Nautilus is a coverage guided, grammar based fuzzer. You can use it to improve your test coverage and find more bugs. By specifying the grammar of semi valid inputs, Nautilus is able to perform complex mutation and to uncover more interesting test cases. Many of the ideas behind this fuzzer are documented in a Paper published at NDSS 2019.
Version 2.0 has added many improvements to this early prototype and is now 100% compatible with AFL++. Besides general usability improvements, Version 2.0 includes lots of shiny new features:
- Support for AFL-Qemu mode
- Support for grammars specified in python
- Support for non-context free grammars using python scripts to generate inputs from the structure
- Support for specifying binary protocols/formats
- Support for specifying regex based terminals that aren't part of the directed mutations
- Better ability to avoid generating the same very short inputs over and over
- Massive cleanup of the code base
- Helpful error output on invalid grammars
- Fixed a bug in the the timeout code that occasionally deadlocked the fuzzer
You specify a grammar using rules such as EXPR -> EXPR + EXPR
or EXPR -> NUM
and NUM -> 1
. From these rules, the fuzzer constructs a tree. This internal representation allows to apply much more complex mutations than raw bytes. This tree is then turned into a real input for the target application. In normal Context Free Grammars, this process is straightforward: all leaves are concatenated. The left tree in the example below would unparse to the input a=1+2
and the right one to a=1+1+1+2
. To increase the expressiveness of your grammars, using Nautilus you are able to provide python functions for the unparsing process to allow much more complex specifications.
# checkout the git
git clone '[email protected]:nautilus-fuzz/nautilus.git'
cd nautilus
/path/to/AFLplusplus/afl-clang-fast test.c -o test #afl-clang-fast as provided by AFL
# all arguments can also be set using the config.ron file
cargo run --release -- -g grammars/grammar_py_example.py -o /tmp/workdir -- ./test @@
# or if you want to use QEMU mode:
cargo run /path/to/AFLplusplus/afl-qemu-trace -- ./test_bin @@
Here, we use python to generate a grammar for valid xml-like inputs. Notice the use of a script rule to ensure the the opening and closing tags match.
#ctx.rule(NONTERM: string, RHS: string|bytes) adds a rule NONTERM->RHS. We can use {NONTERM} in the RHS to request a recursion.
ctx.rule("START","<document>{XML_CONTENT}</document>")
ctx.rule("XML_CONTENT","{XML}{XML_CONTENT}")
ctx.rule("XML_CONTENT","")
#ctx.script(NONTERM:string, RHS: [string]], func) adds a rule NONTERM->func(*RHS).
# In contrast to normal `rule`, RHS is an array of nonterminals.
# It's up to the function to combine the values returned for the NONTERMINALS with any fixed content used.
ctx.script("XML",["TAG","ATTR","XML_CONTENT"], lambda tag,attr,body: b"<%s %s>%s</%s>"%(tag,attr,body,tag) )
ctx.rule("ATTR","foo=bar")
ctx.rule("TAG","some_tag")
ctx.rule("TAG","other_tag")
#sometimes we don't want to explore the set of possible inputs in more detail. For example, if we fuzz a script
#interpreter, we don't want to spend time on fuzzing all different variable names. In such cases we can use Regex
#terminals. Regex terminals are only mutated during generation, but not during normal mutation stages, saving a lot of time.
#The fuzzer still explores different values for the regex, but it won't be able to learn interesting values incrementally.
#Use this when incremantal exploration would most likely waste time.
ctx.regex("TAG","[a-z]+")
To test your grammars you can use the generator:
$ cargo run --bin generator -- -g grammars/grammar_py_exmaple.py -t 100
<document><some_tag foo=bar><other_tag foo=bar><other_tag foo=bar><some_tag foo=bar></some_tag></other_tag><some_tag foo=bar><other_tag foo=bar></other_tag></some_tag><other_tag foo=bar></other_tag><some_tag foo=bar></some_tag></other_tag><other_tag foo=bar></other_tag><some_tag foo=bar></some_tag></some_tag></document>
You can also use Nautilus in combination with AFL. Simply point AFL -o
to the same workdir, and AFL will synchronize
with Nautilus. Note that this is one way. AFL imports Nautilus inputs, but not the other way around.
#Terminal/Screen 1
./afl-fuzz -Safl -i /tmp/seeds -o /tmp/workdir/ ./test @@
#Terminal/Screen 2
cargo run --release -- -o /tmp/workdir -- ./test @@
- chakra-core/ChakraCore#5503
- mruby/mruby#3995 (CVE-2018-10191)
- mruby/mruby#4001 (CVE-2018-10199)
- mruby/mruby#4038 (CVE-2018-12248)
- mruby/mruby#4027 (CVE-2018-11743)
- mruby/mruby#4036 (CVE-2018-12247)
- mruby/mruby#4037 (CVE-2018-12249)
- https://bugs.php.net/bug.php?id=76410
- https://bugs.php.net/bug.php?id=76244
nautilus's People
Forkers
asdyxcyxc jarlob thomasking2014 ash1n2 cokesme sthagen riusksk sucof akshayjaing jack51706 adrian-rt killvxk ant4g0nist mcgrady1 h1994st thuanpv thurday mshsmlv deimon135 developer191 ababook colorlight graydon springri esperanto9657 dkoch144 secretnonempty spector-in-london andreafioraldi grant-h yetingli cityoflight77 alexsandershaw howknows cancelll microsvuln ptr-yudai bott0n debach domenukk rchildre3 qijiale kveinaxel omergreen lenawanel reshahar beneficialcode 1013503897 twizmwazin changochen thomastno 47cid ava-rider-aura-security qrxqrx nereuxofficial kirimoe 0x4b16b2 jamestiotio bendrissou vanhauser-thc r9295 2010youy01 ophirharpaznautilus's Issues
Panicked while fuzzing
Hi, I am trying to set up nautilus. When I use the grammar of javascript to test sqlite, it panicked with the following log after running for 33 mins:
thread 'fuzzer_1' panicked at 'couldn't read child hello: Custom { kind: TimedOut, error: "timed out waiting for fd to be ready" }', forksrv/src/lib.rs:95:17
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
thread 'main' panicked at 'RAND_2698731594: Any', fuzzer/src/main.rs:495:9
The CMD line I am using is: cargo run --release -- -g grammars/javascript_new.py -o /tmp/workdir -- ~/sqlite/bld2/sqlite3 -init @@
Cannot generate grammar caused by panic
Panic when generating grammar. Here is my setup on ubuntu 20.04
cityoflight@nautilus:~/nautilus$ rustc -V
rustc 1.57.0-nightly (9dd4ce80f 2021-09-17)
cityoflight@nautilus:~/nautilus$ python3
Python 3.8.10 (default, Sep 28 2021, 16:10:42)
[GCC 9.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>>
Panic trace
cityoflight@nautilus:~/nautilus$ RUST_BACKTRACE=1 cargo run --bin generator -- -g grammars/grammar_py_example.py -t 2
Finished dev [unoptimized + debuginfo] target(s) in 0.07s
Running `target/debug/generator -g grammars/grammar_py_example.py -t 2`
thread 'main' panicked at 'assertion failed: `(left != right)`
left: `0`,
right: `0`: The Python interpreter is not initalized and the `auto-initialize` feature is not enabled.
Consider calling `pyo3::prepare_freethreaded_python()` before attempting to use Python APIs.', /home/cityoflight/.cargo/registry/src/github.com-1ecc6299db9ec823/pyo3-0.14.5/src/gil.rs:224:21
stack backtrace:
0: rust_begin_unwind
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/panicking.rs:517:5
1: core::panicking::panic_fmt
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/core/src/panicking.rs:103:14
2: core::panicking::assert_failed_inner
3: core::panicking::assert_failed
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/core/src/panicking.rs:141:5
4: pyo3::gil::GILGuard::acquire::{{closure}}
at /home/cityoflight/.cargo/registry/src/github.com-1ecc6299db9ec823/pyo3-0.14.5/src/gil.rs:224:21
5: parking_lot::once::Once::call_once_force::{{closure}}
at /home/cityoflight/.cargo/registry/src/github.com-1ecc6299db9ec823/parking_lot-0.11.2/src/once.rs:189:13
6: parking_lot::once::Once::call_once_slow
at /home/cityoflight/.cargo/registry/src/github.com-1ecc6299db9ec823/parking_lot-0.11.2/src/once.rs:304:9
7: parking_lot::once::Once::call_once_force
at /home/cityoflight/.cargo/registry/src/github.com-1ecc6299db9ec823/parking_lot-0.11.2/src/once.rs:188:9
8: pyo3::gil::GILGuard::acquire
at /home/cityoflight/.cargo/registry/src/github.com-1ecc6299db9ec823/pyo3-0.14.5/src/gil.rs:220:17
9: pyo3::python::Python::acquire_gil
at /home/cityoflight/.cargo/registry/src/github.com-1ecc6299db9ec823/pyo3-0.14.5/src/python.rs:214:9
10: generator::python_grammar_loader::load_python_grammar
at ./fuzzer/src/python_grammar_loader.rs:77:15
11: generator::main
at ./fuzzer/src/generator.rs:86:15
12: core::ops::function::FnOnce::call_once
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/core/src/ops/function.rs:227:5
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
shm_id "No space left on device"
I have tried running Nautilus on both Mac OS and Ubuntun, but its crashing.
Running target/release/fuzzer -o findings -- ./test '@@'
[2024-07-01] 12:44:07 Starting Fuzzing...
thread 'fuzzer_1' panicked at forksrv/src/lib.rs:192:17:
shm_id "No space left on device"
note: run with RUST_BACKTRACE=1
environment variable to display a backtrace
Segmentation fault
Are there any memory requirements?
`regex_mutator::generate()` panics
regex_mutator::generate()
panics with the following examples
"[^+*?]+"
"[^xu]"
"[^\\\\']"
"u{[0-9a-fA-F]+}"
".*"
"\\$[a-zA-Z_]\\w*"
"\\s"
share memory config error
Regex mutator panics when producing u32 values above char::MAX
The following regex rule can produce a u32 value that cannot be converted to a char :
ctx.regex(u'ANY', '.*')
As a consequence, the regex_mutator
will panic in append_unicode_range
on line 116, because from_u32
will return a None
that the code tries to unwrap:
fn append_unicode_range(res: &mut Vec<u8>, scr: &mut RegexScript, cls: ClassUnicodeRange) {
let mut chr_a_buf = [0; 4];
let mut chr_b_buf = [0; 4];
cls.start().encode_utf8(&mut chr_a_buf);
cls.end().encode_utf8(&mut chr_b_buf);
let a = u32::from_le_bytes(chr_a_buf);
let b = u32::from_le_bytes(chr_b_buf);
let c = scr.get_range(a as usize, (b + 1) as usize) as u32;
append_char(res, std::char::from_u32(c).unwrap());
}
I suggest capping the value of b+1
to char::MAX
to prevent this error, or using char::from_u32_unchecked
instead.
ANTLR support
Hi,
I realise that the ANTLR parser don't seem to be in this new version of nautilus, is the import of ANTLR grammars into nautilus no longer supported?
Support for specifying binary protocols/formats
Hi @eqv,
This Nautilus 2.0 looks great! I am interested in its new feature that supports binary protocols/formats. It would be great if you could add some tutorial(s) showing how it can be done. For example, how can we fuzz popular targets like LibPNG or ProFTPD with Nautilus 2.0?
Cheers!
Thuan
shmem error when fuzzing solidity
I got an error when I run nautilus with solidity as my target. It said thread 'fuzzer_2' panicked at 'shm_id "No space left on device
.
thread 'fuzzer_1' panicked at 'shm_id "No space left on device"', forksrv/src/lib.rs:205:17
stack backtrace:
thread 'fuzzer_2' panicked at 'shm_id "No space left on device"', forksrv/src/lib.rs:205:17
0: 0x5555556e6bfc - std::backtrace_rs::backtrace::libunwind::trace::h2ab374bc2a3b7023
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/../../backtrace/src/backtrace/libunwind.rs:90:5
1: 0x5555556e6bfc - std::backtrace_rs::backtrace::trace_unsynchronized::h128cb5178b04dc46
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/../../backtrace/src/backtrace/mod.rs:66:5
2: 0x5555556e6bfc - std::sys_common::backtrace::_print_fmt::h5344f9eefca2041f
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/sys_common/backtrace.rs:67:5
3: 0x5555556e6bfc - <std::sys_common::backtrace::_print::DisplayBacktrace as core::fmt::Display>::fmt::h213003bc5c7acf04
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/sys_common/backtrace.rs:46:22
4: 0x555555708e5c - core::fmt::write::h78bf85fc3e93663f
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/core/src/fmt/mod.rs:1126:17
5: 0x5555556e4165 - std::io::Write::write_fmt::he619515c888f21a5
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/io/mod.rs:1667:15
6: 0x5555556e87c0 - std::sys_common::backtrace::_print::hf706674f77848203
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/sys_common/backtrace.rs:49:5
7: 0x5555556e87c0 - std::sys_common::backtrace::print::hf0b6c7a88804ec56
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/sys_common/backtrace.rs:36:9
8: 0x5555556e87c0 - std::panicking::default_hook::{{closure}}::h2dde766cd83a333a
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/panicking.rs:210:50
9: 0x5555556e8377 - std::panicking::default_hook::h501e3b2e134eb149
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/panicking.rs:227:9
10: 0x5555556e8e74 - std::panicking::rust_panic_with_hook::hc09e869c4cf00885
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/panicking.rs:624:17
11: 0x5555556e8950 - std::panicking::begin_panic_handler::{{closure}}::hc2c6d70142458fc8
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/panicking.rs:521:13
12: 0x5555556e70a4 - std::sys_common::backtrace::__rust_end_short_backtrace::had58f7c459a1cd6e
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/sys_common/backtrace.rs:141:18
13: 0x5555556e88b9 - rust_begin_unwind
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/panicking.rs:517:5
14: 0x55555559db3b - std::panicking::begin_panic_fmt::h72e1f9ab89522086
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/panicking.rs:460:5
15: 0x5555556c4322 - forksrv::ForkServer::new::h32c3a55efbd4dcac
16: 0x5555555c827e - fuzzer::fuzzer::Fuzzer::new::hc13533b0a5d67be8
17: 0x5555555a44f5 - fuzzer::fuzzing_thread::h8950c25ab0c74bcf
18: 0x5555555ae752 - std::sys_common::backtrace::__rust_begin_short_backtrace::h256253a3ae85ff90
19: 0x5555555c1497 - core::ops::function::FnOnce::call_once{{vtable.shim}}::h85a6a903e174724b
20: 0x5555556ec653 - <alloc::boxed::Box<F,A> as core::ops::function::FnOnce<Args>>::call_once::h59eef3b9c8a82350
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/alloc/src/boxed.rs:1636:9
21: 0x5555556ec653 - <alloc::boxed::Box<F,A> as core::ops::function::FnOnce<Args>>::call_once::hb5bbe017c347469c
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/alloc/src/boxed.rs:1636:9
22: 0x5555556ec653 - std::sys::unix::thread::Thread::new::thread_start::h62931528f61e35f5
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/sys/unix/thread.rs:106:17
23: 0x7ffff7a1f609 - start_thread
at /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
24: 0x7ffff77ef293 - clone
25: 0x0 - <unknown>
stack backtrace:
Segmentation fault
But I still have much free space on disk.
cityoflight77@vps:~/nautilus$ df -h /
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 150G 35G 110G 24% /
cityoflight77@vps:~/nautilus$ df -h /dev/shm
Filesystem Size Used Avail Use% Mounted on
tmpfs 7.7G 0 7.7G 0% /dev/shm
default shared memory limits
cityoflight77@vps:~/nautilus$ ipcs -l
------ Messages Limits --------
max queues system wide = 32000
max size of message (bytes) = 8192
default max size of queue (bytes) = 16384
------ Shared Memory Limits --------
max number of segments = 4096
max seg size (kbytes) = 18014398509465599
max total shared memory (kbytes) = 18014398509481980
min seg size (bytes) = 1
------ Semaphore Limits --------
max number of arrays = 32000
max semaphores per array = 32000
max semaphores system wide = 1024000000
max ops per semop call = 500
semaphore max value = 32767
When I change shmmni to bigger value and reboot than default nautilus will return same error.
And same error happened when I try to fuzz mruby with root. But the error doesn't happened when I fuzz mruby with sudo user.
Any idea @andreafioraldi ?
Disable generation during fuzzing
Hi,
I am experimenting with multiple mutation-based fuzzers. In order to properly evaluate the mutation approach of the Nautilus tool, I would like to disable the generation feature of the tool. That is, I want to prevent Nautilus from generating inputs from scratch during fuzzing iterations. Is this option available?
Thank you.
Hangup in php fuzz
Hi,
I adopted Nautilus on PHP.
After fuzzing for a while, It hangs up.
Then I launched 10 instances for PHP and all of them have this problem.
See follow.
_ _ _ _ _
| \ | | | | (_) |
| \| | __ _ _ _| |_ _| |_ _ ___
| . ` |/ _` | | | | __| | | | | / __|
| |\ | (_| | |_| | |_| | | |_| \__ \
|_| \_|\__,_|\__,_|\__|_|_|\__,_|___/
|_| \_|\__,_|\__,_|\__|_|_|\__,_|___/
------------------------------------------------------
Run Time: 0 days, 4 hours, 12 minutes, 46 seconds
Execution Count: 1230536
Executions per Sec: 217
Left in queue: 3266
Trees in Chunkstore: 8312
------------------------------------------------------
Last ASAN crash: Not found yet.
Last SIG crash: Not found yet.
Last Timeout: [2020-07-26] 23:35:20
Total ASAN crashes: 0
Total SIG crashes: 0
------------------------------------------------------
New paths found by Gen: 53
New paths found by Min: 726
New paths found by Min Rec: 470
New paths found by Det: 12
New paths found by Splice: 5160
New paths found by Havoc: 1474
New paths found by Havoc Rec: 657
------------------------------------------------------
Hangup------------------------------------------------
Do you have any idea about this problem?
Thanks.
thread 'fuzzer_1' panicked at 'couldn't read child hello
When i run 'cargo run ../AFLplusplus/afl-qemu-trace -- ./main @@', it's fail.
Finished dev [unoptimized + debuginfo] target(s) in 0.04s
Running target/debug/fuzzer ../AFLplusplus/afl-qemu-trace -- ./main '@@'
[2022-11-22] 08:13:05 Starting Fuzzing...
thread 'fuzzer_1' panicked at 'couldn't read child hello: Error { kind: UnexpectedEof, message: "failed to fill whole buffer" }', forksrv/src/lib.rs:98:22.
What should I address it?
Add weights to grammar
Feature: Let the user specify weights for individual rules, that are used to bias generation towards/against these specific rules.
regex_mutator always outputting empty strings
nautilus/regex_mutator/src/lib.rs
Line 171 in b6fa83d
Should probably be while !stack.is_empty()
Large path gap in ChakraCore fuzz
Hi, I found when I fuzz ChakraCore with nautilus( with the builtin js grammar), the path number of different instance can be extremely different.
I launched 10 fuzz instances at the same time and fuzz for 24 hours, one instance discovered 13.3k path while others discovered only 6~7k.
As the paper shows, the p-value of nautilus is low. So I wonder the reason for this situation.
`#![feature]` may not be used on the stable release channel
When I run the command "cargo run --release -- -g grammars/grammar_py_example.py -o /tmp/workdir -- ./test @@", there is some errors:
error[E0554]: #![feature]
may not be used on the stable release channel
--> grammartec/src/lib.rs:17:1
|
17 | #![feature(exclusive_range_pattern)]
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
error[E0554]: #![feature]
may not be used on the stable release channel
--> grammartec/src/lib.rs:18:1
|
18 | #![feature(step_trait)]
| ^^^^^^^^^^^^^^^^^^^^^^^
error[E0554]: #![feature]
may not be used on the stable release channel
--> grammartec/src/lib.rs:18:12
|
18 | #![feature(step_trait)]
| ^^^^^^^^^
What should I do next.
Nautilus not synchronising with AFL
Hi,
I have been trying to run Nautilus in combination with AFL, as illustrated in the Readme. However the "S" instance is not aware of the "M" instance, and is not importing its entries.
Terminal 1
cargo run --release -- -o findings -- ./test @@
Terminal 2
afl-fuzz -Safl -i seeds -o findings ./test @@
afl-fuzz++4.10a based on afl by Michal Zalewski and a large online community
[+] AFL++ is maintained by Marc "van Hauser" Heuse, Dominik Maier, Andrea Fioraldi and Heiko "hexcoder" Eißfeldt
[+] AFL++ is open source, get it at https://github.com/AFLplusplus/AFLplusplus
[+] NOTE: AFL++ >= v3 has changed defaults and behaviours - see README.md
[*] Getting to work...
[+] Using exploration-based constant power schedule (EXPLORE)
[+] Enabled testcache with 50 MB
[+] Generating fuzz data with a length of min=1 max=1048576
[*] Checking core_pattern...
[!] WARNING: Could not check CPU scaling governor
[+] You have 4 CPU cores and 5 runnable tasks (utilization: 125%).
[*] Setting up output directories...
[*] Checking CPU core loadout...
[+] Found a free CPU core, try binding to #3.
[!] WARNING: no -M main node found. It is recommended to run exactly one main instance.
The synchronisation works fine when using an AFL M instance.
No path while fuzzing ChakraCore
Nautilus cannot find any path while fuzzing ChakraCore with grammars/javascript_new.py
.
I set up nautilus with the instructions in README.md
Then I enlarged the size of bitmap to 1 << 20 and instrument ChakraCore with afl-clang-fast.
modified the config.ron
at
bitmap_size: 1048576, //1<<20
pathed file forksrv/src/lib.rs
at
return (shm_id, trace_bits as *mut [u8; 1 << 20]);
Fuzzer status
It cannot find any path during fuzzing. See following output.
------------------------------------------------------
Run Time: 0 days, 0 hours, 0 minutes, 45 seconds
Execution Count: 2643
Executions per Sec: 71
Left in queue: 0
Trees in Chunkstore: 1
------------------------------------------------------
Last ASAN crash: Not found yet.
Last SIG crash: Not found yet.
Last Timeout: No Timeout yet.
Total ASAN crashes: 0
Total SIG crashes: 0
------------------------------------------------------
New paths found by Gen: 1
New paths found by Min: 0
New paths found by Min Rec: 0
New paths found by Det: 0
New paths found by Splice: 0
New paths found by Havoc: 0
New paths found by Havoc Rec: 0
------------------------------------------------------
My System Infomation
git:(master) ✗ uname -a
Linux alucard 4.15.0-76-generic #86-Ubuntu SMP Fri Jan 17 17:24:28 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
git:(master) ✗ rustc --version
rustc 1.45.0-nightly (75e1463c5 2020-05-13)
git:(master) ✗ rustup toolchain list
stable-x86_64-unknown-linux-gnu (default)
nightly-2020-05-14-x86_64-unknown-linux-gnu
does not compile with latest rust toolchains.
What rust toolchain are you using to compile the project.
It failed with multiple toolchains on different packages for different reasons.
So far I've tried:
stable-x86_64-unknown-linux-gnu
nightly-2019-09-11-x86_64-unknown-linux-gnu
nightly-2019-12-11-x86_64-unknown-linux-gnu
nightly-x86_64-unknown-linux-gnu (default)
NONE of these is able to compile and run the simple example:
cargo run --bin generator -- -g grammars/lua.py -t 100
Missing parse function
Hi,
Is there a way to parse a string input to a tree using Nautilus? There is an unparse
function, but no parse
function.
This is important when using seed inputs, or when verifying the validity of a given input.
Thank you.
Error while running the generator
While running the command from the example i get the following error:
researcher@DESKTOP:~/leaning_to_fuzz/nautilus$ RUST_BACKTRACE=1 cargo run --bin generator -- -g grammars/grammar_py_example.py -t 100
Finished dev [unoptimized + debuginfo] target(s) in 0.07s
Runningtarget/debug/generator -g grammars/grammar_py_example.py -t 100
thread 'main' panicked at 'Mismatch between definition and access oftree_depth
. Could not downcast to usize, need to downcast to alloc::string::String
', fuzzer/src/generator.rs:67:10
stack backtrace:
0: rust_begin_unwind
at /rustc/d5a82bbd26e1ad8b7401f6a718a9c57c96905483/library/std/src/panicking.rs:575:5
1: core::panicking::panic_fmt
at /rustc/d5a82bbd26e1ad8b7401f6a718a9c57c96905483/library/core/src/panicking.rs:64:14
2: clap::parser::error::MatchesError::unwrap
at /home/researcher/.cargo/registry/src/github.com-1ecc6299db9ec823/clap-4.0.32/src/parser/error.rs:30:9
3: clap::parser::matches::arg_matches::ArgMatches::get_one
at /home/researcher/.cargo/registry/src/github.com-1ecc6299db9ec823/clap-4.0.32/src/parser/matches/arg_matches.rs:113:9
4: generator::main
at ./fuzzer/src/generator.rs:66:23
5: core::ops::function::FnOnce::call_once
at /rustc/d5a82bbd26e1ad8b7401f6a718a9c57c96905483/library/core/src/ops/function.rs:507:5
note: Some details are omitted, run withRUST_BACKTRACE=full
for a verbose backtrace.
some errors while fuzzing
I get such errors while fuzzing. Should I be worried?
thread 'fuzzer_18' panicked at 'internal error: entered unreachable code', grammartec/src/tree.rs:350:17
note: run with RUST_BACKTRACE=1
environment variable to display a backtrace
thread 'fuzzer_10' panicked at 'internal error: entered unreachable code', grammartec/src/tree.rs:350:17
thread 'fuzzer_20' panicked at 'internal error: entered unreachable code', grammartec/src/tree.rs:350:17
I also get things like "found fu**y bit 4299"
Bug in regex_mutator unicode generation
Hello,
it seems like there is a bug in the regex mutator.
If you supply the following grammar to the generator
ctx.rule("START", "{CHAR}")
ctx.regex("CHAR", ".")
it panics every other invocation in append_unicode_range()
:
$ ./target/release/generator -g ./demo.py -t 1
thread 'main' panicked at 'called `Option::unwrap()` on a `None` value', regex_mutator/src/lib.rs:113:45
stack backtrace:
0: rust_begin_unwind
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/std/src/panicking.rs:517:5
1: core::panicking::panic_fmt
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/core/src/panicking.rs:103:14
2: core::panicking::panic
at /rustc/9dd4ce80fb01d1ff5cb5002f08b7b3847b59e664/library/core/src/panicking.rs:50:5
3: regex_mutator::generate
4: grammartec::rule::Rule::generate
5: grammartec::tree::Tree::generate_from_rule
6: grammartec::context::Context::generate_tree_from_nt
7: generator::main
Cannot Compile Generator
The generator binary will not compile for me.
Not sure what details are relevant here.
Cargo version 1.61.0
Cloned master
Ubuntu 20.04
> RUST_BACKTRACE=1 cargo run --bin generator -- -g grammars/grammar_py_example.py -t 100
Finished dev [unoptimized + debuginfo] target(s) in 0.06s
Running `target/debug/generator -g grammars/grammar_py_example.py -t 100`
thread 'main' panicked at 'Mismatch between definition and access of `tree_depth`. Could not downcast to usize, need to downcast to alloc::string::String
', fuzzer/src/generator.rs:67:10
stack backtrace:
0: rust_begin_unwind
at /build/rustc-ZOqcvC/rustc-1.61.0+dfsg1/library/std/src/panicking.rs:584:5
1: core::panicking::panic_fmt
at /build/rustc-ZOqcvC/rustc-1.61.0+dfsg1/library/core/src/panicking.rs:143:14
2: clap::parser::error::MatchesError::unwrap
at /home/username/.cargo/registry/src/github.com-1ecc6299db9ec823/clap-4.0.32/src/parser/error.rs:30:9
3: clap::parser::matches::arg_matches::ArgMatches::get_one
at /home/username/.cargo/registry/src/github.com-1ecc6299db9ec823/clap-4.0.32/src/parser/matches/arg_matches.rs:113:9
4: generator::main
at ./fuzzer/src/generator.rs:66:23
5: core::ops::function::FnOnce::call_once
at /build/rustc-ZOqcvC/rustc-1.61.0+dfsg1/library/core/src/ops/function.rs:227:5
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
Error while compile and run test demo
Hi !
I just followed your instruction to fuzz the test.c demo with nautilus but I got this :
Compiling textwrap v0.11.0
error[E0554]: #![feature] may not be used on the stable release channel
--> /home/crypt/.cargo/registry/src/github.com-1ecc6299db9ec823/lock_api-0.3.3/src/lib.rs:89:34
|
89 | #![cfg_attr(feature = "nightly", feature(const_fn))]
| ^^^^^^^^^^^^^^^^^
error: aborting due to previous error
For more information about this error, try rustc --explain E0554.
error: could not compile lock_api.
warning: build failed, waiting for other jobs to finish...
error: build failed
Also, I didn't succeed at running this command :
git clone '[email protected]:nautilus-fuzz/nautilus.git'
Because I got this error :
Cloning into 'nautilus'...
[email protected]: Permission denied (publickey).
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
Thus I just cloned the repository in this way :
git clone https://github.com/nautilus-fuzz/nautilus.git
Any workaround for the first error ?
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.