config.toml
##############################
# Documentation forthcoming! #
##############################
# Root table: run-wide evolutionary parameters. These keys must stay above the
# first [table] header, otherwise they would belong to that table instead.
# NOTE(review): `job` and `selection` presumably choose which job-specific
# table ([roper], [hello], [linear_gp], [push_vm]) and which selection table
# ([tournament], [roulette]) is consulted - confirm against the config loader.
job = "Roper"
selection = "Tournament"
# A string, not a native TOML type: the accepted duration syntax is whatever
# the application's own parser understands.
timeout = "1 day"
num_islands = 8
# The mutation_exponent is the lambda for a Levy Flight mutation pattern.
mutation_rate = 0.03
mutation_exponent = 2.0
crossover_algorithm = "one_point"
crossover_period = 2
crossover_rate = 1.0 # versus clone
# NOTE(review): presumably the bounds on the length of freshly initialised
# individuals; max_length below looks like the overall cap - confirm.
max_init_len = 600
min_init_len = 500
# bigger populations seem like the way to go.
# TODO: experiment with shrinking populations:
# large initial populations, with permadeath
# and a minimal limit set.
# 0x500 = 1280 (TOML integers may be written in hex).
pop_size = 0x500
max_length = 900
num_epochs = 1000
[fitness]
# Fitness evaluation settings. The commented-out lines are alternative
# experiment setups kept for reference; the only active set is the
# function/weighting/priority triple for "register_pattern" further down.
# NOTE(review): `weighting` and `priority` are strings holding arithmetic
# expressions over metric names, presumably parsed and evaluated by the
# application at run time. Treat this file as trusted input and confirm the
# evaluator accepts arithmetic only.
#function = "register_conjunction"
#function = "memory_pattern"
#function = "error_rate" # weird idea
#function = "register_conjunction"
#priority = "register_error + crash_count" # could this be set by the ff?
#priority = "1 / (subpattern_2 + 1)"
#priority = "register_error"
#function = "code_coverage"
target = 0
eval_by_case = false
dynamic = false # TODO: use this to decide whether to re-evaluate fitness
# as distinct, sometimes, from execution.
#
###
# The variables available to use here are:
# x := the unweighted fitness score
# E := the current epoch.
# You can use these to deprioritize weights as
# time goes on.
##
# NOTE(review): the expressions below reference named metrics
# (register_error, register_freq, ...) rather than x or E - confirm which
# variable set the evaluator actually exposes and update the list above.
#weighting = "(10 * (10 - min(10, gadgets_executed))) + (100 * register_freq) + zeroes"
# weighting = "1"
#weighting = "constancy_penalty * 10 + (100 * register_freq) + register_error + (10 * crash_count / gadgets_executed)"
#weighting = "(100 / (1 + pattern_writes)) + (10 / (1 + num_writes))" # + (1 / (1 + gadgets_executed))"
#
#weighting = "(10 * (20 - min(20, gadgets_executed))) + register_error + (10 * register_freq) + crash_count"
# Active configuration.
function = "register_pattern"
weighting = "register_error + (10 * register_freq)"
priority = "register_error"
#
#function = "memory_pattern"
#weighting = "(100000 / (1 + subpattern_4)) + (10000 / (1 + subpattern_3)) + (1000 / (1 + subpattern_2)) + (100 / (1 + subpattern_1)) + (10 / (num_writes + 1)) + memory_freq + genetic_diversity + (1 / (1 + ret_count))"
#priority = "(100000 / (1 + subpattern_4)) + (10000 / (1 + subpattern_3)) + (1000 / (1 + subpattern_2)) + (100 / (1 + subpattern_1))"
#function = "code_coverage"
#weighting = "1 - code_coverage"
[tournament]
# Parameters for tournament selection.
# NOTE(review): presumably only read when the root key `selection` is
# "Tournament", as it is in this file - confirm.
num_offspring = 2
num_parents = 2
tournament_size = 5
# todo: plot diversity and fitness wrt radius changes.
# maybe experiment with dynamic radius adjustments
# as a response to loss of diversity
geographic_radius = 10
migration_rate = 0.01
[roulette]
# Parameters for roulette selection.
# NOTE(review): presumably unused while the root key `selection` is
# "Tournament" - confirm.
# Should be a float greater than 0.0 and less than 1.0. The lower the value, the more elitist the selection.
weight_decay = 0.8
[hello]
# NOTE(review): looks like the target string for a "hello"-style job;
# presumably unused while the root key `job` is "Roper" - confirm.
target = "Mares eat oats and does eat oats and little lambs eat ivy."
# TODO: observe mutation rate's effects on ret count in ropgadget pops
[linear_gp]
# 0x1000 = 4096.
# NOTE(review): presumably an execution-step budget per evaluation - confirm.
max_steps = 0x1000
[observer]
# Reporting and dump settings.
# NOTE(review): dump_population is a float; presumably a fraction or a
# probability rather than a count - confirm.
dump_population = 0.1
dump_soup = true
# TOML performs no tilde or environment expansion: "~/logs" is the literal
# string. The application has to expand `~` itself, otherwise a directory
# literally named "~" may be created under the working directory - confirm
# how the loader handles this.
data_directory = "~/logs"
window_size = 10000
report_every = 100
[roper]
# Settings for the "Roper" job (the root key `job` selects it by name).
# NOTE(review): [push_vm] is presumably ignored while use_push is false -
# confirm.
use_push = false
#arch = "X86"
#mode = "MODE_64"
#gadget_file = "./gadgets/sshd_ropgadget.json"
# 0x40000 = 262144.
soup_size = 0x40000
# Relative paths in this table (binary_path, register_pattern_file) are not
# resolved by TOML; presumably they resolve against the process working
# directory - confirm how the loader treats them.
binary_path = "./binaries/X86/MODE_32/tshark"
# NOTE(review): if the /tmp alternative below is re-enabled, keep in mind that
# /tmp is world-writable on most systems, so another local user could swap the
# file before it is loaded; prefer a directory only the operator can write to.
#binary_path = "/tmp/ldconfig"
#num_workers = 70 # will take num_cpus::get
#num_emulators = 60
# 0x1000 = 4096 for both max_emu_steps and emulator_stack_size.
max_emu_steps = 0x1000
# NOTE(review): 0 presumably disables the wall-clock limit, leaving
# max_emu_steps as the only bound on a single emulation - confirm.
millisecond_timeout = 0
emulator_stack_size = 0x1000
record_basic_blocks = true
# 32-bit x86 register names, consistent with the MODE_32 binary_path above.
output_registers= ["EAX", "EBX", "ECX", "EDX", "ESP", "EBP", "EIP"]
randomize_registers = true
register_pattern_file = "./experiments/register_pattern.txt"
# 0x41..0x44 are the ASCII bytes 'A', 'B', 'C', 'D'.
memory_pattern = [0x41, 0x42, 0x43, 0x44]
break_on_calls = true
# this similarity in field names is a bit confusing. maybe it would
# be good to further break up the RoperConfig into some substructures,
# to group related fields. One for register pattern stuff, one for memory
# pattern stuff, etc.
record_memory_writes = true
monitor_stack_writes = true
[push_vm]
# Settings for the push VM.
# NOTE(review): presumably only consulted when roper.use_push is true (it is
# false in this file) - confirm.
# 0x1000 = 4096.
max_steps = 0x1000
# NOTE(review): min_len/max_len look like program length bounds and
# literal_rate like a proportion of literals - confirm against the consumer.
min_len = 20
max_len = 100
literal_rate = 0.2