Coordinator component in savior
The coordinator includes the following components:
A wrapper for launching the fuzzer units. It is extensible, but currently only AFL is supported.
A wrapper for launching the symbolic execution (SE) units. It is extensible, but currently only our modified KLEE is supported.
The switch oracle decides whether and when to launch the SE units. Currently 3 options are available:
- random
This oracle invokes SE at random times to explore seeds in the fuzzer's queue.
- saturate
This oracle monitors the fuzzer instances and only invokes SE once more than half of them have hit a coverage plateau.
- driller_saturate
This oracle is based on Driller's switch heuristic: it only invokes SE once, for more than half of the fuzzer instances, the pending-favored statistic (AFL's `pending_favs`) has not increased over a period of time.
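The two stall-based switch oracles above differ only in which fuzzer statistic they watch for a plateau. The following is an added example, not the coordinator's own code: it reimplements the "more than half of the instances have stalled over a window" decision on constructed stat snapshots (field names and window length are assumptions; AFL's `fuzzer_stats` exposes comparable counters such as `paths_total` and `pending_favs`).

```python
"""Added example (not SAVIOR's own code): saturate and driller_saturate
switch oracles over constructed per-instance stat snapshots."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence


@dataclass(frozen=True)
class Stats:
    """One snapshot of a fuzzer instance (names are ours, modelled on AFL's
    fuzzer_stats counters of the same meaning)."""
    paths_total: int    # queue entries / coverage proxy
    pending_favs: int   # favored entries not yet fuzzed


def is_plateaued(history: Sequence[Stats], window: int,
                 metric: Callable[[Stats], int]) -> bool:
    """True when `metric` has not increased in the last `window` intervals.
    Too little history never counts as a plateau."""
    if len(history) < window + 1:
        return False
    recent = history[-(window + 1):]
    return all(metric(b) <= metric(a) for a, b in zip(recent, recent[1:]))


def majority_stalled(instances: Dict[str, List[Stats]], window: int,
                     metric: Callable[[Stats], int]) -> bool:
    """Launch SE only when strictly more than half of the instances stalled."""
    stalled = sum(is_plateaued(h, window, metric) for h in instances.values())
    return stalled > len(instances) / 2


def saturate(instances: Dict[str, List[Stats]], window: int = 3) -> bool:
    """Coverage plateau: paths_total stopped growing."""
    return majority_stalled(instances, window, lambda s: s.paths_total)


def driller_saturate(instances: Dict[str, List[Stats]], window: int = 3) -> bool:
    """Driller-style: pending favored entries stopped growing."""
    return majority_stalled(instances, window, lambda s: s.pending_favs)


# Constructed snapshots for three instances (oldest first).
SAMPLE = {
    "fuzzer-0": [Stats(100, 5), Stats(120, 6), Stats(120, 6), Stats(120, 6), Stats(120, 6)],
    "fuzzer-1": [Stats(90, 4), Stats(95, 4), Stats(95, 5), Stats(95, 5), Stats(95, 6)],
    "fuzzer-2": [Stats(80, 3), Stats(85, 4), Stats(90, 5), Stats(95, 6), Stats(100, 7)],
}

if __name__ == "__main__":
    # fuzzer-0 and fuzzer-1 have flat coverage, so saturate fires; only
    # fuzzer-0 also has flat pending_favs, so driller_saturate does not.
    print("saturate:", saturate(SAMPLE))
    print("driller_saturate:", driller_saturate(SAMPLE))
```

The strict `>` keeps a two-instance setup from switching on a single stalled fuzzer, and the `len(history) < window + 1` guard avoids firing right after start-up when every counter is still zero.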
The edge/path oracles decide which edges or paths the SE unit should revisit. Currently 6 options are available:
- sequential
Sequentially picks inputs from the fuzzer's queue and feeds them to the SE units.
- random
Assigns a random score to each input in the fuzzer's queue; the scores differ every time the oracle is invoked.
- san-guided
This oracle is guided by sanitizer labels. For each input in the fuzzer's queue it logs the sanitizer branches that the input reached but did not trigger (i.e., where execution took the continue branch), and ranks the inputs from high to low by that count for seed prioritization. The more unsolved sanitizer branches there are on a path, the more bugs can be triggered by negating the unsatisfied branch conditions with concolic execution.
- bug-potential
On top of the untriggered sanitizer branches, this oracle also uses the static reachability results generated by DMA to estimate how many more sanitizer labels become reachable once the unsolved branches are triggered.
To use this oracle, the user needs to fill in the following information in the fuzzing config file:
[auxiliary info]
bug_reach_map=
pair_edge_file=
- avg-bug-potential
Same as bug-potential, but this oracle normalizes the score by the number of edges on the path.
- uncov-edge-bug
On top of the untriggered sanitizer branches, this oracle also uses the static reachability results generated by DMA (run without the -savior-label-only option) to combine code coverage potential with sanitizer label triggering potential. The weights can be adjusted to the user's needs, e.g., whether the primary goal is to cover more code or to trigger more sanitizer-instrumented asserts.
To use this oracle, the user needs to fill in the following information in the fuzzing config file:
[edge oracle]
bug_potential_weight=
code_potential_weight=
[auxiliary info]
code_reach_map=
pair_edge_file=
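The edge/path oracles above are all rankings of the fuzzer's queue by a per-seed score. The following added example (not SAVIOR's own code) writes those scores out for the sequential, random, san-guided, bug-potential, avg-bug-potential and uncov-edge-bug oracles on constructed seed data, and reads the two weights from an `[edge oracle]` config section of the shape shown. The exact formulas, the seed fields and the reachability tables standing in for DMA's output are assumptions that follow the descriptions on this page, not SAVIOR's implementation.

```python
"""Added example (not SAVIOR's own code): edge/path oracle seed scoring."""
import configparser
import random
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence, Tuple


@dataclass
class Seed:
    name: str
    path: List[str]       # edge ids covered when running this input
    unsolved: List[str]   # sanitizer branches reached whose check did not fire


# Constructed stand-ins for DMA's reachability output (real file format not
# shown on this page): branch id -> count reachable once that branch is taken.
BUG_REACH: Dict[str, int] = {"san1": 3, "san2": 0, "san3": 5}    # sanitizer labels
CODE_REACH: Dict[str, int] = {"san1": 10, "san2": 40, "san3": 2}  # uncovered edges


def san_guided(seed: Seed) -> float:
    """Number of untriggered sanitizer branches on the path."""
    return float(len(seed.unsolved))


def bug_potential(seed: Seed, bug_reach: Dict[str, int] = BUG_REACH) -> float:
    """Each unsolved branch counts itself plus the labels DMA says lie behind it."""
    return san_guided(seed) + sum(bug_reach.get(b, 0) for b in seed.unsolved)


def avg_bug_potential(seed: Seed, bug_reach: Dict[str, int] = BUG_REACH) -> float:
    """bug_potential normalised by path length (assumed normalisation)."""
    return bug_potential(seed, bug_reach) / max(len(seed.path), 1)


def uncov_edge_bug(seed: Seed, w_bug: float, w_code: float,
                   bug_reach: Dict[str, int] = BUG_REACH,
                   code_reach: Dict[str, int] = CODE_REACH) -> float:
    """Weighted blend of bug potential and code coverage potential (assumed form)."""
    code = sum(code_reach.get(b, 0) for b in seed.unsolved)
    return w_bug * bug_potential(seed, bug_reach) + w_code * code


def rank(seeds: Sequence[Seed], scorer: Callable[[Seed], float]) -> List[str]:
    """Highest score first; ties keep queue order (Python's sort is stable)."""
    return [s.name for s in sorted(seeds, key=scorer, reverse=True)]


def sequential(seeds: Sequence[Seed]) -> List[str]:
    return [s.name for s in seeds]


def random_order(seeds: Sequence[Seed], rng: random.Random = random.Random()) -> List[str]:
    return rank(seeds, lambda _: rng.random())  # fresh scores on every call


def load_weights(config_text: str) -> Tuple[float, float]:
    """Read the two weights the uncov-edge-bug oracle needs."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    sec = cp["edge oracle"]
    return float(sec["bug_potential_weight"]), float(sec["code_potential_weight"])


# Constructed queue: names follow AFL's queue entry naming, paths are made up.
QUEUE = [
    Seed("id:000000", path=["e1", "e2", "e3", "e4"], unsolved=["san1", "san2"]),
    Seed("id:000001", path=["e1", "e5"], unsolved=["san3"]),
    Seed("id:000002", path=["e1", "e2", "e6", "e7", "e8", "e9"], unsolved=[]),
]

# Constructed config fragment; the auxiliary paths are placeholders.
CONFIG = """
[edge oracle]
bug_potential_weight=1.0
code_potential_weight=0.1

[auxiliary info]
code_reach_map=/placeholder/code_reach_map
pair_edge_file=/placeholder/pair_edge_file
"""

if __name__ == "__main__":
    w_bug, w_code = load_weights(CONFIG)
    for label, scorer in [("san-guided", san_guided), ("bug-potential", bug_potential),
                          ("avg-bug-potential", avg_bug_potential),
                          ("uncov-edge-bug", lambda s: uncov_edge_bug(s, w_bug, w_code))]:
        print(f"{label:18s} {rank(QUEUE, scorer)}")
```

On this data san-guided prefers `id:000000` (two unsolved branches), bug-potential and avg-bug-potential prefer `id:000001` because DMA reports more labels behind `san3`, and uncov-edge-bug swings back to `id:000000` once code potential gets a non-zero weight, which is the trade-off the two weights let the user tune.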