From 5246e52be3bf4427791000355cbef86626b43eca Mon Sep 17 00:00:00 2001
From: Fabian Meumertzheim
Date: Fri, 29 Jan 2021 16:20:19 +0100
Subject: Initial commit
---
 .../jazzer/instrumentor/Instrumentor.kt | 39 ++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 agent/src/main/java/com/code_intelligence/jazzer/instrumentor/Instrumentor.kt
(limited to 'agent/src/main/java/com/code_intelligence/jazzer/instrumentor/Instrumentor.kt')
diff --git a/agent/src/main/java/com/code_intelligence/jazzer/instrumentor/Instrumentor.kt b/agent/src/main/java/com/code_intelligence/jazzer/instrumentor/Instrumentor.kt
new file mode 100644
index 00000000..b0b3bb0b
--- /dev/null
+++ b/agent/src/main/java/com/code_intelligence/jazzer/instrumentor/Instrumentor.kt
@@ -0,0 +1,39 @@
+// Copyright 2021 Code Intelligence GmbH
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.code_intelligence.jazzer.instrumentor
+
+import org.objectweb.asm.Opcodes
+import org.objectweb.asm.tree.MethodNode
+
+enum class InstrumentationType {
+ CMP,
+ COV,
+ DIV,
+ GEP,
+}
+
+internal interface Instrumentor {
+ fun instrument(bytecode: ByteArray): ByteArray
+
+ fun shouldInstrument(access: Int): Boolean {
+ return (access and Opcodes.ACC_ABSTRACT == 0) &&
+ (access and Opcodes.ACC_NATIVE == 0)
+ }
+
+ fun shouldInstrument(method: MethodNode): Boolean {
+ return shouldInstrument(method.access) &&
+ method.instructions.size() > 0
+ }
+}
-- cgit v1.2.3
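Review bot: The flag tests in `shouldInstrument(access)` depend on Kotlin's infix `and` binding tighter than `==`, which is the reverse of the Java `&`/`==` ordering most readers carry in their head, so the expression is correct but easy to misjudge in review; writing the masks explicitly, `(access and Opcodes.ACC_ABSTRACT) == 0 && (access and Opcodes.ACC_NATIVE) == 0`, removes the dependence on precedence. The new interface and enum also carry no KDoc: `instrument` should state its contract (whether the returned array may be the input unchanged and what a caller should expect for bytes it cannot process), and the access check deserves a why-comment such as `// Abstract and native methods carry no bytecode to instrument.`. `InstrumentationType` would benefit from one line per constant, since `CMP`/`COV`/`DIV`/`GEP` presumably mirror libFuzzer's trace callbacks and are opaque to anyone who does not already know that mapping.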
From 0bcfd380fae4e121e3275fe05c9b8101ffca3fff Mon Sep 17 00:00:00 2001
From: Fabian Meumertzheim
Date: Fri, 12 Feb 2021 09:56:53 +0100
Subject: Update dependencies (#5) * Update dependencies * Fail if changed Maven deps are not repinned * Extract ASM API version into Instrumentor
---
 .../java/com/code_intelligence/jazzer/instrumentor/Instrumentor.kt | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'agent/src/main/java/com/code_intelligence/jazzer/instrumentor/Instrumentor.kt')
diff --git a/agent/src/main/java/com/code_intelligence/jazzer/instrumentor/Instrumentor.kt b/agent/src/main/java/com/code_intelligence/jazzer/instrumentor/Instrumentor.kt
index b0b3bb0b..d467a5cb 100644
--- a/agent/src/main/java/com/code_intelligence/jazzer/instrumentor/Instrumentor.kt
+++ b/agent/src/main/java/com/code_intelligence/jazzer/instrumentor/Instrumentor.kt
@@ -36,4 +36,8 @@ internal interface Instrumentor {
 return shouldInstrument(method.access) &&
 method.instructions.size() > 0
 }
+
+ companion object {
+ const val ASM_API_VERSION = Opcodes.ASM9
+ }
 }
-- cgit v1.2.3
From 14ada3769e88861b2214670320c5e20d918dbce4 Mon Sep 17 00:00:00 2001
From: Fabian Meumertzheim
Date: Mon, 22 Feb 2021 07:21:52 +0100
Subject: Hook reflective calls Calls through reflection are the equivalent of indirect calls in C/C++. With this commit, caller-callee relationships (hook ID and hash of method descriptor) are tracked by libFuzzer via the __sanitizer_cov_trace_pc_indir callback.
---
 .../main/java/com/code_intelligence/jazzer/instrumentor/Instrumentor.kt | 1 +
 1 file changed, 1 insertion(+)
(limited to 'agent/src/main/java/com/code_intelligence/jazzer/instrumentor/Instrumentor.kt')
diff --git a/agent/src/main/java/com/code_intelligence/jazzer/instrumentor/Instrumentor.kt b/agent/src/main/java/com/code_intelligence/jazzer/instrumentor/Instrumentor.kt
index d467a5cb..50904e61 100644
--- a/agent/src/main/java/com/code_intelligence/jazzer/instrumentor/Instrumentor.kt
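Review bot: `ASM_API_VERSION` is introduced in the new companion object without any comment on what it governs or what constrains its value. Since it is presumably the `api` argument handed to every ASM visitor the instrumentor builds, and ASM visitors reject an api level newer than the library they ship with, the constant should say so, e.g. `/** ASM API level passed to all visitors; must not exceed the bundled ASM library's version. */`, so the next dependency bump (this commit is itself one) updates both together. The enclosing `internal interface Instrumentor` starts outside the hunk.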
+++ b/agent/src/main/java/com/code_intelligence/jazzer/instrumentor/Instrumentor.kt
@@ -22,6 +22,7 @@ enum class InstrumentationType {
 COV,
 DIV,
 GEP,
+ INDIR,
 }
 
 internal interface Instrumentor {
-- cgit v1.2.3
From 71ac55c6fc9d808bcc8a8e8d895f7f20141bec86 Mon Sep 17 00:00:00 2001
From: Fabian Meumertzheim
Date: Mon, 22 Mar 2021 14:48:58 +0100
Subject: Do not intercept JVM-internal C stdlib calls (#45) * Replace uses of quick_exit and at_quick_exit quick_exit is not supported on macOS, but can easily replaced by a call to _Exit after running our cleanup manually. * Run buildifier --lint=fix -r . * Build libFuzzer from source Building libFuzzer from source is easy and has multiple advantages: * The clang distributed with XCode on macOS does not include libFuzzer. * Applying a small patch to libFuzzer will allow us to replace the --wrap linker feature, which is not supported on platforms other than Linux. * Replace -Wl,--wrap with a source code patch * Pin non-native rules_python * Print exit code on test failure * Do not intercept JVM-internal C stdlib calls The JVM frequently calls strcmp/memcmp/..., which fills up the table of recent compares with entries that are either duplicates of values already reported by the bytecode instrumentation or JDK-internal strings that are not relevant for fuzzing. This commit adds an ignorelist to the C stdlib interceptors that filters out calls from known JVM libraries. If the fuzz target has not yet loaded a native library, all such callbacks are ignored, which greatly improves fuzzer performance for string-heavy targets. E.g., JsonSanitizerDenylistFuzzer takes < 1 million runs now when it used to take over 3 million.
---
 .../main/java/com/code_intelligence/jazzer/instrumentor/Instrumentor.kt | 1 +
 1 file changed, 1 insertion(+)
(limited to 'agent/src/main/java/com/code_intelligence/jazzer/instrumentor/Instrumentor.kt')
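Review bot: `INDIR` joins `InstrumentationType` without a comment, so the only explanation of what it selects is this commit message. A one-line KDoc on the constant, `/** Reflective calls, reported to libFuzzer as indirect calls via __sanitizer_cov_trace_pc_indir. */`, keeps that knowledge next to the code. The same applies to `NATIVE`, added in 71ac55c6 and again in c95ecbf9 after the revert, whose purpose (gating the C stdlib interceptors described in those messages) is equally invisible from the enum itself.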
diff --git a/agent/src/main/java/com/code_intelligence/jazzer/instrumentor/Instrumentor.kt b/agent/src/main/java/com/code_intelligence/jazzer/instrumentor/Instrumentor.kt
index 50904e61..78793842 100644
--- a/agent/src/main/java/com/code_intelligence/jazzer/instrumentor/Instrumentor.kt
+++ b/agent/src/main/java/com/code_intelligence/jazzer/instrumentor/Instrumentor.kt
@@ -23,6 +23,7 @@ enum class InstrumentationType {
 DIV,
 GEP,
 INDIR,
+ NATIVE,
 }
 
 internal interface Instrumentor {
-- cgit v1.2.3
From f938920a37042376e56c7ac771886565bcfe8b5e Mon Sep 17 00:00:00 2001
From: Fabian Meumertzheim
Date: Mon, 22 Mar 2021 14:49:05 +0100
Subject: Revert "Do not intercept JVM-internal C stdlib calls (#45)" This reverts commit 71ac55c6fc9d808bcc8a8e8d895f7f20141bec86.
---
 .../main/java/com/code_intelligence/jazzer/instrumentor/Instrumentor.kt | 1 -
 1 file changed, 1 deletion(-)
(limited to 'agent/src/main/java/com/code_intelligence/jazzer/instrumentor/Instrumentor.kt')
diff --git a/agent/src/main/java/com/code_intelligence/jazzer/instrumentor/Instrumentor.kt b/agent/src/main/java/com/code_intelligence/jazzer/instrumentor/Instrumentor.kt
index 78793842..50904e61 100644
--- a/agent/src/main/java/com/code_intelligence/jazzer/instrumentor/Instrumentor.kt
+++ b/agent/src/main/java/com/code_intelligence/jazzer/instrumentor/Instrumentor.kt
@@ -23,7 +23,6 @@ enum class InstrumentationType {
 DIV,
 GEP,
 INDIR,
- NATIVE,
 }
 
 internal interface Instrumentor {
-- cgit v1.2.3
From c95ecbf9db8263eea620384666ee724fa75b1b1b Mon Sep 17 00:00:00 2001
From: Fabian Meumertzheim
Date: Fri, 19 Mar 2021 14:26:02 +0100
Subject: Do not intercept JVM-internal C stdlib calls The JVM frequently calls strcmp/memcmp/..., which fills up the table of recent compares with entries that are either duplicates of values already reported by the bytecode instrumentation or JDK-internal strings that are not relevant for fuzzing. This commit adds an ignorelist to the C stdlib interceptors that filters out calls from known JVM libraries. If the fuzz target has not yet loaded a native library, all such callbacks are ignored, which greatly improves fuzzer performance for string-heavy targets. E.g., JsonSanitizerDenylistFuzzer takes < 1 million runs now when it used to take over 3 million.
---
 .../main/java/com/code_intelligence/jazzer/instrumentor/Instrumentor.kt | 1 +
 1 file changed, 1 insertion(+)
(limited to 'agent/src/main/java/com/code_intelligence/jazzer/instrumentor/Instrumentor.kt')
diff --git a/agent/src/main/java/com/code_intelligence/jazzer/instrumentor/Instrumentor.kt b/agent/src/main/java/com/code_intelligence/jazzer/instrumentor/Instrumentor.kt
index 50904e61..78793842 100644
--- a/agent/src/main/java/com/code_intelligence/jazzer/instrumentor/Instrumentor.kt
+++ b/agent/src/main/java/com/code_intelligence/jazzer/instrumentor/Instrumentor.kt
@@ -23,6 +23,7 @@ enum class InstrumentationType {
 DIV,
 GEP,
 INDIR,
+ NATIVE,
 }
 
 internal interface Instrumentor {
-- cgit v1.2.3
From 04fd630ec184fa1da44881dbb0ffafa67c15d4cf Mon Sep 17 00:00:00 2001
From: Fabian Meumertzheim
Date: Fri, 26 Mar 2021 11:33:30 +0100
Subject: Shade external dependencies Fuzz targets may use the ASM libraries or JaCoCo themselves, which can lead to dependency version conflicts. To counter this, we shade all our external dependencies into the com.code_intelligence.jazzer.third_party.* package using bazel_jar_jar when we build the instrumentor library. The seemingly simpler approach of applying jar shading directly to the jazzer_agent_deploy.jar does not work as jarjar is unable to handle some of the Kotlin runtime files in the resulting jar.
---
 .../java/com/code_intelligence/jazzer/instrumentor/Instrumentor.kt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'agent/src/main/java/com/code_intelligence/jazzer/instrumentor/Instrumentor.kt')
diff --git a/agent/src/main/java/com/code_intelligence/jazzer/instrumentor/Instrumentor.kt b/agent/src/main/java/com/code_intelligence/jazzer/instrumentor/Instrumentor.kt
index 78793842..86ad45a3 100644
--- a/agent/src/main/java/com/code_intelligence/jazzer/instrumentor/Instrumentor.kt
+++ b/agent/src/main/java/com/code_intelligence/jazzer/instrumentor/Instrumentor.kt
@@ -14,8 +14,8 @@
 
 package com.code_intelligence.jazzer.instrumentor
 
-import org.objectweb.asm.Opcodes
-import org.objectweb.asm.tree.MethodNode
+import com.code_intelligence.jazzer.third_party.objectweb.asm.Opcodes
+import com.code_intelligence.jazzer.third_party.objectweb.asm.tree.MethodNode
 
 enum class InstrumentationType {
 CMP,
-- cgit v1.2.3