Struct hyperpom::core::HyperPom

source · 
pub struct HyperPom<L: 'static + Loader, LD, GD> { /* private fields */ }
Expand description

The main fuzzer object.

HyperPom

This structure offers the main interface to start and interact with the fuzzer. A new instance can be created using HyperPom::new and expects four arguments.

  • A crate::config::Config object that contains the parameters used to configure the fuzzer (the number of workers to instanciate, the path to the corpus directory, the seed for the PRNG, etc.).
  • An implementation of the crate::loader::Loader trait, to give the necessary tools and information to the fuzzer so that workers can load the targeted program.
  • A Global Data structure, which is a generic type used by the fuzzer to share data between all workers.
  • A Local Data structure, which is a generic type that gets cloned passed to each workers so they can store local data.

Once the different objects needed have been instanciated, the fuzzer can be run using HyperPom::fuzz. It will create as many threads as defined by the configuration and instanciate one worker in it. Each worker run independently while occasionally sharing some information (coverage, global data, corpus, etc.).

For more information about fuzzing workers, refer to Worker.

Example

use hyperpom::config::Config;
use hyperpom::core::HyperPom;
use hyperpom::loader::Loader;

#[derive(Clone)]
pub struct GlobalData(u32);

#[derive(Clone)]
pub struct LocalData(u32);

#[derive(Clone)]
pub struct DummyLoader;

impl Loader for DummyLoader {
    // [...]
}

// We instanciate a global data object.
let gdata = GlobalData(0);
// We instanciate a local data object.
let ldata = LocalData(0);

// `loader` contains the methods that will load and map the program from the file `binary`.
let loader = DummyLoader::new("./binary");

// We create a configuration for the fuzzer.
let config = Config::builder(0x10000000, "/tmp/hyperpom/", "/tmp/corpus/")
    .nb_workers(64)
    .seed(0xdeadbeef)
    .timeout(std::time::Duration::new(60, 0))
    .iterations(Some(1))
    .build();

// We instanciate the fuzzer and pass the previous arguments to it.
let mut hp = HyperPom::<DummyLoader, LocalData, GlobalData>::new(config, loader, ldata, gdata)
    .unwrap();

// The fuzzer can now be started.
hp.fuzz().expect("fuzzing failed");

Implementations

Creates a new instance of the fuzzer.

Returns the maximum number of Workers that can be instanciated for the fuzzer (i.e. the number of applevisor::Vcpu that can be created).

Starts the fuzzer.

This function creates one thread per Worker. Each Worker gets:

  • a copy of the Config;
  • a copy of the Loader;
  • a copy of the Hooks;
  • a local data instance;
  • a shared reference to the global data;
  • a shared reference to the corpus;

Workers also get a reference to the global physical memory pma, so that each instance can set up its own virtual address space backed by a single PhysMemAllocator.

Panic

Workers are expected to be resilient and responsible for handling their own errors. If an error cannot be handled, the thread should panic.

Auto Trait Implementations

Blanket Implementations

Gets the TypeId of self. Read more
Immutably borrows from an owned value. Read more
Mutably borrows from an owned value. Read more

Returns the argument unchanged.

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

The type returned in the event of a conversion error.
Performs the conversion.
The type returned in the event of a conversion error.
Performs the conversion.