
Question about the test input of driller #56

Open
JsHuang opened this issue Jan 15, 2018 · 4 comments

Comments


JsHuang commented Jan 15, 2018

When testing a program with AFL, the program must read a file as input, so that AFL can do the mutation job on the input file. But driller's test input comes from stdin (see "#48").
In the Driller paper, the CGC test program NRFIN_00017 reads an XML file as input, so how can driller test a program that reads a file as input?


rhelmot commented Jan 15, 2018 via email


JsHuang commented Jan 16, 2018

So you changed AFL to let it test CGC programs that read from stdin?
I tried to use the same command that shellphuzz (https://github.com/shellphish/fuzzer/blob/master/shellphuzz) uses to start afl with the CGC program CADET_00001; the command I used is

/usr/bin/afl-cgc/afl-fuzz -i - -o ./afl-work/CADET_00001/sync -m 8G -Q -M fuzzer-master -x ./afl-work/CADET_00001/CADET_00001.dict -- ./CADET_00001

but it always failed with this error:

    handshake with the injected code. There are two probable explanations:

    - The current memory limit (8.00 GB) is too restrictive, causing an OOM
      fault in the dynamic linker. This can be fixed with the -m option. A
      simple way to confirm the diagnosis may be:

      ( ulimit -Sv $[8191 << 10]; /path/to/fuzzed_app )

      Tip: you can use http://jwilk.net/software/recidivm to quickly
      estimate the required amount of virtual memory for the binary.

    - Less likely, there is a horrible bug in the fuzzer. If other options
      fail, poke <[email protected]> for troubleshooting tips.

[-] PROGRAM ABORT : Fork server handshake failed
         Location : init_forkserver(), afl-fuzz.c:208

If I changed the -m option to "-m none", it also failed:

[*] Spinning up the fork server...

[-] Hmm, looks like the target binary terminated before we could complete a
    handshake with the injected code. Perhaps there is a horrible bug in the
    fuzzer. Poke <[email protected]> for troubleshooting tips.

[-] PROGRAM ABORT : Fork server handshake failed
         Location : init_forkserver(), afl-fuzz.c:2088

I don't know why.
I have looked at your version of driller-afl; it seems you build your own version of afl-qemu-trace. Does this error have anything to do with afl-qemu-trace?
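Two things in this thread are worth having as a runnable check rather than as prose: how AFL decides between stdin and file input (the first comment's question), and the manual memory-limit test that the "Fork server handshake failed" message itself recommends. The script below is an added example written for this page; it is not part of driller, shellphuzz or afl-cgc. AFL feeds the test case on stdin unless the target command line contains `@@`, which AFL replaces with the path of the current test case, and CGC binaries only talk over fd 0/1, so they are fuzzed in the stdin form. The afl-fuzz path, the sync directory and the seed directory are placeholders, not the ones from the thread.

```shell
#!/bin/sh
# Added example (not driller's, shellphuzz's or afl-cgc's code).
#
# afl_cmdline  builds the afl-fuzz invocation for a target that reads its
#              test case from stdin (no "@@", as with CGC binaries) or from a
#              file (AFL substitutes the test case path for "@@").
# mem_to_kb    converts an afl-fuzz -m value to the KB unit ulimit -v uses.
# preflight_target runs the target once under that same virtual-memory cap,
#              which is the diagnostic the fork-server error message suggests:
#              if the binary already dies here, afl-fuzz will never complete
#              the handshake, whatever afl-qemu-trace does.
#
# Placeholders: AFL_FUZZ, SEED_DIR and SYNC_DIR are not the thread's paths.

AFL_FUZZ="${AFL_FUZZ:-/usr/bin/afl-cgc/afl-fuzz}"
SEED_DIR="${SEED_DIR:-./seeds}"
SYNC_DIR="${SYNC_DIR:-./afl-work/sync}"

# afl_cmdline MODE MEM TARGET
#   MODE: "stdin" (AFL pipes the test case to fd 0) or "file" (AFL replaces
#         "@@" with the test case path). MEM: the -m value, e.g. 8G or none.
afl_cmdline() {
    mode=$1; mem=$2; target=$3
    case "$mode" in
        stdin) tail="$target" ;;
        file)  tail="$target @@" ;;
        *) echo "afl_cmdline: mode must be stdin or file" >&2; return 2 ;;
    esac
    printf '%s -i %s -o %s -m %s -Q -M fuzzer-master -- %s\n' \
        "$AFL_FUZZ" "$SEED_DIR" "$SYNC_DIR" "$mem" "$tail"
}

# mem_to_kb MEM -> KB for ulimit -v, or "none" if no limit is wanted.
#   afl-fuzz's -m takes MB by default and accepts k/M/G suffixes.
mem_to_kb() {
    case "$1" in
        none)     echo none ;;
        *G)       echo $(( ${1%G} * 1048576 )) ;;
        *M)       echo $(( ${1%M} * 1024 )) ;;
        *[kK])    echo "${1%[kK]}" ;;
        *[0-9])   echo $(( $1 * 1024 )) ;;
        *) echo "mem_to_kb: bad memory limit '$1'" >&2; return 2 ;;
    esac
}

# preflight_target MEM TARGET [INPUT]
#   Runs TARGET once with INPUT (default /dev/null) on stdin, under the
#   memory cap afl-fuzz would impose, and returns the target's exit status.
#   A non-zero status here explains a "terminated before we could complete a
#   handshake" abort without involving afl-fuzz at all.
preflight_target() {
    mem=$1; target=$2; input=${3:-/dev/null}
    kb=$(mem_to_kb "$mem") || return 2
    if [ "$kb" = none ]; then
        "$target" < "$input" > /dev/null 2>&1
    else
        ( ulimit -Sv "$kb" && "$target" < "$input" > /dev/null 2>&1 )
    fi
}

# Example: the command line afl-fuzz would get for a CGC binary (stdin mode).
afl_cmdline stdin 8G ./CADET_00001
```

Run `preflight_target 8G ./CADET_00001 some_seed` in the same environment where afl-fuzz aborts; if it fails with the cap but succeeds with `none`, the limit is the problem, and if it fails both ways, the binary itself does not start there, which is consistent with the advice in this thread to try it inside the mechaphish container.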


zardus commented Jan 16, 2018

Are you doing this in the shellphish/mechaphish docker container? If not, it could be any number of things... Please try it in the container.


JsHuang commented Jan 16, 2018

Thanks, in the container it runs well.
