Merge pull request #5 from PAMunb/distance-coverage-orderer

Distance coverage orderer

cmd/dogefuzz/env.go

@@ -76,6 +76,7 @@ type Env interface {
 	BlackboxFuzzer() interfaces.Fuzzer
 	GreyboxFuzzer() interfaces.Fuzzer
 	DirectedGreyboxFuzzer() interfaces.Fuzzer
+	OtherDirectedGreyboxFuzzer() interfaces.Fuzzer
 	PowerSchedule() interfaces.PowerSchedule
 }
 
@@ -128,11 +129,12 @@ type env struct {
 	transactionsCheckerJob        interfaces.CronJob
 	transactionsTimeoutCheckerJob interfaces.CronJob
 
-	fuzzerLeader          interfaces.FuzzerLeader
-	blackboxFuzzer        interfaces.Fuzzer
-	greyboxFuzzer         interfaces.Fuzzer
-	directedGreyboxFuzzer interfaces.Fuzzer
-	powerSchedule         interfaces.PowerSchedule
+	fuzzerLeader               interfaces.FuzzerLeader
+	blackboxFuzzer             interfaces.Fuzzer
+	greyboxFuzzer              interfaces.Fuzzer
+	directedGreyboxFuzzer      interfaces.Fuzzer
+	otherDirectedGreyboxFuzzer interfaces.Fuzzer
+	powerSchedule              interfaces.PowerSchedule
 }
 
 func NewEnv(cfg *config.Config) *env {
@@ -477,6 +479,13 @@ func (e *env) DirectedGreyboxFuzzer() interfaces.Fuzzer {
 	return e.directedGreyboxFuzzer
 }
 
+func (e *env) OtherDirectedGreyboxFuzzer() interfaces.Fuzzer {
+	if e.otherDirectedGreyboxFuzzer == nil {
+		e.otherDirectedGreyboxFuzzer = fuzz.NewOtherDirectedGreyboxFuzzer(e)
+	}
+	return e.otherDirectedGreyboxFuzzer
+}
+
 func (e *env) PowerSchedule() interfaces.PowerSchedule {
 	if e.powerSchedule == nil {
 		e.powerSchedule = fuzz.NewPowerSchedule(e)

fuzz/common.go

@@ -15,6 +15,7 @@ type env interface {
 	BlackboxFuzzer() interfaces.Fuzzer
 	GreyboxFuzzer() interfaces.Fuzzer
 	DirectedGreyboxFuzzer() interfaces.Fuzzer
+	OtherDirectedGreyboxFuzzer() interfaces.Fuzzer
 	PowerSchedule() interfaces.PowerSchedule
 
 	TransactionService() interfaces.TransactionService
@@ -33,6 +34,8 @@ func buildOrderer(strategy common.PowerScheduleStrategy, contract *dto.ContractD
 		return newCoverageBasedOrderer()
 	case common.DISTANCE_BASED_STRATEGY:
 		return newDistanceBasedOrderer(contract)
+	case common.DISTANCE_COVERAGE_BASED_STRATEGY:
+		return newDistanceCoverageBasedOrderer(contract)
 	default:
 		panic(fmt.Sprintf("invalid power schedule strategy: %s", strategy))
 	}

fuzz/distance_coverage_orderer.go

@@ -0,0 +1,83 @@
+package fuzz
+
+import (
+	"math"
+	"sort"
+
+	"github.com/dogefuzz/dogefuzz/pkg/dto"
+)
+
+type distanceCoverageBasedOrderer struct {
+	contract *dto.ContractDTO
+}
+
+func newDistanceCoverageBasedOrderer(contract *dto.ContractDTO) *distanceCoverageBasedOrderer {
+	return &distanceCoverageBasedOrderer{contract}
+}
+
+func (o *distanceCoverageBasedOrderer) OrderTransactions(transactions []*dto.TransactionDTO) {
+	sort.SliceStable(transactions, func(i, j int) bool {
+		return o.computeScore(transactions[i]) > o.computeScore(transactions[j])
+	})
+}
+
+func (o *distanceCoverageBasedOrderer) computeScore(transaction *dto.TransactionDTO) float64 {
+	return math.Max(o.computeCriticalInstructionsHits(transaction), math.Max(o.computeCoverage(transaction), o.computeDistance(transaction)))
+}
+
+func (o *distanceCoverageBasedOrderer) computeCoverage(transaction *dto.TransactionDTO) float64 {
+	var totalInstructions = len(o.contract.CFG.Instructions)
+	var executedInstructions = len(transaction.ExecutedInstructions)
+
+	if totalInstructions != 0 {
+		return float64(executedInstructions) / float64(totalInstructions)
+	}
+
+	return 0
+}
+
+func (o *distanceCoverageBasedOrderer) computeDistance(transaction *dto.TransactionDTO) float64 {
+	var maxDistance map[string]uint32
+	var distanceSum int64 = 0
+	var distancePercentage float64 = 0
+	var minDistance uint64 = transaction.DeltaMinDistance
+
+	for _, distance := range o.contract.DistanceMap {
+		if maxDistance == nil {
+			maxDistance = make(map[string]uint32)
+			for pc := range distance {
+				maxDistance[pc] = 0
+			}
+		}
+
+		for instr := range maxDistance {
+			if val, ok := distance[instr]; ok {
+				if val != math.MaxUint32 && val > maxDistance[instr] {
+					maxDistance[instr] = val
+				}
+			}
+		}
+	}
+
+	for _, distance := range maxDistance {
+		distanceSum += int64(distance)
+	}
+
+	if minDistance >= uint64(math.MaxUint32) {
+		minDistance -= math.MaxUint32
+	}
+
+	if distanceSum != 0 {
+		distancePercentage = float64(minDistance) / float64(distanceSum)
+	}
+
+	return distancePercentage
+}
+
+func (o *distanceCoverageBasedOrderer) computeCriticalInstructionsHits(transaction *dto.TransactionDTO) float64 {
+	if o.contract.TargetInstructionsFreq != 0 {
+		return float64(transaction.CriticalInstructionsHits) / float64(o.contract.TargetInstructionsFreq)
+	}
+
+	return 0
+}

fuzz/leader.go

@@ -6,16 +6,18 @@ import (
 )
 
 type fuzzerLeader struct {
-	blackboxFuzzer        interfaces.Fuzzer
-	greyboxFuzzer         interfaces.Fuzzer
-	directedGreyboxFuzzer interfaces.Fuzzer
+	blackboxFuzzer             interfaces.Fuzzer
+	greyboxFuzzer              interfaces.Fuzzer
+	directedGreyboxFuzzer      interfaces.Fuzzer
+	otherDirectedGreyboxFuzzer interfaces.Fuzzer
 }
 
 func NewFuzzerLeader(e env) *fuzzerLeader {
 	return &fuzzerLeader{
-		blackboxFuzzer:        e.BlackboxFuzzer(),
-		greyboxFuzzer:         e.GreyboxFuzzer(),
-		directedGreyboxFuzzer: e.DirectedGreyboxFuzzer(),
+		blackboxFuzzer:             e.BlackboxFuzzer(),
+		greyboxFuzzer:              e.GreyboxFuzzer(),
+		directedGreyboxFuzzer:      e.DirectedGreyboxFuzzer(),
+		otherDirectedGreyboxFuzzer: e.OtherDirectedGreyboxFuzzer(),
 	}
 }
 
@@ -27,6 +29,8 @@ func (l *fuzzerLeader) GetFuzzerStrategy(typ common.FuzzingType) (interfaces.Fuz
 		return l.greyboxFuzzer, nil
 	case common.DIRECTED_GREYBOX_FUZZING:
 		return l.directedGreyboxFuzzer, nil
+	case common.OTHER_DIRECTED_GREYBOX_FUZZING:
+		return l.otherDirectedGreyboxFuzzer, nil
 	default:
 		return nil, ErrFuzzerTypeNotFound
 	}

fuzz/other_directed_greybox.go

@@ -0,0 +1,66 @@
+package fuzz
+
+import (
+	"strings"
+
+	"github.com/dogefuzz/dogefuzz/pkg/common"
+	"github.com/dogefuzz/dogefuzz/pkg/interfaces"
+	"github.com/ethereum/go-ethereum/accounts/abi"
+)
+
+// This is temporally, it is like 'directed_greybox' but with another strategy to order seeds
+type otherDirectedGreyboxFuzzer struct {
+	powerSchedule interfaces.PowerSchedule
+
+	solidityService interfaces.SolidityService
+	functionService interfaces.FunctionService
+	contractService interfaces.ContractService
+}
+
+func NewOtherDirectedGreyboxFuzzer(e env) *otherDirectedGreyboxFuzzer {
+	return &otherDirectedGreyboxFuzzer{
+		powerSchedule:   e.PowerSchedule(),
+		solidityService: e.SolidityService(),
+		functionService: e.FunctionService(),
+		contractService: e.ContractService(),
+	}
+}
+
+func (f *otherDirectedGreyboxFuzzer) GenerateInput(functionId string) ([]interface{}, error) {
+	function, err := f.functionService.Get(functionId)
+	if err != nil {
+		return nil, err
+	}
+
+	contract, err := f.contractService.Get(function.ContractId)
+	if err != nil {
+		return nil, err
+	}
+
+	abiDefinition, err := abi.JSON(strings.NewReader(contract.AbiDefinition))
+	if err != nil {
+		return nil, err
+	}
+	method := abiDefinition.Methods[function.Name]
+
+	seedsList, err := f.powerSchedule.RequestSeeds(functionId, common.DISTANCE_COVERAGE_BASED_STRATEGY)
+	if err != nil {
+		return nil, err
+	}
+
+	chosenSeeds := common.RandomChoice(seedsList)
+
+	inputs := make([]interface{}, len(method.Inputs))
+	for inputsIdx, inputDefinition := range method.Inputs {
+		handler, err := f.solidityService.GetTypeHandlerWithContext(inputDefinition.Type)
+		if err != nil {
+			return nil, err
+		}
+		handler.SetValue(chosenSeeds[inputsIdx])
+		mutationFunction := common.RandomChoice(handler.GetMutators())
+		mutationFunction()
+		inputs[inputsIdx] = handler.GetValue()
+	}
+
+	return inputs, nil
+}

listener/env.go

@@ -40,5 +40,6 @@ type Env interface {
 	BlackboxFuzzer() interfaces.Fuzzer
 	GreyboxFuzzer() interfaces.Fuzzer
 	DirectedGreyboxFuzzer() interfaces.Fuzzer
+	OtherDirectedGreyboxFuzzer() interfaces.Fuzzer
 	PowerSchedule() interfaces.PowerSchedule
 }

pkg/common/types.go

@@ -30,9 +30,10 @@ var (
 type FuzzingType string
 
 const (
-	BLACKBOX_FUZZING         FuzzingType = "blackbox"
-	GREYBOX_FUZZING          FuzzingType = "greybox"
-	DIRECTED_GREYBOX_FUZZING FuzzingType = "directed_greybox"
+	BLACKBOX_FUZZING               FuzzingType = "blackbox"
+	GREYBOX_FUZZING                FuzzingType = "greybox"
+	DIRECTED_GREYBOX_FUZZING       FuzzingType = "directed_greybox"
+	OTHER_DIRECTED_GREYBOX_FUZZING FuzzingType = "other_directed_greybox"
 )
 
 type ContractStatus string
@@ -77,8 +78,9 @@ type DistanceMap map[string]map[string]uint32 // blockPC => instruction => dista
 type PowerScheduleStrategy string
 
 const (
-	DISTANCE_BASED_STRATEGY PowerScheduleStrategy = "distance_based"
-	COVERAGE_BASED_STRATEGY PowerScheduleStrategy = "coverage_based"
+	DISTANCE_BASED_STRATEGY          PowerScheduleStrategy = "distance_based"
+	COVERAGE_BASED_STRATEGY          PowerScheduleStrategy = "coverage_based"
+	DISTANCE_COVERAGE_BASED_STRATEGY PowerScheduleStrategy = "distance_coverage_based"
 )
 
 type TaskReport struct {

pkg/solc/compiler.go

@@ -13,6 +13,7 @@ import (
 	"regexp"
 	"strconv"
 	"strings"
+	"time"
 
 	"github.com/Masterminds/semver/v3"
 	"github.com/dogefuzz/dogefuzz/pkg/common"
@@ -25,23 +26,40 @@ var ErrContractNotFound = errors.New("the contract was not found in compiled cod
 
 type solidityCompiler struct {
 	storageFolder string
+	versions      []string
 }
 
 func NewSolidityCompiler(storageFolder string) *solidityCompiler {
-	return &solidityCompiler{storageFolder: storageFolder}
+	versions, err := getDescendingOrderedVersionsFromSolidyBinariesEndpoint()
+	if err != nil {
+		versions = []string{}
+	}
+	return &solidityCompiler{storageFolder: storageFolder, versions: versions}
 }
 
 func (c *solidityCompiler) CompileSource(contractName string, contractSource string) (*common.Contract, error) {
 	if len(contractSource) == 0 {
 		return nil, ErrEmptySourceFile
 	}
 
-	solcVersion, err := getIdealSolcVersionBasedOnSource(contractSource)
-	if err != nil {
-		return nil, err
+	var solcVersion *semver.Version
+	maxRetries := 5
+	var err error
+	for retries := 1; retries <= maxRetries; retries++ {
+		if retries == maxRetries {
+			return nil, err
+		}
+
+		solcVersion, err = c.getIdealSolcVersionBasedOnSource(contractSource)
+		if err != nil {
+			time.Sleep(100 * time.Millisecond)
+			continue
+		}
+		break
 	}
 
 	var solcBinaryLocation string
+
 	if location, ok := c.getSolcBinaryLocationIfExists(solcVersion); ok {
 		solcBinaryLocation = location
 	} else {
@@ -154,10 +172,14 @@ func run(cmd *exec.Cmd, source string, maxVersion *semver.Version) (map[string]*
 	return compiler.ParseCombinedJSON(stdout.Bytes(), source, maxVersion.String(), maxVersion.String(), strings.Join(buildArgs(maxVersion), " "))
 }
 
-func getIdealSolcVersionBasedOnSource(source string) (*semver.Version, error) {
-	versions, err := getDescendingOrderedVersionsFromSolidyBinariesEndpoint()
-	if err != nil {
-		return nil, err
+func (c *solidityCompiler) getIdealSolcVersionBasedOnSource(source string) (*semver.Version, error) {
+	var versions = c.versions
+	if len(versions) == 0 {
+		var err error
+		versions, err = getDescendingOrderedVersionsFromSolidyBinariesEndpoint()
+		if err != nil {
+			return nil, err
+		}
 	}
 
 	versionConstraint, err := extractVersionConstraintFromSource(source)