Port random fuzzing parameters to AFLplusplus

include/afl-fuzz.h

@@ -165,7 +165,8 @@ struct queue_entry {
       favored,                          /* Currently favored?               */
       fs_redundant,                     /* Marked as redundant in the fs?   */
       is_ascii,                         /* Is the input just ascii text?    */
-      disabled;                         /* Is disabled from fuzz selection  */
+      disabled,                         /* Is disabled from fuzz selection  */
+      is_selected;
 
   u32 bitmap_size,                      /* Number of bits set in bitmap     */
       fuzz_level,                       /* Number of fuzzing iterations     */
@@ -174,7 +175,9 @@ struct queue_entry {
   u64 exec_us,                          /* Execution time (us)              */
       handicap,                         /* Number of queue cycles behind    */
       depth,                            /* Path depth                       */
-      exec_cksum;                       /* Checksum of the execution trace  */
+      exec_cksum,                       /* Checksum of the execution trace  */
+      rand,
+      num_fuzzed;
 
   u8 *trace_mini;                       /* Trace bytes, if kept             */
   u32 tc_ref;                           /* Trace bytes ref count            */
@@ -519,7 +522,12 @@ typedef struct afl_state {
       expand_havoc,                /* perform expensive havoc after no find */
       cycle_schedules,                  /* cycle power schedules?           */
       old_seed_selection,               /* use vanilla afl seed selection   */
-      reinit_table;                     /* reinit the queue weight table    */
+      reinit_table,                     /* reinit the queue weight table    */
+      disable_weighted_random_selection,
+      disable_random_favorites,
+      enable_uniformly_random_favorites,
+      disable_afl_default_favorites,
+      disable_randomized_fuzzing_params;
 
   u8 *virgin_bits,                      /* Regions yet untouched by fuzzing */
       *virgin_tmout,                    /* Bits we haven't seen in tmouts   */
@@ -751,6 +759,17 @@ typedef struct afl_state {
    * is too large) */
   struct queue_entry **q_testcase_cache;
 
+  int  randomize_parameters_prob;
+
+  /* list of fuzzing parameter constants found in config.h */
+  u32 custom_havoc_cycles;
+  u32 custom_havoc_stack_pow2;
+  u32 custom_havoc_blk_small;
+  u32 custom_havok_blk_medium;
+  u32 custom_havoc_blk_large;
+  u32 custom_splice_cycles;
+  u32 custom_splice_havoc;
+
 #ifdef INTROSPECTION
   char  mutation[8072];
   char  m_tmp[4096];
@@ -1038,6 +1057,10 @@ void update_bitmap_score(afl_state_t *, struct queue_entry *);
 void cull_queue(afl_state_t *);
 u32  calculate_score(afl_state_t *, struct queue_entry *);
 
+/* random_params */
+u32 rand_int_in_range(afl_state_t * afl, int low, int high);
+double rand_double(afl_state_t * afl) ;
+
 /* Bitmap */
 
 void write_bitmap(afl_state_t *);
@@ -1104,6 +1127,8 @@ u8   pilot_fuzzing(afl_state_t *);
 u8   core_fuzzing(afl_state_t *);
 void pso_updating(afl_state_t *);
 u8   fuzz_one(afl_state_t *);
+void reset_fuzzing_params(afl_state_t * afl);
+void randomize_fuzzing_params(afl_state_t * afl);
 
 /* Init */
 

src/afl-fuzz-one.c

@@ -84,24 +84,24 @@ static inline u32 choose_block_len(afl_state_t *afl, u32 limit) {
 
     case 0:
       min_value = 1;
-      max_value = HAVOC_BLK_SMALL;
+      max_value = afl->custom_havoc_blk_small;
       break;
 
     case 1:
-      min_value = HAVOC_BLK_SMALL;
-      max_value = HAVOC_BLK_MEDIUM;
+      min_value = afl->custom_havoc_blk_small;
+      max_value = afl->custom_havok_blk_medium;
       break;
 
     default:
 
       if (likely(rand_below(afl, 10))) {
 
-        min_value = HAVOC_BLK_MEDIUM;
-        max_value = HAVOC_BLK_LARGE;
+        min_value = afl->custom_havok_blk_medium;
+        max_value = afl->custom_havoc_blk_large;
 
       } else {
 
-        min_value = HAVOC_BLK_LARGE;
+        min_value = afl->custom_havoc_blk_large;
         max_value = HAVOC_BLK_XL;
 
       }
@@ -1798,7 +1798,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
 
   afl->stage_name = "custom mutator";
   afl->stage_short = "custom";
-  afl->stage_max = HAVOC_CYCLES * perf_score / afl->havoc_div / 100;
+  afl->stage_max = afl->custom_havoc_cycles * perf_score / afl->havoc_div / 100;
   afl->stage_val_type = STAGE_VAL_NONE;
   bool has_custom_fuzz = false;
 
@@ -1954,7 +1954,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
 
     afl->stage_name = "havoc";
     afl->stage_short = "havoc";
-    afl->stage_max = (doing_det ? HAVOC_CYCLES_INIT : HAVOC_CYCLES) *
+    afl->stage_max = (doing_det ? HAVOC_CYCLES_INIT : afl->custom_havoc_cycles) *
                      perf_score / afl->havoc_div / 100;
 
   } else {
@@ -1964,7 +1964,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
     snprintf(afl->stage_name_buf, STAGE_BUF_SIZE, "splice %u", splice_cycle);
     afl->stage_name = afl->stage_name_buf;
     afl->stage_short = "splice";
-    afl->stage_max = SPLICE_HAVOC * perf_score / afl->havoc_div / 100;
+    afl->stage_max = afl->custom_splice_havoc * perf_score / afl->havoc_div / 100;
 
   }
 
@@ -2029,7 +2029,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
 
   for (afl->stage_cur = 0; afl->stage_cur < afl->stage_max; ++afl->stage_cur) {
 
-    u32 use_stacking = 1 << (1 + rand_below(afl, afl->havoc_stack_pow2));
+    u32 use_stacking = 1 << (1 + rand_below(afl, afl->custom_havoc_stack_pow2));
 
     afl->stage_cur_val = use_stacking;
 
@@ -2786,7 +2786,7 @@ u8 fuzz_one_original(afl_state_t *afl) {
 
 retry_splicing:
 
-  if (afl->use_splicing && splice_cycle++ < SPLICE_CYCLES &&
+  if (afl->use_splicing && splice_cycle++ < afl->custom_splice_cycles &&
       afl->ready_for_splicing_count > 1 && afl->queue_cur->len >= 4) {
 
     struct queue_entry *target;
@@ -2881,6 +2881,26 @@ u8 fuzz_one_original(afl_state_t *afl) {
 
 }
 
+void reset_fuzzing_params(afl_state_t * afl) {
+  afl->custom_havoc_cycles       = HAVOC_CYCLES;
+  afl->custom_havoc_stack_pow2   = HAVOC_STACK_POW2;
+  afl->custom_havoc_blk_small    = HAVOC_BLK_SMALL;
+  afl->custom_havok_blk_medium   = HAVOC_BLK_MEDIUM;
+  afl->custom_havoc_blk_large    = HAVOC_BLK_LARGE;
+  afl->custom_splice_cycles      = SPLICE_CYCLES;
+  afl->custom_splice_havoc       = SPLICE_HAVOC;
+}
+
+void randomize_fuzzing_params(afl_state_t * afl) {
+  afl->custom_havoc_cycles       = rand_int_in_range(afl, 192, 320);
+  afl->custom_havoc_stack_pow2   = rand_int_in_range(afl, 4, 10);
+  afl->custom_havoc_blk_small    = rand_int_in_range(afl, 24, 40);
+  afl->custom_havok_blk_medium   = rand_int_in_range(afl, 96, 160);
+  afl->custom_havoc_blk_large    = rand_int_in_range(afl, 1000, 2000);
+  afl->custom_splice_cycles      = rand_int_in_range(afl, 10, 20);
+  afl->custom_splice_havoc       = rand_int_in_range(afl, 24, 40);
+}
+
 /* MOpt mode */
 static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
 
@@ -2907,6 +2927,10 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
   u8  a_collect[MAX_AUTO_EXTRA];
   u32 a_len = 0;
 
+  // only fuzz selected inputs from our custom selection algorithm 
+  if (!afl->disable_weighted_random_selection && !afl->queue_cur->is_selected)
+    return 1;
+
 #ifdef IGNORE_FINDS
 
   /* In IGNORE_FINDS mode, skip any entries that weren't in the
@@ -2961,6 +2985,18 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
 
   }
 
+
+  // assign probability based on frequncy that the seed was chosen
+  if (!afl->disable_randomized_fuzzing_params) {
+    // randomize fuzzing params with probabilities
+    int multiplier = afl->queue_cur->num_fuzzed ? ((int)(afl->queue_cur->num_fuzzed/5000.0)) + 1: 0;
+    afl->randomize_parameters_prob = MIN(MAX(multiplier * 5, 5), 75);
+    if (rand_below(afl, 100) < afl->randomize_parameters_prob)
+      randomize_fuzzing_params(afl);
+    else
+      reset_fuzzing_params(afl);
+  }
+
   /* Map the test case into memory. */
   orig_in = in_buf = queue_testcase_get(afl, afl->queue_cur);
   len = afl->queue_cur->len;
@@ -4298,7 +4334,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
 
     afl->stage_name = MOpt_globals.havoc_stagename;
     afl->stage_short = MOpt_globals.havoc_stagenameshort;
-    afl->stage_max = (doing_det ? HAVOC_CYCLES_INIT : HAVOC_CYCLES) *
+    afl->stage_max = (doing_det ? HAVOC_CYCLES_INIT : afl->custom_havoc_cycles) *
                      perf_score / afl->havoc_div / 100;
 
   } else {
@@ -4309,7 +4345,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
              MOpt_globals.splice_stageformat, splice_cycle);
     afl->stage_name = afl->stage_name_buf;
     afl->stage_short = MOpt_globals.splice_stagenameshort;
-    afl->stage_max = SPLICE_HAVOC * perf_score / afl->havoc_div / 100;
+    afl->stage_max = afl->custom_splice_havoc * perf_score / afl->havoc_div / 100;
 
   }
 
@@ -4349,7 +4385,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
 
         afl->stage_name = MOpt_globals.havoc_stagename;
         afl->stage_short = MOpt_globals.havoc_stagenameshort;
-        afl->stage_max = (doing_det ? HAVOC_CYCLES_INIT : HAVOC_CYCLES) *
+        afl->stage_max = (doing_det ? HAVOC_CYCLES_INIT : afl->custom_havoc_cycles) *
                          perf_score / afl->havoc_div / 100;
 
       } else {
@@ -4359,7 +4395,7 @@ static u8 mopt_common_fuzzing(afl_state_t *afl, MOpt_globals_t MOpt_globals) {
                  MOpt_globals.splice_stageformat, splice_cycle);
         afl->stage_name = afl->stage_name_buf;
         afl->stage_short = MOpt_globals.splice_stagenameshort;
-        afl->stage_max = SPLICE_HAVOC * perf_score / afl->havoc_div / 100;
+        afl->stage_max = afl->custom_splice_havoc * perf_score / afl->havoc_div / 100;
 
       }