You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/src/design/core_concepts.md
+22-22Lines changed: 22 additions & 22 deletions
Original file line number
Diff line number
Diff line change
@@ -10,45 +10,45 @@ TODO add links to trait definitions in docs.rs
10
10
11
11
An Observer, or Observation Channel, is an entity that provides an information observed during the execution of the program under test to the fuzzer.
12
12
13
-
The information contained in the Observer is not preserved cross executions.
13
+
The information contained in the Observer is not preserved across executions.
14
14
15
-
As an example, the coverage shared map filled during the execution to report the executed edges used by fuzzers such as AFL and HoggFuzz can be considered an Observation Channel.
16
-
This information is not preserved accros runs and it is an observation of a dynamic property of the program.
15
+
As an example, the coverage shared map filled during the execution to report the executed edges used by fuzzers such as AFL and HonggFuzz can be considered an Observation Channel.
16
+
This information is not preserved across runs and it is an observation of a dynamic property of the program.
17
17
18
18
## Executor
19
19
20
-
In different fuzzers, the concept of executing the program under test each run is now always the same.
21
-
For instance, for in-memory fuzzers like libFuzzer an execution is a call to an harness function, for hypervisor-based fuzzers like [kAFL](https://github.com/IntelLabs/kAFL) instead an entire operating system is started from a snapshot each run.
20
+
In different fuzzers, this concept of executing the program under test means each run is now always the same.
21
+
For instance, for in-memory fuzzers like libFuzzer an execution is a call to an harness function, for hypervisor-based fuzzers like [kAFL](https://github.com/IntelLabs/kAFL) instead an entire operating system is started from a snapshot for each run.
22
22
23
23
In our model, an Executor is the entity that defines not only how to execute the target, but all the volatile operations that are related to just a single run of the target.
24
24
25
-
So the Executor is for instance reponsible to inform the program about the input that the fuzzer wants to use in the run, writing to a memory location for instance or passing it as a parameter to the harness function.
25
+
So the Executor is for instance responsible to inform the program about the input that the fuzzer wants to use in the run, writing to a memory location for instance or passing it as a parameter to the harness function.
26
26
27
-
It also holds a set of Observers, as thay are related to just a single run of the target.
27
+
It also holds a set of Observers, as they are related to just a single run of the target.
28
28
29
29
## Feedback
30
30
31
-
The Feedback is an entity that classify the outcome of an execution of the program under test as interesting or not.
32
-
Tipically, if an exeuction is interesting, the corresponding input used to feed the target program is added to a corpus.
31
+
The Feedback is an entity that classifies the outcome of an execution of the program under test as interesting or not.
32
+
Typically, if an execution is interesting, the corresponding input used to feed the target program is added to a corpus.
33
33
34
34
Most of the times, the notion of Feedback is deeply linked to the Observer, but they are different concepts.
35
35
36
-
The Feedback, in most of the cases, process the information reported by one or more observer to decide if the execution is interesting.
37
-
The concept of "interestingness" is abstract, but tipically it is related to a novelty search (i.e. interesting inputs are those that reach a previosly unseen edge in the control flow graph).
36
+
The Feedback, in most of the cases, processes the information reported by one or more observers to decide if the execution is interesting.
37
+
The concept of "interestingness" is abstract, but typically it is related to a novelty search (i.e. interesting inputs are those that reach a previously unseen edge in the control flow graph).
38
38
39
-
As an example, given an Observer that reports all the size of memory allocations, a maximization Feedback can be used to maximize these sizes to sport patological inputs in terms of memory consumption.
39
+
As an example, given an Observer that reports all the sizes of memory allocations, a maximization Feedback can be used to maximize these sizes to sport pathological inputs in terms of memory consumption.
40
40
41
41
## Input
42
42
43
-
Formally, the input of a program is the data taken from external sources and that affect the program behaviour.
43
+
Formally, the input of a program is the data taken from external sources that affect the program behaviour.
44
44
45
-
In our model of an abstarct fuzzer, we define the Input as the internal representation of the program input (or a part of it).
45
+
In our model of an abstract fuzzer, we define the Input as the internal representation of the program input (or a part of it).
46
46
47
-
In the straightforward case, the input of the program is a byte array and in fuzzers such as AFL we store an manipulate exaclty these byte arrays.
47
+
In the straightforward case, the input of the program is a byte array and in fuzzers such as AFL we store and manipulate exactly these byte arrays.
48
48
49
-
But it is not always the case. A program can expect inputs that are not byte arrays (e.g. a sequence of syscalls) and the fuzzer does not represent the Input in the same way that the program consume it.
49
+
But it is not always the case. A program can expect inputs that are not byte arrays (e.g. a sequence of syscalls) and the fuzzer does not represent the Input in the same way that the program consumes it.
50
50
51
-
In case of a grammar fuzzer for instance, the Input is generally an Abstract Syntax Tree because it is a data structure that can be easily manipulated while maintaining the validity, but the program expects a byte array as input so, just before the execution, the tree is serialized to a sequence of bytes.
51
+
In case of a grammar fuzzer for instance, the Input is generally an Abstract Syntax Tree because it is a data structure that can be easily manipulated while maintaining the validity, but the program expects a byte array as input, so just before the execution, the tree is serialized to a sequence of bytes.
52
52
53
53
## Corpus
54
54
@@ -60,27 +60,27 @@ Usually, a testcase is added to the Corpus when it is considered as interesting.
60
60
61
61
## Mutator
62
62
63
-
The Mutator is an entitiy that takes one or more Inputs and generates a new derived one.
63
+
The Mutator is an entity that takes one or more Inputs and generates a new derived one.
64
64
65
65
Mutators can be composed and they are generally linked to a specific Input type.
66
66
67
-
There can be, for instance, a Mutator that applies more than a single type of mutation on the input. Consider a generic Mutator for a byte stream, bit flip is just one of the possible mutations but not the single one, there is also, for instance, the random replacement of a byte of the copy of a chunk.
67
+
There can be, for instance, a Mutator that applies more than a single type of mutation on the input. Consider a generic Mutator for a byte stream, bit flip is just one of the possible mutations but not the only one, there is also, for instance, the random replacement of a byte of the copy of a chunk.
68
68
69
69
This Mutator will simple schedule the application of some other Mutators.
70
70
71
71
## Generator
72
72
73
73
A Generator is a component designed to generate an Input from scratch.
74
74
75
-
Tipically, a random generator is used to generate random inputs.
75
+
Typically, a random generator is used to generate random inputs.
76
76
77
77
Generators are traditionally less used in Feedback-driven Fuzzing, but there are exceptions, like Nautilus, that uses a Grammar generator to create the initial corpus and a sub-tree Generator as a mutation of its grammar Mutator.
78
78
79
79
## Stage
80
80
81
81
A Stage is an entity that operates on a single Input got from the Corpus.
82
82
83
-
For instance, a Mutational Stage, given an input of the corpus, applies a Mutator and executes the generated input one or more time. How many times this has to be done can be scheduled, AFL for instance use a performance score of the input to choose how many times the havoc mutator should be invoked. This can depends also on other parameters, for instance, the length of the input if we want to just apply a sequential bitflip, or be a fixed value.
83
+
For instance, a Mutational Stage, given an input of the corpus, applies a Mutator and executes the generated input one or more time. How many times this has to be done can be scheduled, AFL for instance uses a performance score of the input to choose how many times the havoc mutator should be invoked. This can depend also on other parameters, for instance, the length of the input if we want to just apply a sequential bitflip, or be a fixed value.
84
84
85
-
A stage can be also an analysis stage, for instance, the Colorization stage of Redqueen that aims to introduce more entropy in a testcase or the Trimming stage of AFL that aims to reduce the size of a testcase.
85
+
A stage can also be an analysis stage, for instance, the Colorization stage of Redqueen that aims to introduce more entropy in a testcase or the Trimming stage of AFL that aims to reduce the size of a testcase.
0 commit comments