Intel PT feedback "less precise results"


Liam Hayes

Mar 4, 2019, 7:32:59 PM
to honggfuzz

Hi,

I'm interested in fuzzing binaries (no source code). I've written a small C program to test my fuzzing setup. I've found that with compile-time instrumentation used as feedback, honggfuzz forces execution down an obscure code path (a long series of if statements). However this doesn't happen when using Intel PT over a similar number of iterations.

docs/FeedbackDrivenFuzzing.md mentions that PT feedback "currently produces less precise results" than when using BTS feedback. Is the above problem likely to be this lack of precision? If so, would Intel BTS work better? Why is Intel PT less precise and is there any way I can change this? 

Unfortunately I only have systems that support Intel PT (and not Intel BTS) to test on.

Thanks,
Liam

Robert Święcki

Mar 5, 2019, 1:29:45 AM
to Liam Hayes, honggfuzz
Hi,
 
> I'm interested in fuzzing binaries (no source code). I've written a small C program to test my fuzzing setup. I've found that with compile-time instrumentation used as feedback, honggfuzz forces execution down an obscure code path (a long series of if statements). However this doesn't happen when using Intel PT over a similar number of iterations.
>
> docs/FeedbackDrivenFuzzing.md mentions that PT feedback "currently produces less precise results" than when using BTS feedback. Is the above problem likely to be this lack of precision? If so, would Intel BTS work better? Why is Intel PT less precise and is there any way I can change this?

Long story short, Intel PT is a byte-code which aims at minimizing the output size. Therefore it uses tricks that make it hard to recreate the code execution path w/o doing so-called 'full decode'. Full decode is slow, therefore honggfuzz is doing partial decode, which is way more precise (lower number of recovered program blocks) but way faster.

The way to change this is to implement a full decoder for Intel PT, which will use the fuzzer binary as an input. Apparently WinAFL started doing that some weeks ago, so maybe the code could be reused.

With BTS what is stored by CPU are all branch/jump src/dst addresses, so it's more precise in this sense.
 
> Unfortunately I only have systems that support Intel PT (and not Intel BTS) to test on.

Intel BTS is supported pretty much under every CPU which supports Intel PT. It's probably the Linux kernel which is a problem - in its newer releases the BTS is disabled due to the introduction of KPTI (kernel page table isolation) b/c of the spectre/meltdown bugs.

If you don't care about those bugs (system only for fuzzing), you can bring back BTS by adding pti=off to your kernel boot flags. Under Ubuntu it'd be

$ grep pti /etc/default/grub
# For full documentation of the options in this file, see:
GRUB_CMDLINE_LINUX_DEFAULT="nosplash nvidia-drm.modeset=1 l1tf=off nopti pti=off spectre_v2=off spec_store_bypass_disable=off no_stf_barrier no_file_caps"

and then

$ sudo update-grub

> Thanks,
> Liam



--
Robert Święcki
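To turn the advice above into something you can run before picking a feedback mode, here is an added POSIX shell check (my example, not honggfuzz code). It assumes the perf PMU directories are exposed under /sys/bus/event_source/devices (intel_bts and intel_pt) and that the boot flags are readable from /proc/cmdline; both paths are parameters so the logic can be exercised against a constructed layout.

```shell
#!/bin/sh
# Report which hardware-feedback mode this host can offer honggfuzz.
#   $1  perf PMU directory (normally /sys/bus/event_source/devices)
#   $2  kernel command line file (normally /proc/cmdline)
# Prints one of: bts, pt, none. Returns 1 when neither PMU is present.
hw_feedback_mode() {
    pmu_dir="$1"
    if [ -d "$pmu_dir/intel_bts" ]; then
        echo bts            # honggfuzz: --linux_perf_bts_edge (branch src/dst pairs)
    elif [ -d "$pmu_dir/intel_pt" ]; then
        echo pt             # honggfuzz: --linux_perf_ipt_block (partial decode)
    else
        echo none
        return 1
    fi
}

# Returns 0 if the kernel was booted with page-table isolation disabled
# (pti=off or nopti), the change the reply above recommends to get BTS back.
pti_disabled() {
    tr ' ' '\n' < "$1" | grep -qx -e 'pti=off' -e 'nopti'
}

# One-line advice combining both checks.
advise() {
    mode=$(hw_feedback_mode "$1" "$2") || true
    case "$mode" in
        bts) echo "BTS available: use it for the most precise branch feedback" ;;
        pt)  if pti_disabled "$2"; then
                 echo "PT only, pti already off: BTS still missing, check kernel and CPU support"
             else
                 echo "PT only: add pti=off to the kernel boot flags and reboot to try BTS"
             fi ;;
        *)   echo "No Intel PT/BTS PMU exposed: only software feedback is possible" ;;
    esac
}

# Run against the live system when executed directly.
if [ "${1:-}" = "--live" ]; then
    advise /sys/bus/event_source/devices /proc/cmdline
fi
```

Run it with `sh check_feedback.sh --live` on the fuzzing host; the mode names map onto the feedback options discussed in docs/FeedbackDrivenFuzzing.md.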

Liam Hayes

Mar 5, 2019, 1:56:30 AM
to honggfuzz
What a comprehensive answer! You saved me lots of research, thanks so much.

Liam