FRIDA mode does NOT support multithreading #1605
Comments
AFL++ FRIDA mode only supports a single thread right now, as that's all I needed for my purposes. There are a few options, though, which you could pursue to add multithreading, and PRs would be welcome. If you still wish to fuzz a single thread, but it happens not to be the main thread (e.g. the one which calls main), you could modify main.c to not call the main startup code directly (AFLplusplus/frida_mode/src/main.c, line 200 in 342081d
Alternatively, for all threads to be instrumented, you'd need to modify the portion where stalker is initialised to stalk the other threads too, and then modify the inline instrumentation code to store the previous_pc value in thread local storage instead of a global (although that may well add some performance overhead). Generally I have taken the approach of writing my harnesses to operate in a single-threaded fashion, replacing any IPC with a simple queue and processing the messages on the originating thread.
I made an attempt to handle this and it works for me; please check if it makes any sense.
Is this not equivalent to just setting
I had a program which did the processing in a second thread, setting the entrypoint using
Is your feature request related to a problem? Please describe.
It seems that the current FRIDA mode cannot catch basic block hits happening in a child thread. This limits FRIDA mode's ability to collect coverage for binaries which make heavy use of multithreading. Some programs do almost all of their work in a child thread and nothing in the main thread; in this situation, FRIDA mode cannot collect useful coverage information.
Describe the solution you'd like
Is there some way to collect coverage in child thread with FRIDA mode? Maybe it is hard for FRIDA mode due to the limitation of frida itself.
Describe alternatives you've considered
If edge coverage is hard to implement, is there some way to implement basic block coverage and so on?
Additional context
It is easy to show that the current FRIDA mode does not consider the child thread. Let's look at a simple C++ program:
example.cc
Let's compile the program into a native binary with g++:
Now let's test it with FRIDA mode, enabling AFL_FRIDA_INST_TRACE. The results of the following two runs will be very different: the first one will output continuously, while the second one only outputs a few lines and then nothing more.
I think the result is abnormal. Maybe it is the limitation of frida itself. Any ideas?
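The original example.cc is not reproduced on this page, so the following is an added, constructed program (not the reporter's code and not part of AFL++) that reproduces the shape of the scenario described: a `process()` routine with data-dependent branches that can be run either on the main thread or on a worker thread that main merely joins. The `--main` flag, the `process()` logic and the compile line `g++ -O0 -pthread example.cc -o example` are assumptions for illustration. Running both variants under FRIDA mode with `AFL_FRIDA_INST_TRACE` set makes the difference the issue describes observable: if only the main thread is stalked, the blocks inside `process()` are traced in the `--main` run but not in the worker-thread run, even though both compute the same value.

```cpp
#include <cstdint>
#include <cstdio>
#include <iostream>
#include <iterator>
#include <string>
#include <thread>

// Toy "processing" routine with data-dependent branches, so that
// different inputs exercise different basic blocks. Coverage of these
// blocks is what a fuzzer needs to see. (Constructed for this example.)
uint32_t process(const std::string &input) {
    uint32_t acc = 0;
    for (unsigned char c : input) {
        if (c == '\n') continue;
        if (c >= '0' && c <= '9')
            acc = acc * 10 + (c - '0');   // digits accumulate as a number
        else if (c >= 'a' && c <= 'z')
            acc ^= c;                     // lowercase letters are XORed in
        else
            acc += c;                     // everything else is added
    }
    return acc;
}

// Variant 1: the work happens on the main thread, which FRIDA mode stalks.
uint32_t run_on_main_thread(const std::string &input) {
    return process(input);
}

// Variant 2: the work happens on a child thread; main only spawns and joins.
// This mirrors the "main thread does nothing" case from the issue.
uint32_t run_on_worker_thread(const std::string &input) {
    uint32_t result = 0;
    std::thread worker([&input, &result] { result = process(input); });
    worker.join();
    return result;
}

int main(int argc, char **argv) {
    // Read the whole input from stdin, as a fuzz target typically would.
    std::string input((std::istreambuf_iterator<char>(std::cin)),
                      std::istreambuf_iterator<char>());

    // Hypothetical "--main" flag selects the main-thread variant; the
    // default runs the worker-thread variant.
    bool use_worker = !(argc > 1 && std::string(argv[1]) == "--main");
    uint32_t r = use_worker ? run_on_worker_thread(input)
                            : run_on_main_thread(input);
    std::printf("%s thread: %u\n", use_worker ? "worker" : "main", r);
    return 0;
}
```

Usage: `echo 12a | ./example` and `echo 12a | ./example --main` print the same value; the point of the comparison is not the output but what the instrumentation trace shows for `process()` in each run. When diagnosing missing coverage in a multithreaded target, this kind of two-variant harness isolates "the code is not reached" from "the code is reached on a thread the instrumentation does not follow".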