Introduction

I worked with AFLplusplus team in Google Summer of Code 2021 this summer. This is the final report on my project “Scheduler for LibAFL”. LibAFL is a new fuzzing framework for customizable fuzzers. I have ported two well-known scheduling algorithms into LibAFL.

Schedulers

The two schedulers I’ve ported are “AFL Fast scheduler” and “MOpt scheduler”. If you are interested, you can check out the original thesis to find out more.

• AFLFast
• MOpt

In short, AFLFast scheduler favors inputs that exercise a less frequent program path, and MOpt scheduler utilizes the particle swarm optimization algorithm (some fancy magic xD) to select the optimal mutation operator (MOpt is implemented as a mutator in LibAFL).
These two schedulers were already incorporated into AFLplusplus, so my job is mainly to port that code in a Rust way.

AFLFast

AFL already uses the average exec time, the average bitmap size, and various stuff to calculate the perf_score. If the score is high, then we fuzz that corpus entry more. (this is called power schedule by the way). Therefore, this score is used to decide how hard we fuzz a corpus entry. Conceptually this is something like this code.

let perf_score = calculate_score(corpus_entry)
for i in 0..perf_score {
    let input = mutate(corpus_entry);
    execute(input);
}

AFLFast additionally looks at how many times each program path has been taken for calculating the perf_score. Roughly speaking, I have to add three components to LibAFL.

• Calibration stage for collecting metadata from each queue corpus entry
• PowerSchedule stage for actually calculating the perf_score
• Extending the testcase and the queue corpus entry for PowerSchedule stage.

MOpt

There are plenty of mutation logics in fuzzing, such as byteflip, bitflip, etc. In havoc mode, which mutation to apply to the corpus entry is usually random. Here in LibAFL, MOpt mutator optimizes on the distribution each mutation logic is chosen based on the number of new paths and crashes each mutation operator has found.
As mentioned above, my work on MOpt scheduler is implemented as a single Mutator.

• MOpt Mutator

Others

Schedulers are not the only things I worked on during the GSoC period. Besides the two schedulers, I have also worked on other improvements for LibAFL, which includes,

• Forkserver executor: This allows users to fuzz an instrumented binary compiled with afl_cc.
• Timeout executor: This allows the fuzzers to set a timeout to check the hangs.
• LoggerScheduledMutator: A Mutator that can track down what mutations were used if the mutated input turns out to be interesting (triggering crashes/hangs, finding new paths).
• Llmp compression: LibAFL employs LLMP(low level message passing) to pass data between the broker and the client via shared memory, making it possible for LibAFL to run on multiple cores. I added a scheme to compress/decompress the LLMP message to reduce the memory usage.

  Contributions

  You can see all the pull requests that I’ve submitted here. Merged pull requests