| | | |
|---|---|---|
| author | van Hauser <vh@thc.org> | 2019-06-25 12:08:50 +0200 |
| committer | van Hauser <vh@thc.org> | 2019-06-25 12:08:50 +0200 |
| commit | 5dfb3ded174a6010d9562b0bbddff9aa5f450ff8 (patch) | |
| tree | b73f23fca7d14538159e0ebddc13f2d8122f2edc | |
| parent | 0104e99caabd83e7d53f7b1248425991f4c0c431 (diff) | |
| download | afl++-5dfb3ded174a6010d9562b0bbddff9aa5f450ff8.tar.gz | |
improved documentation
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | docs/QuickStartGuide.txt | 3 |
| -rw-r--r-- | docs/README | 16 |
| -rw-r--r-- | docs/perf_tips.txt | 8 |
3 files changed, 22 insertions, 5 deletions
diff --git a/docs/QuickStartGuide.txt b/docs/QuickStartGuide.txt index e94b26ed..af4fe75f 100644 --- a/docs/QuickStartGuide.txt +++ b/docs/QuickStartGuide.txt @@ -42,6 +42,9 @@ how to hit the ground running: 6) Investigate anything shown in red in the fuzzer UI by promptly consulting docs/status_screen.txt. +7) compile and use llvm_mode (afl-clang-fast/afl-clang-fast++) as it is way + faster and has a few cool features + That's it. Sit back, relax, and - time permitting - try to skim through the following files: diff --git a/docs/README b/docs/README index 41a9459f..ca8533f7 100644 --- a/docs/README +++ b/docs/README @@ -110,6 +110,11 @@ superior to blind fuzzing or coverage-only tools. 3) Instrumenting programs for use with AFL ------------------------------------------ +PLEASE NOTE: llvm_mode compilation with afl-clang-fast/afl-clang-fast++ +instead of afl-gcc/afl-g++ is much faster and has a few cool features. +See llvm_mode/ - however few code does not compile with llvm. +We support llvm versions 4.0 to 8. + When source code is available, instrumentation can be injected by a companion tool that works as a drop-in replacement for gcc or clang in any standard build process for third-party code. 
@@ -129,10 +134,11 @@ For C++ programs, you'd would also want to set CXX=/path/to/afl/afl-g++. The clang wrappers (afl-clang and afl-clang++) can be used in the same way; clang users may also opt to leverage a higher-performance instrumentation mode, as described in llvm_mode/README.llvm. -Clang/LLVM has a much better performance, but only works with LLVM up to and -including 6.0.1. +Clang/LLVM has a much better performance and works from LLVM version 4.0 to 8. Using the LAF Intel performance enhancements are also recommended, see -docs/README.laf-intel +llvm_mode/README.laf-intel +Using partial instrumentation is also recommended, see +llvm_mode/README.whitelist When testing libraries, you need to find or write a simple program that reads data from stdin or from a file and passes it to the tested library. In such a @@ -148,8 +154,8 @@ automatically enable code hardening options that make it easier to detect simple memory bugs. Libdislocator, a helper library included with AFL (see libdislocator/README.dislocator) can help uncover heap corruption issues, too. -PS. ASAN users are advised to review notes_for_asan.txt file for important -caveats. +PS. ASAN users are advised to docs/review notes_for_asan.txt file for +important caveats. 4) Instrumenting binary-only apps diff --git a/docs/perf_tips.txt b/docs/perf_tips.txt index 263065c0..215895b6 100644 --- a/docs/perf_tips.txt +++ b/docs/perf_tips.txt 
@@ -64,6 +64,14 @@ that can offer huge benefits for programs with high startup overhead. Both modes require you to edit the source code of the fuzzed program, but the changes often amount to just strategically placing a single line or two. +If there are important data comparisons performed (e.g. strcmp(ptr, MAGIC_HDR) +then using laf-intel (see llvm_mode/README.laf-intel) will help afl-fuzz a lot +to get to the important parts in the code. + +If you are only intested in specific parts of the code being fuzzed, you can +whitelist the files that are actually relevant. This improves the speed and +accuracy of afl. See llvm_mode/README.whitelist + 4) Profile and optimize the binary ---------------------------------- |
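Review bot: the new item `7)` in docs/QuickStartGuide.txt breaks the style of the list it joins and is too vague to act on: items 1 to 6 are capitalized sentences ending in a period, while the added line starts lowercase, has no terminal period, and "has a few cool features" names nothing. Suggest `7) Compile and use llvm_mode (afl-clang-fast/afl-clang-fast++); it is much faster and has additional features, see llvm_mode/README.llvm.` so the reader is pointed at the document that lists those features.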
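Review bot: grammar in the new PLEASE NOTE block of docs/README (hunk @ -110): "however few code does not compile with llvm" should read "however, some code does not compile with llvm". The same block also states the supported range ("We support llvm versions 4.0 to 8.") that the next hunk adds again as "works from LLVM version 4.0 to 8."; keeping the version range in one place (the later paragraph that already discusses Clang/LLVM performance) avoids two sentences drifting apart on the next bump.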
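Review bot: in the docs/README hunk @ -129 the untouched context line "Using the LAF Intel performance enhancements are also recommended, see" has a subject/verb mismatch ("Using ... are"), and the newly added sibling sentence correctly uses "is"; since the line right below it is being edited anyway, change "are" to "is". The two references that end these sentences (`llvm_mode/README.laf-intel` and `llvm_mode/README.whitelist`) also both lack a closing period, unlike the surrounding paragraphs.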
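Review bot: the docs/README hunk @ -148 inserts the directory prefix at the wrong position: "+PS. ASAN users are advised to docs/review notes_for_asan.txt file for" now reads "docs/review", which is neither a path nor a verb. It should be "PS. ASAN users are advised to review docs/notes_for_asan.txt for important caveats." (the "file" after the path is redundant).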
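Review bot: two small defects in the docs/perf_tips.txt hunk: the parenthetical "(e.g. strcmp(ptr, MAGIC_HDR)" is missing its closing parenthesis (should be "(e.g. strcmp(ptr, MAGIC_HDR))"), and "intested" in "If you are only intested in specific parts" should be "interested". The final sentence "See llvm_mode/README.whitelist" also needs a terminal period to match the rest of the file.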