Simple brute-force fuzzer (#134)

src/include/deepstate/DeepState.h

@@ -32,6 +32,7 @@
 #include <sys/stat.h>
 #include <sys/types.h>
 #include <sys/wait.h>
+#include <time.h>
 #include <unistd.h>
 
 #include <deepstate/Log.h>
@@ -63,8 +64,12 @@ DECLARE_string(output_test_dir);
 DECLARE_bool(take_over);
 DECLARE_bool(abort_on_fail);
 DECLARE_bool(verbose_reads);
+DECLARE_bool(fuzz);
+DECLARE_bool(fuzz_save_passing);
 
 DECLARE_int(log_level);
+DECLARE_int(seed);
+DECLARE_int(timeout);
 
 enum {
   DeepState_InputSize = 8192
@@ -519,7 +524,9 @@ static void DeepState_RunTest(struct DeepState_TestInfo *test) {
   } else {
     DeepState_LogFormat(DeepState_LogInfo, "Passed: %s", test->test_name);
     if (HAS_FLAG_output_test_dir) {
-      DeepState_SavePassingTest();
+      if (!FLAGS_fuzz || FLAGS_fuzz_save_passing) {
+	DeepState_SavePassingTest();
+      }
     }
     exit(DeepState_TestRunPass);
   }
@@ -588,6 +595,37 @@ DeepState_ForkAndRunTest(struct DeepState_TestInfo *test) {
   return DeepState_TestRunCrash;
 }
 
+/* Run a test case with input initialized by fuzzing. */
+static enum DeepState_TestRunResult
+DeepState_FuzzOneTestCase(struct DeepState_TestInfo *test) {
+  DeepState_InputIndex = 0;
+  
+  for (int i = 0; i < DeepState_InputSize; i++) {
+    DeepState_Input[i] = (char)rand();
+  }
+
+  DeepState_Begin(test);
+
+  enum DeepState_TestRunResult result = DeepState_ForkAndRunTest(test);
+
+  if (result == DeepState_TestRunCrash) {
+    DeepState_LogFormat(DeepState_LogError, "Crashed: %s", test->test_name);
+    
+    if (HAS_FLAG_output_test_dir) {
+      DeepState_SaveCrashingTest();
+    }
+
+    DeepState_Crash();
+  }
+
+  if (FLAGS_abort_on_fail && ((result == DeepState_TestRunCrash) ||
+			      (result == DeepState_TestRunFail))) {
+      abort();
+  }  
+
+  return result;
+}
+
 /* Run a single saved test case with input initialized from the file
  * `name` in directory `dir`. */
 static enum DeepState_TestRunResult
@@ -711,6 +749,60 @@ static int DeepState_RunSingleSavedTestCase(void) {
   return num_failed_tests;
 }
 
+/* Fuzz test `FLAGS_input_which_test` or first test, if not defined. */
+static int DeepState_Fuzz(void) {
+  DeepState_LogFormat(DeepState_LogInfo, "Starting fuzzing");
+  
+  if (HAS_FLAG_seed) {
+    srand(FLAGS_seed);
+  } else {
+    srand(time(NULL));
+  }
+
+  long start = (long)time(NULL);
+  long current = (long)time(NULL);
+  long diff = 0;
+  unsigned i = 0;
+
+  int num_failed_tests = 0;
+
+  struct DeepState_TestInfo *test = NULL;  
+
+  DeepState_Setup();
+
+  for (test = DeepState_FirstTest(); test != NULL; test = test->prev) {
+    if (HAS_FLAG_input_which_test) {
+      if (strncmp(FLAGS_input_which_test, test->test_name, strlen(FLAGS_input_which_test)) == 0) {
+	break;
+      }
+    } else {
+      DeepState_LogFormat(DeepState_LogInfo,
+			  "No test specified, defaulting to last test defined");
+      break;
+    }
+  }
+
+  if (test == NULL) {
+    DeepState_LogFormat(DeepState_LogInfo,
+                        "Could not find matching test for %s",
+                        FLAGS_input_which_test);
+    return 0;
+  }
+  
+  while (diff < FLAGS_timeout) {
+    i++;
+    num_failed_tests += DeepState_FuzzOneTestCase(test);    
+    
+    current = (long)time(NULL);
+    diff = current-start;
+  }
+
+  DeepState_LogFormat(DeepState_LogInfo, "Ran %u tests.  %d failed tests.",
+		      i, num_failed_tests);
+
+  return num_failed_tests;
+}
+
 /* Run tests from `FLAGS_input_test_files_dir`, under `FLAGS_input_which_test`
  * or first test, if not defined. */
 static int DeepState_RunSingleSavedTestDir(void) {
@@ -811,7 +903,11 @@ static int DeepState_Run(void) {
 
   if (HAS_FLAG_input_test_files_dir) {
     return DeepState_RunSingleSavedTestDir();
-  }  
+  }
+
+  if (FLAGS_fuzz) {
+    return DeepState_Fuzz();
+  }
 
   int num_failed_tests = 0;
   int use_drfuzz = getenv("DYNAMORIO_EXE_PATH") != NULL;

src/lib/DeepState.c

@@ -37,8 +37,12 @@ DEFINE_string(output_test_dir, "", "Directory where tests will be saved.");
 DEFINE_bool(take_over, false, "Replay test cases in take-over mode.");
 DEFINE_bool(abort_on_fail, false, "Abort on file replay failure (useful in file fuzzing).");
 DEFINE_bool(verbose_reads, false, "Report on bytes being read during execution of test.");
+DEFINE_bool(fuzz, false, "Perform brute force unguided fuzzing.");
+DEFINE_bool(fuzz_save_passing, false, "Save passing tests during fuzzing.");
 
 DEFINE_int(log_level, 0, "Minimum level of logging to output.");
+DEFINE_int(seed, 0, "Seed for brute force fuzzing (uses time if not set).");
+DEFINE_int(timeout, 120, "Timeout for brute force fuzzing.");
 
 /* Set to 1 by Manticore/Angr/etc. when we're running symbolically. */
 int DeepState_UsingSymExec = 0;
@@ -555,14 +559,60 @@ void DeepState_BeginDrFuzz(struct DeepState_TestInfo *test) {
   DrMemFuzzFunc(DeepState_Input, DeepState_InputSize);
 }
 
+/* Right now "fake" a hexdigest by just using random bytes.  Not ideal. */
+void makeFilename(char *name, size_t size) {
+  const char *entities = "0123456789abcdef";
+  for (int i = 0; i < size; i++) {
+    name[i] = entities[rand()%16];
+  }
+}
+
+void writeInputData(char* name) {
+  size_t path_len = 2 + sizeof(char) * (strlen(FLAGS_output_test_dir) + strlen(name));
+  char *path = (char *) malloc(path_len);
+  snprintf(path, path_len, "%s/%s", FLAGS_output_test_dir, name);
+  FILE *fp = fopen(path, "wb");
+  if (fp == NULL) {
+    DeepState_LogFormat(DeepState_LogError, "Failed to create file `%s`", path);
+    free(path);
+    return;
+  }
+  size_t written = fwrite((void *)DeepState_Input, 1, DeepState_InputSize, fp);
+  if (written != DeepState_InputSize) {
+    DeepState_LogFormat(DeepState_LogError, "Failed to write to file `%s`", path);
+  } else {
+    DeepState_LogFormat(DeepState_LogInfo, "Saved test case to file `%s`", path);
+  }
+  free(path);  
+  fclose(fp);  
+}
+
 /* Save a passing test to the output test directory. */
-void DeepState_SavePassingTest(void) {}
+void DeepState_SavePassingTest(void) {
+  char name[48];
+  makeFilename(name, 40);
+  name[40] = 0;
+  strncat(name, ".pass", 48);
+  writeInputData(name);
+}
 
 /* Save a failing test to the output test directory. */
-void DeepState_SaveFailingTest(void) {}
+void DeepState_SaveFailingTest(void) {
+  char name[48];
+  makeFilename(name, 40);
+  name[40] = 0;
+  strncat(name, ".fail", 48);
+  writeInputData(name);
+}
 
 /* Save a crashing test to the output test directory. */
-void DeepState_SaveCrashingTest(void) {}
+void DeepState_SaveCrashingTest(void) {
+  char name[48];
+  makeFilename(name, 40);
+  name[40] = 0;
+  strncat(name, ".crash", 48);
+  writeInputData(name);
+}
 
 /* Return the first test case to run. */
 struct DeepState_TestInfo *DeepState_FirstTest(void) {

src/lib/Option.c

@@ -125,7 +125,8 @@ static void ProcessOptionString(void) {
         if (' ' == *ch || DeepState_FakeSpace == *ch) {
           *ch = '\0';
           state = kSeenSpace;
-
+	} else if ('-' == *ch) {
+	  state = kSeenDash;
         } else if (IsValidValueChar(*ch)) {  /* E.g. `--tools bbcount`. */
           state = kInValue;
           DeepState_OptionValues[num_options - 1] = ch;