
Bytecode instrumentation vs. settrace #16

@pd-fkie


Hello atheris team,

I would like to propose an improvement to atheris that can at least double the execution speed of your fuzzer.

In atheris you use sys.settrace for coverage collection, but this is not the fastest approach. It is possible to instrument .py files the way AFL instruments .c files in order to get rid of all the runtime overhead. At the beginning of each basic block a call to atheris.log(idx) can be inserted that, like __afl_maybe_log(idx), treats idx as an offset into the counter region and increments the corresponding byte. This way the number of instrumented locations is known at compile time, and a call to atheris.reg(num) can be inserted at the very beginning of the module that tells atheris how many counters this module needs. At the beginning of a fuzz target, where all modules are imported, atheris collects the atheris.reg calls and keeps track of the overall number of counters needed. In atheris.Fuzz() a memory region of a suitable size can be allocated and used as the region for counters.

This is perfectly compatible with your approach of fuzzing C/C++ extensions. The extensions just have to be built with -fsanitize-coverage=inline-8bit-counters.

However, this is not perfect. It does not support

  1. data-flow guided fuzzing
  2. differential fuzzing, since the counters of each module start at 0

But I can imagine these limitations are not hard to overcome.

Here is a POC I've built that implements the concept described above: python-fuzz-poc
I've used the POC to fuzz some libraries and found quite some bugs with it and the results are very promising. On average I get a 5x performance boost in contrast to sys.settrace.

I am very interested in your opinion about this approach. What do you think of this idea?
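A minimal working model of the scheme described in the issue, added here as an illustration; it is not code from the issue, from atheris, or from the linked POC. It instruments at the AST level instead of the bytecode level (a simplification), inserting a `_rt.log(idx)` probe at the start of every block body and a `_rt.reg(num)` call at the top of the module, with a bytearray standing in for the 8-bit counter region. `CounterRegion`, `_rt`, `BlockInstrumenter`, `instrument`, `run_instrumented` and the `classify` sample are all names made up for this example.

```python
import ast
class CounterRegion:
    def __init__(self):
        self.counters = bytearray()  # the counter region, allocated by reg()
    def reg(self, num):
        # Proposed atheris.reg(num): allocate one 8-bit counter per instrumented location.
        self.counters = bytearray(num)
    def log(self, idx):
        # Like __afl_maybe_log(idx): idx is an offset into the region; increment, wrap at 255.
        self.counters[idx] = (self.counters[idx] + 1) & 0xFF
_rt = CounterRegion()  # hypothetical stand-in for the atheris runtime

class BlockInstrumenter(ast.NodeTransformer):
    """Insert _rt.log(idx) at the start of every block body (function, branch, loop, handler)."""
    next_idx = 0  # next free counter index; bumped per instance in _probe
    def _probe(self):
        idx, self.next_idx = self.next_idx, self.next_idx + 1
        log = ast.Attribute(ast.Name("_rt", ast.Load()), "log", ast.Load())
        return ast.Expr(ast.Call(log, [ast.Constant(idx)], []))
    def generic_visit(self, node):
        super().generic_visit(node)  # children first, so probe ids are assigned post-order
        if not isinstance(node, ast.Module):
            for field in ("body", "orelse", "finalbody"):
                stmts = getattr(node, field, None)
                if isinstance(stmts, list) and stmts and isinstance(stmts[0], ast.stmt):
                    stmts.insert(0, self._probe())
        return node

def instrument(source):
    """Return (instrumented AST, counter count); _rt.reg(count) goes at the top of the module."""
    tree, inst = ast.parse(source), BlockInstrumenter()
    inst.visit(tree)
    reg = ast.Attribute(ast.Name("_rt", ast.Load()), "reg", ast.Load())
    tree.body.insert(0, ast.Expr(ast.Call(reg, [ast.Constant(inst.next_idx)], [])))
    return ast.fix_missing_locations(tree), inst.next_idx

SAMPLE = '''
def classify(n):
    if n < 0:
        return "negative"
    for i in range(n):
        if i % 2: continue
    return "done"
'''  # constructed sample fuzz target, not code from any real project
def run_instrumented(source, entry, arg):
    """Exec the instrumented module, call entry(arg) once, return the counter region."""
    ns = {"_rt": _rt}
    exec(compile(instrument(source)[0], "<instrumented>", "exec"), ns)
    ns[entry](arg)
    return bytes(_rt.counters)
```

Running `classify(3)` yields the region `b'\x00\x01\x03\x01'`: the negative branch untouched, the odd-number branch hit once, the loop body three times, the function entry once. Each exec re-runs `reg`, which is exactly the "counters start at 0 per module" property the issue lists as a limitation for differential fuzzing.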
