This repository contains the source code of the tool, SeedUI: Understanding Initial Seeds in Fuzzing, that is accepted at 1st International Workshop on Explainable Automated Software Engineering (Ex-ASE 2025).
A demonstration of SeedUI is available in YouTube.
- SeedUI requires some pre-requisites to be installed in your system.
- To skip running fuzzing campaigns and gathering fuzzing corpus, you can directly follow the quick instructions which uses saved corpus in the
examplesdirectory. - If you would like to know the complete sequence of steps that can work on any target that can be fuzzed using AFL++ or Honggfuzz, you can follow the complete instructions.
-
AflPlusPlus compiled after applying
external/rename_seeds_afl.patch.[or]
Honggfuzz compiled after applying
external/rename_seeds_honggfuzz.patch -
LLVM >= 14.0.6
In general, a corpus should be extracted from fuzzing campaigns (more information in run-fuzzers).
However, to quickly look at SeedUI, we provide a fuzzing corpora that is extracted from 5 minutes fuzzing campaigns of AFL++ and Honggfuzz on readelf.
We will use this saved corpus in the following steps.
There are three steps to run SeedUI, as follows:
- Compile AFL++ in your local machine. SeedUI uses
afl-qemu-traceto extractdrcovtrace information. You can use our handy script in theexternaldirectory for this purpose or use the instructions mentioned in AFL++ Wiki.cd external bash compile_aflpp.sh - Compile
binutils-gdbwith debug information enabled: usually with-gflag. We provide a handy script in theexamples/readelf/localdirectory:cd examples/readelf/local bash compile_binutils_debug.sh - Extract
drcovtrace for saved corpus items usingafl-qemu-trace. We also provided a python script to extract the line coverage for this corpus:examples/readelf/extract_binary_traces.py. Execute the following commands to extract line coverage:cd examples/readelf/ unzip saved_corpus.zip python3 extract_binary_traces.py
- A configuration file needs to be specified to the server. We provide the configuration file for the example being discussed (
readelf) inexamples/readelf/readelf.ron. The description of the configuration options is explained here. To start the server with the configuration file, use the following commands:cd server cargo build --release ./target/release/server ../examples/readelf.ron [or] cd server cargo run -r --package server --bin server ../examples/readelf.ron
To start the web client, use the following commands in another terminal:
cd web
npm install
npm run build
npm start
Once the client is successfully build, you can access the web interface at https://localhost:3000/
There are four steps to run SeedUI, as follows:
- Run fuzzing campaign(s) on a target
- Extract
drcovtraces for each of the seed saved in the corpus - Start SeedUI server
- Start SeedUI web client
- Please refer to Afl++ documentation for instructions to run AFL++.
- Please refer to Honggfuzz documentation for instructions to run Honggfuzz.
- Compile AFL++ in your local machine. SeedUI uses
afl-qemu-traceto extractdrcovtrace information. You can use our handy script in theexternaldirectory for this purpose or use the instructions mentioned in AFL++ Wiki.cd external bash compile_aflpp.sh - Compile the target being fuzzed
binutils-gdbwith debug information enabled: usually with-gflag. We provide a handy script forreadelfin theexamples/readelf/localdirectory:cd examples/readelf/local bash compile_binutils_debug.sh - Extract
drcovtrace for each of the corpus items usingafl-qemu-trace. We also provided a handy python script for this purpose:examples/extract_binary_traces_general.py. Make sure to update the Binary path, Corpus path, Trace path in the python file before executing it. An example for extracting the traces is explained here.
-
A configuration file needs to be specified while starting the server. An example configuration for
readelfis already provided inexamples/readelf/readelf.ron. Here we explain different parts of the configuration file:UserConfig( target_info: TargetConfig( target_path: "", # absolute path to the target binary compiled with DWARF debug information target_source_code_path: "", # absolute path to the source code of the target target_include_filter: [""], # absolute folder path(s) that contains source files to be included for line coverage allowed_extensions: [], # allowed file extension(s) to record line coverage: e.g., "c", "cpp" ), fuzzer_infos: [ ( fuzzer_configuration_id: 1, # incremental integer fuzzer_configuration: "", # desired name of the configuration traces_directory_path: "", # absolute path to the drcov traces directory inputs_directory_path: "", # absolute path to the queue folder of the AFL++ corpus ), ... ] )
-
The configuration file should then be passed to start the server as follows:
cd server cargo build --release ./target/release/server path/to/configuration.ron
To start the web client, use the following commands in another terminal:
cd web
npm install
npm run build
npm start
Once the client is successfully build, you can access the web interface at https://localhost:3000/
The web client contains five views as described in our paper: "SeedUI: Understanding Initial Seeds in Fuzzing".
The tests in the crates: trace_map and inputs_database, depend on the drcov trace files. Before running the tests, generate the corresponding trace files using the following commands:
# For trace_map
cd trace_map/test_data/sources && bash make.sh
cd ..
mkdir traces
python3 extract_binary_traces.py# For inputs_database
cd test_data/test1/ && bash make.sh
cd ..
mkdir traces
python3 extract_binary_traces.py