Re: [RFC PATCH] xen: add libafl-qemu fuzzer support

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>
To: Stefano Stabellini <sstabellini@kernel.org>
Cc: "xen-devel@lists.xenproject.org" <xen-devel@lists.xenproject.org>,
	Andrew Cooper <andrew.cooper3@citrix.com>,
	Jan Beulich <jbeulich@suse.com>, Julien Grall <julien@xen.org>,
	Bertrand Marquis <bertrand.marquis@arm.com>,
	Michal Orzel <michal.orzel@amd.com>,
	Dario Faggioli <dfaggioli@suse.com>,
	Juergen Gross <jgross@suse.com>,
	George Dunlap <gwd@xenproject.org>
Subject: Re: [RFC PATCH] xen: add libafl-qemu fuzzer support
Date: Wed, 20 Nov 2024 00:50:52 +0000	[thread overview]
Message-ID: <87iksilod0.fsf@epam.com> (raw)
In-Reply-To: <alpine.DEB.2.22.394.2411191409140.1160299@ubuntu-linux-20-04-desktop> (Stefano Stabellini's message of "Tue, 19 Nov 2024 15:23:18 -0800	(PST)")


Hi Stefano,

(sorry, hit wrong Reply-To option, re-sending for wider audience)

Stefano Stabellini <sstabellini@kernel.org> writes:

> On Tue, 19 Nov 2024, Volodymyr Babchuk wrote:
>> Hi Stefano,
>>
>> Stefano Stabellini <sstabellini@kernel.org> writes:
>>
>> > On Thu, 14 Nov 2024, Volodymyr Babchuk wrote:
>>
>> [...]
>>
>> >> +Building LibAFL-QEMU based fuzzer
>> >> +---------------------------------
>> >> +
>> >> +Fuzzer is written in Rust, so you need Rust toolchain and `cargo` tool
>> >> +in your system. Please refer to your distro documentation on how to
>> >> +obtain them.
>> >> +
>> >> +Once Rust is ready, fetch and build the fuzzer::
>> >> +
>> >> + # git clone
>> >> https://github.com/xen-troops/xen-fuzzer-rs
>> >> +  # cd xen-fuzzer-rs
>> >> +  # cargo build
>> >
>> > Is this the only way to trigger the fuzzer? Are there other ways (e.g.
>> > other languages or scripts)? If this is the only way, do we expect it to
>> > grow much over time, or is it just a minimal shim only to invoke the
>> > fuzzer (so basically we need an x86 version of it but that's pretty much
>> > it in terms of growth)?
>>
>> Well, original AFL++ is written in C. And I planned to use it
>> initially. I wanted to make plugin for QEMU to do the basically same
>> thing that LibAFL does - use QEMU to emulate target platform, create
>> snapshot before running a test, restore it afterwards.
>>
>> But then I found LibAFL. It is a framework for creating fuzzers, it
>> implements the same algorithms as original AFL++ but it is more
>> flexible. And it already had QEMU support. Also, it seems it is quite
>> easy to reconfigure it for x86 support. I didn't tried tested this yet,
>> but looks like I need only to change one option in Cargo.toml.
>>
>> This particular fuzzer is based on LibAFL example, but I am going to
>> tailor it for Xen Project-specific needs, like CI integration you
>> mentioned below.
>
> Is my understanding correct that we only need to invoke LibAFL as you
> are doing already, and that's pretty much it? We need a better
> configuration specific for Xen, and we need one more way to invoke it to
> cover x86 but that's it? So, the expectation is that the code currently
> under
> https://github.com/xen-troops/xen-fuzzer-rs
> will not grow much?
>

Yes, it basically configures different bits of LibAFL and integrates
them together. So yes, it will not grow much. I am planning to add some
QoL things like ability to re-run specific input so it will be easier to
debug discovered issues. Or maybe tune some fuzzing algorithms
settings... But nothing big.


>
>> As for test harness, I am using Zephyr currently. My first intention was
>> to use XTF, but it is x86-only... I am still considering using XTF for
>> x86 runs.
>>
>> Zephyr was just the easiest and fastest way to trigger hypercalls. At
>> first I tried to use Linux kernel, but it was hard to cover all possible
>> failure paths. Zephyr is much simpler in this regard. Even better is to
>> use MiniOS or XTF. But ARM support in MiniOS is in sorry state and XTF
>> does not work on ARM at all.
>
> There is a not-yet-upstream XTF branch that works on ARM here:
> https://gitlab.com/xen-project/fusa/xtf/-/tree/xtf-arm?ref_type=heads

Ah, thanks. I'll try to use it as a harness.

[...]

>
>>
>> I was considering this as well. Problem is that fuzzing should be
>> running for a prolonged periods of time. There is no clear consensus on
>> "how long", but most widely accepted time period is 24 hours. So looks
>> like it should be something like "nightly build" task. Fuzzer code
>> needs to be extended to support some runtime restriction, because right
>> now it runs indefinitely, until user stops it.
>
> We can let it run for 48 hours continuously every weekend using the
> Gitlab runners

Great idea. Anyways, I need to add option to limit runtime to the fuzzer
and invent some method for reporting discovered crashes to the CI first.

>
>> I am certainly going to implement this, but this is a separate topic,
>> because it quires changes in the fuzzer app. Speaking on which... Right
>> now both fuzzer and test harness reside in our github repo, as you
>> noticed. I believe it is better to host it on xenbits as an official
>> part of the Xen Project.
>
> Yes we can create repos under gitlab.com/xen-project for this, maybe a
> new subgroup gitlab.com/xen-project/fuzzer

Good. Whom should I ask to do this?

--
WBR, Volodymyr

next prev parent reply	other threads:[~2024-11-20  0:51 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-11-14 22:46 [RFC PATCH] xen: add libafl-qemu fuzzer support Volodymyr Babchuk
2024-11-19  1:46 ` Stefano Stabellini
2024-11-19 15:16   ` Volodymyr Babchuk
2024-11-19 18:32     ` Andrew Cooper
2024-11-19 20:46       ` Volodymyr Babchuk
2024-11-19 23:23     ` Stefano Stabellini
2024-11-20  0:50       ` Volodymyr Babchuk [this message]
2024-11-20 22:07         ` Stefano Stabellini
2024-11-21 23:15           ` Volodymyr Babchuk
2024-11-22  0:37             ` Stefano Stabellini
2024-11-25 23:23               ` Volodymyr Babchuk
2024-11-20  1:20     ` Marek Marczykowski-Górecki
2024-11-20 22:05       ` Stefano Stabellini
2024-11-19 18:02   ` Andrew Cooper

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87iksilod0.fsf@epam.com \
    --to=volodymyr_babchuk@epam.com \
    --cc=andrew.cooper3@citrix.com \
    --cc=bertrand.marquis@arm.com \
    --cc=dfaggioli@suse.com \
    --cc=gwd@xenproject.org \
    --cc=jbeulich@suse.com \
    --cc=jgross@suse.com \
    --cc=julien@xen.org \
    --cc=michal.orzel@amd.com \
    --cc=sstabellini@kernel.org \
    --cc=xen-devel@lists.xenproject.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.