From 54d2c8180a1de75be786da05c4ac787acc8379a7 Mon Sep 17 00:00:00 2001
From: Alex Groce
Date: Sat, 1 Sep 2018 14:04:31 -0700
Subject: [PATCH] update README, nicer output from reducer
---
README.md | 52 ++++++++++++++++++++++++++++++++++++++++
bin/deepstate/reducer.py | 5 +++-
2 files changed, 56 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index dd545e2..041b3e6 100644
--- a/README.md
+++ b/README.md
@@ -144,6 +144,58 @@ memory during a test, if that memory would not be freed on a test failure. This will leak memory and libFuzzer will run out of memory very quickly in each fuzzing session. +## Test case reduction + +While tests generated by symbolic execution are likely to be highly +concise already, fuzzer-generated tests may be much larger than they +need to be. + +DeepState provides a test case reducer to shrink tests intelligently, +aware of the structure of a DeepState test. For example, if your +executable is named `TestFileSystem` and the test you want to reduce +is named `rmdirfail.test` you would use it like this: + +```shell +deepstate-reduce ./TestFileSystem rmdirfail.test minrmdirfail.test +``` + +In many cases, this will result in finding a different failure or +crash that allow smaller test cases, so you can also provide a string +that controls which test outputs are considered valid reductions (by +default, the reducer looks for any test that fails or crashes): + +```shell +deepstate-reduce ./TestFileSystem rmdirfail.test minrmdirfail.test "FATAL: /root/testfs/super.c(252)" +``` + +The output will look something like: +```shell +ORIGINAL TEST HAS 119 BYTES +LAST BYTE READ IS 123 +ONEOF REMOVAL REDUCED TEST TO 103 BYTES +BYTE REDUCTION: BYTE 3 FROM 4 TO 0 +BYTE REDUCTION: BYTE 7 FROM 2 TO 1 +BYTE REDUCTION: BYTE 15 FROM 3 TO 2 +BYTE REDUCTION: BYTE 19 FROM 4 TO 0 +BYTE REDUCTION: BYTE 55 FROM 3 TO 1 +BYTE REDUCTION: BYTE 59 FROM 2 TO 0 +BYTE REDUCTION: BYTE 75 FROM 2 TO 0 +BYTE REDUCTION: BYTE 79 FROM 4 TO 0 +ONEOF REMOVAL REDUCED TEST TO 91 BYTES +BYTE REDUCTION: BYTE 59 FROM 4 TO 0 +ONEOF REMOVAL REDUCED TEST TO 87 BYTES +ONEOF REMOVAL REDUCED TEST TO 75 BYTES +ONEOF REMOVAL REDUCED TEST TO 55 BYTES +ONEOF REMOVAL REDUCED TEST TO 51 BYTES +NO REDUCTIONS FOUND +PADDING TEST WITH 5 ZEROS + +WRITING REDUCED TEST TO minrmdirfail.test +``` + +You can use `--which ` to specify which test to +run, as with the `--input_which_test` options to test 
replay. + ## Fuzzing with AFL DeepState can also be used with a file-based fuzzer (e.g. AFL). There diff --git a/bin/deepstate/reducer.py b/bin/deepstate/reducer.py index ad02d11..11bac2b 100644 --- a/bin/deepstate/reducer.py +++ b/bin/deepstate/reducer.py @@ -127,7 +127,10 @@ def main(): print "PADDING TEST WITH", (s[1] + 1) - len(currentTest), "ZEROS" padding = bytearray('\x00' * ((s[1] + 1) - len(currentTest))) currentTest = currentTest + padding - + + print + print "WRITING REDUCED TEST TO", out + with open(out, 'wb') as outf: outf.write(currentTest)
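Review bot: The added `print "WRITING REDUCED TEST TO", out` runs before `open(out, 'wb')`, so if the open or the write fails (unwritable directory, bad path), the last status line still reads as though the reduced test was saved. Since `'wb'` truncates whatever already exists at `out`, this message is also the only notice of which file is being replaced. Moving the two print lines below `outf.write(currentTest)`, or printing a second confirmation there, would keep the log accurate. The README sample output added in this commit would still match if the wording stays the same. `main()` starts above this hunk, so how `out` is derived from the command line is not visible here.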