Run the Fuzzer

First, we'll make a new script fuzz.simics. We'll start with the same parameters we used previously:

$cpu_comp_class = "x86QSP2"
$disk0_image = "%simics%/windows-11.img"
$use_vmp = FALSE
$create_usb_tablet = TRUE
$num_cores = 1
$num_threads = 2

Next, we'll add code at the top of the script to check whether a checkpoint called booted.ckpt exists and, if it does, read the configuration from it. This lets us skip the (many minutes of) boot wait on all but the first run, which significantly shortens the time to fuzzing start.

if file-exists "booted.ckpt" {
    echo "Booted checkpoint found, loading..."
    read-configuration "booted.ckpt"
} else {
    echo "No booted checkpoint saved, running..."
    run-command-file "%simics%/targets/qsp-x86/qsp-hdd-boot.simics"
    board.disk0.hd_image.add-diff-file filename = "windows-11.diff.craff"
    # Uncomment this line to enable VNC for headless access
    # board.console.con.vnc-setup port = 7500 password = "PassPass"
}

Next, we'll add a script-branch that waits for our graphical breakpoint. This lets the script wait unattended until the system has booted and the Simics agent, which allows us to run commands and upload files to the system, has started.

Once we get the breakpoint, we will save the booted checkpoint if we did not have one already.

Then we start the agent manager and set the poll interval to 1 minute, so that the slow simulation (we are running without VMP) does not time out.

Finally, we run our fuzzer executable and wait for all commands to execute. Once the fuzzer executable runs, the fuzzer will start and the execution loop will begin.

script-branch {
    board.console.con.bp-wait-for-gfx breakpoint-boot 1
    echo "Got booted breakpoint. Waiting 10 seconds..."
    bp.time.wait-for seconds = 10
    echo "Got booted breakpoint, stopping..."
    stop

    if not (file-exists "booted.ckpt") {
        echo "Got booted BP, saving checkpoint..."
        write-configuration booted.ckpt
    } else {
        echo "Already had checkpoint, not saving..."
    }

    start-agent-manager
    $matic = (agent_manager.connect-to-agent)
    continue
    $matic.wait-for-job
    $matic.agent-poll-interval ms = 60000
    stop
    load-module tsffs
    init-tsffs
    @tsffs.log_level = 4
    @tsffs.start_on_harness = True
    @tsffs.stop_on_harness = True
    @tsffs.timeout = 3.0
    @tsffs.exceptions = [13]
    @tsffs.generate_random_corpus = True
    @tsffs.iteration_limit = 1000

    $matic.upload-dir -overwrite "%simics%/fuzzer/"
    $matic.run "C:\\fuzzer\\fuzzer.exe"
    continue
    $matic.wait-for-job
    echo "Done with jobs..."
}

You should see output like the following. Note the very large initial spike in coverage on the first fuzzer execution.

[tsffs info] Saving checkpoint to /home/rhart/hub/tsffs/examples/tutorials/windows-kernel/checkpoint.ckpt
[tsffs info] Saving initial snapshot
[tsffs info] Testcase: Testcase { testcase: "[181, 102] (2 bytes)", cmplog: false }
[tsffs info] Posting event on processor at time 175.99922852 for 3s (time 178.99922852)
[tsffs info] Resuming simulation
[tsffs info] on_magic_instruction(4)
[tsffs info] Simulation stopped with reason Magic { magic_number: StopNormal }
[tsffs info] Cancelling event with next time 2.9999871535 (current time 175.9992413665)
[tsffs info] Testcase: Testcase { testcase: "[139, 250, 96, 144, 239, 7, 187, 60, 109, 147, 230, 211] (12 bytes)", cmplog: false }
[tsffs info] Posting event on processor at time 175.99922852 for 3s (time 178.99922852)
[tsffs info] Resuming simulation
[tsffs info] on_magic_instruction(1)
[tsffs info] Interesting input for AFL indices [503, 766, 2935, 3049, 3169, 3797, 4263, 4337, 4655, 5256, 5335, 5350, 5361, 5373, 6196, 6310, 6381, 6570, 6715, 10288, 10680, 11672, 11805, 12079, 13347, 13408, 13418, 14562, 14800, 14846, 17643, 20093, 20115, 20116, 20353, 20986, 21600, 21706, 22895, 24028, 24504, 24570, 24792, 24808, 25568, 25709, 25896, 26497, 26871, 26901, 26921, 26944, 26949, 26960, 26993, 27111, 27134, 27175, 27201, 27208, 27215, 27231, 27285, 27327, 27408, 27421, 27447, 27449, 27471, 27480, 27504, 27581, 27592, 27593, 27604, 27645, 27906, 27916, 27926, 27966, 28001, 28169, 28178, 28218, 28239, 28265, 28269, 28277, 28294, 28315, 28341, 28356, 28404, 28415, 28434, 28436, 28450, 28482, 28531, 28552, 28570, 28603, 28620, 28624, 28649, 28671, 28672, 29080, 29107, 29163, 29164, 29168, 29400, 29447, 29624, 29683, 29730, 29734, 29770, 29781, 29828, 29852, 29923, 29970, 29979, 30009, 30030, 30050, 30061, 30068, 30076, 30119, 30150, 30169, 30213, 30262, 30285, 30299, 30329, 30348, 30396, 30406, 30461, 30500, 30505, 30536, 30553, 30580, 30600, 30602, 30622, 30640, 30675, 30677, 31132, 31412, 31696, 31746, 31748, 31765, 31776, 31795, 31796, 31900, 31932, 32028, 32124, 32136, 32189, 32249, 32779, 32799, 33039, 33101, 33106, 33132, 33148, 33212, 33789, 33795, 33814, 33854, 33920, 33921, 33926, 33930, 33938, 33945, 33961, 33968, 33975, 33978, 33980, 34017, 34048, 34058, 34078, 34103, 34108, 34123, 34125, 34137, 34248, 34252, 34268, 34270, 34279, 34301, 34547, 34579, 34629, 34694, 34782, 34793, 35774, 35942, 35957, 36151, 36164, 36229, 36250, 36254, 36275, 36279, 36332, 36945, 36968, 37213, 37243, 37310, 37459, 37466, 37483, 37508, 37529, 37554, 37556, 37623, 37657, 37663, 37687, 37732, 37752, 37804, 37847, 38777, 38943, 39043, 39069, 39237, 39292, 39304, 39320, 39704, 39808, 39810, 39827, 39845, 39989, 40030, 40066, 40203, 40267, 40426, 40444, 40859, 40898, 40909, 40922, 40967, 40972, 40976, 40978, 41015, 41040, 41055, 41056, 41104, 41223, 41425, 41499, 
41890, 42264, 42328, 42348, 42405, 42406, 42427, 42702, 42930, 42938, 43013, 43151, 43336, 43570, 43598, 43612, 43641, 43661, 43677, 43691, 43693, 43711, 43724, 43735, 43762, 43768, 43773, 43784, 43804, 43812, 43894, 43906, 43935, 44002, 44053, 44087, 44144, 44176, 44257, 44270, 44385, 44619, 44697, 44741, 44768, 44771, 44774, 44827, 44828, 44851, 45095, 45113, 45231, 45736, 45870, 45929, 46047, 46427, 46440, 46466, 46490, 46516, 46879, 49157, 49528, 49671, 49683, 49722, 49758, 49763, 49769, 49837, 49862, 49883, 49907, 50002, 50045, 50067, 50092, 50099, 50191, 50201, 50284, 50293, 50407, 50537, 50657, 50712, 50722, 50751, 50777, 50809, 50871, 50902, 51457, 51767, 51798, 51806, 51811, 51902, 51905, 51911, 51920, 51935, 51969, 52002, 52099, 52101, 52144, 52148, 52193, 52203, 52245, 52300, 52317, 52355, 52359, 52403, 52428, 52444, 52454, 52456, 52459, 52485, 52521, 52581, 52582, 52594, 52606, 52626, 52699, 52701, 52724, 52770, 52849, 52888, 52899, 52943, 52958, 52959, 53025, 53106, 53129, 53170, 53210, 54665, 54966, 55048, 55099, 55312, 55425, 55545, 55565, 55802, 55836, 56068, 56076, 56110, 56833, 56842, 56863, 56938, 56972, 56987, 57221, 57259, 57338, 57367, 57474, 57475, 57476, 57497, 57504, 57526, 57579, 57701, 57712, 57765, 57790, 57798, 57803, 57817, 57919, 58071, 58187, 58200, 58222, 58267, 58707, 58864, 59183, 59211, 59235, 59379, 60738, 60760, 61386, 62586, 62976, 63317, 63637, 63647, 63668, 63717, 63718, 64067, 64430, 65124, 66015, 66722, 66872, 66905, 66914, 66940, 67021, 68227, 71196, 71228, 71367, 72668, 73658, 74857, 75644, 75858, 75955, 75960, 76042, 76164, 76193, 76199, 76202, 76268, 76568, 76594, 76605, 76633, 76644, 76652, 77804, 78094, 78511, 80215, 80318, 81032, 81098, 81210, 81217, 81225, 81244, 81265, 81266, 81342, 81529, 81904, 82214, 82770, 84289, 84295, 84341, 84380, 84402, 84436, 84459, 84467, 84471, 84481, 84901, 84955, 84991, 85046, 85134, 85144, 85171, 85183, 85203, 85223, 85225, 85256, 85308, 85348, 85435, 85701, 85751, 85777, 85783, 
85844, 85879, 85932, 86301, 86422, 86742, 86757, 86774, 86782, 87028, 87739, 89260, 89951, 90610, 90813, 91088, 91182, 91481, 91588, 92006, 92633, 92799, 93101, 93143, 93159, 93163, 95382, 96072, 96269, 96360, 96506, 96528, 96529, 96534, 96574, 96606, 96681, 96763, 96782, 96787, 96802, 96804, 96810, 96825, 96832, 96833, 96847, 96886, 96956, 96957, 96985, 97066, 97080, 97097, 97147, 97169, 97173, 97188, 97224, 97235, 97267, 97538, 97574, 97666, 97814, 97904, 97966, 98015, 98033, 98100, 98122, 98146, 98157, 98178, 98179, 98204, 98220, 98225, 98254, 98288, 98649, 98897, 100786, 100884, 100990, 100994, 101028, 101041, 101043, 101930, 101978, 102002, 102064, 102434, 102445, 102458, 102470, 102473, 102481, 102483, 102484, 102494, 102643, 102782, 102968, 103039, 103142, 103167, 103169, 103172, 103181, 103279, 103348, 103353, 103438, 103599, 104038, 104075, 104080, 104085, 104120, 104128, 104181, 104326, 104530, 104750, 104962, 105456, 105475, 105491, 105675, 105683, 105715, 105742, 106491, 108730, 108753, 109047, 109393, 109508, 109554, 109666, 109716, 109790, 109829, 109832, 109848, 109900, 109961, 109998, 110086, 110098, 110099, 110165, 110258, 110313, 110376, 110398, 110470, 110582, 111201, 112657, 112723, 112725, 112743, 112747, 112765, 112839, 112880, 112947, 112968, 112969, 113073, 113104, 113110, 113115, 113131, 113133, 113136, 113142, 113223, 113224, 113308, 113328, 113332, 113361, 113395, 113408, 113412, 113420, 113465, 113484, 113500, 113506, 113510, 113514, 113531, 113567, 113581, 113602, 113609, 113708, 113729, 114201, 114228, 114239, 114698, 114717, 114737, 114740, 114777, 114806, 114901, 115008, 115031, 115054, 115133, 115191, 115227, 115241, 115261, 115270, 115309, 115826, 115897, 115908, 115934, 116058, 116059, 116102, 116123, 116151, 116159, 116177, 116196, 116225, 116229, 116235, 116261, 116287, 116339, 116348, 116360, 116386, 116404, 116434, 116460, 116591, 116622, 116623, 116989, 117662, 117825, 117848, 117855, 117877, 117900, 117909, 117918, 117999, 
118073, 118130, 118143, 118215, 118306, 118377, 118414, 118433, 118448, 119041, 119047, 119129, 119139, 119160, 119394, 119446, 119482, 119500, 119623, 119646, 119680, 119689, 119697, 119711, 119728, 119742, 119754, 119781, 119875, 120231, 120246, 120388, 120504, 120807, 121096, 122007, 122039, 122079, 122109, 123049, 124211, 124252, 124433, 124456, 124508, 124605, 124937, 124955, 124987, 125019, 125028, 125030, 125034, 125094, 125097, 125112, 125120, 125148, 125183, 125253, 125254, 125272, 125326, 125328, 125364, 125409, 125698, 126696, 127225, 127271, 127281, 127475, 127494, 127496, 127504, 127539, 127582, 127617, 127640, 127678, 127728, 127748, 127749, 127751, 127753, 127764, 127792, 127796, 127798, 127825, 127842, 127849, 127855, 127886, 127898, 127908, 127932, 127939, 127941, 128023, 128557, 129009, 129070, 129071, 129095, 129102, 129113, 129144, 129156, 129159, 129173, 129202, 129206, 129208, 129239, 129255, 129273, 129300, 129330, 129400, 129423, 129451, 129455, 129484, 129494, 129679, 129776, 129784, 129811, 129825, 129833, 129835, 129881, 129911, 130080, 130601, 130676] with input [181, 102]
[tsffs info] 955 Interesting edges seen since last report (955 edges total)
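As an added example (not part of this tutorial or of the TSFFS project), the following Python parser reads log lines in the format shown above and builds a per-run coverage summary, so the initial coverage spike can be checked numerically rather than by eye. The sample log embedded in it is constructed and shortened; the line formats match those printed above.

```python
import re

# Constructed, shortened sample of tsffs log lines in the format shown in the tutorial.
SAMPLE_LOG = """\
[tsffs info] Saving initial snapshot
[tsffs info] Testcase: Testcase { testcase: "[181, 102] (2 bytes)", cmplog: false }
[tsffs info] Posting event on processor at time 175.99922852 for 3s (time 178.99922852)
[tsffs info] Simulation stopped with reason Magic { magic_number: StopNormal }
[tsffs info] Testcase: Testcase { testcase: "[139, 250, 96] (3 bytes)", cmplog: false }
[tsffs info] on_magic_instruction(1)
[tsffs info] Interesting input for AFL indices [503, 766, 2935] with input [181, 102]
[tsffs info] 3 Interesting edges seen since last report (3 edges total)
[tsffs info] Testcase: Testcase { testcase: "[1] (1 bytes)", cmplog: false }
[tsffs info] Interesting input for AFL indices [4263] with input [1]
[tsffs info] 1 Interesting edges seen since last report (4 edges total)
"""

# One regex per log line kind we care about; everything else is ignored.
TESTCASE_RE = re.compile(r'Testcase \{ testcase: "\[([\d, ]*)\] \((\d+) bytes\)", cmplog: (true|false) \}')
INTERESTING_RE = re.compile(r"Interesting input for AFL indices \[([\d, ]*)\] with input \[([\d, ]*)\]")
EDGES_RE = re.compile(r"(\d+) Interesting edges seen since last report \((\d+) edges total\)")
STOP_RE = re.compile(r"Simulation stopped with reason (\w+)")


def parse_log(text):
    """Walk the log once and return counts of testcases, interesting inputs,
    total edges, and how often each stop reason (Magic, timeout, ...) occurred."""
    summary = {"testcases": 0, "interesting": [], "edges_total": 0, "stop_reasons": {}}
    for line in text.splitlines():
        if m := TESTCASE_RE.search(line):
            summary["testcases"] += 1
        elif m := INTERESTING_RE.search(line):
            # Number of new AFL map indices this input hit, and the input bytes themselves.
            indices = [int(x) for x in m.group(1).split(",") if x.strip()]
            inp = bytes(int(x) for x in m.group(2).split(",") if x.strip())
            summary["interesting"].append((inp, len(indices)))
        elif m := EDGES_RE.search(line):
            summary["edges_total"] = int(m.group(2))
        elif m := STOP_RE.search(line):
            reason = m.group(1)
            summary["stop_reasons"][reason] = summary["stop_reasons"].get(reason, 0) + 1
    return summary


def first_spike_fraction(summary):
    """Fraction of all edges found that the very first interesting input contributed."""
    if not summary["interesting"] or summary["edges_total"] == 0:
        return 0.0
    return summary["interesting"][0][1] / summary["edges_total"]
```

On a real run, pass the captured Simics console output to `parse_log` and watch `first_spike_fraction` drop as later inputs find new edges; a run where it stays at 1.0 has stopped discovering coverage.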