - name: Test no_std
+      run: cd libafl && cargo test --no-default-features --verbose
+    - name: Build examples
+      run: cargo build --examples --verbose
+    - uses: actions/checkout@v2
+    - name: Format
+      run: cargo fmt -- --check
+    - uses: actions/checkout@v2
+    - name: Build Docs
+      run: cargo doc
+    - name: Test Docs
+      run: cargo test --doc
+    - name: Run clippy
+      uses: actions-rs/cargo@v1
+      with:
+        command: clippy
+        args: --all
+  windows:
+    runs-on: windows-latest
+    steps:
+    - uses: actions/checkout@v2
+    - name: Windows Build
+      run: cargo build --verbose
+    - name: Run clippy
+      uses: actions-rs/cargo@v1
+      with:
+        command: clippy
+    # TODO: Figure out how to properly build stuff with clang
+    #- name: Add clang path to $PATH env
+    #  if: runner.os == 'Windows'
+    #  run: echo "C:\msys64\mingw64\bin" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8
+    #- name: Try if clang works
+    #  run: clang -v
+    #- name: Windows Test
+    #  run: C:\Rust\.cargo\bin\cargo.exe test --verbose

Cargo.toml

@@ -10,11 +10,14 @@ members = [
     "libafl_derive",
     "libafl_cc",
     "libafl_targets",
+    "libafl_frida",
+]
+default-members = [
+    "libafl",
+    "libafl_derive",
+    "libafl_cc",
+    "libafl_targets",
 ]
 exclude = [
-    "fuzzers/libfuzzer_libpng",
-    "fuzzers/libfuzzer_stb_image",
-    "fuzzers/libfuzzer_libmozjpeg",
-    "fuzzers/frida_libpng",
-    "fuzzers/baby_fuzzer",
+    "fuzzers",
 ]

README.md

@@ -1,44 +1,73 @@
 # LibAFL, the fuzzer library.
 
+ <img align="right" src="https://github.com/AFLplusplus/Website/raw/master/static/logo_256x256.png" alt="AFL++ Logo">
+
 Advanced Fuzzing Library - Slot your own fuzzers together and extend their features using Rust.
 
 LibAFL is written and maintained by Andrea Fioraldi <andreafioraldi@gmail.com> and Dominik Maier <mail@dmnk.co>.
 
-## What
+## Why LibAFL?
+
+LibAFL gives you many of the benefits of an off-the-shelf fuzzer, while being completely customizable.
+Some highlight features currently include:
+- `fast`: We do everything we can at compile time, keeping runtime overhead minimal. Users reach 120k execs/sec in frida-mode on a phone (using all cores).
+- `scalable`: `Low Level Message Passing`, `LLMP` for short, allows LibAFL to scale almost linearly over cores, and via TCP to multiple machines soon!
+- `adaptable`: You can replace each part of LibAFL. For example, `BytesInput` is just one potential form input:
+feel free to add an AST-based input for structured fuzzing, and more.
+- `multi platform`: LibAFL was confirmed to work on *Windows*, *MacOS*, *Linux*, and *Android* on *x86_64* and *aarch64*. `LibAFL` can be built in `no_std` mode to inject LibAFL into obscure targets like embedded devices and hypervisors.
+- `bring your own target`: We support binary-only modes, like Frida-Mode, as well as multiple compilation passes for sourced-based instrumentation. Of course it's easy to add custom instrumentation backends.
+
+## Overview
 
 LibAFL is a collection of reusable pieces of fuzzers, written in Rust.
+It is fast, multi-platform, no_std compatible, and scales over cores and machines.
 
 It offers a main crate that provide building blocks for custom fuzzers, [libafl](./libafl), a library containing common code that can be used for targets instrumentation, [libafl_targets](./libafl_targets), and a library providing facilities to wrap compilers, [libafl_cc](./libafl_cc).
 
-LibAFL is fast, multi-platform, no_std compatible, and scales over cores (and machines in the near future!).
+LibAFL offers integrations with popular instrumentation frameworks. At the moment, the supported backends are:
+
++ SanitizerCoverage, in [libafl_targets](./libafl_targets)
++ Frida, in [libafl_frida](./libafl_frida), by s1341 <github@shmarya.net> (Windows support is broken atm, it relies on [this upstream issue](https://github.com/meme/frida-rust/issues/9) to be fixed.)
++ More to come (QEMU-mode, ...)
 
 ## Getting started
 
-Clone the LibAFL repository with
+1. Install the Rust development language. We highly recommend *not* to use e.g.
+your Linux distribution package as this is likely outdated. So rather install
+Rust directly, instructions can be found [here](https://www.rust-lang.org/tools/install).
+
+2. Clone the LibAFL repository with
 
 ```
 git clone https://github.com/AFLplusplus/LibAFL
 ```
 
+If you want to get the latest and greatest features,
+```
+git checkout dev
+```
+
 Build the library using
 
 ```
 cargo build --release
 ```
 
-Build the API documentation with
+4. Build the API documentation with
 
 ```
 cargo doc
 ```
 
-Browse the LibAFL book with (requires [mdbook](https://github.com/rust-lang/mdBook))
+5. Browse the LibAFL book (WIP!) with (requires [mdbook](https://github.com/rust-lang/mdBook))
 
 ```
 cd docs && mdbook serve
 ```
 
-We collect example fuzzers in [`./fuzzers`](./fuzzers/).
+
+We collect all example fuzzers in [`./fuzzers`](./fuzzers/).
+Be sure to read their documentation (and source), this is *the natural way to get started!*
 
 The best-tested fuzzer is [`./fuzzers/libfuzzer_libpng`](./fuzzers/libfuzzer_libpng), a multicore libfuzzer-like fuzzer using LibAFL for a libpng harness.
 

TODO.md

@@ -1,5 +1,6 @@
 # TODOs
 
+- [ ] Conditional composition of feedbacks (issue #24)
 - [ ] Other objectives examples (e.g. execution of a given program point)
 - [ ] Objective-Specific Corpuses (named per objective)
 - [ ] Good documentation
@@ -12,11 +13,14 @@
 - [ ] LLMP Cross Machine Link (2 brokers connected via TCP)
 - [ ] "Launcher" example that spawns broker + n clients
 - [ ] Heap for signal handling (bumpallo or llmp directly?)
-- [x] ~~Minset corpus scheduler~~ still doc missing
+- [ ] Frida support for Windows
+- [ ] QEMU based instrumentation
+- [ ] AFL++ LLVM passes in libafl_cc
+- [x] Minset corpus scheduler
 - [x] Win32 shared mem and crash handler to have Windows in-process executor
 - [x] Other feedbacks examples (e.g. maximize allocations to spot OOMs)
 - [x] A macro crate with derive directives (e.g. for SerdeAny impl).
-- [x] Restarting EventMgr could use forks on unix
+- [x] Restarting EventMgr could use forks on Unix
 - [x] Android Ashmem support
 - [x] Errors in the Fuzzer should exit the fuzz run
-- [x] Timeouts for executors
+- [x] Timeouts for executors (WIP on Windows)

docs/src/design/architecture.md

@@ -2,7 +2,7 @@
 
 The LibAFL architecture is built around some entities to allow code reuse and low-cost abstractions.
 
-Initially, we started thinking to implement LibAFL in an Object Oriented language, such C++. When we landed to Rust, we immediately changed our idea as we realized that, while Rust allow a sort of OOP pattern, we can build the library using a more sane approach like the one described in [this blogpost](https://kyren.github.io/2018/09/14/rustconf-talk.html) about game design in Rust.
+Initially, we started thinking to implement LibAFL in an Object Oriented language, such C++. When we landed to Rust, we immediately changed our idea as we realized that, while Rust allows a sort of OOP pattern, we can build the library using a more sane approach like the one described in [this blogpost](https://kyren.github.io/2018/09/14/rustconf-talk.html) about game design in Rust.
 
 The LibAFL code reuse meachanism is so based on components rather than sub-classes, but there are still some OOP patterns in the library.
 

docs/src/getting_started/setup.md

@@ -37,17 +37,17 @@ In addition, if you want to perform source-level fuzz testing of C/C++ applicati
 you will likely need Clang with its instrumentation options to compile the programs
 under test.
 
-You can download and build the LLVM source tree, Clang included, following the steps
-explained [here](https://clang.llvm.org/get_started.html).
-
-Alternatively, on Linux, you can use your distro's package manager to get Clang,
+On Linux you can use your distro's package manager to get Clang,
 but these packages are not always updated, so we suggest you to use the
 Debian/Ubuntu prebuilt packages from LLVM that are available using their [official repository](https://apt.llvm.org/).
 
-For Miscrosoft Windows, you can download the [installer package](https://llvm.org/builds/) that LLVM generates periodically.
+For Microsoft Windows, you can download the [installer package](https://llvm.org/builds/) that LLVM generates periodically.
 
 Despite that Clang is the default C compiler on macOS, we discourage the use of the build shipped by Apple and encourage
-the installation from `brew` or direclty a fresh build from the source code.
+the installation from `brew` or directly a fresh build from the source code.
+
+Alternatively you can download and build the LLVM source tree - Clang included - following the steps
+explained [here](https://clang.llvm.org/get_started.html).
 
 ## Rust installation
 

docs/src/libafl.md

@@ -6,4 +6,4 @@ This version of the LibAFL book is coupled with the release 1.0 beta of the libr
 
 This document is still work-in-progress and incomplete. The structure and the concepts explained here are subject to change in future revisions, as the structure of LibAFL itself will evolve.
 
-The HTML version of this book is available online at PLACEHOLDER and offline from the LibAFL repository in the docs/ folder.
+The HTML version of this book is available online at https://aflplus.plus/libafl-book/ and offline from the LibAFL repository in the docs/ folder.

docs/src/medatata/definition.md

@@ -14,6 +14,6 @@ pub struct MyMetadata {
 }
 ```
 
-The struct must be static, so it cannot holds references to borrowed objects.
+The struct must be static, so it cannot hold references to borrowed objects.
 
 

fuzzers/frida_libpng/Cargo.toml

@@ -22,9 +22,14 @@ num_cpus = "1.0"
 which = "4.1"
 
 [target.'cfg(unix)'.dependencies]
-libafl = { path = "../../libafl/" }
-frida-gum = { version = "0.3.2", optional = true, features = ["auto-download", "event-sink", "invocation-listener"] }
-frida-gum-sys = { version = "0.2.2", optional = true, features = ["auto-download", "event-sink", "invocation-listener"] }
+libafl = { path = "../../libafl/", features = [ "std" ] } #,  "llmp_small_maps", "llmp_debug"]}
+capstone = "0.8.0"
+frida-gum = { version = "0.4", optional = true, features = [ "auto-download", "event-sink", "invocation-listener"] }
+frida-gum-sys = { version = "0.2.4", optional = true, features = [ "auto-download", "event-sink", "invocation-listener"] }
+libafl_frida = { path = "../../libafl_frida", version = "0.1.0" }
 lazy_static = "1.4.0"
 libc = "0.2"
 libloading = "0.7.0"
+num-traits = "0.2.14"
+rangemap = "0.1.10"
+seahash = "4.1.0"

fuzzers/frida_libpng/build.rs

@@ -119,6 +119,8 @@ fn main() {
         //.arg("HAS_DUMMY_CRASH=1")
         .arg("-fPIC")
         .arg("-shared")
+        .arg("-O3")
+        //.arg("-fomit-frame-pointer")
         .arg(if env::var("CARGO_CFG_TARGET_OS").unwrap() == "android" {
             "-static-libstdc++"
         } else {