
Monitoring and Logging

Patrick D edited this page Aug 5, 2022 · 1 revision

Stateful fuzzing augments traditional fuzzing with state graph inference, and it is often useful to get some insight into the state graph while fuzzing.
This tutorial shows different ways to get state graph info out of the fuzzer and onto disk or the screen.

Monitors

One way to quickly get state information is to use the StateMonitor. Simply create the monitor like this:

let monitor = StateMonitor::new();

and observe that the information it prints is the same as SimpleMonitor's, plus the number of vertices and edges in the state graph:

[butterfly::Stats] uptime: 0h-0m-12s | cores: 1 | corpus: 20 | objectives: 0 | total execs: 155 | exec/s: 12 | nodes: 11 | edges: 34

Internally, butterfly stores this metadata in the user stats of the fuzzer. The number of nodes is available as USER_STAT_NODES and is a UserStats::Number. Similarly, the number of edges is available as USER_STAT_EDGES.
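To see from a captured log whether the state graph is still growing, the stats line shown above can be parsed offline. The following is an added example and not part of butterfly: the helper names are hypothetical, every sample line except the first is constructed, and the uptime is assumed to always be printed as `<h>h-<m>m-<s>s`.

```rust
use std::collections::HashMap;

/// One parsed `[butterfly::Stats]` line (only the fields used here).
#[derive(Debug, PartialEq)]
struct Stats { uptime_secs: u64, nodes: u64, edges: u64 }

// Constructed sample log; only the first line is taken from the page.
const SAMPLE_LOG: &str = "\
[butterfly::Stats] uptime: 0h-0m-12s | cores: 1 | corpus: 20 | objectives: 0 | total execs: 155 | exec/s: 12 | nodes: 11 | edges: 34
[butterfly::Stats] uptime: 0h-1m-30s | cores: 1 | corpus: 31 | objectives: 0 | total execs: 1104 | exec/s: 12 | nodes: 14 | edges: 41
[other] some unrelated output
[butterfly::Stats] uptime: 0h-5m-0s | cores: 1 | corpus: 33 | objectives: 0 | total execs: 3650 | exec/s: 12 | nodes: 14 | edges: 41
[butterfly::Stats] uptime: 1h-2m-5s | cores: 1 | corpus: 33 | objectives: 0 | total execs: 44700 | exec/s: 12 | nodes: 14 | edges: 41
";

/// Parse an uptime such as "0h-0m-12s" into seconds (format assumed from the page).
fn parse_uptime(s: &str) -> Option<u64> {
    let mut parts = s.split('-');
    let h = parts.next()?.strip_suffix('h')?.parse::<u64>().ok()?;
    let m = parts.next()?.strip_suffix('m')?.parse::<u64>().ok()?;
    let sec = parts.next()?.strip_suffix('s')?.parse::<u64>().ok()?;
    Some(h * 3600 + m * 60 + sec)
}

/// Parse one StateMonitor line; returns None for any other line.
fn parse_line(line: &str) -> Option<Stats> {
    let rest = line.trim().strip_prefix("[butterfly::Stats]")?;
    // Split "key: value | key: value | ..." into a map.
    let fields: HashMap<&str, &str> = rest
        .split('|')
        .filter_map(|kv| kv.split_once(':'))
        .map(|(k, v)| (k.trim(), v.trim()))
        .collect();
    Some(Stats {
        uptime_secs: parse_uptime(fields.get("uptime")?)?,
        nodes: fields.get("nodes")?.parse().ok()?,
        edges: fields.get("edges")?.parse().ok()?,
    })
}

/// Seconds for which nodes and edges have been unchanged at the end of the log.
fn stalled_for(log: &str) -> Option<u64> {
    let samples: Vec<Stats> = log.lines().filter_map(parse_line).collect();
    let last = samples.last()?;
    let same = |s: &&Stats| (s.nodes, s.edges) == (last.nodes, last.edges);
    let first = samples.iter().rev().take_while(same).last()?;
    Some(last.uptime_secs.saturating_sub(first.uptime_secs))
}

fn main() { println!("state graph unchanged for {:?} s", stalled_for(SAMPLE_LOG)); }
```
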

If you don't want to use StateMonitor, butterfly provides a helper trait HasStateStats that supplies two functions:

  • avg_statemachine_nodes(): Returns an average of USER_STAT_NODES of all instances
  • avg_statemachine_edges(): Returns an average of USER_STAT_EDGES of all instances

To access these methods in the display() method of a different monitor, simply implement the trait like this:

impl HasStateStats for DifferentMonitor {}

Graphviz output

butterfly is also capable of dumping a DOT representation of the state graph. This is quite costly and must be explicitly enabled with the feature graphviz. If the feature is enabled, the DOT source is stored in the user stats under USER_STAT_STATEGRAPH as a UserStats::String. No monitor is capable of printing the state graph to screen at the moment, so it has to be picked up by loggers.

Loggers

If we want to persistently log the fuzzing progress, we have two options:

  • libafl's OnDiskTOMLMonitor: This logger includes user stats in its output and is thus capable of logging state graph info
  • butterfly's GraphvizMonitor: A reduced version of OnDiskTOMLMonitor that only writes the USER_STAT_STATEGRAPH to disk.
    GraphvizMonitor wraps another monitor and can be created like this:
let monitor = GraphvizMonitor::new(
    // Child monitor that is being wrapped.
    // If you don't want to print anything use
    // NopMonitor::new() here
    StateMonitor::new(),
    
    // Name of the output file
    "stategraph.dot",
    
    // Interval at which to write to the file in seconds
    60,
);

It is available only when the feature graphviz is enabled.
