This repository has been archived by the owner on Jun 4, 2024. It is now read-only.

Teku fuzzing does not work #38

Open
JustinDrake opened this issue Jul 13, 2020 · 10 comments
Labels
bug Something isn't working teku

Comments

@JustinDrake

A little birdy suggested I do the following:

make teku
docker run -it -v $(pwd)/workspace:/eth2fuzz/workspace eth2fuzz_teku target teku_attester_slashing

The second command is not working:

Justins-MBP:eth2fuzz justin$ docker run -it -v $(pwd)/workspace:/eth2fuzz/workspace eth2fuzz_teku target teku_attester_slashing
[eth2fuzz] Testing FuzzerJavaJQFAfl is available
Performing pilot run....  Pilot run success! Launching AFL now...
[+] Loaded environment variable AFL_SKIP_BIN_CHECK with value 1
[+] Loaded environment variable AFL_AUTORESUME with value 1
[+] Loaded environment variable AFL_SKIP_CPUFREQ with value 1
[+] Loaded environment variable AFL_SKIP_CRASHES with value 1
[+] Loaded environment variable AFL_NO_AFFINITY with value 1
[+] Loaded environment variable AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES with value 1
afl-fuzz++2.65d based on afl by Michal Zalewski and a big online community
[+] afl++ is maintained by Marc "van Hauser" Heuse, Heiko "hexcoder" Eißfeldt, Andrea Fioraldi and Dominik Maier
[+] afl++ is open source, get it at https://github.com/AFLplusplus/AFLplusplus
[+] Power schedules from github.com/mboehme/aflfast
[+] Python Mutator and llvm_mode whitelisting from github.com/choller/afl
[+] afl-tmin fork server patch from github.com/nccgroup/TriforceAFL
[+] MOpt Mutator from github.com/puppet-meteor/MOpt-AFL
[*] Getting to work...
[+] Using exploration-based constant power schedule (EXPLORE, default)
[+] You have 4 CPU cores and 4 runnable tasks (utilization: 100%).
[!] WARNING: Not binding to a CPU core (AFL_NO_AFFINITY set).
[*] Checking core_pattern...
[*] Setting up output directories...
[*] Scanning '/eth2fuzz/workspace/corpora/attester_slashing'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Attempting dry run with 'id:000000,time:0,orig:00000000000000000000000000000000.00000002.honggfuzz.cov'...
[*] Spinning up the fork server...

[-] PROGRAM ABORT : Timeout while initializing fork server (adjusting -t may help)
         Location : afl_fsrv_start(), src/afl-forkserver.c:682

[eth2fuzz] Fuzzer quit
@pventuzelo
Contributor

Looks like a default timeout issue, I just published a fix 1b5cfd9

Please, do the following:

$ git pull
$ make teku

Let me know if it is not working.

@JustinDrake
Author

Nope, still not working.
[Screenshot attached: 2020-07-13 at 11:39:38]

@pventuzelo
Contributor

pventuzelo commented Jul 13, 2020

Can you give me more info about your specs? Because I suppose the fuzzer is not "running fast enough". Teku fuzzing is really slow for now because it is running inside the JVM...

@zedt3ster
Member

Yep, Teku's fuzzers are the slowest we have. Here's @JustinDrake's laptop specs:

  • MacBook Pro (2016), macOS 10.14.6
  • 2 GHz Intel Core i5
  • 8 GB RAM

@zedt3ster
Member

Hey @JustinDrake - we're pretty sure this is a timeout related issue, most likely due to the slowness of Teku's fuzzer.

I've created a dedicated branch that should hopefully address this problem. Could you please follow these steps (from the beacon-fuzz folder):

  1. git pull
  2. git checkout teku-timeout-fix
  3. cd eth2fuzz && make teku CACHE=--no-cache
  4. docker run -it -v $(pwd)/workspace:/eth2fuzz/workspace eth2fuzz_teku target teku_attester_slashing

Let us know if this fixes the problem for you. Cheers!

@JustinDrake
Author

Nope, still not working :) I performed all the steps above.

Justins-MBP:eth2fuzz justin$ docker run -it -v $(pwd)/workspace:/eth2fuzz/workspace eth2fuzz_teku target teku_attester_slashing
[eth2fuzz] Testing FuzzerJavaJQFAfl is available
Performing pilot run....  Pilot run success! Launching AFL now...
[+] Loaded environment variable AFL_SKIP_BIN_CHECK with value 1
[+] Loaded environment variable AFL_AUTORESUME with value 1
[+] Loaded environment variable AFL_SKIP_CPUFREQ with value 1
[+] Loaded environment variable AFL_SKIP_CRASHES with value 1
[+] Loaded environment variable AFL_NO_AFFINITY with value 1
[+] Loaded environment variable AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES with value 1
afl-fuzz++2.65d based on afl by Michal Zalewski and a big online community
[+] afl++ is maintained by Marc "van Hauser" Heuse, Heiko "hexcoder" Eißfeldt, Andrea Fioraldi and Dominik Maier
[+] afl++ is open source, get it at https://github.com/AFLplusplus/AFLplusplus
[+] Power schedules from github.com/mboehme/aflfast
[+] Python Mutator and llvm_mode whitelisting from github.com/choller/afl
[+] afl-tmin fork server patch from github.com/nccgroup/TriforceAFL
[+] MOpt Mutator from github.com/puppet-meteor/MOpt-AFL
[*] Getting to work...
[+] Using exploration-based constant power schedule (EXPLORE, default)
[+] You have 4 CPU cores and 2 runnable tasks (utilization: 50%).
[+] Try parallel jobs - see /usr/local/share/doc/afl/parallel_fuzzing.md.
[!] WARNING: Not binding to a CPU core (AFL_NO_AFFINITY set).
[*] Checking core_pattern...
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Scanning '/eth2fuzz/workspace/corpora/attester_slashing'...
[+] No auto-generated dictionary tokens to reuse.
[*] Creating hard links for all input files...
[*] Validating target binary...
[*] Attempting dry run with 'id:000000,time:0,orig:00000000000000000000000000000000.00000002.honggfuzz.cov'...
[*] Spinning up the fork server...

[-] PROGRAM ABORT : Timeout while initializing fork server (adjusting -t may help)
         Location : afl_fsrv_start(), src/afl-forkserver.c:682

[eth2fuzz] Fuzzer quit

@zedt3ster
Member

zedt3ster commented Jul 16, 2020

Interesting, you seem to be the only person with this issue (we confirmed with other MacOS users that they're able to run this fuzzer).

After [*] Spinning up the fork server..., did it hang for 5 minutes before the next error message? Asking since I changed the timeout value to 5 minutes on the teku-timeout-fix branch. Thanks!

@JustinDrake
Author

After [*] Spinning up the fork server..., did it hang for 5 minutes before the next error message?

Nope, it does not. It fails immediately after this message.

@JustinDrake
Author

I'm on the correct branch and I did recompile teku as above:

Justins-MBP:eth2fuzz justin$ git branch
  master
* teku-timeout-fix

@zedt3ster
Member

Ok, turns out an environment variable used within AFL might be overriding the timeout value. We just (hopefully) fixed this in the latest commit on teku-timeout-fix (commit 753b00a4). If this doesn't work, I suspect it'll most likely be related to something else (perhaps an OS limitation on Mojave).

Please follow these steps, assuming you're on the teku-timeout-fix branch (it should take you at least 30+ minutes to rebuild the docker):

  1. git pull
  2. cd eth2fuzz && make teku CACHE=--no-cache
  3. docker run -it -v $(pwd)/workspace:/eth2fuzz/workspace eth2fuzz_teku target teku_attester_slashing

If this doesn't work, we'll have to investigate further.
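The two suspected causes in this thread (a too-short default timeout, and an AFL environment variable overriding the configured timeout) can be told apart from the fuzzer's own console output. The script below is an added triage helper, not code from beacon-fuzz or eth2fuzz: it parses an afl-fuzz log like the ones pasted above, records every `AFL_*` variable the fuzzer reported loading, detects the "Timeout while initializing fork server" abort, and reports whether an init-timeout override was in effect. `AFL_FORKSRV_INIT_TMOUT` is a real AFL++ variable (fork-server handshake timeout in milliseconds, separate from `-t`); that eth2fuzz sets it is an assumption, and the sample logs are constructed from the output shown in this issue.

```python
"""Triage helper for AFL++ console logs (added example, not part of eth2fuzz)."""
import re
from dataclasses import dataclass, field

ENV_LINE = re.compile(r"^\[\+\] Loaded environment variable (\w+) with value (\S+)$")
ABORT_LINE = re.compile(r"^\[-\] PROGRAM ABORT : (.+)$")
LOCATION_LINE = re.compile(r"^\s*Location : (.+)$")
FORKSRV_ABORT = "Timeout while initializing fork server"

# Real AFL++ variable; whether the eth2fuzz image sets it is an assumption.
FORKSRV_TIMEOUT_VAR = "AFL_FORKSRV_INIT_TMOUT"


@dataclass
class AflDiagnosis:
    env: dict = field(default_factory=dict)   # AFL_* vars the fuzzer said it loaded
    forkserver_started: bool = False          # saw "[*] Spinning up the fork server"
    aborted: bool = False
    abort_reason: str = ""
    location: str = ""

    @property
    def forkserver_init_timeout(self) -> bool:
        return self.aborted and self.abort_reason.startswith(FORKSRV_ABORT)

    @property
    def forkserver_timeout_override(self):
        """Value of the init-timeout override AFL loaded, or None if absent."""
        return self.env.get(FORKSRV_TIMEOUT_VAR)


def diagnose_afl_log(text: str) -> AflDiagnosis:
    """Walk the log line by line and collect env vars, fork-server state and abort info."""
    d = AflDiagnosis()
    for line in text.splitlines():
        m = ENV_LINE.match(line)
        if m:
            d.env[m.group(1)] = m.group(2)
            continue
        if line.startswith("[*] Spinning up the fork server"):
            d.forkserver_started = True
            continue
        m = ABORT_LINE.match(line)
        if m:
            d.aborted = True
            d.abort_reason = m.group(1).strip()
            continue
        m = LOCATION_LINE.match(line)
        if m and d.aborted:  # the Location line follows the abort banner
            d.location = m.group(1).strip()
    return d


def explain(d: AflDiagnosis) -> str:
    """One-line verdict an operator can act on."""
    if not d.aborted:
        return "fuzzer did not abort"
    if not d.forkserver_init_timeout:
        return f"abort: {d.abort_reason} at {d.location}"
    override = d.forkserver_timeout_override
    if override is None:
        return (f"fork server init timeout at {d.location}; no {FORKSRV_TIMEOUT_VAR} "
                "was loaded, so the default -t based limit applied")
    return (f"fork server init timeout at {d.location} although {FORKSRV_TIMEOUT_VAR}="
            f"{override} was loaded; an immediate failure points at the target, not the limit")


# Constructed sample: the relevant lines from the log pasted in this issue.
SAMPLE_LOG = """\
[+] Loaded environment variable AFL_SKIP_BIN_CHECK with value 1
[+] Loaded environment variable AFL_AUTORESUME with value 1
[+] Loaded environment variable AFL_SKIP_CPUFREQ with value 1
[+] Loaded environment variable AFL_SKIP_CRASHES with value 1
[+] Loaded environment variable AFL_NO_AFFINITY with value 1
[+] Loaded environment variable AFL_I_DONT_CARE_ABOUT_MISSING_CRASHES with value 1
[*] Validating target binary...
[*] Spinning up the fork server...

[-] PROGRAM ABORT : Timeout while initializing fork server (adjusting -t may help)
         Location : afl_fsrv_start(), src/afl-forkserver.c:682
"""

# Constructed variant: same run, but with the init-timeout override loaded (300 s).
SAMPLE_LOG_WITH_OVERRIDE = (
    "[+] Loaded environment variable AFL_FORKSRV_INIT_TMOUT with value 300000\n" + SAMPLE_LOG
)

if __name__ == "__main__":
    for log in (SAMPLE_LOG, SAMPLE_LOG_WITH_OVERRIDE):
        print(explain(diagnose_afl_log(log)))
```

Run it against a saved console log (`python triage.py < afl.log` after swapping the sample for `sys.stdin.read()`): if the abort is reported with no override loaded, raising the limit is the first thing to try; if the abort arrives immediately even with a large override loaded, as the reporter describes, the handshake itself is failing and the target process, not the timeout, needs investigating.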

@pventuzelo pventuzelo added bug Something isn't working teku labels Aug 1, 2020